Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + ho

看板FB_security作者時間11年前 (2014/04/24 04:32), 編輯推噓0(000)
留言0則, 0人參與, 最新討論串11/49 (看更多)
Den 23/04/2014 kl. 21.14 skrev Charles Swiger <cswiger@mac.com>: > The most straightforward changes to this snippet would be either: > > int foo(int y, int z) { > int x; > if (y == z) { > x = 0; > } else { > x = 1; > } > return x; > } > > ...or: > > int foo(int y, int z) { > int x = 0; > if (y != z) { > x = 1; > } > return x; > } > > Not only are both of these shorter and they pass clang's static analyzer without a warning, I'd argue that the second version is noticeably cleaner. I don't disagree with you, but rewriting 1000 if-else cases in single-threaded userland programs just so the analyzer understands them is 1) tedious and 2) bound to accidentally introduce at least 50 new bugs, since most real-life examples are considerably more complicated than the minimal example I posted. Erik _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
更多 erik+lists. 的文章
文章代碼(AID): #1JM2D3bZ (FB_security)
討論串 (同標題文章)
完整討論串 (本文為第 11 之 49 篇):
排序: 最新先 | 最舊先 | 留言數
在新視窗開啟完整討論串 (共49篇)
更多 erik+lists. 的文章
文章代碼(AID): #1JM2D3bZ (FB_security)