Re: [PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c

2009-11-25 Thread Jess Portnoy
Hello, I agree that it [potentially] has many false positives and this is even addressed on the homepage. While this is common to most static analyzers to some extent and requires going through each "find" with care while mumbling "again with this crap..", I still think it has some value. One pers

Re: [PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c

2009-11-25 Thread Rasmus Lerdorf
Jess Portnoy wrote:
> Hello,
>
> clang is indeed a great tool but since it does a lot more than just
> static analysis.
> For those cases where one wants source code analysis, especially
> security oriented, I'd recommend flawfinder
> [http://www.dwheeler.com/flawfinder].

I find that flawfinder i

Re: [PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c

2009-11-25 Thread Michael Maclean
Jess Portnoy wrote:
> The thing I like a lot about clang is that it can be used as a drop-in
> substitute for GCC so you can actually call clang or clang++ instead of
> executing gcc/g++, see here:

Sure, that's how I compiled PHP with it.

CC=clang ./configure --enable-all --my-usual=stuff
make
make

Re: [PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c

2009-11-25 Thread Jess Portnoy
Hey,

The thing I like a lot about clang is that it can be used as a drop-in substitute for GCC so you can actually call clang or clang++ instead of executing gcc/g++, see here: http://clang.llvm.org/get_started.html

The results you published certainly look interesting :)

May the source be with

Re: [PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c

2009-11-25 Thread Michael Maclean
Hi,

Jess Portnoy wrote:
> clang is indeed a great tool but since it does a lot more than just
> static analysis.

Yeah, it looked like an interesting thing and so I decided to play with it. Incidentally, I discovered later that clang appears to compile PHP 5.3 pretty much flawlessly just now (at

Re: [PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c

2009-11-25 Thread Jess Portnoy
Hello,

clang is indeed a great tool but since it does a lot more than just static analysis. For those cases where one wants source code analysis, especially security oriented, I'd recommend flawfinder [http://www.dwheeler.com/flawfinder]. This is a very good tool and it exists in the official

Re: [PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c

2009-11-24 Thread Rasmus Lerdorf
Michael Maclean wrote:
> Hi,
> Gwynne pointed me at the clang static analyser earlier on today, and so
> I've run it against current PHP_5_3. In the course of messing with it,
> it noticed a potential null dereference in ext/ftp - I've attached a
> one-liner to fix it.

Thanks, committed.

-- PHP

[PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c

2009-11-24 Thread Michael Maclean
Hi,

Gwynne pointed me at the clang static analyser earlier on today, and so I've run it against current PHP_5_3. In the course of messing with it, it noticed a potential null dereference in ext/ftp - I've attached a one-liner to fix it.

Michael

Index: ext/ftp/ftp.c