On 04/20/2011 06:54 AM, thilo wrote:
> They are a great tool ensuring programs have fewer memory leaks, thread
> issues and the like and if one has access to their results, please USE
> it and judge the false positives with human eyes - strcpy & fprintf are
> not security risks by themselves but only in an application context.
> Reviews (human & automated) are always a good step towards a stable
> codebase!
What you have missed is that the tool you pointed to is crap. It gives noisy, useless results.

In addition to their brains, the SQLite team also uses other tools such as the compiler, Coverity, clang, etc. Then they have a test suite with full MCDC coverage, which means all code has to be read to be tested that much (on several platforms). All changes are public (see the timeline), and on rare occasions other people may have observations.

In other words, the existing tools and brains are orders of magnitude better than that tool. No one is against tools to improve the integrity of products, but that one contributes nothing. If you believe it shows things existing tools don't, then please enlighten us. The evidence at the moment is that it wastes time better spent with other tools and human review.

Roger

_______________________________________________
sqlite-users mailing list
[email protected]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

