False positives when analyzing 'sdlmame'

Hi,

I am not a developer myself (just a lowly system administrator), but I
was intrigued by the idea of an open source static source analyzer
just the same. So I decided to run scan-build on my favorite emulator,
'sdlmame', and posted the results of the scan/build to the sdlmame
forum. There it was looked at by at least one developer, and he
noticed at least two false positives.

Now since I'm not a developer myself, I can only point to the forum
posts, the analyzer results, and the source code, hoping that someone
on this list is interested enough to investigate further. The main
reason I did not post a bug in the bug tracker instead of sending this
message to the mailing list is because I cannot create a (small)
testcase myself :(

Anyway, here's the info :

The source code on which the analysis was run:
http://www.mediafire.com/?2ndj2wjkgjf
The full results of the scan-build analysis:
http://www.mediafire.com/?ryyvj3lazma
The post on the forum discussing the two false positives:
http://www.bannister.org/forums/ubbthreads.php?ubb=showflat&Number=50763#Post50763

Please feel free to ignore this message if it is not at all helpful,
or if I violated the mailing list rules, and if that is the case, then
I sincerely apologize.

Regards,

John Smith

Hi John,

Thanks so much for the feedback! Please do file a bug report in Bugzilla, even with just the information you have. False positives reported to this mailing list will just get lost.

When you file the bug report, please include the information about how to reproduce the false positive, and what file and line where the false positive occurs. It is also good to know *why* you think it is a false positive, as sometimes it isn't always obvious. Basically I need to know where to get the code, what was the build line you passed to scan-build, etc.

Thanks so much!

Ted

From a quick glance at the forum and at the output in question, the first
false positive could indeed be a bug, since the same loop condition is
considered false at first and true later on, with no code in-between that
could possibly change it (don't know if the static analyzer takes into
account that the struct might have been changed from another thread
or something like that).
The second one pointed out is not exactly a false positive, since if it
weren't for the fact that the structure in question is initialized always
with at least 32 entries, then that null dereference could very much
happen. The thing is, clang is not yet, AFAIK, doing interprocedural
analysis, so it has no way of possibly knowing that.

I'm not familiar with the SDL codebase, but the report generated is
quite extensive; I'd suggest that you and/or the other developers do
not simply forget about clang because of these two issues. Not everything
pointed out there might be an issue, but if you find at least one possible
problem then it will already have been worth it IMHO.

There's been an extensive cleanup on the codebase for the Enlightenment
project using the output of clang's static analyzer, and I've already sent
patches for a few other projects as well (like mplayer). I'd suggest you try
to find a server somewhere where you could put this output so others can
more easily take a look at it.

Best regards,
--lf
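The second report lf describes above (a null dereference that cannot happen because the table is always filled elsewhere, which an analyzer without interprocedural analysis cannot see) is easy to reproduce in miniature. The following is an added, constructed example and not code from sdlmame or from anyone in this thread; the names `init_table`, `lookup`, `value_unchecked` and `value_checked` are hypothetical. It shows the pattern a path-sensitive checker flags, and the local check that makes the invariant visible to both the analyzer and a reviewer.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: a lookup table filled by one function and consumed
 * by another.  The invariant "every slot is populated after init_table()"
 * lives in a different function from the dereference, which is exactly the
 * situation a purely intraprocedural analysis cannot reason about. */

#define TABLE_SIZE 32

typedef struct {
    const char *name;
    int value;
} entry_t;

static entry_t table[TABLE_SIZE];
static size_t table_len = 0;

/* The invariant is established only here: after this call, every one of the
 * TABLE_SIZE slots holds a valid entry. */
void init_table(void)
{
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        table[i].name = "default";
        table[i].value = (int)i;
    }
    table_len = TABLE_SIZE;
}

/* Returns NULL when the index is out of range; callers see this NULL path. */
const entry_t *lookup(size_t idx)
{
    if (idx >= table_len)
        return NULL;
    return &table[idx];
}

/* The pattern the analyzer reports: the NULL return of lookup() is visible
 * locally, but whether init_table() has run (and therefore whether idx < 32
 * can ever return NULL) is not, so the dereference is flagged as a possible
 * NULL dereference.  For idx < TABLE_SIZE after init_table() it is safe. */
int value_unchecked(size_t idx)
{
    const entry_t *e = lookup(idx);
    return e->value;   /* analyzer: 'e' may be NULL here */
}

/* The defensive form: make the invariant local and explicit.  The extra
 * branch is cheap, the report goes away, and an index that really is out
 * of range degrades to a fallback value instead of a crash. */
int value_checked(size_t idx, int fallback)
{
    const entry_t *e = lookup(idx);
    if (e == NULL)
        return fallback;
    return e->value;
}

int main(void)
{
    init_table();
    printf("unchecked(5)   = %d\n", value_unchecked(5));
    printf("checked(5)     = %d\n", value_checked(5, -1));
    printf("checked(40)    = %d\n", value_checked(40, -1));
    return 0;
}
```

Running scan-build over the unchecked function reports the possible NULL dereference even though `main()` always calls `init_table()` first; the checked variant is the cheap way to turn a "cannot happen, trust me" invariant into one the tooling can verify.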

Well, like I stated earlier, I'm not a developer myself and I cannot
tell what the developers of sdlmame will or will not do. However, I
will take up the earlier suggestion and post a bug to the bug tracker
anyway, even with my limited information.

Regards,

John Smith.