On Thu, 04 Feb 2016 23:29:10 +0000, tsbockman wrote: > That explains why the linker doesn't catch it. I still don't see much > excuse for the compiler allowing it though, beyond a desire to allow > each module to be compiled independently.
Doing this sort of validation requires build system integration (track the command line arguments that went into producing this object file; find which object files are combined into which targets; run the analysis on that) and costs as much time as compiling the whole project from scratch. Developing such a system is nontrivial, so it's not a matter of conjuring excuses; rather, someone would have to put in considerable effort to make it work. I'm betting some of the commercial static analyzers for C do this, but they're not the sort of things you install on every dev machine and run on every build. Generally they're the sort of thing that you send off to the security company anda they send you a report some weeks later.
