On Tue, Apr 17, 2012 at 9:46 PM, Lubomír Sedlář <lubomir.sed...@gmail.com> wrote:

> Hello,
> I would like to ask if any static analysis tool was ever used to detect
> possible problems in OpenSSL source code. Is some tool used regularly?
>
> I tried running Clang Static Analyzer [1] on the source of OpenSSL. It
> found 222 possible "bugs". You can see the full list here [2]. At least
> 65 of them are false positives. Most of the ones that seem valid to me
> are classified as Dead Code. However, even some dead assignments look
> like real problems.
>
> Some examples follow:
>
> http://www.fi.muni.cz/~xsedlar3/openssl-analysis/report-JxXj0g.html#EndPath
> The variable 'al' is never read. The goto should probably jump to
> 'f_err' in order not to lose the alert.
>
> http://www.fi.muni.cz/~xsedlar3/openssl-analysis/report-6OKYC8.html#EndPath
> The assignment to 'ret' is either useless or goto should jump to 'err'.
>
> http://www.fi.muni.cz/~xsedlar3/openssl-analysis/report-117dnV.html#EndPath
> http://www.fi.muni.cz/~xsedlar3/openssl-analysis/report-rT4fgM.html#EndPath
> Duplicate assignment to 'ret' and 'saved_state.epoch', respectively.
>
> http://www.fi.muni.cz/~xsedlar3/openssl-analysis/report-xy1iZT.html#EndPath
> 'qbits' gets assigned the same value in the following condition again.
>
> http://www.fi.muni.cz/~xsedlar3/openssl-analysis/report-IG0Qez.html#EndPath
> The 'E', 'e', 'G', 'g' cases don't seem to do anything. Is there some
> missing functionality?

Missing but not missed, I suspect :-)

> http://www.fi.muni.cz/~xsedlar3/openssl-analysis/report-euj1zH.html#EndPath
> Default port is assigned twice, on line 234.
>
> Would you be interested in some patches? How and where should I submit
> them?

Interesting bugs. I would be happy to work with you to get these fixed.
I like static analysis :-)

> Regards,
> Lubomír Sedlář
>
> [1]: http://clang-analyzer.llvm.org/
> [2]: http://www.fi.muni.cz/~xsedlar3/openssl-analysis/
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org
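The first finding in the thread (the 'al' store that is lost because the goto skips 'f_err'), worked as an added C example that is not code from the thread or from OpenSSL: a handler in the style of the handshake code assigns an alert and then jumps to the wrong label, shown beside the corrected version. The alert constants, `struct conn`, `send_alert` and the one-byte message are constructed stand-ins, not OpenSSL's own definitions.

```c
/* Alert values constructed for this illustration; they stand in for the
 * TLS alert constants OpenSSL's handshake code hands to its alert sender. */
#define AL_FATAL             2
#define AD_DECODE_ERROR      50
#define AD_ILLEGAL_PARAMETER 47
/* Minimal stand-in for a connection: records the last alert sent, if any. */
struct conn { int alert_level; int alert_desc; };

static void send_alert(struct conn *c, int level, int desc) {
    c->alert_level = level;
    c->alert_desc = desc;
}

/* The flagged pattern: 'al' is assigned, but the goto jumps past the label
 * that sends it, so the store is dead and the peer never sees the alert. */
int handle_buggy(struct conn *c, const unsigned char *msg, int len) {
    int al;
    if (len < 2) {
        al = AD_DECODE_ERROR;      /* dead store: never read on this path */
        goto err;                  /* should be f_err */
    }
    if (msg[0] != 0x01) {
        al = AD_ILLEGAL_PARAMETER;
        goto f_err;                /* this path does send its alert */
    }
    return 1;
f_err:
    send_alert(c, AL_FATAL, al);
err:
    return -1;
}

/* Fixed version: every path that sets 'al' jumps to f_err before failing. */
int handle_fixed(struct conn *c, const unsigned char *msg, int len) {
    int al;
    if (len < 2) { al = AD_DECODE_ERROR; goto f_err; }
    if (msg[0] != 0x01) { al = AD_ILLEGAL_PARAMETER; goto f_err; }
    return 1;
f_err:
    send_alert(c, AL_FATAL, al);
    return -1;
}

/* Feed a constructed one-byte (too short) message; 0 means no alert was sent. */
int alert_for_short_message(int (*h)(struct conn *, const unsigned char *, int)) {
    struct conn c = { 0, 0 };
    unsigned char one_byte[1] = { 0x01 };
    h(&c, one_byte, 1);
    return c.alert_desc;
}
```

Running the analyzer's dead-store checker on the buggy function reports the `al = AD_DECODE_ERROR` line; the helper makes the consequence observable, since the buggy handler fails without sending any alert while the fixed one sends AD_DECODE_ERROR.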