On 07-02-17 09:45, Илья Шипицин wrote:
>     I have a question (sorry if I couldn't check myself): did you check that
>     SSL_get_privatekey() and SSL_free() won't crash when ssl is NULL?
> What if we involve clang static analyzer for such things? Can we count
> on it?
> It is capable of detecting "Argument with 'nonnull' attribute passed null"
> and, as I can see, after applying patch it didn't find new issues
> http://chipitsine.github.io/without-patch/
> http://chipitsine.github.io/with-patch/
> Also, it might be even automated, run clang static analyzer before and
> after applying patch and compare the result

Static analyzers are useful, but do not and probably never will replace
review by someone who knows the code.  They complement each other;
neither will detect all mistakes.

In relation to that, please stop making statements like 'it passes
travis, so the patch must be okay'.  That's pertinently not true.

