Hi Rob

> Our main focus for finding latent security flaws has been via
> "document fuzzing." It is more complicated to set up than just
> running a static analysis tool but since it involves probing the
> actual running code it is more effective in many ways. Historically
> this is one of the primary ways that editors like OpenOffice are
> exploited. Also, when security researchers report security flaws to
> us, they are often flaws found from fuzzing. I don't recall ever
> seeing a report that was derived from static analysis.

You are focusing on security and exploits (which is obviously a very important area). But I was thinking more in terms of program stability *during* usage. I assume that Coverity's "project's defect density" would reflect this?

> If you want to read more about what we're doing with fuzzing you can
> see my presentation from ApacheCon:
> http://www.robweir.com/blog/publications/AOOFuzzing.pdf
>
> Also, if you are really interested in this area I can help you set up
> a fuzzing environment. It works best if you have a machine (or a VM)
> you can dedicate to it for a couple of weeks.

Very interesting stuff. Actually the few times I had any problem with AOO usage was not while opening files. They happen during regular work sessions where Calc/Writer/Impress would freeze completely and leave no other choice other than killing soffice (with consequent data loss).

So I would be more interested in running a debug build that could log these occasional crashes (if they are not occasional and I can replicate them, I create a regular Issuezilla bug report).

Regards,
Pedro
