catching 32/64 bit integer mixing

2020-05-23 Thread Drew Parsons
An upstream author has asked whether we know of tools or compiler flags 
to help catch problems mixing 64 and 32 bit integers, for instance 
catching implicit conversions, as in


  int64_t n = ...;
  for (int32_t i=0; i

There is -fsanitize=signed-integer-overflow (which generates a runtime 
error message), but that requires data to cause overflow at every 
possible location.


Is there a better tool for catching this kind of problem?

Drew



Re: catching 32/64 bit integer mixing

2020-05-23 Thread Thomas Schiex
For open source projects, a few online static analyzers are available 
and usable for free. This kind of integer type mismatch will be caught by 
most of them. Possibly clang-static-analyzer will do the job. Otherwise, 
an easy one is lgtm for example. See https://lgtm.com/



(I have no link with them except as an open source software developer 
using their services for free).


There are other tools (mostly geared towards security) available for 
free for open source software but I just forgot their name. Any web 
search tool should help you here.


Thomas

On 23/05/2020 at 09:03, Drew Parsons wrote:
An upstream author has asked whether we know of tools or compiler 
flags to help catch problems mixing 64 and 32 bit integers, for 
instance catching implicit conversions, as in


  int64_t n = ...;
  for (int32_t i=0; i

There is -fsanitize=signed-integer-overflow (which generates a runtime 
error message), but that requires data to cause overflow at every 
possible location.


Is there a better tool for catching this kind of problem?

Drew
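
Added example, not part of the original thread: the two shapes of 32/64-bit mixing discussed above, with the compile-time flag that catches the first and the reason it misses the second. It assumes the truncated loop in the question compares the 32-bit counter `i` against the 64-bit bound `n`; all function names and the sample data are constructed.

```c
/* Constructed example. See the warnings with:
 *   gcc -Wall -Wextra -Wconversion mix.c   (clang accepts the same flags)
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pattern 1: implicit narrowing. -Wconversion (clang: -Wshorten-64-to-32)
 * flags the initialiser at compile time, with no overflowing data needed.
 * Out-of-range results are implementation-defined; gcc and clang keep the
 * low 32 bits. */
int32_t narrow_unchecked(int64_t n)
{
    int32_t len = n;
    return len;
}

/* Checked replacement: refuse the value instead of truncating it. */
bool narrow_checked(int64_t n, int32_t *out)
{
    if (n < INT32_MIN || n > INT32_MAX)
        return false;
    *out = (int32_t)n;   /* explicit cast after the range check */
    return true;
}

/* Pattern 2, the assumed loop shape: with `int32_t i`, the test `i < n`
 * only widens i, so -Wconversion stays silent, and ++i overflows once n
 * exceeds INT32_MAX. The fix is a counter of the bound's type. */
int64_t sum_bytes(const uint8_t *buf, int64_t n)
{
    int64_t total = 0;
    for (int64_t i = 0; i < n; ++i)
        total += buf[i];
    return total;
}

int main(void)
{
    const uint8_t buf[] = {1, 2, 3, 250};   /* constructed sample data */
    int32_t out = 0;
    int64_t big = INT64_C(5000000000);      /* does not fit in 32 bits */

    printf("unchecked: %" PRId32 "\n", narrow_unchecked(big));
    printf("checked ok: %d\n", narrow_checked(big, &out));
    printf("sum: %" PRId64 "\n", sum_bytes(buf, 4));
    return 0;
}
```

Pattern 2 is what clang-tidy's bugprone-too-small-loop-variable check looks for; its MagnitudeBitsUpperLimit option defaults to 16 and has to be raised to 31 to cover a 32-bit int counter.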



Re: Maven packages in Debian (was Re: Progress in preparing the Bazel Build System for Debian (COVID-19 Biohackathon follow-up))

2020-05-23 Thread Sudip Mukherjee
On Wed, May 13, 2020 at 7:33 PM Thorsten Glaser wrote:
>
> On Wed, 6 May 2020, Andreas Tille wrote:
>
> > > Or perhaps we need a webpage or wiki page generated by parsing the
> > > Contents file and listing the matching Debian package for each class
> > > or, at least, Java package (unless split across multiple packages)…
> >
> > I remember times when such a web page (actually some autogenerated text
> > file) existed which was **extremely** helpful.  I wished this would be
> > back!
> >
> > > … I just volunteered, didn’t I?
>
> Here you are:
>
> https://wiki.debian.org/Java/MavenPkgs
>
> Sponsored by ⮡ tarent, see below.
>
> This is step 1, the list of all Maven packages ⇒ Debian package name.
> It doesn’t go as far as to map Java packages or even classes… yet.
> For this I’d have to download all those packages, extract them and
> look into the JARs. I’d prefer some central service to offer archive
> contents if possible (diffoscope already extracts archives anyway).

I have now made a list with package name, the jar files that it
provides and the list of classes that the jar provides.
Not sure where to put that or if it is in a usable format. So,
initial version is at:
https://drive.google.com/open?id=1A0tnTNofdNFuMwzrxV_HQE6npfpUglcS

I think, next I will make a sorted list so that it will be easy to
make a diff of what has changed.

-- 
Regards
Sudip



Re: Maven packages in Debian (was Re: Progress in preparing the Bazel Build System for Debian (COVID-19 Biohackathon follow-up))

2020-05-23 Thread Thorsten Glaser
On Sat, 23 May 2020, Sudip Mukherjee wrote:

> I have now made a list with package name, the jar files that it
> provides and the list of classes that the jar provides.

This must be scripted/scriptable though… the list for stable is
pretty much fixed, but the one for unstable (which is the relevant
one for packaging) isn’t and needs to be redone every few weeks at
least…

> Not sure where to put that or if it is in a usable format. So,
> initial version is at:
> https://drive.google.com/open?id=1A0tnTNofdNFuMwzrxV_HQE6npfpUglcS

Ouch, 33M… methinks this is more suited as a web application.
Not all that easy… due to sheer size, at least.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg



Re: Maven packages in Debian (was Re: Progress in preparing the Bazel Build System for Debian (COVID-19 Biohackathon follow-up))

2020-05-23 Thread Sudip Mukherjee
On Sat, May 23, 2020 at 8:10 PM Thorsten Glaser wrote:
>
> On Sat, 23 May 2020, Sudip Mukherjee wrote:
>
> > I have now made a list with package name, the jar files that it
> > provides and the list of classes that the jar provides.
>
> This must be scripted/scriptable though… the list for stable is
> pretty much fixed, but the one for unstable (which is the relevant
> one for packaging) isn’t and needs to be redone every few weeks at
> least…

It was generated using a script. It will not be a problem to redo every week.

>
> > Not sure where to put that or if it is in a usable format. So,
> > initial version is at:
> > https://drive.google.com/open?id=1A0tnTNofdNFuMwzrxV_HQE6npfpUglcS
>
> Ouch, 33M… methinks this is more suited as a web application.
> Not all that easy… due to sheer size, at least.

Yes, I was thinking of making a Debian native package for it, the data
will be in either sqlite or yaml and then an application to read from
it. cmdline will accept either jar or class name and will list the
package containing them. And if package name is given then it will
list everything that the package contains.
Just a thought for now.


-- 
Regards
Sudip



Re: catching 32/64 bit integer mixing

2020-05-23 Thread Drew Parsons

Thanks Thomas, I'll pass that on.

Drew


On 2020-05-23 21:33, Thomas Schiex wrote:

For open source projects, a few online static analyzers are available
and usable for free. This kind of integer type mismatch will be caught
by most of them. Possibly clang-static-analyzer will do the job.
Otherwise, an easy one is lgtm for example. See https://lgtm.com/

(I have no link with them except as an open source software developer
using their services for free).

There are other tools (mostly geared towards security) available for
free for open source software but I just forgot their name. Any web
search tool should help you here.

Thomas
On 23/05/2020 at 09:03, Drew Parsons wrote:


An upstream author has asked whether we know of tools or compiler
flags to help catch problems mixing 64 and 32 bit integers, for
instance catching implicit conversions, as in

int64_t n = ...;
for (int32_t i=0; i