On Tue, Dec 10, 2019 at 10:46:59AM -0500, David Malcolm wrote: > For the adventurous/curious, my static analyzer branch of GCC [1] is > now available on Compiler Explorer (aka godbolt.org) so you can try it > out without building it yourself. [Thanks to Matt Godbolt, Patrick > Quist and others at the Compiler Explorer project]
Congrats! > On https://godbolt.org/ within the C and C++ languages, select > "x86-64 gcc (static analysis)" > as the compiler (though strictly speaking only C is in-scope right > now). It's configured to automatically inject -fanalyzer (just on this > site; it isn't the default in the branch). > > Some precanned examples: > * various malloc issues: https://godbolt.org/z/tnx65n > * stdio issues: https://godbolt.org/z/4BP-Tj > * fprintf in signal handler: https://godbolt.org/z/ew7mW6 > * tainted data affecting control flow: https://godbolt.org/z/3v8vSj > * password-leakage: https://godbolt.org/z/pRPYiv > (the non-malloc examples are much more in "proof-of-concept" territory) > > Would it make sense to add an "analyzer" component to our bugzilla, > even though this is still on a branch? (with me as default assignee) I think so, we have it for e.g. JIT already, and it's probably just a matter of time before the analyzer is merged. -- Marek Polacek • Red Hat, Inc. • 300 A St, Boston, MA
