Closed
Bug 583074
Opened 14 years ago
Closed 6 years ago
Investigate Dehydra/Treehydra based static analysis
Categories
(Tamarin Graveyard :: Tools, defect)
Tamarin Graveyard
Tools
Tracking
(Not tracked)
RESOLVED
WONTFIX
Future
People
(Reporter: treilly, Unassigned)
References
Details
(Whiteboard: Tracking)
There's a lot of ways to use the GC incorrectly, it would be nice to catch the more common ones with static analysis if we can't come up with an API fix. Examples: - declaring a GC field w/o a write barrier (except we need to allow const ctor initited fields) - checking for NULL on a non-can fail alloc - zero'ing a field in a ctor - not zeroing a field in a RCObject dtor
Updated•14 years ago
|
OS: Mac OS X → All
Hardware: x86 → All
Comment 1•14 years ago
|
||
(In reply to comment #0) > - checking for NULL on a non-can fail alloc see bug 427115 which attemps this (not only checking, but rewriting too). not sure of its status.
Depends on: 427115
Updated•14 years ago
|
Component: Garbage Collection (mmGC) → Tools
QA Contact: gc → tools
Summary: Investigate static analysis tools for enforcing GC rules → Investigate Dehydra/Treehydra based static analysis
Whiteboard: Tracking
Updated•14 years ago
|
Target Milestone: --- → Future
Comment 2•14 years ago
|
||
Here is an analyzer that prints the C++ classnames that override createInstance(): http://hg.mozilla.org/users/edwsmith_adobe.com/analyzers/file/tip/createInstance.js In TR, these classes have a createInstance that isn't boilerplate: * avmplus::ArrayClass passes an additional capacity=0 arg to ArrayObject(). * avmplus::DictionaryClass has an extra assert(ivtable->traits->isDictionary()) * avmplus::ObjectVectorClass has code to store the type parameter on the instance (doh, why not vtable? every instance doesn't need a copy) * avmplus::RegExpClass passes extra constructor parameters to RegExpObject() * avmplus::VectorClass throws kConstructOfNonFunctionError The rest just create an instance with no extra logic or constructor parameters. All but two above could be easily made generic. ObjectVectorClass could be generic if we moved the type parameter to the instance vtable instead of the instance itself. VectorClass might be able to be generic if we throw the error in construct() instead of createInstance() (needs investigation). For the remaining generic createInstance methods, we could have nativegen.py generate the createInstance method and add an extra field in NativeClassInfo to point to it. Then, copy that pointer into VTable::createInstance instead of using slowCreateInstance -- code size is a wash but we replace handwritten boilerplate with machine written boilerplate. avmshell::ByteArrayClass avmshell::DomainClass avmplus::DeleteObjectSampleClass avmplus::DoubleVectorClass avmplus::IntVectorClass avmplus::NewObjectSampleClass avmplus::UIntVectorClass avmplus::SampleClass avmplus::StackFrameClass avmplus::ArgumentErrorClass avmplus::DefinitionErrorClass avmplus::ErrorClass avmplus::EvalErrorClass avmplus::RangeErrorClass avmplus::ReferenceErrorClass avmplus::SecurityErrorClass avmplus::SyntaxErrorClass avmplus::TypeErrorClass avmplus::UninitializedErrorClass avmplus::URIErrorClass avmplus::VerifyErrorClass
Comment 3•14 years ago
|
||
This 1997 article by Scott Meyers is interesting in how it organizes and documents checkable rules. The article is also an interesting survey of static analysis tools. http://www.aristeia.com/ddjpaper1.html
Comment 4•14 years ago
|
||
A while back, I wrote an easy-to-use script to automate building dehydra in a linux VMware image. Here it is: http://hg.mozilla.org/users/edwsmith_adobe.com/build-dehydra/
Comment 5•14 years ago
|
||
Google is using clang based semantic analysis for chrome. Some interesting links: http://code.google.com/p/chromium/wiki/Clang http://dev.chromium.org/developers/coding-style/chromium-style-checker-errors
Reporter | ||
Comment 6•14 years ago
|
||
Another couple ideas: find cases where a C++ ctor may throw an exception, this can lead to weird bugs and should probably be outlawed. find cases where an exception if thrown would trigger a leak, the analyzer would have to recognize that unmanaged memory was a) allocated and b) not freed before the throw site. This is a common error in code utilizing the older unmanaged String classes.
Comment 7•6 years ago
|
||
Tamarin isn't maintained anymore. WONTFIX remaining bugs.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•