Tommy Reilly Reporter
	Description • 14 years ago

There's a lot of ways to use the GC incorrectly, it would be nice to catch the more common ones with static analysis if we can't come up with an API fix.

Examples:

- declaring a GC field w/o a write barrier (except we need to allow const ctor initited fields)
- checking for NULL on a non-can fail alloc
- zero'ing a field in a ctor
- not zeroing a field in a RCObject dtor

	Edwin Smith
	Comment 1 • 14 years ago

(In reply to comment #0)
> - checking for NULL on a non-can fail alloc
see bug 427115 which attemps this (not only checking, but rewriting too). not sure of its status.

	Edwin Smith
	Comment 2 • 14 years ago

Here is an analyzer that prints the C++ classnames that override createInstance():

http://hg.mozilla.org/users/edwsmith_adobe.com/analyzers/file/tip/createInstance.js

In TR, these classes have a createInstance that isn't boilerplate:

* avmplus::ArrayClass passes an additional capacity=0 arg to ArrayObject().
* avmplus::DictionaryClass has an extra assert(ivtable->traits->isDictionary())
* avmplus::ObjectVectorClass has code to store the type parameter on the instance (doh, why not vtable? every instance doesn't need a copy)
* avmplus::RegExpClass passes extra constructor parameters to RegExpObject()
* avmplus::VectorClass throws kConstructOfNonFunctionError

The rest just create an instance with no extra logic or constructor parameters.  All but two above could be easily made generic.

ObjectVectorClass could be generic if we moved the type parameter to the instance vtable instead of the instance itself.  VectorClass might be able to be generic if we throw the error in construct() instead of createInstance() (needs investigation).  

For the remaining generic createInstance methods, we could have nativegen.py generate the createInstance method and add an extra field in NativeClassInfo to point to it.  Then, copy that pointer into VTable::createInstance instead of using slowCreateInstance -- code size is a wash but we replace handwritten boilerplate with machine written boilerplate.

avmshell::ByteArrayClass
avmshell::DomainClass
avmplus::DeleteObjectSampleClass
avmplus::DoubleVectorClass
avmplus::IntVectorClass
avmplus::NewObjectSampleClass
avmplus::UIntVectorClass
avmplus::SampleClass
avmplus::StackFrameClass
avmplus::ArgumentErrorClass
avmplus::DefinitionErrorClass
avmplus::ErrorClass
avmplus::EvalErrorClass
avmplus::RangeErrorClass
avmplus::ReferenceErrorClass
avmplus::SecurityErrorClass
avmplus::SyntaxErrorClass
avmplus::TypeErrorClass
avmplus::UninitializedErrorClass
avmplus::URIErrorClass
avmplus::VerifyErrorClass

	Edwin Smith
	Comment 3 • 14 years ago

This 1997 article by Scott Meyers is interesting in how it organizes and documents checkable rules.  The article is also an interesting survey of static analysis tools.

http://www.aristeia.com/ddjpaper1.html

	Edwin Smith
	Comment 4 • 14 years ago

A while back, I wrote an easy-to-use script to automate building dehydra in a linux VMware image.  Here it is:

http://hg.mozilla.org/users/edwsmith_adobe.com/build-dehydra/

	Alex Macdonald
	Comment 5 • 14 years ago

Google is using clang based semantic analysis for chrome. Some interesting links:

http://code.google.com/p/chromium/wiki/Clang
http://dev.chromium.org/developers/coding-style/chromium-style-checker-errors

	Tommy Reilly Reporter
	Comment 6 • 14 years ago

Another couple ideas: 

find cases where a C++ ctor may throw an exception, this can lead to weird bugs and should probably be outlawed.

find cases where an exception if thrown would trigger a leak, the analyzer would have to recognize that unmanaged memory was a) allocated and b) not freed before the throw site.  This is a common error in code utilizing the older unmanaged String classes.

	Sylvestre Ledru [:Sylvestre]
	Comment 7 • 6 years ago

Tamarin isn't maintained anymore. WONTFIX remaining bugs.