Old software, new code analysis tools

Discussion in 'other software & services' started by Gullible Jones, May 15, 2014.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    ATM I'm doing a little experiment running cppcheck:

    http://cppcheck.sourceforge.net

    on Firefox 2.0.0.20. The first run is 7% complete, and has found several memory leaks and some possible null pointer derefs. It's probably missing a lot of stuff due to the number of ifdefs, though; it keeps interrupting checks because of that.

    Anyway I'm kind of curious if anyone else has given old/abandoned FOSS projects a once-over with modern static analysis tools. How many memory leaks, holes, etc. do free static code analyzers typically find? How many turn out to be the real deal? How does this tend to compare with results for modern versions/equivalents of old programs?

    Edit: Wowza, there are a lot of memory leaks. Also some off-by-one errors. Yick.
     
    Last edited: May 15, 2014
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Interesting tool. Thanks.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    You're welcome. :) Be warned though that false positives seem to abound with these tools. cppcheck is supposed to be better than most as far as FPs, not sure about false negatives though.

    I wonder if anyone has used these with Xorg. Or are most Xorg flaws logic errors, the kind of thing that static analysis wouldn't necessarily catch?

    Edit: BTW to elaborate on the FP thing - sometimes legitimate but dodgy looking things get caught by static code analysis. e.g. in links2, there are a bunch of uses of "argv[-1]" which cppcheck says is out of bounds. But arrays use pointer arithmetic; the use in links is actually okay, as it occurs in a loop after "argv++" (i.e. moving the pointer one element forward). So, not really an error.

    (But programming this way is still stupid IMO, even if it's recommended by the K&R text. There is *zero* reason to make code confusing when it doesn't have to be.)
     
    Last edited: May 15, 2014
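Added example (not code from links2, cppcheck, or the poster): a small C program showing the pointer-walking idiom described above, where `argv[-1]` is evaluated right after `argv++`, alongside an index-based loop that does the same job. The option-counting logic and the sample command line are constructed for illustration; the point is that `argv[-1]` here is `*(argv - 1)`, the element just stepped past, so it stays inside the original array even though a negative subscript looks out of bounds to an analyzer that does not track the increment.

```c
/* Added example: the argv[-1]-after-argv++ idiom next to an index-based
 * equivalent. Constructed for illustration; not taken from links2. */
#include <stdio.h>

/* Counts "-x"-style options by advancing the argv pointer itself.
 * After argv++, argv[-1] is *(argv - 1): the element we just stepped past,
 * which is still inside the original array. A static analyzer that sees a
 * negative subscript without tracking the increment reports it as
 * out of bounds, which is the false positive discussed above. */
int count_options_pointer_style(int argc, char **argv)
{
    int options = 0;
    char **end = argv + argc;   /* one past the last real argument */

    argv++;                     /* skip the program name */
    while (argv < end) {
        argv++;                 /* step to the next element first ... */
        if (argv[-1][0] == '-') /* ... then look back at the one just passed */
            options++;
    }
    return options;
}

/* Same walk with an explicit index: no negative subscript, same result,
 * and nothing for a reader (or a checker) to puzzle over. */
int count_options_index_style(int argc, char **argv)
{
    int options = 0;
    for (int i = 1; i < argc; i++) {
        if (argv[i][0] == '-')
            options++;
    }
    return options;
}

/* Constructed sample command line so the program runs stand-alone. */
static char *sample_argv[] = { "links", "-g", "http://example.org", "-dump", NULL };
static const int sample_argc = 4;

int main(void)
{
    printf("pointer style: %d option(s)\n",
           count_options_pointer_style(sample_argc, sample_argv));
    printf("index style:   %d option(s)\n",
           count_options_index_style(sample_argc, sample_argv));
    return 0;
}
```

Both functions count two options for the constructed arguments. Running cppcheck over the first one reproduces the kind of report the post describes; the second form is what you would rewrite it to if you wanted the warning gone rather than suppressed.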
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Now this is interesting. Running cppcheck against webkitgtk-2.4.2, and at 11% progress I am seeing nothing.

    Now of course this doesn't mean there are no bugs, just that cppcheck with default settings cannot find any. But this does seem like it might be a hint, doesn't it? Zero might-be-a-bugs vs. six or seven in about the same volume?

    I'm going to install cppcheck on my AMD A4 machine, and run through the entire WebkitGTK and (current) Mozilla source codes later this evening. I would guess that Webkit > current Mozilla > old Mozilla in terms of code cleanliness, but it will be interesting to get a real indication.

    Edit: I'll also have to take splint for a spin on the Linux kernel. And hey, I wonder about OpenSSL too... Though I've heard crypto libraries sometimes do rather odd things with respect to C standards?

    (And in any case I'm still not sure, on a percentage basis, how many of the might-be-a-bugs that cppcheck reports are FPs.)

    Edit 2: might also be interesting to see if I can compile any browser whatsoever with gcc/g++ and -Wall -Werror.
     
    Last edited: May 15, 2014
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Tried to run against the current Mozilla suite last night on my workstation, but it bailed out before it could complete - tried to snarf up about 100 GB of virtual memory. Ouch.
     