Re: CII Best Practices Badge Status

[Andrew Johnson <anj@aps.anl.gov>]

On 12/05/2016 05:25 PM, Michael Davidsaver wrote:
> On 12/05/2016 05:31 PM, Andrew Johnson wrote:
>> Does anyone have recent experience with static code analysis tools?
>> There are examples and links under the "show details" area for this
>> section of the Best Practices page. I could use some help here.
> 
> I made some use of cppcheck with a project this past spring.  It's easy
> to run, packaged by debian (thus available on travis-ci.org), and FOSS.
> The downsides are those common to static analysis.  It's chatty.
> 
> That said.  I just ran it on src/libCom/ and quickly parsed through the
> output.  cppcheck finds an potential memory leak in macEnv.c.
> 
>> [src/libCom/macLib/macEnv.c:66]: (error) Common realloc mistake: 'dest' nulled but not freed upon failure
> 
>> dest = realloc(dest, n);

I believe that particular spot is actually a false positive, the
realloc() call there only ever _reduces_ the size of the allocated
buffer, so it should never actually fail. If the destination buffer is
no longer needed (n==0, but I don't know if that is actually possible)
then the realloc() call would free the buffer and return NULL, which is
exactly what would be wanted anyway.

> Sorting through this for all of Base will take some time.
> 
> http://cppcheck.sourceforge.net/

Thanks, I will take a look (it is packaged for RHEL-7 as is the GUI so I
just installed both). I like that there's a Jenkins plugin, although
it's currently orphaned (in search of a maintainer). Do you have any
config files for Base already?

- Andrew

-- 
Arguing for surveillance because you have nothing to hide is no
different than making the claim, "I don't care about freedom of
speech because I have nothing to say." -- Edward Snowdon