The Debian key generation issue is a particularly well known example, but there are lots of others. Lots of projects have had bad experiences with it. Here's one: sqlite.org/testing.html#s.
Conversation
"Static analysis has found a few bugs in SQLite, but those are the exceptions. More bugs have been introduced into SQLite while trying to get it to compile without warnings than have been found by static analysis."
1
1
It's like that for Linux kernel as well. There are classes of bugs that defy casual static analysis and you have to basically make your own runtime correctness checking tools (lockdep etc)
1
1
This Tweet was deleted by the Tweet author. Learn more
Choosing safe architectures and tools is obviously part of good design. Those design choices made before starting to write any code for the implementation are some of the most important. Static analysis can be quite helpful, but depends a lot on the language making it work well.
1
1
Static analysis doesn't work well for C, due to the lack of memory safety and very weak type system. It's very difficult to accurately analyze. It loses far more of the intent behind the design than a safer language and/or one with features for writing more structured code.
1
This Tweet was deleted by the Tweet author. Learn more
I haven't made any statements that resemble "it seems plausible to me". You keep taking the approach of attacking me and misrepresenting what I've been saying.
The statements I made about static analysis and self-explanatory. It works better when code has stronger guarantees.
1
1
1
In C, there are not many guarantees that *enforced* at compile-time. Static analysis works much better when it can build on lots of guarantees including about pointer aliasing. It can't work as well with something like references in Java vs. Rust where they are very constrained.
1
1
Type systems themselves can be used to enforce many guarantees. That's a much more rigorous form of static analysis compared to heuristic-based checks. Rust's type system statically guarantees things like methods requiring an open file not ever being called on a closed file.
1
1
An external static analyzer has to build on top of the type system. When it looks at code doing something like writing to a reference, knowing that the reference is guaranteed to point to only something with that type is a big deal, as are further memory dependency guarantees.
So, for example, in Rust, a write through a mutable reference *cannot* do anything that would be seen through any of the current immutable references. The static analyzer knows that the write to &mut T does not impact what &T references can see and so on. That's how they work.
1