As far as I know we ran Coverity on Gecko way back in the day and it didn’t really do anything to address the flood of security problems.
This Tweet was deleted by the Tweet author. Learn more
Conversation
I think a distinction needs to be made between claims. I agree it's implausible that static analysis can find/fix any significant portion of flaws in C code with fundamentally bad object lifetime and ownership policy. OTOH...
1
This Tweet was deleted by the Tweet author. Learn more
I already wrote a thread explaining what I mean, which you know:
twitter.com/DanielMicay/st
Deliberating going out of the way to misrepresent my statements and then pretending I didn't clearly explain my thoughts on this is dishonest.
Quote Tweet
Replying to @vyodaiken @billhuey and 5 others
I haven't made any statements that resemble "it seems plausible to me". You keep taking the approach of attacking me and misrepresenting what I've been saying.
The statements I made about static analysis and self-explanatory. It works better when code has stronger guarantees.
1
Quote Tweet
Replying to @DanielMicay @vyodaiken and 6 others
In C, there are not many guarantees that *enforced* at compile-time. Static analysis works much better when it can build on lots of guarantees including about pointer aliasing. It can't work as well with something like references in Java vs. Rust where they are very constrained.
1
Quote Tweet
Replying to @DanielMicay @vyodaiken and 6 others
Type systems themselves can be used to enforce many guarantees. That's a much more rigorous form of static analysis compared to heuristic-based checks. Rust's type system statically guarantees things like methods requiring an open file not ever being called on a closed file.
1
Quote Tweet
Replying to @DanielMicay @vyodaiken and 6 others
An external static analyzer has to build on top of the type system. When it looks at code doing something like writing to a reference, knowing that the reference is guaranteed to point to only something with that type is a big deal, as are further memory dependency guarantees.
1
Quote Tweet
Replying to @DanielMicay @vyodaiken and 6 others
So, for example, in Rust, a write through a mutable reference *cannot* do anything that would be seen through any of the current immutable references. The static analyzer knows that the write to &mut T does not impact what &T references can see and so on. That's how they work.
1
Similarly, static analysis can infer much more about code in Java than Python, more in Go than Java and more in Rust than Go. A language allowing the code to be more dynamic and not enforcing as many useful invariants for static analysis in the type system impacts other analysis.
1
Of course, it might be more *useful* in Java than Rust, because in Rust you don't need it to prevent as many errors like null pointer dereferences and dynamic casting errors. That's a different thing than how much it can infer and how deeply it can analyze while avoiding guesses.
Just like an optimizing compiler, an expression like `*x = y` constrains what it can do. When this pointer is guaranteed to point to a certain type and not to alias any other pointers of that type, that gives it more information. It knows far more about what the code is doing.