University of Minnesota today coming out with groundbreaking research that the best C programmers in the world can't tell if you're giving them bad C
maybe C is bad
I feel like I would have been tricked by this regardless of the programming language, literally just on the basis of the authority of "affiliated with the University of Minnesota"
yeah this is mostly that they sent a bunch of patches claiming to be fixing issues found by static analysis tools, implying that they knew what they were doing, and coming from a reasonably trustworthy source
--> the patches got fairly little review
I've glanced through their paper and I don't see them accounting for or even mentioning the bias that would exist when you submit patches from a university vs., say, an individual account.
They didn't submit them that way. You're confusing the good faith patches that are being reverted from the university with the ones submitted from sockpuppet email addresses for the experiment using Gmail.
Are you sure? This patch doesn't seem to be very "good faith" (though it's possible I'm missing something here?).
lore.kernel.org/linux-nfs/YH5%
They've been regularly involved in submitting fixes based on static analysis. Not all of those patches are correct. Tools have many false positives and the students make mistakes. Do you have any evidence that this has to do with the study, which seemed to use Gmail addresses?
You could look through lots of other fixes submitted to fix issues uncovered by static analysis from many other sources and find the same thing. Many of those patches are not fixing real issues. Some attempt to fix real issues incorrectly. Others attempt to fix non-issues.
Static analysis does uncover real issues, but most of the issues are usually false positives. It's then up to the programmer to make a proper fix. They're often unfamiliar with the code, and the issues are often quite subtle. It's C, so many tiny mistakes lead to code exec bugs.
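The incorrect-fix pattern described in this reply, as an added example that is not part of the thread: a "fix" for a static-analysis leak warning frees a buffer on an error path, not knowing the caller already frees it on failure. The tracking allocator, `struct req` and the ownership contract are hypothetical, there so the double free is observed as a count instead of as undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical tracking allocator: counts frees of one live allocation so a
 * double free shows up as free_count == 2 rather than as a crash. */
static void *tracked_ptr;
static int   free_count;

static void *tracked_alloc(size_t n) { free_count = 0; tracked_ptr = malloc(n); return tracked_ptr; }
static void  tracked_free(void *p)   { if (p == tracked_ptr && ++free_count == 1) free(p); }

struct req { char *buf; size_t len; };

/* Ownership contract (hypothetical): if submit() fails, the caller still owns
 * r->buf and frees it. A static analyzer that cannot see the caller may flag
 * the error path as "possible leak of buf". */
static int validate(const struct req *r) { return (r->len > 0 && r->len < 64) ? 0 : -1; }

/* The incorrect fix: silences the leak warning by freeing on the error path,
 * which now double frees once the caller also frees (the pattern the reply describes). */
int submit_bad_fix(struct req *r) {
    if (validate(r) < 0) { tracked_free(r->buf); return -1; }
    return 0;
}

/* The correct version: the error path leaves ownership unchanged. */
int submit_correct(struct req *r) {
    if (validate(r) < 0) return -1;
    return 0;
}

/* Caller honouring the contract: frees buf exactly once, on failure or after
 * successful use. Returns how many times the buffer was freed in total. */
int run_caller(int (*submit)(struct req *), size_t len) {
    struct req r = { tracked_alloc(64), len };
    if (submit(&r) < 0) tracked_free(r.buf);   /* caller owns buf on failure */
    else                tracked_free(r.buf);   /* ...and after use on success */
    return free_count;                         /* 2 means a double free happened */
}
```

Running `run_caller(submit_bad_fix, 0)` reports two frees of the same buffer, while `submit_correct` frees exactly once on both paths; the warning was real only from the analyzer's narrow view, and the patch that "fixed" it created a memory-safety bug.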