Thread: Android kernel: revealed 359 software defects
View Single Post
javispedro's Avatar
javispedro is offline javispedro
2010-11-04 , 21:46
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#14
Originally Posted by microe View Post
FWIW, Coverity does a very good job on showing only real invalid pointer defects (or real defects of any type for that matter). If you have experience w/ the tool, I am surprised that you would still have that opinion.
I have no doubt it makes the best good job it could do. The problem is that it is theoretically impossible for it to do the perfect job. I have no experience with Coverity, but I do have some experience in compiler design.

Only in an insane world 359 "potential" null dereferences implies 359 software defects, and only in an even more insane world 359 software defects imply 359 CRITICAL security issues.

Originally Posted by PMaff View Post
I would ask why there is no
check for c and f at first.
;-)
Plain defensive programming.
Ah, a Java user! Do you know that GCC has both a always-check-for-nulls-before-first-deference and a array bounds checking patch? I leave as an exercise to the reader why Linux doesn't use them.

You know that sometimes when you look at your code over and over again you simply miss certain points.
Especially after long nights, much coffee and pizza.
And I agree, as I said: the more eyes the better.
Last edited by javispedro; 2010-11-04 at 21:48.