On Fri, Apr 25, 2014 at 07:14:25PM +0200, Dag-Erling Sm=F8rgrav wrote: > Ben Laurie <[email protected]> writes: > > Dag-Erling Sm=F8rgrav <[email protected]> writes: > > > https://en.wikipedia.org/wiki/Halting_problem > > Curious what the halting problem can tell us about finding/fixing bugs? > = > Some participants in this thread claim that there is no such thing as a > false positive from a static analyzer. A corollary of the halting > problem is that it is impossible to write a program capable to proving > or disproving the correctness of all programs. Hence, static analysis > must perforce produce both false positive and false negative results. > The purpose of static analysis in a compiler is to identify possible > optimizations; therefore it must be conservative, because a false > negative may result in incorrect code; therefore it will produce many > false positives. While I'm letting myself get embroiled in this, I have a question: Do you claim that the Clang static analyzer is essentially worthless for finding and fixing security-related bugs because it is more trouble to make use of its output than its output is worth, or does it only *seem* like that is your claim? -- = Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ] _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"