[SystemSafety] Static Analysis
David MENTRE
dmentre at linux-france.org
Wed Feb 26 09:26:43 CET 2014
Hello Peter,
Le 25/02/2014 21:40, Peter Bernard Ladkin a écrit :
> As the article points out, a simple automated reachability analysis
> would have highlighted the anomaly.
But one needs to review the result of the analysis, or determine a
criteria (e.g. over a given number of lines of dead code) to send an
error (without too many or no false positive, otherwise the error report
won't be used). And this should be integrated within the development
process (e.g. check before releasing a new version). The devil is in the
detail.
> Note that it has been out there
> in the open for a while - the code is open source.
Which show that without adequate manual or automated review, having code
(being open source or proprietary) does not help.
On a more positive note, yes having open-source code can allow some
formal verification by third parties, like for PolarSSL library:
http://blog.frama-c.com/index.php?post/2014/02/23/CVE-2013-5914
Sincerely yours,
david
More information about the systemsafety
mailing list