Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:101294
Return-Path: <tom@ctors.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 75565 invoked from network); 10 Dec 2017 15:19:21 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 10 Dec 2017 15:19:21 -0000
Authentication-Results: pb1.pair.com header.from=tom@ctors.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=tom@ctors.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ctors.net designates 209.85.217.180 as permitted sender)
X-PHP-List-Original-Sender: tom@ctors.net
X-Host-Fingerprint: 209.85.217.180 mail-ua0-f180.google.com  
Received: from [209.85.217.180] ([209.85.217.180:37197] helo=mail-ua0-f180.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id EA/52-53433-8705D2A5 for <internals@lists.php.net>; Sun, 10 Dec 2017 10:19:20 -0500
Received: by mail-ua0-f180.google.com with SMTP id l36so10374721uae.4
        for <internals@lists.php.net>; Sun, 10 Dec 2017 07:19:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ctors-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:from:date:message-id:subject:to;
        bh=ces8TXblKpDizwfbjKHfL5AFYmsyty7CdhpOH65ZUf4=;
        b=kuT9A3pu/RbXjOK+s7fAa8eIJnlw+DVhp8Adr5fbj6vYJtyWAzVYXhB6pjaLTLjYQd
         Qm2yYYRRzMfwrI8T6nS4EEk22S3gdeWRT5NJkI3QO+I0d4+yt68IySpYAXW+1SwGt4QM
         iBjNIhjH+nspZ0WrgOdxUMV1Ik9I5uhOyvpCumibb4VTQ7t0BYkxhc/p7YF+6z51S/Pe
         +A/GejSa1WJ6dcs4MZrWAGJsOuk0INGGk44GD1krELs12GV+CTq5Kd0JJ8c7Uce00OCf
         Jll+un+tjuv2CNxY/Rquk1qRC0P2m8lUleTkbpgq48aCaNDSH8uceRbOhEB60i+tJh29
         2o/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=ces8TXblKpDizwfbjKHfL5AFYmsyty7CdhpOH65ZUf4=;
        b=gtINxi+wiWRj8OyQjudYMzN3VACrcF/1VowAFp9eMbLX7DzHA8Blo9fVcwXYbqZmfP
         Sj94zcjVEef0/ogeif4lC+84rJSNF+GOfx5UnDsPOHA73clc60/p0JiwSyPtcAh4ejo8
         YoB8VHev8gzsBz5aSdF6/KyFwvammXeSzTrpQQDkkBe5f7URRxkr7ht4sHCoXTmEGdp0
         kYXSyiAp3tj9Xboje330coiVAkqo9Cvn2EIJom/fFF7JaSdy9iO5NbrRRrPW6x7AdQTE
         1+SSzibEbAHv2WFVt3QaQ2rhn14SgslUomopJ9m51PSmzZfg939C8AGB5Hvr45lDWUz7
         DY/g==
X-Gm-Message-State: AKGB3mK8P4Q/fh94ndqCvmND4lrpLt0p4rvzItvNT7qPEZIoEieIeraA
	+mnyY8+/hdkksdFvtgzJifud2ox5kRAdqXDvvYX5PggFA3Y=
X-Google-Smtp-Source: AGs4zMbaqM5tU85pmYWKgReMKapLg0WMW3msp87bTXx8A+dNci4V6CJZ3OMg+eSCyRhDht/UpzIrduS2gwt+a5gIwCY=
X-Received: by 10.176.23.81 with SMTP id k17mr13924948uaf.131.1512919157315;
 Sun, 10 Dec 2017 07:19:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.103.56.203 with HTTP; Sun, 10 Dec 2017 07:19:16 -0800 (PST)
X-Originating-IP: [94.226.33.191]
Date: Sun, 10 Dec 2017 16:19:16 +0100
Message-ID: <CAN+C6bW7_zW7M5yWnNYch7eU94d4ZVY0BMK0+-_vq=6=5rqMfg@mail.gmail.com>
To: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="f40304361f32f22cc6055ffdf01b"
Subject: Improving php-src with static analyzers
From: tom@ctors.net (Tom Van Looy)

--f40304361f32f22cc6055ffdf01b
Content-Type: text/plain; charset="UTF-8"

Hi folks

I have the idea to improve the PHP source by using static analyzers. The
first one that I would use for this is clang's scan-build and the second
one is Coverity. The idea is not new, because I can find people talking
about this on the internals mailing list, but that is all at least 4-6
years ago.

I found some interesting things with these tools already but there are some
false positives too. It just takes time to look into the reports and figure
it out, but for me it's a good way to learn more about C and php-src. If
you could share your experience with static analyzers that would be great,
maybe there are better analyzers out there that I don't know about, let me
know. Is there are reasons why PHP doesn't use these tools in the build
process, or maybe they are used but I just don't know, also let me know.
Maybe you think this is just a bad idea, please share your opinion.

I see that there is already a php-src project on Coverity but it was not
analyzed for years. I have my own project on Coverity
https://scan.coverity.com/projects/php-src-tvlooy just ask if you want
access.

I don't have much C experience. So before I get more people on board with
this idea I would welcome some feedback from people that know better than
me.

Thanks in advance!

Kind regards,

Tom Van Looy

--f40304361f32f22cc6055ffdf01b--