Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:46188
Return-Path: <michael@no-surprises.co.uk>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 44320 invoked from network); 25 Nov 2009 12:40:28 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 25 Nov 2009 12:40:28 -0000
Authentication-Results: pb1.pair.com header.from=michael@no-surprises.co.uk; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=michael@no-surprises.co.uk; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain no-surprises.co.uk designates 80.68.93.37 as permitted sender)
X-PHP-List-Original-Sender: michael@no-surprises.co.uk
X-Host-Fingerprint: 80.68.93.37 river.mgdm.net  
Received: from [80.68.93.37] ([80.68.93.37:51355] helo=river.mgdm.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id BE/09-33335-1952D0B4 for <internals@lists.php.net>; Wed, 25 Nov 2009 07:39:45 -0500
Received: from [192.168.1.118] (213-78-200-191.ppp.onetel.net.uk [213.78.200.191])
	(Authenticated sender: michael)
	by river.mgdm.net (Postfix) with ESMTPSA id AB46628075;
	Wed, 25 Nov 2009 12:39:42 +0000 (GMT)
Message-ID: <4B0D258E.3060403@no-surprises.co.uk>
Date: Wed, 25 Nov 2009 12:39:42 +0000
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Jess Portnoy <jess@zend.com>
CC: internals@lists.php.net
References: <4B0BE3B5.1030606@no-surprises.co.uk> <4B0D23E4.4070305@zend.com>
In-Reply-To: <4B0D23E4.4070305@zend.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c
From: michael@no-surprises.co.uk (Michael Maclean)

Hi,

Jess Portnoy wrote:
> clang is indeed a great tool but since it does a lot more than just 
> static analysis.

Yeah, it looked like an interesting thing and so I decided to play with 
it. Incidentally, I discovered later that clang appears to compile PHP 
5.3 pretty much flawlessly just now (at least for my particular set of 
configure options). The scan-build analyser thing I used ran the code 
through clang before forwarding it on to gcc for the actual compilation.

> For those cases where one wants source code analysis, especially 
> security oriented, I'd recommend flawfinder 
> [http://www.dwheeler.com/flawfinder].

I'll have a look. Thanks for the tip.

> I ran it against the PHP 5.2.11 sources and am now sorting through 
> results, patching suggestions may follow :)

Heh. If anyone wants to see the output from scan-build that I got, it's 
at http://mgdm.net/~michael/php-5.3-clang/ along with the notes.txt that 
I'm filling in as I go along.

Michael