Newsgroups: php.internals
Message-ID: <4B0D2DBE.6000000@zend.com>
Date: Wed, 25 Nov 2009 15:14:38 +0200
From: jess@zend.com (Jess Portnoy)
To: Michael Maclean
CC: internals@lists.php.net
Subject: Re: [PHP-DEV] [PATCH] potential null dereference in ext/ftp/ftp.c

Hey,

The thing I like a lot about clang is that it can be used as a drop-in
substitute for GCC, so you can actually call clang or clang++ instead of
executing gcc/g++; see here:
http://clang.llvm.org/get_started.html

The results you published certainly look interesting :)

May the source be with you,
Best regards,
Jess Portnoy

Michael Maclean wrote:
> Hi,
>
> Jess Portnoy wrote:
>> clang is indeed a great tool but since it does a lot more than just
>> static analysis.
>
> Yeah, it looked like an interesting thing and so I decided to play
> with it. Incidentally, I discovered later that clang appears to
> compile PHP 5.3 pretty much flawlessly just now (at least for my
> particular set of configure options). The scan-build analyser thing I
> used ran the code through clang before forwarding it on to gcc for the
> actual compilation.
>
>> For those cases where one wants source code analysis, especially
>> security oriented, I'd recommend flawfinder
>> [http://www.dwheeler.com/flawfinder].
>
> I'll have a look. Thanks for the tip.
>
>> I ran it against the PHP 5.2.11 sources and am now sorting through
>> results, patching suggestions may follow :)
>
> Heh. If anyone wants to see the output from scan-build that I got,
> it's at http://mgdm.net/~michael/php-5.3-clang/ along with the
> notes.txt that I'm filling in as I go along.
>
> Michael