xazax.hun added a comment.

In D35068#1361902 <https://reviews.llvm.org/D35068#1361902>, @Szelethus wrote:

> In D35068#1069880 <https://reviews.llvm.org/D35068#1069880>, @koldaniel wrote:
>
>> I've evaluated this checker on LLVM+Clang; there were only a few (about 15) warnings, because of the C11 flag check at the beginning of the checker body. However, if this check was removed, the number of warnings would increase significantly. I wouldn't say the findings were real security issues; most of the warnings were about usages of deprecated functions, which have not been considered insecure (but which may cause problems if the code is modified in an improper way in the future).
>
> My problem is that LLVM+Clang isn't really a C (nor a C11) project, and I think judging this checker on it is a little misleading. Could you please test it on some C11 projects? I think tmux uses C11.
>
> Edit: it doesn't, but CMake is mostly a C project and it does!

What do we want to validate here? The lack of crashes? Or evaluate the false positive ratio?

I have some doubts about evaluating this checker on open source projects. If a project does not care about the safe versions of these functions, all of the results will be false positives (or a project might actually care but will not be able to comply due to portability constraints). If a project does care about using the safe variants, they are most likely already using another tool to verify this. So I think the main value here is to subsume other tools.