the newer fortify/security work in gcc provides some nice checks which portage
doesnt currently flag. those are:
": warning: array subscript is below array bounds$"
": warning: array subscript is above array bounds$"
": warning: attempt to free a non-heap object"
": warning: .* called with .*bigger.* than .* destination buffer$"
": warning: call to .* will always overflow destination buffer$"
this should catch the kind of checks where people check for pointer math
overflow but dont realize that gcc optimizes it away:
": warning: assuming pointer wraparound does not occur when comparing "
these tend to be typos in code:
": warning: hex escape sequence out of range$"
": warning: [^ ]*-hand operand of comma .*has no effect$"
these too are typos/thinkos involving NULL instead of a value of 0, or
misordering of arguments:
": warning: converting to non-pointer type .* from NULL"
": warning: NULL used in arithmetic$"
": warning: passing NULL to non-pointer argument"
these tend to be thinkos which result in incorrect behavior:
": warning: the address of [^ ]* will always evaluate as"
": warning: the address of [^ ]* will never be NULL"
think "char foo" and later doing "if (foo) ..."
i cant see this being valid:
": warning: too few arguments for format"
or trying to return addresses to function locals:
": warning: reference to local variable .* returned"
": warning: returning reference to temporary"
": warning: function returns address of local variable"
07-19-2010, 10:22 PM
new warnings to catch from gcc in portage
no feed back, so pushed to latest portage. guess we'll see what blows up.