-
In theory, sound static analyzers could be another method by which this is achieved in existing projects. They claim to be able to catch all instances of this. Some examples of sound static analyzers include:
https://www.absint.com/astree/index.htm
https://github.com/NASA-SW-VnV/ikos
https://github.com/static-analysis-engineering/CodeHawk-C
I have planned to try using this on OpenZFS for a while, but I am still busy reviewing and fixing reports made by conventional static analyzers. I plan to look into these next.
That said, at least one of them claims to be able to prove the absence of issues in C that checked C explicitly says it cannot prevent. The obvious one is use-after-free.
-
InfluxDB
InfluxDB – Built for High-Performance Time Series Workloads. InfluxDB 3 OSS is now GA. Transform, enrich, and act on time series data directly in the database. Automate critical tasks and eliminate the need to move data externally. Download now.
-
In theory, sound static analyzers could be another method by which this is achieved in existing projects. They claim to be able to catch all instances of this. Some examples of sound static analyzers include:
https://www.absint.com/astree/index.htm
https://github.com/NASA-SW-VnV/ikos
https://github.com/static-analysis-engineering/CodeHawk-C
I have planned to try using this on OpenZFS for a while, but I am still busy reviewing and fixing reports made by conventional static analyzers. I plan to look into these next.
That said, at least one of them claims to be able to prove the absence of issues in C that checked C explicitly says it cannot prevent. The obvious one is use-after-free.
-
checkedc
Checked C is an extension to C that lets programmers write C code with bounds checking and improved type-safety. The goal is to let people easily make their existing C code type-safe and eliminate entire classes of errors.
-
checkedc-llvm-project
This was a fork of Checked C clang used from 2021-2024. The changes have been merged into the original Checked C clang repo, which is now at https://github.com/checkedc/checkedc-clang.
Note that active development seems to be continuing here:
https://github.com/secure-sw-dev/checkedc-llvm-project
-
c2nim
c2nim is a tool to translate Ansi C code to Nim. The output is human-readable Nim code that is meant to be tweaked by hand before and after the translation process.
Well I'm 99.5% certain at least. Even now I'm uncertain of the C syntax. And I've not been bold enough to test 3rd order C function pointers. I figure that's probably C code you don't wanna touch if possible.
https://github.com/nim-lang/c2nim/blob/11f2c5363dfe7e8c7c8ce...
The other annoying one is that "signed" and "unsigned" are basically adjectives, but "long" can be both a type and a modifier. So it's difficult to parse unless you're the target C compiler. Technically you can, but you have to use backtracking.
-
Does anybody know how does this compare to https://compcert.org/ ?
-
> difficult to parse
Not really. Just create a bit mask.
https://github.com/dlang/dmd/blob/master/compiler/src/dmd/cp...
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
-
codeql
CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
-
-
That sounds a bit like what WUFFS is doing
WUFFS: https://github.com/google/wuffs
-
static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
https://github.com/analysis-tools-dev/static-analysis
-
Related posts
-
PVS\-Studio 7\.34: support for Apple Silicon ARM64, \.NET 9, taint analysis in Java analyzer, and more
-
CodeChecker - code quality control using PVS-Studio
-
The NSA list of memory-safe programming languages has been updated
-
The Fil-C Manifesto: Garbage In, Memory Safety Out
-
Show HN: MicroTCP, a minimal TCP/IP stack