Malcolm: Static analysis updates in GCC 11

Post Syndicated from original https://lwn.net/Articles/844525/rss

David Malcolm describes the progress in the GCC static analyzer for the upcoming GCC 11 release. “In GCC 10, I added the new -fanalyzer option, a static analysis pass for identifying various problems at compile-time, rather than at runtime. The initial implementation was aimed at early adopters, who found a few bugs, including a security vulnerability: CVE-2020-1967. Bernd Edlinger, who discovered the issue, had to wade through many false positives accompanying the real issue. Other users also managed to get the analyzer to crash on their code.

I’ve been rewriting the analyzer to address these issues in the next major release, GCC 11. In this article, I describe the steps I’m taking to reduce the number of false positives and make this static analysis tool more robust.”
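To see what the -fanalyzer pass mentioned above actually reports, here is an added example; it is not code from the LWN item, from Malcolm's article, or from the GCC project. It writes a small constructed C file with a double-free on one path, runs the compiler over it with -fanalyzer, and reports whether the analyzer flagged the defect. It assumes a GCC 10 or newer on PATH (override with the CC environment variable); with an older compiler, or one that lacks the option, it returns 2 instead of guessing.

```shell
#!/bin/sh
# Added example (not from the LWN post, Malcolm's article, or GCC itself):
# exercise GCC's -fanalyzer pass on a constructed C sample with a double-free.

CC="${CC:-gcc}"   # assumption: a GCC binary; set CC to point elsewhere

# Write the constructed sample. The bug is path-sensitive: when n < 8 the
# buffer is released early and then released a second time at the end.
write_sample() {
  cat > "$1" <<'EOF'
#include <stdlib.h>

/* Constructed defect for the analyzer: buf is freed twice when n < 8. */
int process(int n)
{
    char *buf = malloc(n);
    if (!buf)
        return -1;
    if (n < 8) {
        free(buf);   /* early release on the short-input path ... */
    }
    free(buf);       /* ... and released again here when n < 8 */
    return 0;
}
EOF
}

# Returns 0 if the analyzer reports a double-free, 2 if the compiler does not
# accept -fanalyzer, 1 if it ran but produced no such diagnostic.
run_analyzer() {
  dir=$(mktemp -d) || return 1
  src="$dir/sample.c"
  write_sample "$src"

  # Probe option support first so an old or non-GCC compiler is a clean skip.
  if ! "$CC" -fanalyzer -fsyntax-only -x c /dev/null 2>/dev/null; then
    rm -rf "$dir"
    return 2
  fi

  # The analyzer runs as a middle-end pass, so actually compile (-c), not
  # just syntax-check; discard the object and keep the diagnostics.
  out=$("$CC" -fanalyzer -c -o /dev/null "$src" 2>&1)
  rm -rf "$dir"
  printf '%s\n' "$out"

  # GCC names the diagnostic -Wanalyzer-double-free (CWE-415).
  case "$out" in
    *double-free*) return 0 ;;
    *)             return 1 ;;
  esac
}

# Stand-alone use: print the analyzer output and exit with its verdict.
run_analyzer
```

The interesting part of the output is the path the analyzer prints alongside the warning: it walks the reader through the `n < 8` branch to the first `free` and then to the second, which is exactly the kind of diagnostic trace that has to be trustworthy for the tool to be useful and that the false-positive work described above is meant to tighten.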