>> I'm testing on Fedora 32, which provides GCC 10.1. GCC 10 offers an analyzer. You can engage the analyzer with
>> -fanalyzer.
>
> I didn't actually try to understand these exact issues but just want to emphasize that these are still early days for
> the -fanalyzer option.
>
> I spent significant time on the issues it found in curl and they all ended up false positives (without any proper and
> non-introsive way to silence them). For this reason I do not yet enable gcc -fanalyzer in any CI builds in my projects.
>
I haven't yet analyzed your result. But I don't personally have problems with accepting PRs that silence analyzer
warnings, even if they are false positives.
On other projects I work on, we actually mandate any commits pass clang's static analyzer cleanly, along with a very
aggressive set of compiler warning flags, even if the reports are all false positives. Some times silencing involves
adding a NULL check even if you know its impossible for the variable to be NULL but the analyzer doesn't. The end
result usually means you start thinking about coding differently which results in more obvious code not only to the
analyzer but to other humans. It also means its much easier to catch real issues when you don't have to sift through
hundreds of false positives. Conversely, if you've ever messed with Coverity, its impossible to silence some of their
false positives my modifying code, you have to use their dashboard, I never could figure that one out :/
-Brad
Received on 2020-07-18