Using static analysis in Asterisk

Unfortunately the frequent changes in the project have led to a large number of bugs. We use PVS-Studio (and some others too) as one of the best static code analyzers. Its advantage is that it finds non-obvious errors, such as typos and violations of logic.

I am not an employee of the company and have nothing to do with them. I just want the quality of your project to finally improve.

They have recently opened their system to open source projects.

Sample analysis of the Asterisk project in 2014 (since then the system has greatly improved):

I ask you to introduce this analyzer (or a better one, and others) into the continuous build system.

Example of usage in CI and on Linux:

How to use it for free in Asterisk and other open source projects:

Auto-created comments for free use:

We’ve used static analyzers in the past. Sometimes they have been successful; more often than not, they raise more false positives than actual bugs.

A good example of this would be Asterisk’s ao2_callback function. That function can return both a pointer to an allocated ref counted object (which must be decremented with ao2_ref) or NULL, depending on whether or not OBJ_NODATA is passed to the function. Static analysis tools almost always flag every usage of that as leaking memory as the function technically can return an allocated object, despite the fact that the function cannot leak memory with that flag being absent. They aren’t smart enough to recognize that a lack of OBJ_NODATA will always return NULL.

Because these tools typically produce vast amounts of false reports, integrating them into our CI processes has a substantially high developer cost that - so far - has not been deemed to be worthwhile. Going through vast reams of data looking for one valid bug is not a good use of developer time.

That being said, all of our CI processes are also open source, so if someone wanted to integrate a static analysis tool into them, they could propose that on Gerrit.

If you feel like a static analysis tool has found a valid issue, please feel free to report that on the issue tracker. It would be highly preferred if you also provided patches to fix said issues, as - again - most static analysis tools raise false positives with Asterisk, and the development team is highly unlikely to spend any time to investigate a report for you.
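As an added example that is not part of this thread or of Asterisk's own code: a constructed toy model of the ao2_callback/ao2_ref/OBJ_NODATA contract discussed in the reply above, together with the caller idiom that is correct under either flag value and gives a flow-insensitive analyzer nothing to flag on the non-NULL path. The container, object, reference counting and match_name helper are all constructed here; in this toy, OBJ_NODATA means "run the callback but hand back no object", so the search returns NULL and no reference is transferred to the caller.

```c
#include <stddef.h>
#include <string.h>

/* Constructed toy model of a ref-counted object and a container search,
 * patterned on the ao2_callback/ao2_ref/OBJ_NODATA behaviour described in
 * the thread. It is NOT Asterisk's astobj2 implementation. */

enum search_flags {
    OBJ_NONE   = 0,
    OBJ_NODATA = 1 << 0,   /* toy: run the callback, return no object */
};

struct ao2_obj {
    int refcount;
    int freed;             /* toy: set when the last reference is dropped */
    char name[32];
};

struct ao2_container {
    struct ao2_obj *items[8];
    size_t n;
};

/* toy ao2_ref: adjust the count; at zero mark the object freed (a real
 * implementation would call free(), we keep the struct so tests can look). */
static int ao2_ref(struct ao2_obj *obj, int delta)
{
    int old = obj->refcount;
    obj->refcount += delta;
    if (obj->refcount == 0)
        obj->freed = 1;
    return old;
}

typedef int (*ao2_callback_fn)(void *obj, void *arg, int flags);

/* toy ao2_callback: the first item the callback matches is returned with
 * one extra reference that the caller must drop, unless OBJ_NODATA is set,
 * in which case the callback still runs but NULL is returned. */
static void *ao2_callback(struct ao2_container *c, enum search_flags flags,
                          ao2_callback_fn cb, void *arg)
{
    for (size_t i = 0; i < c->n; i++) {
        if (cb(c->items[i], arg, flags)) {
            if (flags & OBJ_NODATA)
                return NULL;          /* no reference handed out */
            ao2_ref(c->items[i], +1); /* caller now owns this reference */
            return c->items[i];
        }
    }
    return NULL;
}

static int callback_calls;            /* shows the callback runs under NODATA */

static int match_name(void *obj, void *arg, int flags)
{
    (void)flags;
    callback_calls++;
    return strcmp(((struct ao2_obj *)obj)->name, (const char *)arg) == 0;
}

/* Caller idiom that is correct for both flag values: release any non-NULL
 * result. Because the release is unconditional on the non-NULL path, the
 * analyzer's "possible leak" report has no path to point at. */
static int lookup_and_release(struct ao2_container *c, enum search_flags flags,
                              const char *name)
{
    struct ao2_obj *obj = ao2_callback(c, flags, match_name, (void *)name);
    int found = obj != NULL;
    if (obj)
        ao2_ref(obj, -1);             /* drop the reference ao2_callback gave us */
    return found;
}

/* Constructed demo container: two objects, each held once by the container. */
static struct ao2_obj demo_objs[2];
static struct ao2_container demo;

static struct ao2_container *make_demo_container(void)
{
    memset(demo_objs, 0, sizeof demo_objs);
    memset(&demo, 0, sizeof demo);
    strcpy(demo_objs[0].name, "alice"); demo_objs[0].refcount = 1;
    strcpy(demo_objs[1].name, "bob");   demo_objs[1].refcount = 1;
    demo.items[0] = &demo_objs[0];
    demo.items[1] = &demo_objs[1];
    demo.n = 2;
    callback_calls = 0;
    return &demo;
}

static int demo_refcount(size_t i) { return demo_objs[i].refcount; }
static int demo_freed(size_t i)    { return demo_objs[i].freed; }
static int demo_callback_calls(void) { return callback_calls; }
```

The point of the idiom is that the balance holds on every path: with OBJ_NODATA no reference is created and none is dropped; without it exactly one reference is created by the search and dropped by the caller, so the container's own reference is the only one left afterwards.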