[Cryptech Tech] [FORGED] More ideas for improved code quality
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Oct 12 03:27:58 UTC 2018
Linus Nordberg <linus at nordberg.se> writes:
> Run static code analysis beyond what the compiler usually
> performs. Useful tools include Coverity, the clang static analyzer and
> runtime sanitizers.
cppcheck is also very useful; its emphasis is less on semantic analysis and
more on design rules violations, which most other static analysers don't do. A
notable exception is PVS Studio, but that's kinda pricey.
>- Detecting memory leakage
>
> Running code under valgrind to find out if and where a program leaks
> memory can help in spotting memory handling errors.
Using the clang sanitisers also does a good job of finding issues like this,
I'd use ASAN and UBSAN at a minimum.
> Useful fuzzers include AFL [0], libFuzzer [1] and OSS-Fuzz.
honggfuzz is also quite good, and uses the same API as libFuzzer.
Peter.
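
Added example, not part of the original message or of the Cryptech code: a single fuzz target written against the libFuzzer entry point, which the message above says honggfuzz shares, built with the ASAN and UBSAN sanitisers it recommends. The parser parse_tlv(), its record layout and the file name tlv_fuzz.c are hypothetical stand-ins for the code under test.

```c
/* Added example: one fuzz target for libFuzzer-compatible engines.
 * parse_tlv() and its record layout are hypothetical stand-ins for
 * the code under test; tlv_fuzz.c is an assumed file name.
 * libFuzzer build with ASAN and UBSAN:
 *   clang -g -O1 -fsanitize=fuzzer,address,undefined tlv_fuzz.c */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Walks type(1) | length(1) | value(length) records.
 * Returns the number of complete records, or -1 if malformed. */
int parse_tlv(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int records = 0;

    while (off < len) {
        if (len - off < 2)
            return -1;          /* truncated header */
        size_t vlen = buf[off + 1];
        off += 2;
        if (vlen > len - off)
            return -1;          /* value would run past the input */
        off += vlen;
        records++;
    }
    return records;
}

/* Entry point the fuzzing engine calls once per generated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    int n = parse_tlv(data, size);

    /* Invariant: every record consumes at least two bytes. Aborting
     * turns a logic error into a crash the fuzzer records, alongside
     * the memory errors ASAN and UBSAN trap on their own. */
    if (n > 0 && (size_t)n > size / 2)
        abort();
    return 0;
}
```

The fuzzing engine supplies main(), so the file defines none.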