Comment by jokoon

4 days ago

Does it require annotations or can it validate any C code?

It's odd that so many people promote Rust, yet we don't even use static analysis and validators for C or C++.

How about enforcing coding standards automatically first, before switching to a new language?

Not sure what this post has to do with Rust, but people do use static analysis on C and C++. The problem is that C and C++ are so flexible that retrofitting static verification after the fact becomes quite difficult.

Rust restricts the shape of program you are able to write so that it's possible to statically guarantee memory safety.

> Does it require annotations or can it validate any C code?

If you had clicked through you would see that it requires annotations.

Today's experts are the novices of 40 years ago, and today's novices will be the experts in 40 years.

C and C++ don't require static analysis, and it's difficult to set up, and so most of us slide down the incentive gradient of using C / C++ without any helpers except CMake and gdb.

Rust requires it, so the noobies use it, so in 40 years the experts will accept it.

  • > it's difficult to set up

    Is it though? I've only ever had to run "scan-build make" for my projects and it spits out a full folder of HTML pages that details any static analysis issues, and I didn't have to change my build system at all.

    • For a company codebase maybe not, but for solo projects, yeah, it can be. What exact options do you enable in clang-tidy? Have they changed since the last version you used and now you need to change the config? Do you run Cppcheck?

      This version of Qt has leaks on exit, so you need to ignore them when running ASan/Valgrind, etc.

      I agree it's not that hard and should be standard; same regarding enabling all warnings that are reasonable and enabling warnings as errors.

> we don't even use static analysis and validators for C or C++

There is some use, how much I don't know. I guess it should be established best practice by now. Also run test suites with Valgrind.

Historically many of the C/C++ static analyzers were proprietary. I haven't checked lately but I think Coverity was (is?) free for open source projects.