> not actually make them on your OWN fork? Clickbait, gross.
Yup. Something like :
> You have bugs in your codebase of 1M+ line, you want to fix them ? Buy my proprietary software for 30$/Month per user , which was built 100% on open source tech obviously.
Getting traffic using linting issues from a large codebase to promote a proprietary software , Outrageous.
One thing that puzzles is me is why some of these checks aren't just part of the warnings that a compiler emits. I get that you wouldn't want to enable them all the time, but usually comparing a variable to itself is not what you want.
gcc and clang have been getting better at this recently. For instance if you do an "x == x" comparison for an int x clang will warn "warning: self-comparison always evaluates to true [-Wtautological-compare]".
I completely agree that having these warnings in the compiler is much better than a standalone analysis tool, because they're less likely to be ignored. But I think it may have been a bit of a shift of mindset for the compiler developers to put more effort into warnings and diagnosing dubious code rather than simply being a code generator for correct code.
I agree, but my sense is that the number of people and projects willing to fix complaints reported by compiler warnings is larger than the number of people who care enough to run a separate tool over their codebase. This is purely a UI thing -- if the compiler had a -Wlint option that ran lint and integrated its reports into its own warning output it would probably have a similar effect, especially if enabled by default...
To add on this, clang-tidy is a tool specifically for static code analysis. I don't know if it implements all the checks mentioned in the article, but it is quite powerful, being able to detect eg. array overruns through several layers of function calls and ifs.
Sure, and there are cases where you may been reading from some volatile register or something. But that's why I mentioned that this is usually what you want, not always :)
Two main reasons: Many warnings that a static analyzer will emit are quite costly to detect, so the compilation would get slower. And since compilation speed is an important benchmark (if not the most important), one would usually not sacrifice this for some warning.
Also, people usually do not accept false-positives in compiler warnings. Static analyzers often have heuristics to detect typos like these:
a.x = x;
a.y = y;
a.y = z; <==
But those heuristics will usually also emit false-positives. This is why pretty much all static analyzers have an easy way to suppress warnings for a certain line (usually through a "magic comment"), but suppressing compiler warnings for a single line is much more cumbersome, since it has to be done through the preprocessor.
One of the best blog-ads for a product I've seen in a long time.
It effectively shows value of their software while being interesting enough and relevant to something popular that already has (some) following. Perfect.
Makes me wish they had something similar for JS or Python. I know I've made these mistakes all too often.
Yeah. I think the analyzer is pretty neat. It's cool to focus on human mistakes writing code rather than validity of code itself. I see a bunch of errors I've made before, especially when copying and pasting. Time to find something like this for vscode to do realtime linting of human errors.
That being said, I think this article really overstates the dire state of Lumberyard. Yep, it has bugs. I don't think this convinces me that the sky is falling if the devs don't change their ways.
I work at one of the companies who's product they "reviewed" and many of us got unsolicited emails basically saying, we found all these bugs using our code analyzer. Buy a license from us to fix them or we will post a negative review of your code.
It's a horrible business practice and they do that with many open source products. This behavior shouldn't be praised.
No, that's not blackmail. You can only blackmail through exclusive knowledge. If they tested your code, then I'll assume your code is out there in the open, so anyone can run your code through a static analyzer and write a blog post about it.
Yes, these posts are advertisements for PVS-Studio, and since they frequently land on HN, they obviously work for them. Besides, you don't even have to buy PVS-Studio, since the Demo already will show you the complete analyzer output, you just won't be able to directly jump to the source.
I understand why you feel bad about them, and certainly I would feel the same in the same situation, but it's hard not to admit that revealing bugs to the public is very often the only way to make coders pay attention. So even if their intention is only to squeeze money out of targeted companies, at the end of the day they force devs to eliminate bugs this way, or another. Which is good for users, I suppose.
Judging by the errors they describe the code in question really wants some static analyzer love. Even the free/OSS ones can handle 'em. x==x, true || true, etc...
Maybe something got lost in translation? "Fix the bugs or we will publish" seems to be standard operating procedure for security researchers who randomly find a vulnerability. Maybe they just wanted to tell you that you'd be able to use their tool to fix those bugs more easily.
The difference to me is whether they list all the bugs (while suggesting that their product would help) to the developer before publishing or not. If the only way to satisfy them is to pay, then it's incredibly scummy and moreover is a big disincentive for companies to open their source code. After all, every code base has bugs and I'm sure their developers were working on fixing bugs already, but only open source projects can be extorted over their bugs.
In this case, they shouldn’t have to ask. If you’re going to provide a vulnerability report, provide a vulnerability report. Don’t dance around it to see if you can make money first.
It clearly does not apply to Amazon affiliate payments only, but is asking for a specific affiliate program with the manufacturer being set up - if it were Amazon affiliates, there'd be no need for them to be involved.
The optics of asking for that and after being denied changing the recommendation (presumably to something where they do get affiliate payouts) are quite bad.
That's a problem for the Wirecutter with products not available on Amazon: their (IMHO reasonable) argument has been that since they get the payout from a Amazon and not the individual vendors, they have no incentive to recommend a product that's not the best, since they get paid for whatever they recommend. This only works as long as everything tested is on Amazon. As soon as they start creating individual agreements with manufacturers, it becomes a lot less obvious that they can be trusted to not optimize for the most profitable affiliate terms. (Maybe there'd be something about having a policy that all agreements have to be the same, but that's tricky)
Yeah, me too. Thought they were a legit site, and always checked them for 3-4 things I've bought they cover. Now I see them as any other site, to be read with a grain of salt.
You are saying you and your company do not want to fix your buggy code but at the same time you do not want your customers/users to know that your product contains buggy code. Interesting.
Not what I said. Will gladly fix bugs someone discovers. You can also freely point them out, you can even publish them if you want to bring it to our attention. You can even use it to sell your code analysis tool. That's cool with me.
But don't email me asking for money and threatening to write a bad review if I don't do as you say.
Why would anyone choose Lumberyard over CryEngine directly? I would think that ones core product will always be better maintained then just some side project that was bought in.
Well, Crytek's financial state isn't the most stable for one. Also Lumberyard's aim is to replace pretty much everything in the long run, some parts of the CryEngine are quite...interesting compared to other engines and the work Amazon has done for example regarding animation and workflow improvements has been great.
Cryengine is notoriously difficult to use. Crytek have also had severe financial difficulties. Amazon have their own team working on the source, I'm not sure how this has worked out but clearly amazon have plenty of resources to throw at it if they choose to.
Crytek recently (and it may still be going on) sued Cloud Imperium Games (CIG, the people behind StarCitizen) for switching from Cryengine to Lumberyard.
The details are few and far between, but the possibility or being sued by the vendor would be a bit off putting for me.
I remember reading about this and being left with the impression that CryTek was in the green there. Don't remember any details, but it wasn't as ugly as it sounds, though I also got the impression that CryTek weren't entirely graceful.
I think you might have written CryTek there when you meant CIG so I'm not sure quite what you meant. Was it:
> I remember reading about this and being left with the impression that [CIG] was in the green there.
If so, ISTR CIG is fine, but then they have a lot of money and fancy lawyers, a lot of smaller companies might have fared less well, and it doesn't really look good when a vendor is seen to be suing their customers because it is rumoured they are running out of money.
Would someone like Unreal have swallowed that from a client in order to avoid bad PR? Possibly. But if the allegations are true then I wouldn't go so far as to expect (in the moral sense) CryTek to let it slide.
I'm not sure that CryTek have the moral high ground here as you seem to suggest.
CIG have moved to Lumberyard, a tech based on CryEngine, so lines of similar looking code are seemingly expected.
And the license was negotiated for a single game, not two as StarCitizen now is, but this would seem to be negated by the fact that these games are no-longer using CryEngine.
On the subject of CIG passing back engine improvements or not to CryEngine, I don't know.
Intel is still around but a number of game technologies they bought are not anymore. Lumberyard appears to be rather far from the core (or even the periphery) of Amazon's business, so it's a valid concern.
The version lumberyard started with a 2016 engine, a few revisions behind Crytek's current engine. Crytek had fixed some of the logic bombs, as mentioned in the article, in their current release.
Similar to linting, where often I need variation in rules, sometimes there's red herrings even in static code analysis.
Game software in general can be fly-by-the-wind because it's real-world software
... of course this is all me reacting and trying to argue with the clickbait :/