Today all bets are off. Does the tool do anything anybody needed? Does it work? Who knows. It might just be 700 lines of convincing-looking C churned out by a model.
However, both PVS-Studio and clang-tidy have a few complaints about the code. Since it is a single file, it is rather easy to try out on Compiler Explorer.
https://godbolt.org/z/n4M1vGccq
As for your remark, most folks seem to have not followed that C authors also created lint in 1979, Dennis Ritchie proposed fat pointers to WG14, Plan9 was going to use Alef, which failed but its ideas were re-used for Limbo on Inferno, and they were also involved with Go.
Finally, Rust's borrow checker ideas stem from AT&T research with Cyclone, as a way to create a safe C.
As such the real question is why still use C in new projects, when even the language authors have moved beyond it, or at least reduced their use of it on userspace applications.
I always use "-std=c99 -Wall -Wextra -Wpedantic -Werror". You could replace "-Wpedantic" with "-pedantic" though (it is more supported). You may omit "-Werror".
Sometimes I also use "-D_XOPEN_SOURCE=700" and "-D_FORTIFY_SOURCE=2" along with "-fstack-protector-strong".
For debug builds you want "-O0 -g" at the very least.
I also have a make target that uses "scan-build", "cppcheck", and "clang-tidy".
Few C-specific references I found just now, but haven't tried myself yet:
https://github.com/systemd/systemd/blob/0885e4a6e7ca93d3aef8...
https://github.com/airbus-seclab/c-compiler-security
Also a good idea to regularly run the program with sanitizers, using them in tests is a good way to do that I think. Why not during development as well if the performance is acceptable for that specific program.
In practice I've found -Wall with GCC to offer a good warning level and clang-tidy to not offer a lot of constructive feedback (besides it being very slow). For more ambitious projects, it's possible to fine-tune GCC warnings.
You can also, you know, just _use_ a program and see if there are any anomalies when running it. With some discipline to code structure, many problems get hit on the first run, and extensive testing can come a lot closer to static verification than you would think. For non-real-time constrained stuff there is also valgrind and other run-time instrumentation.
Naturally on a real project there would be a heavily customised static analysis tool, that would only allow a build to succeed with the feedback from the SecDevOps team, alongside a feedback loop from pentesters.
We have seen how far just _use_ the program has been a thing tracking down C security issues for the last 37 years, starting with Morris Worm.
And to quote Dennis Ritchie,
> To encourage people to pay more attention to the official language rules, to detect legal but suspicious constructions, and to help find interface mismatches undetectable with simple mechanisms for separate compilation, Steve Johnson adapted his pcc compiler to produce lint [Johnson 79b], which scanned a set of files and remarked on dubious constructions.
-- https://www.nokia.com/bell-labs/about/dennis-m-ritchie/chist...
Oh, and to disprove your other claim, here is a link to the godbolt with added clang-tidy flag: https://godbolt.org/z/G31Ws8aa1 . This has the clang-tidy invocation changed to disable a single warning category : --checks='-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling' . Running with that, there remains only a single warning. Which is probably a false positive as well.
If there are real concerns about this code, show them. I'm not saying there can't be any. But it doesn't help your credibility if you continue to push words that are easily disproved.
    if (rtt < config.min_rtt)
        rtt = config.min_rtt;
    else if (rtt > config.max_rtt)
        rtt = config.max_rtt;
Wouldn't this hide bugs in the code or network anomalies? Replies from localhost seem to typically arrive in less than 50 µs.
Comments in an earlier version [2] make no sense to me:
    /* Use standard timersub for more accurate results */
    if (rtt < 0)
        rtt = 0;
    /* Cap at reasonable maximum to handle outliers */
    if (rtt > 1000)
        rtt = 1000;
[1] https://github.com/davidesantangelo/fastrace/blob/5b843a197b...
[2] https://github.com/davidesantangelo/fastrace/commit/79d92744...
    if (rtt < 0.0)
    {
        fprintf(stderr, "Warning: Negative RTT detected (%.3f ms) - clock issue?\n", rtt);
        rtt = 0.0;
    }
https://github.com/davidesantangelo/fastrace/blob/e8b19407a4...
"Fixed
Removed artificial RTT clamping that was hiding legitimate network measurements
Previously clamped RTT between 0.05ms and 800ms
Now reports actual values including sub-50µs localhost responses and >800ms satellite/long-distance links
Added sanity check for negative RTT to detect clock issues without corrupting data
This fix restores full diagnostic capability for detecting network anomalies like bufferbloat and measuring true round-trip times across all network types."
It shouldn't be legal to vibe this hard, honestly. If convicted in court, you should face punishment of, say, XXX hours doing something actually useful to society with your own two hands.
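The RTT clamping discussed in the comments above, as an added example that is not fastrace's code and not from any commenter: it computes the raw RTT, flags a negative value as a clock anomaly instead of overwriting it, and shows beside it what the quoted 0.05 ms / 800 ms clamp would have reported. All type and function names are hypothetical and the timestamps are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* struct timespec under -std=c99 */
#include <stdio.h>
#include <time.h>

/* Hypothetical names for this example; none of them come from fastrace. */
enum rtt_status { RTT_OK, RTT_CLOCK_ANOMALY };

struct rtt_sample {
    double ms;                /* raw measurement, never clamped */
    enum rtt_status status;   /* anomaly is flagged, not overwritten */
};

/* rcvd - sent in milliseconds, subtracted in integer nanoseconds so
 * sub-50 µs replies keep full precision. Taking both timestamps with
 * clock_gettime(CLOCK_MONOTONIC, ...) keeps a stepped wall clock from
 * making the difference negative in the first place. */
static struct rtt_sample rtt_measure(struct timespec sent, struct timespec rcvd)
{
    long long ns = (long long)(rcvd.tv_sec - sent.tv_sec) * 1000000000LL
                 + (long long)(rcvd.tv_nsec - sent.tv_nsec);
    struct rtt_sample s;
    s.ms = (double)ns / 1e6;
    s.status = ns < 0 ? RTT_CLOCK_ANOMALY : RTT_OK;
    return s;
}

/* The clamp quoted in the thread, kept only for comparison. */
static double rtt_clamped(double rtt, double min_rtt, double max_rtt)
{
    if (rtt < min_rtt)
        rtt = min_rtt;
    else if (rtt > max_rtt)
        rtt = max_rtt;
    return rtt;
}

int main(void)
{
    /* Constructed timestamps: 30 µs localhost reply, 950 ms long-distance
     * link, and a receive time 1 ms before the send time. */
    struct timespec sent = { 100, 0 };
    struct timespec rcvd[] = { {100, 30000}, {100, 950000000}, {99, 999000000} };
    for (int i = 0; i < 3; i++) {
        struct rtt_sample s = rtt_measure(sent, rcvd[i]);
        printf("raw %9.3f ms | clamped %7.3f ms | %s\n", s.ms,
               rtt_clamped(s.ms, 0.05, 800.0),
               s.status == RTT_OK ? "ok" : "clock anomaly");
    }
    return 0;
}
```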
Unlike traceroute and mtr, this utility must be run as root.
fastrace 1.1.1.1
fastrace 0.2.1
Tracing route to 1.1.1.1 (1.1.1.1)
Maximum hops: 30, Probes per hop: 3, Protocol: UDP
TTL │ IP Address (RTT ms) Hostname
────┼───────────────────────────────────────────
Error creating ICMP socket. Are you running as root?: Operation not permitted
raphman•5h ago
https://github.com/davidesantangelo/fastrace/commit/79d92744...
(For me, this does not necessarily say anything about code quality. However, if a whole project is AI-generated, the author has no enforceable copyright IMHO, and thus, the 2-clause BSD license is void.)