For the past 15 years, the Smatch static analysis tool has been routinely run to uncover countless bugs within the Linux kernel. Dan Carpenter, who authored Smatch and has been routinely analyzing the Linux kernel with it, has authored more than 5,568 patches over the years, becoming one of the top bug fixers for the kernel. But his funding at Linaro has been cut and the project’s future is now in question.
The Smatch static analysis on the kernel in recent years has been led by Dan Carpenter while working for Linaro. It’s fallen under a “Linux kernel quality” project but now that Linaro project is surprisingly ending:
“I have been doing Smatch static analysis work at Linaro under a larger umbrella project to do with Linux kernel quality but unfortunately that project has ended so I will be wrapping up at the end of the year unless we can raise new support.
Smatch is an important tool for kernel development so hopefully there are enough companies willing to support it financially and I will be able to continue. In fact, there potentially is an opportunity to expand if companies with other large C projects want static analysis.”
At a time when Linux kernel usage continues growing and is more important than ever for hyperscalers, AI firms, and more, it’s surprising that a large organization such as Linaro now has a “Linux kernel quality” project ending.
Carpenter noted in his call for funding help:
“This is borne out in the numbers. I have been working on Smatch since 2010, first at Oracle and now at Linaro. Over that period I have been the number 12 bug fixer with 5568 patches and the number 2 bug reporter with 2587 bug reports and almost all those fixes are driven by Smatch. Smatch is included in several subsystem CI tools, such as Media and Wireless and many maintainers use Smatch as well.
I like to say that static analysis is not just a product, it is an on-going process. I regularly review CVEs to consider how these bugs could have been caught earlier with static analysis. Also the kernel is constantly changing and adding new APIs. Without continuous updates then a static checker will eventually bit rot.”
More details on the state of Smatch and its imminent loss of funding are available via the public mailing list call for help.
