On 10/23/2012 08:28 PM, Amos Jeffries wrote:
> On 22.10.2012 07:03, Kinkie wrote:
>> Hi all,
>> so far I have checked 134 defects uncovered by Coverity out of 334,
>> I think I have seen enough to report some numbers.
>> There are 49 false positives, and 24 intentional risky behaviors.
>> 61 are bugs; but in most cases they are not real issues, just poor
>> practice: things like undocumented assumptions on callers' handling of
>> buffer sizes.
>>
>> I hope this can be enough help you understand whether Coverity is a
>> good deal - triaging without fixing is a bit of a drag.
>> The UI is nice but maybe due to me not sitting on the server it's not
>> really as responsive as it could be.
>
>
> I think we need to do one more thing along with this.
>
> We are not utilizing all the compiler warnings we could be which might
> find a lot of these problems without involving any further static
> analysis than the build farm already provides. For example GCC offers
> -Weffc++ which will catch the constructor/destructor problems in our
> practice vs policy.
>
> I'm doing a build of Squid with -Weffc++ -Wno-error=effc++ right now to
> produce a report for you to compare with Coverity issues of that same type.
Sounds good. We need to redo the test to enable similar checks in
Coverity. For some strange reason, newer Coverity versions do not
auto-enable some of those checks despite "--all" checks being used.
Alex.
Received on Wed Oct 24 2012 - 16:24:32 MDT
This archive was generated by hypermail 2.2.0 : Thu Oct 25 2012 - 12:00:08 MDT