Re: Report on Coverity

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 25 Oct 2012 13:07:31 +1300

On 25.10.2012 06:11, Kinkie wrote:
>> A) Squid code review practices eliminate nearly all real bugs
>> that static analysis can find. Thus, SA is not very helpful.
>>
>> B) We have already found (the "hard way") and fixed nearly all
>> real bugs so static analysis cannot find them until new bugs
>> are added. When they are added, SA will be helpful so that we
>> do not need to find those bugs the "hard way".
>>
>> I wonder if it makes sense to test a much earlier version of Squid
>> (e.g., 3.1.0 or perhaps even 3.0.1). That way, we can see whether
>> Coverity can detect the real bugs that we have found the "hard way"
>> (and since fixed)?
>
> I fully agree with your analysis.

So do I.

We had earlier code runs by the free Coverity scanner years back. In
3.0 it was helpful for finding a number of real bugs. IIRC there were
around a dozen NULL ptr dereferences and input validation bugs found at
the time and fixed, mostly in the third-party helpers. (Will check for
better numbers later if the stats are still there on the free site's
login.)

The code review process has been useful in maintaining the absence of
those types of issues once the initial scans were done and the old code
fixed.

If we were to take up this scanning I think it would be more beneficial
to run periodically and check for new bugs rather than constantly. Once
per year (~100K lines of code change each year) or after any large logic
changes should be sufficient to check for new issues.

Amos
Received on Thu Oct 25 2012 - 00:07:36 MDT