
[Monotone-devel] Monotone and Coverity


From: Nathaniel Smith
Subject: [Monotone-devel] Monotone and Coverity
Date: Tue, 24 Oct 2006 00:56:05 -0700
User-agent: Mutt/1.5.13 (2006-08-11)

Coverity is a proprietary tool based on the old Stanford Checker,
which uses fancy static analysis technology in an attempt to detect
buggy code (especially things like null pointer dereferences, memory
leaks, buffer overruns, and so forth).  They received some publicity
back in March when they announced a program of providing regular scans
of FOSS projects at http://scan.coverity.com (under government
contract).

While ATM monotone does not show up on that front page, monotone is in
fact now included in the scans (and has been for a week or two)[1].
This means that monotone developers can now get a password, and browse
around in the database of potential bugs.

As a validation of our development methodology, in the first run,
coverity found _zero_ _potential_ bugs in monotone proper.  Go team!

...OTOH, as a validation of coverity, it has for the last week been
reporting two real bugs that were just introduced... (a new[] paired
with a non-[] delete, and a vector iterator overrun, both in automate
stdio parsing, both just fixed).

Also interesting is that because we ship a number of 3rd-party
packages (parts of lua, sqlite, botan, libidna, etc.), we see the
results for them as well.  Botan in particular has some interesting
warnings about its Karatsuba multiplication algorithm...
(unfortunately we are still using a somewhat behind-the-times Botan,
so maybe these are irrelevant, but, as soon as we upgrade, the scanner
will notice within 24h).  There's also a netxx warning that concerns
me a bit, except that I can't figure out what the heck it's warning
about.

To get a password, send an email to address@hidden,
including:
  -- project requesting a password for (i.e., monotone)
  -- full name
  -- email
  -- "Your association with the project and purpose of access"

-- Nathaniel

[1] How we got included: The scan.coverity.com system is not, in
general, adding any new projects.  But, Jeff Rizzo, who is doing some
consulting work for Coverity Inc. on scan.coverity.com, happens to be
a monotone fan.  So, since he needed a test project for adding new
projects to the system, and it turned out that monotone's result
database was so small that it could fit on the overloaded server... we
snuck in.

On that note, Jeff has to move on to other things; if you or anyone
you know is in the SF Bay Area and wants some consulting work running
scan.coverity.com, Coverity is looking...

-- 
IBM manual SENG-5155-01:  Power Supply and Air Moving Device Installation
Instruction for iSeries 820 and 5075.
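The two defects the mail says Coverity caught in the automate stdio parser (a `new[]` released with a non-`[]` `delete`, and a vector iterator walked past `end()`) are shown below as an added illustration. This is not monotone's code and does not use monotone's automate stdio wire format; the length-prefixed token syntax (`3:foo2:ok`) and all function names are constructed for the example. Each bug is shown in the form a static checker reports it, beside a hardened version that owns memory through a container and checks every iterator advance against `end()`.

```cpp
// Added example (not monotone's code): the two defect classes named in the
// mail, each as the reportable bug beside a hardened form.
#include <cstddef>
#include <iostream>
#include <limits>
#include <string>
#include <vector>

// --- 1. new[] paired with a non-[] delete ---------------------------------

// Buggy: storage obtained with new[] but released with scalar delete.
// That is undefined behaviour and is exactly the mismatch a checker flags.
// Kept only for comparison; nothing in this file calls it.
inline void copy_bytes_buggy(const std::string& in) {
    char* buf = new char[in.size() + 1];
    in.copy(buf, in.size());
    buf[in.size()] = '\0';
    delete buf;   // BUG: must be delete[] (better: no raw new[] at all)
}

// Hardened: a container owns the buffer, so there is no delete to get wrong.
inline std::string copy_bytes_fixed(const std::string& in) {
    std::vector<char> buf(in.begin(), in.end());
    buf.push_back('\0');
    return std::string(buf.data());   // buf is freed automatically on return
}

// --- 2. vector iterator overrun ------------------------------------------

// Hypothetical token format: "<len>:<bytes>" repeated, e.g. "3:foo2:ok"
// (constructed for this example; not monotone's automate stdio format).
struct ParseResult {
    bool ok;                          // false if the input was malformed
    std::vector<std::string> tokens;  // tokens parsed before any failure
};

// Buggy: the declared length is trusted, so a short input such as "5:ab"
// forms an iterator past end() and reads beyond the vector. Not called.
inline std::vector<std::string> parse_tokens_buggy(const std::vector<char>& in) {
    std::vector<std::string> out;
    auto it = in.begin();
    while (it != in.end()) {
        std::size_t len = 0;
        while (*it != ':') { len = len * 10 + (*it - '0'); ++it; }  // may run off the end
        ++it;                                                        // skip ':'
        out.emplace_back(it, it + static_cast<std::ptrdiff_t>(len)); // BUG: may exceed end()
        it += static_cast<std::ptrdiff_t>(len);
    }
    return out;
}

// Hardened: every advance is checked against end(), the length field is
// guarded against overflow, and malformed input is reported, not walked off.
inline ParseResult parse_tokens_fixed(const std::string& input) {
    const std::vector<char> in(input.begin(), input.end());
    ParseResult res{true, {}};
    auto it = in.begin();
    const auto end = in.end();
    while (it != end) {
        std::size_t len = 0;
        bool saw_digit = false;
        while (it != end && *it >= '0' && *it <= '9') {
            if (len > (std::numeric_limits<std::size_t>::max() - 9) / 10) {
                res.ok = false; return res;          // length field would overflow
            }
            len = len * 10 + static_cast<std::size_t>(*it - '0');
            saw_digit = true;
            ++it;
        }
        if (!saw_digit || it == end || *it != ':') { res.ok = false; return res; }
        ++it;                                         // skip ':'
        if (static_cast<std::size_t>(end - it) < len) { res.ok = false; return res; }
        res.tokens.emplace_back(it, it + static_cast<std::ptrdiff_t>(len));
        it += static_cast<std::ptrdiff_t>(len);
    }
    return res;
}

int main() {
    for (const char* s : {"3:foo2:ok", "5:ab", "abc", "0:"}) {
        ParseResult r = parse_tokens_fixed(s);
        std::cout << '"' << s << "\" -> " << (r.ok ? "ok" : "malformed")
                  << ", " << r.tokens.size() << " token(s)\n";
    }
    std::cout << copy_bytes_fixed("hello") << '\n';
    return 0;
}
```

The hardened parser rejects `5:ab` (declared length longer than the remaining data) and `abc` (no length field) instead of dereferencing past the end, and an empty token `0:` is accepted as one empty string.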