[haiku-development] Haiku on Coverity: Take Two

  • From: Urias McCullough <umccullough@xxxxxxxxx>
  • To: haiku-development@xxxxxxxxxxxxx
  • Date: Wed, 29 Jul 2009 21:12:12 -0700

While at OSCON, I had the opportunity to meet and chat with David
Maxwell, who is in charge of Coverity's open source offering. We
chatted about some of the previous results from our Coverity scans. I
explained to him that we hadn't been using it much, and that we
probably needed to do an updated scan soon.

In short, this email is both a notification, and request for
information from the developers.

The notification part is that I plan to set up my Coverity scan
environment again, and run an entire "alpha" image build through it. I
will get this published ASAP.

FWIW, we are still using the "old" version of their software. I was
told by David that for projects on "Rung 1" that have many issues left,
they usually leave them on the old software because the newer versions
of their software report tremendously more issues and will usually
overwhelm the developers (his words, not mine). Given that our initial
scan found some ~1400 potential issues, I believe it.

So, this means we'll need to go through all of the currently reported
issues and either mark them as "FALSE" if they are a false-positive,
"IGNORE" if we don't plan to fix them (for example, if they are in 3rd
party libs that we don't care about), or whatever.

Issues in prior runs that no longer exist should probably be marked as
either "RESOLVED" or "IGNORE", I guess (if they were in code that has
been rewritten/replaced, I suppose).

If there's anything I can do to help this process, let me know. I
would gladly start evaluating issues, changing their status, and
assigning them if we can come up with some basic rules. Unfortunately
I have less chance of identifying a true false-positive.

Now, I also need to ask for a list of developers with commit access
who wish to have a Coverity login to view results. I will need a
username, full name, and email address for each individual who would
like access. If you already have an account for our results, you don't
need to respond :)

For those who have forgotten, the link to our Coverity login is:
http://scan.coverity.com:9065/

BTW, I was asked if the results helped and I told him that we were
able to fix several subtle issues that increased the stability of
various areas of Haiku. Can anyone name a couple of areas that benefited
directly? I think there were some issues resolved in the VM and the
USB stack at least, but I don't remember offhand.

One last request: David was wondering if any of the core developers
were interested in a Q&A/Interview where he could ask some questions
about the focus of quality and security for Haiku. Anyone interested?
He asked me if I could do it, but I don't feel qualified.

Thanks, let me know if there are any questions,

Urias McCullough
