wiki:Coverity

Version 38 (modified by umccullough, 12 years ago) ( diff )

added new run

What is Coverity?

"Coverity Prevent is a static code analysis tool for C, C++, C# and Java source code. It is a commercial product which originated as the Stanford Checker, which used abstract interpretation to identify defects in source code." Wikipedia

The Coverity Scan Initiative

Dev FAQ

Haiku is currently a Rung 1 project.

Prerequisites for Use

  1. Commit rights to Haiku's source repository
  2. Coverity account (Ask Urias McCullough (umccullough@…) - he coordinates with Coverity's admins)
  3. Accepting the TOS upon first login (see: http://scan.coverity.com/policy.html )
  4. Supported web browser (modern version of IE, Firefox, Chrome, or another WebKit-based browser). WebPositive doesn't currently work.

Workflow

  • Log on to Coverity Scan Site. (Review account info you were given via email)
  • Select Haiku project
  • Look up a Haiku defect
  • Assess and assign the defect. (To yourself, most likely.)
  • Commit fixes to defects assigned to you. Mention the CID number in the commit message. ("Bug so and so. CID XXXXX.")
  • Mark the defect as resolved, mentioning the commit revision number. ("fixed in hrevXXXXX")

Query hints

Once on the Defects tab, use the filters down the left side of the page to filter the list:

  • It is helpful to filter the query by file path. Example: *servers/app* lists all defects in the app_server.

Source to avoid

  • 3rd party code (send patches upstream?)

Source that needs special treatment

  • Kernel/app_server/input_server/registrar?

Common defects and their resolutions

  • PARSE_ERROR - Not necessarily a code issue - this happens when Coverity's tools could not parse the code that was compiled for one reason or another. We don't intend to spend time investigating these as long as we have a significant number of other issues outstanding.
  • SECURE_CODING - Usually a warning about potential buffer/string overflow. In most cases, replacing a strcpy() with strlcpy() (DO NOT use strncpy!), sprintf() with snprintf(), or strcat() with strlcat() will satisfy this checker.
  • STACK_USE - Not really a bug. It turns out that the new version of the Coverity software automatically enabled this checker with default values, when it had been disabled before. This checker is usually used to analyze for defects in kernel or embedded system code which have tight stack limits. For Haiku, "Ignore" is probably the best resolution for now.
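The SECURE_CODING replacements above, shown side by side as an added example (this is not Haiku source and not Coverity's output). The `build_path_unsafe()` function is the kind of code the checker flags; `build_path_safe()` and `format_cid_message()` apply the substitutions the list recommends and, in addition, check the return values for truncation, which the substitution alone does not give you. `strncpy_terminates()` shows the reason the list says not to use `strncpy()`: with a source as long as the buffer it leaves no terminating NUL. Haiku's libroot provides `strlcpy()`/`strlcat()`, but glibc before 2.38 does not, so the block carries `local_strlcpy()`/`local_strlcat()` as stand-ins with the BSD semantics (an assumption, so the example builds anywhere); all function and buffer names here are made up for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-ins for the BSD strlcpy()/strlcat() that Haiku's libroot provides,
 * defined locally only so this example also builds on glibc < 2.38
 * (assumed BSD semantics). Both return the length the complete result
 * would have had, so a return value >= size signals truncation. */
static size_t local_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size != 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';            /* always terminated, unlike strncpy() */
    }
    return srclen;
}

static size_t local_strlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = strnlen(dst, size);
    if (dstlen == size)           /* dst not terminated within size */
        return size + strlen(src);
    return dstlen + local_strlcpy(dst + dstlen, src, size - dstlen);
}

#define DEMO_BUF_SIZE 16  /* deliberately tiny so truncation is easy to hit */

/* 'Before': what the SECURE_CODING checker flags. Nothing bounds the writes,
 * so a long 'dir' or 'name' runs past the end of 'buf'. Kept for comparison
 * only; nothing below calls it. */
void build_path_unsafe(char *buf, const char *dir, const char *name)
{
    strcpy(buf, dir);   /* unbounded copy */
    strcat(buf, "/");   /* unbounded append */
    strcat(buf, name);
}

/* 'After': bounded copies that always terminate, plus a truncation check.
 * Returns 0 on success, -1 when the full path would not fit in 'size'. */
int build_path_safe(char *buf, size_t size, const char *dir, const char *name)
{
    if (local_strlcpy(buf, dir, size) >= size)
        return -1;
    if (local_strlcat(buf, "/", size) >= size)
        return -1;
    if (local_strlcat(buf, name, size) >= size)
        return -1;
    return 0;
}

/* sprintf() -> snprintf(): snprintf() returns the length the whole string
 * needed, so the same >= size test detects truncation. */
int format_cid_message(char *buf, size_t size, unsigned cid, const char *rev)
{
    int n = snprintf(buf, size, "CID %u fixed in %s", cid, rev);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return 0;
}

/* Why strncpy() is not the fix: returns 1 if the buffer is NUL-terminated
 * after strncpy(buf, src, sizeof(buf)), 0 if strncpy() filled every byte. */
int strncpy_terminates(const char *src)
{
    char buf[DEMO_BUF_SIZE];
    strncpy(buf, src, sizeof(buf));
    return memchr(buf, '\0', sizeof(buf)) != NULL;
}

int main(void)
{
    char buf[DEMO_BUF_SIZE];
    int rc = build_path_safe(buf, sizeof(buf), "/boot", "app");
    printf("rc=%d buf=\"%s\"\n", rc, buf);                       /* fits */
    rc = build_path_safe(buf, sizeof(buf), "/boot/home/config", "settings");
    printf("rc=%d buf=\"%s\"\n", rc, buf);                       /* truncated, still terminated */
    printf("strncpy terminates: %d\n", strncpy_terminates("0123456789abcdef"));
    return 0;
}
```

The point for a reviewer resolving these CIDs is the `>= size` check after each call: swapping in `strlcpy()`/`snprintf()` removes the overflow, but without the check a silently truncated path or message is still a logic bug worth catching.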

Runs submitted

  • Run 15: hrev44338 nightly-raw with GPL gcc4 build processed on 2012-07-14
  • Run 14: hrev44149 nightly-raw with GPL gcc4 build processed on 2012-05-13 (first run with Scan 5.5)
  • Run 13: hrev43983 nightly-raw with GPL gcc4 build processed on 2012-04-10
  • Run 12: hrev43696 nightly-raw gcc4 build processed on 2012-01-29
  • Run 11: hrev43316 nightly-raw with GPL gcc4 build processed on 2011-11-29
  • Run 10: hrev42464 nightly-raw with GPL gcc4 build processed on 2011-07-26
  • Run 09: hrev41462 nightly-raw gcc4 build processed on 2011-05-12
  • Run 08: hrev40855 nightly-raw with GPL gcc4 build processed on 2011-03-08
  • Run 07: hrev39894 nightly-raw gcc4 build processed on 2010-12-19
  • Run 06: hrev37534 nightly-raw gcc2hybrid build processed on 2010-07-20
  • Run 05: Deleted due to issue with submission
  • Run 04: hrev28644 haiku-image gcc2 build processed on 2008-11-18
  • Run 03: hrev27211 haiku-image gcc2 build processed on 2008-09-03
  • Run 02: Deleted due to issue with submission
  • Run 01: hrev25116 haiku-image gcc2 build processed on 2008-05-21

Coverity Users

Accounts already created:

  • aldeck
  • aljen
  • anevilyak
  • axeld
  • bonefish
  • brechtm
  • czeidler
  • dlmcpaul
  • dr_evil
  • emitrax
  • jackburton
  • julun
  • kallisti5
  • kirilla
  • korli
  • laplace
  • leavengood
  • mauricek
  • mmadia
  • mmlr
  • mmu_man
  • modeenf
  • nielx
  • PulkoMandy
  • scottmc
  • siarzhuk
  • stippi
  • stpere
  • tqh
  • umccullough
  • yourpalal
  • xyzzy
  • zooey

Known issues to be resolved by Coverity

  • Haiku's listing on the Rung page(s)
    • does not have a clickable project site link
    • does not have updated statistics (defect count, LOC, etc.)
    • does not have a working "Sign in" link
  • We cannot yet administer the list of users with access
  • We cannot yet administer extra features such as "Product" and "Component"