[Geany-Devel] using Coverity to audit the code base

Liviu Andronic landronimirc at xxxxx
Thu Feb 19 09:46:40 UTC 2015


On Wed, Feb 18, 2015 at 2:57 PM, Nick Treleaven
<nick.treleaven at btinternet.com> wrote:
>
> On 12/02/2015 21:21, Liviu Andronic wrote:
>>
>> Coverity has uncovered ~55 implementation defects in the code
>> base, with 25 or so of high severity (memory corruption, resource
>> leaks, etc.)
>
>
> Thanks. Some of this should be useful, but AFAICT some of the serious items seem to occur when certain assertions have failed, e.g. TagManager Assert, which cause a lot of false positives.
>
Coverity has some facilities to deal with false positives. For
instance, it is possible to classify an identified issue as "false
positive" or "intentional", meaning that Coverity shall ignore it in
future code scans.

But more usefully we can specify a Modeling File:
"Static code analysis has some limitations in its ability to
understand certain dynamic operations. This limitation may result in
falsely detecting defects. Since most false-positive defects are
caused by few functions in your code base, Coverity allows you to tell
the analysis engine to treat these functions differently. This is
called a Modeling File. By providing a modeling file, most projects
reduce their false-positive rate to the ballpark of 10%."

Maybe we should look into that?

Cheers,
Liviu

-- 
Do you think you know what math is?
http://www.ideasroadshow.com/issues/ian-stewart-2013-08-02
Or what it means to be intelligent?
http://www.ideasroadshow.com/issues/john-duncan-2013-08-30
Think again:
http://www.ideasroadshow.com/library
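What a modeling file for the assertion case above can look like, as an added example written for this thread (it is neither Geany code nor text from Coverity's documentation). The Tag struct, the TM_ASSERT macro and the helper name tm_assert_fail are constructed stand-ins for whatever the project's assertion macro really calls; the model and the project code are kept in one file only so it compiles stand-alone.

```c
/* Section 1 is constructed stand-in project code; section 2 is the Coverity
 * model for its assertion helper. In a real setup section 2 lives in its own
 * model.c, is compiled with cov-make-library and handed to cov-analyze via
 * --user-model-file; it is never linked into the program. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* ---- 1. project code (constructed; tm_assert_fail is hypothetical) ---- */
typedef struct { const char *name; } Tag;

void tm_assert_fail(const char *expr, const char *file, int line);

#define TM_ASSERT(expr) \
    do { if (!(expr)) tm_assert_fail(#expr, __FILE__, __LINE__); } while (0)

size_t tag_name_len(const Tag *tag)
{
    TM_ASSERT(tag != NULL);
    /* Without a model the analysis assumes tm_assert_fail() may return, so it
     * reports a NULL dereference on the next line: a false positive, because
     * the helper aborts the process on a failed check. */
    return strlen(tag->name);
}

/* ---- 2. model.c: what the analysis engine sees instead of the helper ---- */
#ifdef __COVERITY__
void __coverity_panic__(void);   /* Coverity primitive: "this never returns" */
#else
/* Outside the analysis the primitive does not exist; this stub (constructed)
 * lets the file build and behave like the real helper. */
static void __coverity_panic__(void) { abort(); }
#endif

void tm_assert_fail(const char *expr, const char *file, int line)
{
    (void)expr; (void)file; (void)line;
    /* The path ends here, so nothing "after" a failed assertion is reported. */
    __coverity_panic__();
}
```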