Hi Sergei,
MySQL was under the Coverity Scan twice (at least twice - that's what I was personally involved in). The first report found about 300 defects, and about 200 of them were false positives, 50 of them were real, and others were not in the MySQL code. The second found only about 20 defects, and only because Coverity has implemented new checkers since the first scan.
I cannot believe that in the few years since the last report we've introduced 1200 new defects.
Even if the tool's true/false positive rate hasn't changed, there are still four times as many reports. Perhaps the larger number of issue reports is due to Coverity's tool having added new analyzers since it was last used for MySQL.
Okay, you can create an account for me. But it would be better if you could find which of those defects are real.
I'm perfectly content to follow the path which you consider to be the better one: me checking each individual issue reported. It will take a long time, but at least I'll learn a lot about the code. Some of the bugs that Coverity finds will only come up with very unusual paths through the code. Coverity now provides a very clear explanation of how such a path through the code could occur. When this happens, as a C++ programmer I find myself well-convinced that there's a bug. But, especially as a newbie, it could require many hours for me to create a test case which actually triggers that bug during execution. In such cases, what would be better: to report the bug once I'm personally convinced it's real, or to report it only after I've created a test case which reliably triggers the bug?

Thanks,
Christian