[Maria-developers] Coverity scan results
Hey guys,

For those of you who missed it, I volunteered to try getting MariaDB scanned as part of the Coverity Scan service. I just got the trunk scanned for the first time, and a lot of potential-problem reports came up. I did a spot check on one of them, and the report looks like a true positive.

Coverity Scan reports: 178 high-impact problems, 1020 medium-impact problems, 47 low-impact problems.

Any suggestions for how to get these looked at by the appropriate developers? It seems crazy for me to enter 1000+ bug reports into the bug tracker.

I believe I have the power to create new user accounts in Coverity Scan's MariaDB project, for any MariaDB developer who wants to see the results.

Thanks,
Christian
Hi, Christian! On Feb 06, Christian Convey wrote:
Hey guys,
For those of you who missed it, I volunteered to try getting MariaDB scanned as part of the Coverity Scan service. I just got the trunk scanned for the first time, and a lot of potential-problem reports came up. I did a spot check on one of them, and the report looks like a true positive.
Coverity Scan reports: 178 high-impact problems, 1020 medium-impact problems, 47 low-impact problems.
MySQL was under the Coverity Scan twice (at least twice - that's what I personally was involved in). The first report found about 300 defects, and about 200 of them were false positives, 50 of them were real, and the others were not in the MySQL code. The second found only about 20 defects, and only because Coverity had implemented new checkers since the first scan. I cannot believe that in the few years since the last report we've introduced 1200 new defects.
Any suggestions for how to get these looked at by the appropriate developers? It seems crazy for me to enter 1000+ bug reports into the bug tracker.
I believe I have the power to create new user accounts in Coverity Scan's MariaDB project, for any MariaDB developer who wants to see the results.
Okay, you can create an account for me. But it would be better if you could find which of those defects are real. Regards, Sergei
Hi Sergei,
MySQL was under the Coverity Scan twice (at least twice - that's what I personally was involved in). The first report found about 300 defects, and about 200 of them were false positives, 50 of them were real, and the others were not in the MySQL code. The second found only about 20 defects, and only because Coverity had implemented new checkers since the first scan.
I cannot believe that in the few years since the last report we've introduced 1200 new defects.
Even if the tool's true/false positive rate hasn't changed, there are still four times as many reports. Perhaps the larger number of issue reports is due to Coverity's tool having added new analyzers since it was last used for MySQL.
Okay, you can create an account for me. But it would be better if you could find which of those defects are real.
I'm perfectly content to follow the path which you consider to be the better one: me checking each individual issue reported. It will take a long time, but at least I'll learn a lot about the code. Some of the bugs that Coverity finds will only come up with very unusual paths through the code. Coverity now provides a very clear explanation of how such a path through the code could occur. When this happens, as a C++ programmer I find myself well-convinced that there's a bug. But, especially as a newbie, it could require many hours for me to create a test case which actually triggers that bug during execution. In such cases, what would be better: report the bug once I'm personally convinced it's real, or to report it only after I've created a test case which reliably triggers the bug? Thanks, Christian
Hi, Christian! On Feb 07, Christian Convey wrote:
Okay, you can create an account for me. But it would be better if you could find which of those defects are real.
I'm perfectly content to follow the path which you consider to be the better one: me checking each individual issue reported. It will take a long time, but at least I'll learn a lot about the code.
Usually there's a pattern, and many false positives fall under it. Please create an account for me, and I'll see if we could quickly discard many false positives.
Some of the bugs that Coverity finds will only come up with very unusual paths through the code. Coverity now provides a very clear explanation of how such a path through the code could occur. When this happens, as a C++ programmer I find myself well-convinced that there's a bug. But, especially as a newbie, it could require many hours for me to create a test case which actually triggers that bug during execution. In such cases, what would be better: report the bug once I'm personally convinced it's real, or to report it only after I've created a test case which reliably triggers the bug?
No, I didn't mean that you need to create a test case - only to look at what Coverity reports. Sometimes it might be very difficult to trigger a bug, for example, it may happen only if, say, malloc(10) in some specific place would return NULL. Regards, Sergei
Hi Sergei
Usually there's a pattern, and many false positives fall under it. Please create an account for me, and I'll see if we could quickly discard many false positives.
Done. If you don't receive an email from the Scan project soon, let me know.
No, I didn't mean that you need to create a test case - only to look at what Coverity reports. Sometimes it might be very difficult to trigger a bug, for example, it may happen only if, say, malloc(10) in some specific place would return NULL.
Thank goodness. I think either answer would have been reasonable, but I really wasn't looking forward to doing that much coding just to verify a bug that I was already convinced of. - Christian
Hi, Christian! On Feb 07, Christian Convey wrote:
Hi Sergei
Usually there's a pattern, and many false positives fall under it. Please create an account for me, and I'll see if we could quickly discard many false positives.
Done. If you don't receive an email from the Scan project soon, let me know.
Thanks. Indeed they've added quite a few new checks. Anyway, about 3/4 of the issues I've checked (like, 15 out of 20) were false positives. But there were real issues too. So far, all I've seen were trivial to fix though; I wouldn't bother creating a bug report per defect. Regards, Sergei
Thanks. So what would you suggest? Is there some way I can map Coverity reports to individual developers, and then ask each of them to take a look at their portion of the Scan results? - Christian On Thu, Feb 7, 2013 at 10:49 AM, Sergei Golubchik <serg@askmonty.org> wrote:
Hi, Christian!
On Feb 07, Christian Convey wrote:
Hi Sergei
Usually there's a pattern, and many false positives fall under it. Please create an account for me, and I'll see if we could quickly discard many false positives.
Done. If you don't receive an email from the Scan project soon, let me know.
Thanks. Indeed they've added quite a few new checks.
Anyway, about 3/4 of the issues I've checked (like, 15 out of 20) were false positives. But there were real issues too. So far, all I've seen were trivial to fix though; I wouldn't bother creating a bug report per defect.
Regards, Sergei
Hi, Christian! On Feb 07, Christian Convey wrote:
Thanks. So what would you suggest?
I'd suggest you start looking at the issues and fix those that are simple, like, those you can fix in a few minutes. They should be in the majority anyway. For example, there were issues where va_end() was forgotten. Or where the memcmp return value was cast to char. These issues take just a few seconds to fix.
Is there some way I can map Coverity reports to individual developers, and then ask each of them to take a look at their portion of the Scan results?
Sorry, but not now. All our developers (myself included) are completely booked at the moment and have no spare cycles. And as the chance of finding anything serious in this coverity report isn't high (from what I've seen), sorting through the list won't get a very high priority. Regards, Sergei
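The three defect classes named in this thread (the unchecked malloc() path Sergei describes earlier, the forgotten va_end(), and the memcmp() result cast to char) are small enough to show side by side. The following is an added illustration, not MariaDB code and not anything Coverity produced; every function name is hypothetical. Each pattern appears once in the form a static analyzer flags and once in the fixed form.

```c
/* Added illustration, not MariaDB code: the three defect classes this
 * thread names, each as Coverity would flag it beside a fixed form.
 * All function names here are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1. memcmp result cast to char.  memcmp returns an int whose magnitude
 *    is implementation-defined (glibc on x86-64 returns the byte
 *    difference, up to +/-255).  Squeezing that into a char flips the
 *    sign of any positive result above 127: "a > b" becomes "a < b". */
int key_cmp_buggy(const char *a, const char *b, size_t n)
{
    char r = (char)memcmp(a, b, n);   /* BUG: int truncated to char */
    return r;
}

int key_cmp_fixed(const char *a, const char *b, size_t n)
{
    int r = memcmp(a, b, n);          /* keep the full int ...        */
    return (r > 0) - (r < 0);         /* ... and reduce only to its sign */
}

/* The truncation in isolation, so the effect is visible whatever the
 * platform's memcmp happens to return: 255 is a valid "greater" result. */
int sign_after_char_cast(int memcmp_result)
{
    signed char c = (signed char)memcmp_result;
    return (c > 0) - (c < 0);
}

/* 2. va_start without a matching va_end on every path.  The early return
 *    in the buggy version skips va_end; the C standard makes that
 *    undefined behaviour, and the analyzer reports it as a missing va_end. */
int max_of_buggy(int n, ...)
{
    va_list ap;
    int best, i;
    if (n <= 0)
        return -1;
    va_start(ap, n);
    best = va_arg(ap, int);
    for (i = 1; i < n; i++) {
        int v = va_arg(ap, int);
        if (v < 0)
            return -1;                /* BUG: returns without va_end(ap) */
        if (v > best)
            best = v;
    }
    va_end(ap);
    return best;
}

int max_of_fixed(int n, ...)
{
    va_list ap;
    int best, i;
    if (n <= 0)
        return -1;
    va_start(ap, n);
    best = va_arg(ap, int);
    for (i = 1; i < n; i++) {
        int v = va_arg(ap, int);
        if (v < 0) {
            best = -1;
            break;                    /* fall through to the single va_end */
        }
        if (v > best)
            best = v;
    }
    va_end(ap);
    return best;
}

/* 3. malloc result used without a NULL check: the path that only fires
 *    when one specific allocation fails, so it is hard to trigger in a test
 *    but costs one branch to fix. */
char *copy_prefix_buggy(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    memcpy(p, s, n);                  /* BUG: p may be NULL */
    p[n] = '\0';
    return p;
}

char *copy_prefix_fixed(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;                  /* propagate; the caller decides how to fail */
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* Helper for exercising copy_prefix_fixed: 1 if the copy equals expect. */
int copy_prefix_check(const char *s, size_t n, const char *expect)
{
    char *p = copy_prefix_fixed(s, n);
    int ok = (p != NULL) && (strcmp(p, expect) == 0);
    free(p);
    return ok;
}

int main(void)
{
    printf("sign of 255 after char cast: %d\n", sign_after_char_cast(255));
    printf("max_of_fixed(3, 4, 9, 2) = %d\n", max_of_fixed(3, 4, 9, 2));
    printf("copy_prefix_check = %d\n", copy_prefix_check("mariadb", 5, "maria"));
    return 0;
}
```

The memcmp case is the one that can silently change query results: a comparison function that reports the wrong ordering for some byte values corrupts sort order and index lookups without ever crashing, which is why a checker flag on a one-line cast deserves the few seconds Sergei mentions.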
Hi Christian, Perhaps you can create a list of those minor issues, and with the list we can take advantage of more developers; I'd like to fix some of them in the next days. 2013/2/7 Sergei Golubchik <serg@askmonty.org>
Hi, Christian!
On Feb 07, Christian Convey wrote:
Thanks. So what would you suggest?
I'd suggest you start looking at the issues and fix those that are simple, like, those you can fix in a few minutes. They should be in the majority anyway.
For example, there were issues where va_end() was forgotten. Or where the memcmp return value was cast to char. These issues take just a few seconds to fix.
Is there some way I can map Coverity reports to individual developers, and then ask each of them to take a look at their portion of the Scan results?
Sorry, but not now. All our developers (myself included) are completely booked at the moment and have no spare cycles. And as the chance of finding anything serious in this coverity report isn't high (from what I've seen), sorting through the list won't get a very high priority.
Regards, Sergei
_______________________________________________ Mailing list: https://launchpad.net/~maria-developers Post to : maria-developers@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-developers More help : https://help.launchpad.net/ListHelp
-- Giacomo Picchiarelli <gpicchiarelli@gmail.com>
Hi Giacomo,
Perhaps you can create a list of those minor issues, and with the list we can take advantage of more developers; I'd like to fix some of them in the next days.
Sure, no problem. I just added you as a user to that project. You should get an email for completing your registration very soon. For any issue ("CID") you tackle, please change the "Owner" field to your user name. That way you and I can avoid working on the same issues. - Christian
Hi Sergei,
I'd suggest you start looking at the issues and fix those that are simple, like, those you can fix in a few minutes. They should be in the majority anyway.
For example, there were issues where va_end() was forgotten. Or where the memcmp return value was cast to char. These issues take just a few seconds to fix.
No problem. I'll tackle any low-hanging fruit I come across, and save the less obvious ones for later and/or someone else.
Is there some way I can map Coverity reports to individual developers, and then ask each of them to take a look at their portion of the Scan results?
Sorry, but not now. All our developers (myself included) are completely booked at the moment and have no spare cycles. And as the chance of finding anything serious in this coverity report isn't high (from what I've seen), sorting through the list won't get a very high priority.
I could be wrong, but it sounds like you don't see much point in going through the Coverity output. Is that true? Because if it's all a giant waste of time, I'm perfectly willing to contribute in some other way to the project. Thanks, Christian
Hi, Christian! On Feb 07, Christian Convey wrote:
Is there some way I can map Coverity reports to individual developers, and then ask each of them to take a look at their portion of the Scan results?
Sorry, but not now. All our developers (myself included) are completely booked at the moment and have no spare cycles. And as the chance of finding anything serious in this coverity report isn't high (from what I've seen), sorting through the list won't get a very high priority.
I could be wrong, but it sounds like you don't see much point in going through the Coverity output. Is that true? Because if it's all a giant waste of time, I'm perfectly willing to contribute in some other way to the project.
I didn't want to sound like that, sorry. It's just that we're all really busy now at the moment. If you don't like to do that Coverity report, I will go through it myself. But just not now, only after I finish the feature I'm working on. Regards, Sergei
No problem. I'm happy to go through the Coverity reports. Hopefully I can at least do some research on Coverity's output by the time you guys are ready to look at it. - C On Thu, Feb 7, 2013 at 2:35 PM, Sergei Golubchik <serg@askmonty.org> wrote:
Hi, Christian!
On Feb 07, Christian Convey wrote:
Is there some way I can map Coverity reports to individual developers, and then ask each of them to take a look at their portion of the Scan results?
Sorry, but not now. All our developers (myself included) are completely booked at the moment and have no spare cycles. And as the chance of finding anything serious in this coverity report isn't high (from what I've seen), sorting through the list won't get a very high priority.
I could be wrong, but it sounds like you don't see much point in going through the Coverity output. Is that true? Because if it's all a giant waste of time, I'm perfectly willing to contribute in some other way to the project.
I didn't want to sound like that, sorry. It's just that we're all really busy now at the moment. If you don't like to do that Coverity report, I will go through it myself. But just not now, only after I finish the feature I'm working on.
Regards, Sergei
participants (3): Christian Convey, Giacomo Picchiarelli, Sergei Golubchik