Announcing UDS 13.05
Hello everybody, Just a note to let everybody know that the dates and times for the next UDS (13.05), registration is open, and you can now register right from Summit itself. http://fridge.ubuntu.com/2013/04/09/uds-13-05-ubuntus-second-online-developer-summit/ tl;dr UDS 13.05 will be May 14th-16th, same times and tracks as the last one, but several improvements to the tools and processes over last UDS. -- Michael Hall mhall...@ubuntu.com -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Coverity static analysis for C, C++ and Java code
On 08/04/13 14:45, Colin Ian King wrote: > On 08/04/13 14:40, James Hunt wrote: >> On 08/04/13 13:57, Matthias Klose wrote: >>> Am 08.04.2013 14:13, schrieb James Hunt: As a precis of my earlier blog post [1], I'd like to encourage those involved with a C, C++ or Java project in Ubuntu to take a look at the Coverity Scan static-analysis service offered free to OSS projects [2]. We're already using it for critical packages including Upstart and Whoopsie [3], but it would be great to expand its scope to make it use the norm rather than the exception. >>> >>> Did it catch the wrong use of the malloc attribute in upstart? ;) >> I don't know - we were using it in anger then and I've now fixed that gcc >> function attribute issue :) >> >>> For those who have either never used static analysis tools, or have simply never used Coverity, don't fall into the trap of thinking that "gcc -pedantic -Wall" should be good enough for anyone - it simply is not. >>> >>> I don't know where you did get this from ... Anyway, not using -Wextra >>> leaves >>> out more things. >>> >>> while not static analysis tools, you might want to look at >>> -fsanitize=address >>> and -fsanitize=thread in GCC 4.8 (available in the ubuntu-toolchain-r/test >>> PPA). >> Will do, thanks. >> >>> >>> There's also clang --analyze, scan-view and scan-build in the clang package >>> as a >>> static analyzer. >> Yes, I have used and continue to use these tools. However, from my >> experiences, >> they are not as thorough as Coverity for the codebases I'm regularly looking >> at. >> >>> >>> And all of these are free software. >> Back in the day, splint [1] rocked on static analysis but the project >> appears to >> have languished - it doesn't even appear to handle C99. YMMV but IMHO, >> Coverity >> Scan is the most thorough static-analysis tool available to OSS developers >> today >> that I've seen. Maybe if splint were to be revived my opinion may change... >> ;) > > smatch [1] is quite a useful tool too, it has helped me find a variety > of bugs in applications I've written, Agreed - I'm using smatch alongside Coverity. however, I'd rather use coverity > if we had access to it. > > [1] http://smatch.sourceforge.net/ > >> >>> >>> Matthias >>> >>> >> >> Kind regards, >> >> James. >> >> [1] - http://splint.sourceforge.net/ >> -- >> James Hunt >> >> #upstart on freenode >> http://upstart.ubuntu.com/cookbook >> https://lists.ubuntu.com/mailman/listinfo/upstart-devel >> > > -- Kind regards, James. -- James Hunt #upstart on freenode http://upstart.ubuntu.com/cookbook https://lists.ubuntu.com/mailman/listinfo/upstart-devel -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Now possible to look up a problem by its bug number on https://errors.ubuntu.com
Stuart has helpfully pointed at that because of the current restrictions, most of you cannot see that page. Apologies - we're working quickly to open up access. -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Coverity static analysis for C, C++ and Java code
On 08/04/13 14:40, James Hunt wrote: > On 08/04/13 13:57, Matthias Klose wrote: >> Am 08.04.2013 14:13, schrieb James Hunt: >>> As a precis of my earlier blog post [1], I'd like to encourage those >>> involved >>> with a C, C++ or Java project in Ubuntu to take a look at the Coverity Scan >>> static-analysis service offered free to OSS projects [2]. >>> >>> We're already using it for critical packages including Upstart and Whoopsie >>> [3], >>> but it would be great to expand its scope to make it use the norm rather >>> than >>> the exception. >> >> Did it catch the wrong use of the malloc attribute in upstart? ;) > I don't know - we were using it in anger then and I've now fixed that gcc > function attribute issue :) > >> >>> For those who have either never used static analysis tools, or have simply >>> never >>> used Coverity, don't fall into the trap of thinking that "gcc -pedantic >>> -Wall" >>> should be good enough for anyone - it simply is not. >> >> I don't know where you did get this from ... Anyway, not using -Wextra >> leaves >> out more things. >> >> while not static analysis tools, you might want to look at -fsanitize=address >> and -fsanitize=thread in GCC 4.8 (available in the ubuntu-toolchain-r/test >> PPA). > Will do, thanks. > >> >> There's also clang --analyze, scan-view and scan-build in the clang package >> as a >> static analyzer. > Yes, I have used and continue to use these tools. However, from my > experiences, > they are not as thorough as Coverity for the codebases I'm regularly looking > at. > >> >> And all of these are free software. > Back in the day, splint [1] rocked on static analysis but the project appears > to > have languished - it doesn't even appear to handle C99. YMMV but IMHO, > Coverity > Scan is the most thorough static-analysis tool available to OSS developers > today > that I've seen. Maybe if splint were to be revived my opinion may change... ;) smatch [1] is quite a useful tool too, it has helped me find a variety of bugs in applications I've written, however, I'd rather use coverity if we had access to it. [1] http://smatch.sourceforge.net/ > >> >> Matthias >> >> > > Kind regards, > > James. > > [1] - http://splint.sourceforge.net/ > -- > James Hunt > > #upstart on freenode > http://upstart.ubuntu.com/cookbook > https://lists.ubuntu.com/mailman/listinfo/upstart-devel > -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Now possible to look up a problem by its bug number on https://errors.ubuntu.com
I just wanted to let you know that it's now possible to look up a problem on https://errors.ubuntu.com by bug number: https://errors.ubuntu.com/bug/1094218 For those unfamiliar with errors.ubuntu.com, this website measures the quality of each Ubuntu release and gives us a prioritised list of problems to fix. You can learn more about it at: http://wiki.ubuntu.com/ErrorTracker Thanks, Evan -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Coverity static analysis for C, C++ and Java code
On 08/04/13 13:57, Matthias Klose wrote: > Am 08.04.2013 14:13, schrieb James Hunt: >> As a precis of my earlier blog post [1], I'd like to encourage those involved >> with a C, C++ or Java project in Ubuntu to take a look at the Coverity Scan >> static-analysis service offered free to OSS projects [2]. >> >> We're already using it for critical packages including Upstart and Whoopsie >> [3], >> but it would be great to expand its scope to make it use the norm rather than >> the exception. > > Did it catch the wrong use of the malloc attribute in upstart? ;) I don't know - we were using it in anger then and I've now fixed that gcc function attribute issue :) > >> For those who have either never used static analysis tools, or have simply >> never >> used Coverity, don't fall into the trap of thinking that "gcc -pedantic >> -Wall" >> should be good enough for anyone - it simply is not. > > I don't know where you did get this from ... Anyway, not using -Wextra leaves > out more things. > > while not static analysis tools, you might want to look at -fsanitize=address > and -fsanitize=thread in GCC 4.8 (available in the ubuntu-toolchain-r/test > PPA). Will do, thanks. > > There's also clang --analyze, scan-view and scan-build in the clang package > as a > static analyzer. Yes, I have used and continue to use these tools. However, from my experiences, they are not as thorough as Coverity for the codebases I'm regularly looking at. > > And all of these are free software. Back in the day, splint [1] rocked on static analysis but the project appears to have languished - it doesn't even appear to handle C99. YMMV but IMHO, Coverity Scan is the most thorough static-analysis tool available to OSS developers today that I've seen. Maybe if splint were to be revived my opinion may change... ;) > > Matthias > > Kind regards, James. [1] - http://splint.sourceforge.net/ -- James Hunt #upstart on freenode http://upstart.ubuntu.com/cookbook https://lists.ubuntu.com/mailman/listinfo/upstart-devel -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Coverity static analysis for C, C++ and Java code
Am 08.04.2013 14:13, schrieb James Hunt: > As a precis of my earlier blog post [1], I'd like to encourage those involved > with a C, C++ or Java project in Ubuntu to take a look at the Coverity Scan > static-analysis service offered free to OSS projects [2]. > > We're already using it for critical packages including Upstart and Whoopsie > [3], > but it would be great to expand its scope to make it use the norm rather than > the exception. Did it catch the wrong use of the malloc attribute in upstart? ;) > For those who have either never used static analysis tools, or have simply > never > used Coverity, don't fall into the trap of thinking that "gcc -pedantic -Wall" > should be good enough for anyone - it simply is not. I don't know where you did get this from ... Anyway, not using -Wextra leaves out more things. while not static analysis tools, you might want to look at -fsanitize=address and -fsanitize=thread in GCC 4.8 (available in the ubuntu-toolchain-r/test PPA). There's also clang --analyze, scan-view and scan-build in the clang package as a static analyzer. And all of these are free software. Matthias -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Coverity static analysis for C, C++ and Java code
A big +1 to this. Coverity has found a few interesting bugs in whoopsie that our other tools missed. -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Coverity static analysis for C, C++ and Java code
As a precis of my earlier blog post [1], I'd like to encourage those involved with a C, C++ or Java project in Ubuntu to take a look at the Coverity Scan static-analysis service offered free to OSS projects [2]. We're already using it for critical packages including Upstart and Whoopsie [3], but it would be great to expand its scope to make it use the norm rather than the exception. For those who have either never used static analysis tools, or have simply never used Coverity, don't fall into the trap of thinking that "gcc -pedantic -Wall" should be good enough for anyone - it simply is not. Kind regards, James. [1] - http://ifdeflinux.blogspot.co.uk/2013/04/coverity-static-analysis-for-c-c-and.html [2] - http://scan.coverity.com/ [3] - http://scan.coverity.com/all-projects.html -- James Hunt #upstart on freenode http://upstart.ubuntu.com/cookbook https://lists.ubuntu.com/mailman/listinfo/upstart-devel -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
