Stephen Frost <sfr...@snowman.net> writes: > * Joe Conway (m...@joeconway.com) wrote: >> FWIW, strcpy() was being used in src/bin/pg_config/pg_config.c that I >> started with -- does that mean we are not getting Coverity coverage of >> src/bin?
> Coverity does run against src/bin also. It's possible this was > identified as an issue in pg_config.c, but, as Tom notes, it may not be > an actual bug and might have been marked as a non-bug in Coverity. It looks to me like the previous coding was static char mypath[MAXPGPATH]; ... char path[MAXPGPATH]; ... strcpy(path, mypath); so Coverity probably didn't complain because it could see that the source was also a buffer of size MAXPGPATH. With the new arrangement it was probably using an assumption that get_configdata() could be called with any length of string. I am not sure how much cross-file analysis Coverity does --- it seems to do some, but in other cases it acts like it doesn't know anything about the call sites. It's possible that it did know that the existing callers all use MAXPGPATH-sized buffers, but whined anyway on the not-unreasonable grounds that global functions should be prepared for new callers. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers