On 08/04/13 14:45, Colin Ian King wrote:
> On 08/04/13 14:40, James Hunt wrote:
>> On 08/04/13 13:57, Matthias Klose wrote:
>>> Am 08.04.2013 14:13, schrieb James Hunt:
>>>> As a precis of my earlier blog post [1], I'd like to encourage those involved
>>>> with a C, C++ or Java project in Ubuntu to take a look at the Coverity Scan
>>>> static-analysis service offered free to OSS projects [2].
>>>>
>>>> We're already using it for critical packages including Upstart and Whoopsie [3],
>>>> but it would be great to expand its scope to make its use the norm rather than
>>>> the exception.
>>>
>>> Did it catch the wrong use of the malloc attribute in upstart? ;)
>> I don't know - we were using it in anger then and I've now fixed that gcc
>> function attribute issue :)
>>
>>>
>>>> For those who have either never used static analysis tools, or have simply never
>>>> used Coverity, don't fall into the trap of thinking that "gcc -pedantic -Wall"
>>>> should be good enough for anyone - it simply is not.
>>>
>>> I don't know where you did get this from ...  Anyway, not using -Wextra leaves
>>> out more things.
>>>
>>> While not static analysis tools, you might want to look at -fsanitize=address
>>> and -fsanitize=thread in GCC 4.8 (available in the ubuntu-toolchain-r/test PPA).
>> Will do, thanks.
>>
>>>
>>> There's also clang --analyze, scan-view and scan-build in the clang package as a
>>> static analyzer.
>> Yes, I have used and continue to use these tools. However, from my experiences,
>> they are not as thorough as Coverity for the codebases I'm regularly looking at.
>>
>>>
>>> And all of these are free software.
>> Back in the day, splint [1] rocked on static analysis but the project appears to
>> have languished - it doesn't even appear to handle C99. YMMV but IMHO, Coverity
>> Scan is the most thorough static-analysis tool available to OSS developers today
>> that I've seen. Maybe if splint were to be revived my opinion may change... ;)
> 
> smatch [1] is quite a useful tool too, it has helped me find a variety
> of bugs in applications I've written,
Agreed - I'm using smatch alongside Coverity.

> however, I'd rather use coverity
> if we had access to it.
> 
> [1] http://smatch.sourceforge.net/
> 
>>
>>>
>>>   Matthias
>>>
>>>
>>
>> Kind regards,
>>
>> James.
>>
>> [1] - http://splint.sourceforge.net/
>> --
>> James Hunt
>> ____________________________________
>> #upstart on freenode
>> http://upstart.ubuntu.com/cookbook
>> https://lists.ubuntu.com/mailman/listinfo/upstart-devel
>>
> 
> 


-- 
Kind regards,

James.
--
James Hunt
____________________________________
#upstart on freenode
http://upstart.ubuntu.com/cookbook
https://lists.ubuntu.com/mailman/listinfo/upstart-devel
