Coverity static analysis for C, C++ and Java code

Colin Ian King colin.king at canonical.com
Mon Apr 8 13:45:29 UTC 2013 

On 08/04/13 14:40, James Hunt wrote:
> On 08/04/13 13:57, Matthias Klose wrote:
>> Am 08.04.2013 14:13, schrieb James Hunt:
>>> As a precis of my earlier blog post [1], I'd like to encourage those involved
>>> with a C, C++ or Java project in Ubuntu to take a look at the Coverity Scan
>>> static-analysis service offered free to OSS projects [2].
>>>
>>> We're already using it for critical packages including Upstart and Whoopsie [3],
>>> but it would be great to expand its scope to make it use the norm rather than
>>> the exception.
>>
>> Did it catch the wrong use of the malloc attribute in upstart? ;)
> I don't know - we were using it in anger then and I've now fixed that gcc
> function attribute issue :)
> 
>>
>>> For those who have either never used static analysis tools, or have simply never
>>> used Coverity, don't fall into the trap of thinking that "gcc -pedantic -Wall"
>>> should be good enough for anyone - it simply is not.
>>
>> I don't know where you did get this from ...  Anyway, not using -Wextra leaves
>> out more things.
>>
>> while not static analysis tools, you might want to look at -fsanitize=address
>> and -fsanitize=thread in GCC 4.8 (available in the ubuntu-toolchain-r/test PPA).
> Will do, thanks.
> 
>>
>> There's also clang --analyze, scan-view and scan-build in the clang package as a
>> static analyzer.
> Yes, I have used and continue to use these tools. However, from my experiences,
> they are not as thorough as Coverity for the codebases I'm regularly looking at.
> 
>>
>> And all of these are free software.
> Back in the day, splint [1] rocked on static analysis but the project appears to
> have languished - it doesn't even appear to handle C99. YMMV but IMHO, Coverity
> Scan is the most thorough static-analysis tool available to OSS developers today
> that I've seen. Maybe if splint were to be revived my opinion may change... ;)

smatch [1] is quite a useful tool too, it has helped me find a variety
of bugs in applications I've written, however, I'd rather use coverity
if we had access to it.

[1] http://smatch.sourceforge.net/

> 
>>
>>   Matthias
>>
>>
> 
> Kind regards,
> 
> James.
> 
> [1] - http://splint.sourceforge.net/
> --
> James Hunt
> ____________________________________
> #upstart on freenode
> http://upstart.ubuntu.com/cookbook
> https://lists.ubuntu.com/mailman/listinfo/upstart-devel
>

More information about the ubuntu-devel mailing list