Coverity static analysis for C, C++ and Java code
james.hunt at ubuntu.com
Mon Apr 8 15:09:50 UTC 2013
On 08/04/13 14:45, Colin Ian King wrote:
> On 08/04/13 14:40, James Hunt wrote:
>> On 08/04/13 13:57, Matthias Klose wrote:
>>> On 08.04.2013 14:13, James Hunt wrote:
>>>> As a précis of my earlier blog post, I'd like to encourage those involved
>>>> with a C, C++ or Java project in Ubuntu to take a look at the Coverity Scan
>>>> static-analysis service offered free to OSS projects.
>>>> We're already using it for critical packages including Upstart and Whoopsie,
>>>> but it would be great to expand its scope to make its use the norm rather than
>>>> the exception.
>>> Did it catch the wrong use of the malloc attribute in upstart? ;)
>> I don't know - we were using it in anger then and I've now fixed that gcc
>> function attribute issue :)
>>>> For those who have either never used static analysis tools, or have simply never
>>>> used Coverity, don't fall into the trap of thinking that "gcc -pedantic -Wall"
>>>> should be good enough for anyone - it simply is not.
>>> I don't know where you got this from ... Anyway, not using -Wextra leaves
>>> out more things.
>>> While not static analysis tools, you might want to look at -fsanitize=address
>>> and -fsanitize=thread in GCC 4.8 (available in the ubuntu-toolchain-r/test PPA).
>> Will do, thanks.
>>> There's also clang --analyze, scan-view and scan-build in the clang package as a
>>> static analyzer.
>> Yes, I have used and continue to use these tools. However, from my experiences,
>> they are not as thorough as Coverity for the codebases I'm regularly looking at.
>>> And all of these are free software.
>> Back in the day, splint rocked on static analysis but the project appears to
>> have languished - it doesn't even appear to handle C99. YMMV but IMHO, Coverity
>> Scan is the most thorough static-analysis tool available to OSS developers today
>> that I've seen. Maybe if splint were to be revived my opinion may change... ;)
> smatch is quite a useful tool too, it has helped me find a variety
> of bugs in applications I've written,
Agreed - I'm using smatch alongside Coverity.
> however, I'd rather use coverity
> if we had access to it.
>  http://smatch.sourceforge.net/
>> Kind regards,
>>  - http://splint.sourceforge.net/
>> James Hunt
>> #upstart on freenode
#upstart on freenode