Coverity static analysis of Upstart?

Evan Huus eapache at gmail.com
Sat Jun 4 12:24:56 UTC 2011


On Sat, Jun 4, 2011 at 7:14 AM, Adam Spragg <adam at spra.gg> wrote:
> On Friday 03 Jun 2011 09:55:59 James Hunt wrote:
>> On 02/06/11 18:11, Andrew Pollock wrote:
>> > On Thu, Jun 02, 2011 at 05:54:46PM +0100, James Hunt wrote:
>> >> I'm considering submitting Upstart (and NIH) to the Coverity Scan site
>> >> to allow the source code to be statically analysed:
>> >
>> > Any reason not to?
>>
>> Apologies for the somewhat terse mail, since it didn't really outline my
>> thoughts on this: I was wondering if anyone has a view on any viable OSS
>> equivalents to Coverity?
>>
>> My personal view is that the OSS tooling in this area is lacking.
>> Although gcc has got a lot better over time wrt warnings and checks it
>> is IMHO no match for the likes of the commercial tools such as Coverity,
>> Klocwork, QA C/C++, etc.
>>
>> It's a shame splint has languished for so long (it doesn't even handle
>> variadic macros). Maybe one day clang will provide similar capabilities...
>
> Have you tried the clang static analyzer <http://clang-analyzer.llvm.org/>?
>
> I've not tried much in the way of the commercial tools in this area, so can't
> really compare the clang analyzer to them, but on a couple of my own source
> trees it found a couple of problems gcc missed.

I've never used clang before, so just for kicks I ran the clang
analyzer on the stable upstart-0.6.7 source. It was very easy to set
up and integrate into the build environment.

It found exactly one issue.

reboot.c:141 - the value stored to 'mode' is overwritten without being read

Not a false positive per se, but neither is it really a problem or
something we want to fix. The compiler will optimize it out, and it
makes for cleaner (and safer) code.

We'll have to see if Coverity can come up with anything more interesting.

Cheers,
Evan


