I found the errors reported by cppcheck much easier to fix than bug reports (e.g. generated by my keytest). For example:

    [./development/lyxserver/server_monitor.c:173]: (error) Memory leak: pipename

This had the obvious solution of adding free(pipename) to line 173. Convincing myself that this fix was correct wasn't quite so trivial, but still much easier than tracing down the cause of a traditional bug report.

Unfortunately cppcheck didn't seem very powerful and only found bugs in code that was virtually unused. My understanding is that Coverity is not only a much more powerful check, but also focuses on making their bug reports easy to understand and free of false positives [1]. As such it seems that fixing many of the bugs reported by Coverity would be trivial, and may even save time, as fixing dangerous code may close some of the hard-to-track-down bugs sitting in trac.

If we were to request that Coverity scan LyX, would anyone be interested in either looking through the bugs, or having someone else such as myself look through the bug reports? I understand that those who wish to see the bug reports have to agree to a click-through license agreeing that if you produce a competing product to Coverity you won't use any "IP" you learnt about Coverity from looking at their bug reports.

--
John C. McCabe-Dansted

[1] http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext