Alan Coopersmith wrote:
> When I asked the Coverity guys at OSCON last week, they said that it probably
> wouldn't be free for us, since they're in the business of selling this service,
> and generally won't be offering free service to projects that are mainly driven
> by a single company which they make money off of, and should thus be able to
> afford a commercial license.
>
> I'd love to see us find some way to get Coverity scans of OpenSolaris code,
> but I think Sun's going to have to put money in for that.

Rob Clark wrote:
> Doesn't seem fair. Can you ask if there is a budget for it? (so if it is not
> free you might offer to pay).

Personally, I don't agree w/ trying to cheat companies out of business. Coverity has a business model, and I think it's well w/in its rights to try to earn money.

Kyle wrote:
> I don't know for sure, but Coverity's competitor Klocwork
> (www.klocwork.com) probably also does Opensource scans, and might be
> willing to scan a project that Coverity had rejected. Personally I
> prefer Klocwork, but really any static analysis is better than none.

Both have been run on the Mozilla codebase at times. I prefer not wasting my time on more than one at a time, because as mentioned elsewhere, it takes a significant amount of effort to train a tool to stop bugging you. Mozilla is considerably smaller than OpenSolaris....

Last I checked (and this was a number of years ago), Klocwork did not have any real support for multiple users in comment fields, or version control in the same, which I considered to be close to a show stopper. I sent them feedback, but I don't know if this was fixed (I hope it was).

Rob Clark wrote:
> TWO (or three) heads are better than one (unless it's on my body or I turn
> into a Hydra).

No. Wasting 2 or 3 times as much time is not better than spending x time to review a project.

> Any (quality) scanner that uses someone else's CPU to scan OpenSolaris and
> provides a neat interface that a small group of people can use to submit
> cleaned up reports to http://defect.opensolaris.org/ is better than not
> knowing.

Drowning in bug reports is a very serious risk. Especially if the reports are public and bad guys use them first. (This is among the reasons that both Coverity and Klocwork do not provide reports to the general public.)

James Carlson wrote:
> On the plus side, there are nuggets of gold buried in the voluminous
> reports generated. The question is whether you want to invest your
> time and money into eyeballing those (and teaching all developers how
> to cope with slow run times and complicated output), or put more
> effort into traditional design and code reviews.

Rob Clark wrote:
> We don't need to give "all" developers access. Ask for volunteers and then a
> few of the core Sun OpenSolaris developers can pick a half dozen people and
> assign them to that group.

This isn't unreasonable, although the amount of time required is non-trivial. (I've looked at a fairly large portion of the Mozilla reports in both tools....)

> As for the "run times" it does not run on _our_ computers is my understanding.

Actually, this is an option. At OSCON, they announced that you could run part of it on your computers and send the results to them. The chief advantage is if your build system is "complicated", you don't have to rely on them to set up and maintain that system. Mozilla's build system "changed" at some point, which rendered Coverity reports useless. We will most likely take advantage of this feature in the near future (once we find an engineer w/ the time to set it up). I think OpenSolaris's system probably fits the definition of "complicated". Note that not everything is run locally, but the build integration bits are (I believe the analysis/reporting is done by Coverity later).

James Carlson wrote:
> put more effort into traditional design and code reviews.

Rob Clark wrote:
> Good plan. Pick a half dozen people (volunteers) and ask them to go through
> the code. Have them send an email to the code's "owner" - "fix it or I will"

And threats are bad :)

> simply create "fix patches" that _we_ can apply (and the "owner" (originator)
> can look at) so that lint is clean. This sort of thing happens over at linux
> and gcc -- but they have a larger user base in the bugzilla.

Jorg wrote:
> If you like to scan Solaris ON and work on the results, this would take
> probably one man year.

Rob Clark wrote:
> With a half dozen volunteers it might take one quarter the time.
> We might get a few dozen people interested.

It doesn't work that way. Each person has to learn the tool, and each person has to learn the quirks. In some cases you are able to teach the tool once and have it learn "forever", but it depends where you do the teaching.

Alan Coopersmith wrote:
> Another project I saw at OSCON is Mozilla's static analysis tools ...

Rob Clark wrote:
> The more the merrier.

No. The more diluted, the less effective.

> Let's see how many volunteers we get, figure
> out which tools we want to use and how to divide things up.
>
> Once we pull out most of the weeds the rest of the garden will be easier to
> maintain.

FWIW, I like Coverity, and don't really dislike Klocwork, but focus is actually a valuable thing. A quick check of Coverity historical stats showed that we had nearly 1 false positive for every uninspected item, with about 1 fix for every 4 falses (this is very coarse and based on trying to find a report which had possibly valid numbers). Coverity /could/ be more useful to OpenSolaris than it has been to Mozilla; however, I personally suspect that Coverity has been run against Solaris in the past.

_______________________________________________
opensolaris-code mailing list
opensolaris-code@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/opensolaris-code
