On 12/21/2013 10:10 AM, Roy Smith wrote:
> On the last large C++ project I worked on, we decided (i.e. obeyed a corporate mandate) to start using Coverity's static analysis tool on our 15 year old codebase. I learned a few things about static analysis then.

CPython was about that old when Coverity started giving us reports on the C part of CPython (about 400000 loc). CPython is now essentially free of errors detected by Coverity.

> 1) It finds bugs you would never find yourself.

Coverity apparently found several for CPython.

> 2) If your code does tricky things, you can fool the static analyzer, leading to false positives.

One can define code patterns that are false positives, to silence such reports.

> Presumably, it also leads to false negatives, but you don't know about those :-(

We use unit tests to find logic bugs ;-).

> 3) If you're going to use static analysis, probably the best way is to start using it from day one. Trying to duct-tape a static analysis step into your development process for a legacy codebase is probably more effort than it's worth.

Some of the C coders on the development team thought it *was* for CPython. The fact that CPython has been compiled for, say, 20 different systems may have meant that it already depended less on 'implementation-defined' behavior.
-- Terry Jan Reedy