Is there interest in static code analysis?

Because of some interest in this topic, I would like to clarify some things: Of course you can get a trial version and use it yourself, BUT a more mature solution would be to find a "Boost liaison contact". This contact will interact with the company and provide access to reports for developers. In that case all developers can get access to reports without downloading/installing the trial version, and use the static analysis tool for a longer time. That case will also require the "Boost liaison contact" to look carefully through the license for that tool and agree to it as a maintainer of the whole Boost project (I am not permitted to make such decisions). Best regards, Antony Polukhin

Antony Polukhin wrote:
Is there interest in static code analysis?
Anthony, did you search the mailing list archive for "coverity"? See e.g. this thread: http://thread.gmane.org/gmane.comp.lib.boost.devel/185556/focus=185588 (and try to ignore the 75% of the posts that aren't helpful...) Cheers, Phil.

2012/2/29 Phil Endecott <spam_from_boost_dev@chezphil.org>:
Anthony, did you search the mailing list archive for "coverity"? See e.g. this thread:
http://thread.gmane.org/gmane.comp.lib.boost.devel/185556/focus=185588 (and try to ignore the 75% of the posts that aren't helpful...)
I was talking here about exactly the same tool. In the thread that you provided there is no clear answer as to whether we shall use it or not. There are some remarks about the license, but I'm not a lawyer and can tell nothing about the license. The only thing I know is that in some countries such licenses are void, exactly because of the "we can change the license at any time, without your permission" paragraph. I also see that the Linux kernel uses that tool, and as far as I know a lot of lawyers cooperate with the Linux kernel project. Does someone have contacts with good lawyers? Is the license safe? Best regards, Antony Polukhin

on Wed Feb 29 2012, Antony Polukhin <antoshkka-AT-gmail.com> wrote:
2012/2/29 Phil Endecott <spam_from_boost_dev@chezphil.org>:
Anthony, did you search the mailing list archive for "coverity"? See e.g. this thread:
http://thread.gmane.org/gmane.comp.lib.boost.devel/185556/focus=185588 (and try to ignore the 75% of the posts that aren't helpful...)
I was talking here about exactly the same tool. In the thread that you provided there is no clear answer as to whether we shall use it or not.
There are some remarks about the license, but I'm not a lawyer and can tell nothing about the license. The only thing I know is that in some countries such licenses are void, exactly because of the "we can change the license at any time, without your permission" paragraph. I also see that the Linux kernel uses that tool, and as far as I know a lot of lawyers cooperate with the Linux kernel project.
Does someone have contacts with good lawyers? Is the license safe?
If we decide we want to use it, we have lawyers (through the Software Conservancy) we can call on to help us evaluate the license. IMO, if the Linux kernel can make good use of Coverity and Coverity can handle C++, it would be a good idea for us to try it. -- Dave Abrahams BoostPro Computing http://www.boostpro.com

Antony Polukhin wrote:
2012/2/29 Phil Endecott <spam_from_boost_dev@chezphil.org>:
Anthony, did you search the mailing list archive for "coverity"? See e.g. this thread:
http://thread.gmane.org/gmane.comp.lib.boost.devel/185556/focus=185588 (and try to ignore the 75% of the posts that aren't helpful...)
I was talking here about exactly the same tool. In the thread that you provided there is no clear answer as to whether we shall use it or not.
My recollection is:
- The license is obnoxious, but many people could probably agree to it because you do have the choice of just walking away if you later decide that you don't like it. (People who contribute to Boost as part of their employment might have stricter restrictions on what they can agree to, though.)
- Crucially, the people who are shown the secret Coverity reports are not allowed to show them to anyone else. While this might work for other projects, because Boost is a collection of libraries that are only loosely coupled we don't have a single individual who could evaluate all the reports and prepare fixes for every library. Instead, we'd need to have each individual library author sign up with Coverity.
- As with most things, the ultimate limitation is probably that everyone has more urgent things to do.
At the technical level, I'd be interested to know how well Coverity copes with template (header-only) library functionality. Can it analyse templates in isolation, without a concrete instantiation? If it does, does that lead to false positives due to "documentation-only" preconditions? There are similar issues with compiler warnings and errors. Regards, Phil.

2012/3/1 Phil Endecott <spam_from_boost_dev@chezphil.org>:
- Crucially, the people who are shown the secret Coverity reports are not allowed to show them to anyone else.
I could find nothing about that on their page. They just do not publish errors on their site for everyone (only for project members), but they do not restrict you from publishing them. Maybe I missed something?
- As with most things, the ultimate limitation is probably that everyone has more urgent things to do.
And after that, the urgent things that got done shall be checked for bugs. By users, or by automated tools. IMO it is better when by both. Best regards, Antony Polukhin
participants (3)
- Antony Polukhin
- Dave Abrahams
- Phil Endecott