Subject: Re: [boost] Is there interest in static code analysis?
From: Phil Endecott (spam_from_boost_dev_at_[hidden])
Date: 2012-02-29 19:05:10
Antony Polukhin wrote:
> 2012/2/29 Phil Endecott <spam_from_boost_dev_at_[hidden]>:
>> Anthony, did you search the mailing list archive for "coverity"? ?See e.g.
>> this thread:
>> (and try to ignore the 75% of the posts that aren't helpful...)
> I was talking here about the exactly same tool. In thread that you
> supported no clear answer to shall we use it or not.
My recollection is:
- The license is obnoxious, but many people could probably agree to it
because you do have the choice of just walking away if you later decide
that you don't like it. (People who contribute to Boost as part of
their employment might have stricter restrictions on what they can
agree to, though.)
- Crucially the people who are shown the secret Coverity reports are
not allowed to show them to anyone else. While this might work for
other projects, because Boost is a collection of libraries that are
only loosely coupled we don't have a single individual who could
evaluate all the reports and prepare fixes for every library. Instead,
we'd need to have each individual library author sign up with Coverity.
- As with most things, the ultimate limitation is probably that
everyone has more urgent things to do.
At the technical level, I'd be interested to know how well Coverity
copes with template (header-only) library functionality. Can it
analyse templates in isolation, without a concrete instantiation? If
it does, does that lead to false positives due to "documentation-only"
preconditions? There are similar issues with compiler warnings and errors.
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk