OtterBrowser / otter-browser

Otter Browser aims to recreate the best aspects of the classic Opera (12.x) UI using Qt5
https://otter-browser.org
GNU General Public License v3.0
1.8k stars 277 forks

auditing code base using Coverity #693

Open landroni opened 9 years ago

landroni commented 9 years ago

Have you considered auditing your code using the automated scan utility Coverity? https://scan.coverity.com/

Their tool is being used by heavy-hitters like LibreOffice, Linux Kernel, Firefox or Python. It may be worth submitting Otter to Coverity, too, to watch out for pesky implementation omissions.

If there is interest, I could set up the coverity scan and perform an initial assessment of defects.

Emdek commented 9 years ago

It seems to be a good idea. :-)

srgloureiro commented 9 years ago

By the way, some staff at Codegears decided to analyze the Unreal Engine code using CppDepend and CQLinq, described in the article http://www.codergears.com/Blog/?p=965

In my opinion, one first needs to know the best practices, and the link discusses some of them for C++.

The-Compiler commented 9 years ago

Some days ago I also set up a buildbot for otter which is already running:

http://qutebrowser.org:8011/waterfall

It currently runs cppcheck and scan-build (from clang).

landroni commented 9 years ago

Here we go:

https://scan.coverity.com/projects/4221

The code is pretty uniformly clean, with no high impact issues, and with only 0.12 Defect Density. You need to connect with your Github account to view the bugs.

uahim commented 9 years ago

Excuse this question from a technically interested casual user: 164,617 lines of code? Is that all written exclusively for Otter or does it also include QtWebKit?

landroni commented 9 years ago

The stats concern only Otter, so I suspect it's 164,617 lines of C code in Otter.

The-Compiler commented 9 years ago

Hm, I wonder where it's getting this metric from - I get something quite different:

```
$ find . \( -iname '*.cpp' -o -iname '*.h' -o -iname '*.js' \) -exec cat {} \; | wc -l  # inside the src/ dir
41839
```

landroni commented 9 years ago

Yeah, not sure about that. Maybe they explain their methodology in the docs...

landroni commented 9 years ago

As per http://codemonkey.org.uk/2014/08/13/year-coverity-linux-kernel-scans/

(LOC based on C preprocessor output)

I don't know what that means...

ShadowCreator commented 9 years ago

@landroni That probably means the lines of code count includes the expanded #include sections in the code.
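
The explanation above, worked through as an added example (not code from this thread, Otter or Coverity): a toy `#include` expander over a constructed source tree shows why a count taken from preprocessor output exceeds a `find | wc -l` count over `src/`, and how the choice of denominator moves a defects-per-1,000-lines figure. The file names, the `framework.h` stand-in and the defect count of 2 are assumptions.

```python
import re

# Constructed sample tree, not Otter's sources. PROJECT is what a
# `find src/ | wc -l` style count sees; EXTERNAL stands in for a framework
# header that only shows up once the preprocessor expands #include lines.
EXTERNAL = {"framework.h": ["#pragma once"] + [f"void api_{i}();" for i in range(40)]}
PROJECT = {
    "base.h": ["#pragma once", '#include "framework.h"',
               "struct Base {", "    virtual ~Base() {}", "};"],
    "widget.h": ["#pragma once", '#include "base.h"',
                 "struct Widget : Base {", "    int id;", "};"],
    "main.cpp": ['#include "widget.h"', '#include "base.h"',
                 "int main() {", "    Widget w;", "    return 0;", "}"],
    "util.cpp": ['#include "widget.h"', "int next_id() {", "    return 1;", "}"],
}
INCLUDE = re.compile(r'\s*#\s*include\s+"([^"]+)"')

def expand(name, tree, seen=None):
    """Return the lines of one file with quoted #include directives expanded."""
    seen = set() if seen is None else seen
    out = []
    for line in tree[name]:
        m = INCLUDE.match(line)
        if line.strip() == "#pragma once":
            if name in seen:      # already pulled into this translation unit
                return []
            seen.add(name)
        elif m and m.group(1) in tree:
            out.extend(expand(m.group(1), tree, seen))
        else:
            out.append(line)
    return out

def raw_loc(project):
    """Line count over the project's own files, directives included."""
    return sum(len(lines) for lines in project.values())

def preprocessed_loc(project, external):
    """Line count over each .cpp translation unit after include expansion."""
    tree = {**external, **project}
    units = [n for n in project if n.endswith(".cpp")]
    return sum(len(expand(u, tree)) for u in units)

def defects_per_kloc(defects, loc):
    return round(defects * 1000 / loc, 2)

if __name__ == "__main__":
    raw, pre = raw_loc(PROJECT), preprocessed_loc(PROJECT, EXTERNAL)
    print(raw, pre, defects_per_kloc(2, raw), defects_per_kloc(2, pre))
```

Shared headers are counted once per translation unit that includes them, so the same defect count yields a lower density against the preprocessed total than against the raw file total.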

Zero3K commented 8 years ago

It should be run through it again in order to see if any new bugs have popped up.