[Ksummit-2013-discuss] [ATTEND] static checking; COMPILE_TEST

Kees Cook keescook at chromium.org
Fri Jul 19 21:57:03 UTC 2013


On Fri, Jul 19, 2013 at 9:17 AM, Wolfram Sang <wsa at the-dreams.de> wrote:
> On Fri, Jul 19, 2013 at 06:55:39PM +0300, Dan Carpenter wrote:
>> On Fri, Jul 19, 2013 at 11:21:01AM +0200, Jiri Slaby wrote:
>> > Yes, this is exactly my point. There are outputs of analyzers (I give
>> > coverity as an example), but maintainers ignore those (one random
>> > example is at [1]). Then people who do not understand the code well
>> > enough come up with fixes which are inappropriate.
>>
>> These days Fengguang will send a warning to the person who
>> introduces the bug as soon as it shows up on a public git tree.
>> He does GCC warnings, Sparse, and Coccinelle.  I do the same for
>> Smatch warnings.  If you warn the right people while the code is
>> still fresh in their mind then it tends to get fixed.
>
> I run all these checks automatically when applying patches to my trees.
> Yes, there are some false positives, but it still helps a lot.

How are you currently dealing with false positives that come out of
coccicheck? I have a rule I want to put in the tree, but it does end
up with a few false positives.

-Kees

--
Kees Cook
Chrome OS Security
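The thread above describes warning only the person who introduced a problem, and Wolfram's practice of running the checkers on every applied patch. One way to get "only what this series introduced" out of a noisy checker, and to stop a known false positive from being reported again, is to diff normalised checker output against a baseline. The script below is an added example, not code from anyone in this thread or from the kernel tree. It assumes the reports come from the kernel's own targets (`make coccicheck MODE=report M=<dir>` for Coccinelle, `make C=2` for sparse, `make CHECK="smatch -p=kernel" C=1` for smatch) redirected to a file before and after applying the series; the sample report lines embedded in `demo` are constructed for illustration and are not real checker output.

```shell
#!/bin/sh
# Added example: report only the checker warnings a patch series introduces,
# and keep a baseline file in which confirmed false positives are parked.
# Assumed workflow (not in the original mail):
#   make coccicheck MODE=report M=drivers/net > before.txt   # on the old tree
#   git am series.mbox
#   make coccicheck MODE=report M=drivers/net > after.txt    # on the new tree
#   sh this-script.sh ; new_warnings before.txt after.txt
export LC_ALL=C

# Strip line and column numbers from "path:line:col[-col]: message" so that a
# hunk that merely shifts code does not turn an old warning into a "new" one.
# Handles coccicheck ("f.c:12:8-15:"), sparse/gcc ("f.c:12:8:") and bare
# "f.c:12:" prefixes. Output is sorted and de-duplicated for comm(1).
normalize_report() {
    sed -E 's/^([^:]+):[0-9]+:[0-9]+(-[0-9]+)?:/\1:/; s/^([^:]+):[0-9]+:/\1:/' |
        sort -u
}

# Print the normalised warnings present in the "after" report ($2) but absent
# from the "before"/baseline report ($1). Exit status is that of rm (0).
new_warnings() {
    tmp=$(mktemp -d)
    normalize_report <"$1" >"$tmp/before"
    normalize_report <"$2" >"$tmp/after"
    comm -13 "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

# Record a warning that a human has judged to be a false positive: append its
# normalised form to the baseline ($1) so later runs no longer report it.
# $2 is the raw line exactly as the checker printed it.
mark_false_positive() {
    printf '%s\n' "$2" | normalize_report >>"$1"
}

# Self-contained demonstration on constructed sample reports (not real output).
demo() {
    tmp=$(mktemp -d)
    cat >"$tmp/before.txt" <<'EOF'
drivers/net/foo.c:120:8-15: WARNING: Unsigned expression compared with zero: i < 0
drivers/net/foo.c:310:2-9: WARNING: Comparison to bool
EOF
    # The series shifted both old warnings down four lines and added one more.
    cat >"$tmp/after.txt" <<'EOF'
drivers/net/foo.c:124:8-15: WARNING: Unsigned expression compared with zero: i < 0
drivers/net/foo.c:314:2-9: WARNING: Comparison to bool
drivers/net/foo.c:402:1-7: WARNING: missing unlock on line 410
EOF
    new_warnings "$tmp/before.txt" "$tmp/after.txt"
    rm -rf "$tmp"
}

demo
```

Running the script prints only the `missing unlock` line; the two pre-existing warnings are suppressed even though their line numbers changed. Once a maintainer decides a reported line is a false positive, `mark_false_positive before.txt '<raw line>'` parks it in the baseline, which is simpler than editing the semantic patch itself and keeps the record of what was dismissed next to the tree it applies to. Messages that embed a line number in their text (such as the `on line 410` above) are not normalised and will reappear if that code moves; extend the `sed` expression if a particular rule does this often.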

