[webkit-dev] Pre-proposal: Adding a Coverity instance for WebKIt

Eric Seidel eric at webkit.org
Mon Sep 17 16:33:40 PDT 2012


I wish to subscribe to this product and or service.  Count me in.

I'm not particularly worried about who has access.  But maybe I should
be?  Its not like the bad-guys can't run coverity themselves.

On Mon, Sep 17, 2012 at 6:11 PM, James Hawkins <jhawkins at chromium.org> wrote:
> Hey folks,
>
> TL;DR - If you have opinions one way or another about having a Coverity
> instance available for WebKit developers, please respond to this message.
>
>
> Coverity is a static analysis tool [1] which scans source code and reports
> defects in the code.  We've been using Coverity to find defects in Chrome
> for a while now, and though there is sometimes a bit of subjectivity
> involved in the defect types (e.g. whether a return value should be
> checked), the signal is generally high.
>
> Off the top of my head, the following are the defects I spend most of my
> time fixing:
> * Uninitialized variables (including member variables).
>   - Chrome has had at least 4 crash fixes in the past few months due to this
> defect (which were caught by Coverity).
> * Passing large parameters by value.
>   - Generally a trivial fix.  I don't have performance data to say what
> affect fixing these hash, but 'death by a thousand cuts' eh?
> * Forward/Reverse/I - Nulls.
>   - Coverity is very good at understanding when a value is NULL and the tool
> will tell you which code paths are using a NULL value.
> * Tons of security issue-causing defects.
>
>
> I'd like to propose adding a Coverity instance for the WebKit community, but
> I want to make sure there's general support before writing up the detailed
> proposal.
>
> A few details:
> * Google will front the cost of the license (non-zero...very far from zero)
> and the infrastructure.
> * I'd leave it up to the WebKit leadership to decide who has access (most
> likely limited to WebKit committers for security purposes).
>
> The biggest rationale is to provide a strong defect signal for the entire
> WebKit community, which would directly impact the success of all
> WebKit-based projects.  Coverity has provided free licenses for unsponsored
> (by larger corporations anyway) open-source projects; this has resulted in
> significant improvements [2] to the code bases of these projects, one of
> which I was directly involved with years ago (Wine).
>
> Let me know if you love the idea or hate it.
>
> Thanks,
> James
>
>
> [1] http://www.coverity.com/products/static-analysis.html
> [2]
> http://softwareintegrity.coverity.com/coverity-scan-2011-open-source-integrity-report-registration.html
> - registration required now :(
>
>
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> http://lists.webkit.org/mailman/listinfo/webkit-dev
>


More information about the webkit-dev mailing list