[webkit-dev] Pre-proposal: Adding a Coverity instance for WebKit

Filip Pizlo fpizlo at apple.com
Mon Sep 17 17:45:48 PDT 2012


I approve. 

Regardless of opinions of how good Coverity is at catching real bugs (I have doubts), we already have changesets based on its advice. That ship has already sailed. So, it would be great if the tool was more broadly available if only so that others could see how it works. 

-Filip

On Sep 17, 2012, at 4:11 PM, James Hawkins <jhawkins at chromium.org> wrote:

> Hey folks,
> 
> TL;DR - If you have opinions one way or another about having a Coverity instance available for WebKit developers, please respond to this message.
> 
> 
> Coverity is a static analysis tool [1] which scans source code and reports defects in the code.  We've been using Coverity to find defects in Chrome for a while now, and though there is sometimes a bit of subjectivity involved in the defect types (e.g. whether a return value should be checked), the signal is generally high.
> 
> Off the top of my head, the following are the defects I spend most of my time fixing:
> * Uninitialized variables (including member variables).
>   - Chrome has had at least 4 crash fixes in the past few months due to this defect (which were caught by Coverity).
> * Passing large parameters by value.
>   - Generally a trivial fix.  I don't have performance data to say what effect fixing these has, but 'death by a thousand cuts' eh?
> * Forward/Reverse/I - Nulls.
>   - Coverity is very good at understanding when a value is NULL and the tool will tell you which code paths are using a NULL value.
> * Tons of security issue-causing defects.
> 
> 
> I'd like to propose adding a Coverity instance for the WebKit community, but I want to make sure there's general support before writing up the detailed proposal.
> 
> A few details:
> * Google will front the cost of the license (non-zero...very far from zero) and the infrastructure.
> * I'd leave it up to the WebKit leadership to decide who has access (most likely limited to WebKit committers for security purposes).
> 
> The biggest rationale is to provide a strong defect signal for the entire WebKit community, which would directly impact the success of all WebKit-based projects.  Coverity has provided free licenses for unsponsored (by larger corporations anyway) open-source projects; this has resulted in significant improvements [2] to the code bases of these projects, one of which I was directly involved with years ago (Wine).
> 
> Let me know if you love the idea or hate it.
> 
> Thanks,
> James
> 
> 
> [1] http://www.coverity.com/products/static-analysis.html
> [2] http://softwareintegrity.coverity.com/coverity-scan-2011-open-source-integrity-report-registration.html - registration required now :(