[webkit-dev] Pre-proposal: Adding a Coverity instance for WebKit

Nico Weber thakis at chromium.org
Mon Sep 17 18:21:47 PDT 2012

On Tue, Sep 18, 2012 at 8:11 AM, James Hawkins <jhawkins at chromium.org> wrote:
> Hey folks,
> TL;DR - If you have opinions one way or another about having a Coverity
> instance available for WebKit developers, please respond to this message.

I don't have an opinion, but:

> Coverity is a static analysis tool [1] which scans source code and reports
> defects in the code.  We've been using Coverity to find defects in Chrome
> for a while now, and though there is sometimes a bit of subjectivity
> involved in the defect types (e.g. whether a return value should be
> checked), the signal is generally high.
> Off the top of my head, the following are the defects I spend most of my
> time fixing:
> * Uninitialized variables (including member variables).
>   - Chrome has had at least 4 crash fixes in the past few months due to this
> defect (which were caught by Coverity).

This sounds very useful. Do you know how this is done? If you have a
class whose constructor calls a clear() function which sets all
variables, will it warn about the constructor not initializing all
members? If so, how do you suppress the warning in this case?

(There was a thread on the clang mailing list on having a warning like
this, and we couldn't come up with a good way to handle this case.)

> * Passing large parameters by value.
>   - Generally a trivial fix.  I don't have performance data to say what
> effect fixing these has, but 'death by a thousand cuts' eh?

I have seen at least three crashes in the last few months that were
caused by changes to fix this warning (something that used to be a
copied object became a dangling reference). I'm not sure this warning
is worth it.

> * Forward/Reverse/I - Nulls.
>   - Coverity is very good at understanding when a value is NULL and the tool
> will tell you which code paths are using a NULL value.
> * Tons of security issue-causing defects.
> I'd like to propose adding a Coverity instance for the WebKit community, but
> I want to make sure there's general support before writing up the detailed
> proposal.
> A few details:
> * Google will front the cost of the license (non-zero...very far from zero)
> and the infrastructure.
> * I'd leave it up to the WebKit leadership to decide who has access (most
> likely limited to WebKit committers for security purposes).
> The biggest rationale is to provide a strong defect signal for the entire
> WebKit community, which would directly impact the success of all
> WebKit-based projects.  Coverity has provided free licenses for unsponsored
> (by larger corporations anyway) open-source projects; this has resulted in
> significant improvements [2] to the code bases of these projects, one of
> which I was directly involved with years ago (Wine).
> Let me know if you love the idea or hate it.
> Thanks,
> James
> [1] http://www.coverity.com/products/static-analysis.html
> [2] http://softwareintegrity.coverity.com/coverity-scan-2011-open-source-integrity-report-registration.html
> (registration required now :( )
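The failure mode Nico describes (a pass-by-value parameter turned into a reference, and the copied object becoming a dangling reference), as an added C++ example that is not code from the thread, from WebKit or from Chromium. The holder classes, their names and the std::string member are hypothetical; the point is the three shapes a "fix" for the pass-by-value warning can take and which one couples the object's lifetime to its argument.

```cpp
#include <string>

// Added example (not from the thread or WebKit). The original, "wasteful"
// shape that a pass-large-parameter-by-value checker flags: the parameter
// is copied in, and the copy is what the object keeps. Safe; it just costs
// an extra copy.
struct HolderByValue {
    explicit HolderByValue(std::string name) : name_(name) {}
    const std::string& name() const { return name_; }
private:
    std::string name_;
};

// The mechanical fix: take a const reference. This is correct as long as
// the member is still a copy owned by the object.
struct HolderCopiesRef {
    explicit HolderCopiesRef(const std::string& name) : name_(name) {}
    const std::string& name() const { return name_; }
private:
    std::string name_;   // still owns its own copy
};

// The wrong fix: the member is changed to a reference as well. The object
// now aliases the caller's string and dangles the moment that string is
// destroyed (a temporary argument, or a local that goes out of scope first).
struct HolderKeepsRef {
    explicit HolderKeepsRef(const std::string& name) : name_(name) {}
    const std::string& name() const { return name_; }
private:
    const std::string& name_;   // lifetime coupled to the argument
};

// Shows the aliasing that precedes the dangling reference: mutate the
// source after construction and see which holder observes the change.
// Reading through a dangling reference is undefined behaviour, so the
// demonstration stays inside the argument's lifetime. Returns true when
// HolderKeepsRef follows the mutation and the two owning holders do not.
bool demonstrateAliasing() {
    std::string source = "first";   // constructed sample input
    HolderByValue byValue(source);
    HolderCopiesRef copiesRef(source);
    HolderKeepsRef keepsRef(source);

    source = "second";   // source is still alive, so this is well-defined

    bool ownersUnchanged = byValue.name() == "first" && copiesRef.name() == "first";
    bool aliasFollowed = keepsRef.name() == "second";
    return ownersUnchanged && aliasFollowed;
}

// The crash shape itself (deliberately not executed): the local dies when
// the function returns, and any later keepsRef.name() reads freed storage.
// AddressSanitizer (-fsanitize=address) reports such a read at runtime;
// a static checker sees only a warning-free const-reference parameter.
/*
HolderKeepsRef makeDangling() {
    std::string local = "short-lived";
    return HolderKeepsRef(local);   // local destroyed on return
}
*/

int main() { return demonstrateAliasing() ? 0 : 1; }
```

The practical check when converting a by-value parameter to a const reference is to confirm that nothing stores the reference (member, container, lambda capture, or a callback that outlives the call); if it does, the member must stay a copy, as in HolderCopiesRef.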