Coverity Scan

Discussion of chess software programming and technical issues.

Moderators: hgm, Harvey Williamson, bob

jdart
Posts: 3787
Joined: Fri Mar 10, 2006 4:23 am
Location: http://www.arasanchess.org

Coverity Scan

Post by jdart » Thu Jul 25, 2019 1:24 am

I have mentioned this before but there is a free (for open source) code static analysis website: https://scan.coverity.com/. This was broken for a while but they have since fixed it. It will scan your code (C/C++/Java/Ruby/Javascript/C#/Python) and report possible bugs.

--Jon

flok
Posts: 156
Joined: Tue Jul 03, 2018 8:19 am
Full name: Folkert van Heusden

Re: Coverity Scan

Post by flok » Thu Jul 25, 2019 5:09 am

jdart wrote:
Thu Jul 25, 2019 1:24 am
I have mentioned this before but there is a free (for open source) code static analysis website: https://scan.coverity.com/. This was broken for a while but they have since fixed it. It will scan your code (C/C++/Java/Ruby/Javascript/C#/Python) and report possible bugs.

--Jon
FWIW: it looks like C++17 still gives problems, but with C++11 and below you'll be fine.
www.vanheusden.com: Micah / Embla / PuppetMaster / DeepBrutePos / Pos / Feeks

elcabesa
Posts: 806
Joined: Sun May 23, 2010 11:32 am

Re: Coverity Scan

Post by elcabesa » Thu Jul 25, 2019 2:31 pm

Coverity searches for security vulnerabilities in your code. I have found greater benefits using Codacy or its backend, cppcheck.

flok
Posts: 156
Joined: Tue Jul 03, 2018 8:19 am
Full name: Folkert van Heusden

Re: Coverity Scan

Post by flok » Thu Jul 25, 2019 3:58 pm

elcabesa wrote:
Thu Jul 25, 2019 2:31 pm
Coverity searches for security vulnerabilities in your code.
That's not entirely correct.
They also find dead code, null pointer dereferencing and tons of other things.
www.vanheusden.com: Micah / Embla / PuppetMaster / DeepBrutePos / Pos / Feeks

mar
Posts: 1981
Joined: Fri Nov 26, 2010 1:00 pm
Location: Czech Republic
Full name: Martin Sedlak

Re: Coverity Scan

Post by mar » Thu Jul 25, 2019 5:29 pm

There is also PVS studio which can be used in open-source and personal projects:
https://www.viva64.com/en/b/0457/

It's hands down the best static analysis tool out there, very low amount of false positives and also very fast and very high bug detection rate.

They also had a product called CppCat some time ago (now canceled) which I was really happy with.

I remember Coverity from my previous job, but it produced way too many FPs for my taste.
CppCheck is even worse, unfortunately, so many FPs or annoying warnings, that it's basically unusable for me.

Static analysis should help you find bugs, not force you to code around false positives. The latter is just a waste of time.

I rely more on compiler warnings these days; I just try to compile with different compilers now and then (msc, gcc and clang).
Martin Sedlak

JohnWoe
Posts: 73
Joined: Sat Mar 02, 2013 10:31 pm

Re: Coverity Scan

Post by JohnWoe » Thu Jul 25, 2019 10:57 pm

I used valgrind to check Sapeli 1.34. Found out it reported 92000+ errors. :P
Pretty easy fix. But these tools are useful. g++ shows lots of warnings. But Sapeli is a C program so those can be ignored.

DustyMonkey
Posts: 43
Joined: Wed Feb 19, 2014 9:11 pm

Re: Coverity Scan

Post by DustyMonkey » Fri Jul 26, 2019 12:08 am

flok wrote:
Thu Jul 25, 2019 3:58 pm
elcabesa wrote:
Thu Jul 25, 2019 2:31 pm
Coverity searches for security vulnerabilities in your code.
That's not entirely correct.
They also find dead code, null pointer dereferencing and tons of other things.
One man's "dead code" is another man's "old version of the eval" or "known to be bug-free alphabeta".

Yes, these are things you wouldn't want in the production source of a team project maintained by source control, but at the same time you would want them to be there in your own single-developer source not maintained by source control.

xr_a_y
Posts: 663
Joined: Sat Nov 25, 2017 1:28 pm
Location: France

Re: Coverity Scan

Post by xr_a_y » Tue Jul 30, 2019 11:12 am

Doesn't clang with -Weverything and a little cppcheck give the same thing?

Anyway, do you know SonarQube?

Sesse
Posts: 179
Joined: Mon Apr 30, 2018 9:51 pm

Re: Coverity Scan

Post by Sesse » Wed Jul 31, 2019 3:15 pm

flok wrote:
Thu Jul 25, 2019 5:09 am
FWIW: it looks like c++17 still gives problems but with c++11 and below you'll be fine.
It has huge problems with C++11, too. E.g., the latest version finally understands lock_guard<T>, but still not unique_lock<T>, so it produces tons of false positives around locking.

I really want to like Coverity. On the surface of it, it sounds like a very useful product. But for me, even after extensive use of various versions of Scan across my code, adding modeling files, annotations, etc., it's pure garbage. 95%+ of the warnings it gives me are false positives, and the rest is nearly always in unit test code where I don't honestly care about memory cleanup and the like. From my git logs, it's found one line of dead code, one 2 kB object that was passed by value and shouldn't have been, and one off-by-one in a memcpy-like thing. Apart from that, well, no. Sorry :-)

(The Scan web interface is utter garbage, too. Super-duper-buggy, to the point where I had to create another account and share my projects with it just to get to view anything at all.)
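Added example, not code from any poster in this thread and not from any engine or tool named here: the defect classes the thread mentions (flok's null pointer dereference and dead code, Sesse's off-by-one in a memcpy-like copy, the 2 kB object passed by value, and the lock_guard/unique_lock modelling gap), each written in plain C++11 with the mistaken bound shown beside the corrected form so a reader can see what an analyser is expected to flag. Every identifier (Board, lookup, bounded_copy, BigTable, Counter) and every sample value is constructed for this example.

```cpp
// Added example: illustrative defect classes and their corrected forms.
// All names and values below are constructed for this example.
#include <cstddef>
#include <cstring>
#include <mutex>
#include <string>

// 1. Null pointer dereference. A lookup that may legitimately return
//    nullptr, followed by a use of the result.
struct Board { int material; };

// Constructed: only slot 0 exists; any other slot yields nullptr.
static const Board* lookup(int slot) {
    static const Board root{42};
    return slot == 0 ? &root : nullptr;
}

// Corrected form. The flagged version is `return lookup(slot)->material;`,
// which dereferences the pointer without checking it.
int material_at(int slot) {
    const Board* b = lookup(slot);
    return b ? b->material : 0;
}

// 2. Off-by-one in a memcpy-like copy into a fixed buffer.
//    The mistaken bound `if (n > dst_size) reject;` lets n == dst_size
//    through, and the terminator write at dst[n] then lands one past the
//    end. The predicate is evaluated here only, never used to copy.
bool off_by_one_bound_accepts(size_t dst_size, size_t n) {
    return !(n > dst_size);
}

// Correct bound: room for n bytes plus the NUL terminator.
bool fixed_bound_accepts(size_t dst_size, size_t n) {
    return n < dst_size;
}

// Copies at most dst_size-1 bytes and always terminates; returns the
// number of bytes copied, or 0 when src does not fit.
size_t bounded_copy(char* dst, size_t dst_size, const char* src, size_t n) {
    if (dst_size == 0 || !fixed_bound_accepts(dst_size, n)) return 0;
    std::memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

// Convenience wrapper: copy into an 8-byte buffer and return the result
// as a std::string ("" when the copy was refused).
std::string copy_into_small_buffer(const char* src, size_t n) {
    char buf[8];
    return bounded_copy(buf, sizeof buf, src, n) ? std::string(buf) : std::string();
}

// 3. Large object passed by value. 512 four-byte ints is 2 KiB; the
//    corrected signature takes a const reference instead of a copy.
struct BigTable { int cells[512]; };

int sum_by_ref(const BigTable& t) {
    long s = 0;
    for (int c : t.cells) s += c;
    return static_cast<int>(s);
}

int sum_of_ones() {
    BigTable t{};
    for (int& c : t.cells) c = 1;
    return sum_by_ref(t);
}

// 4. Locking through std::unique_lock: correct RAII code of the kind the
//    thread reports the analyser does not model (it is said to understand
//    lock_guard but not unique_lock, hence false positives around locking).
class Counter {
public:
    int bump() {
        std::unique_lock<std::mutex> lk(m_);
        return ++value_;            // released on scope exit
    }
private:
    std::mutex m_;
    int value_ = 0;
};

int bump_twice() {
    Counter c;
    c.bump();
    return c.bump();
}
```

The two bound predicates make the off-by-one visible without executing it: the mistaken check accepts n equal to the buffer size, the corrected one does not, and bounded_copy only ever uses the corrected one.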

jdart
Posts: 3787
Joined: Fri Mar 10, 2006 4:23 am
Location: http://www.arasanchess.org

Re: Coverity Scan

Post by jdart » Thu Aug 01, 2019 9:51 pm

I have found Coverity somewhat useful. It does spit out some false positives but I have seen worse. I am reminded of the line that as I remember was in the man page of early versions of lint: "There are some things you cannot get lint to shut up about." There are of course lots of other tools including compiler diagnostics, the MSVC code analyzer, and the clang code checker.

--Jon
