maria-developers team mailing list archive

Re: Coverity scan results

Hi Sergei,

> MySQL was under the Coverity Scan twice (at least twice - that's what
> I personally was involved in). The first report found about 300
> defects, and about 200 of them were false positives, 50 of them were
> real, and others were not in the MySQL code. The second has found only
> about 20 defects, and only because Coverity has implemented new checkers
> since the first scan.
>
> I cannot believe that in the few years since the last report we've
> introduced 1200 new defects.

Even if the tool's true/false positive rate hasn't changed, there are
still four times as many reports.  Perhaps the larger number of
issue reports is due to Coverity's tool having added new analyzers since
it was last used for MySQL.

>
> Okay, you can create an account for me. But it would be better if you
> could find which of those defects are real.

I'm perfectly content to follow the path which you consider to be the
better one: me checking each individual issue reported.  It will take
a long time, but at least I'll learn a lot about the code.

Some of the bugs that Coverity finds will only come up with very
unusual paths through the code.  Coverity now provides a very clear
explanation of how such a path through the code could occur.  When
this happens, as a C++ programmer I find myself well-convinced that
there's a bug.  But, especially as a newbie, it could require many
hours for me to create a test case which actually triggers that bug
during execution.  In such cases, what would be better: report the bug
once I'm personally convinced it's real, or report it only after
I've created a test case which reliably triggers the bug?

Thanks,
Christian
