Re: Coverity Open Source Defect Scan of PostgreSQL

On Mon, 2006-03-06 at 11:55 -0300, Alvaro Herrera wrote:
> AFAIR they got a private scan done and they fixed the reported defects.

Indeed: EnterpriseDB paid for a license for the Coverity static analysis
tool, and then ran that tool on the open-source Postgres tree. One of
their engineers then worked with me to get a bunch of patches committed
to fix the issues the tool identified -- e.g.

http://archives.postgresql.org/pgsql-committers/2005-06/msg00428.php
http://archives.postgresql.org/pgsql-committers/2005-06/msg00314.php
http://archives.postgresql.org/pgsql-committers/2005-06/msg00315.php
http://archives.postgresql.org/pgsql-committers/2005-06/msg00298.php

The tool found a few significant bugs, but most of the fixes were
somewhat cosmetic. (Perhaps one reason for this is that the Stanford
checker was run on an earlier version of PostgreSQL by some grad
students at Stanford, who submitted patches / bug reports for the more
serious issues they found.)

I'm a bit surprised to see that there are ~300 unfixed defects: AFAIR I
fixed all the issues the EDB guys passed on to me, with the exception of
some false positives and a handful of minor issues in ECPG that I
couldn't be bothered fixing (frankly I would rather not touch the ECPG
code). I've requested access to the Coverity results -- I'll be curious
to see if we can get any more useful fixes from the tool.

-Neil