Re: Coverity Open Source Defect Scan of PostgreSQL

Neil Conway wrote:

>On Mon, 2006-03-06 at 11:55 -0300, Alvaro Herrera wrote:
>
>
>>AFAIR they got a private scan done and they fixed the reported defects.
>>
>>
>
>Indeed: EnterpriseDB paid for a license for the Coverity static analysis
>tool, and then ran that tool on the open-source Postgres tree. One of
>their engineers then worked with me to get a bunch of patches committed
>to fix the issues the tool identified -- e.g.
>
>http://archives.postgresql.org/pgsql-committers/2005-06/msg00428.php
>http://archives.postgresql.org/pgsql-committers/2005-06/msg00314.php
>http://archives.postgresql.org/pgsql-committers/2005-06/msg00315.php
>http://archives.postgresql.org/pgsql-committers/2005-06/msg00298.php
>
>The tool found a few significant bugs, but most of the fixes were
>somewhat cosmetic. (Perhaps one reason for this is that the Stanford
>checker was run on an earlier version of PostgreSQL by some grad
>students at Stanford, who submitted patches / bug reports for the more
>serious issues they found.)
>
>I'm a bit surprised to see that there are ~300 unfixed defects: AFAIR I
>fixed all the issues the EDB guys passed on to me, with the exception of
>some false positives and a handful of minor issues in ECPG that I
>couldn't be bothered fixing (frankly I would rather not touch the ECPG
>code). I've requested access to the Coverity results -- I'll be curious
>to see if we can get any more useful fixes from the tool.
>
>
>

For a short while EDB were pushing their Coverity results up to the
buildfarm server, too. But it didn't last long.

cheers

andrew