Coverity Scan, Python upgraded to rung 2
I read the announcement of the Python Users list and figured out that some of the other core developers might be interested in the news, too.
Among other projects Python was upgraded to Rung 2 on the Coverity Scan list: http://scan.coverity.com/
Christian
Christian> I read the announcement of the Python Users list and figured out that some of the other core developers might be interested in the news, too.
Christian> Among other projects Python was upgraded to Rung 2 on the Coverity Scan list: http://scan.coverity.com/
I went to the rung2 page:
http://scan.coverity.com/rung2.html
It shows 6 uninspected defects for Python. How do we see what they are? What is an uninspected defect? Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?
Skip
skip@pobox.com wrote:
It shows 6 uninspected defects for Python. How do we see what they are?
What is an uninspected defect? Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?
I can't answer your question. I don't have access to the Python project on their site and the project is currently under maintenance. Maybe Neal can shed some light on the Coverity Scan project.
Christian
On Jan 9, 2008 9:47 AM, Christian Heimes <lists@cheimes.de> wrote:
skip@pobox.com wrote:
It shows 6 uninspected defects for Python. How do we see what they are?
What is an uninspected defect? Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?
I can't answer your question. I don't have access to the Python project on their site and the project is currently under maintenance. Maybe Neal can shed some light on the Coverity Scan project.
I'm pretty sure I have an account and I can't get in either. I have contacted coverity asking if they can give accounts to other core developers besides Neal and myself.
--
--Guido van Rossum (home page: http://www.python.org/~guido/)
Guido van Rossum wrote:
On Jan 9, 2008 9:47 AM, Christian Heimes <lists@cheimes.de> wrote:
skip@pobox.com wrote:
It shows 6 uninspected defects for Python. How do we see what they are?
What is an uninspected defect? Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?
I can't answer your question. I don't have access to the Python project on their site and the project is currently under maintenance. Maybe Neal can shed some light on the Coverity Scan project.
I'm pretty sure I have an account and I can't get in either. I have contacted coverity asking if they can give accounts to other core developers besides Neal and myself.
As I said in the other reply, I can still login on this page:
http://scan.coverity.com:7475/
It looks like about 20 users are registered; if wanted I can post the list here.
Thomas
skip@pobox.com wrote:
Christian> I read the announcement of the Python Users list and figured out that some of the other core developers might be interested in the news, too.
Christian> Among other projects Python was upgraded to Rung 2 on the Coverity Scan list: http://scan.coverity.com/
I went to the rung2 page:
On this page, when I click the 'sign in' link, I see the page http://scan.coverity.com/maintenance.html which says:
"""
Scan administrators are performing maintenance on the selected project. Normally, project members will have received notification in advance of any lengthy unavailability of their project.
Please try again later, or contact scan-admin@coverity.com with any questions.
Return to Main Page
"""
Could it be that they were a little bit early with the press release, and the rung2 scanner is not yet active?
It shows 6 uninspected defects for Python. How do we see what they are? What is an uninspected defect? Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?
Seems they are referring to the results of the rung 1 run (whatever 'rung' means ;-). With the account Neal made me some months ago, I can login on this page:
http://scan.coverity.com:7475/
and see the scan results for Python.
Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked "uninspected", 3 marked "pending", and 2 marked "bug".
Thomas
Thomas Heller wrote:
Seems they are referring to the results of the rung 1 run (whatever 'rung' means ;-). With the account Neal made me some months ago, I can login on this page:
http://scan.coverity.com:7475/
and see the scan results for Python.
Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked "uninspected", 3 marked "pending", and 2 marked "bug".
My dict says: rung (of a ladder) - Leitersprossen
Python has climbed up one step (or rung) of the ladder.
Do you have the required permission to add more users to the site?
Christian
Christian Heimes wrote:
Thomas Heller wrote:
Seems they are referring to the results of the rung 1 run (whatever 'rung' means ;-). With the account Neal made me some months ago, I can login on this page:
http://scan.coverity.com:7475/
and see the scan results for Python.
Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked "uninspected", 3 marked "pending", and 2 marked "bug".
My dict says: rung (of a ladder)- Leitersprossen
Python has climbed up one step (or rung) of the ladder.
Thanks. I was too lazy to fire up dict.leo.org ;-)
Do you have the required permission to add more users to the site?
No, I can only view the results (and add comments or so...).
Thomas
On Jan 9, 2008 1:12 PM, Christian Heimes <lists@cheimes.de> wrote:
Thomas Heller wrote:
Seems they are referring to the results of the rung 1 run (whatever 'rung' means ;-). With the account Neal made me some months ago, I can login on this page:
http://scan.coverity.com:7475/
and see the scan results for Python.
Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked "uninspected", 3 marked "pending", and 2 marked "bug".
My dict says: rung (of a ladder)- Leitersprossen
Python has climbed up one step (or rung) of the ladder.
They botched the link where it says Sign in. Use the link Thomas posted, i.e.:
http://scan.coverity.com:7475/
That will show you the results from the latest coverity checker.
Do you have the required permission to add more users to the site?
I think only Coverity can add people. You can send them a message if you would like to be added: scan-admin@coverity.com. Or you can send mail to me and I can forward along all the people that would like to be added.
I'll wait a few days to collect names so I can batch up the request.
n
Neal Norwitz wrote:
I think only Coverity can add people. You can send them a message if you would like to be added: scan-admin@coverity.com. Or you can send mail to me and I can forward along all the people that would like to be added.
I'll wait a few days to collect names so I can batch up the request.
Count me in!
Christian
I am not a developer but I'm interested in browsing it. Is it possible to be added?
On Jan 10, 2008 10:57 AM, Christian Heimes <lists@cheimes.de> wrote:
Neal Norwitz wrote:
I think only Coverity can add people. You can send them a message if you would like to be added: scan-admin@coverity.com. Or you can send mail to me and I can forward along all the people that would like to be added.
I'll wait a few days to collect names so I can batch up the request.
Count me in!
Christian
_______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/josepharmbruster%40gmail.c...
On Jan 10, 2008 8:01 AM, Joseph Armbruster <josepharmbruster@gmail.com> wrote:
I am not a developer but I'm interested in browsing it. Is it possible to be added?
Yes, I've added you to the list. I'll probably send the list off tomorrow, so let me know if you would like to be added.
n
On Jan 10, 2008 10:57 AM, Christian Heimes <lists@cheimes.de> wrote:
Neal Norwitz wrote:
I think only Coverity can add people. You can send them a message if you would like to be added: scan-admin@coverity.com. Or you can send mail to me and I can forward along all the people that would like to be added.
I'll wait a few days to collect names so I can batch up the request.
Count me in!
Christian
On Jan 9, 2008 9:08 AM, <skip@pobox.com> wrote:
Christian> I read the announcement of the Python Users list and figured out that some of the other core developers might be interested in the news, too.
Christian> Among other projects Python was upgraded to Rung 2 on the Coverity Scan list: http://scan.coverity.com/
I went to the rung2 page:
http://scan.coverity.com/rung2.html
It shows 6 uninspected defects for Python. How do we see what they are? What is an uninspected defect? Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?
The 6 have been inspected by me and I never came to a conclusion of whether they were a problem or not. There are 3 things which should be fixed and I haven't gotten around to them. They are not a big deal:
    Python/traceback.c line 177
    Objects/codeobject.c line 322
    Modules/mmapmodule.c line 1080
For traceback.c, namebuf defined on line 155 should be moved out one block since filename is an alias to namebuf and it is used outside the current scope. I think this is unlikely to be a problem in practice, but is technically wrong and should be fixed.
For codeobject.c, line 327 should not be reachable. I kinda like the code as it is even though it is currently dead. I never decided if I wanted to change that or suppress the warning.
For mmapmodule.c, fd should be checked for -1 before calling stat on line 1064.
The rest were not obvious problems to me, and I never returned to them.
n
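Added example, not part of the thread and not CPython's source: the traceback.c finding described above, reduced to a constructed function. The names format_location, NAMEBUF_LEN, dir and needs_prefix are hypothetical; only namebuf and filename come from the message.

```c
#include <stdio.h>
#include <string.h>

#define NAMEBUF_LEN 256   /* hypothetical stand-in for the real buffer size */

/* Flagged shape, shown as a comment because executing it is undefined
 * behaviour (the alias outlives the array it points to):
 *
 *     const char *filename = name;
 *     if (needs_prefix) {
 *         char namebuf[NAMEBUF_LEN];     // lifetime ends at the closing brace
 *         snprintf(namebuf, sizeof namebuf, "%s/%s", dir, name);
 *         filename = namebuf;            // alias escapes the block
 *     }
 *     snprintf(out, outlen, "File \"%s\"", filename);   // dangling read
 */

/* Fixed shape: namebuf is declared one block out, so it stays alive for
 * every later use of filename. Returns the number of characters written
 * to out, or -1 if either buffer would be truncated. */
int format_location(const char *dir, const char *name, int needs_prefix,
                    char *out, size_t outlen)
{
    char namebuf[NAMEBUF_LEN];
    const char *filename = name;
    int n;

    if (needs_prefix) {
        n = snprintf(namebuf, sizeof namebuf, "%s/%s", dir, name);
        if (n < 0 || (size_t)n >= sizeof namebuf)
            return -1;
        filename = namebuf;
    }
    n = snprintf(out, outlen, "File \"%s\"", filename);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char out[64];
    if (format_location("lib", "a.py", 1, out, sizeof out) > 0)
        puts(out);
    return 0;
}
```

The cost of the fix is that the buffer is reserved on the stack even when the branch is not taken.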
On Wed, Jan 09, 2008 at 09:11:21PM -0800, Neal Norwitz wrote:
For mmapmodule.c, fd should be checked for -1 before calling stat on line 1064.
On looking at this, it doesn't seem like an actual problem. fstat(-1, ...) returns a -1 and errno is set to EBADF, 'bad file descriptor'.

    /* on OpenVMS we must ensure that all bytes are written to the file */
    fsync(fd);
    # endif
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
    ...

In rev. 59888, I've added 'fd != -1' to the 'if' just to save a pointless fstat() call, and made the OpenVMS fsync() call similarly conditional, but I don't think this item is a bug, much less a security bug. I won't bother backporting this to 25-maint, unless asked to do so by the 2.5 maintainer.
--amk
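Added example, not part of the thread and not the mmapmodule.c source: a small POSIX program that checks the behaviour discussed above, comparing the condition with and without the 'fd != -1' guard. The helper names and the temporary file path are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Shape of the check before the change: fstat() itself rejects fd == -1. */
int is_regular_unguarded(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISREG(st.st_mode);
}

/* Shape after the change: fd != -1 short-circuits before the system call. */
int is_regular_guarded(int fd)
{
    struct stat st;
    return fd != -1 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode);
}

/* Returns 0 if fstat(fd) succeeds, otherwise the errno it set. */
int fstat_errno(int fd)
{
    struct stat st;
    errno = 0;
    return fstat(fd, &st) == 0 ? 0 : errno;
}

/* Constructed sample input: an already-unlinked temporary regular file. */
int open_temp_regular(void)
{
    char path[] = "/tmp/fstat_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd != -1)
        unlink(path);
    return fd;
}

int main(void)
{
    int fd = open_temp_regular();
    printf("fd=-1: errno=%d (EBADF=%d) unguarded=%d guarded=%d\n",
           fstat_errno(-1), EBADF,
           is_regular_unguarded(-1), is_regular_guarded(-1));
    printf("regular file: unguarded=%d guarded=%d\n",
           is_regular_unguarded(fd), is_regular_guarded(fd));
    if (fd != -1)
        close(fd);
    return 0;
}
```

Both forms give the same answer for every descriptor; the guard only avoids one system call when fd is -1.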
Neal Norwitz wrote:
For traceback.c, namebuf defined on line 155 should be moved out one block since filename is an alias to namebuf and it is used outside the current scope. I think this is unlikely to be a problem in practice, but is technically wrong and should be fixed.
Agreed, the early allocation of a few hundred bytes on the stack won't kill us.
For codeobject.c, line 327 should not be reachable. I kinda like the code as it is even though it is currently dead. I never decided if I wanted to change that or suppress the warning.
Please suppress the warning. I removed the last two lines and GCC complained "control reaches end of non-void function". It's not clever enough to understand that cmp can never be 0.
For mmapmodule.c, fd should be checked for -1 before calling stat on line 1064.
    if (fd != -1 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
Christian
On Jan 9, 2008 9:08 AM, <skip@pobox.com> wrote:
I went to the rung2 page:
http://scan.coverity.com/rung2.html
It shows 6 uninspected defects for Python. How do we see what they are? What is an uninspected defect? Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?
Sorry, I forgot to answer the second part of your question. I have no idea how they compute Defects/KLOC. But the data is very old so I wouldn't worry about what that says. The most recent run has 286622 lines in 602 files. I already mentioned the 3 defects that should be fixed. Not sure what to do about the rest.
n
participants (7)
- A.M. Kuchling
- Christian Heimes
- Guido van Rossum
- Joseph Armbruster
- Neal Norwitz
- skip@pobox.com
- Thomas Heller