#title #ubuntu-meeting Meeting

Meeting started by mmrazik at 15:31:46 UTC. The full logs are available at http://ubottu.com/meetingology/logs/ubuntu-meeting/2012/ubuntu-meeting.2012-02-28-15.31.log.html .

== Meeting summary ==

 *Static Code Analysis (Coverity)
  ''LINK:'' https://wiki.ubuntu.com/CanonicalProductStrategy/Coverity (alesage, 15:35:09)
  ''LINK:'' https://wiki.ubuntu.com/CoverityCheckerDictionary (alesage, 15:38:52)
  ''LINK:'' https://bugs.launchpad.net/~coverity-uploader (alesage, 15:46:00)
  ''LINK:'' https://bugs.launchpad.net/bamf/+bug/937402 (alesage, 15:48:13)
  ''LINK:'' https://bugs.launchpad.net/libindicator/+bug/937387 (alesage, 15:51:09)

Meeting ended at 15:59:52 UTC.

== Votes ==

== Action items ==

 * (none)

== People present (lines said) ==

 * alesage (55)
 * mmrazik (12)
 * gema_ (6)
 * meetingology (3)
 * ubottu (2)

== Full Log ==

15:31:46 #startmeeting
15:31:46 Meeting started Tue Feb 28 15:31:46 2012 UTC. The chair is mmrazik. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
15:31:46
15:31:46 Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
15:32:07 let's wait for a minute or so
15:32:58 the only topic today is a short talk about Static Code Analysis and what we do in Canonical with Unity et al
15:33:03 [TOPIC] Static Code Analysis (Coverity)
15:33:19 alesage: I think we can start
15:33:59 ok thanks mmrazik
15:34:20 so this will be a short chat about our use of Coverity
15:34:35 which is a static analyzer
15:35:02 here's our wiki page for our Coverity integration project:
15:35:09 https://wiki.ubuntu.com/CanonicalProductStrategy/Coverity
15:35:35 and here's a link to the company's site: http://coverity.com/products/static-analysis.html
15:36:01 we're using static analysis as a means to improve quality:
15:36:52 the idea behind "static analysis" is kind-of a step further than what a compiler offers your C/C++/Java/etc. code
15:37:24 in the case of Coverity, for example, the static analyzer sits on GCC and finds bugs in our code
15:37:54 by producing 'models' of the execution--
15:38:13 specifically by running 'checkers', which find common (or not so common ;) ) errors
15:38:36 I'll link to a list of these checkers . . .
15:38:52 https://wiki.ubuntu.com/CoverityCheckerDictionary
15:39:20 so taking DIVIDE_BY_ZERO as an example,
15:39:54 here's a condition that might take an exceptional condition to encounter in production, e.g.
15:40:34 but Coverity finds this using its sophisticated analysis
15:41:14 so we wanted to add this to our process for developing Ubuntu
15:41:32 at the moment our licensing covers everything that's a dependency of Unity
15:42:02 and there's talk about expanding--we'll see how the evaluation goes
15:42:10 are there any questions at this point?
15:42:34 o/
15:42:46 I have to thank tvoss for this link, meanwhile: http://drdobbs.com/open-source/232601492
15:42:51 gema_, go ahead
15:42:52 alesage: are you raising bugs as you find them? are you getting a lot of false positives?
15:43:08 gema_ excellent question
15:43:19 so my part of the project has been a "syncing" tool
15:43:28 which submits bugs to Launchpad when these defects are found
15:43:37 automatically?
15:43:47 automatically--
15:43:53 agreed :)
15:44:06 the scanner is run as part of a Jenkins/Continuous Integration process
15:44:22 so when we get a build, the scanner runs and finds its Coverity defects,
15:44:38 and then a little Python script interprets these and submits them to Launchpad
15:44:51 where they enter the normal Ubuntu developer workflow
15:45:00 let me get the link for some existing bugs . . .
15:46:00 https://bugs.launchpad.net/~coverity-uploader
15:46:33 so we haven't found a full set as yet, and it's still too early to show our 'defect density' (ref. the link above)
15:47:00 and gema_ as this is still an informal process I'm not aware of complaints about false positives
15:47:19 alesage: I am very impressed, looks pretty good
15:47:21 this is up and running for about a week
15:47:41 after some time we might want to do some queries and get the % of invalid bugs or something like that
15:47:42 gema_ yeah it's fun to go through the defects
15:47:50 that should give us some idea about the false positives
15:47:57 mmrazik: ack
15:48:12 let's take an example
15:48:13 https://bugs.launchpad.net/bamf/+bug/937402
15:48:14 Launchpad bug 937402 in BAMF trunk "Coverity UNINIT - CID 10451" [Low,Triaged]
15:48:40 so here's an uninitialized variable somewhere deep in bamf
15:49:06 you see that you get a little code snippet in the bug body there
15:49:19 and also an attachment with a prettier rendering of the source code
15:50:12 Coverity offers a more sophisticated product called the "Integrity Manager"
15:50:37 most of the features of which this 'syncer' is offering to Launchpad users
15:50:58 one more interesting case:
15:51:09 https://bugs.launchpad.net/libindicator/+bug/937387
15:51:11 Launchpad bug 937387 in libindicator "Coverity PW.USELESS_TYPE_QUALIFIER_ON_RETURN_TYPE - CID 10617" [High,Fix committed]
15:51:47 here's a case in which Coverity has found the same defect in multiple projects
15:52:06 in this case the root of the problem is in libindicator
15:52:26 and ted has tackled and ably squashed the bug
15:53:16 but note that Coverity's tracking of defects enables us to keep the defects in one place, as one Launchpad bug
15:53:40 any questions at this point?
15:55:48 so honestly this is my first encounter with static analysis
15:56:44 do people have more extensive experience with this, or with Coverity itself?
15:58:33 so we'll have some metrics to offer in our Quality Hour blog at some point in the future
15:58:39 please stay tuned :)
15:58:53 and feel free to follow up with me for questions anytime
15:59:09 thanks all--anything else mmrazik?
15:59:18 any last questions?
15:59:42 in that case -- thank you for the meeting and let's meet in a month :)
15:59:44 bb
15:59:52 #endmeeting

Generated by MeetBot 0.1.5 (http://wiki.ubuntu.com/meetingology)