20120228

Meeting started by mmrazik at 15:31:46 UTC. The full logs are available at http://ubottu.com/meetingology/logs/ubuntu-meeting/2012/ubuntu-meeting.2012-02-28-15.31.log.html .

Meeting summary

  • Static Code Analysis (Coverity)

    LINK: https://wiki.ubuntu.com/CanonicalProductStrategy/Coverity (alesage, 15:35:09)
    LINK: https://wiki.ubuntu.com/CoverityCheckerDictionary (alesage, 15:38:52)
    LINK: https://bugs.launchpad.net/~coverity-uploader (alesage, 15:46:00)
    LINK: https://bugs.launchpad.net/bamf/+bug/937402 (alesage, 15:48:13)
    LINK: https://bugs.launchpad.net/libindicator/+bug/937387 (alesage, 15:51:09)

Meeting ended at 15:59:52 UTC.

Votes

Action items

  • (none)

People present (lines said)

  • alesage (55)
  • mmrazik (12)
  • gema_ (6)
  • meetingology (3)
  • ubottu (2)

Full Log

  • 15:31:46 <mmrazik> #startmeeting

    15:31:46 <meetingology> Meeting started Tue Feb 28 15:31:46 2012 UTC. The chair is mmrazik. Information about MeetBot at http://wiki.ubuntu.com/meetingology.

    15:31:46 <meetingology>

    15:31:46 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired

    15:32:07 <mmrazik> let's wait for a minute or so

    15:32:58 <mmrazik> the only topic today is a short talk about Static Code Analysis and what we do in Canonical with Unity et al

    15:33:03 <mmrazik> [TOPIC] Static Code Analysis (Coverity)

    15:33:19 <mmrazik> alesage: I think we can start

    15:33:59 <alesage> ok thanks mmrazik

    15:34:20 <alesage> so this will be a short chat about our use of Coverity

    15:34:35 <alesage> which is a static analyzer

    15:35:02 <alesage> here's our wiki page for our Coverity integration project:

    15:35:09 <alesage> https://wiki.ubuntu.com/CanonicalProductStrategy/Coverity

    15:35:35 <alesage> and here's a link to the company's site: http://coverity.com/products/static-analysis.html

    15:36:01 <alesage> we're using static analysis as a means to improve quality:

    15:36:52 <alesage> the idea behind "static analysis" is kind-of a step further than what a compiler offers your C/C++/Java/etc. code

    15:37:24 <alesage> in the case of Coverity, for example, the static analyzer sits on GCC and finds bugs in our code

    15:37:54 <alesage> by producing 'models' of the execution--

    15:38:13 <alesage> specifically by running 'checkers', which find common (or not so common ;) ) errors

    15:38:36 <alesage> I'll link to a list of these checkers . . .

    15:38:52 <alesage> https://wiki.ubuntu.com/CoverityCheckerDictionary

    15:39:20 <alesage> so taking DIVIDE_BY_ZERO as an example,

    15:39:54 <alesage> here's a condition that might take an exceptional condition to encounter in production, e.g.

    15:40:34 <alesage> but Coverity finds this using its sophisticated analysis

    15:41:14 <alesage> so we wanted to add this to our process for developing Ubuntu

    15:41:32 <alesage> at the moment our licensing covers everything that's a dependency of Unity

    15:42:02 <alesage> and there's talk about expanding--we'll see how the evaluation goes

    15:42:10 <alesage> are there any questions at this point?

    15:42:34 <gema_> o/

    15:42:46 <alesage> I have to thank tvoss for this link, meanwhile: http://drdobbs.com/open-source/232601492

    15:42:51 <alesage> gema_, go ahead

    15:42:52 <gema_> alesage: are you raising bugs as you find them? are you getting a lot of false positives?

    15:43:08 <alesage> gema_ excellent question

    15:43:19 <alesage> so my part of the project has been a "syncing" tool

    15:43:28 <alesage> which submits bugs to Launchpad when these defects are found

    15:43:37 <gema_> automatically?

    15:43:47 <alesage> automatically--

    15:43:53 <gema_> agreed :)

    15:44:06 <alesage> the scanner is run as part of a Jenkins/Continuous Integration process

    15:44:22 <alesage> so when we get a build, the scanner runs and finds its Coverity defects,

    15:44:38 <alesage> and then a little Python script interprets these and submits them to Launchpad

    15:44:51 <alesage> where they enter the normal Ubuntu developer workflow

    15:45:00 <alesage> let me get the link for some existing bugs . . .

    15:46:00 <alesage> https://bugs.launchpad.net/~coverity-uploader

    15:46:33 <alesage> so we haven't found a full set as yet, and it's still too early to show our 'defect density' (ref. the link above)

    15:47:00 <alesage> and gema_ as this is still an informal process I'm not aware of complaints about false positives

    15:47:19 <gema_> alesage: I am very impressed, looks pretty good

    15:47:21 <mmrazik> this is up and running for about a week

    15:47:41 <mmrazik> after some time we might want to do some queries and get the % of invalid bugs or something like that

    15:47:42 <alesage> gema_ yeah it's fun to go through the defects

    15:47:50 <mmrazik> that should give us some idea about the false positives

    15:47:57 <gema_> mmrazik: ack

    15:48:12 <alesage> let's take an example

    15:48:13 <alesage> https://bugs.launchpad.net/bamf/+bug/937402

    15:48:14 <ubottu> Launchpad bug 937402 in BAMF trunk "Coverity UNINIT - CID 10451" [Low,Triaged]

    15:48:40 <alesage> so here's an uninitialized variable somewhere deep in bamf

    15:49:06 <alesage> you see that you get a little code snippet in the bug body there

    15:49:19 <alesage> and also an attachment with a prettier rendering of the source code

    15:50:12 <alesage> Coverity offers a more sophisticated product called the "Integrity Manager"

    15:50:37 <alesage> most of the features of which this 'syncer' is offering to Launchpad users

    15:50:58 <alesage> one more interesting case:

    15:51:09 <alesage> https://bugs.launchpad.net/libindicator/+bug/937387

    15:51:11 <ubottu> Launchpad bug 937387 in libindicator "Coverity PW.USELESS_TYPE_QUALIFIER_ON_RETURN_TYPE - CID 10617" [High,Fix committed]

    15:51:47 <alesage> here's a case in which Coverity has found the same defect in multiple projects

    15:52:06 <alesage> in this case the root of the problem is in libindicator

    15:52:26 <alesage> and ted has tackled and ably squashed the bug

    15:53:16 <alesage> but note that Coverity's tracking of defects enables us to keep the defects in one place, as one Launchpad bug

    15:53:40 <alesage> any questions at this point?

    15:55:48 <alesage> so honestly this is my first encounter with static analysis

    15:56:44 <alesage> do people have more extensive experience with this, or with Coverity itself?

    15:58:33 <alesage> so we'll have some metrics to offer in our Quality Hour blog at some point in the future

    15:58:39 <alesage> please stay tuned :)

    15:58:53 <alesage> and feel free to follow up with me for questions anytime

    15:59:09 <alesage> thanks all--anything else mmrazik?

    15:59:18 <mmrazik> any last questions?

    15:59:42 <mmrazik> in that case -- thank you for the meeting and let's meet in a month :)

    15:59:44 <mmrazik> bb

    15:59:52 <mmrazik> #endmeeting

Generated by MeetBot 0.1.5 (http://wiki.ubuntu.com/meetingology)

PSQATeam/Meetings/PSQA/20120228 (last edited 2012-03-26 14:54:47 by ip-89-103-229-44)