+1 I think it would be really good to scan the classlib code. I spent some time last year fixing bugs found by FindBugs, and although a lot of them were minor, there were a handful of quite serious ones that were definitely worth the time spent. There is a fair amount of manual post-evaluation work, but surely it can't hurt to get the report and then fix the issues as and when people have time.

On 10/01/2008, Aleksey Shipilev <[EMAIL PROTECTED]> wrote:
>
> I'm convinced that the more bug reports you have the better, even if
> they are generated by automatic tools like this one - because it's
> always better to know where to go next rather than keeping a false sense
> of complete validity. That means I don't like to think "There are
> enough bugs, don't post anything else". Of course, the evaluation needs
> some human intervention; if not, why are we here? :)
>
> But before obtaining such a list we should express the willingness
> to complete such a scan. For a number of security reasons, Coverity
> accepts such disclaimers only from project developers, probably from
> those who are called "committers" in terms of ASF.
>
> Thanks,
> Aleksey.
>
> On Jan 10, 2008 4:00 PM, Alexei Fedotov <[EMAIL PROTECTED]> wrote:
> > Alexey,
> >
> > Vladimir Nenashev evaluated this and related tools last year. We had
> > experience that bugs found by automatic tools generally require manual
> > post-evaluation, so we decided to delay an application since we had
> > enough bugs to fix at that moment. If one has time to evaluate the
> > Coverity scan results, I believe he is very welcome to apply. This
> > would be an interesting experience, I think. :-)
> >
> > Thanks.
> >
> >
> > On Jan 10, 2008 2:40 PM, Aleksey Shipilev <[EMAIL PROTECTED]> wrote:
> > > Hi All,
> > >
> > > I've just recently noticed the tool [1] developed by Coverity, which
> > > does static code analysis for projects. It seems to be used by major
> > > OSS players as another opportunity for QA: that includes but is not limited
> > > to the Linux kernel, Samba, Perl, Python, PHP. Moreover, they recently
> > > introduced Java support. Even though its focus is security, judging from
> > > reports it could detect memory leaks and other stability-important
> > > stuff. I think it's worth trying to scan Harmony. What do you think?
> > >
> > > Thanks,
> > > Aleksey.
> > >
> > > [1] http://scan.coverity.com/
> >
> > --
> > With best regards,
> > Alexei,
> > ESSD, Intel

--
Unless stated otherwise above: IBM United Kingdom Limited - Registered in England and Wales with number 741598. Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
