On 08/19/2013 07:09 PM, Koch, Rick (Subcontractor) wrote:
> I'm directing to this e-mail, as it seems to be the approved forum for 
> posting Git bugs. We ran CPPCheck against Git v. and found 24 high 
> risk bugs.  Please see the attachment xlsx. 
> Is there a method to post to the Git community to allow the community to 
> review and debunk as false positives or develop patches to fix the listed code 
> files?


If you're using cppcheck as found at https://github.com/danmar/cppcheck 
or http://sourceforge.net/apps/trac/cppcheck/ you really need to review 
the results, as there are many false positives.

I used that tool for my contributions so far (bug fixes as reported by 
However, you *really* need to manually review any message cppcheck generates.
This is because git is using a C, asm-like coding style for many routines,
whereas cppcheck is rather optimized to find typical C++ errors.
And the styles vary wildly! (cppcheck tries to have no false positives, 
but it's hard I guess)

I am running that cppcheck tool on git regularly (cppcheck master branch on
git master branch) and reviewing for real findings; you're welcome to do so
as well. :) 

There are other static code analyzers, which have slightly different 
goals, such as http://css.csail.mit.edu/stack/ which has an incredibly 
low false positive rate (I found none as of now).
However, I think having different tools is a great thing, but you'd need
to know your tools. ;)
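The reply above stresses that cppcheck findings on git have to be triaged by hand rather than shipped as a raw list. The following script, an added example that is not part of the mailing-list post and not a git or cppcheck project tool, shows one way to do that triage: it parses cppcheck's `--xml` (version 2) result format, puts high-severity findings into a review queue, sets aside low-severity style messages, and drops findings that a reviewer has already marked as false positives. The XML sample, the file names and the "reviewed false positive" list are constructed for the example and are not real results from the git tree.

```python
"""Triage cppcheck XML output for manual review (added example, constructed data)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of `cppcheck --xml --xml-version=2` output.
# None of these files or findings come from the git source tree.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
  <cppcheck version="placeholder"/>
  <errors>
    <error id="nullPointer" severity="error" msg="Possible null pointer dereference: p">
      <location file="example/a.c" line="42"/>
    </error>
    <error id="uninitvar" severity="error" msg="Uninitialized variable: buf">
      <location file="example/b.c" line="7"/>
    </error>
    <error id="variableScope" severity="style" msg="The scope of the variable 'i' can be reduced.">
      <location file="example/a.c" line="10"/>
    </error>
    <error id="unreadVariable" severity="style" msg="Variable 'x' is assigned a value that is never used.">
      <location file="example/c.c" line="3"/>
    </error>
    <error id="memleak" severity="error" msg="Memory leak: q">
      <location file="example/c.c" line="20"/>
    </error>
  </errors>
</results>
"""

# Severities that a human should look at first; "style"/"performance"/
# "information" messages are kept but deprioritised.
REVIEW_SEVERITIES = {"error", "warning"}

# Findings a reviewer has already examined and judged to be false positives.
# Keyed by (checker id, file, line). Constructed for this example.
REVIEWED_FALSE_POSITIVES = {
    ("nullPointer", "example/a.c", 42),
}


def parse_findings(xml_text):
    """Return a list of dicts, one per <error> element, with its first location."""
    root = ET.fromstring(xml_text)
    findings = []
    for err in root.iter("error"):
        loc = err.find("location")
        findings.append({
            "id": err.get("id"),
            "severity": err.get("severity"),
            "msg": err.get("msg"),
            "file": loc.get("file") if loc is not None else None,
            "line": int(loc.get("line")) if loc is not None and loc.get("line") else None,
        })
    return findings


def triage(findings, suppressions=REVIEWED_FALSE_POSITIVES):
    """Split findings into (needs review, already-reviewed false positives, low priority)."""
    to_review, suppressed, low = [], [], []
    for f in findings:
        key = (f["id"], f["file"], f["line"])
        if key in suppressions:
            suppressed.append(f)
        elif f["severity"] in REVIEW_SEVERITIES:
            to_review.append(f)
        else:
            low.append(f)
    return to_review, suppressed, low


def severity_summary(findings):
    """Count findings per severity so the raw numbers can be reported alongside the queue."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_XML)
    review, skipped, minor = triage(found)
    print("summary:", dict(severity_summary(found)))
    for f in review:
        print(f"REVIEW  {f['file']}:{f['line']} [{f['id']}] {f['msg']}")
    for f in skipped:
        print(f"FP      {f['file']}:{f['line']} [{f['id']}] (already reviewed)")
    for f in minor:
        print(f"LOW     {f['file']}:{f['line']} [{f['id']}] {f['msg']}")
```

Feeding real output into this is a matter of replacing `SAMPLE_XML` with the contents of the file written by cppcheck's XML mode; the suppression set is the piece worth keeping under version control, since it records which findings were looked at by a person and why they were rejected.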

