Re: [Python-Dev] Coverity Scan Spotlight Python
On 30.08.2013 01:24, Sturla Molden wrote:
> Do the numbers add up? .005 defects in 1,000 lines of code is one defect in every 200,000 lines of code. However they also claim that "to date, the Coverity Scan service has analyzed nearly 400,000 lines of Python code and identified 996 new defects – 860 of which have been fixed by the Python community."

Yes, the numbers add up. The difference between 860 and 996 are false positive defects and code that is intentionally written in a way which looks suspicious to Coverity Scan. I have documented the most common limitations in the devguide [1].

By the way, Coverity Scan doesn't understand Python code. It can only analyze C, C++ and Java code.

[1]

Christian

___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Coverity Scan Spotlight Python
On 8/30/2013 8:18 AM, Christian Heimes wrote:
> By the way, Coverity Scan doesn't understand Python code. It can only analyze C, C++ and Java code.

Have you (or Coverity) thought about which, if any, of the C defect categories apply to Python? (Assuming no use of ctypes ;-) Would it make any sense to apply their technology to Python code scanning?

-- 
Terry Jan Reedy
Re: [Python-Dev] Coverity Scan Spotlight Python
On Fri, 30 Aug 2013 00:10:27 +0200
Christian Heimes christ...@python.org wrote:
> Hello,
>
> Coverity has published its "Coverity Scan Spotlight Python" a couple of hours ago. It features a summary of Python's ecosystem, an interview with me about Python core development and a defect report. The report is awesome. We have reached a defect density of .005 defects per 1,000 lines of code.

What is a defect? Isn't it a bit weird to keep having a non-zero defect density, if those defects are identified? (or, if those defects are not bugs, what is the metric supposed to measure?)

Regards

Antoine.
Re: [Python-Dev] Coverity Scan Spotlight Python
On 30.08.2013 00:46, Antoine Pitrou wrote:
> On Fri, 30 Aug 2013 00:10:27 +0200
> Christian Heimes christ...@python.org wrote:
>> Hello,
>>
>> Coverity has published its "Coverity Scan Spotlight Python" a couple of hours ago. It features a summary of Python's ecosystem, an interview with me about Python core development and a defect report. The report is awesome. We have reached a defect density of .005 defects per 1,000 lines of code.
>
> What is a defect? Isn't it a bit weird to keep having a non-zero defect density, if those defects are identified? (or, if those defects are not bugs, what is the metric supposed to measure?)

The last defect is http://bugs.python.org/issue18550 "internal_setblocking() doesn't check return value of fcntl()". It's unlikely that the missing check is going to cause trouble. It's tedious to fix it, too. At least one affected function can't signal an error because it is defined as void.

Christian
Re: [Python-Dev] Coverity Scan Spotlight Python
Do the numbers add up? .005 defects in 1,000 lines of code is one defect in every 200,000 lines of code. However they also claim that "to date, the Coverity Scan service has analyzed nearly 400,000 lines of Python code and identified 996 new defects – 860 of which have been fixed by the Python community."

Sturla

Sent from my iPad

On 30 Aug 2013 at 00:10, Christian Heimes christ...@python.org wrote:
> Hello,
>
> Coverity has published its "Coverity Scan Spotlight Python" a couple of hours ago. It features a summary of Python's ecosystem, an interview with me about Python core development and a defect report. The report is awesome. We have reached a defect density of .005 defects per 1,000 lines of code. In 2012 the average defect density of Open Source Software was 0.69.
>
> http://www.coverity.com/company/press-releases/read/coverity-finds-python-sets-new-level-of-quality-for-open-source-software
> http://wpcme.coverity.com/wp-content/uploads/2013-Coverity-Scan-Spotlight-Python.pdf
>
> The internet likes it, too.
>
> http://www.prnewswire.com/news-releases/coverity-finds-python-sets-new-level-of-quality-for-open-source-software-221629931.html
> http://www.securityweek.com/python-gets-high-marks-open-source-software-security-report
>
> Thank you very much to Kristin Brennan and Dakshesh Vyas from Coverity as well as everybody who has helped to fix the remaining issues!
>
> Christian
Re: [Python-Dev] Coverity Scan Spotlight Python
On 08/29/2013 07:24 PM, Sturla Molden wrote:
> Do the numbers add up? .005 defects in 1,000 lines of code is one defect in every 200,000 lines of code. However they also claim that "to date, the Coverity Scan service has analyzed nearly 400,000 lines of Python code and identified 996 new defects – 860 of which have been fixed by the Python community."

FWIW: David Wheeler's 'sloccount' reports 800,489 lines of code in the Python 3.3.1 tarball, of which 403,266 lines are Python code, and 368,474 are ANSI C. That defect rate would imply 4 open defects in Python itself.

Tres.

-- 
===
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
Re: [Python-Dev] Coverity Scan Spotlight Python
On 8/29/2013 7:24 PM, Sturla Molden wrote:
> Do the numbers add up? .005 defects in 1,000 lines of code is one defect in every 200,000 lines of code. However they also claim that "to date, the Coverity Scan service has analyzed nearly 400,000 lines of Python code and identified 996 new defects – 860 of which have been fixed by the Python community."

Some marked as 'false positive', some as 'intentional'.

-- 
Terry Jan Reedy
Re: [Python-Dev] Coverity Scan
Just a quick question - is there a chance to convince Coverity to detect Python refcounting leaks in C API code :-) ? This could be useful not only for Python but for extensions too. As it stands now, Coverity's leak detection in Python must be pretty weak because almost everything is done via PyObject refcounts.

Eli

On Thu, Jul 25, 2013 at 11:48 AM, Christian Heimes christ...@python.org wrote:
> Hello,
>
> this is an update on my work and the current status of Coverity Scan.
>
> Maybe you have noticed checkins made by me that end with the line "CID #". These are checkins that fix an issue that was discovered by the static code analyzer Coverity. Coverity is a commercial product but it's a free service for some Open Source projects. Python has been analyzed by Coverity since about 2007. Guido, Neal, Brett, Stefan and some other developers have used Coverity before I took over. I fixed a couple of issues before 3.3 reached the RC phase and more bugs in the last couple of months.
>
> Coverity is really great and its web GUI is fun to use, too. I was able to identify and fix resource leaks, NULL pointer issues, buffer overflows and missing checks all over the place. Because it's a static analyzer that follows data-flows and control-flows the tool can detect issues in error paths that are hardly visited at all.
>
> I have started to document Coverity here: http://docs.python.org/devguide/coverity.html
>
> Interview
> ---------
>
> A week ago I was contacted by Coverity. They have started a series of articles and press releases about Open Source projects that use their free service Coverity Scan, see http://www.coverity.com/company/press-releases/read/coverity-introduces-monthly-spotlight-series-for-coverity-scan-open-source-projects
>
> Two days ago I had a lovely phone interview about my involvement in the Python project and our development style. They are going to release a nice article in a couple of weeks. In the mean time we have time to fix the remaining couple issues. We *might* be able to reach the highest coverity integrity level! I have dealt with all major issues so we just have to fix a couple of issues.
>
> Current stats
> -------------
>
> Lines of Code:   396,179
> Defect Density:  0.05
> Total defects:   1,054
> Outstanding:     21 (Coverity Connect shows less)
> Dismissed:       222
> Fixed:           811
>
> http://i.imgur.com/NoELjcj.jpg
> http://i.imgur.com/eJSzTUX.jpg
>
> open issues
> -----------
>
> http://bugs.python.org/issue17899
> http://bugs.python.org/issue18556
> http://bugs.python.org/issue18555
> http://bugs.python.org/issue18552
> http://bugs.python.org/issue18551
> http://bugs.python.org/issue18550
> http://bugs.python.org/issue18528
>
> Christian
Re: [Python-Dev] Coverity Scan
On 26.07.2013 14:56, Eli Bendersky wrote:
> Just a quick question - is there a chance to convince Coverity to detect Python refcounting leaks in C API code :-) ? This could be useful not only for Python but for extensions too. As it stands now, Coverity's leak detection in Python must be pretty weak because almost everything is done via PyObject refcounts.

Coverity is able to detect some cases of refcount leaks. I don't know if the software is able to keep track of all reference counts. But it understands missing Py_DECREF() in error branches. For example:

    PyObject *n = PyLong_FromLong(0);
    PyObject *u = PyUnicode_FromString("example");
    if (u == NULL) {
        return NULL; /* Coverity detects that 'n' leaks memory */
    }

Christian
Re: [Python-Dev] Coverity Scan
On Thu, Jul 25, 2013 at 6:56 PM, Christian Heimes christ...@python.org wrote:
> On 26.07.2013 00:32, Terry Reedy wrote:
>> I found the answer here
>> https://docs.google.com/file/d/0B5wQCOK_TiRiMWVqQ0xPaDEzbkU/edit
>>
>> Coverity Integrity Level 1 is 1 (defect/1000 lines)
>> Level 2 is .1 (we have passed that)
>> Level 3 is .01 + no major defects + 20% (of all defects?) false positives as that is their normal rate.# A higher false positive rate requires auditing by Coverity. They claim "A higher false positive rate indicates misconfiguration, usage of unusual idioms, or incorrect diagnosis of a large number of defects." They also add "or a flaw in our analysis."
>>
>> # Since false positives should stay constant as true positives are reduced toward 0, false / all should tend toward 1 (100%) if I understand the ratio correctly.
>
> About 40% of the dismissed cases are caused by a handful of issues. I have documented these issues as known limitations http://docs.python.org/devguide/coverity.html#known-limitations . For example about 35 false positives are related to PyLong_FromLong() and our small integer optimization. A correct modeling file would eliminate the false positive defects. My attempts don't work as hoped and I don't have access to all professional coverity tools to debug my trials.

Have you tried asking for help from Coverity? They have been rather nice so far and they may be willing to just give us free help in getting the modeling file set up properly.

-Brett

> Nearly 20 false positives are caused by Py_BuildValue("N"). I'm still astonished that Coverity understands Python's reference counting most of the time. :)
>
> Did I mention that we have almost reached Level 3? All major defects have been dealt with (one of them locally on the test machine until Larry pushes his patch soonish), 4 of 7 minor issues must be closed and our dismissed rate is just little over 20% (222 out of 1054 = 21%).
Re: [Python-Dev] Coverity Scan
On Fri, Jul 26, 2013 at 8:56 AM, Eli Bendersky eli...@gmail.com wrote:
> Just a quick question - is there a chance to convince Coverity to detect Python refcounting leaks in C API code :-) ?

You can always ask. =)

> This could be useful not only for Python but for extensions too. As it stands now, Coverity's leak detection in Python must be pretty weak because almost everything is done via PyObject refcounts.

Just an FYI (mostly for others since I think Eli was at PyCon in the relevant talk), David Malcolm has his work with gcc and refleak detection. But yes, it would be nice if it was in Coverity as it would then be part of the daily check.

-Brett

> Eli
>
> On Thu, Jul 25, 2013 at 11:48 AM, Christian Heimes christ...@python.org wrote:
>> Hello,
>>
>> this is an update on my work and the current status of Coverity Scan.
>>
>> (rest of the status update snipped)
Re: [Python-Dev] Coverity Scan
On Fri, 26 Jul 2013 16:29:59 +0200,
Christian Heimes christ...@python.org wrote:
> Coverity is able to detect some cases of refcount leaks. I don't know if the software is able to keep track of all reference counts. But it understands missing Py_DECREF() in error branches. For example:
>
>     PyObject *n = PyLong_FromLong(0);
>     PyObject *u = PyUnicode_FromString("example");
>     if (u == NULL) {
>         return NULL; /* Coverity detects that 'n' leaks memory */
>     }

But 'n' doesn't leak memory since PyLong_FromLong(0) is statically allocated ;-)

More generally, in similar cases (e.g. replace 0 with a non-small integer), you don't need any knowledge of reference counts to infer that there is a memory leak. When the code discards the only existing pointer to a heap-allocated memory area, there's a leak. What we call "refcount leaks" is generally when an area is still pointer-accessible, but failure to decrement the reference count appropriately means it will never be released.

Regards

Antoine.
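The two messages above (Christian's error-branch snippet and Antoine's correction about small ints) can be demonstrated with a small self-contained model. The following is an added example written for this archive page, not CPython code and not something posted in the thread: obj_t, obj_from_long(), obj_fallible(), OBJ_DECREF(), live_heap_objects and the pair_* functions are all invented here. It mirrors the CPython conventions the thread relies on (a constructor returns a new reference the caller owns; values below a small-int threshold come from a static cache that is never freed) so that the "leak" reported for the `PyLong_FromLong(0)` case can be seen to be a false positive, while the same error branch with a heap-allocated value really does leak, and the fixed branch does not.

```c
/* Toy reference-counting model written for this thread. Not CPython code:
 * every name below is invented for the example. */
#include <stdio.h>
#include <stdlib.h>

#define SMALL_INT_MAX 5

typedef struct obj {
    long refcnt;
    long value;
    int is_static;              /* 1 for cached small ints: never freed */
} obj_t;

static long live_heap_objects = 0;          /* heap objects not yet freed */
static obj_t small_ints[SMALL_INT_MAX];     /* zero-initialised static cache */
static int fail_next = 0;                   /* makes the next obj_fallible() fail */

/* Drop one reference; free only heap objects whose count reaches zero. */
#define OBJ_DECREF(o) do {                                  \
    if (--(o)->refcnt == 0 && !(o)->is_static) {           \
        live_heap_objects--;                                \
        free(o);                                            \
    }                                                       \
} while (0)

/* Like PyLong_FromLong(): small values come from a static cache, the rest
 * from the heap. Either way the caller receives a new reference. */
static obj_t *obj_from_long(long v) {
    if (v >= 0 && v < SMALL_INT_MAX) {
        obj_t *s = &small_ints[v];
        s->value = v;
        s->is_static = 1;
        s->refcnt++;
        return s;
    }
    obj_t *o = malloc(sizeof *o);
    if (o == NULL) return NULL;
    o->refcnt = 1;
    o->value = v;
    o->is_static = 0;
    live_heap_objects++;
    return o;
}

/* Stand-in for PyUnicode_FromString(): a constructor that can fail. */
static obj_t *obj_fallible(long v) {
    if (fail_next) {
        fail_next = 0;
        return NULL;
    }
    return obj_from_long(v);
}

/* The pattern from the thread: the error branch forgets 'n'. With first == 0
 * the object is the static small int and nothing is lost (the analyzer's
 * report is a false positive); with a large value the same code leaks. */
static obj_t *pair_leaky(long first) {
    obj_t *n = obj_from_long(first);
    if (n == NULL) return NULL;
    obj_t *u = obj_fallible(1000);
    if (u == NULL) {
        return NULL;            /* BUG: n is still owned by this frame */
    }
    OBJ_DECREF(u);
    return n;
}

/* Fixed version: every early return releases the references it owns. */
static obj_t *pair_fixed(long first) {
    obj_t *n = obj_from_long(first);
    if (n == NULL) return NULL;
    obj_t *u = obj_fallible(1000);
    if (u == NULL) {
        OBJ_DECREF(n);          /* release before bailing out */
        return NULL;
    }
    OBJ_DECREF(u);
    return n;
}

/* Run fn through its error branch (force_error != 0) or its normal path and
 * report how many heap objects it left behind. */
static long leaked_objects(obj_t *(*fn)(long), long first, int force_error) {
    long before = live_heap_objects;
    fail_next = force_error;
    obj_t *r = fn(first);
    if (r != NULL) OBJ_DECREF(r);   /* the caller owns the result */
    return live_heap_objects - before;
}

int main(void) {
    printf("small int, error path, leaky code : %ld leaked\n", leaked_objects(pair_leaky, 0, 1));
    printf("big int,   error path, leaky code : %ld leaked\n", leaked_objects(pair_leaky, 123456, 1));
    printf("big int,   error path, fixed code : %ld leaked\n", leaked_objects(pair_fixed, 123456, 1));
    printf("big int,   normal path, fixed code: %ld leaked\n", leaked_objects(pair_fixed, 123456, 0));
    return 0;
}
```

The point for reviewers of C extension code is the same one Antoine makes: the real defect is the early `return` that drops the only owning reference, and whether it costs memory depends on what the constructor handed back. A modeling file that tells the analyzer that small-int results are static would silence the false positives Christian mentions without hiding the genuine case.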
Re: [Python-Dev] Coverity Scan
On Fri, Jul 26, 2013 at 7:29 AM, Christian Heimes christ...@python.org wrote:
> On 26.07.2013 14:56, Eli Bendersky wrote:
>> Just a quick question - is there a chance to convince Coverity to detect Python refcounting leaks in C API code :-) ? This could be useful not only for Python but for extensions too. As it stands now, Coverity's leak detection in Python must be pretty weak because almost everything is done via PyObject refcounts.
>
> Coverity is able to detect some cases of refcount leaks. I don't know if the software is able to keep track of all reference counts. But it understands missing Py_DECREF() in error branches. For example:
>
>     PyObject *n = PyLong_FromLong(0);
>     PyObject *u = PyUnicode_FromString("example");
>     if (u == NULL) {
>         return NULL; /* Coverity detects that 'n' leaks memory */
>     }

Interesting. I was thinking of something more general though. Especially if we can mark function arguments and return values as stealing references / creating new ones / etc, many many common refcount bugs can be detected with static analysis. This is definitely research-y, probably too much for our current stage of relationship with Coverity :)

Eli
Re: [Python-Dev] Coverity Scan
On 26.07.2013 16:29, Brett Cannon wrote:
> Have you tried asking for help from Coverity? They have been rather nice so far and they may be willing to just give us free help in getting the modeling file set up properly.

Yes, I'm in contact with Dakshesh. I was able to figure out one model for a false positive on my own. Dakshesh is helping me with another.

Christian
Re: [Python-Dev] Coverity Scan
On 7/25/2013 2:48 PM, Christian Heimes wrote:
> Hello,
>
> this is an update on my work and the current status of Coverity Scan.

Great work.

> Maybe you have noticed checkins made by me that end with the line "CID #". These are checkins that fix an issue that was discovered by the static code analyzer Coverity. Coverity is a commercial product but it's a free service for some Open Source projects. Python has been analyzed by Coverity since about 2007. Guido, Neal, Brett, Stefan and some other developers have used Coverity before I took over. I fixed a couple of issues before 3.3 reached the RC phase and more bugs in the last couple of months.

The benefit for us is not just improving Python but having external verification of its excellence in relation both to other open-source projects and commercial software.

> Coverity is really great and its web GUI is fun to use, too. I was able to identify and fix resource leaks, NULL pointer issues, buffer overflows and missing checks all over the place. Because it's a static analyzer that follows data-flows and control-flows the tool can detect issues in error paths that are hardly visited at all.
>
> I have started to document Coverity here: http://docs.python.org/devguide/coverity.html
>
> Interview
> ---------
>
> A week ago I was contacted by Coverity. They have started a series of articles and press releases about Open Source projects that use their free service Coverity Scan, see http://www.coverity.com/company/press-releases/read/coverity-introduces-monthly-spotlight-series-for-coverity-scan-open-source-projects

The intention is to promote the best of open source to industry.

> Two days ago I had a lovely phone interview about my involvement in the Python project and our development style. They are going to release a nice article in a couple of weeks. In the mean time we have time to fix the remaining couple issues. We *might* be able to reach the highest coverity integrity level! I have dealt with all major issues so we just have to fix a couple of issues.
>
> Current stats
> -------------
>
> Lines of Code:   396,179

C only? or does Python code now count as 'source code'?

> Defect Density:  0.05

= defects per thousand lines = 20/400
Anything under 1 is good. The release above reports Samba now at .6. http://www.pcworld.com/article/2038244/linux-code-is-the-benchmark-of-quality-study-concludes.html reports Linux 3.8 as having the same for 7.6 million lines.

> Total defects:   1,054
> Outstanding:     21 (Coverity Connect shows less)
> Dismissed:       222

This implies that they accept our designation of some things as False Positives or Intentional. Does Coverity do any review of such designations, so a project cannot cheat?

> Fixed:           811
>
> http://i.imgur.com/NoELjcj.jpg
> http://i.imgur.com/eJSzTUX.jpg
>
> open issues
> -----------
>
> http://bugs.python.org/issue17899
> http://bugs.python.org/issue18556
> http://bugs.python.org/issue18555
> http://bugs.python.org/issue18552
> http://bugs.python.org/issue18551
> http://bugs.python.org/issue18550
> http://bugs.python.org/issue18528

-- 
Terry Jan Reedy
Re: [Python-Dev] Coverity Scan
On 7/25/2013 6:00 PM, Terry Reedy wrote:
>> Defect Density:  0.05
>
> = defects per thousand lines = 20/400
> Anything under 1 is good. The release above reports Samba now at .6. http://www.pcworld.com/article/2038244/linux-code-is-the-benchmark-of-quality-study-concludes.html reports Linux 3.8 as having the same for 7.6 million lines.
>
>> Total defects:   1,054
>> Outstanding:     21 (Coverity Connect shows less)
>> Dismissed:       222
>
> This implies that they accept our designation of some things as False Positives or Intentional. Does Coverity do any review of such designations, so a project cannot cheat?

I found the answer here
https://docs.google.com/file/d/0B5wQCOK_TiRiMWVqQ0xPaDEzbkU/edit

Coverity Integrity Level 1 is 1 (defect/1000 lines)
Level 2 is .1 (we have passed that)
Level 3 is .01 + no major defects + 20% (of all defects?) false positives as that is their normal rate.# A higher false positive rate requires auditing by Coverity. They claim "A higher false positive rate indicates misconfiguration, usage of unusual idioms, or incorrect diagnosis of a large number of defects." They also add "or a flaw in our analysis."

# Since false positives should stay constant as true positives are reduced toward 0, false / all should tend toward 1 (100%) if I understand the ratio correctly.

>> Fixed:           811
>>
>> http://i.imgur.com/NoELjcj.jpg
>> http://i.imgur.com/eJSzTUX.jpg

-- 
Terry Jan Reedy
Re: [Python-Dev] Coverity Scan
On Thu, 25 Jul 2013 18:00:55 -0400
Terry Reedy tjre...@udel.edu wrote:
> On 7/25/2013 2:48 PM, Christian Heimes wrote:
>> Hello,
>>
>> this is an update on my work and the current status of Coverity Scan.
>
> Great work.
>
>> Maybe you have noticed checkins made by me that end with the line "CID #". These are checkins that fix an issue that was discovered by the static code analyzer Coverity. Coverity is a commercial product but it's a free service for some Open Source projects. Python has been analyzed by Coverity since about 2007. Guido, Neal, Brett, Stefan and some other developers have used Coverity before I took over. I fixed a couple of issues before 3.3 reached the RC phase and more bugs in the last couple of months.
>
> The benefit for us is not just improving Python but having external verification of its excellence in relation both to other open-source projects and commercial software.

Excellence? The term is too weak, I would say "perfection" at least, but perhaps we should go as far as "divinity".

Regards

Antoine.
Re: [Python-Dev] Coverity Scan
On 26.07.2013 00:32, Terry Reedy wrote:
> I found the answer here
> https://docs.google.com/file/d/0B5wQCOK_TiRiMWVqQ0xPaDEzbkU/edit
>
> Coverity Integrity Level 1 is 1 (defect/1000 lines)
> Level 2 is .1 (we have passed that)
> Level 3 is .01 + no major defects + 20% (of all defects?) false positives as that is their normal rate.# A higher false positive rate requires auditing by Coverity. They claim "A higher false positive rate indicates misconfiguration, usage of unusual idioms, or incorrect diagnosis of a large number of defects." They also add "or a flaw in our analysis."
>
> # Since false positives should stay constant as true positives are reduced toward 0, false / all should tend toward 1 (100%) if I understand the ratio correctly.

About 40% of the dismissed cases are caused by a handful of issues. I have documented these issues as known limitations http://docs.python.org/devguide/coverity.html#known-limitations . For example about 35 false positives are related to PyLong_FromLong() and our small integer optimization. A correct modeling file would eliminate the false positive defects. My attempts don't work as hoped and I don't have access to all professional coverity tools to debug my trials.

Nearly 20 false positives are caused by Py_BuildValue("N"). I'm still astonished that Coverity understands Python's reference counting most of the time. :)

Did I mention that we have almost reached Level 3? All major defects have been dealt with (one of them locally on the test machine until Larry pushes his patch soonish), 4 of 7 minor issues must be closed and our dismissed rate is just little over 20% (222 out of 1054 = 21%).

Christian
Re: [Python-Dev] Coverity Scan
On 26.07.2013 00:50, Antoine Pitrou wrote:
> Excellence? The term is too weak, I would say "perfection" at least, but perhaps we should go as far as "divinity".

Don't forget that Python can offer lots of places to keep your bike clean and dry ... *scnr*
Re: [Python-Dev] Coverity Scan
On 26.07.2013 00:00, Terry Reedy wrote:
>> http://www.coverity.com/company/press-releases/read/coverity-introduces-monthly-spotlight-series-for-coverity-scan-open-source-projects
>
> The intention is to promote the best of open source to industry.

I think it's also a marketing tool. They like to sell their product. I don't have a problem with that. After all Coverity provides a useful service for free that supplements our own debugging tools.

>> Lines of Code:   396,179
>
> C only? or does Python code now count as 'source code'?

It's just C code and headers. Coverity doesn't analyze Python code. According to cloc Python has 296707 + 78126 == 374833 lines of code in C and header files. I'm not sure why Coverity detects more.

>> Defect Density:  0.05
>
> = defects per thousand lines = 20/400
> Anything under 1 is good. The release above reports Samba now at .6. http://www.pcworld.com/article/2038244/linux-code-is-the-benchmark-of-quality-study-concludes.html reports Linux 3.8 as having the same for 7.6 million lines.

These are amazing numbers. Python is much smaller.

>> Total defects:   1,054
>> Outstanding:     21 (Coverity Connect shows less)
>> Dismissed:       222
>
> This implies that they accept our designation of some things as False Positives or Intentional. Does Coverity do any review of such designations, so a project cannot cheat?

What's the point of cheating? :) I could dismiss any remaining defect as intentional or false positive but that would only harm ourselves. As you already pointed out Coverity reserves the right to inspect dismissed bugs for their highest ranking. I'm in the process of looking through all dismissed defects. Some of them are relics of deleted files and removed code. Some others may go away with proper modeling.

Christian
Re: [Python-Dev] Coverity Scan
On 7/25/2013 6:56 PM, Christian Heimes wrote:
> On 26.07.2013 00:32, Terry Reedy wrote:
>> Since false positives should stay constant as true positives are reduced toward 0, false / all should tend toward 1 (100%) if I understand the ratio correctly.

Which I did not ;-).

> About 40% of the dismissed cases are caused by a handful of issues. I have documented these issues as known limitations http://docs.python.org/devguide/coverity.html#known-limitations . For example about 35 false positives are related to PyLong_FromLong() and our small integer optimization. A correct modeling file would eliminate the false positive defects. My attempts don't work as hoped and I don't have access to all professional coverity tools to debug my trials. Perhaps Coverity will help when doing an audit. Nearly 20 false positives are caused by Py_BuildValue(N). I'm still astonished that Coverity understands Python's reference counting most of the time. :)
>
> Did I mention that we have almost reached Level 3? All major defects

It is hard to measure the benefit of preventive medicine, but I imagine that we should see fewer mysterious crashes and heisenbugs than we would have. In any case, Level 3 certification should help people promoting the use of Python in organizational settings, whether as employees or consultants.

> have been dealt with (one of them locally on the test machine until Larry pushes his patch soonish), 4 of 7 minor issues must be closed and

.1 * 390 allows 3 defects (or 4 if they round up) -- astonishingly good!

> our dismissed rate is just a little over 20% (222 out of 1054 = 21%).

So merely verifying the 35 PyLong_FromLong dismissals will put us under. Thanks for clarifying the proper denominator -- all defects ever found. It seems obvious in retrospect, but I was focused on current stats, not the history.
-- Terry Jan Reedy
Re: [Python-Dev] Coverity scan
Christian Heimes li...@cheimes.de wrote:
> IMHO it makes sense to define a workflow for how we are going to handle Coverity issues. Each coverity issue has an identifier and can have information like an external reference and an action. I've seen that you have started to create bugs in our tracker. How about we mention the Coverity # in the bug and add a link to the bug in the Ext. Reference field of the Coverity issue and set the Action to Claimed, being worked on.

That sounds good in principle. I'm only worried that for casual readers of either the commit messages or the tracker issues the importance of the Coverity tool might be overstated. After all, 99.99% of issues are either found by developers themselves or by gcc, Visual Studio, Valgrind, etc. It just occurred to me that for example we don't credit other tools in commit messages.

That said, for users of the Coverity web interface it's clearly useful.

Stefan Krah
Re: [Python-Dev] Coverity scan
Quoting Stefan Krah ste...@bytereef.org:
> After all, 99.99% of issues are either found by developers themselves or by gcc, Visual Studio, Valgrind, etc. It just occurred to me that for example we don't credit other tools in commit messages.

I agree that Coverity doesn't need to be mentioned in commit messages. We do cite tools occasionally, but in a negative way, such as "silence gcc warning", where the commit message and/or comment explains why some code is ugly for some non-obvious reason.

Regards, Martin
Re: [Python-Dev] Coverity scan
On Sat, Sep 8, 2012 at 6:41 AM, mar...@v.loewis.de wrote:
> Quoting Stefan Krah ste...@bytereef.org:
>> After all, 99.99% of issues are either found by developers themselves or by gcc, Visual Studio, Valgrind, etc. It just occurred to me that for example we don't credit other tools in commit messages.
>
> I agree that Coverity doesn't need to be mentioned in commit messages. We do cite tools occasionally, but in a negative way, such as "silence gcc warning", where the commit message and/or comment explains why some code is ugly for some non-obvious reason.

Well, when I fix bugs found by Clang's static analyzer (which I ran out of time to do for 3.3) I try to remember to thank the tool. IOW I don't think thanking a tool hurts, but in no way is it required either.
Re: [Python-Dev] Coverity scan
On 08.09.2012 11:35, Stefan Krah wrote:
> That sounds good in principle. I'm only worried that for casual readers of either the commit messages or the tracker issues the importance of the Coverity tool might be overstated. After all, 99.99% of issues are either found by developers themselves or by gcc, Visual Studio, Valgrind, etc. It just occurred to me that for example we don't credit other tools in commit messages.

I'd like to avoid that two people create two bug tracker entries or work on the same issue at the same time. The CID (coverity id) also makes it easier to find the entry on the Coverity site. IMHO it's sufficient to mention the CID in the tracker entry. As Brett has said it's also nice to give credits, too.

By the way I've automated the build and upload process. Every six hours the default branch is pulled from hg and a build is triggered when changes are detected.

Christian
Re: [Python-Dev] Coverity scan
On 06.09.2012 10:59, Stefan Krah wrote:
> The mailing list would be nice especially if we could get the results in verbose text form, but I don't know if that's possible.

I've added my account to the notification list but I've not yet received a mail as no new issue was introduced. Coverity also sends an email for every successful or failed build. So far the mails end up in my inbox.

> BTW, do we keep all buffer overruns secret or can we post them on the tracker if it's an off-by-one and unlikely to be exploitable?

I'd say use your best discretion. In the unlikely case that Coverity finds a buffer overflow that can be abused remotely we have to go through PSRT and publish security fix releases. At a first glance no bug looked that severe to me.

IMHO it makes sense to define a workflow for how we are going to handle Coverity issues. Each coverity issue has an identifier and can have information like an external reference and an action. I've seen that you have started to create bugs in our tracker. How about we mention the Coverity # in the bug and add a link to the bug in the Ext. Reference field of the Coverity issue and set the Action to Claimed, being worked on.

In case you got curious about Coverity I've created a screenshot for you http://imm.io/Duel .

Christian
Re: [Python-Dev] Coverity scan
Christian Heimes li...@cheimes.de wrote:
> Coverity has some new features like notification of new possible issues and build steps. We could create a new mailing list for coverity scan builds and results. The mailing list should be exclusive to core devs as the issues may be security relevant.

The mailing list would be nice especially if we could get the results in verbose text form, but I don't know if that's possible.

BTW, do we keep all buffer overruns secret or can we post them on the tracker if it's an off-by-one and unlikely to be exploitable?

Stefan Krah
Re: [Python-Dev] Coverity scan
On 03.09.2012 15:59, Christian Heimes wrote:
> It would be nice if we get Coverity scans up and running this week to check the upcoming release candidate for issues.

Updates:

- Noah has set up a VM for me on the PSF infrastructure. I've installed the Coverity tools, build dependencies of Python and a hg clone of the default branch. The instrumented coverage builds are working, too.
- Brett has contacted Coverity to establish me as a second administrative contact besides him. Once it's done I'll request an upload account to submit the coverage data.

I try to get everything in place by tomorrow so we have some time to check for bugs before the next RC is deployed.

Stefan: Has Brett already requested an account for you or shall I request one for you?

Christian
Re: [Python-Dev] Coverity scan
On Wed, Sep 5, 2012 at 8:43 AM, Christian Heimes li...@cheimes.de wrote:
> On 03.09.2012 15:59, Christian Heimes wrote:
>> It would be nice if we get Coverity scans up and running this week to check the upcoming release candidate for issues.
>
> Updates:
>
> - Noah has set up a VM for me on the PSF infrastructure. I've installed the Coverity tools, build dependencies of Python and a hg clone of the default branch. The instrumented coverage builds are working, too.
> - Brett has contacted Coverity to establish me as a second administrative contact besides him. Once it's done I'll request an upload account to submit the coverage data.
>
> I try to get everything in place by tomorrow so we have some time to check for bugs before the next RC is deployed.
>
> Stefan: Has Brett already requested an account for you or shall I request one for you?

I have not for no other reason than I had not thought about it.
Re: [Python-Dev] Coverity scan
On 05.09.2012 14:45, Brett Cannon wrote:
> I have not for no other reason than I had not thought about it.

Whatever, I wasn't even sure if Stefan has contacted you or asked for an account in a public message. He might have proclaimed his wish in a private mail.

Christian
Re: [Python-Dev] Coverity scan
Christian Heimes li...@cheimes.de wrote:
> I try to get everything in place by tomorrow so we have some time to check for bugs before the next RC is deployed.

Fantastic. Thanks for pushing this forward!

> Stefan: Has Brett already requested an account for you or shall I request one for you?

Not yet, please do if it's no problem.

Stefan Krah
Re: [Python-Dev] Coverity scan
On 05.09.2012 14:43, Christian Heimes wrote:
> I try to get everything in place by tomorrow so we have some time to check for bugs before the next RC is deployed.

The people at Coverity are even faster than I hoped. I'm now in possession of the project password, which means I can upload the builds and add new users. I've already added Stefan and uploaded an instrumented build successfully:

> Your request for analysis of Python has been completed. The results should be available now in the database: http://scan5.coverity.com:8080/

Have fun!

Christian
Re: [Python-Dev] Coverity scan
Christian Heimes li...@cheimes.de wrote:
> The people at Coverity are even faster than I hoped. I'm now in possession of the project password, which means I can upload the builds and add new users. I've already added Stefan and uploaded an instrumented build successfully:
>
>> Your request for analysis of Python has been completed. The results should be available now in the database: http://scan5.coverity.com:8080/

Thanks Christian, works perfectly!

Stefan Krah
Re: [Python-Dev] Coverity scan
And a thanks to Christian and Stefan for picking this up and running with it. I have not been the best keeper of this stuff as of late, but now that Christian, Stefan, and I all have admin access to the data we can spread the load so that none of us become a bottleneck.

On Wed, Sep 5, 2012 at 12:50 PM, Stefan Krah ste...@bytereef.org wrote:
> Christian Heimes li...@cheimes.de wrote:
>> The people at Coverity are even faster than I hoped. I'm now in possession of the project password, which means I can upload the builds and add new users. I've already added Stefan and uploaded an instrumented build successfully:
>>
>>> Your request for analysis of Python has been completed. The results should be available now in the database: http://scan5.coverity.com:8080/
>
> Thanks Christian, works perfectly!
>
> Stefan Krah
Re: [Python-Dev] Coverity scan
On 05.09.2012 18:56, Brett Cannon wrote:
> And a thanks to Christian and Stefan for picking this up and running with it. I have not been the best keeper of this stuff as of late, but now that Christian, Stefan, and I all have admin access to the data we can spread the load so that none of us become a bottleneck.

You are welcome! Sharing is caring (or so) *g*

Coverity has some new features like notification of new possible issues and build steps. We could create a new mailing list for coverity scan builds and results. The mailing list should be exclusive to core devs as the issues may be security relevant.

Christian
Re: [Python-Dev] Coverity scan
On Mon, 03 Sep 2012 15:59:59 +0200 Christian Heimes li...@cheimes.de wrote:
> It's easy, doesn't take much effort and can easily be automated, but somebody has to do it. The process should also be placed on the Python infrastructure and I don't have access. Secondly somebody has to contact Coverity to apply for an upload account. I tried my user account without success.

You could ask infrastruct...@python.org for an account on an existing machine (dinsdale perhaps, it looks much less loaded now that some services have been migrated).

Regards

Antoine.

-- Software development and contracting: http://pro.pitrou.net
Re: [Python-Dev] Coverity scan
On 03.09.2012 16:27, Antoine Pitrou wrote:
> You could ask infrastruct...@python.org for an account on an existing machine (dinsdale perhaps, it looks much less loaded now that some services have been migrated).

Thanks Antoine! I've contacted the infrastructure team.

Christian
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
On Wed, Jan 09, 2008 at 09:11:21PM -0800, Neal Norwitz wrote:
> For mmapmodule.c, fd should be checked for -1 before calling stat on line 1064.

I'll fix the mmap problem.

--amk
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
On Wed, Jan 09, 2008 at 09:11:21PM -0800, Neal Norwitz wrote:
> For mmapmodule.c, fd should be checked for -1 before calling stat on line 1064.

On looking at this, it doesn't seem like an actual problem. fstat(-1, ...) returns -1 and errno is set to EBADF, 'bad file descriptor'.

        /* on OpenVMS we must ensure that all bytes are written to the file */
        fsync(fd);
    # endif
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
            ...

In rev. 59888, I've added 'fd != -1' to the 'if' just to save a pointless fstat() call, and made the OpenVMS fsync() call similarly conditional, but I don't think this item is a bug, much less a security bug. I won't bother backporting this to 25-maint, unless asked to do so by the 2.5 maintainer.

--amk
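An added example, written for this page and not CPython's own mmapmodule.c: it applies the `fd != -1` guard in front of `fstat()` that amk describes above (and that Christian's reply later in the thread spells out as `fd != -1 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)`), and it checks the claim that `fstat(-1, ...)` merely fails with EBADF. The function names, the temporary-file helper and the `/tmp` template path are this example's own assumptions, not anything from the thread.

```c
/* Added example, not CPython's mmapmodule.c: the fd != -1 guard in front
 * of fstat() that the thread discusses, plus a check of the claim that
 * fstat(-1, ...) fails with EBADF rather than doing anything harmful.
 * All function names here are this example's own (assumptions). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* 1 if fd refers to a regular file, 0 otherwise. An fd of -1 is answered
 * without a system call: fstat() would only fail with EBADF, so the guard
 * saves the pointless call (the same reasoning as the rev. 59888 change). */
static int is_regular_file(int fd)
{
    struct stat st;
    if (fd == -1)
        return 0;
    return fstat(fd, &st) == 0 && S_ISREG(st.st_mode);
}

/* Calls fstat() on the invalid descriptor -1 and returns the errno it sets
 * (0 if the call unexpectedly succeeds). POSIX specifies EBADF here. */
static int fstat_bad_fd_errno(void)
{
    struct stat st;
    errno = 0;
    if (fstat(-1, &st) == 0)
        return 0;
    return errno;
}

/* Creates an anonymous temporary regular file (constructed test input),
 * runs is_regular_file() on it and returns the result, or -1 if the file
 * could not be created. */
static int temp_file_is_regular(void)
{
    char path[] = "/tmp/fstat_demo_XXXXXX";   /* mkstemp() template, assumed writable */
    int fd = mkstemp(path);
    int result;
    if (fd == -1)
        return -1;
    unlink(path);                 /* the open descriptor keeps the file alive */
    result = is_regular_file(fd);
    close(fd);
    return result;
}

int main(void)
{
    printf("is_regular_file(-1)   = %d\n", is_regular_file(-1));
    printf("temp file is regular  = %d\n", temp_file_is_regular());
    printf("fstat(-1) sets EBADF  = %d\n", fstat_bad_fd_errno() == EBADF);
    return 0;
}
```

The guard changes no outcome for a valid descriptor; what it buys is exactly what amk says: one fewer system call on the `-1` path, and a condition that reads as intended to a reviewer or a static checker instead of relying on the EBADF failure to fall through.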
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
Neal Norwitz wrote:
> I think only Coverity can add people. You can send them a message if you would like to be added: [EMAIL PROTECTED] Or you can send mail to me and I can forward along all the people that would like to be added. I'll wait a few days to collect names so I can batch up the request.

Count me in!

Christian
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
Neal Norwitz wrote:
> For traceback.c, namebuf defined on line 155 should be moved out one block since filename is an alias to namebuf and it is used outside the current scope. I think this is unlikely to be a problem in practice, but is technically wrong and should be fixed.

Agreed, the early allocation of a few hundred bytes on the stack won't kill us.

> For codeobject.c, line 327 should not be reachable. I kinda like the code as it is even though it is currently dead. I never decided if I wanted to change that or suppress the warning.

Please suppress the warning. I removed the last two lines and GCC complained "control reaches end of non-void function". It's not clever enough to understand that cmp can never be 0.

> For mmapmodule.c, fd should be checked for -1 before calling stat on line 1064.

    if (fd != -1 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode))

Christian
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
I am not a developer but I'm interested in browsing it. Is it possible to be added?

On Jan 10, 2008 10:57 AM, Christian Heimes [EMAIL PROTECTED] wrote:
> Neal Norwitz wrote:
>> I think only Coverity can add people. You can send them a message if you would like to be added: [EMAIL PROTECTED] Or you can send mail to me and I can forward along all the people that would like to be added. I'll wait a few days to collect names so I can batch up the request.
>
> Count me in!
>
> Christian
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
On Jan 10, 2008 8:01 AM, Joseph Armbruster [EMAIL PROTECTED] wrote:
> I am not a developer but I'm interested in browsing it. Is it possible to be added?

Yes, I've added you to the list. I'll probably send the list off tomorrow, so let me know if you would like to be added.

n

--

> On Jan 10, 2008 10:57 AM, Christian Heimes [EMAIL PROTECTED] wrote:
>> Neal Norwitz wrote:
>>> I think only Coverity can add people. You can send them a message if you would like to be added: [EMAIL PROTECTED] Or you can send mail to me and I can forward along all the people that would like to be added. I'll wait a few days to collect names so I can batch up the request.
>>
>> Count me in!
>>
>> Christian
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
Joseph Armbruster wrote:
> Christian, Is there any way you (or someone else) could post up the results? It looks like you need a login to check them out.

I haven't figured out how to access the results. Who has a login and access to the site?

Christian
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
Christian Heimes wrote:
> Joseph Armbruster wrote:
>> Christian, Is there any way you (or someone else) could post up the results? It looks like you need a login to check them out.
>
> I haven't figured out how to access the results. Who has a login and access to the site?

I know Neal has access (if I'm recalling the various checkin messages correctly, he did the lion's share of the work in addressing the problems Coverity reported). I think some of the other folks on the security list may have one also. Searching the SVN version history for references to Coverity may provide an interesting list.

Cheers, Nick.

-- Nick Coghlan | [EMAIL PROTECTED] | Brisbane, Australia --- http://www.boredomandlaziness.org
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
Christian> I read the announcement on the Python Users list and figured out that some of the other core developers might be interested in the news, too.
Christian> Among other projects Python was upgraded to Rung 2 on the Coverity Scan list: http://scan.coverity.com/

I went to the rung2 page: http://scan.coverity.com/rung2.html

It shows 6 uninspected defects for Python. How do we see what they are? What is an uninspected defect?

Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?

Skip
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
[EMAIL PROTECTED] wrote:
> It shows 6 uninspected defects for Python. How do we see what they are? What is an uninspected defect? Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?

I can't answer your question. I don't have access to the Python project on their site and the project is currently under maintenance. Maybe Neal can shed some light on the Coverity Scan project.

Christian
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
On Jan 9, 2008 9:47 AM, Christian Heimes [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>> It shows 6 uninspected defects for Python. How do we see what they are? What is an uninspected defect? Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?
>
> I can't answer your question. I don't have access to the Python project on their site and the project is currently under maintenance. Maybe Neal can shed some light on the Coverity Scan project.

I'm pretty sure I have an account and I can't get in either. I have contacted coverity asking if they can give accounts to other core developers besides Neal and myself.

-- --Guido van Rossum (home page: http://www.python.org/~guido/)
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
[EMAIL PROTECTED] wrote:
> Christian> I read the announcement on the Python Users list and figured out that some of the other core developers might be interested in the news, too.
> Christian> Among other projects Python was upgraded to Rung 2 on the Coverity Scan list: http://scan.coverity.com/
>
> I went to the rung2 page: http://scan.coverity.com/rung2.html

On this page, when I click the 'sign in' link, I see the page http://scan.coverity.com/maintenance.html which says:

    Scan administrators are performing maintenance on the selected project. Normally, project members will have received notification in advance of any lengthy unavailability of their project. Please try again later, or contact [EMAIL PROTECTED] with any questions. Return to Main Page

Could it be that they were a little bit early with the press release, and the rung2 scanner is not yet active?

> It shows 6 uninspected defects for Python. How do we see what they are? What is an uninspected defect?
>
> Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?

Seems they are referring to the results of the rung 1 run (whatever 'rung' means ;-). With the account Neal made me some months ago, I can login on this page: http://scan.coverity.com:7475/ and see the scan results for Python. Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked uninspected, 3 marked pending, and 2 marked bug.

Thomas
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
Guido van Rossum wrote:
> On Jan 9, 2008 9:47 AM, Christian Heimes [EMAIL PROTECTED] wrote:
>> [EMAIL PROTECTED] wrote:
>>> It shows 6 uninspected defects for Python. How do we see what they are? What is an uninspected defect? Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?
>>
>> I can't answer your question. I don't have access to the Python project on their site and the project is currently under maintenance. Maybe Neal can shed some light on the Coverity Scan project.
>
> I'm pretty sure I have an account and I can't get in either. I have contacted coverity asking if they can give accounts to other core developers besides Neal and myself.

As I said in the other reply, I can still login on this page: http://scan.coverity.com:7475/

It looks like about 20 users are registered; if wanted I can post the list here.

Thomas
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
Thomas Heller wrote:
> Seems they are referring to the results of the rung 1 run (whatever 'rung' means ;-). With the account Neal made me some months ago, I can login on this page: http://scan.coverity.com:7475/ and see the scan results for Python. Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked uninspected, 3 marked pending, and 2 marked bug.

My dict says: rung (of a ladder) - Leitersprossen

Python has climbed up one step (or rung) of the ladder.

Do you have the required permission to add more users to the site?

Christian
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
Christian Heimes wrote:
> Thomas Heller wrote:
>> Seems they are referring to the results of the rung 1 run (whatever 'rung' means ;-). With the account Neal made me some months ago, I can login on this page: http://scan.coverity.com:7475/ and see the scan results for Python. Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked uninspected, 3 marked pending, and 2 marked bug.
>
> My dict says: rung (of a ladder) - Leitersprossen
>
> Python has climbed up one step (or rung) of the ladder.

Thanks. I was too lazy to fire up dict.leo.org ;-)

> Do you have the required permission to add more users to the site?

No, I can only view the results (and add comments or so...).

Thomas
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
On Jan 9, 2008 1:12 PM, Christian Heimes [EMAIL PROTECTED] wrote:
> Thomas Heller wrote:
>> Seems they are referring to the results of the rung 1 run (whatever 'rung' means ;-). With the account Neal made me some months ago, I can login on this page: http://scan.coverity.com:7475/ and see the scan results for Python. Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked uninspected, 3 marked pending, and 2 marked bug.
>
> My dict says: rung (of a ladder) - Leitersprossen
>
> Python has climbed up one step (or rung) of the ladder.

They botched the link where it says "Sign in". Use the link Thomas posted, ie: http://scan.coverity.com:7475/ That will show you the results from the latest coverity checker.

> Do you have the required permission to add more users to the site?

I think only Coverity can add people. You can send them a message if you would like to be added: [EMAIL PROTECTED] Or you can send mail to me and I can forward along all the people that would like to be added. I'll wait a few days to collect names so I can batch up the request.

n
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
On Jan 9, 2008 9:08 AM, [EMAIL PROTECTED] wrote:
> Christian> I read the announcement on the Python Users list and figured out that some of the other core developers might be interested in the news, too.
> Christian> Among other projects Python was upgraded to Rung 2 on the Coverity Scan list: http://scan.coverity.com/
>
> I went to the rung2 page: http://scan.coverity.com/rung2.html
>
> It shows 6 uninspected defects for Python. How do we see what they are? What is an uninspected defect?
>
> Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?

The 6 have been inspected by me and I never came to a conclusion of whether they were a problem or not. There are 3 things which should be fixed and I haven't gotten around to them. They are not a big deal:

    Python/traceback.c      line 177
    Objects/codeobject.c    line 322
    Modules/mmapmodule.c    line 1080

For traceback.c, namebuf defined on line 155 should be moved out one block since filename is an alias to namebuf and it is used outside the current scope. I think this is unlikely to be a problem in practice, but is technically wrong and should be fixed.

For codeobject.c, line 327 should not be reachable. I kinda like the code as it is even though it is currently dead. I never decided if I wanted to change that or suppress the warning.

For mmapmodule.c, fd should be checked for -1 before calling stat on line 1064.

The rest were not obvious problems to me, and I never returned to them.

n
Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2
On Jan 9, 2008 9:08 AM, [EMAIL PROTECTED] wrote:
> I went to the rung2 page: http://scan.coverity.com/rung2.html
>
> It shows 6 uninspected defects for Python. How do we see what they are? What is an uninspected defect?
>
> Any idea how the Coverity folks compute Defects/KLOC? For example, how does tcl manage to get a 0.0 score?

Sorry, I forgot to answer the second part of your question. I have no idea how they compute Defects/KLOC. But the data is very old so I wouldn't worry about what that says. The most recent run has 286622 lines in 602 files. I already mentioned the 3 defects that should be fixed. Not sure what to do about the rest.

n