Re: [Python-Dev] Coverity Scan Spotlight Python

2013-08-30 Thread Christian Heimes

On 30.08.2013 01:24, Sturla Molden wrote:
 
 Do the numbers add up?
 
 .005 defects in 1,000 lines of code is one defect in every 200,000
 lines of code.
 
 However they also claim that to date, the Coverity Scan service
 has analyzed nearly 400,000 lines of Python code and identified 996
 new defects – 860 of which have been fixed by the Python
 community.

Yes, the numbers add up.

The difference between 860 and 996 are false positive defects and code
that is intentionally written in a way, which looks suspicious to
Coverity Scan. I have documented the most common limitations in the
devguide [1].

By the way Coverity Scan doesn't understand Python code. It can only
analyze C, C++ and Java code.

[1]

Christian
___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


Re: [Python-Dev] Coverity Scan Spotlight Python

2013-08-30 Thread Terry Reedy

On 8/30/2013 8:18 AM, Christian Heimes wrote:

> By the way Coverity Scan doesn't understand Python code. It can only
> analyze C, C++ and Java code.

Have you (or Coverity) thought about which, if any, of the C defect
categories apply to Python? (Assuming no use of ctypes ;-). Would it
make any sense to apply their technology to Python code scanning?


--
Terry Jan Reedy



Re: [Python-Dev] Coverity Scan Spotlight Python

2013-08-29 Thread Antoine Pitrou
On Fri, 30 Aug 2013 00:10:27 +0200
Christian Heimes christ...@python.org wrote:
 
 Hello,
 
 Coverity has published its Coverity Scan Spotlight Python a couple
 of hours ago. It features a summary of Python's ecosystem, an
 interview with me about Python core development and a defect report.
 The report is awesome. We have reached a defect density of .005
 defects per 1,000 lines of code.

What is a defect? Isn't it a bit weird to keep having a non-zero defect
density, if those defects are identified?

(or, if those defects are not bugs, what is the metric supposed to
measure?)

Regards

Antoine.




Re: [Python-Dev] Coverity Scan Spotlight Python

2013-08-29 Thread Christian Heimes

On 30.08.2013 00:46, Antoine Pitrou wrote:
 On Fri, 30 Aug 2013 00:10:27 +0200 Christian Heimes
 christ...@python.org wrote:
 
 Hello,
 
 Coverity has published its Coverity Scan Spotlight Python a
 couple of hours ago. It features a summary of Python's ecosystem,
 an interview with me about Python core development and a defect
 report. The report is awesome. We have reached a defect density
 of .005 defects per 1,000 lines of code.
 
 What is a defect? Isn't it a bit weird to keep having a non-zero
 defect density, if those defects are identified?
 
 (or, if those defects are not bugs, what is the metric supposed to 
 measure?)

The last defect is http://bugs.python.org/issue18550
"internal_setblocking() doesn't check return value of fcntl()". It's
unlikely that the missing check is going to cause trouble. It's
tedious to fix it, too. At least one affected function can't signal an
error because it is defined as void.

Christian
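The defect class behind that issue, an fcntl() result that is never examined, as an added example that is not code from the thread or from CPython's socket module: a stand-alone POSIX C sketch of a set-blocking helper written the unchecked way (a void function, like the one Christian mentions) beside a checked one that propagates the failure. The helper names, the pipe-based self-check and the invalid-descriptor probe are constructed for this illustration; only the F_GETFL/F_SETFL pattern is the one the issue concerns.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Unchecked variant: the shape of defect the scanner flags. Neither fcntl()
 * result is inspected, so on a bad descriptor the function silently does
 * nothing and the caller carries on as if the mode had changed. Being void,
 * it could not report the failure even if it noticed. */
static void set_blocking_unchecked(int fd, int blocking)
{
    int flags = fcntl(fd, F_GETFL, 0);   /* -1 on error, never tested */
    if (blocking)
        flags &= ~O_NONBLOCK;
    else
        flags |= O_NONBLOCK;
    fcntl(fd, F_SETFL, flags);           /* result discarded */
}

/* Checked variant: both calls are tested and a failure is returned to the
 * caller with errno left as fcntl() set it. Returns 0 on success, -1 on error. */
static int set_blocking_checked(int fd, int blocking)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1)
        return -1;
    int newflags = blocking ? (flags & ~O_NONBLOCK) : (flags | O_NONBLOCK);
    if (newflags == flags)
        return 0;                        /* already in the requested mode */
    if (fcntl(fd, F_SETFL, newflags) == -1)
        return -1;
    return 0;
}

/* 1 if fd is in non-blocking mode, 0 if blocking, -1 if fd is not valid. */
static int is_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1)
        return -1;
    return (flags & O_NONBLOCK) ? 1 : 0;
}

/* Self-check on a freshly created pipe: switch to non-blocking, back to
 * blocking, and confirm each step through F_GETFL. Returns 1 when every
 * step behaves as expected, 0 otherwise. */
static int pipe_roundtrip_ok(void)
{
    int fds[2];
    if (pipe(fds) == -1)
        return 0;
    int ok = is_nonblocking(fds[0]) == 0
          && set_blocking_checked(fds[0], 0) == 0
          && is_nonblocking(fds[0]) == 1
          && set_blocking_checked(fds[0], 1) == 0
          && is_nonblocking(fds[0]) == 0;
    close(fds[0]);
    close(fds[1]);
    return ok;
}

/* Feed both variants an invalid descriptor. The unchecked one returns
 * normally and leaves only errno behind; the checked one reports -1.
 * Returns 1 when the checked variant fails with EBADF. */
static int bad_fd_is_reported(void)
{
    set_blocking_unchecked(-1, 0);       /* caller has no way to notice */
    errno = 0;
    int rc = set_blocking_checked(-1, 0);
    return rc == -1 && errno == EBADF;
}

int main(void)
{
    return (pipe_roundtrip_ok() && bad_fd_is_reported()) ? 0 : 1;
}
```

The "already in the requested mode" early return also avoids a redundant F_SETFL, which matters on platforms where setting flags on a closed or half-closed descriptor is not idempotent.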


Re: [Python-Dev] Coverity Scan Spotlight Python

2013-08-29 Thread Sturla Molden

Do the numbers add up?

.005 defects in 1,000 lines of code is one defect in every 200,000 lines of 
code. 

However they also claim that to date, the Coverity Scan service has analyzed 
nearly 400,000 lines of Python code and identified 996 new defects – 860 of 
which have been fixed by the Python community.

Sturla

Sent from my iPad

On 30 Aug 2013 at 00:10, Christian Heimes christ...@python.org wrote:

 
 Hello,
 
 Coverity has published its Coverity Scan Spotlight Python a couple
 of hours ago. It features a summary of Python's ecosystem, an
 interview with me about Python core development and a defect report.
 The report is awesome. We have reached a defect density of .005
 defects per 1,000 lines of code. In 2012 the average defect density of
 Open Source Software was 0.69.
 
 http://www.coverity.com/company/press-releases/read/coverity-finds-python-sets-new-level-of-quality-for-open-source-software
 
 http://wpcme.coverity.com/wp-content/uploads/2013-Coverity-Scan-Spotlight-Python.pdf
 
 The internet likes it, too.
 
 http://www.prnewswire.com/news-releases/coverity-finds-python-sets-new-level-of-quality-for-open-source-software-221629931.html
 
 http://www.securityweek.com/python-gets-high-marks-open-source-software-security-report
 
 
 Thank you very much to Kristin Brennan and Dakshesh Vyas from Coverity
 as well as everybody who has helped to fix the remaining issues!
 
 Christian
 


Re: [Python-Dev] Coverity Scan Spotlight Python

2013-08-29 Thread Tres Seaver

On 08/29/2013 07:24 PM, Sturla Molden wrote:
 
 Do the numbers add up?
 
 .005 defects in 1,000 lines of code is one defect in every 200,000
 lines of code.
 
 However they also claim that to date, the Coverity Scan service has 
 analyzed nearly 400,000 lines of Python code and identified 996 new 
 defects – 860 of which have been fixed by the Python community.


FWIW:  David Wheeler's 'sloccount' reports 800,489 lines of code in the
Python 3.3.1 tarball, of which 403,266 lines are Python code, and 368,474
are ANSI C.  That defect rate would imply 4 open defects in Python itself.



Tres.
-- 
===
Tres Seaver          +1 540-429-0999  tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com


Re: [Python-Dev] Coverity Scan Spotlight Python

2013-08-29 Thread Terry Reedy

On 8/29/2013 7:24 PM, Sturla Molden wrote:

> Do the numbers add up?
>
> .005 defects in 1,000 lines of code is one defect in every 200,000 lines of
> code.
>
> However they also claim that to date, the Coverity Scan service has analyzed nearly
> 400,000 lines of Python code and identified 996 new defects – 860 of which have been
> fixed by the Python community.

Some marked as 'false positive', some as 'intentional'.

--
Terry Jan Reedy




Re: [Python-Dev] Coverity Scan

2013-07-26 Thread Eli Bendersky
Just a quick question - is there a chance to convince Coverity to detect
Python refcounting leaks in C API code :-) ? This could be useful not only
for Python but for extensions too. As it stands now, Coverity's leak
detection in Python must be pretty weak because almost everything is done
via PyObject refcounts.

Eli


On Thu, Jul 25, 2013 at 11:48 AM, Christian Heimes christ...@python.org wrote:

 Hello,

 this is an update on my work and the current status of Coverity Scan.

 Maybe you have noticed checkins made by me that end with the line CID
 #. These are checkins that fix an issue that was discovered by the
 static code analyzer Coverity. Coverity is a commercial product but it's
 a free service for some Open Source projects. Python has been analyzed
 by Coverity since about 2007. Guido, Neal, Brett, Stefan and some other
 developers have used Coverity before I took over. I fixed a couple of
 issues before 3.3 reached the RC phase and more bugs in the last couple
 of months.

 Coverity is really great and its web GUI is fun to use, too. I was able
 to identify and fix resource leaks, NULL pointer issues, buffer
 overflows and missing checks all over the place. Because it's a static
 analyzer that follows data-flows and control-flows the tool can detect
 issues in error paths that are hardly visited at all. I have started to
 document Coverity here:

   http://docs.python.org/devguide/coverity.html


 Interview
 -

 A week ago I was contacted by Coverity. They have started a series of
 articles and press releases about Open Source projects that use their
 free service Coverity Scan, see



 http://www.coverity.com/company/press-releases/read/coverity-introduces-monthly-spotlight-series-for-coverity-scan-open-source-projects

 Two days ago I had a lovely phone interview about my involvement in the
 Python project and our development style. They are going to release a
 nice article in a couple of weeks. In the mean time we have time to fix
 the remaining couple issues. We *might* be able to reach the highest
 coverity integrity level! I have dealt with all major issues so we just
 have to fix a couple of issues.


 Current stats
 -

 Lines of Code:  396,179
 Defect Density: 0.05
 Total defects:  1,054
 Outstanding:    21 (Coverity Connect shows less)
 Dismissed:      222
 Fixed:          811

 http://i.imgur.com/NoELjcj.jpg
 http://i.imgur.com/eJSzTUX.jpg


 open issues
 ---

 http://bugs.python.org/issue17899
 http://bugs.python.org/issue18556
 http://bugs.python.org/issue18555
 http://bugs.python.org/issue18552
 http://bugs.python.org/issue18551
 http://bugs.python.org/issue18550
 http://bugs.python.org/issue18528


 Christian



Re: [Python-Dev] Coverity Scan

2013-07-26 Thread Christian Heimes
On 26.07.2013 14:56, Eli Bendersky wrote:
 Just a quick question - is there a chance to convince Coverity to detect
 Python refcounting leaks in C API code :-) ? This could be useful not
 only for Python but for extensions too. As it stands now, Coverity's
 leak detection in Python must be pretty weak because almost everything
 is done via PyObject refcounts.

Coverity is able to detect some cases of refcount leaks. I don't know if
the software is able to keep track of all reference counts. But it
understands missing Py_DECREF() in error branches.

For example:

PyObject *n = PyLong_FromLong(0);
PyObject *u = PyUnicode_FromString("example");

if (u == NULL) {
    return NULL;
    /* Coverity detects that 'n' leaks memory */
}

Christian


Re: [Python-Dev] Coverity Scan

2013-07-26 Thread Brett Cannon
On Thu, Jul 25, 2013 at 6:56 PM, Christian Heimes christ...@python.org wrote:

 On 26.07.2013 00:32, Terry Reedy wrote:
  I found the answer here
  https://docs.google.com/file/d/0B5wQCOK_TiRiMWVqQ0xPaDEzbkU/edit
  Coverity Integrity Level 1 is 1 (defect/1000 lines)
  Level 2 is .1 (we have passed that)
  Level 3 is .01 + no major defects + 20% (of all defects?) false
  positives as that is their normal rate.#
  
  A higher false positive rate requires auditing by Coverity. They claim
  "A higher false positive rate indicates misconfiguration, usage of
  unusual idioms, or incorrect diagnosis of a large number of defects."
  They also add "or a flaw in our analysis."
 
  # Since false positives should stay constant as true positives are
  reduced toward 0, false / all should tend toward 1 (100%) if I
  understand the ratio correctly.

 About 40% of the dismissed cases are caused by a handful of issues. I
 have documented these issues as known limitations
 http://docs.python.org/devguide/coverity.html#known-limitations .

 For example about 35 false positives are related to PyLong_FromLong()
 and our small integer optimization. A correct modeling file would
 eliminate the false positive defects. My attempts don't work as hoped
 and I don't have access to all professional coverity tools to debug my
 trials.


Have you tried asking for help from Coverity? They have been rather nice so
far and they may be willing to just give us free help in getting the
modeling file set up properly.

-Brett



 Nearly 20 false positives are caused by Py_BuildValue("N"). I'm still
 astonished that Coverity understands Python's reference counting most of
 the time. :)

 Did I mention that we have almost reached Level 3? All major defects
 have been dealt with (one of them locally on the test machine until
 Larry pushes his patch soonish), 4 of 7 minor issues must be closed and
 our dismissed rate is just little over 20% (222 out of 1054 = 21%).



Re: [Python-Dev] Coverity Scan

2013-07-26 Thread Brett Cannon
On Fri, Jul 26, 2013 at 8:56 AM, Eli Bendersky eli...@gmail.com wrote:

 Just a quick question - is there a chance to convince Coverity to detect
 Python refcounting leaks in C API code :-) ?


You can always ask. =)


 This could be useful not only for Python but for extensions too. As it
 stands now, Coverity's leak detection is Python must be pretty weak because
 almost everything is done via PyObject refcounts.


Just an FYI (mostly for others since I think Eli was at PyCon in the
relevant talk), David Malcolm has his work with gcc and refleak detection.
But yes, it would be nice if it was in Coverity as it would then be part of
the daily check.

-Brett



 Eli


 On Thu, Jul 25, 2013 at 11:48 AM, Christian Heimes
 christ...@python.org wrote:

 Hello,

 this is an update on my work and the current status of Coverity Scan.

 Maybe you have noticed checkins made by me that end with the line CID
 #. These are checkins that fix an issue that was discovered by the
 static code analyzer Coverity. Coverity is a commercial product but it's
 a free service for some Open Source projects. Python has been analyzed
 by Coverity since about 2007. Guido, Neal, Brett, Stefan and some other
 developers have used Coverity before I took over. I fixed a couple of
 issues before 3.3 reached the RC phase and more bugs in the last couple
 of months.

 Coverity is really great and its web GUI is fun to use, too. I was able
 to identify and fix resource leaks, NULL pointer issues, buffer
 overflows and missing checks all over the place. Because it's a static
 analyzer that follows data-flows and control-flows the tool can detect
 issues in error paths that are hardly visited at all. I have started to
 document Coverity here:

   http://docs.python.org/devguide/coverity.html


 Interview
 -

 A week ago I was contacted by Coverity. They have started a series of
 articles and press releases about Open Source projects that use their
 free service Coverity Scan, see



 http://www.coverity.com/company/press-releases/read/coverity-introduces-monthly-spotlight-series-for-coverity-scan-open-source-projects

 Two days ago I had a lovely phone interview about my involvement in the
 Python project and our development style. They are going to release a
 nice article in a couple of weeks. In the mean time we have time to fix
 the remaining couple issues. We *might* be able to reach the highest
 coverity integrity level! I have dealt with all major issues so we just
 have to fix a couple of issues.


 Current stats
 -

 Lines of Code:  396,179
 Defect Density: 0.05
 Total defects:  1,054
 Outstanding:    21 (Coverity Connect shows less)
 Dismissed:      222
 Fixed:          811

 http://i.imgur.com/NoELjcj.jpg
 http://i.imgur.com/eJSzTUX.jpg


 open issues
 ---

 http://bugs.python.org/issue17899
 http://bugs.python.org/issue18556
 http://bugs.python.org/issue18555
 http://bugs.python.org/issue18552
 http://bugs.python.org/issue18551
 http://bugs.python.org/issue18550
 http://bugs.python.org/issue18528


 Christian



Re: [Python-Dev] Coverity Scan

2013-07-26 Thread Antoine Pitrou
On Fri, 26 Jul 2013 16:29:59 +0200,
Christian Heimes christ...@python.org wrote:
 Coverity is able to detect some cases of refcount leaks. I don't know
 if the software is able to keep track of all reference counts. But it
 understands missing Py_DECREF() in error branches.
 
 For example:
 
 PyObject *n = PyLong_FromLong(0);
 PyObject *u = PyUnicode_FromString("example");
 
 if (u == NULL) {
     return NULL;
     /* Coverity detects that 'n' leaks memory */
 }

But 'n' doesn't leak memory since PyLong_FromLong(0) is statically
allocated ;-)

More generally, in similar cases (e.g. replace 0 with a non-small
integer), you don't need any knowledge of reference counts to infer
that there is a memory leak. When the code discards the only existing
pointer to a heap-allocated memory area, there's a leak.

What we call refcount leaks is generally when an area is still
pointer-accessible, but failure to decrement the reference count
appropriately means it will never be released.

Regards

Antoine.


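Christian's snippet and Antoine's correction, worked through as an added example that is not code from the thread or from CPython: a self-contained toy model of reference counting in C (no Python.h, so it compiles stand-alone). The names long_from_long, str_from_cstring and decref are stand-ins for PyLong_FromLong, PyUnicode_FromString and Py_DECREF; the five-entry small-int cache, the injectable failure and the two counters are constructed for the demonstration. It puts the leaky error path beside the fixed one and separates the two views Antoine distinguishes: heap memory whose only pointer is discarded, versus a cached object that stays reachable but whose count is never balanced.

```c
#include <stdlib.h>
#include <string.h>

/* Toy refcounted object standing in for PyObject (added example, not CPython).
 * It keeps only what the discussion turns on: a static small-int cache and
 * heap objects that are freed when their count drops to zero. */
typedef struct Obj {
    long refcnt;
    long value;
    int  on_heap;   /* 0 for cached small ints, 1 for malloc'd objects */
} Obj;

static long live_heap_objects = 0;   /* what a memory-leak checker counts */

#define NSMALL 5
static Obj small_ints[NSMALL];       /* statically allocated, never freed */

static Obj *new_heap_obj(long value)
{
    Obj *o = malloc(sizeof *o);
    if (o == NULL) return NULL;
    o->refcnt = 1; o->value = value; o->on_heap = 1;
    live_heap_objects++;
    return o;
}

/* Stand-in for PyLong_FromLong(): small values come from the static cache. */
static Obj *long_from_long(long v)
{
    if (v >= 0 && v < NSMALL) {
        small_ints[v].value = v;
        small_ints[v].refcnt++;
        return &small_ints[v];
    }
    return new_heap_obj(v);
}

/* Stand-in for Py_DECREF(): cached objects are never freed, heap ones are. */
static void decref(Obj *o)
{
    if (--o->refcnt == 0 && o->on_heap) {
        live_heap_objects--;
        free(o);
    }
}

/* Stand-in for PyUnicode_FromString() with an injectable failure, so the
 * error branch can be driven deterministically (fail != 0 returns NULL). */
static Obj *str_from_cstring(const char *s, int fail)
{
    return fail ? NULL : new_heap_obj((long)strlen(s));
}

/* Same shape as the snippet in the thread: 'n' is dropped on the error path. */
static Obj *build_leaky(long v, int fail)
{
    Obj *n = long_from_long(v);
    if (n == NULL) return NULL;
    Obj *u = str_from_cstring("example", fail);
    if (u == NULL) return NULL;     /* BUG: the reference in 'n' is never released */
    decref(u);
    return n;
}

/* Fixed version: release 'n' before bailing out. */
static Obj *build_fixed(long v, int fail)
{
    Obj *n = long_from_long(v);
    if (n == NULL) return NULL;
    Obj *u = str_from_cstring("example", fail);
    if (u == NULL) {
        decref(n);
        return NULL;
    }
    decref(u);
    return n;
}

/* Drive a builder through its failing branch and report how many heap
 * objects it left allocated: the memory-leak view. */
static long heap_leaked_by(Obj *(*builder)(long, int), long v)
{
    long before = live_heap_objects;
    Obj *r = builder(v, 1);
    if (r != NULL) decref(r);
    return live_heap_objects - before;
}

/* Same experiment on a cached small int (v < NSMALL): nothing is lost from
 * the heap, but the cached object's count stays too high: the refcount-leak view. */
static long small_int_refcnt_leaked_by(Obj *(*builder)(long, int), long v)
{
    long before = small_ints[v].refcnt;
    Obj *r = builder(v, 1);
    if (r != NULL) decref(r);
    return small_ints[v].refcnt - before;
}

int main(void)
{
    /* Exit status 0 only if the fixed builder leaks nothing on either path. */
    return (heap_leaked_by(build_fixed, 1000) == 0
            && small_int_refcnt_leaked_by(build_fixed, 0) == 0) ? 0 : 1;
}
```

With the leaky builder, value 0 shows no heap growth (the cached object was never heap memory to lose) yet its count climbs by one per failure, which is exactly why a checker that only tracks unreachable allocations misses it; value 1000 shows the plain memory leak the scanner does report.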


Re: [Python-Dev] Coverity Scan

2013-07-26 Thread Eli Bendersky
On Fri, Jul 26, 2013 at 7:29 AM, Christian Heimes christ...@python.org wrote:

 On 26.07.2013 14:56, Eli Bendersky wrote:
  Just a quick question - is there a chance to convince Coverity to detect
  Python refcounting leaks in C API code :-) ? This could be useful not
  only for Python but for extensions too. As it stands now, Coverity's
  leak detection in Python must be pretty weak because almost everything
  is done via PyObject refcounts.

 Coverity is able to detect some cases of refcount leaks. I don't know if
 the software is able to keep track of all reference counts. But it
 understands missing Py_DECREF() in error branches.

 For example:

 PyObject *n = PyLong_FromLong(0);
 PyObject *u = PyUnicode_FromString("example");
 
 if (u == NULL) {
     return NULL;
     /* Coverity detects that 'n' leaks memory */
 }


Interesting.

I was thinking of something more general though. Especially if we can mark
function arguments and return values as stealing references / creating new
ones / etc, many many common refcount bugs can be detected with static
analysis. This is definitely research-y, probably too much for our current
stage of relationship with Coverity :)

Eli


Re: [Python-Dev] Coverity Scan

2013-07-26 Thread Christian Heimes
On 26.07.2013 16:29, Brett Cannon wrote:
 Have you tried asking for help from Coverity? They have been rather nice
 so far and they may be willing to just give us free help in getting the
 modeling file set up properly.

Yes, I'm in contact with Dakshesh. I was able to figure out one model
for a false positive on my own. Dakshesh is helping me with another.

Christian



Re: [Python-Dev] Coverity Scan

2013-07-25 Thread Terry Reedy

On 7/25/2013 2:48 PM, Christian Heimes wrote:

> Hello,
>
> this is an update on my work and the current status of Coverity Scan.

Great work.

> Maybe you have noticed checkins made by me that end with the line CID
> #. These are checkins that fix an issue that was discovered by the
> static code analyzer Coverity. Coverity is a commercial product but it's
> a free service for some Open Source projects. Python has been analyzed
> by Coverity since about 2007. Guido, Neal, Brett, Stefan and some other
> developers have used Coverity before I took over. I fixed a couple of
> issues before 3.3 reached the RC phase and more bugs in the last couple
> of months.

The benefit for us is not just improving Python but having external
verification of its excellence in relation both to other open-source
projects and commercial software.

> Coverity is really great and its web GUI is fun to use, too. I was able
> to identify and fix resource leaks, NULL pointer issues, buffer
> overflows and missing checks all over the place. Because it's a static
> analyzer that follows data-flows and control-flows the tool can detect
> issues in error paths that are hardly visited at all. I have started to
> document Coverity here:
>
>   http://docs.python.org/devguide/coverity.html
>
>
> Interview
> -
>
> A week ago I was contacted by Coverity. They have started a series of
> articles and press releases about Open Source projects that use their
> free service Coverity Scan, see
>
> http://www.coverity.com/company/press-releases/read/coverity-introduces-monthly-spotlight-series-for-coverity-scan-open-source-projects

The intention is to promote the best of open source to industry.

> Two days ago I had a lovely phone interview about my involvement in the
> Python project and our development style. They are going to release a
> nice article in a couple of weeks. In the mean time we have time to fix
> the remaining couple issues. We *might* be able to reach the highest
> coverity integrity level! I have dealt with all major issues so we just
> have to fix a couple of issues.
>
>
> Current stats
> -
>
> Lines of Code:  396,179

C only? or does Python code now count as 'source code'?

> Defect Density: 0.05

= defects per thousand lines = 20/400

Anything under 1 is good. The release above reports Samba now at .6.
http://www.pcworld.com/article/2038244/linux-code-is-the-benchmark-of-quality-study-concludes.html
reports Linux 3.8 as having the same for 7.6 million lines.

> Total defects:  1,054
> Outstanding:    21 (Coverity Connect shows less)
> Dismissed:      222

This implies that they accept our designation of some things as "False
Positives" or "Intentional". Does Coverity do any review of such
designations, so a project cannot cheat?

> Fixed:          811
>
> http://i.imgur.com/NoELjcj.jpg
> http://i.imgur.com/eJSzTUX.jpg
>
>
> open issues
> ---
>
> http://bugs.python.org/issue17899
> http://bugs.python.org/issue18556
> http://bugs.python.org/issue18555
> http://bugs.python.org/issue18552
> http://bugs.python.org/issue18551
> http://bugs.python.org/issue18550
> http://bugs.python.org/issue18528

--
Terry Jan Reedy



Re: [Python-Dev] Coverity Scan

2013-07-25 Thread Terry Reedy

On 7/25/2013 6:00 PM, Terry Reedy wrote:

>> Defect Density: 0.05
>
> = defects per thousand lines = 20/400
>
> Anything under 1 is good. The release above reports Samba now at .6.
> http://www.pcworld.com/article/2038244/linux-code-is-the-benchmark-of-quality-study-concludes.html
> reports Linux 3.8 as having the same for 7.6 million lines.
>
>> Total defects:  1,054
>> Outstanding:    21 (Coverity Connect shows less)
>> Dismissed:      222
>
> This implies that they accept our designation of some things as "False
> Positives" or "Intentional". Does Coverity do any review of such
> designations, so a project cannot cheat?

I found the answer here
https://docs.google.com/file/d/0B5wQCOK_TiRiMWVqQ0xPaDEzbkU/edit
Coverity Integrity Level 1 is 1 (defect/1000 lines)
Level 2 is .1 (we have passed that)
Level 3 is .01 + no major defects + 20% (of all defects?) false
positives as that is their normal rate.#

A higher false positive rate requires auditing by Coverity. They claim
"A higher false positive rate indicates misconfiguration, usage of
unusual idioms, or incorrect diagnosis of a large number of defects."
They also add "or a flaw in our analysis."

# Since false positives should stay constant as true positives are
reduced toward 0, false / all should tend toward 1 (100%) if I
understand the ratio correctly.

>> Fixed:          811
>>
>> http://i.imgur.com/NoELjcj.jpg
>> http://i.imgur.com/eJSzTUX.jpg

--
Terry Jan Reedy



Re: [Python-Dev] Coverity Scan

2013-07-25 Thread Antoine Pitrou
On Thu, 25 Jul 2013 18:00:55 -0400
Terry Reedy tjre...@udel.edu wrote:
 On 7/25/2013 2:48 PM, Christian Heimes wrote:
  Hello,
 
  this is an update on my work and the current status of Coverity Scan.
 
 Great work.
 
 
  Maybe you have noticed a checkins made be me that end with the line CID
  #. These are checkins that fix an issue that was discovered by the
  static code analyzer Coverity. Coverity is a commercial product but it's
  a free service for some Open Source projects. Python has been analyzed
  by Coverity since about 2007. Guido, Neal, Brett, Stefan and some other
  developers have used Coverity before I took over. I fixed a couple of
  issues before 3.3 reached the RC phase and more bugs in the last couple
  of months.
 
 The benefit for us is not just improving Python but having external
 verification of its excellence in relation both to other open-source 
 projects and commercial software.

"Excellence"? The term is too weak, I would say "perfection" at least,
but perhaps we should go as far as "divinity".

Regards

Antoine.




Re: [Python-Dev] Coverity Scan

2013-07-25 Thread Christian Heimes
On 26.07.2013 00:32, Terry Reedy wrote:
 I found the answer here
 https://docs.google.com/file/d/0B5wQCOK_TiRiMWVqQ0xPaDEzbkU/edit
 Coverity Integrity Level 1 is 1 (defect/1000 lines)
 Level 2 is .1 (we have passed that)
 Level 3 is .01 + no major defects + 20% (of all defects?) false
 positives as that is their normal rate.#
 
 A higher false positive rate requires auditing by Coverity. They claim
 "A higher false positive rate indicates misconfiguration, usage of
 unusual idioms, or incorrect diagnosis of a large number of defects."
 They also add "or a flaw in our analysis."
 
 # Since false positives should stay constant as true positives are
 reduced toward 0, false / all should tend toward 1 (100%) if I
 understand the ratio correctly.

About 40% of the dismissed cases are caused by a handful of issues. I
have documented these issues as known limitations
http://docs.python.org/devguide/coverity.html#known-limitations .

For example about 35 false positives are related to PyLong_FromLong()
and our small integer optimization. A correct modeling file would
eliminate the false positive defects. My attempts don't work as hoped
and I don't have access to all professional coverity tools to debug my
trials.

Nearly 20 false positives are caused by Py_BuildValue("N"). I'm still
astonished that Coverity understands Python's reference counting most of
the time. :)

Did I mention that we have almost reached Level 3? All major defects
have been dealt with (one of them locally on the test machine until
Larry pushes his patch soonish), 4 of 7 minor issues must be closed and
our dismissed rate is just little over 20% (222 out of 1054 = 21%).

Christian





Re: [Python-Dev] Coverity Scan

2013-07-25 Thread Christian Heimes
On 26.07.2013 00:50, Antoine Pitrou wrote:
 Excellence? The term is too weak, I would say perfection at least,
 but perhaps we should go as far as divinity.

Don't forget that Python can offer lots of places to keep your bike
clean and dry ... *scnr*


Re: [Python-Dev] Coverity Scan

2013-07-25 Thread Christian Heimes
On 26.07.2013 00:00, Terry Reedy wrote:
 http://www.coverity.com/company/press-releases/read/coverity-introduces-monthly-spotlight-series-for-coverity-scan-open-source-projects

 
 The intention is to promote the best of open source to industry.

I think it's also a marketing tool. They like to sell their product. I
don't have a problem with that. After all Coverity provides a useful
service for free that supplements our own debugging tools.

 Lines of Code:  396,179
 
 C only? or does Python code now count as 'source code'?

It's just C code and headers. Coverity doesn't analyze Python code.
According to cloc Python has 296707 + 78126 == 374833 lines of code in C
and header files. I'm not sure why Coverity detects more.

 
 Defect Density: 0.05
 
 = defects per thousand lines = 20/400
 
 Anything under 1 is good. The release above reports Samba now at .6.
 http://www.pcworld.com/article/2038244/linux-code-is-the-benchmark-of-quality-study-concludes.html
 
 reports Linux 3.8 as having the same for 7.6 million lines.

These are amazing numbers. Python is much smaller.

 
 Total defects:1,054
 Outstanding:   21 (Coverity Connect shows less)
 Dismissed:  222
 
 This implies that they accept our designation of some things as False
 Positives or Intentional. Does Coverity do any review of such
 designations, so a project cannot cheat?

What's the point of cheating? :)

I could dismiss any remaining defect as intentional or false positive
but that would only harm ourselves. As you already pointed out Coverity
reserves the right to inspect dismissed bugs for their highest ranking.

I'm in the process of looking through all dismissed defects. Some of
them are relics of deleted files and removed code. Some other may go
away with proper modeling.

Christian



Re: [Python-Dev] Coverity Scan

2013-07-25 Thread Terry Reedy

On 7/25/2013 6:56 PM, Christian Heimes wrote:

 Am 26.07.2013 00:32, schrieb Terry Reedy:
  # Since false positives should stay constant as true positives are
  reduced toward 0, false / all should tend toward 1 (100%) if I
  understand the ratio correctly.

Which I did not ;-).

 About 40% of the dismissed cases are caused by a handful of issues. I
 have documented these issues as known limitations
 http://docs.python.org/devguide/coverity.html#known-limitations .

 For example about 35 false positives are related to PyLong_FromLong()
 and our small integer optimization. A correct modeling file would
 eliminate the false positive defects. My attempts don't work as hoped
 and I don't have access to all professional coverity tools to debug my
 trials.

Perhaps Coverity will help when doing an audit.

 Nearly 20 false positives are caused by Py_BuildValue(N). I'm still
 astonished that Coverity understands Python's reference counting most of
 the time. :)

 Did I mention that we have almost reached Level 3? All major defects

It is hard to measure the benefit of preventive medicine, but I
imagine that we should see fewer mysterious crashes and heisenbugs than
we would have. In any case, Level 3 certification should help people
promoting the use of Python in organizational settings, whether as
employees or consultants.

 have been dealt with (one of them locally on the test machine until
 Larry pushes his patch soonish), 4 of 7 minor issues must be closed and

.1 * 390 allows 3 defects (or 4 if they round up) -- astonishingly good!

 our dismissed rate is just a little over 20% (222 out of 1054 = 21%).

So merely verifying the 35 PyLong_FromLong dismissals will put us under.
Thanks for clarifying the proper denominator -- all defects ever found.
It seems obvious in retrospect, but I was focused on current stats, not
the history.


--
Terry Jan Reedy



Re: [Python-Dev] Coverity scan

2012-09-08 Thread Stefan Krah
Christian Heimes li...@cheimes.de wrote:
 IMHO it makes sense to define a workflow how we are going to handle
 Coverity issues. Each coverity issue has an identifier and can have
 information like an external reference and an action. I've seen that you
 have started to create bugs in our tracker. How about we mention the
 Coverity # in the bug and add a link to the bug in the Ext. Reference
 field of the Coverity issue and set the Action to Claimed, being worked
 on.

That sounds good in principle. I'm only worried that for casual readers
of either the commit messages or the tracker issues the importance of
the Coverity tool might be overstated.

After all, 99.99% of issues are either found by developers themselves or
by gcc, Visual Studio, Valgrind, etc. It just occurred to me that for example
we don't credit other tools in commit messages.


That said, for users of the Coverity web interface it's clearly useful.


Stefan Krah




Re: [Python-Dev] Coverity scan

2012-09-08 Thread martin


Zitat von Stefan Krah ste...@bytereef.org:

After all, 99.99% of issues are either found by developers themselves or
by gcc, Visual Studio, Valgrind, etc. It just occurred to me that for example
we don't credit other tools in commit messages.


I agree that Coverity doesn't need to be mentioned in commit messages.
We do cite tools occasionally, but in a negative way, such as "silence
gcc warning", where the commit message and/or comment explains why some
code is ugly for some non-obvious reason.

Regards,
Martin




Re: [Python-Dev] Coverity scan

2012-09-08 Thread Brett Cannon
On Sat, Sep 8, 2012 at 6:41 AM, mar...@v.loewis.de wrote:


 Zitat von Stefan Krah ste...@bytereef.org:

  After all, 99.99% of issues are either found by developers themselves or
  by gcc, Visual Studio, Valgrind, etc. It just occurred to me that for example
  we don't credit other tools in commit messages.


 I agree that Coverity doesn't need to be mentioned in commit messages.
 We do cite tools occasionally, but in a negative way, such as "silence
 gcc warning", where the commit message and/or comment explains why some
 code is ugly for some non-obvious reason.


Well, when I fix bugs found by Clang's static analyzer (which I ran out of
time to do for 3.3) I try to remember to thank the tool. IOW I don't think
thanking a tool hurts, but in no way is it required either.


Re: [Python-Dev] Coverity scan

2012-09-08 Thread Christian Heimes
Am 08.09.2012 11:35, schrieb Stefan Krah:
 That sounds good in principle. I'm only worried that for casual readers
 of either the commit messages or the tracker issues the importance of
 the Coverity tool might be overstated.
 
 After all, 99.99% of issues are either found by developers themselves or
 by gcc, Visual Studio, Valgrind, etc. It just occurred to me that for example
 we don't credit other tools in commit messages.

I'd like to avoid two people creating two bug tracker entries or working
on the same issue at the same time. The CID (coverity id) also makes it
easier to find the entry on the Coverity site. IMHO it's sufficient to
mention the CID in the tracker entry. As Brett has said it's also nice
to give credit, too.

By the way I've automated the build and upload process. Every six hours
the default branch is pulled from hg and a build is triggered when
changes are detected.

Christian




Re: [Python-Dev] Coverity scan

2012-09-07 Thread Christian Heimes
Am 06.09.2012 10:59, schrieb Stefan Krah:
 The mailing list would be nice especially if we could get the results in
 verbose text form, but I don't know if that's possible.

I've added my account to the notification list but I've not yet received
a mail as no new issue was introduced. Coverity also sends an email for
every successful or failed build. So far the mails end up in my inbox.

 BTW, do we keep all buffer overruns secret or can we post them on the tracker
 if it's an off-by-one and unlikely to be exploitable?

I'd say use your best discretion. In the unlikely case that Coverity
finds a buffer overflow that can be abused remotely we have to go
through PSRT and publish security fix releases. At a first glance no bug
looked that severe to me.

IMHO it makes sense to define a workflow how we are going to handle
Coverity issues. Each coverity issue has an identifier and can have
information like an external reference and an action. I've seen that you
have started to create bugs in our tracker. How about we mention the
Coverity # in the bug and add a link to the bug in the Ext. Reference
field of the Coverity issue and set the Action to Claimed, being worked
on.

In case you got curious about Coverity I've created a screenshot for you
http://imm.io/Duel .

Christian


Re: [Python-Dev] Coverity scan

2012-09-06 Thread Stefan Krah
Christian Heimes li...@cheimes.de wrote:
 Coverity has some new features like notification of new possible issues
 and build steps. We could create a new mailing list for coverity scan
 builds and results. The mailing list should be exclusive to core devs as
 the issues may be security relevant.

The mailing list would be nice especially if we could get the results in
verbose text form, but I don't know if that's possible.


BTW, do we keep all buffer overruns secret or can we post them on the tracker
if it's an off-by-one and unlikely to be exploitable?


Stefan Krah





Re: [Python-Dev] Coverity scan

2012-09-05 Thread Christian Heimes
Am 03.09.2012 15:59, schrieb Christian Heimes:
 It'd be nice if we get Coverity scans up and running this week to check
 the upcoming release candidate for issues.

Updates:

- Noah has set up a VM for me on the PSF infrastructure. I've installed
the Coverity tools, build dependencies of Python and a hg clone of the
default branch. The instrumented coverage builds are working, too.

- Brett has contacted Coverity to establish me as a second
administrative contact besides him. Once it's done I'll request an
upload account to submit the coverage data.

I try to get everything in place by tomorrow so we have some time to
check for bugs before the next RC is deployed.

Stefan:
Has Brett already requested an account for you or shall I request one
for you?

Christian



Re: [Python-Dev] Coverity scan

2012-09-05 Thread Brett Cannon
On Wed, Sep 5, 2012 at 8:43 AM, Christian Heimes li...@cheimes.de wrote:

 Am 03.09.2012 15:59, schrieb Christian Heimes:
  It'd be nice if we get Coverity scans up and running this week to check
  the upcoming release candidate for issues.

 Updates:

 - Noah has set up a VM for me on the PSF infrastructure. I've installed
 the Coverity tools, build dependencies of Python and a hg clone of the
 default branch. The instrumented coverage builds are working, too.

 - Brett has contacted Coverity to establish me as a second
 administrative contact besides him. Once it's done I'll request an
 upload account to submit the coverage data.

 I try to get everything in place by tomorrow so we have some time to
 check for bugs before the next RC is deployed.

 Stefan:
 Has Brett already requested an account for you or shall I request one
 for you?


I have not for no other reason than I had not thought about it.


Re: [Python-Dev] Coverity scan

2012-09-05 Thread Christian Heimes
Am 05.09.2012 14:45, schrieb Brett Cannon:
 I have not for no other reason than I had not thought about it.

Whatever, I wasn't even sure if Stefan has contacted you or asked for an
account in a public message. He might have proclaimed his wish in a
private mail.

Christian


Re: [Python-Dev] Coverity scan

2012-09-05 Thread Stefan Krah
Christian Heimes li...@cheimes.de wrote:
 I try to get everything in place by tomorrow so we have some time to
 check for bugs before the next RC is deployed.

Fantastic. Thanks for pushing this forward!


 Stefan:
 Has Brett already requested an account for you or shall I request one
 for you?

Not yet, please do if it's no problem.


Stefan Krah




Re: [Python-Dev] Coverity scan

2012-09-05 Thread Christian Heimes
Am 05.09.2012 14:43, schrieb Christian Heimes:
 I try to get everything in place by tomorrow so we have some time to
 check for bugs before the next RC is deployed.

The people at Coverity are even faster than I hoped. I'm now in the
possession of the Project password which means I can upload the builds
and add new users. I've already added Stefan and uploaded an
instrumented build successfully:

Your request for analysis of Python has been completed.  The results
should be available now in the database: http://scan5.coverity.com:8080/


Have fun!
Christian



Re: [Python-Dev] Coverity scan

2012-09-05 Thread Stefan Krah
Christian Heimes li...@cheimes.de wrote:
 The people at Coverity are even faster than I hoped. I'm now in the
 possession of the Project password which means I can upload the builds
 and add new users. I've already added Stefan and uploaded an
 instrumented build successfully:
 
 Your request for analysis of Python has been completed.  The results
 should be available now in the database: http://scan5.coverity.com:8080/

Thanks Christian, works perfectly!


Stefan Krah




Re: [Python-Dev] Coverity scan

2012-09-05 Thread Brett Cannon
And a thanks to Christian and Stefan for picking this up and running with
it. I have not been the best keeper of this stuff as of late, but now that
Christian, Stefan, and I all have admin access to the data we can spread
the load so that none of us become a bottleneck.

On Wed, Sep 5, 2012 at 12:50 PM, Stefan Krah ste...@bytereef.org wrote:

 Christian Heimes li...@cheimes.de wrote:
  The people at Coverity are even faster than I hoped. I'm now in the
  possession of the Project password which means I can upload the builds
  and add new users. I've already added Stefan and uploaded an
  instrumented build successfully:
 
  Your request for analysis of Python has been completed.  The results
  should be available now in the database: http://scan5.coverity.com:8080/

 Thanks Christian, works perfectly!


 Stefan Krah





Re: [Python-Dev] Coverity scan

2012-09-05 Thread Christian Heimes
Am 05.09.2012 18:56, schrieb Brett Cannon:
 And a thanks to Christian and Stefan for picking this up and running
 with it. I have not been the best keeper of this stuff as of late, but
 now that Christian, Stefan, and I all have admin access to the data we
 can spread the load so that none of us become a bottleneck.

You are welcome! Sharing is caring (or so) *g*

Coverity has some new features like notification of new possible issues
and build steps. We could create a new mailing list for coverity scan
builds and results. The mailing list should be exclusive to core devs as
the issues may be security relevant.

Christian


Re: [Python-Dev] Coverity scan

2012-09-03 Thread Antoine Pitrou
On Mon, 03 Sep 2012 15:59:59 +0200
Christian Heimes li...@cheimes.de wrote:
 
 It's easy, doesn't take much effort and can easily be automated, but
 somebody has to do it. The process should also be placed on the Python
 infrastructure and I don't have access. Secondly somebody has to contact
 Coverity to apply for an upload account. I tried my user account without
 success.

You could ask infrastruct...@python.org for an account on an existing
machine (dinsdale perhaps, it looks much less loaded now that some
services have been migrated).

Regards

Antoine.


-- 
Software development and contracting: http://pro.pitrou.net




Re: [Python-Dev] Coverity scan

2012-09-03 Thread Christian Heimes
Am 03.09.2012 16:27, schrieb Antoine Pitrou:
 You could ask infrastruct...@python.org for an account on an existing
 machine (dinsdale perhaps, it looks much less loaded now that some
 services have been migrated).

Thanks Antoine! I've contacted the infrastructure team.

Christian





Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-10 Thread A.M. Kuchling
On Wed, Jan 09, 2008 at 09:11:21PM -0800, Neal Norwitz wrote:
 For mmapmodule.c, fd should be checked for -1 before calling stat on line 
 1064.

I'll fix the mmap problem.

--amk


Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-10 Thread A.M. Kuchling
On Wed, Jan 09, 2008 at 09:11:21PM -0800, Neal Norwitz wrote:
 For mmapmodule.c, fd should be checked for -1 before calling stat on line 
 1064.

On looking at this, it doesn't seem like an actual problem.  fstat(-1,
...) returns a -1 and errno is set to EBADF, 'bad file descriptor'.

/* on OpenVMS we must ensure that all bytes are written to the file */
fsync(fd);
#  endif
if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
 ...

In rev. 59888, I've added 'fd != -1' to the 'if' just to save a
pointless fstat() call, and made the OpenVMS fsync() call similarly
conditional, but I don't think this item is a bug, much less a
security bug.  I won't bother backporting this to 25-maint, unless
asked to do so by the 2.5 maintainer.

--amk
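As an added illustration (not amk's or CPython's code) of the two points above, the hypothetical helpers below show that fstat(-1, ...) fails with EBADF and that the guarded check from rev. 59888 never asks fstat() about a descriptor the caller already knows is invalid; the temporary file is a constructed sample.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not CPython code): the guarded test from the
 * mmapmodule.c change, returning 1 only for an open regular file. */
int fd_is_regular_file(int fd)
{
    struct stat st;
    /* Short-circuit on the sentinel value so fstat() is never called
     * with a descriptor the caller knows is invalid. */
    if (fd != -1 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        return 1;
    return 0;
}

/* Shows the behaviour amk relied on: fstat(-1, ...) fails and sets
 * errno to EBADF instead of touching anything. Returns that errno,
 * or 0 if fstat() unexpectedly accepted the bad descriptor. */
int fstat_bad_fd_errno(void)
{
    struct stat st;
    errno = 0;
    if (fstat(-1, &st) == 0)
        return 0;
    return errno;
}

int main(void)
{
    FILE *f = tmpfile();              /* constructed sample: an anonymous regular file */
    int fd = f ? fileno(f) : -1;
    printf("fstat(-1) errno: %d (EBADF is %d)\n", fstat_bad_fd_errno(), EBADF);
    printf("fd -1 regular file? %d\n", fd_is_regular_file(-1));
    printf("tmpfile regular file? %d\n", fd_is_regular_file(fd));
    if (f)
        fclose(f);
    return 0;
}
```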


Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-10 Thread Christian Heimes
Neal Norwitz wrote:
 I think only Coverity can add people.  You can send them a message if
 you would like to be added: [EMAIL PROTECTED]  Or you can send
 mail to me and I can forward along all the people that would like to
 be added.
 
 I'll wait a few days to collect names so I can batch up the request.

Count me in!

Christian


Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-10 Thread Christian Heimes
Neal Norwitz wrote:
 For traceback.c, namebuf defined on line 155 should be moved out one
 block since filename is an alias to namebuf and it is used outside the
 current scope.  I think this is unlikely to be a problem in practice,
 but is technically wrong and should be fixed.

Agreed, the early allocation of a few hundred bytes on the stack won't
kill us.

 For codeobject.c, line 327 should not be reachable.  I kinda like the
 code as it is even though it is currently dead.  I never decided if I
 wanted to change that or suppress the warning.

Please suppress the warning. I removed the last two lines and GCC
complained "control reaches end of non-void function". It's not clever
enough to understand that cmp can never be 0.

 For mmapmodule.c, fd should be checked for -1 before calling stat on line 
 1064.

if (fd != -1 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode))

Christian


Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-10 Thread Joseph Armbruster
I am not a developer but I'm interested in browsing it.  Is it
possible to be added?

On Jan 10, 2008 10:57 AM, Christian Heimes [EMAIL PROTECTED] wrote:
 Neal Norwitz wrote:
  I think only Coverity can add people.  You can send them a message if
  you would like to be added: [EMAIL PROTECTED]  Or you can send
  mail to me and I can forward along all the people that would like to
  be added.
 
  I'll wait a few days to collect names so I can batch up the request.

 Count me in!

 Christian




Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-10 Thread Neal Norwitz
On Jan 10, 2008 8:01 AM, Joseph Armbruster [EMAIL PROTECTED] wrote:
 I am not a developer but I'm interested in browsing it.  Is it
 possible to be added?

Yes, I've added you to the list.  I'll probably send the list off
tomorrow, so let me know if you would like to be added.

n
--


 On Jan 10, 2008 10:57 AM, Christian Heimes [EMAIL PROTECTED] wrote:
  Neal Norwitz wrote:
   I think only Coverity can add people.  You can send them a message if
   you would like to be added: [EMAIL PROTECTED]  Or you can send
   mail to me and I can forward along all the people that would like to
   be added.
  
   I'll wait a few days to collect names so I can batch up the request.
 
  Count me in!
 
  Christian
 
 



Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread Christian Heimes
Joseph Armbruster wrote:
 Christian,
 
 Is there any way you (or someone else) could post up the results?  It
 looks like you need a log in to check them out.

I haven't figured out how to access the results.

Who has a login and access to the site?

Christian



Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread Nick Coghlan
Christian Heimes wrote:
 Joseph Armbruster wrote:
 Christian,

 Is there any way you (or someone else) could post up the results?  It
 looks like you need a log in to check them out.
 
 I haven't figured out how to access the results.
 
 Who has a login and access to the site?

I know Neal has access (if I'm recalling the various checkin messages 
correctly, he did the lion's share of the work in addressing the 
problems Coverity reported). I think some of the other folks on the 
security list may have one also.

Searching the SVN version history for references to Coverity may provide 
an interesting list.

Cheers,
Nick.

-- 
Nick Coghlan   |   [EMAIL PROTECTED]   |   Brisbane, Australia
---
 http://www.boredomandlaziness.org


Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread skip

Christian I read the announcement of the Python Users list and figured
Christian out that some of the other core developers might be
Christian interested in the news, too.

Christian Among other projects Python was upgraded to Rung 2 on the
Christian Coverity Scan list: http://scan.coverity.com/

I went to the run2 page:

http://scan.coverity.com/rung2.html

It shows 6 uninspected defects for Python.  How do we see what they are?
What is an uninspected defect?  Any idea how the Coverity folks compute
Defects/KLOC?  For example, how does tcl manage to get a 0.0 score?

Skip


Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread Christian Heimes
[EMAIL PROTECTED] wrote:
 It shows 6 uninspected defects for Python.  How do we see what they are?
 What is an uninspected defect?  Any idea how the Coverity folks compute
 Defects/KLOC?  For example, how does tcl manage to get a 0.0 score?

I can't answer your question. I don't have access to the Python project
on their site and the project is currently under maintenance. Maybe Neal
can shed some light on the Coverity Scan project.

Christian


Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread Guido van Rossum
On Jan 9, 2008 9:47 AM, Christian Heimes [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] wrote:
  It shows 6 uninspected defects for Python.  How do we see what they are?
  What is an uninspected defect?  Any idea how the Coverity folks compute
  Defects/KLOC?  For example, how does tcl manage to get a 0.0 score?

 I can't answer your question. I don't have access to the Python project
 on their site and the project is currently under maintenance. Maybe Neal
 can shed some light on the Coverity Scan project.

I'm pretty sure I have an account and I can't get in either. I have
contacted coverity asking if they can give accounts to other core
developers besides Neal and myself.

-- 
--Guido van Rossum (home page: http://www.python.org/~guido/)


Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread Thomas Heller
[EMAIL PROTECTED] schrieb:
 Christian I read the announcement of the Python Users list and figured
 Christian out that some of the other core developers might be
 Christian interested in the news, too.
 
 Christian Among other projects Python was upgraded to Rung 2 on the
 Christian Coverity Scan list: http://scan.coverity.com/
 
 I went to the run2 page:
 
 http://scan.coverity.com/rung2.html

On this page, when I click the 'sign in' link, I see the page 
  http://scan.coverity.com/maintenance.html
which says:


Scan administrators are performing maintenance on the selected project.

Normally, project members will have received notification in advance of any 
lengthy unavailability of their project.

Please try again later, or contact [EMAIL PROTECTED] with any questions.
Return to Main Page



Could it be that they were a little bit early with the press release,
and the rung2 scanner is not yet active?

 It shows 6 uninspected defects for Python.  How do we see what they are?
 What is an uninspected defect?  Any idea how the Coverity folks compute
 Defects/KLOC?  For example, how does tcl manage to get a 0.0 score?

Seems they are referring to the results of the rung 1 run (whatever 'rung' 
means ;-).
With the account Neal made me some months ago, I can login on this page:

   http://scan.coverity.com:7475/

and see the scan results for Python.

Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked uninspected,
3 marked pending, and 2 marked bug.

Thomas



Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread Thomas Heller
Guido van Rossum schrieb:
 On Jan 9, 2008 9:47 AM, Christian Heimes [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] wrote:
  It shows 6 uninspected defects for Python.  How do we see what they are?
  What is an uninspected defect?  Any idea how the Coverity folks compute
  Defects/KLOC?  For example, how does tcl manage to get a 0.0 score?

 I can't answer your question. I don't have access to the Python project
 on their site and the project is currently under maintenance. Maybe Neal
  can shed some light on the Coverity Scan project.
 
 I'm pretty sure I have an account and I can't get in either. I have
 contacted coverity asking if they can give accounts to other core
 developers besides Neal and myself.
 
As I said in the other reply, I can still login on this page:

http://scan.coverity.com:7475/

It looks like about 20 users are registered; if wanted I can post the list here.

Thomas



Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread Christian Heimes
Thomas Heller wrote:
 Seems they are referring to the results of the rung 1 run (whatever 'rung' 
 means ;-).
 With the account Neal made me some months ago, I can login on this page:
 
http://scan.coverity.com:7475/
 
 and see the scan results for Python.
 
 Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked 
 uninspected,
 3 marked pending, and 2 marked bug.

My dict says: rung (of a ladder) - Leitersprossen

Python has climbed up one step (or rung) of the ladder.

Do you have the required permission to add more users to the site?

Christian


Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread Thomas Heller
Christian Heimes schrieb:
 Thomas Heller wrote:
 Seems they are referring to the results of the rung 1 run (whatever 'rung' 
 means ;-).
 With the account Neal made me some months ago, I can login on this page:
 
http://scan.coverity.com:7475/
 
 and see the scan results for Python.
 
 Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked 
 uninspected,
 3 marked pending, and 2 marked bug.
 
 My dict says: rung (of a ladder)-  Leitersprossen
 
 Python has climbed up one step (or rung) of the ladder.

Thanks.  I was too lazy to fire up dict.leo.org ;-)

 Do you have the required permission to add more users to the site?

No, I can only view the results (and add comments or so...).

Thomas



Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread Neal Norwitz
On Jan 9, 2008 1:12 PM, Christian Heimes [EMAIL PROTECTED] wrote:
 Thomas Heller wrote:
  Seems they are referring to the results of the rung 1 run (whatever 'rung' 
  means ;-).
  With the account Neal made me some months ago, I can login on this page:
 
 http://scan.coverity.com:7475/
 
  and see the scan results for Python.
 
  Last run at 2007-12-27: 11 Outstanding Defects, 6 of them marked 
  uninspected,
  3 marked pending, and 2 marked bug.

 My dict says: rung (of a ladder)-  Leitersprossen

 Python has climbed up one step (or rung) of the ladder.

They botched the link where it says Sign in.  Use the link Thomas posted, ie:
http://scan.coverity.com:7475/

That will show you the results from the latest coverity checker.

 Do you have the required permission to add more users to the site?

I think only Coverity can add people.  You can send them a message if
you would like to be added: [EMAIL PROTECTED]  Or you can send
mail to me and I can forward along all the people that would like to
be added.

I'll wait a few days to collect names so I can batch up the request.

n


Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread Neal Norwitz
On Jan 9, 2008 9:08 AM,  [EMAIL PROTECTED] wrote:

 Christian I read the announcement of the Python Users list and figured
 Christian out that some of the other core developers might be
 Christian interested in the news, too.

 Christian Among other projects Python was upgraded to Rung 2 on the
 Christian Coverity Scan list: http://scan.coverity.com/

 I went to the rung2 page:

 http://scan.coverity.com/rung2.html

 It shows 6 uninspected defects for Python.  How do we see what they are?
 What is an uninspected defect?  Any idea how the Coverity folks compute
 Defects/KLOC?  For example, how does tcl manage to get a 0.0 score?

The 6 have been inspected by me and I never came to a conclusion of
whether they were a problem or not.  There are 3 things which should
be fixed and I haven't gotten around to them.  They are not a big
deal:

Python/traceback.c  line 177
Objects/codeobject.c  line 322
Modules/mmapmodule.c  line 1080

For traceback.c, namebuf defined on line 155 should be moved out one
block since filename is an alias to namebuf and it is used outside the
current scope.  I think this is unlikely to be a problem in practice,
but is technically wrong and should be fixed.

For codeobject.c, line 327 should not be reachable.  I kinda like the
code as it is even though it is currently dead.  I never decided if I
wanted to change that or suppress the warning.

For mmapmodule.c, fd should be checked for -1 before calling stat on line 1064.

The rest were not obvious problems to me, and I never returned to them.

n
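Two of the three findings Neal lists above are generic C defect patterns that a static analyzer like Coverity catches well: a pointer that aliases a block-scoped array and is read after the block closes (the traceback.c case), and a file descriptor that may be -1 reaching a stat call (the mmapmodule.c case). The following is an added illustration written for this page, not CPython's code; the function names, the 64-byte buffer and the "lib/" prefix are hypothetical. Each pattern is shown in the form the analyzer flags (kept in a comment so the file itself has no undefined behaviour) beside the hardened form that actually runs.

```c
/* Added example, not CPython code. Names and sizes are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Pattern 1 (traceback.c-style): alias outliving a block-scoped buffer.
 *
 * The form the analyzer flags:
 *
 *     const char *filename = NULL;
 *     if (tail != NULL) {
 *         char namebuf[64];                 // storage ends at the '}'
 *         snprintf(namebuf, sizeof namebuf, "lib/%s", tail);
 *         filename = namebuf;               // alias escapes the block
 *     }
 *     return filename ? strlen(filename) : 0;   // read after scope: UB
 *
 * It usually "works" because nothing has reused that stack slot yet,
 * which is exactly why it is easy to miss without a tool.
 */
static size_t name_len_fixed(const char *tail)
{
    char namebuf[64];                   /* hoisted one block out so it
                                           outlives every use of the alias */
    const char *filename = NULL;

    if (tail != NULL) {
        snprintf(namebuf, sizeof namebuf, "lib/%s", tail);
        filename = namebuf;
    }
    return filename ? strlen(filename) : 0;
}

/*
 * Pattern 2 (mmapmodule.c-style): a descriptor that can be -1 reaching
 * fstat(). The flagged form is simply `fstat(fd, &st)` with no check that
 * fd is valid; fstat(-1, ...) fails with EBADF, and code that ignores the
 * return value then reads an uninitialised struct stat.
 */
static off_t size_of_fd_fixed(int fd)
{
    struct stat st;

    if (fd == -1)                       /* the guard the analyzer asks for */
        return -1;
    if (fstat(fd, &st) != 0)            /* and never trust st on failure */
        return -1;
    return st.st_size;
}

/* Helper for the demonstration: write `contents` to `path`, measure it
 * through size_of_fd_fixed(), clean up, and return the measured size
 * (-1 on any failure). */
static off_t sample_file_size(const char *path, const char *contents)
{
    size_t n = strlen(contents);
    off_t size = -1;
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);

    if (fd == -1)
        return -1;
    if (write(fd, contents, n) == (ssize_t)n)
        size = size_of_fd_fixed(fd);
    close(fd);
    unlink(path);
    return size;
}

int main(void)
{
    printf("name_len_fixed(\"foo.py\") = %zu\n", name_len_fixed("foo.py"));
    printf("size_of_fd_fixed(-1)     = %ld\n", (long)size_of_fd_fixed(-1));
    printf("sample_file_size(...)     = %ld\n",
           (long)sample_file_size("/tmp/coverity_pattern_demo.txt", "hello"));
    return 0;
}
```

The scope bug is the interesting one for an auditor: the compiler accepts it, the program typically prints the right answer, and it only misbehaves when a later call reuses the freed stack region, so a reviewer's eye or a checker like Coverity's is the realistic way to catch it.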


Re: [Python-Dev] Coverity Scan, Python upgraded to rung 2

2008-01-09 Thread Neal Norwitz
On Jan 9, 2008 9:08 AM,  [EMAIL PROTECTED] wrote:

 I went to the rung2 page:

 http://scan.coverity.com/rung2.html

 It shows 6 uninspected defects for Python.  How do we see what they are?
 What is an uninspected defect?  Any idea how the Coverity folks compute
 Defects/KLOC?  For example, how does tcl manage to get a 0.0 score?

Sorry, I forgot to answer the second part of your question.  I have no
idea how they compute Defects/KLOC.  But the data is very old so I
wouldn't worry about what that says.

The most recent run has 286622 lines in 602 files.  I already
mentioned the 3 defects that should be fixed.  Not sure what to do
about the rest.

n