Hey folks,

TL;DR - If you have opinions one way or another about having a Coverity instance available for WebKit developers, please respond to this message.

Coverity is a static analysis tool [1] which scans source code and reports defects in the code. We've been using Coverity to find defects in Chrome for a while now, and though there is sometimes a bit of subjectivity involved in the defect types (e.g. whether a return value should be checked), the signal is generally high. Off the top of my head, the following are the defects I spend most of my time fixing:

* Uninitialized variables (including member variables).
  - Chrome has had at least 4 crash fixes in the past few months due to this defect (which were caught by Coverity).
* Passing large parameters by value.
  - Generally a trivial fix. I don't have performance data to say what effect fixing these has, but 'death by a thousand cuts' eh?
* Forward/Reverse/I - Nulls.
  - Coverity is very good at understanding when a value is NULL and the tool will tell you which code paths are using a NULL value.
* Tons of security issue-causing defects.

I'd like to propose adding a Coverity instance for the WebKit community, but I want to make sure there's general support before writing up the detailed proposal. A few details:

* Google will front the cost of the license (non-zero...very far from zero) and the infrastructure.
* I'd leave it up to the WebKit leadership to decide who has access (most likely limited to WebKit committers for security purposes).

The biggest rationale is to provide a strong defect signal for the entire WebKit community, which would directly impact the success of all WebKit-based projects. Coverity has provided free licenses for unsponsored (by larger corporations anyway) open-source projects; this has resulted in significant improvements [2] to the code bases of these projects, one of which I was directly involved with years ago (Wine).

Let me know if you love the idea or hate it.

Thanks,
James

[1] http://www.coverity.com/products/static-analysis.html
[2] http://softwareintegrity.coverity.com/coverity-scan-2011-open-source-integrity-report-registration.html - registration required now :(
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-dev