[cfe-dev] Coverity vs Clang Static analyzer

G Raghuram contactraghu at gmail.com
Thu Feb 20 23:16:01 PST 2014


Hi All,
Thank you for your responses. I get a feeling that clang can do a lot of
things that Coverity does, so switching to it may not be a problem.

Manuel,
We are using it for C++.




On Thu, Feb 20, 2014 at 6:01 AM, miroslav.fontan <
miroslav.fontan at wincor-nixdorf.cz> wrote:

> Hi,
>
> We use Coverity, Clang, CPPCheck, PC-Lint. Each of these programs reports
> different errors; the intersection is almost empty. Coverity can find the most
> "real" runtime problems; the false positive rate depends on the aggressiveness level.
>
> For bug tracking we redirect all reports/outputs to SonarQube.
>
> Mira
>
> > -----Original Message-----
> > From: cfe-dev-bounces at cs.uiuc.edu [mailto:cfe-dev-bounces at cs.uiuc.edu]
> > On Behalf Of David Chisnall
> > Sent: Thursday, February 20, 2014 9:43 AM
> > To: G Raghuram
> > Cc: Clang Dev
> > Subject: Re: [cfe-dev] Coverity vs Clang Static analyzer
> >
> > Hi,
> >
> > On 20 Feb 2014, at 06:42, G Raghuram <contactraghu at gmail.com> wrote:
> >
> > > Can someone please comment on features of Clang static analyzer vs
> > Coverity? Does Coverity catch any extra errors, or can we just do a
> > drop-in replacement?
> >
> > We use both for FreeBSD.  Coverity catches more things, but also has a
> > somewhat higher false positive rate.  Currently, the most useful
> > feature that Coverity has and the clang static analyser lacks is the
> > ability to track bugs over source code changes.  Clang requires
> > annotations to be placed in the source code to silence warnings.  This
> > is fine for our code, but a pain for third-party code where we don't
> > want to increase the effort for merging.  Coverity lets you flag a bug
> > as a false positive.  This is also nicer from a review perspective - it
> > lets you investigate the bugs other people have marked as false
> > positives and check that they really were.
> >
> > The other difference is momentum.  The clang analyser is under very
> > active development and it catches a lot more things than it did a year
> > ago.  It's also much easier to write plugins for if you want to check
> > for correct usage of your own APIs or idioms.
> >
> > David
> >
> >
> > _______________________________________________
> > cfe-dev mailing list
> > cfe-dev at cs.uiuc.edu
> > http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>
>
>
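An added illustration of the in-source silencing David mentions, written for this page rather than taken from the thread, FreeBSD, or either tool's documentation. The sample table, the `lookup` helper and the `id_of_*` functions are constructed for the example. The analyzer defines the `__clang_analyzer__` macro while it runs, and a function carrying `__attribute__((analyzer_noreturn))` tells it that a path ends there, so the combination is the usual way to prune a path the analyzer otherwise reports; Coverity instead records the same finding in its database, where it can be triaged as a false positive without touching the source.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample data (not from the thread). */
static const struct { const char *name; int id; } table[] = {
    {"alpha", 1}, {"beta", 2}, {"gamma", 3},
};

/* Returns NULL when the name is absent, so every caller has a
 * NULL path that a path-sensitive analyzer will explore. */
static const int *lookup(const char *name) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, name) == 0)
            return &table[i].id;
    return NULL;
}

/* Version 1: no check. Clang's static analyzer reports a possible
 * null-pointer dereference on the not-found path; Coverity reports
 * the same class of defect. */
int id_of_unchecked(const char *name) {
    const int *p = lookup(name);
    return *p;
}

/* Version 2: the annotation approach. Only the analysis build sees
 * this helper; analyzer_noreturn tells the analyzer the path ends
 * here, which removes the report. The runtime behaviour is unchanged,
 * so a violated contract still crashes in production. */
#ifdef __clang_analyzer__
static void analyzer_assume_unreachable(void) __attribute__((analyzer_noreturn));
static void analyzer_assume_unreachable(void) {}
#endif

int id_of_silenced(const char *name) {
    const int *p = lookup(name);
#ifdef __clang_analyzer__
    if (p == NULL)
        analyzer_assume_unreachable();   /* silences the analyzer only */
#endif
    return *p;
}

/* Version 3: handle the NULL path. Both tools are satisfied and no
 * tool-specific annotation has to be carried in the source. */
int id_of_checked(const char *name, int missing) {
    const int *p = lookup(name);
    return p ? *p : missing;
}
```

Run `clang --analyze` (or `scan-build` over the build) on the file to see the report on `id_of_unchecked` and its absence on the other two; a normal compile never sees the `__clang_analyzer__` block, which is exactly why it is a nuisance in third-party code that has to be re-merged.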