[cfe-dev] Coverity vs Clang Static analyzer

Manuel Klimek klimek at google.com
Sun Feb 23 04:16:40 PST 2014 

On Fri, Feb 21, 2014 at 8:16 AM, G Raghuram <contactraghu at gmail.com> wrote:

> Hi All,
> Thank you for your responses. I get a feeling that clang can do a lot of
> things that Coverity does, so switching to it may not be a problem.
>
> Manuel,
> We are using it for C++.
>

I'd say C++ is still the weak part of the analyzer (your milage might vary
depending on how "C++" your code base actually is). We currently get > 50%
false positives (on the Chromium code base). If you're interested in
helping with a solution, I can point you at the bugs to start (we've found
mainly one hairy bug that's left over - correct tracking of destructors of
temporaries).

Cheers,
/Manuel


>
>
>
>
> On Thu, Feb 20, 2014 at 6:01 AM, miroslav.fontan <
> miroslav.fontan at wincor-nixdorf.cz> wrote:
>
>> Hi,
>>
>> We use Coverity, Clang, CPPCheck, PC-Lint. Each of these program reports
>> different errors, intersection is almost empty. Coverity can find the most
>> "real" runtime problems, false positive rate depends on aggressity level.
>>
>> For bugtracking we redirect all reports/outputs to the SonarQube
>>
>> Mira
>>
>> > -----Original Message-----
>> > From: cfe-dev-bounces at cs.uiuc.edu [mailto:cfe-dev-bounces at cs.uiuc.edu]
>> > On Behalf Of David Chisnall
>> > Sent: Thursday, February 20, 2014 9:43 AM
>> > To: G Raghuram
>> > Cc: Clang Dev
>> > Subject: Re: [cfe-dev] Coverity vs Clang Static analyzer
>> >
>> > Hi,
>> >
>> > On 20 Feb 2014, at 06:42, G Raghuram <contactraghu at gmail.com> wrote:
>> >
>> > > Can someone please comment on features of Clang static analyzer vs
>> > Coverity? Does coverity catch any extra errors or can we just do a
>> > drop-in replacement.?
>> >
>> > We use both for FreeBSD.  Coverity catches more things, but also has a
>> > somewhat higher false positive rate.  Currently, the most useful
>> > feature that Coverity has and the clang static analyser lacks is the
>> > ability to track bugs over source code changes.  Clang requires
>> > annotations to be placed in the source code to silence warnings.  This
>> > is fine for our code, but a pain for third-party code where we don't
>> > want to increase the effort for merging.  Coverity lets you flag a bug
>> > as a false positive.  This is also nicer from a review perspective - it
>> > lets you investigate the bugs other people have marked as false
>> > positives and check that they really were.
>> >
>> > The other difference is momentum.  The clang analyser is under very
>> > active development and it catches a lot more things than it did a year
>> > ago.  It's also much easier to write plugins for if you want to check
>> > for correct usage of your own APIs or idioms.
>> >
>> > David
>> >
>> >
>> > _______________________________________________
>> > cfe-dev mailing list
>> > cfe-dev at cs.uiuc.edu
>> > http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20140223/b9057920/attachment.html>

More information about the cfe-dev mailing list