[cfe-dev] Coverity vs Clang Static analyzer

miroslav.fontan miroslav.fontan at wincor-nixdorf.cz
Thu Feb 20 06:01:10 PST 2014


Hi,

We use Coverity, Clang, CPPCheck, PC-Lint. Each of these programs reports
different errors; the intersection is almost empty. Coverity can find the most
"real" runtime problems; the false positive rate depends on the aggressiveness level.

For bug tracking we redirect all reports/outputs to SonarQube.

Mira

> -----Original Message-----
> From: cfe-dev-bounces at cs.uiuc.edu [mailto:cfe-dev-bounces at cs.uiuc.edu]
> On Behalf Of David Chisnall
> Sent: Thursday, February 20, 2014 9:43 AM
> To: G Raghuram
> Cc: Clang Dev
> Subject: Re: [cfe-dev] Coverity vs Clang Static analyzer
> 
> Hi,
> 
> On 20 Feb 2014, at 06:42, G Raghuram <contactraghu at gmail.com> wrote:
> 
> > Can someone please comment on features of Clang static analyzer vs
> > Coverity? Does Coverity catch any extra errors or can we just do a
> > drop-in replacement?
> 
> We use both for FreeBSD.  Coverity catches more things, but also has a
> somewhat higher false positive rate.  Currently, the most useful
> feature that Coverity has and the clang static analyser lacks is the
> ability to track bugs over source code changes.  Clang requires
> annotations to be placed in the source code to silence warnings.  This
> is fine for our code, but a pain for third-party code where we don't
> want to increase the effort for merging.  Coverity lets you flag a bug
> as a false positive.  This is also nicer from a review perspective - it
> lets you investigate the bugs other people have marked as false
> positives and check that they really were.
> 
> The other difference is momentum.  The clang analyser is under very
> active development and it catches a lot more things than it did a year
> ago.  It's also much easier to write plugins for if you want to check
> for correct usage of your own APIs or idioms.
> 
> David
> 
> 