Re: [Qemu-devel] Can we make better use of Coverity?

[Markus Armbruster <armbru@redhat.com>]

Peter Maydell <peter.maydell@linaro.org> writes:

> On 21 January 2015 at 12:47, Markus Armbruster <armbru@redhat.com> wrote:
>> We're using the Coverity Scan service[*].  We've put in some effort, and
>> we've gotten some mileage out of it, but I feel we could get more.
>>
>> Judging from the report e-mail I have lying about, we're scanning about
>> once a month on average.  These reports cuts off after 20 new defects.
>> When there are more, which is common, people have to go to the web
>> dashboard to see them.  When I get one with ten, I may have a look, when
>> I get one "Showing 20 of 100 defect(s)", I despair of the task, and put
>> it off.
>
> Right, but coverity reports lots of stuff, much of which is either
> wrong or just not very important. The interesting stats here are:
> (1) the "high impact outstanding" buglist: we have just 33 of these
> (2) the per-component lists: where somebody's been working on the
>     bug list for that component there are often not many bugs (there
>     are just 2 outstanding for "arm", for instance)

I agree the sky is most definitely not falling.

The defect density is quite uneven (see appended table).  "arm" is in
good shape indeed, and the largest low-density component.  Top-scorers
are bt, slirp and 9pfs.  Figures; they feel barely maintained these
days.

>> I think we should scan much more regularly.  Once a week, full auto?
>
> I think a regular automated scan would be useful, yes.

Need a volunteer to script that.  Any takers?

>> I further think we should send the e-mail report to the list, to have
>> more eyes on it.
>
> I agree that we'd benefit much more from more people seeing the
> list of coverity reports.

I figure that's just a matter of creating a dummy member with the list
address.  Any objections?


Defect density by component, from
https://scan.coverity.com/projects/378?tab=overview

    Component Name  Line of Code    Defect density
    bt                4,610         1.74
    slirp             6,968         1.44
    9pfs              9,493         1.37
    user             32,263         0.68
    mips             34,321         0.52
    Other           390,967         0.51
    net              29,412         0.44
    lm32              2,836         0.35
    ui               43,771         0.32
    block            55,171         0.31
    ppc              50,323         0.28
    disas            38,362         0.26
    i386             36,786         0.22
    migration         5,249         0.19
    usb              26,524         0.19
    m68k              5,533         0.18
    s390             17,171         0.17
    sparc            14,677         0.14
    tricore           7,801         0.13
    pci              11,292         0.09
    scsi             14,521         0.07
    arm              69,085         0.01
    cris              6,341         0.00
    libcacard         3,779         0.00
    microblaze        3,482         0.00
    monitor          30,044         0.00
    nbd               1,714         0.00
    openrisc          3,102         0.00
    tcg              10,659         0.00
    trace             9,090         0.00
    unicore32         3,191         0.00
    xtensa            7,393         0.00

The size of "Other" shows that our component definitions could use a
little love, too :)