Issues found by PVS-Studio #76

Closed
VasilievSerg opened this issue Nov 12, 2018 · 7 comments

Comments

@VasilievSerg
commented Nov 12, 2018

Hello,
The developers of the PVS-Studio static analyzer present their check report on the source code of 'Infer.NET' in an article containing a review of the most suspicious code fragments they discovered.

You can read the article at the official site:
(External link redacted)

Best regards,
Sergey Vasiliev

@tminka

Contributor

commented Nov 12, 2018

An issue must contain details of the problem. It cannot simply link to another site. Please update or I will close the issue.

@VasilievSerg

Author

commented Nov 12, 2018

Hi, @tminka.

I just wanted to report that there are a number of problems in the source code, which were detected by the analyzer. I'd like to share the link to the article where I cited the places that seemed the most interesting to me.

I think if you could check the project yourself it would be more useful, as you know better which warnings point at real problems or which ones don't. We can give you a license key so that you could have the opportunity to check the project yourself and work with warnings.

If you are interested, please, let me know about it. If not - you can close the issue.

Best regards,
Sergey Vasiliev

@tminka tminka closed this Nov 12, 2018

@tzachshabtay

commented Nov 12, 2018

I saw the article and immediately went to find the github repo to see if the issues were reported. I'm shocked to see that it's ignored. @tminka, did you read the article? It has detailed examples of dozens of bugs in your repo. This decision perplexes me.

@sq735

commented Nov 13, 2018

@tminka I also read the article and I don't understand why you are ignoring the issues described in the article. This is a pretty big article. It would be difficult to indicate all the problems here.

@a-vishar

Contributor

commented Nov 13, 2018

@VasilievSerg With other projects you provided the log file with the issues in it, and those teams pulled the details from the log into the GitHub issue itself. We're happy to follow a similar pattern here and grab the log if you host it somewhere as you have done previously for other projects.

@tzachshabtay @sq735 The issue here is not an unwillingness to fix or look at the issues, it's a tracking issue. If we rely solely on an external website to track any issues, and at a later date that website stops operating, we run into a tracking problem.

@VasilievSerg

Author

commented Nov 14, 2018

Hi @a-vishar,

No, I have not provided analysis logs to other teams (at least, I don't remember this :) ). In some cases I pointed at specific warnings if there were few of them. However, this is not the most optimal and convenient way to work with the analysis results. At one time, I even wrote a small note on this topic: "I've sent a PVS-Studio text log to the project authors! Did I really help?"

I will try to briefly describe here why.

The analyzer has a plugin for Visual Studio, through which working with the analysis results will be much more convenient than directly with the text log. When working with a plugin you can use various tools that will simplify working with the list of warnings: navigation, filtration, grouping, marking false positives and so on. This means you will be able to organize your work in the most convenient way. Without the plugin, you’ll not be able to work so conveniently with the log.

I would also like to note that some time has passed (about 2 weeks) from the analysis to publication, so some new suspicious places could have appeared in the code. By the way, that’s why one shouldn’t address only the errors described in the article - I wrote about the places that seemed to me the most suspicious, but could have missed something.

As I wrote earlier, we can provide you with the key, so you can work with the analyzer.

This is my subjective opinion on how to make your bug-fixing process the most convenient. :)

Best regards,
Sergey Vasiliev

@a-vishar

Contributor

commented Nov 14, 2018

@VasilievSerg I was referring to this.

I understand you no longer wish to provide the log as you have previously. The log would have served as a means of tracking potential issues; without that, you're relying on people downloading your tool individually, sorting through the errors/warnings, creating issues on GitHub, and then creating PRs to solve them.

Not being familiar with your tool, nor having the time myself to spend an unknown amount of time sorting through the false-positives by myself, without the log or some other means of tracking the issues via GitHub, I cannot re-open the issue.

We cannot start tracking issues offline via tools, especially tools which require a license and therefore might prohibit some people from using them.
