-
Notifications
You must be signed in to change notification settings - Fork 845
Coverity
Coverity is an official partner of the Open MPI project. They grant us access to their web-based tools for the glory of being listed in association with Open MPI.
The Coverity Prevent tool does sophisticated static source code analysis. It points out all kinds of possible problems in the code, most of which you probably didn't even know were there. More specifically, it can solve problems for you that you didn't even know you had. Coverity only runs nightly scans on master tarballs.
Click here to access Open MPI's Coverity results
NOTE: You can only view the Open MPI Coverity data if you have a Coverity account and have been granted access to the Open MPI Coverity project -- see below.
To use the tool, sign up for an account on scan.coverity.com (either with a standalone Coverity account or login with your Github account), and request "Contributor/Member" access on the Open MPI Coverity project.
Here's some guidelines on using the Coverity web Prevent tool:
- All issues that the scanner finds are uniquely identified by a "CID" number (Coverity ID). This number is unique across all runs, and will persist across multiple runs if the same issue exists. So you can safely say "CID 123" to uniquely refer to a specific issue identified by the tool.
- When fixing issues found by the Prevent tool, it is good to list the CID number in the commit message, just for reference back to the Prevent tool.
- Likewise, if there's a corresponding Github issue, don't hesitate to refer to CID numbers.
- Filling in fields on CID issues:
- Class:
- Uninspected: This is what all issues get by default. Once you actually dig into an issue, you should set this field to something else.
- Pending: Set the issue to "pending" if you're still digging into the problem and haven't decided how to classify it yet.
- False: Set the issue to "False" if the scanner is reporting something that doesn't matter (i.e., it's a false positive).
- Intentional: Set the issue to "Intentional" if the code is intentionally doing something that Prevent is reporting; for reasons that the scanner can't know, the code is ok.
- Bug: Set the issue to "Bug" if Prevent found an actual bug.
- Severity: this one is fairly subjective - it's "major", "moderate", and "minor". Here's my take:
- Major: likely to cause problems in non-erroneous situations.
- Moderate: not major and not minor.
- Minor: unlikely to cause problems (e.g,. it's a bug in an error-handling routine that is seldom/never tripped).
- Action: what are we going to/did we do?
- Undecided: Still don't know what to do about this issue.
- Fix: Means "we need to fix this, but haven't done so yet".
- Resolved: The bug was fixed in the OMPI code base.
- Ignore: Use this for false positives.
- Comment: Put some meaningful text in here. E.g., if you found someone else's bug, put a comment in there about "Notified Jeff about this issue because it's his code." Or "This is a false positive because ...".
- Ext Ref: this is intended to hold a reference to the OMPI source code repository where the issue was fixed (e.g., the Git hash in the master branch corresponding to the commit where the issue was fixes).
- Class: