Hello PostgreSQL Developers,

I'm the CTO of Coverity, Inc., a company that does static source code analysis to look for defects in code. You may have heard of us or of our technology from its days at Stanford (the "Stanford Checker"). The reason I'm writing is because we have set up a framework internally to continually scan open source projects and provide the results of our analysis back to the developers of those projects. PostgreSQL is one of the 32 projects currently scanned at:

http://scan.coverity.com

My belief is that we (Coverity) must reach out to the developers of these packages (you) in order to make progress in actually fixing the defects that we happen to find, so this is my first step in that mission. Of course, I think Coverity technology is great, but I want to hear what you think and that's why I worked with folks at Coverity to put this infrastructure in place.

The process is simple -- it checks out your code each night from your repository and scans it so you can always see the latest results.

Right now, we're guarding access to the actual defects that we report for a couple of reasons: (1) We think that you, as developers of PostgreSQL, should have the chance to look at the defects we find to patch them before random other folks get to see what we found and (2) From a support perspective, we want to make sure that we have the appropriate time to engage with those who want to use the results to fix the code. Because of this second point, I'd ask that if you are interested in really digging into the results a bit further for your project, please have a couple of core maintainers (or group nominated individuals) reach out to me to request access. As this is a new process for us and still involves a small number of packages, I want to make sure that I personally can be involved with the activity that is generated from this effort.

So I'm basically asking for people who want to play around with some cool new technology to help make source code better. If this interests you, please feel free to reach out to me directly. And of course, if there are other packages you care about that aren't currently on the list, I want to know about those too.

If this is the wrong list, my sincerest apologies and please let me know where would be a more appropriate forum for this type of message.

Many thanks for reading this far...

-ben

Ben Chelf
Chief Technology Officer
Coverity, Inc.

---------------------------(end of broadcast)---------------------------
TIP 2: Don't 'kill -9' the postmaster

Ben Chelf wrote:
> Hello PostgreSQL Developers,
>
> I'm the CTO of Coverity, Inc., a company that does static source code
> analysis to look for defects in code. You may have heard of us or of our
> technology from its days at Stanford (the "Stanford Checker"). The
> reason I'm writing is because we have set up a framework internally to
> continually scan open source projects and provide the results of our
> analysis back to the developers of those projects. PostgreSQL is one of
> the 32 projects currently scanned at:
>
> http://scan.coverity.com

Hm, interestingly and in contrast to some announcements, MySQL is not included in this list. Did it blast the defects column? :-)

Regards,
Andreas

Andreas Pflug wrote:
> Ben Chelf wrote:
> > Hello PostgreSQL Developers,
> >
> > I'm the CTO of Coverity, Inc., a company that does static source code
> > analysis to look for defects in code. You may have heard of us or of our
> > technology from its days at Stanford (the "Stanford Checker"). The
> > reason I'm writing is because we have set up a framework internally to
> > continually scan open source projects and provide the results of our
> > analysis back to the developers of those projects. PostgreSQL is one of
> > the 32 projects currently scanned at:
> >
> > http://scan.coverity.com
>
> Hm, interestingly and in contrast to some announcements, MySQL is not
> included in this list. Did it blast the defects column? :-)

I thought we ran the Coverity analysis a year ago and cleaned up the warnings, so I am surprised at our high number, but I assume they are mostly noise.

--
Bruce Momjian
http://candle.pha.pa.us
SRA OSS, Inc.
http://www.sraoss.com

+ If your life is a hard drive, Christ can be your backup. +

Andreas Pflug wrote:
> Ben Chelf wrote:
> > Hello PostgreSQL Developers,
> >
> > I'm the CTO of Coverity, Inc., a company that does static source code
> > analysis to look for defects in code. You may have heard of us or of our
> > technology from its days at Stanford (the "Stanford Checker"). The
> > reason I'm writing is because we have set up a framework internally to
> > continually scan open source projects and provide the results of our
> > analysis back to the developers of those projects. PostgreSQL is one of
> > the 32 projects currently scanned at:
> >
> > http://scan.coverity.com
>
> Hm, interestingly and in contrast to some announcements, MySQL is not
> included in this list. Did it blast the defects column? :-)

AFAIR they got a private scan done and they fixed the reported defects. After that they issued a press release telling how few defects they got, or something ...

OTOH neither JBoss, BerkeleyDB, Qt are listed. Is there a pattern here?

--
Alvaro Herrera
http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

Alvaro Herrera wrote:
> AFAIR they got a private scan done and they fixed the reported defects.
> After that they issued a press release telling how few defects they
> got, or something ...
>
> OTOH neither JBoss, BerkeleyDB, Qt are listed. Is there a pattern here?

I guess the pattern is obvious indeed: Coverity probably wants a shot at selling their services to these companies and rightly so imho.

regards,
Lukas

> > OTOH neither JBoss, BerkeleyDB, Qt are listed. Is there a pattern here?

http://www.coverity.com/news/news_02_15_05_story_6.html

On Mon, 6 Mar 2006, Bruce Momjian wrote:
> Andreas Pflug wrote:
>> Ben Chelf wrote:
>>> Hello PostgreSQL Developers,
>>>
>>> I'm the CTO of Coverity, Inc., a company that does static source code
>>> analysis to look for defects in code. You may have heard of us or of our
>>> technology from its days at Stanford (the "Stanford Checker"). The
>>> reason I'm writing is because we have set up a framework internally to
>>> continually scan open source projects and provide the results of our
>>> analysis back to the developers of those projects. PostgreSQL is one of
>>> the 32 projects currently scanned at:
>>>
>>> http://scan.coverity.com
>>
>> Hm, interestingly and in contrast to some announcements, MySQL is not
>> included in this list. Did it blast the defects column? :-)
>
> I thought we ran the Coverity analysis a year ago and cleaned up the
> warnings, so I am surprised at our high number, but I assume they are
> mostly noise.

Got an account and will take a look at the details this evening ...

----
Marc G. Fournier
Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org
Yahoo!: yscrappy
ICQ: 7615664

On Mon, 2006-03-06 at 11:55 -0300, Alvaro Herrera wrote:
> AFAIR they got a private scan done and they fixed the reported defects.

Indeed: EnterpriseDB paid for a license for the Coverity static analysis tool, and then ran that tool on the open-source Postgres tree. One of their engineers then worked with me to get a bunch of patches committed to fix the issues the tool identified -- e.g.

http://archives.postgresql.org/pgsql...6/msg00428.php
http://archives.postgresql.org/pgsql...6/msg00314.php
http://archives.postgresql.org/pgsql...6/msg00315.php
http://archives.postgresql.org/pgsql...6/msg00298.php

The tool found a few significant bugs, but most of the fixes were somewhat cosmetic. (Perhaps one reason for this is that the Stanford checker was run on an earlier version of PostgreSQL by some grad students at Stanford, who submitted patches / bug reports for the more serious issues they found.)

I'm a bit surprised to see that there are ~300 unfixed defects: AFAIR I fixed all the issues the EDB guys passed on to me, with the exception of some false positives and a handful of minor issues in ECPG that I couldn't be bothered fixing (frankly I would rather not touch the ECPG code). I've requested access to the Coverity results -- I'll be curious to see if we can get any more useful fixes from the tool.

-Neil

Neil Conway wrote:
> On Mon, 2006-03-06 at 11:55 -0300, Alvaro Herrera wrote:
>
>> AFAIR they got a private scan done and they fixed the reported defects.
>
> Indeed: EnterpriseDB paid for a license for the Coverity static analysis
> tool, and then ran that tool on the open-source Postgres tree. One of
> their engineers then worked with me to get a bunch of patches committed
> to fix the issues the tool identified -- e.g.
>
> http://archives.postgresql.org/pgsql...6/msg00428.php
> http://archives.postgresql.org/pgsql...6/msg00314.php
> http://archives.postgresql.org/pgsql...6/msg00315.php
> http://archives.postgresql.org/pgsql...6/msg00298.php
>
> The tool found a few significant bugs, but most of the fixes were
> somewhat cosmetic. (Perhaps one reason for this is that the Stanford
> checker was run on an earlier version of PostgreSQL by some grad
> students at Stanford, who submitted patches / bug reports for the more
> serious issues they found.)
>
> I'm a bit surprised to see that there are ~300 unfixed defects: AFAIR I
> fixed all the issues the EDB guys passed on to me, with the exception of
> some false positives and a handful of minor issues in ECPG that I
> couldn't be bothered fixing (frankly I would rather not touch the ECPG
> code). I've requested access to the Coverity results -- I'll be curious
> to see if we can get any more useful fixes from the tool.

For a short while EDB were pushing their Coverity results up to the buildfarm server, too. But it didn't last long.

cheers

andrew

Ben,

> I'm the CTO of Coverity, Inc., a company that does static source code
> analysis to look for defects in code. You may have heard of us or of our
> technology from its days at Stanford (the "Stanford Checker"). The
> reason I'm writing is because we have set up a framework internally to
> continually scan open source projects and provide the results of our
> analysis back to the developers of those projects. PostgreSQL is one of
> the 32 projects currently scanned at:

Nice to hear from you! Coverity has previously worked with Sean Chittenden, EnterpriseDB and Neil Conway. So we're glad to be continuing our relationship with you.

--
--Josh

Josh Berkus
Aglio Database Solutions
San Francisco