Hi Peff,

On Fri, 26 Feb 2021, Jeff King wrote:

> On Fri, Feb 26, 2021 at 11:31:02AM -0500, Taylor Blau wrote:
>
> > Dscho mentioned this to me privately when reviewing Coverity results for
> > -rc0. This one is legitimate, and the fix is easy enough, too.
>
> I'm excited that we might get Coverity results again. There were a lot
> of false positives, but I found its signal-to-noise ratio higher than
> almost every other static analysis tool I've looked at.

Indeed, the signal:noise ratio is pretty bad, mainly because of all the
false positives (Coverity _really_ hates what we do with `strbuf_slopbuf`,
it simply doesn't understand that we allocate `buf` only when needing to
write characters into that buffer) and the "intentional" issues (we leak
memory left and right in `builtin/`).

It does not help at all that Coverity has a bug for a pretty long while
now where it simply throws up its digital hands in the air when it sees a
GCC v10.x. I did find a work-around for Git for Windows' automated
Coverity run, a work-around that is somewhat ugly yet necessary, sadly:
https://github.com/git-for-windows/build-extra/commit/23eea104d53

Ciao,
Dscho