Hi Peff & Taylor,

On Thu, 7 Oct 2021, Jeff King wrote:

> On Thu, Oct 07, 2021 at 12:07:39AM -0400, Taylor Blau wrote:
>
> > On Wed, Oct 06, 2021 at 10:38:18PM -0400, Jeff King wrote:
> > > The reason for that is that I didn't find it by inspection; I've started
> > > running my personal builds through coverity. It wasn't too bad to set up
> > > with a GitHub Action, like so:
> > >
> > > [...]
> >
> > It looks like this would never cause the build to fail, but is merely
> > responsible for sending any warnings off to Coverity's UI?
>
> Sort of. They basically wrap the "make" invocation to intercept "cc". My
> understanding is that their faux-compiler is mostly about gathering data
> about the code. That gets stuffed into a tarball and uploaded to their
> servers, where the real analysis happens.
>
> It's very black-box, which I don't love. But in my experience it
> produces by far the most useful static-analysis output of any tool I've
> seen.

It is pretty black box, but I have to disagree that the static analysis
output is very useful. The majority are false positives about
strbuf/strvec type usage of a static, fixed-size array that is
dynamically replaced by a dynamically-allocated array. Coverity misses
that subtlety and reports out-of-bounds accesses.

Granted, I worked around those (I thought) by using the
`-DFLEX_ARRAY=65536` trick, but I guess that is either not working as
designed, or it stopped working at some stage.

FWIW I have set up an Azure Pipeline to keep Git for Windows' `main`
branch covered by Coverity:
https://dev.azure.com/git-for-windows/git/_build?definitionId=35

It essentially calls into this scripted code:
https://github.com/git-for-windows/build-extra/blob/4676f286a1ec830a5038b32400808a353dc6c48d/please.sh#L1820-L1915

Ciao,
Dscho
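The following is an added example, not code from this thread and not Git's own code, illustrating the two idioms behind the false positives Dscho describes. The first is a strbuf-style buffer that starts out pointing at a static one-byte placeholder array and swaps in a heap allocation on first growth; an analyzer that reasons from the placeholder's declared size sees a write past `slopbuf[1]` unless it models the pointer swap. The second is a struct with a trailing flexible array whose real size is fixed only at allocation time; the `FLEX_ARRAY` macro here mirrors the idea behind the `-DFLEX_ARRAY=65536` trick, which inflates the declared size for the analysis build so the declared-size check stops firing. All names (`struct buf`, `slopbuf`, `name_entry`, `buf_add`, and so on) are hypothetical.

```c
/* Added example; hypothetical names, not Git's implementation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An analysis build may pass -DFLEX_ARRAY=<large> so the declared size
 * of the trailing array covers what is actually allocated; a normal
 * build leaves it empty (a C99 flexible array member). */
#ifndef FLEX_ARRAY
#define FLEX_ARRAY
#endif

struct name_entry {
	size_t len;
	char name[FLEX_ARRAY]; /* real size chosen by name_entry_new() */
};

/* One allocation holds the header plus the string and its NUL. */
struct name_entry *name_entry_new(const char *s)
{
	size_t len = strlen(s);
	struct name_entry *e = malloc(sizeof(*e) + len + 1);
	if (!e)
		abort();
	e->len = len;
	/* A declared-size check sees name[] as 0 or 1 bytes here. */
	memcpy(e->name, s, len + 1);
	return e;
}

/* Shared static placeholder: every empty buffer points here, so an
 * unused buffer is always a valid "" without allocating anything. */
static char slopbuf[1];

struct buf {
	size_t alloc;
	size_t len;
	char *ptr; /* == slopbuf until the first growth */
};

#define BUF_INIT { 0, 0, slopbuf }

static void buf_grow(struct buf *b, size_t extra)
{
	size_t need = b->len + extra + 1;
	size_t new_alloc;

	if (need <= b->alloc)
		return;
	new_alloc = b->alloc ? b->alloc : 16;
	while (new_alloc < need)
		new_alloc *= 2;
	if (b->ptr == slopbuf) {
		/* Detach from the static placeholder before writing. */
		b->ptr = malloc(new_alloc);
		if (!b->ptr)
			abort();
		b->ptr[0] = '\0';
	} else {
		char *p = realloc(b->ptr, new_alloc);
		if (!p)
			abort();
		b->ptr = p;
	}
	b->alloc = new_alloc;
}

void buf_add(struct buf *b, const char *s)
{
	size_t n = strlen(s);

	buf_grow(b, n);
	/* Safe: ptr no longer aliases slopbuf once n > 0 was requested. */
	memcpy(b->ptr + b->len, s, n + 1);
	b->len += n;
}

int buf_uses_slopbuf(const struct buf *b)
{
	return b->ptr == slopbuf;
}

void buf_release(struct buf *b)
{
	if (b->ptr != slopbuf)
		free(b->ptr);
	b->alloc = 0;
	b->len = 0;
	b->ptr = slopbuf;
}

int main(void)
{
	struct buf b = BUF_INIT;
	struct name_entry *e = name_entry_new("refs/heads/main");

	buf_add(&b, "hello");
	buf_add(&b, ", world");
	printf("%s (len %zu, heap=%d)\n", b.ptr, b.len, !buf_uses_slopbuf(&b));
	printf("%s (len %zu)\n", e->name, e->len);
	buf_release(&b);
	free(e);
	return 0;
}
```

Both patterns are memory-safe as written; the point is that the safety argument lives in the allocation and pointer-swap logic rather than in the declared array sizes, which is exactly what a declared-size bounds check does not see.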