Hi Peff,

On Tue, 11 Oct 2022, Jeff King wrote:

> On Mon, Oct 10, 2022 at 10:21:40PM -0700, Junio C Hamano wrote:
>
> > Jeff King <peff@xxxxxxxx> writes:
> >
> > > There's a tiny leak in this one. Here's a fix that can go on top.
> > >
> > > -- >8 --
> > > Subject: [PATCH] fsmonitor: fix leak of warning message
> > >
> > > The fsm_settings__get_incompatible_msg() function returns an allocated
> > > string. So we can't pass its result directly to warning(); we must hold
> > > on to the pointer and free it to avoid a leak.
> > >
> > > The leak here is small and fixed size, but Coverity complained, and
> > > presumably SANITIZE=leaks would eventually.
> > >
> > > Signed-off-by: Jeff King <peff@xxxxxxxx>
> > > ---
> > >  fsmonitor.c | 4 +++-
> > >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > Is there anybody else who is reading Coverity reports, I wonder.
> > This one is a clear positive.
>
> I doubt it.

As I mentioned to you previously (e.g. in https://lore.kernel.org/git/3896n74p-0r16-866o-r668-70q6pos078n9@xxxxxx/), I do have a look at them, usually a closer look during the -rc phases.

> My personal fork still has the coverity github-action which I showed
> last year[1]. We could merge that, but giving access to the project is a
> minor pain. And of course the full list is full of false positives. One
> nice thing about coverity is that it marks each defect by date, and
> tells you how many new ones there are. So when I push up my
> next+personal branches build, I usually just skim over any new ones it
> reports. I'd say about 10% of them are actionable.

That 10% number does not match up with my experience. In the v2.39.0-rc period, I looked through over a hundred new issues. Pretty much all of them were strvec/strbuf false positives, and even the remaining ones were not actionable. (I typically glance over leaks such as the one you reported, in favor of focusing on bugs that may cause crashes or other serious problems.)

I also recall that https://lore.kernel.org/git/pull.1264.git.1655336146.gitgitgadget@xxxxxxxxx/ was the result of more than 150 new alerts that I sifted through, with 11 actionable ones, some of which were later decided to be false positives after all.

Ciao,
Johannes
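The leak pattern Peff's patch fixes, shown as an added C illustration that is not code from git or from this thread: `get_incompatible_msg()`, `warning()` and the allocation counter are stand-ins I assume here, not git's `fsm_settings__get_incompatible_msg()` or its `warning()`. The counter makes the leak observable: the leaky caller leaves one allocation behind per call, the fixed one leaves none.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocation counter so a test can see whether a message was freed. */
static int live_allocations = 0;

static char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) { memcpy(p, s, n); live_allocations++; }
    return p;
}

static void tracked_free(char *p) {
    if (p) { free(p); live_allocations--; }
}

/* Stand-in for fsm_settings__get_incompatible_msg(): the caller owns the result. */
static char *get_incompatible_msg(const char *reason) {
    char buf[128];
    snprintf(buf, sizeof buf, "fsmonitor is incompatible with this repository: %s", reason);
    return tracked_strdup(buf);
}

/* Stand-in for git's warning(): formats and prints, never takes ownership. */
static void warning(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    fputs("warning: ", stderr);
    vfprintf(stderr, fmt, ap);
    fputc('\n', stderr);
    va_end(ap);
}

/* Before the fix: the allocated string is passed straight in and its pointer is lost. */
int warn_leaky(const char *reason) {
    int before = live_allocations;
    warning("%s", get_incompatible_msg(reason));
    return live_allocations - before;   /* 1: nothing can free the message now */
}

/* After the fix: hold the pointer, emit the warning, then free it. */
int warn_fixed(const char *reason) {
    int before = live_allocations;
    char *msg = get_incompatible_msg(reason);
    warning("%s", msg);
    tracked_free(msg);
    return live_allocations - before;   /* 0: allocation released */
}
```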