Potential problems in 2.1.12 discovered by Coverity static source code scan

Alan DeKok aland at deployingradius.com
Wed Oct 19 16:51:30 CEST 2011

John Dennis wrote:
> We've started to perform static source code analysis on things we ship
> in the interest of trying to improve quality. We've been very impressed
> with the Coverity tools, they do an excellent job of finding problems.

  Alas, the guy running the open source "scan" side recently moved on.
He used to sit in the cube next to me 10+ years ago.  We've known each
other for a long time.

> Coverity is not open source but they support open source projects by
> providing access to open source projects to some of their tools (you
> might consider registering with Covertiy).

  Registered, did a press release. :)

> We have a Coverity license
> and have been granted permission to share our scan results with our
> upstream open source projects. We have just completed a scan on version
> 2.1.12 and I wanted to share the results. They are attached.
> Not every item flagged by the scan is meaningful, but we've learned by
> running the scans on our own code quite a bit of what is reported were
> actually undiscovered problems worth fixing.


> I recognize the timing would have been better if the scan had been
> performed prior to the release but we're still in the process of getting
> Coverity integrated into our tool chain.

  I'll take a look.  On a first pass, most of the issues are minor.

> I wonder if the problems cropping up in 3.0 might be identified by a
> Coverity scan ...

  Hopefully none.

  I've been using similar tools for ~15 years.  The result has been my
coding style has changed, to avoid most of the common problems found by
the scanner.

  Alan DeKok.

More information about the Freeradius-Devel mailing list