15:31:46 <mmrazik> #startmeeting
15:31:46 <meetingology> Meeting started Tue Feb 28 15:31:46 2012 UTC.  The chair is mmrazik. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
15:31:46 <meetingology> 
15:31:46 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
15:32:07 <mmrazik> let's wait for a minute or so
15:32:58 <mmrazik> the only topic today is a short talk about Static Code Analysis and what we do in Canonical with Unity et al
15:33:03 <mmrazik> [TOPIC] Static Code Analysis (Coverity)
15:33:19 <mmrazik> alesage: I think we can start
15:33:59 <alesage> ok thanks mmrazik
15:34:20 <alesage> so this will be a short chat about our use of Coverity
15:34:35 <alesage> which is a static analyzer
15:35:02 <alesage> here's our wiki page for our Coverity integration project:
15:35:09 <alesage> https://wiki.ubuntu.com/CanonicalProductStrategy/Coverity
15:35:35 <alesage> and here's a link to the company's site: http://coverity.com/products/static-analysis.html
15:36:01 <alesage> we're using static analysis as a means to improve quality:
15:36:52 <alesage> the idea behind "static analysis" is kind-of a step further than what a compiler offers your C/C++/Java/etc. code
15:37:24 <alesage> in the case of Coverity, for example, the static analyzer sits on GCC and finds bugs in our code
15:37:54 <alesage> by producing 'models' of the execution--
15:38:13 <alesage> specifically by running 'checkers', which find common (or not so common ;) ) errors
15:38:36 <alesage> I'll link to a list of these checkers . . .
15:38:52 <alesage> https://wiki.ubuntu.com/CoverityCheckerDictionary
15:39:20 <alesage> so taking DIVIDE_BY_ZERO as an example,
15:39:54 <alesage> here's a condition that might take an exceptional condition to encounter in production, e.g.
15:40:34 <alesage> but Coverity finds this using its sophisticated analysis
15:41:14 <alesage> so we wanted to add this to our process for developing Ubuntu
15:41:32 <alesage> at the moment our licensing covers everything that's a dependency of Unity
15:42:02 <alesage> and there's talk about expanding--we'll see how the evaluation goes
15:42:10 <alesage> are there any questions at this point?
15:42:34 <gema_> o/
15:42:46 <alesage> I have to thank tvoss for this link, meanwhile: http://drdobbs.com/open-source/232601492
15:42:51 <alesage> gema_, go ahead
15:42:52 <gema_> alesage: are you raising bugs as you find them? are you getting a lot of false positives?
15:43:08 <alesage> gema_ excellent question
15:43:19 <alesage> so my part of the project has been a "syncing" tool
15:43:28 <alesage> which submits bugs to Launchpad when these defects are found
15:43:37 <gema_> automatically?
15:43:47 <alesage> automatically--
15:43:53 <gema_> agreed :)
15:44:06 <alesage> the scanner is run as part of a Jenkins/Continuous Integration process
15:44:22 <alesage> so when we get a build, the scanner runs and finds its Coverity defects,
15:44:38 <alesage> and then a little Python script interprets these and submits them to Launchpad
15:44:51 <alesage> where they enter the normal Ubuntu developer workflow
15:45:00 <alesage> let me get the link for some existing bugs . . .
15:46:00 <alesage> https://bugs.launchpad.net/~coverity-uploader
15:46:33 <alesage> so we haven't found a full set as yet, and it's still too early to show our 'defect density' (ref. the link above)
15:47:00 <alesage> and gema_ as this is still an informal process I'm not aware of complaints about false positives
15:47:19 <gema_> alesage: I am very impressed, looks pretty good
15:47:21 <mmrazik> this is up and running for about a week
15:47:41 <mmrazik> after some time we might want to do some queries and get the % of invalid bugs or something like that
15:47:42 <alesage> gema_ yeah it's fun to go through the defects
15:47:50 <mmrazik> that should give us some idea about the false positives
15:47:57 <gema_> mmrazik: ack
15:48:12 <alesage> let's take an example
15:48:13 <alesage> https://bugs.launchpad.net/bamf/+bug/937402
15:48:14 <ubottu> Launchpad bug 937402 in BAMF trunk "Coverity UNINIT - CID 10451" [Low,Triaged]
15:48:40 <alesage> so here's an uninitialized variable somewhere deep in bamf
15:49:06 <alesage> you see that you get a little code snippet in the bug body there
15:49:19 <alesage> and also an attachment with a prettier rendering of the source code
15:50:12 <alesage> Coverity offers a more sophisticated product called the "Integrity Manager"
15:50:37 <alesage> most of the features of which this 'syncer' is offering to Launchpad users
15:50:58 <alesage> one more interesting case:
15:51:09 <alesage> https://bugs.launchpad.net/libindicator/+bug/937387
15:51:11 <ubottu> Launchpad bug 937387 in libindicator "Coverity PW.USELESS_TYPE_QUALIFIER_ON_RETURN_TYPE - CID 10617" [High,Fix committed]
15:51:47 <alesage> here's a case in which Coverity has found the same defect in multiple projects
15:52:06 <alesage> in this case the root of the problem is in libindicator
15:52:26 <alesage> and ted has tackled and ably squashed the bug
15:53:16 <alesage> but note that Coverity's tracking of defects enables us to keep the defects in one place, as one Launchpad bug
15:53:40 <alesage> any questions at this point?
15:55:48 <alesage> so honestly this is my first encounter with static analysis
15:56:44 <alesage> do people have more extensive experience with this, or with Coverity itself?
15:58:33 <alesage> so we'll have some metrics to offer in our Quality Hour blog at some point in the future
15:58:39 <alesage> please stay tuned :)
15:58:53 <alesage> and feel free to follow up with me for questions anytime
15:59:09 <alesage> thanks all--anything else mmrazik?
15:59:18 <mmrazik> any last questions?
15:59:42 <mmrazik> in that case -- thank you for the meeting and let's meet in a month :)
15:59:44 <mmrazik> bb
15:59:52 <mmrazik> #endmeeting