[Audacity-devel] Coverity?

Discussion:

Henric Jungheim

2017-06-24 14:48:14 UTC

At some point, Coverity Scan was set up for Audacity.
Unfortunately, it is pointing to a non-existent SVN
repository on googlecode. Does anyone own this setup?

https://scan.coverity.com/projects/audacity

Martyn Shaw

2017-06-25 18:05:26 UTC

Permalink

Hi Henric

It would appear that I am an admin on Coverity for Audacity, although I
have not used it.

I logged in and changed the "Repository URL" to "
https://github.com/audacity/audacity" (and the Homepage URL). Does
anything else need to happen?

I think that Campbell Barton set this up for us.

TTFN
Martyn

Post by Henric Jungheim
At some point, Coverity Scan was set up for Audacity.
Unfortunately, it is pointing to a non-existent SVN
repository on googlecode. Does anyone own this setup?
https://scan.coverity.com/projects/audacity
------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
audacity-devel mailing list
https://lists.sourceforge.net/lists/listinfo/audacity-devel

Arturo 'Buanzo' Busleiman

2017-06-25 18:12:21 UTC

Permalink

Thank you Martyn. If you have privileges to add admins, maybe it would be
useful for me to have an account.

Cheers!

Post by Martyn Shaw
Hi Henric
It would appear that I am an admin on Coverity for Audacity, although I
have not used it.
I logged in and changed the "Repository URL" to "
https://github.com/audacity/audacity" (and the Homepage URL). Does
anything else need to happen?
I think that Campbell Barton set this up for us.
TTFN
Martyn

------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
audacity-devel mailing list
https://lists.sourceforge.net/lists/listinfo/audacity-devel

Martyn Shaw

2017-06-25 19:15:54 UTC

Permalink

Done!
Martyn

Post by Arturo 'Buanzo' Busleiman
Thank you Martyn. If you have privileges to add admins, maybe it would be
useful for me to have an account.
Cheers!

Arturo 'Buanzo' Busleiman

2017-06-26 13:33:08 UTC

Permalink

Yes, thank you Martyn!

Post by Martyn Shaw
Done!
Martyn

Post by Arturo 'Buanzo' Busleiman
Thank you Martyn. If you have privileges to add admins, maybe it would be
useful for me to have an account.
Cheers!

Henric Jungheim

2017-06-26 01:32:04 UTC

Permalink

To be really useful, some more recent builds have to be
analyzed and people need to look at the results. For the
former, perhaps this might be useful?

https://scan.coverity.com/travis_ci

For the latter, I'd be happy to take a look.

AppVeyor has the Coverity tools installed on the normal
build images, but I have no idea what it would take to set
that up. There is platform-specific code to interface with
audio drivers, and that kind of OS shim code is just the
place for hiding bugs. I'm not sure if there is a good
Xcode CI setup that would work well with Coverity Scan, but
it shouldn't be too hard to have someone run through it by
hand.

For more general code quality, this might be of interest:
http://isocpp.github.io/CppCoreGuidelines/CppCoreGuidelines

VS2015 and VS2017 have a checker for some of those
guidelines.

Post by Martyn Shaw
Hi Henric
It would appear that I am an admin on Coverity for Audacity, although I
have not used it.
I logged in and changed the "Repository URL" to
"[1]https://github.com/audacity/audacity" (and theÂ Homepage URL).Â
Does anything else need to happen?
I think thatÂ Campbell Barton set this up for us.
TTFN
Martyn
At some point, Coverity Scan was set up for Audacity.
Unfortunately, it is pointing to a non-existent SVN
repository on googlecode.Â Does anyone own this setup?
[3]https://scan.coverity.com/projects/audacity
------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! [4]http://sdm.link/slashdot
_______________________________________________
audacity-devel mailing list
[6]https://lists.sourceforge.net/lists/listinfo/audacity-devel
References
1. https://github.com/audacity/audacity
3. https://scan.coverity.com/projects/audacity
4. http://sdm.link/slashdot
6. https://lists.sourceforge.net/lists/listinfo/audacity-devel
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
audacity-devel mailing list
https://lists.sourceforge.net/lists/listinfo/audacity-devel

Arturo 'Buanzo' Busleiman

2017-06-26 13:32:52 UTC

Permalink

I had actually come across the C++ Core Guidelines, thru a post on
stackoverflow if my memory serves me right this weekend. Great work, indeed.

Post by Henric Jungheim
To be really useful, some more recent builds have to be
analyzed and people need to look at the results. For the
former, perhaps this might be useful?
https://scan.coverity.com/travis_ci
For the latter, I'd be happy to take a look.
AppVeyor has the Coverity tools installed on the normal
build images, but I have no idea what it would take to set
that up. There is platform-specific code to interface with
audio drivers, and that kind of OS shim code is just the
place for hiding bugs. I'm not sure if there is a good
Xcode CI setup that would work well with Coverity Scan, but
it shouldn't be too hard to have someone run through it by
hand.
http://isocpp.github.io/CppCoreGuidelines/CppCoreGuidelines
VS2015 and VS2017 have a checker for some of those
guidelines.

Post by Martyn Shaw
Hi Henric
It would appear that I am an admin on Coverity for Audacity, although

Post by Martyn Shaw
have not used it.
I logged in and changed the "Repository URL" to
"[1]https://github.com/audacity/audacity" (and theÃ Homepage URL).Ã
Does anything else need to happen?
I think thatÃ Campbell Barton set this up for us.
TTFN
Martyn
At some point, Coverity Scan was set up for Audacity.
Unfortunately, it is pointing to a non-existent SVN
repository on googlecode.Ã Does anyone own this setup?
[3]https://scan.coverity.com/projects/audacity
------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! [4]http://sdm.link/slashdot
_______________________________________________
audacity-devel mailing list
[6]https://lists.sourceforge.net/lists/listinfo/audacity-devel
References
1. https://github.com/audacity/audacity
3. https://scan.coverity.com/projects/audacity
4. http://sdm.link/slashdot
6. https://lists.sourceforge.net/lists/listinfo/audacity-devel
------------------------------------------------------------

------------------

Post by Martyn Shaw
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
audacity-devel mailing list
https://lists.sourceforge.net/lists/listinfo/audacity-devel

Henric Jungheim

2017-06-26 19:21:56 UTC

Permalink

The data from the last official Audacity Coverity scan (from
May 18, 2014) and a new scan I ran on my x64 fork
(https://scan.coverity.com/projects/henricj-audacity) both
find two "out-of-bounds read" defects in AudioIO.cpp.
"RatesToTry[i]" after the for loop will have i ==
NumRatesToTry, which is past the end of the array.

https://github.com/audacity/audacity/blob/master/src/AudioIO.cpp#L2741
https://github.com/audacity/audacity/blob/master/src/AudioIO.cpp#L2807

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
audacity-devel mailing list
https://lists.sourceforge.net/lists/listinfo/audacity-devel