Coverity analysis of graphviz?

Coverity is a static code analysis tool for software testing and security. It is said to be free for the open source community.

Erwin Janssen ran it before on graphviz, circa 2016. That code is now out of date.

I wonder if it would be worthwhile if someone was interested in picking up where he left off.

There were 350 potential “defects.”

1 Like

There’s an open issue about this: Problems found by Coverity Scan static analysis (#1464) · Issues · graphviz / graphviz · GitLab. I had a brief look and many of the issues seemed legitimate. So far I’ve prioritized fixing other user issues, but we should certainly address this as well.

1 Like

Static analysis is a good friend. We could also try Clang-Tidy.

1 Like

Maybe this is just my personal opinion, but I don’t believe there is much value in running extra static analyzers until the build is compiler-warning-free. The compiler’s warnings are a form of static analysis from which we already have more than we can deal with.

1 Like

Strongly agree. I was just pushing this on the stack for future reference.

In skimming the logs from Coverity there was not that much useful information. Leaking memory by not closing a file before exit is not a big deal.

2 Likes

Yes, the compiler warnings are absolutely the place to start.

1 Like