Re: static analysis run on ncurses 5.6

[Thomas Dickey]

On Fri, 1 Aug 2008, Larry Zhou wrote:

> It is a fact that Klocwork has a higher false positive rate than Coverity,
> possibly above 75%.

it's looking to be about 50% (I'm a quarter through the list, making notes 
for changes).

I'm going to be away tomorrow, and will probably have a patch with the
fixes on Sunday or Monday.

> If you can get 20 to 30 things in "possible" or "potential" range, that
> would be amazing.
>
> On Fri, Aug 1, 2008 at 12:32 PM, Thomas Dickey <address@hidden> wrote:
>
> > On Fri, 1 Aug 2008, Larry Zhou wrote:
> >
> >  Here it goes. 117 warnings total.
> > >
> >
> > some of them are false reports (I don't have a count yet, but will work
> > through the list...).
> >
> > For instance, the third in the list (for test/bs.c) appears to be seeing
> > the chunk from 447-457, seeing that 'ss' is set to a nonzero value if
> > c!='R', and not seeing that line 468 will not be executed when c=='R'.
>
>
> You are right about that. That is a false positive. If in anyway, you want
> to help static analyzer help you.
> add a debug assert right before line 468.
>    assert(ss);

I see - that's easy to markup...

> That would help make your intention clear.
>
>
> > (Some of Coverity's were false also - but I won't be surprised if they
> > find different things).  Even if half of them were false, that's still
> > a gain.
> >
> >
> > --
> > Thomas E. Dickey
> > http://invisible-island.net
> > ftp://invisible-island.net

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net