Mozilla and Coverity
Some of you might have noticed that the word coverity has been mentioned in some recent checkins.
Coverity is a bug-finding system that is capable of detecting defects and security vulnerabilities in source code. At compile time, Coverity detects bugs that will crash the system at runtime. Examples include memory leaks, use-after-frees, and illegal pointer accesses. Coverity also pinpoints security vulnerabilities in your source code that hackers can exploit. This eliminates serious problems such as denial of service, data/memory corruption and escalation of privileges in the earliest stage of development. Example vulnerabilities detected include buffer overruns, integer overflows, format string errors, SQL injection attacks and many more.
In collaboration with Stanford University, Coverity is scanning the Mozilla source code. This is great news for the Mozilla project. We're getting a free audit of the source code. This will improve the quality of the code and hopefully fix some of the bugs that still exist in the Mozilla source code.
Are those links really correct?
Comment by Matthew Wilson at May 18, 2006 12:54 PM
Matthew - 'coverity' is a keyword so you can easily search in Bugzilla for these bugs.
Comment by Robin at May 18, 2006 02:35 PM
If you log into the Coverity system there are 528 outstanding problems. Some of the difference is caused by problems marked as fixed, but the fix hasn't yet made it through Bugzilla, CVS and back to Coverity for verification. Last time I looked mozilla/security had the highest number of hits with about 1/3 of them.
Comment by Jon Smirl at May 18, 2006 04:58 PM
A big congrats to Coverity for finding all these bugs as well as the people fixing them. And while there are some Invalid, Duplicate, and Wontfix, this is a *good thing*.
Comment by alanjstr at May 20, 2006 07:38 AM
Most (all?) of the Coverity bugs fixed didn't make it into the 18.104.22.168 branch due to release timing. When will they be seen in a released code base? 1.8.1? 22.214.171.124?