
List:       kde-devel
Subject:    Re: lgtm integration (automated detection of bugs and problems for programming languages)
From:       alcinos <french.ebook.lover () gmail ! com>
Date:       2019-03-22 13:31:08
Message-ID: CAHJBWfkmT9Gjg0FbaVsteD8upyjge9A16apjadHOxXS4u=SZsA () mail ! gmail ! com

Is there a way to somehow configure the build process? Their automatic
dependency pulling is getting an outdated version of Melt, and it breaks
the build for us in Kdenlive...

On Fri, Mar 22, 2019 at 07:43, Tomaz Canabrava <tcanabrava@kde.org> wrote:

> On Thu, Mar 21, 2019 at 9:27 PM Albert Astals Cid <aacid@kde.org> wrote:
> > 
> > On Thursday, 21 March 2019, at 20:31:34 CET, Tomaz Canabrava wrote:
> > > On Thu, 21 Mar 2019 at 19:48, Albert Astals Cid <aacid@kde.org> wrote:
> > > 
> > > > On Thursday, 21 March 2019, at 10:04:29 CET, Tomaz Canabrava wrote:
> > > > > Hello kdevelopers,
> > > > > 
> > > > > I've come to know lgtm.com this week and started to enjoy it quite
> > > > > a bit. It provides code analysis for various languages like c/c++ /
> > > > > java / javascript / python, transforming code to data and extracting
> > > > > information using a QL Schema + Deep learning.
> > > > > 
> > > > > It's opensource
> > > > 
> > > > Is it? I can't seem to find the code.
> > > > 
> > > > > , and *already* runs through all the kde codebase because
> > > > > our code has a mirror on github (but it also supports gitlab,
> > > > > bitbucket). Some of the code from kde can't be analyzed yet because of
> > > > > unmatched dependencies, but here's an example of a software we all
> > > > > know and love, being analyzed by their tools.
> > > > > 
> > > > > https://lgtm.com/projects/g/KDAB/GammaRay/alerts/?mode=list
> > > > > 
> > > > > I believe we should get in contact with them and ask for a ~formal~
> > > > > partnership and integrate this into our phab / gitlab instances.
> > > > 
> > > > I'm a bit hesitant about its quality.
> > > > 
> > > > It complains about
> > > > 
> > > > https://lgtm.com/projects/g/KDAB/GammaRay/snapshot/c9979de8f1206e13596392237af218cd35adc139/files/plugins/sceneinspector/paintanalyzerextension.cpp#x6a2cbfa5e54b631a:1
> > > > If you read the description it'd seem it's a memory leak.
> > > > That's because it doesn't understand QObject ownership and that
> > > > deleting a parent will delete its children.
> > > > 
> > > > It says this is an error
> > > > 
> > > > https://lgtm.com/projects/g/KDE/okular/snapshot/9755abc39706567915f1d1b757b70e2a0f8e3f3a/files/core/synctex/synctex_parser_utils.c#x6d7e052c9ef1e80:1
> > > > It's not, I'll agree it's not very common to do this comparison,
> > > > but it's valid code
> > > > 
> > > > It says this is a noop
> > > > 
> > > > https://lgtm.com/projects/g/KDE/okular/snapshot/9755abc39706567915f1d1b757b70e2a0f8e3f3a/files/autotests/parttest.cpp?sort=name&dir=ASC&mode=heatmap#x9525a92bb944ee97:1
> > > > It's not, qRegisterMetaType does things
> > > > 
> > > > So I'm happy that those results are out there, but given the amount of
> > > > false/questionable positives I found in 5 minutes of looking at it, I'd be
> > > > very careful of giving it to "the general population", that may just
> > > > propose changes because a tool told them to.
> > > > 
> > > > Cheers,
> > > > Albert
> > > > 
> > > 
> > > They are already working on two of the bugs that you described - reported
> > > by the subsurface team.
> > > 
> > > The source for parts of the tools are here:
> > > 
> > > https://github.com/Semmle/ql
> > > 
> > > And of course as any tool that is starting there will be errors.
> > 
> > Sure, I never said it's useless, in fact it did find some mismatched
> > free/delete/delete[] calls in both okular and poppler.
> > 
> > I just want to make sure we don't tell people "these are bugs, go fix
> > them", because then people will take the tool at 100% correct rate value,
> > when it's not that kind of tool.
> 
> I opened bug reports to them:
> 
> https://github.com/Semmle/ql/issues/1153
> this one I'm not convinced yet.
> 
> https://github.com/Semmle/ql/issues/1154
> this one it seems that it was not false positive.
> 
> > )
> 
> > Cheers,
> > Albert
> > 
> > > > > Tomaz
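Added example, not code from the thread or from Qt: a minimal stand-in for the QObject parent/child ownership rule Albert refers to, where a parent deletes its children in its destructor. The `Node` class, the `g_live` counter and the helper functions are hypothetical; the point is that `new Node(parent)` with the returned pointer dropped, which a leak checker that only tracks the pointer will flag, leaves nothing alive once the parent is destroyed.

```cpp
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <vector>

// Hypothetical model of QObject ownership (not Qt code): a parent owns its
// children and deletes them in its destructor.
static int g_live = 0;  // live instances, used to check the "leak" claim

class Node {
public:
    explicit Node(Node *parent = nullptr) : parent_(parent) {
        ++g_live;
        if (parent_) parent_->children_.push_back(this);
    }
    ~Node() {
        // Detach the children first so a child being deleted does not try to
        // unregister itself from a parent that is mid-destruction.
        std::vector<Node *> kids;
        kids.swap(children_);
        for (Node *c : kids) { c->parent_ = nullptr; delete c; }
        // A child deleted explicitly removes itself from its parent's list.
        if (parent_) {
            auto &sib = parent_->children_;
            sib.erase(std::remove(sib.begin(), sib.end(), this), sib.end());
        }
        --g_live;
    }
    std::size_t childCount() const { return children_.size(); }
private:
    Node *parent_;
    std::vector<Node *> children_;
};

// The pattern the analyzer flagged: the pointer returned by `new` is neither
// stored nor deleted here, because the parent takes ownership.
void addChildren(Node *parent, int n) {
    for (int i = 0; i < n; ++i) new Node(parent);
}

// Number of objects still alive after the parent goes out of scope;
// 0 means the reported leak never happens.
int liveAfterParentDestroyed(int n) {
    {
        Node root;
        addChildren(&root, n);
        assert(root.childCount() == static_cast<std::size_t>(n));
    }
    return g_live;
}
```

Tools that do track ownership transfer still need the rule spelled out to them (that the parent argument takes ownership), which is the gap the issue reports to the analyzer vendor are about.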




