List:       kde-devel
Subject:    Re: lgtm integration (automated detection of bugs and problems for programming languages)
From:       Albert Astals Cid <aacid () kde ! org>
Date:       2019-03-23 18:02:00
Message-ID: 10958690.j5WEz6zd8X () xps

On Friday, 22 March 2019, at 7:43:09 CET, Tomaz Canabrava wrote:
> On Thu, Mar 21, 2019 at 9:27 PM Albert Astals Cid <aacid@kde.org> wrote:
> > 
> > On Thursday, 21 March 2019, at 20:31:34 CET, Tomaz Canabrava wrote:
> > > On Thu, 21 Mar 2019 at 19:48, Albert Astals Cid <aacid@kde.org>
> > > wrote:
> > > 
> > > > On Thursday, 21 March 2019, at 10:04:29 CET, Tomaz Canabrava
> > > > wrote:
> > > > > Hello kdevelopers,
> > > > > 
> > > > > I've come to know lgtm.com this week and started to enjoy it quite
> > > > > a bit. It provides code analysis for various languages like c/c++ /
> > > > > java / javascript / python, transforming code to data and extracting
> > > > > information using a QL Schema + Deep learning.
> > > > > 
> > > > > It's open source
> > > > 
> > > > Is it? I can't seem to find the code.
> > > > 
> > > > > , and *already* runs through all the kde codebase because
> > > > > our code has a mirror on github (but it also supports gitlab,
> > > > > bitbucket). Some of the code from kde can't be analyzed yet because of
> > > > > unmatched dependencies, but here's an example of a software we all
> > > > > know and love, being analyzed by their tools.
> > > > > 
> > > > > https://lgtm.com/projects/g/KDAB/GammaRay/alerts/?mode=list
> > > > > 
> > > > > I believe we should get in contact with them and ask for a ~formal~
> > > > > partnership and integrate this into our phab / gitlab instances.
> > > > 
> > > > I'm a bit hesitant about its quality.
> > > > 
> > > > It complains about
> > > > https://lgtm.com/projects/g/KDAB/GammaRay/snapshot/c9979de8f1206e13596392237af218cd35adc139/files/plugins/sceneinspector/paintanalyzerextension.cpp#x6a2cbfa5e54b631a:1
> > > > If you read the description it'd seem it's a memory leak.
> > > > That's because it doesn't understand QObject ownership and that
> > > > deleting a parent will delete its children.
> > > > 
> > > > It says this is an error
> > > > https://lgtm.com/projects/g/KDE/okular/snapshot/9755abc39706567915f1d1b757b70e2a0f8e3f3a/files/core/synctex/synctex_parser_utils.c#x6d7e052c9ef1e80:1
> > > > It's not, I'll agree it's not very common to do this comparison,
> > > > but it's valid code
> > > > 
> > > > It says this is a noop
> > > > https://lgtm.com/projects/g/KDE/okular/snapshot/9755abc39706567915f1d1b757b70e2a0f8e3f3a/files/autotests/parttest.cpp?sort=name&dir=ASC&mode=heatmap#x9525a92bb944ee97:1
> > > > It's not, qRegisterMetaType does things
> > > > 
> > > > So I'm happy that those results are out there, but given the amount of
> > > > false/questionable positives I found in 5 minutes of looking at it, I'd be
> > > > very careful of giving it to "the general population", that may just
> > > > propose changes because a tool told them to.
> > > > 
> > > > Cheers,
> > > > Albert
> > > > 
> > > 
> > > They are already working on two of the bugs that you described - reported
> > > by the subsurface team.
> > > 
> > > The source for parts of the tools is here:
> > > 
> > > https://github.com/Semmle/ql
> > > 
> > > And of course as any tool that is starting there will be errors.
> > 
> > Sure, I never said it's useless, in fact it did find some mismatched
> > free/delete/delete[] calls in both okular and poppler.
> > I just want to make sure we don't tell people "these are bugs, go fix
> > them", because then people will take the tool at 100% correct rate value,
> > when it's not that kind of tool.
> 
> I opened bug reports to them:
> 
> https://github.com/Semmle/ql/issues/1153
> this one I'm not convinced yet.
> 
> https://github.com/Semmle/ql/issues/1154
> this one it seems that it was not a false positive.

Interesting, wonder if that was always the case or just started happening recently.

Thanks for helping figure it out :)

Cheers,
  Albert

> 
> > )
> 
> > Cheers,
> > Albert
> > 
> > > > > Tomaz
> > > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > 
> > 
> > 
> > 
> > 
> 


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic