[Privoxy-devel] 0006-enable-lots-of-diagnostics
Fabian Keil fk at fabiankeil.de
Sun Sep 10 10:50:48 CEST 2023

Lee <ler762 at protonmail.com> wrote on 2023-09-08 at 18:18:21:
> 
> On Wednesday, September 6th, 2023 at 9:51 AM, Fabian Keil wrote:
> 
> > Lee wrote on 2023-09-05 at 19:45:16:
 
> > > So it seems a lot easier to justify spending some time picking
> > > compiler flags than doing a code audit. Which leads to things
> > > like cppCheck or .. who was it that offered to do free automated
> > > code audits on open-source code?
> > Coverity used to allow "us" to run their proprietary scanner over
> > the Privoxy code but I just checked and the DNS name for the
> > web interface [0] no longer resolves to an IP address and
> > the website [1] redirects to another one [2] ...
> 
> That's too bad.  Did you get anything useful out of Coverity?

I always felt dirty running their proprietary tool chain
(in an ElectroBSD jail) and it was inconvenient as viewing
the actual results required uploading the data to their web
server, but it found a few issues.
I've committed the fixes with commit messages that
contain the string "CID" (for Coverity ID) followed
by the ID number Coverity used to refer to the issue,
so you could look the fixes up if you're interested.

> I have a vague memory of a bug report where the user said
> they found the bug using cppCheck.  The version in cygwin
> is ancient; I just tried the current version of cppcheck
> and it died with a Segmentation fault :(   Maybe it's the
> way I built it?  *sigh*  My ability to look at a crash dump
> and figure out what went wrong went away with the mainframes
> decades ago.

I just ran Cppcheck 2.10.3 with "cppcheck --force *.c"
on ElectroBSD and it found:
| Checking ssl.c ...
| ssl.c:38:0: error: No header in #include [preprocessorErrorDirective]
| #  include MBEDTLS_CONFIG_FILE
| ^
and:
| Checking w32log.c ...
| w32log.c:868:59: error: Uninitialized variable: range [uninitvar]
|       SendMessage(g_hwndLogBox, EM_EXGETSEL, 0, (LPARAM) &range);
|                                                          ^
The first issue seems to be expected (MBEDTLS_CONFIG_FILE isn't
defined on my system but due to --force the code path is reached
anyway) and the latter is probably a false positive but I did not
find proper documentation for SendMessage() within a few minutes
to confirm this ...
Fabian
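
The pattern behind the w32log.c report above, as an added example that is not part of the original message or of Privoxy's code: in the Win32 API the lParam of EM_EXGETSEL points to a CHARRANGE that the control fills in, so the variable is written through a pointer hidden in an integer cast. The stub, the types and the sample values below are hypothetical stand-ins so that it compiles without windows.h.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the Win32 types; not Privoxy or Windows code. */
struct char_range { long cp_min; long cp_max; };  /* plays the role of CHARRANGE */
typedef intptr_t lparam_t;          /* integer wide enough to carry a pointer */
#define MSG_GETSEL 1                /* plays the role of EM_EXGETSEL */

/* Stub message handler: like the edit control, it treats lparam as a pointer
 * to a caller-owned struct and writes the selection into it. */
static long fake_send_message(int msg, lparam_t lparam)
{
    if (msg == MSG_GETSEL && lparam != 0) {
        struct char_range *out = (struct char_range *)lparam;
        out->cp_min = 12;           /* constructed sample selection */
        out->cp_max = 40;
    }
    return 0;                       /* other messages write nothing */
}

/* Pattern from the report: range has no initializer and only its address,
 * cast to an integer, is handed to the callee. The write happens behind the
 * cast, which is why a checker may not see it. */
static long selection_length_as_reported(void)
{
    struct char_range range;
    fake_send_message(MSG_GETSEL, (lparam_t)&range);
    return range.cp_max - range.cp_min;
}

/* Defensive variant: zero-initialize first, so the result is well defined
 * even if the callee does not handle the message and leaves range alone. */
static long selection_length_defensive(int msg)
{
    struct char_range range = { 0, 0 };
    fake_send_message(msg, (lparam_t)&range);
    return range.cp_max - range.cp_min;
}

int main(void)
{
    printf("%ld %ld %ld\n", selection_length_as_reported(),
           selection_length_defensive(MSG_GETSEL),
           selection_length_defensive(99));
    return 0;
}
```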