[OSM-dev] Static analysis with coverity of osm2pgsql and mod_tile
kakrueger at gmail.com
Thu Dec 13 16:38:09 GMT 2012
in order to try and help ensure and improve the quality of the osm
rendering stack, I have registered osm2pglsql and mod_tile / renderd on
Coverity for their static analysis tools.
Static analysis tools check the source code during compilation time to
try and find various bugs, such as memory leaks, null pointer
dereference, potential buffer overflows or dead-locks. It analyses the
control flow of the source code and identifies routes through the code
which can lead to the various issues. As such, it is particularly useful
for finding errors on obscure control flow paths (e.g. error path ways)
that during typical operations aren't executed and thus are hard to find
with dynamic testing.
It has found 32 issues in osm2pgsql and 39 in renderd. I haven't worked
through them all yet and presumably a number of them are false
positives. But a bunch of them do appear to be genuine issues, albeit
luckily most of them do appear to be on paths that during normal
operations shouldn't be executed.
If anyone else is interested in more detailed results, I think I should
be able to add you as users to the projects so that you can then access
the data coverity provides.
While coverity is normally an expensive paid-for software, they offer
their services free of charge to open source projects  and quite a
number of large OS projects use it, including the linux kernel and
postgreSQL. As far as I can tell, it supports C, C++ and Java as source
Perhaps other OSM related projects like JOSM or Mapnik would also be
interested in using coverity?
More information about the dev