[FFmpeg-devel] Sovereign Tech Fund

Michael Niedermayer michael at niedermayer.cc
Mon Feb 5 12:21:30 EET 2024 

On Wed, Jan 31, 2024 at 09:55:00PM +0000, Kieran Kunhya wrote:
> On Wed, 31 Jan 2024 at 21:45, Derek Buitenhuis <derek.buitenhuis at gmail.com>
> wrote:
> 
> > On 1/30/2024 1:48 AM, Michael Niedermayer wrote:
> > > https://trac.ffmpeg.org/wiki/SponsoringPrograms/STF/2024
> >
> > Not to derail this fine thread, but what forks does the Merge Forks
> > project refer to?
> >
> > - Derek
> >
> 
> I also added a note that 70 USD for coverity is way too much. I picked a
> random issue 1503073 and within a minute saw that it was a false positive.
> I don't deserve 70USD for that.

I fixed 2 coverity issues yesterday and it took me over 3 hours
I cant do this for 70USD per issue
(you can see the ML for the 2 patches)

In the first, the issue depended on fbw_channels to be 0.
If you look at its initialization that is possible if you have a
mono LFE channel but is that possible and can the code be reached
in that case.
For someone who hasnt worked at that specific code it takes some time
to build an argument that this should not be possible

The second issue, its obvious a bug but how do we even reach that code?
No fate tests ....
luckily there are examples in the docs but it took me several tries to
get the code to execute with similar testcases.
now looking at it, i suspect the patch i posted probably should be split
so we need a 2nd iteration
and looking at the clock when i posted this and when i started yesterday
fact is it was 3-4h work for these 2 issues

did i pick these randomly? no, i started frm the top and skiped a few
i really did not want to work on like the flac parser.

Some coverity isssues are dead easy and need seconds to categorize
or even fix. But for others its difficult

Also to categorize coverity issues one needs to understand the affectd
code. coverity telling you that after 355 conditions theres a out of
array access, you need to know if the 355 conditions are inconsistant
and contradicting. If they contradict its a false positive otherwise
its a bug.
similar when you check the return code of a function most of the time
coverity will create an issue for cases where its not checked. Thats
trivial to fix IF you know the code. But IF you do not know the code
that can some decent time too. And i think noone knows all code.

Either way, iam interrested in helping with coverity work while
at the same time this environment where peole finger point and say
"is way too much" is something i dont feel comfortable to work in.

maybe doing it per hour instead of per issue is a safer way

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Republics decline into democracies and democracies degenerate into
despotisms. -- Aristotle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240205/71a13685/attachment.sig>

More information about the ffmpeg-devel mailing list