Down to 0 issues on Coverity Scan.

by nickm | January 11, 2009

As of 7 January, we're down to 0 issues on Coverity Scan. This is great news!

In case you haven't heard of them, Coverity makes top-of-the-line static analysis tools (programs that analyse other programs looking for possible bugs). They're a big serious company, with a serious "enterprise" pricing structure. But, fortunately to us, they have a program to provide the use of these tools, free of charge, to selected open source projects. They've been scanning development snapshots of Tor for bugs since last September.

In September, they found 171 issues in our code. Many of these were just sloppiness in our unit tests' error handing, but a good fraction were real bugs in our main codebase, a couple of which could have resulted in crashes under unusual circumstances that probably would have been hard to debug. By December, we were down to 15 issues. Now we're at 0, at long last.

Congratulations and thanks to everybody who helped analyse and fix the bugs here, and many thanks to the administrators of Coverity Scan for helping us out.


Please note that the comment area below has been archived.

January 11, 2009


AM I blind? I can't find Tor on that website.


January 11, 2009

In reply to by Anonymous (not verified)


I asked them the same question back in December. It turns out they hadn't updated the official list (or most of the website) in a while. I wish they would, but I am glad that they are better at adding projects than updating their website.

January 12, 2009


I'm confused about something: The Tor network reveals the IP addresses of all its relay nodes (look at the "View the Network" button in your Vidalia control panel). Doesn't this reveal all the nodes running Tor, and therefore any Tor client and their IP address? It would seem to me that any person or organization with the ability to track down each IP address in the Tor network would still be able to find the user that they are looking for. Am misunderstanding something?

Clients aren't nodes. Nodes are volunteer-operated relays. Clients do not relay traffic by default.

There are about 1200 nodes, give or take. That's the list you see in Vidalia.[*] There are hundreds of thousands of clients. That list, you don't see.

[*] There are also nodes you don't see. Read up on "bridges" to learn more about these. The idea is to give people the option to run nodes that aren't advertised publicly in order to help people in censored countries.


January 14, 2009

In reply to arma


I wasn't aware Coverity was an mmorpg. ;)

February 04, 2009


Changes in version - 2009-01-21
o Security fixes:
- Fix a heap-corruption bug that may be remotely triggerable on
some platforms. Reported by Ilja van Sprundel.