[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [v2] Proposal for deviations in static analyser findings
Hi all, This is the V2 of the proposal for deviations tagging in the Xen codebase, this includes all the feedbacks from the FuSa session held at the Xen Summit 2022 and all the feedbacks received in the previous proposal sent on the mailing list. Here a link to the previous thread: https://lists.xenproject.org/archives/html/xen-devel/2022-10/msg00541.html Documenting violations ====================== Static analysers are used on the Xen codebase for both static analysis and MISRA compliance. There might be the need to suppress some findings instead of fixing them and many tools permit the usage of in-code comments that suppress findings so that they are not shown in the final report. Xen will include a tool capable of translating a specific comment used in its codebase to the right proprietary in-code comment understandable by the selected analyser that suppress its finding. In the Xen codebase, these tags will be used to document and suppress findings: - SAF-X-safe: This tag means that the next line of code contains a finding, but the non compliance to the checker is analysed and demonstrated to be safe. - SAF-X-false-positive-<tool>: This tag means that the next line of code contains a finding, but the finding is a bug of the tool. SAF stands for Static Analyser Finding, the X is a placeholder for a positive number, the number after SAF- shall be incremental and unique, base ten notation and without leading zeros. Entries in the database should never be removed, even if they are not used anymore in the code (if a patch is removing or modifying the faulty line). This is to make sure that numbers are not reused which could lead to conflicts with old branches or misleading justifications. An entry can be reused in multiple places in the code to suppress a finding if and only if the justification holds for the same non-compliance to the coding standard. An orphan entry, that is an entry who was justifying a finding in the code, but later that code was removed and there is no other use of that entry in the code, can be reused as long as the justification for the finding holds. This is done to avoid the allocation of a new entry with exactly the same justification, that would lead to waste of space and maintenance issues of the database. The files where to store all the justifications are in xen/docs/misra/ and are named as safe.json and false-positive-<tool>.json, they have JSON format, entries of these files have independent ID numbering. Here is an example to add a new justification in safe.json:: |{ | "version": "1.0", | "content": [ | { | "id":"SAF-0-safe", | "analyser": { | "cppcheck": "misra-c2012-20.7", | "coverity": "misra_c_2012_rule_20_7_violation", | "eclair": "MC3R1.R20.7" | }, | "name": “R20.7 C macro parameters not used as expression", | "text": "The macro parameters used in this […]" | }, | { | "id":”SAF-1-safe", | "analyser": { | "cppcheck": "unreadVariable", | "coverity": "UNUSED_VALUE" | }, | "name": “Variable set but not used", | "text": “It is safe because […]" | }, | { | "id":”SAF-2-safe", | "analyser": {}, | "name": "Sentinel", | "text": "" | } | ] |} Here is an example to add a new justification in false-positive-cppcheck.json:: |{ | "version": "1.0", | "content": [ | { | "id":"SAF-0-false-positive-cppcheck", | "analyser": { | "cppcheck": "misra-c2012-20.7" | }, | “tool-version”: “2.7", | "name": “R20.7 second operand of member-access operator", | "text": "The second operand of a member access operator shall be a name of a member of the type pointed to, so in this particular case it is wrong to use parentheses on the macro parameter." | }, | { | "id":”SAF-1-false-positive-cppcheck", | "analyser": {}, | “tool-version”: “", | "name": "Sentinel", | "text": "" | } | ] |} To document a finding, just add another block {[...]} before the sentinel block, using the id contained in the sentinel block and increment by one the number contained in the id of the sentinel block. Here a brief explanation of the field inside an object of the "content" array: - id: it is a unique string that is used to refer to the finding, many finding can be tagged with the same id, if the justification holds for any applied case. It tells the tool to substitute a Xen in-code comment having this structure: /* SAF-0-safe [...] \*/ - analyser: it is an object containing pair of key-value strings, the key is the analyser, so it can be cppcheck, coverity or eclair. The value is the proprietary id corresponding on the finding, for example when coverity is used as analyser, the tool will translate the Xen in-code coment in this way: /* SAF-0-safe [...] \*/ -> /* coverity[coverity-id] \*/ if the object doesn't have a key-value, then the corresponding in-code comment won't be translated. - name: a simple name for the finding - text: a proper justification to turn off the finding. Here an example of the usage of the in-code comment tags to suppress a finding for the Rule 8.6: Eclair reports it here: https://eclairit.com:3787/fs/var/lib/jenkins/jobs/XEN/configurations/axis-Target/ARM64/axis-agent/public/builds/549/archive/ECLAIR/out/PROJECT.ecd;/sources/xen/include/xen/kernel.h.html#R50743_1 Also coverity reports it, here an extract of the finding: xen/include/xen/kernel.h:68: 1. misra_c_2012_rule_8_6_violation: Function "_start" is declared but never defined. The analysers are complaining because we have this in xen/include/xen/kernel.h at line 68: extern char _start[], _end[], start[]; Those are symbols exported by the linker, hence we will need to have a proper deviation for this finding. We will prepare our entry in the database: |{ | "version": "1.0", | "content": [ | { | […] | }, | { | "id":”SAF-1-safe", | "analyser": { | “eclair": "MC3R1.R8.6", | "coverity": "misra_c_2012_rule_8_6_violation" | }, | "name": “Rule 8.6: linker defined symbols", | "text": “It is safe to declare this symbol because it is defined in the linker script." | }, | { | "id":”SAF-2-safe", | "analyser": {}, | "name": "Sentinel", | "text": "" | } | ] |} And we will use the proper tag above the violation line: /* SAF-1-safe [optional text] */ extern char _start[], _end[], start[]; This entry will fix also the violation on _end and start, because they are on the same line and the same “violation ID”. Also, the same tag can be used on other symbols from the linker that are declared in the codebase, because the justification holds for them too. Cheers, Luca
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |