[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[v2] Proposal for deviations in static analyser findings


  • To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Luca Fancellu <Luca.Fancellu@xxxxxxx>
  • Date: Tue, 25 Oct 2022 10:13:32 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 63.35.35.123) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=eV0sSax2zUI3ikKKSJM07B1czfdYOo4pkIxA8fBQML8=; b=LRgdbTUe7GgY/Yqclg72rokh4vQcJa8ExS8LULQhSVOGk7AYaPoez2jM7F3aiEQPIWEzmRMBHDnpBflDlHGKJzO9DLDmc5oG22c12iqB5tw5KuBeIeMYermci2MCPkthJBmi2Vt/MzaCqG3AuksIvqB6lQkh+PiDyE3aCAJHcshtsKU4WLZBzErI4n/T22A2qWDnt6FKX42RTTRq8ZEXgkhSZPPahQoHUcd0yCk9go5t5GGVC2v0b7RjwdxsORST1quErkoYUUhmUw5qBacoZvCkeLJjTOAcUB0nuLGsw2ZjTNx84E3jR7ZkehgjsmPj2GVWjMFTSoNtvcgjqJVaBA==
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=eV0sSax2zUI3ikKKSJM07B1czfdYOo4pkIxA8fBQML8=; b=VFQha9um2BLcHIy+IO8GAbAflvicmR5lWP66vMzjHJFqX2riJCHUmLecp8Qz4w3nGY6IZBIIlCTiqsnmjIjbYsUd+DqNJFlgaiu5Ul+/GbztfvcmMTvvjubT9T+F6MIbgbZB6WI+zO9LKlTaSzghVLuMoEX/VpOZgGQ+lMH4pv+AdsxFa8Zc9WwEV2UbYmFgwZDvIla0RNSeLNz6Ge6SFjLpLupP0Og7V/gMsmYbUIR2LuAYrPfz8VFN6su0GjBc68OmVQcBG8i8Lm9oNR/+9+tTreNU1of2NRbPZlut3f9+/5mBvYFIBNQd+9NicDT8Yq6IG5cwI0HRX89V2aXM2A==
  • Arc-seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=iIfYR4OWj7sLhtodbdVe4ABRHH0qcrz2aU2xpPLxI+yng6s6jzGq/0nghK8jTKnPYod9DfblqFT96EmlALXLRXbvgDpX+CoVFWSxgsu1QnkNxbkJ6RXnYmh6/aN6jeA4jHYd5RzmoXGiIr7i1veKmOD0R4Lzyr0ESaLy4uJa0cbyyuUCMAzPRPUBqAYFu/za/8a/usIio1LyTIyPqflRtknZZuEotk9A7k59X+cJBDDKK/722v6+eGjV8weUovgTcT7MDlURfH/UXj4MNL+NrT4d94pnk27AidQXu51Jf6lgAO/ilTbrGFBuegIHKKm58FXzG9J/n8zn+X2SC1Bs9Q==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=R+npQIWpKnoluMz6sqMUywKXU7YHhSFI6LIT0IM1unN9w8wvpE0ObWvwbEL4NMM7N/82KRncywgI/1GkeuIrOTBBYqyIF5AR8Gpq2AJ3EVHjJ81MYzs0cgw94K7LdtteAxLPfHI3PkO6HufuAtO/cU2C1hMVdAGyHSZOb1ePwJMXamrX82PyrRUT6oHM4ASPwcs6adiYtxV0f8WQukJ0DBajRdyRSBRFks4Le8Dj9jpDbS8E3qmrtqHOY5X5cUxOsPgaelMlLFnURd7pknOaGb1Imc5BQpBqHNFhzc7gRtug8TBEhr6hVn3UavkM3a5NC3JUt+dmdgBX5zMT1vkMnQ==
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Wei Chen <Wei.Chen@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>
  • Delivery-date: Tue, 25 Oct 2022 10:13:58 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Thread-index: AQHY6FpvIduyYvAcGUOy4Pq14Ntd1A==
  • Thread-topic: [v2] Proposal for deviations in static analyser findings

Hi all,

This is the V2 of the proposal for deviations tagging in the Xen codebase, this 
includes
all the feedbacks from the FuSa session held at the Xen Summit 2022 and all the
feedbacks received in the previous proposal sent on the mailing list.

Here a link to the previous thread: 
https://lists.xenproject.org/archives/html/xen-devel/2022-10/msg00541.html

Documenting violations
======================

Static analysers are used on the Xen codebase for both static analysis and MISRA
compliance.
There might be the need to suppress some findings instead of fixing them and
many tools permit the usage of in-code comments that suppress findings so that
they are not shown in the final report.

Xen will include a tool capable of translating a specific comment used in its
codebase to the right proprietary in-code comment understandable by the selected
analyser that suppress its finding.

In the Xen codebase, these tags will be used to document and suppress findings:

- SAF-X-safe: This tag means that the next line of code contains a finding, but
 the non compliance to the checker is analysed and demonstrated to be safe.
- SAF-X-false-positive-<tool>: This tag means that the next line of code 
contains a
 finding, but the finding is a bug of the tool.

SAF stands for Static Analyser Finding, the X is a placeholder for a positive
number, the number after SAF- shall be incremental and unique, base ten
notation and without leading zeros.

Entries in the database should never be removed, even if they are not used
anymore in the code (if a patch is removing or modifying the faulty line).
This is to make sure that numbers are not reused which could lead to conflicts
with old branches or misleading justifications.

An entry can be reused in multiple places in the code to suppress a finding if
and only if the justification holds for the same non-compliance to the coding
standard.

An orphan entry, that is an entry who was justifying a finding in the code, but 
later
that code was removed and there is no other use of that entry in the code, can 
be
reused as long as the justification for the finding holds. This is done to 
avoid the
allocation of a new entry with exactly the same justification, that would lead 
to waste
of space and maintenance issues of the database.

The files where to store all the justifications are in xen/docs/misra/ and are
named as safe.json and false-positive-<tool>.json, they have JSON format, 
entries
of these files have independent ID numbering.

Here is an example to add a new justification in safe.json::

|{
|    "version": "1.0",
|    "content": [
|        {
|            "id":"SAF-0-safe",
|            "analyser": {
|                "cppcheck": "misra-c2012-20.7",
|                "coverity": "misra_c_2012_rule_20_7_violation",
|                "eclair": "MC3R1.R20.7"
|            },
|            "name": “R20.7 C macro parameters not used as expression",
|            "text": "The macro parameters used in this […]"
|        },
|        {
|            "id":”SAF-1-safe",
|            "analyser": {
|                "cppcheck": "unreadVariable",
|                "coverity": "UNUSED_VALUE"
|            },
|            "name": “Variable set but not used",
|            "text": “It is safe because […]"
|        },
|        {
|            "id":”SAF-2-safe",
|            "analyser": {},
|            "name": "Sentinel",
|            "text": ""
|        }
|    ]
|}

Here is an example to add a new justification in false-positive-cppcheck.json::

|{
|    "version": "1.0",
|    "content": [
|        {
|            "id":"SAF-0-false-positive-cppcheck",
|            "analyser": {
|                "cppcheck": "misra-c2012-20.7"
|            },
|            “tool-version”: “2.7",
|            "name": “R20.7 second operand of member-access operator",
|            "text": "The second operand of a member access operator shall be a 
name of a member of the type pointed to, so in this particular case it is wrong 
to use parentheses on the macro parameter."
|        },
|        {
|            "id":”SAF-1-false-positive-cppcheck",
|            "analyser": {},
|            “tool-version”: “",
|            "name": "Sentinel",
|            "text": ""
|        }
|    ]
|}

To document a finding, just add another block {[...]} before the sentinel block,
using the id contained in the sentinel block and increment by one the number
contained in the id of the sentinel block.

Here a brief explanation of the field inside an object of the "content" array:
- id: it is a unique string that is used to refer to the finding, many finding
 can be tagged with the same id, if the justification holds for any applied
 case.
 It tells the tool to substitute a Xen in-code comment having this structure:
 /* SAF-0-safe [...] \*/
- analyser: it is an object containing pair of key-value strings, the key is
 the analyser, so it can be cppcheck, coverity or eclair. The value is the
 proprietary id corresponding on the finding, for example when coverity is
 used as analyser, the tool will translate the Xen in-code coment in this way:
 /* SAF-0-safe [...] \*/ -> /* coverity[coverity-id] \*/
 if the object doesn't have a key-value, then the corresponding in-code
 comment won't be translated.
- name: a simple name for the finding
- text: a proper justification to turn off the finding.



Here an example of the usage of the in-code comment tags to suppress a finding 
for the Rule 8.6:

Eclair reports it here:
https://eclairit.com:3787/fs/var/lib/jenkins/jobs/XEN/configurations/axis-Target/ARM64/axis-agent/public/builds/549/archive/ECLAIR/out/PROJECT.ecd;/sources/xen/include/xen/kernel.h.html#R50743_1

Also coverity reports it, here an extract of the finding:

xen/include/xen/kernel.h:68:
 1. misra_c_2012_rule_8_6_violation: Function "_start" is declared but never 
defined.

The analysers are complaining because we have this in xen/include/xen/kernel.h 
at line 68:

extern char _start[], _end[], start[];

Those are symbols exported by the linker, hence we will need to have a proper 
deviation for this finding.

We will prepare our entry in the database:

|{
|    "version": "1.0",
|    "content": [
|        {
|        […]
|        },
|        {
|            "id":”SAF-1-safe",
|            "analyser": {
|                “eclair": "MC3R1.R8.6",
|                "coverity": "misra_c_2012_rule_8_6_violation"
|            },
|            "name": “Rule 8.6: linker defined symbols",
|            "text": “It is safe to declare this symbol because it is defined 
in the linker script."
|        },
|        {
|            "id":”SAF-2-safe",
|            "analyser": {},
|            "name": "Sentinel",
|            "text": ""
|        }
|    ]
|}

And we will use the proper tag above the violation line:

/* SAF-1-safe [optional text] */
extern char _start[], _end[], start[];

This entry will fix also the violation on _end and start, because they are on 
the same line and the
same “violation ID”.

Also, the same tag can be used on other symbols from the linker that are 
declared in the codebase,
because the justification holds for them too.

Cheers,
Luca

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.