* Static code analysis tool for openbmc
@ 2019-03-13 10:14 Ratan Gupta
  2019-03-13 13:43 ` Lei YU
  2019-03-14 16:26 ` Tanous, Ed
  0 siblings, 2 replies; 4+ messages in thread
From: Ratan Gupta @ 2019-03-13 10:14 UTC (permalink / raw)
  To: openbmc

Hi Team,

Is there any plan to use any static code analysis tool in openbmc? I
find one of the tools which is good and used in multiple open source
projects is "coverity".

Regards
Ratan Gupta

* Re: Static code analysis tool for openbmc
  2019-03-13 10:14 Static code analysis tool for openbmc Ratan Gupta
@ 2019-03-13 13:43 ` Lei YU
  2019-03-13 21:55   ` Stewart Smith
  2019-03-14 16:26 ` Tanous, Ed
  1 sibling, 1 reply; 4+ messages in thread
From: Lei YU @ 2019-03-13 13:43 UTC (permalink / raw)
  To: Ratan Gupta; +Cc: openbmc

On Wed, Mar 13, 2019 at 6:15 PM Ratan Gupta <ratagupt@linux.vnet.ibm.com> wrote:
> Is there any plan to use any static code analysis tool in openbmc? I

In the Jenkins job, we have cppcheck to do checks on the code.

> find one of the tools which is good and used in multiple open source
> projects is "coverity".

I would prefer the clang static analyzer, but other tools like coverity are also
welcome.
And if possible, there is a much stronger analyzer, PVS-Studio Analyzer (needs a
license though). I read [PVS-Studio's blog][1] and that tool is really, really
good.

But I think the main question is, what to do with issues found by the static
analyzer? We need to define some rule to fix or ignore the issues.

[1]: https://www.viva64.com/en/b/

* Re: Static code analysis tool for openbmc
  2019-03-13 13:43 ` Lei YU
@ 2019-03-13 21:55   ` Stewart Smith
  0 siblings, 0 replies; 4+ messages in thread
From: Stewart Smith @ 2019-03-13 21:55 UTC (permalink / raw)
  To: Lei YU, Ratan Gupta; +Cc: openbmc

Lei YU <mine260309@gmail.com> writes:
> On Wed, Mar 13, 2019 at 6:15 PM Ratan Gupta <ratagupt@linux.vnet.ibm.com> wrote:
>> Is there any plan to use any static code analysis tool in openbmc? I
>
> In the Jenkins job, we have cppcheck to do checks on the code.
>
>> find one of the tools which is good and used in multiple open source
>> projects is "coverity".
>
> I would prefer the clang static analyzer, but other tools like coverity are also
> welcome.
> And if possible, there is a much stronger analyzer, PVS-Studio Analyzer (needs a
> license though). I read [PVS-Studio's blog][1] and that tool is really, really
> good.
>
> But I think the main question is, what to do with issues found by the static
> analyzer? We need to define some rule to fix or ignore the issues.

In my experience with host firmware on OpenPOWER, each tool gets a
different set of things that it catches. Even the humble sparse catches
things that other tools do not (notably endian screw-ups).

A big advantage of Coverity is the tooling around it, the web site where
you can mark things permanently as a false positive, assign things to
people, etc. For other tools that you just run in a jenkins job, it's
way too easy to not see things grow, or just have a large list of false
positives you get used to ignoring.

-- 
Stewart Smith
OPAL Architect, IBM.

* RE: Static code analysis tool for openbmc
  2019-03-13 10:14 Static code analysis tool for openbmc Ratan Gupta
  2019-03-13 13:43 ` Lei YU
@ 2019-03-14 16:26 ` Tanous, Ed
  1 sibling, 0 replies; 4+ messages in thread
From: Tanous, Ed @ 2019-03-14 16:26 UTC (permalink / raw)
  To: Ratan Gupta, openbmc

> 
> Is there any plan to use any static code analysis tool in openbmc? I find one
> of the tools which is good and used in multiple open source projects is
> "coverity".
> 

I'm in full support of getting coverity started.  I had some troubles with performance (the analysis for a single app takes a very long time) and unexpected false positives when I attempted it a while back, and gave up at the time.  One person also did get the Facebook static analyzer, infer, running recently on an OpenBMC project and it seemed to give some results, about 10% of which were actionable, and generated some commits to OpenBMC.  I'm not sure I'd advocate for it, but it's certainly another option.

-Ed
