Difference between revisions of "HOWTO-Static Analysis Tools"
(→PVS-Studio: added more links) |
|||
(One intermediate revision by one other user not shown) | |||
Line 19: | Line 19: | ||
== PVS-Studio == | == PVS-Studio == | ||
We use Open Source license from [https://pvs-studio.com/en/pvs-studio/?utm_source=github&utm_medium=organic&utm_campaign=open_source PVS-Studio | We use Open Source license from [https://pvs-studio.com/en/pvs-studio/?utm_source=github&utm_medium=organic&utm_campaign=open_source PVS-Studio] - static analyzer for C, C++, C#, and Java code. They were generous in providing us with free access. | ||
<font color=red>IMPORTANT:</font> Per our license requirement, you must mention PVS-Studio in your commit log messages. Please, use the following format: | <font color=red>IMPORTANT:</font> Per our license requirement, you must mention PVS-Studio in your commit log messages. Please, use the following format: | ||
SUBSYSTEM: Description. PVS-Studio VXXXX | SUBSYSTEM: Description. PVS-Studio VXXXX, VXXXX, ... | ||
Where VXXXX is the diagnostics number of PVS-Studio. | Where VXXXX is the diagnostics number of PVS-Studio. Add more numbers with comma if bulk-fixing them. | ||
The tool is run daily on the buildbot machine, every night at around 2am. The reports are available at [https://analysis.scummvm.org/ https://analysis.scummvm.org/]. | The tool is run daily on the buildbot machine, every night at around 2am. The reports are available at [https://analysis.scummvm.org/ https://analysis.scummvm.org/]. |
Latest revision as of 13:00, 21 August 2023
We use Static Analysis tools at ScummVM.
Here is some guidance on their usage
Coverity
Our major tool that is located at this URL.
To get access, you must be a member of the ScummVM Team and issue a request on that page. Ping sev for getting your request approved.
Some guidances:
- The analysis runs every Monday night EU time and completes at around 3 am. Ping sev if you want to have it re-analysed. But due to the size of our project, the limitation is to run an analysis every 24 hours.
- Use "Components -> All in Project" for viewing defects in your engine or subsystem (use the hamburger menu for navigation)
- Once you have fixed a bug, specify its classification and severity. Action should be "Fixed, tested & documented" and assign an owner to yourself (autocompletion works there)
- Address all possible issues. If you clearly see that it is a false positive, which is rare but happens, feel free to specify "False Positive" or "Ignore" but still assign it to yourself
- Be super vigilant regarding High Impact issues such as memory leaks, use-after-free and other things
- Regarding the TAINTED SCALAR issues, we have tons of those that we used to dismiss. Yes, it may lead to an issue when manually crafted game data might lead to a crash or some memory overflow exploits, but once we have the data integrity subsystem implemented, those will be eliminated.
PVS-Studio
We use Open Source license from PVS-Studio - static analyzer for C, C++, C#, and Java code. They were generous in providing us with free access.
IMPORTANT: Per our license requirement, you must mention PVS-Studio in your commit log messages. Please, use the following format:
SUBSYSTEM: Description. PVS-Studio VXXXX, VXXXX, ...
Where VXXXX is the diagnostics number of PVS-Studio. Add more numbers with comma if bulk-fixing them.
The tool is run daily on the buildbot machine, every night at around 2am. The reports are available at https://analysis.scummvm.org/.
To get access, please talk to sev or rootfather, then we add you to .htpasswd
There you may find a set of different log formats. The useful ones are:
- scummvm.html Single downloadable HTML file
- scummvm.fullhtml Multiple files HTML min-website, you may browse it online
- scummvm.vscode.sarif You may load this into Sarif plugin for VSCode. Here is how.
- scummvm.xml These are consumed by PVS-Studio internal tools
In general, read their manuals, they are comprehensive and nicely written.
Codacy
We use it on GitHub.
In sev's opinion it is mostly useless. It is an AI-based tool that seemingly runs by pattern matching. As a result, it produces tons of strange complaints about somebody's code formatting standards, etc.
Use at your discretion.
cppcheck
You may run it manually. Some team members periodically run it and fix the most outstanding issues.