Bug 1430749 (Closed) - Opened 7 years ago, closed 7 years ago
Update the list of checkers in config.yaml to add some clang-analyzer-security checks
Categories: Developer Infrastructure :: Source Code Analysis, enhancement
Tracking: RESOLVED FIXED, target milestone mozilla59

Tracking | Status
---|---
firefox59 | fixed
People: Reporter: andi, Assigned: andi
References: Blocks 1 open bug
Attachments (1 file):
Bug 1430749 - Update the list of checkers in config.yaml to add some clang-analyzer-security checks. (59 bytes, text/x-review-board-request) | janx: review+
We want to add the following checkers to our default list:
- clang-analyzer-security.FloatLoopCounter
- clang-analyzer-security.insecureAPI.getpw
- clang-analyzer-security.insecureAPI.gets
- clang-analyzer-security.insecureAPI.mkstemp
- clang-analyzer-security.insecureAPI.mktemp
- clang-analyzer-security.insecureAPI.rand
- clang-analyzer-security.insecureAPI.vfork
These checkers have proved to be very reliable, with a 0 margin of false positives.
Comment hidden (mozreview-request)
Comment 2 • 7 years ago (mozreview-review)
Comment on attachment 8942885 [details]
Bug 1430749 - Update the list of checkers in config.yaml to add some clang-analyzer-security checks.
https://reviewboard.mozilla.org/r/213154/#review218832
::: tools/clang-tidy/config.yaml:13
(Diff revision 1)
> publish: !!bool no
> - name: bugprone-forward-declaration-namespace
> publish: !!bool yes
> - name: clang-analyzer-deadcode.DeadStores
> publish: !!bool yes
> - - name: clang-analyzer-security.*
> + - name: clang-analyzer-security.FloatLoopCounter
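Review bot: the removed `- name: clang-analyzer-security.*` line was enabling every checker in the security group, so after this hunk any checker that is not re-added explicitly (insecureAPI.strcpy, for one) silently stops running; since each explicit entry carries its own `publish` flag, make sure the set that replaces the wildcard is the full intended list and not just the `FloatLoopCounter` line visible here.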
Nit: Why not the following, simpler config?
```
- name: clang-analyzer-security.*
publish: !!bool yes
- name: -clang-analyzer-security.insecureAPI.strcpy
publish: !!bool no
```
Attachment #8942885 - Flags: review?(janx)
Updated • 7 years ago
Assignee: nobody → bpostelnicu
Comment 3 • 7 years ago (mozreview-review)
Comment on attachment 8942885 [details]
Bug 1430749 - Update the list of checkers in config.yaml to add some clang-analyzer-security checks.
https://reviewboard.mozilla.org/r/213154/#review218834
R+ with 1 nit.
::: tools/clang-tidy/config.yaml:13
(Diff revision 1)
> publish: !!bool no
> - name: bugprone-forward-declaration-namespace
> publish: !!bool yes
> - name: clang-analyzer-deadcode.DeadStores
> publish: !!bool yes
> - - name: clang-analyzer-security.*
> + - name: clang-analyzer-security.FloatLoopCounter
Hm, this wouldn't work with our current implementation:
https://dxr.mozilla.org/mozilla-central/source/python/mozbuild/mozbuild/mach_commands.py?q=with+open%28mozpath.join%28self.topsrcdir%2C+%22tools%22%2C+%22clang-tidy%22%2C+%22config.yaml%22%29%29+as+f%3A&redirect_type=single#1713
::: tools/clang-tidy/config.yaml:15
(Diff revision 1)
> publish: !!bool yes
> - name: clang-analyzer-deadcode.DeadStores
> publish: !!bool yes
> - - name: clang-analyzer-security.*
> + - name: clang-analyzer-security.FloatLoopCounter
> + publish: !!bool yes
> + - name: clang-analyzer-security.insecureAPI.getpw
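Review bot: each explicit entry here is paired with `publish: !!bool yes`, but the description lists seven checkers while the analyzer's security group also contains `insecureAPI.UncheckedReturn` and `insecureAPI.strcpy`; list all nine with the flag you intend for each, so that an exclusion shows up as an explicit `publish: !!bool no` rather than as a silently missing entry.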
Nit: Please add all 9 security checkers explicitly then, including `security.insecureAPI.UncheckedReturn`:
https://clang-analyzer.llvm.org/available_checks.html#security_checkers
Attachment #8942885 - Flags: review+
Comment 4 • 7 years ago (mozreview-review)
Comment on attachment 8942885 [details]
Bug 1430749 - Update the list of checkers in config.yaml to add some clang-analyzer-security checks.
https://reviewboard.mozilla.org/r/213154/#review218838
::: tools/clang-tidy/config.yaml:13
(Diff revision 1)
> publish: !!bool no
> - name: bugprone-forward-declaration-namespace
> publish: !!bool yes
> - name: clang-analyzer-deadcode.DeadStores
> publish: !!bool yes
> - - name: clang-analyzer-security.*
> + - name: clang-analyzer-security.FloatLoopCounter
yep, that's why I put them by hand. We could extend this functionality, and if you choose `publish: !!bool no` then the published key will look like:
-clang-analyzer-security.insecureAPI.strcpy
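The wildcard-plus-exclusion layout from comment 2 and the `publish: !!bool no` to `-checker` mapping sketched in comment 4, as an added example that is not mozilla-central's code: it models config.yaml entries as the list of dicts a YAML parser would produce, builds the `-checks=` value clang-tidy accepts, and resolves it against a known checker list to show why the order of the wildcard and the exclusion matters. The `checks_argument` and `effective_checks` helpers and the sample config are assumptions made for this illustration.

```python
import fnmatch

# Constructed sample in the shape a YAML parser gives for config.yaml entries
# (name + publish flag), using the wildcard-plus-exclusion layout from comment 2.
WILDCARD_CONFIG = [
    {"name": "clang-analyzer-deadcode.DeadStores", "publish": True},
    {"name": "clang-analyzer-security.*", "publish": True},
    {"name": "clang-analyzer-security.insecureAPI.strcpy", "publish": False},
]

# The nine clang-analyzer security checkers named in this bug, plus the two
# other checkers visible in the quoted diff context.
AVAILABLE_CHECKERS = [
    "bugprone-forward-declaration-namespace",
    "clang-analyzer-deadcode.DeadStores",
    "clang-analyzer-security.FloatLoopCounter",
    "clang-analyzer-security.insecureAPI.UncheckedReturn",
    "clang-analyzer-security.insecureAPI.getpw",
    "clang-analyzer-security.insecureAPI.gets",
    "clang-analyzer-security.insecureAPI.mkstemp",
    "clang-analyzer-security.insecureAPI.mktemp",
    "clang-analyzer-security.insecureAPI.rand",
    "clang-analyzer-security.insecureAPI.strcpy",
    "clang-analyzer-security.insecureAPI.vfork",
]


def checks_argument(config):
    """Build clang-tidy's -checks= value from config entries (hypothetical
    extension): publish: yes emits the glob, publish: no emits it negated
    ("-name"), clang-tidy's own way to switch off a checker an earlier
    wildcard enabled. The leading "-*" disables the built-in defaults."""
    parts = ["-*"]
    for entry in config:
        name = str(entry["name"])
        parts.append(name if entry.get("publish") else "-" + name)
    return ",".join(parts)


def effective_checks(checks_arg, available):
    """Resolve a -checks= string as clang-tidy does: globs apply left to
    right, so a later "-glob" removes what an earlier glob added."""
    enabled = set()
    for pattern in checks_arg.split(","):
        negate = pattern.startswith("-")
        glob = pattern[1:] if negate else pattern
        matched = {c for c in available if fnmatch.fnmatchcase(c, glob)}
        enabled = enabled - matched if negate else enabled | matched
    return sorted(enabled)
```

Moving the strcpy exclusion above the wildcard in the config leaves strcpy enabled, because the later `clang-analyzer-security.*` glob re-adds it.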
Comment hidden (mozreview-request)
Pushed by bpostelnicu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9be7249e74fd
Update the list of checkers in config.yaml to add some clang-analyzer-security checks. r=janx
Comment 7 • 7 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox59: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Updated • 7 years ago
Product: Core → Firefox Build System
Updated • 3 years ago
Product: Firefox Build System → Developer Infrastructure