Codechecker Versions Save

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy

v6.24.0-rc1

1 month ago

:star2: Highlights

Listing of Enabled/Disabled Checkers in the WEB UI per run

CodeChecker provides a new view in the "Analysis information tab" which lists all checkers that were enabled during analysis.

image

New Checker Coverage Statistics view

CodeChecker provides a new view to display all enabled checkers for a set of selected runs. The new table lists all checkers that were enabled in a set of selected analysis runs, shows the number of outstanding reports and the number of closed reports per enabled checker.

How is this new view different compared to the existing "Checker Statistics View"? The Checker Statistics View only displays checkers that produced reports for the selected runs. This new view additionally lists all checkers that were enabled in the last analysis for the selected runs.

image

Faster run storage

Thanks to a new optimization, the run storage duration can be up to 50% faster.

New Static HTML Report Pages

  • [cmd] Restructure static HTML generation so it can handle much larger result set. #4168
  • [feat] Display dynamic analysis generated testcase and timestamp columns in static HTML #4172

Web GUI improvements

:exclamation: Backward incompatible changes

None

:bug: Analyzer improvements

:computer: CLI/Server improvements

:deciduous_tree: Environment

:book: Documentation updates

:hammer: Other

New Contributors

Full Changelog: https://github.com/Ericsson/codechecker/compare/v6.23.1...v6.24.0-rc1

v6.23.1

5 months ago

What's Changed

Full Changelog: https://github.com/Ericsson/codechecker/compare/v6.23.0...v6.23.1

v6.23.0

5 months ago

:star2: Highlights

GCC Static Analyzer support

We are happy to announce that CodeChecker added native support for the GCC Static Analyzer! This analyzer checks code in the C family of languages, but its latest release at the time of writing is still best used only on C code. Despite it being a bit immature for C++, we did some internal surveys where the GCC Static Analyzer seemed to be promising.

We expect this analyzer to be slower than clang-tidy, but faster than the Clang Static Analyzer. You can enable it by adding --analyzers gcc to your CodeChecker check or CodeChecker analyze commands. For further configuration, check out the GCC Static Analyzer configuration page.

GNU GCC 13.0.0. (the minimum version we support) can be tricky to obtain and to make CodeChecker use it, as CodeChecker looks for the g++ binary, not g++-13. As a workaround, you can set the environmental variable CC_ANALYZER_BIN which will make CodeChecker use the given analyzer path (e.g. CC_ANALYZER_BIN="gcc:/usr/bin/g++-13"). You can use CodeChecker analyzers to check whether you have the correct binary configured.

You can enable gcc checkers by explicitly mentioning them at the analyze command e.g.

CodeChecker analyze -e gcc

gcc checkers are only added to the exterme profile. After evaluation, some checkers may be added to other profiles too.

Under the same breath, we added partial support for the SARIF file format (as opposed to using plists) to report-converter, with greater support planned for future releases.

Review status config file

In previous CodeChecker versions, you could set the review status of a report using two methods: using in-source comments, or setting a review status rule in the GUI. The former sets the specific report's review status, the latter sets all matching reports' review status.

This release introduces a third way, a review status config file! One of the motivations behind this is that we wanted to have a way to set review statuses on reports in specific directories (which was not possible on the GUI). CodeChecker uses a YAML config file that can be set during analysis:

$version: 1
rules:
  - filters:
      filepath: /path/to/project/test/*
      checker_name: core.DivideZero
    actions:
      review_status: intentional
      reason: Division by zero in test files is automatically intentional.

  - filters:
      filepath: /path/to/project/important/module/*
    actions:
      review_status: confirmed
      reason: All reports in this module should be investigated.

  - filters:
      filepath: "*/project/test/*"
    actions:
      review_status: suppress
      reason: If a filter starts with asterix, then it should be quoted due to YAML format.

  - filters:
      report_hash: b85851b34789e35c6acfa1a4aaf65382
    actions:
      review_status: false_positive
      reason: This report is false positive.

This is how you can use this config file for an analysis:

CodeChecker analyze compile_commands.json --review-status-config review_status.yaml -o reports

The config file allows for a great variety of ways to match a report and set its review status. For further details see this documentation.

Enable/disable status of checkers

In this release the unknown Checker status has been eliminated. CodeChecker will enable only those checkers that are either present in the default profile (see CodeChecker checkers --profile default) or enabled using the --enable argument (through another profile or explicitly through a checker name).

In previous CodeChecker versions, when you ran an analysis, we assigned three states to every checker: it's either enabled, disabled, or neither (unknown). We kept the third state around to give some leeway for the analyzers to decide which checkers to enable or disable, usually to manage their checker dependencies. We now see that this behavior can be (and usually is) confusing, party because it's hard to tell which checkers were actually enabled.

You can list the checkers enabled by default using the CodeChecker checkers command:

CodeChecker 6.22.0 output:
 
CodedeChecker checkers |grep clang-diagnostic-varargs -A7
clang-diagnostic-varargs
  --> Status: unknown <---
  Analyzer: clang-tidy
  Description:
  Labels:
    doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wvarargs
    severity:MEDIUM
 
=>
CodeChecker 6.23.0 output:
 
CodeChecker checkers |grep clang-diagnostic-varargs -A7
clang-diagnostic-varargs
  ---> Status: disabled <---
  Analyzer: clang-tidy
  Description:
  Labels:
    doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wvarargs
    severity:MEDIUM

Major fixes to run/tag comparisons (diff)

Following a thorough survey, we identified numerous areas to improve on our run/tag comparisons. We landed several patches to improve the results of diffs both on the CLI and the web GUI (which should be almost always identical). Despite that this feature has the appearance of a simple set operation, diff is a powerful tool that can express a lot of properties on the state of your codebase, and has a few intricacies. For this reason, we also greatly improved our docs around it.

A detailed description of the issues are described in this ticket: https://github.com/Ericsson/codechecker/issues/3884

One example is that the if the suppression was removed for a finding, the diff did not show the reappearing result as new (in local/local diff):

// Code version 1:
void c() {
  int i = 0; // deadstore, this value is never read
  // codechecker_suppress [all] SUPPRESS ALL
  i = 5;
}


// Code version 2 (suppression removed):

void c() {
  int i = 0; // deadstore, this value is never read
  i = 5;
}

CodeChecker diff -b version1.c -n version2.c --new 
Did not show the deadstore finding as new.

Web GUI improvements

We landed several patches to improve the readability and usability of the GUI, with more improvements to come in later releases! The currently selected event's visual highlight pops a little more now in the report view, and we no longer show unused columns in the run view.

In this image, you can see how much the selected event "pops" after this release, and also, how other events' opacity was a lowered a bit, which allows arrows to be seen through them. image

  1. In the report detail page, outstanding and closed issues are clearly organized into a left tree view. So it will be easier to see which report needs more attention (fixing or triaging).

image

Report limit for storing to the server

Especially in the case of clang-tidy, we have observed some unreasonable number of reports by certain checkers. In some instances, we saw hundreds of thousands (!) of reports reported by some individual checkers, and its more than unlikely that anyone will inspect these reports individually (you probably got the message about using parantheses around macros after the first 15 000 reports).

We found that these checkers were usually enabled by mistake, and put unnecessary strain both on the storage of results to the server, and on the database once stored. Moving forward, CodeChecker servers will reject stores of runs that have more than 500 000 reports. This limit is a default value that you can change or even set to unlimited. Our intent is not to discourage legitemately huge stores, only those that are whose size is likely this large by mistake.

When creating a new product called My product at endpoint myproduct, you can set the report limit from the CLI with the following invocation:

CodeChecker cmd products add -n "My product" --report-limit 1000000 myproduct

For an already existing product, you can change the limit by clicking the pencil at the products page: image image

:exclamation: Backward incompatible changes

  • [analyzer] Promote the missing analyzer warning to an error #3997
    • If analyzers are specified with --analyzers flag and one of them is missing, CodeChecker now emits an error.
    • Previously, the user could only specify the analyzers without version number e.g.: CodeChecker analyze compile_commands.json -o reports --analyzers clangsa
    • Now, you can also validate the analyzer's version number e.g.: CodeChecker analyze compile_commands.json -o reports --analyzers clangsa==14.0.0
    • In both cases, if a wrong analyzer was given, the system exit would trigger.

--all and --details were deprecated for CodeChecker analyzers

With the introduction of the GCC Static Analyzer, we think that the --all flag was more confusing than useful -- its a reasonable assumption that any system will have a version of GCC available. The default behaviour prior to this release was to only list analyzers that were available for analysis: the binary was found, met the version criteria, and was functional. The --all flag listed all supported analyzers, even if they were not available. We changed the default behaviour to always list all supported checkers, and --all is ignored. We emit helpful warnings for analyzers that CodeChecker supports, but can't analyze with.

--details could be used to print additional version information of the binary, but we didn't feel like it provided any value above what the non-detailed query gave, and it was impossible to pretty print. After this release, this flag will also be ignored.

:bug: Analyzer improvements

:computer: CLI/Server improvements

:deciduous_tree: Environment

:book: Documentation updates

:hammer: Other

Full Changelog: https://github.com/Ericsson/codechecker/compare/v6.22.2...v6.23.0

v6.23.0-rc2

6 months ago

The following changes and fixes were made since v6.23.0-rc1

Fixed the SARIF file location according to the GCC documentation. Changed GCC's output format to sarif-stderr. Temporarily ignored compiler warnings in GCC.

:bug: Analyzer Improvements:

Replaced the multiprocessing library with multiprocess. This resolved issues in multiprocess library usage on different platforms but mostly on OSX. Added in https://github.com/Ericsson/codechecker/pull/4076

Fixing a crash when CC_ANALYZERS_FROM_PATH env variable is set in https://github.com/Ericsson/codechecker/pull/4084

Corrected a bug about the --enable-all flag not disabling specific warnings in #4080 by @bruntib Fixed non-determinism in the appearance of clang-tidy checkers. Prevented duplicate addition of extra arguments in cppcheck. Resolved an issue with the AnalyzerContext lazy initialization.

:computer: Server/GUI Updates:

An error was fixed when loading the report in the report view that caused the review status dropdown menu's value to fail to update when switching to a report with a different status. Fixed in in https://github.com/Ericsson/codechecker/pull/4082 by @cservakt

CI Configuration

The issue with building ReadTheDocs has been rectified. You can view the latest docs here: https://codechecker.readthedocs.io/en/latest/ In addition, we have implemented modifications to the PyPI action in order for a more reliable package publishing by @vodorok

:hammer: Other:

Full Changelog: https://github.com/Ericsson/codechecker/compare/v6.23.0-rc1...v6.23.0-rc2

v6.23.0-rc1

6 months ago

:star2: Highlights

GCC Static Analyzer support

We are happy to announce that CodeChecker added native support for the GCC Static Analyzer! This analyzer checks code in the C family of languages, but its latest release at the time of writing is still best used only on C code. Despite it being a bit immature for C++, we did some internal surveys where the GCC Static Analyzer seemed to be promising.

We expect this analyzer to be slower than clang-tidy, but faster than the Clang Static Analyzer. You can enable it by adding --analyzers gcc to your CodeChecker check or CodeChecker analyze commands. For further configuration, check out the GCC Static Analyzer configuration page.

GNU GCC 13.0.0. (the minimum version we support) can be tricky to obtain and to make CodeChecker use it, as CodeChecker looks for the g++ binary, not g++-13. As a workaround, you can set the environmental variable CC_ANALYZER_BIN which will make CodeChecker use the given analyzer path (e.g. CC_ANALYZER_BIN="gcc:/usr/bin/g++-13"). You can use CodeChecker analyzers to check whether you have the correct binary configured.

You can enable gcc checkers by explicitly mentioning them at the analyze command e.g.

CodeChecker analyze -e gcc

gcc checkers are only added to the exterme profile. After evaluation, some checkers may be added to other profiles too.

Under the same breath, we added partial support for the SARIF file format (as opposed to using plists) to report-converter, with greater support planned for future releases.

Review status config file

In previous CodeChecker versions, you could set the review status of a report using two methods: using in-source comments, or setting a review status rule in the GUI. The former sets the specific report's review status, the latter sets all matching reports' review status.

This release introduces a third way, a review status config file! One of the motivations behind this is that we wanted to have a way to set review statuses on reports in specific directories (which was not possible on the GUI). CodeChecker uses a YAML config file that can be set during analysis:

# review_status.yaml

- filepath_filter: /path/to/project/test/*
  checker_filter: core.DivideZero
  message: Division by zero in test files is automatically intentional.
  review_status: intentional
- filepath_filter: /path/to/project/important/module/*
  message: All reports in this module should be investigated.
  review_status: confirmed
- filepath_filter: "*/project/test/*"
  message: If a filter starts with asterix, then it should be quoted due to YAML format.
  review_status: suppress
- report_hash_filter: b85851b34789e35c6acfa1a4aaf65382
  message: This report is false positive.
  review_status: false_positive

This is how you can use this config file for an analysis:

CodeChecker analyze compile_commands.json --review-status-config review_status.yaml -o reports

The config file allows for a great variety of ways to match a report and set its review status. For further details see this documentation.

Enable/disable status of checkers

In previous CodeChecker versions, when you ran an analysis, we assigned three states to every checker: it's either enabled, disabled, or neither (unknown). We kept the third state around to give some leeway for the analyzers to decide which checkers to enable or disable, usually to manage their checker dependencies. We now see that this behavior can be (and usually is) confusing, party because it's hard to tell which checkers were actually enabled. In this release the unknown status has been eliminated, and we deal with dependencies using other means. Moving on, CodeChecker will enable only those checkers that are either present in the default profile (see CodeChecker checkers --profile default) or enabled using the --enable argument.

Major fixes to run/tag comparisons (diff)

Following a thorough survey, we identified numerous areas to improve on our run/tag comparisons. We landed several patches to improve the results of diffs both on the CLI and the web GUI (which should be almost always identical). Despite that this feature has the appearance of a simple set operation, diff is a powerful tool that can express a lot of properties on the state of your codebase, and has a few intricacies. For this reason, we also greatly improved our docs around it.

Web GUI improvements

We landed several patches to improve the readability and usability of the GUI, with more improvements to come in later releases! The currently selected event's visual highlight pops a little more now in the report view, and we no longer show unused columns in the run view.

In this image, you can see how much the selected event "pops" after this release, and also, how other events' opacity was a lowered a bit, which allows arrows to be seen through them. image

Report limit for storing to the server

Especially in the case of clang-tidy, we have observed some unreasonable number of reports by certain checkers. In some instances, we saw hundreds of thousands (!) of reports reported by some individual checkers, and its more than unlikely that anyone will inspect these reports individually (you probably got the message about using parantheses around macros after the first 15 000 reports).

We found that these checkers were usually enabled by mistake, and put unnecessary strain both on the storage of results to the server, and on the database once stored. Moving forward, CodeChecker servers will reject stores of runs that have more than 500 000 reports. This limit is a default value that you can change or even set to unlimited. Our intent is not to discourage legitemately huge stores, only those that are whose size is likely this large by mistake.

When creating a new product called My product at endpoint myproduct, you can set the report limit from the CLI with the following invocation:

CodeChecker cmd products add -n "My product" --report-limit 1000000 myproduct

For an already existing product, you can change the limit by clicking the pencil at the products page: image image

:exclamation: Backward incompatible changes

Clang warnings must be referred to as clang-diagnostic-<warning-name> (instead of W<warning-name>)

After analysis, reports from clang compiler warnings (well before this release) were attributed to clang-diagnostic-<warning-name> instead of -W<warning-name> that is usually given to the compiler to enable <warning-name>. We did this so that warnings from different compilers could be differentiated. However, you could only enable <warning-name> as a checker by referencing it as W<warning-name>. In this release, we fixed this inconsistency.

Moving forward, you can enable a clang warning with the following syntax:

CodeChecker analyzer -e clang-diagnostic-deprecated-copy

instead of

CodeChecker analyze -e Wdeprecated-copy

which is no longer supported. You can list all clang-diagnostics with the CodeChecker checkers command.

--all and --details were deprecated for CodeChecker analyzers

With the introduction of the GCC Static Analyzer, we think that the --all flag was more confusing than useful -- its a reasonable assumption that any system will have a version of GCC available. The default behaviour prior to this release was to only list analyzers that were available for analysis: the binary was found, met the version criteria, and was functional. The --all flag listed all supported analyzers, even if they were not available. We changed the default behaviour to always list all supported checkers, and --all is ignored. We emit helpful warnings for analyzers that CodeChecker supports, but can't analyze with.

--details could be used to print additional version information of the binary, but we didn't feel like it provided any value above what the non-detailed query gave, and it was impossible to pretty print. After this release, this flag will also be ignored.

:bug: Analyzer improvements

:computer: CLI/Server improvements

:deciduous_tree: Environment

:book: Documentation updates

:hammer: Other

Full Changelog: https://github.com/Ericsson/codechecker/compare/v6.22.2...v6.23.0-rc1

v6.22.2

10 months ago

:star2: Highlights

Support for Ubuntu 22.04

CodeChecker failed to build on Ubuntu 22.04 in its previous release because of two issues: some of our dependencies broke with the release of python3.9, and we didn't support GNU Make-s new way of creating build jobs. These issues are all fixed now, so CodeChecker should work with the latest version of python and GNU Make!

:bug: Analyzer improvements

  • Ignore some gcc flags (-fno-lifetime-dse#3913, -Wno-error, -fprofile #3937, #3941)
    • We do these kinds of patches reguarly when a gcc flag is not supported by our main analyzer, clang.
  • Disable cppcheck-preprocessorErrorDirective explicitly #3902
    • Cppcheck analyzer results compilation errors due to less granular configuration of the build environment. This results too many false-positive reports, so this checker is disabled by default.
  • Fix exception in Spotbugs report-converter (report-converter crashed when SourceLine has no source_path attribute) #3917
  • Fix crash when an assembler command is analyzed #3914
  • Logger-related changes
    • Recognize and capture linux_spawn alongside exec* calls in the logger #3930
    • Use absolute path to logger.so in LD_PRELOAD #3919
      • CodeChecker logger is using the LD_PRELOAD environment variable where ldlogger.so was set with a relative path. Due to the relative path LD_LIBRARY_PATH has to be set too. However, this latter environment variable is overridden by the build systems many times. So CodeChecker uses an absolute path in LD_PRELOAD and eliminates the usage of LD_LIBRARY_PATH.
  • Adapt to new clang-tidy checker options format. #3934
  • Enable multiple inputs for report-converter #3897
  • Introduce sanitizer checker names #3904
  • Exclude dynamic parts of checker message in hash generation #3927
  • Analysis shouldn't fail on non-existing directory #3943
  • report-converter: Parse all leaks reported by LeakSanitizer #3750

:computer: CLI/Server improvements

  • [fix][server] Fix webapp crash when using component filter #3887
  • [bugfix] Fix the zombie process issue #3895
  • 6.22.1 highlights #3888
  • [GUI] Add a tooltip about Diff #3890
  • [cmd] Warning message on no run delete. #3915
  • [GUI] Pop the call stack when the message starts with "Returning;" #3948
  • Fix local local diff src code suppression #3944

:deciduous_tree: Environment

  • [test] Get rid of mockldap #3894
  • [req] Upgrade lxml to 4.9.2 #3896
  • [fix] One more attempt to fix gui tests #3911
  • Bump GitPython version #3841
  • [ci] Remove pypi actions from pullrequest and push events. #3912
  • Update Snapstore publish action #3891
  • [fix] Fix newly surfaced gui test error during cleanup plan testing #3920
  • [test][NFC] Change from nose to pytest (analyzer library) #3926
  • [test][NFC] Change from nose to pytest (tools library) #3931
  • [test][NFC] Change from nose to pytest (web library) #3932
  • [test][NFC] Remove every remaining trace of nose in favor of pytest #3933
  • [env] Upgrade PyYAML to version 6.0 #3942
  • [test] Allow additional pytest args to be given through make targets #3935

:book: Documentation updates

  • [config] Additional clang-diagnostic documentations #3922

:hammer: Other

  • [doc] Make every second release highlight green #3882
  • [version] Bump up to version 6.23.0 #3893
  • Makefile: package_gerrit_skiplist should depend on package_dir_structure #3901
  • [NFC] Factor args out of the diff logic for unit tests #3863
  • [refactor] Reducing analyzer config handler #3824
  • [test] Add missing tests for cmdline diffing, and display a bug for tag diffs #3868
  • Error message: Add a missing space #3953
  • Fix a Pylint false positive with python3.9 or later #3925

Full Changelog: https://github.com/Ericsson/codechecker/compare/v6.22.0...v6.22.2

v6.22.1

1 year ago

:star2: Highlights

[fix][server] Fix webapp crash when using component filter

CodeChecker webapp was crashing when using the component filter, which has been fixed in this release. #3887

[doc] Make every second release highlight green #3882

v6.22.0

1 year ago

:star2: Highlights

Further enhancements to speed up the store procedure

After another round of optimizations, CodeChecker store is ~2 times faster than in v6.21.0. Combined with the previous release, storing may be as much as 4 times faster than v6.20.0., with larger result directories seeing a greater degree of improvement.

This should allow those that use CodeChecker in CI loops to see fewer timeouts due to long storages, or lower timeout tresholds significantly.

Multiroot analysis

CodeChecker now supports an analysis mode where for each source file, it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file.

If your project is structured such that multiple folders act as their own root folder (hence the name multiroot), CodeChecker should be able to support that out of the box. clangd and clang-tidy already works this way: https://clangd.llvm.org/installation.html#compile_commandsjson

This feature also affects the CodeChecker Visual Studio Code plugin, where analysis will be done on multiroot projects as well Ericsson/CodecheckerVSCodePlugin#113.

Previously the input of analysis must have been a compilation database JSON file. This PR supports the following new CodeChecker analyze invocations, as long as a corresponding compilation database file is found:

# Analyze a single file.
CodeChecker analyze analyze.cpp -o reports

# Analyze all source files under a directory.
CodeChecker analyze my_project -o reports

CodeChecker is now able to parse additional fields from plist files especially relevant to dynamic analyses. https://github.com/Ericsson/codechecker/blob/master/docs/analyzer/user_guide.md#dynamic-analysis-results

<dict>
  <key>diagnostics</key>
  <array>
    <dict>
      <key>category</key>
      <string>unknown</string>
      <key>check_name</key>
      <string>UndefinedBehaviorSanitizer</string>
      <key>report-annotation</key>
      <dict>
        <key>testcase</key>
        <string>yhegalkoei</string>
        <key>timestamp</key>
        <string>1970-04-26T17:27:55</string>
      </dict>
      <key>path</key>
      <array>
        ...
      </array>
    </dict>

image

Unlike for static analyzers, the time of the detection can be a crucial piece of information, as a report may be a result of another preceding report. Users that record the timestamp of the detection and store it in CodeChecker under the new 'Timestamp' field will be able to sort reports by it. CodeChecker now also supports the 'Testsuite' field.

You can read more about this feature in its PR #3849, and the relevant docs PR #3871.

:exclamation: Backward incompatible changes

  • [cmd] Remove some deprecated flags. #3823
    • CodeChecker checkers --only-enabled DEPRECATED. Show only the enabled checkers. use CodeChecker checkers --details to list the checker status (enabled/disabled)
    • CodeChecker checkers --only-disabled. use CodeChecker checkers --details to list the checker status.
    • CodeChecker cmd diff -s, --suppressed DEPRECATED. Lists the suppressed reports. Use the  --review-status [REVIEW_STATUS [REVIEW_STATUS ...]] flag to filter the results.
    • CodeChecker cmd diff --filter FILTER       DEPRECATED. Filter diff results. Use  the --review-status [REVIEW_STATUS [REVIEW_STATUS ...]] flag                         to filter the results.
    • CodeChecker cmd sum  --disable-unique  DEPRECATED. Use the '--uniqueing' option to get uniqueing results.
  • [cmd] Remove the CodeChecker analyzer --tidy-config flag #3822
    • CodeChecker analyze [--tidy-config TIDY_CONFIG] DEPRECATED and removed. Use the CodeChecker analyzers --analyzer-config clang-tidy to list the analyzer options Use e.g. CodeChecker analyze --analyzer-config clang-tidy:WarningsAsErrors=true to set a parameter. Alternatively you can use .clang-tidy config files too
  • [analyzer] Promote the missing checker warning to an error #3820
    • If a checker name given to --enable/--disable is not recognized (usually because of a typo) by any of the analyzers, CodeChecker now emits an error. While we strongly advise you against it, you can demote this error to a warning, restoring the behaviour similar to previous releases, with the flag --no-missing-checker-error (#3866).

:bug: Analyzer improvements

  • ignore -fno-keep-inline-dllexport gcc option #3813
  • Fix error using Clang option '-stdlib=libc++' #3808
  • [fix] Fix a condition about checkers being compiler warnings #3838
  • [analyzer] Promote the missing checker warning to an error #3820
  • [fix] Pass arch flag correctly #3854
  • [fix] Treat clang-diagnostic-* checkers as compiler flags #3874
  • Forward --driver-mode compiler flag to the analyzer #3867

:repeat: Profile changes

  • bugprone-standalone-empty: default, extreme, sensitive
  • bugprone-unsafe-functions: extreme, security, sensitive
  • cert-msc24-c: alias of bugprone-unsafe-functions
  • cert-msc33-c: alias of bugprone-unsafe-functions
  • cppcoreguidelines-avoid-capture-default-when-capturing-this: extreme, sensitive
  • cppcoreguidelines-avoid-capturing-lambda-coroutines: default, extreme, sensitive
  • cppcoreguidelines-avoid-reference-coroutine-parameters: default, extreme, sensitive
  • cppcoreguidelines-rvalue-reference-param-not-moved: extreme, sensitive
  • llvmlibc-inline-function-decl: style
  • misc-use-anonymous-namespace: default, extreme, sensitive
  • Document the new checker misc-use-anonymous-namespace #3803
  • [cfg] Assign new check profiles for 6.22RC1 #3861

:computer: CLI/Server improvements

  • Further enhancements to speed up the store procedure #3796
  • Multiroot analysis #3815 CodeChecker now supports an analysis mode where for each source file, it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file. clangd and clang-tidy works this way: https://clangd.llvm.org/installation.html This feature allows the analaysis of multi-root projects also in the vscode plugin Ericsson/CodecheckerVSCodePlugin#113 Previously the input of analysis was a compilation database JSON file. The of this PR is to support the following analysis invocations:
# Analyze one source file.
CodeChecker analyze main.c -o reports

# analyze all source files under a directory.
CodeChecker analyze my_project -o reports
  • Support report annotations and add dynamic analyzer related annotations #3849
  • Required format for --checker-config #3817 "CodeChecker analyze" command has a --checker-config flag. The parameter this flag should be in the following format: <analyzer>:<checker>:<option>=<value>. This format is checked and an error message is emitted if the format is not met.
  • [cmd] Gracefully exit instead of crashing when cmd diff is missing a param #3801
  • cppcheck: allow spaces in path #3812
  • [cmd] Fix a crash with CodeChecker cmd diff --unique on #3816
  • [bugfix] Don't convert cppcheck parameters to absolute path #3821
  • [cmd] Deprecate --warnings flag #3802
  • [gui] Fix for filter product in gui test #3469
  • [web] Fix stale permission caching #3840

:deciduous_tree: Environment

  • [req] Upgrade lxml to 4.9.1 #3799
  • Fix three bugs and a couple of style issues #3804
  • Updates to setup.py/PyPI configuration #3819
  • [test] Upgrade to Python 3.8 in GitHub Actions #3859

:book: Documentation updates

  • README.md: add python3-setuptools dependency #3729
  • [docs] Reword what labels, guidelines, checkers mean, and their enabling #3845

:hammer: Other

  • [version] Bump version to 6.22.0 #3787
  • [repo] Add vim sessions file to gitignore #3792
  • [docs] Fix facebook-infer links #3834
  • [tests] Change subprocess.call to subprocess.Popen #3837
  • Change dev/test servers port from default #3833

v6.22.0-rc1

1 year ago

:star2: Highlights

Further enhancements to speed up the store procedure

After another round of optimizations, CodeChecker store is ~2 times faster than in v6.21.0. Combined with the previous release, storing may be as much as 4 times faster than v6.20.0., with larger result directories seeing a greater degree of improvement.

This should allow those that use CodeChecker in CI loops to see fewer timeouts due to long storages, or lower timeout tresholds significantly.

Multiroot analysis

CodeChecker now supports an analysis mode where for each source file, it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file.

If your project is structured such that multiple folders act as their own root folder (hence the name multiroot), CodeChecker should be able to support that out of the box. clangd and clang-tidy already works this way: https://clangd.llvm.org/installation.html#compile_commandsjson

This feature also affects the CodeChecker Visual Studio Code plugin, where analysis will be done on multiroot projects as well Ericsson/CodecheckerVSCodePlugin#113.

Previously the input of analysis must have been a compilation database JSON file. This PR supports the following new CodeChecker analyze invocations, as long as a corresponding compilation database file is found:

# Analyze a single file.
CodeChecker analyze analyze.cpp -o reports

# Analyze all source files under a directory.
CodeChecker analyze my_project -o reports

CodeChecker is now able to parse additional fields from plist files especially relevant to dynamic analyses.

<key>diagnostics</key>
<array>
<dict>
   <key>category</key>
   <string>Memory error</string>
   ...
   <dict>
     <key>timestamp</key>
     <string>2000-01-01 10:00</string>
     <key>testsuite</key>
     <string>TS-1</key>
     ...
   </dict>
</dict>
</array>

image

Unlike for static analyzers, the time of the detection can be a crucial piece of information, as a report may be a result of another preceding report. Users that record the timestamp of the detection and store it in CodeChecker under the new 'Timestamp' field will be able to sort reports by it. CodeChecker now also supports the 'Testsuite' field.

You can read more about this feature in its PR: #3849.

:exclamation: Backward incompatible changes

  • [cmd] Remove some deprecated flags. #3823
  • [cmd] Remove --tidy-config flag #3822
  • [cmd] Remove some deprecated flags. #3823
    • CodeChecker checkers --only-enabled DEPRECATED. Show only the enabled checkers. use CodeChecker checkers --details to list the checker status (enabled/disabled)
    • CodeChecker checkers --only-disabled. use CodeChecker checkers --details to list the checker status.
    • CodeChecker cmd diff -s, --suppressed DEPRECATED. Lists the suppressed reports. Use the  --review-status [REVIEW_STATUS [REVIEW_STATUS ...]] flag to filter the results.
    • CodeChecker cmd diff --filter FILTER       DEPRECATED. Filter diff results. Use  the --review-status [REVIEW_STATUS [REVIEW_STATUS ...]] flag                         to filter the results.
    • CodeChecker cmd sum  --disable-unique  DEPRECATED. Use the '--uniqueing' option to get uniqueing results.
  • [cmd] Remove the CodeChecker analyzer --tidy-config flag #3822
    • CodeChecker analyze [--tidy-config TIDY_CONFIG] DEPRECATED and removed. Use the CodeChecker analyzers --analyzer-config clang-tidy to list the analyzer options Use e.g. CodeChecker analyze --analyzer-config clang-tidy:WarningsAsErrors=true to set a parameter. Alternatively you can use .clang-tidy config files too

:bug: Analyzer improvements

  • ignore -fno-keep-inline-dllexport gcc option #3813
  • Fix error using Clang option '-stdlib=libc++' #3808
  • [fix] Fix a condition about checkers being compiler warnings #3838
  • [analyzer] Promote the missing checker warning to an error #3820
  • [fix] Pass arch flag correctly #3854

:repeat: Profile changes

  • bugprone-standalone-empty: default, extreme, sensitive
  • bugprone-unsafe-functions: extreme, security, sensitive
  • cert-msc24-c: alias of bugprone-unsafe-functions
  • cert-msc33-c: alias of bugprone-unsafe-functions
  • cppcoreguidelines-avoid-capture-default-when-capturing-this: extreme, sensitive
  • cppcoreguidelines-avoid-capturing-lambda-coroutines: default, extreme, sensitive
  • cppcoreguidelines-avoid-reference-coroutine-parameters: default, extreme, sensitive
  • cppcoreguidelines-rvalue-reference-param-not-moved: extreme, sensitive
  • llvmlibc-inline-function-decl: style
  • misc-use-anonymous-namespace: default, extreme, sensitive
  • Document the new checker misc-use-anonymous-namespace #3803
  • [cfg] Assign new check profiles for 6.22RC1 #3861

:computer: CLI/Server improvements

  • Further enhancements to speed up the store procedure #3796
  • Multiroot analysis #3815 CodeChecker now supports an analysis mode where for each source file, it tries to find the closest compile_commands.json file up in the directory hierarchy starting from the source file. clangd and clang-tidy works this way: https://clangd.llvm.org/installation.html This feature allows the analaysis of multi-root projects also in the vscode plugin Ericsson/CodecheckerVSCodePlugin#113 Previously the input of analysis was a compilation database JSON file. The of this PR is to support the following analysis invocations:
# Analyze one source file.
CodeChecker analyze main.c -o reports

# analyze all source files under a directory.
CodeChecker analyze my_project -o reports
  • Support report annotations and add dynamic analyzer related annotations #3849
  • Required format for --checker-config #3817 "CodeChecker analyze" command has a --checker-config flag. The parameter this flag should be in the following format: <analyzer>:<checker>:<option>=<value>. This format is checked and an error message is emitted if the format is not met.
  • [cmd] Gracefully exit instead of crashing when cmd diff is missing a param #3801
  • cppcheck: allow spaces in path #3812
  • [cmd] Fix a crash with CodeChecker cmd diff --unique on #3816
  • [bugfix] Don't convert cppcheck parameters to absolute path #3821
  • [cmd] Deprecate --warnings flag #3802
  • [gui] Fix for filter product in gui test #3469
  • [web] Fix stale permission caching #3840

:deciduous_tree: Environment

  • [req] Upgrade lxml to 4.9.1 #3799
  • Fix three bugs and a couple of style issues #3804
  • Updates to setup.py/PyPI configuration #3819
  • [test] Upgrade to Python 3.8 in GitHub Actions #3859

:book: Documentation updates

  • README.md: add python3-setuptools dependency #3729
  • [docs] Reword what labels, guidelines, checkers mean, and their enabling #3845

:hammer: Other

  • [version] Bump version to 6.22.0 #3787
  • [repo] Add vim sessions file to gitignore #3792
  • [docs] Fix facebook-infer links #3834
  • [tests] Change subprocess.call to subprocess.Popen #3837
  • Change dev/test servers port from default #3833

v6.21.0

1 year ago

:bug: Analyzer improvements

  • [report-converter] Support Roslynator (#3765) The Roslynator project contains several analyzers for C# built on top of Microsoft Roslyn. CodeChecker now supports the visualization of these C# anlaysis results. It also provides a .NET tool for running Roslyn code analysis from the command line. It is not limited to Microsoft and Roslynator analyzers, it supports any Roslyn anaylzer. It can also report MSBuild compiler diagnostics.

:computer: CLI/Server improvements

  • Make CodeChecker store about twice as fast (#3777) This small change from a regex to a string search is expected to shave off the time it takes to run a CodeChecker store command by as much as 50%!
  • [fix] Speed up resolved diffing (#3771) This fixes the everlasting diff runtime, when the report count is large (~60000) and the ReviewStatusRule count is also substantial.

:repeat: Profile changes

  • [analyzer][clang][clang-tidy] Assign new check profiles (#3769)
    • bugprone-assignment-in-if-condition: extreme (no longer in the sensitive and default profiles)
    • bugprone-signal-handler: default (new), security (new), sensitive, extreme
    • bugprone-suspicious-realloc-usage (new): default, sensitive, extreme
    • bugprone-stringview-nullptr (new): default, sensitive, extreme
    • bugprone-unchecked-optional-access (new): extreme
    • cert-sig30-c: removed from all profiles (as it is an alias to bugprone-signal-handler)
    • cppcoreguidelines-avoid-const-or-ref-data-members: sensitive (new), extreme
    • cppcoreguidelines-avoid-do-while (new): extreme
    • misc-const-correctness: removed from all profiles (it was too extreme even for extreme)
    • misc-misleading-bidirectional: default, security (new), sensitive, extreme
    • misc-misleading-identifier" (new): default, security, sensitive, extreme
    • alpha.unix.Errno: sensitive (new), extreme
    • core.uninitialized.NewArraySize (new): default, sensitive, extreme
    • alpha.unix.cstring.UninitializedRead (new): extreme

:book: Documentation updates

  • [analyzer][doc] Mention that Z3 as the constraint solver is highly unstable (#3772) While LLVM supports the usage of Z3, that doesn't mean the same for the Clang Static Analyzer. It is a highly experimental feature that may or may not be generally available in a stable way, which is now better explained in the docs and in --help messages.
  • [doc] Refurbish several parts of the README (#3763)
    • Self-advertise the CodeChecker GitHub CI action!
    • Added the PLDI'2020 talk about CodeChecker to the papers section
    • Moved information about Python 2 lower as it is no longer really an important thing in today's world
    • Figure out the new LLVM monorepo commit for the referenced SVN commit that introduced Bug hashes to Clang SA

:hammer: Other improvements/fixes

  • Quick fix for cppcheck environment (#3744) The cppcheck needs the original environment when invoked. This quick fix restores it at analyzer invocation.
  • [bugfix] Old client has different behavior with new server (#3746, #3747) So far, we have supported the communication in between a CodeChecker server and almost all older CodeChecker clients versions. For CodeChecker servers on version 6.20.0, clients issueing CodeChecker cmd diff to the server got an incorrect results, which this PR fixes.
  • [bugfix] Don't update review status date (#3749) When a review status is set in the GUI then a new entry is inserted to review_statuses table. Every time the same report is stored, its review status date used to be updated, which was a bug, since the storage date is NOT the same as the review status date.
  • Document 'cppcoreguidelines-avoid-const-or-ref-data-members' (#3734)
  • Document 'bugprone-suspicious-realloc-usage' (#3755)
  • Escape &, <, > from the source C-files to HTML-output (#3748) This fixed a bug where CodeChecker parse --export html produced an invalid HTMl file.
  • [feat] Comment lines in skipfile (#3768) Hashmark (#) character can be used for commenting lines out in skipfiles, and can now be used for CodeCheckers skip files!
  • Issue a warning about this release being only an RC (#3780) CodeChecker version now warns users about the current release being only a release candidate. Please create a bug report if you find anything wrong, so we can fix it for the proper release!
  • [fix] Ignore files that .gitignore ignores (#3785)
  • Set "anywhere on path" in URL (#3783) In the previous release, on the gui, when the "anywhere on path" filter was set, it wasn't saved in the URL. It is now!
  • [bugfix] Don't crash with intercept-build based compilation database (#3685) CodeChecker was only really compatible with compilation databases where "command" was used instead of "arguments" as the actual command to execute. This is now fixed.
  • [db] Garbage collection of analysis_info timeout (#3775) The garbage collection of analysis_info table has been restructured because the original query exceeded a 2min timeout.