Static code analysis tool for openbmc

Stewart Smith stewart at linux.ibm.com
Thu Mar 14 08:55:06 AEDT 2019


Lei YU <mine260309 at gmail.com> writes:
> On Wed, Mar 13, 2019 at 6:15 PM Ratan Gupta <ratagupt at linux.vnet.ibm.com> wrote:
>> Is there any plan to use any static code analysis tool in openbmc? I
>
> In the Jenkins job, we have cppcheck to do checks on the code.
>
>> find one of the tools which is good and used in multiple open-source
>> projects is "Coverity".
>
> I would prefer the clang static analyzer, but other tools like Coverity are also
> welcome.
> And if possible, there is a much stronger analyzer, PVS-Studio Analyzer (needs a
> license though). I read [PVS-Studio's blog][1] and that tool is really really
> good.
>
> But I think the main question is, what to do with issues found by the static
> analyzer? We need to define some rules to fix or ignore the issues.

In my experience with host firmware on OpenPOWER, each tool gets a
different set of things that it catches. Even the humble sparse catches
things that other tools do not (notably endian screw-ups).

A big advantage of Coverity is the tooling around it, the web site where
you can mark things permanently as a false positive, assign things to
people, etc. For other tools that you just run in a Jenkins job, it's
way too easy to not see things grow, or just have a large list of false
positives you get used to ignoring.

-- 
Stewart Smith
OPAL Architect, IBM.
