Documentation: dev-tools: Enhance static analysis section with discussion
Enhance the static analysis tools section with a discussion on when to use each of them. This was mainly taken from Dan Carpenter and Julia Lawall's comments on a previous documentation patch for static analysis tools. Lore: https://lore.kernel.org/linux-doc/20220329090911.GX3293@kadam/T/#mb97770c8e938095aadc3ee08f4ac7fe32ae386e6 Signed-off-by: Marcelo Schmitt <marcelo.schmitt1@gmail.com> Acked-by: David Gow <davidgow@google.com> Cc: Dan Carpenter <dan.carpenter@oracle.com> Cc: Julia Lawall <julia.lawall@inria.fr> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
This commit is contained in:
parent
12379401c0
commit
a32d5c0fc1
|
@ -146,3 +146,35 @@ Documentation/dev-tools/coccinelle.rst documentation page for details.
|
|||
|
||||
Beware, though, that static analysis tools suffer from **false positives**.
|
||||
Errors and warns need to be evaluated carefully before attempting to fix them.
|
||||
|
||||
When to use Sparse and Smatch
|
||||
-----------------------------
|
||||
|
||||
Sparse does type checking, such as verifying that annotated variables do not
|
||||
cause endianness bugs, detecting places that use ``__user`` pointers improperly,
|
||||
and analyzing the compatibility of symbol initializers.
|
||||
|
||||
Smatch does flow analysis and, if allowed to build the function database, it
|
||||
also does cross function analysis. Smatch tries to answer questions like where
|
||||
is this buffer allocated? How big is it? Can this index be controlled by the
|
||||
user? Is this variable larger than that variable?
|
||||
|
||||
It's generally easier to write checks in Smatch than it is to write checks in
|
||||
Sparse. Nevertheless, there are some overlaps between Sparse and Smatch checks.
|
||||
|
||||
Strong points of Smatch and Coccinelle
|
||||
--------------------------------------
|
||||
|
||||
Coccinelle is probably the easiest for writing checks. It works before the
|
||||
pre-processor so it's easier to check for bugs in macros using Coccinelle.
|
||||
Coccinelle also creates patches for you, which no other tool does.
|
||||
|
||||
For example, with Coccinelle you can do a mass conversion from
|
||||
``kmalloc(x * size, GFP_KERNEL)`` to ``kmalloc_array(x, size, GFP_KERNEL)``, and
|
||||
that's really useful. If you just created a Smatch warning and try to push the
|
||||
work of converting on to the maintainers they would be annoyed. You'd have to
|
||||
argue about each warning if can really overflow or not.
|
||||
|
||||
Coccinelle does no analysis of variable values, which is the strong point of
|
||||
Smatch. On the other hand, Coccinelle allows you to do simple things in a simple
|
||||
way.
|
||||
|
|
Loading…
Reference in New Issue