I’m dusting off a dim recollection... and it’s further complicated by the scan service (which is the free Coverity for open source projects that we use) being slightly different from the commercial offering. At the time, I feel I concluded that Coverity models could override macro definitions but that this may be one of the features scan didn’t support, partly because the model file is maintained in the web service, and the data collection happens completely offline until the point of submission.
I don’t remember if I tried overriding these macros locally during collection, but that would be my next thought; it would require some hoop jumping (e.g., including __coverity_tainted_data_sanitize__ as a weak function stub so the build succeeds but does not interfere with Coverity). I suspect I left it because of diminishing returns on the effort when we’d already managed the defect list to a reasonable size, and new issues were easily assessed and marked in the UI as they arose.

I also note the examples in Coverity’s documentation showing macros in the modelling file are no longer present – or perhaps I imagined them :)

Chris.

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Andrew Yourtchenko
Sent: Friday, September 11, 2020 11:41
To: Luke, Chris <chris_l...@cable.comcast.com>
Cc: Nathan Skrzypczak <nathan.skrzypc...@gmail.com>; vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [EXTERNAL] Re: [vpp-dev] Please look at coverity defects in preparation for VPP 20.09 before Monday

Chris,

this is very interesting - I was under the impression that coverity operates post-macro expansion (and thus should see the check within VALIDATE_SW_IF_INDEX)... is it not the case, or am I missing something else?

--a

On 11 Sep 2020, at 17:06, Luke, Chris <chris_l...@comcast.com> wrote:

Nathan,

Just a caveat; those Coverity comments do not always work – at least didn’t when we started using Coverity. They have plausibly improved things in the analyzer since but I have not seen that; I would be interested to see if it is effective once patches are merged and my twice daily submission runs, so let me know!
For example, I did set up a modeling file <https://scan.coverity.com/projects/fd-io-vpp/model_file> that has fake versions of key macros to mark certain data as safe (e.g., if we inspect an interface index with VALIDATE_SW_IF_INDEX or variants of, we can assume the index is now safe) but I did not find that to be effective at the time, so did not make it any more complete. If that now works, this would be a better way to handle most tainted data errors – the validation macros/functions squelch the complaint.

Chris.

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Nathan Skrzypczak
Sent: Friday, September 11, 2020 04:45
To: Andrew Yourtchenko <ayour...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: [EXTERNAL] Re: [vpp-dev] Please look at coverity defects in preparation for VPP 20.09 before Monday

Hi Andrew, Hi all,

Thanks for the coverity reminder and good luck with release work Andrew!

Just sharing some info for fixing coverity warnings as it was surprisingly difficult to find. The checker's reference can be found here [1]. False positives can *apparently* be silenced with comments, e.g.:

    /* coverity [COPY_PASTE_ERROR] */
    u8 ab->ba.ab.ba = 1;

    /* coverity[ -tainted_data_argument : arg-0 ] */
    recvmsg (...);

Hope this helps

Cheers
-Nathan

[1] https://scan9.coverity.com/doc/en/cov_checker_ref.html

On Thu, 10 Sep 2020 at 17:10, Andrew Yourtchenko <ayour...@gmail.com> wrote:

Dear developers,

In preparation for the 20.09 release - could you please take a look at the Coverity report and address the outstanding issues in "your" areas of the code.

To do so: go to https://scan.coverity.com/projects/fd-io-vpp, login, then hit "view defects" button on the top right.

There are currently 18 defects as seen there. Each Coverity issue corresponds to a defect.

We need to have this number to be 0 by RC2, so on Monday I will start contacting the folks personally with either a "thank you" note if that issue has already been taken care of between now and then, or a request to open a JIRA ticket so that it can be tracked and mentioned in the release notes for 20.09 as a known issue.

I'd obviously prefer the former, it's less work for everyone and the users will be happier with the result. :-)

So - thanks a lot in advance for spending some of your cycles tomorrow and squashing all of the outstanding defects!

--a /* your friendly 20.0Segmentation fault (core dumped)
View/Reply Online (#17377): https://lists.fd.io/g/vpp-dev/message/17377
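A sketch of the local-override idea from the most recent message in the thread (a validation macro that calls `__coverity_tainted_data_sanitize__`, with a weak stub so a normal build links), added here as an example and not taken from VPP or from any poster. `VALIDATE_IF_INDEX`, `demo_msg_t`, `lookup_if_name`, the interface table and the error code are hypothetical stand-ins, and whether the Scan analyzer honours the call when it appears in source rather than in a model file is exactly what the thread leaves open.

```c
#include <stddef.h>
#include <stdint.h>

/* Name taken from the thread. A weak no-op definition lets an ordinary
 * build link; treating a call to it in source as a sanitizer is the
 * untested idea from the thread, not a documented guarantee. */
__attribute__((weak)) void __coverity_tainted_data_sanitize__(void *p) { (void)p; }

#define N_INTERFACES 4                      /* constructed table size */
static const char *if_names[N_INTERFACES] = { "local0", "eth0", "eth1", "tap0" };
#define ERR_INVALID_SW_IF_INDEX (-2)        /* hypothetical error code */

/* Hypothetical stand-in for a validation macro in the style of
 * VALIDATE_SW_IF_INDEX: reject out-of-range values first, then tell
 * the analyzer that the value has been checked. */
#define VALIDATE_IF_INDEX(idx, rv, label)                     \
  do {                                                        \
    if ((idx) >= N_INTERFACES) {                              \
      (rv) = ERR_INVALID_SW_IF_INDEX;                         \
      goto label;                                             \
    }                                                         \
    __coverity_tainted_data_sanitize__ (&(idx));              \
  } while (0)

/* Constructed message type: the index arrives from an untrusted peer. */
typedef struct { uint32_t sw_if_index; } demo_msg_t;

/* Returns 0 and sets *name on success, an error code otherwise. */
int lookup_if_name (const demo_msg_t *mp, const char **name)
{
  int rv = 0;
  uint32_t idx = mp->sw_if_index;           /* tainted until validated */

  VALIDATE_IF_INDEX (idx, rv, bad_index);
  *name = if_names[idx];                    /* only reached when in range */
  return rv;

bad_index:
  *name = NULL;
  return rv;
}

int main (void)
{
  demo_msg_t ok = { 2 }, bad = { 4096 };
  const char *name;
  return !(lookup_if_name (&ok, &name) == 0
           && lookup_if_name (&bad, &name) == ERR_INVALID_SW_IF_INDEX);
}
```

The bounds check is what makes the array access safe in every build; the sanitize call only affects what the analyzer reports, so it belongs after the check and never in place of it.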