selinux/scripts/run-scan-build
Nicolas Iooss 120681c1a3 libsepol, libsemanage: add a macro to silence static analyzer warnings in tests
Several static analyzers (clang's one, Facebook Infer, etc.) warn about
NULL pointer dereferences after a call to CU_ASSERT_PTR_NOT_NULL_FATAL()
in the test code written using CUnit framework. This is because this
CUnit macro is too complex for them to understand that the pointer
cannot be NULL: it is translated to a call to CU_assertImplementation()
with an argument as TRUE in order to mean that the call is fatal if the
asserted condition failed (cf.
http://cunit.sourceforge.net/doxdocs/group__Framework.html).

A possible solution could consist in replacing the
CU_ASSERT_..._FATAL() calls by assert() ones, as most static analyzers
know about assert(). Nevertheless this seems to go against CUnit's API.

An alternative solution consists in overriding CU_ASSERT_..._FATAL()
macros in order to expand to assert() after a call to the matching
CU_ASSERT_...() non-fatal macro. This appears to work fine and to remove
many false-positive warnings from various static analyzers.

As this substitution should only occur when using static analyzer, put
it under #ifdef __CHECKER__, which is the macro used by sparse when
analyzing the Linux kernel.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-30 08:43:41 -04:00

38 lines
1.5 KiB
Bash
Executable File

#!/bin/sh
# Run clang's static analyzer (scan-build) and record its output in output-scan-build/
# Ensure the current directory is where this script is
cd "$(dirname -- "$0")" || exit $?
OUTPUTDIR="$(pwd)/output-scan-build"
# Display the commands which are run, and make sure they succeed
set -x -e
# Use a temporary directory as an installation directory, if $DESTDIR is not set
if [ -z "$DESTDIR" ] ; then
DESTDIR="$(mktemp --tmpdir -d scan-build-destdir-XXXXXXXXXX)"
fi
# Make sure to use the newly-installed libraries when running tests
export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib"
export PATH="$DESTDIR/usr/sbin:$DESTDIR/usr/bin:$DESTDIR/sbin:$DESTDIR/bin:$PATH"
export PYTHONPATH="$DESTDIR$(${PYTHON:-python3} -c "from distutils.sysconfig import *;print(get_python_lib(prefix='/usr'))")"
export RUBYLIB="$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorlibdir"]'):$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorarchdir"]')"
# Build and analyze
make -C .. CC=clang clean distclean -j"$(nproc)"
scan-build -analyze-headers -o "$OUTPUTDIR" make -C .. \
CC=clang \
DESTDIR="$DESTDIR" \
CFLAGS="-O2 -Wall -D__CHECKER__ -I$DESTDIR/usr/include" \
install install-pywrap install-rubywrap all test
# Reduce the verbosity in order to keep the message from scan-build saying
# "scan-build: Run 'scan-view /.../output-scan-build/2018-...' to examine bug reports.
set +x
# Remove the destination directory without using "rm -rf"
chmod u+w "$DESTDIR/usr/bin/newrole"
rm -r "$DESTDIR"