[cfe-dev] [Analyzer] File based support for SA suppression

Tue Oct 24 14:01:14 PDT 2017

Hi all,

In the past we have discussed Static Analyzer suppression mechanisms in
great length. They are extremely handy when needing to quash false positives
that inevitably arise from using this tool.

Presently we don't really have any mechanisms for suppression. The only way
to do this is to turn off the analyzer for a block of code (#ifndef
__clang_analyzer__).

I understand that the community is exploring a pragma based approach to
silencing the SA. While this will work for most use cases it has one
limitation: it involves making changes to the source file(s).

This can be problematic for:

1.	Analyzing projects that contain some amount of legacy code that
can't be changed. While making changes to security critical issues is
possible, it is a tough sell to add pragmas that cater to an external tool.
2.	For teams / groups working on large projects (eg: Android) that
involve building some amount of open source code that can't be changed
easily.

I am presently exploring an external file based mechanism for suppressing
the Static Analyzer. What I'm proposing is that we have a compiler flag that
can point to an external text or xml file that contains the suppression
information. A first cut for the suppression information can contain the
file name, function name and checker type to be silenced. The static
analyzer can then read the file and silence warnings accordingly.

This will in essence solve the aforementioned problem. Note: I thought of
function name and not line number because any small change to the code can
break line number assumptions; silencing warnings by function name seems
more stable.

Looking forward to hearing the communities thoughts on such a mechanism and
it's likelihood of getting accepted upstream.

Thanks

Regards,

Nikhil

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20171024/4d773b37/attachment.html>