--- proj4.2p0.conf 2016-09-26 14:05:50.718085100 +0000
+++ proj4.4p0.conf 2016-09-26 14:06:17.126725700 +0000
@@ -386,11 +386,11 @@
 # COMPILER_MODELS += /a/b/gcc -> gcc:AB
 # COMPILER_MODELS += /c/d/gcc -> gcc:CD
 #
-# [#random_filename] If your build system generates randomly-named
-# files each time it runs, you may be able to use a combination of
-# COMPILER_MODELS and DISABLED_COMPILERS to model compilation
-# without incurring a separate license cost for each randomly-named
-# file.
+# [ANCHOR random_filename] If your build system generates randomly-
+# named files each time it runs, you may be able to use a
+# combination of COMPILER_MODELS and DISABLED_COMPILERS to model
+# compilation without incurring a separate license cost for each
+# randomly-named file.
 #
 # For example, suppose your regular software built uses a tool
 # called mybuild, whose behavior is such that
@@ -1887,12 +1887,25 @@ # patch files in subdirectory D/fname.x/ are applied to the source # file named fname.x, where fname.x is the source file name as # specified in the build command or #include statements, before any -# redirection (such as symbolic link resolution). Note that -# fname.x/ must be a direct subdirectory of D - it cannot be more -# deeply nested. -# -# If any part of a patch file fails, no part of that file is -# applied. +# redirection (such as symbolic link resolution). +# - fname.x/ must be a direct subdirectory of D - it cannot be more +# deeply nested. +# - All patches in any such D/fname.x/ are applied to fname.x. +# There could be several such patches for a given file, whether +# because there are multiple SOURCE_PATCH_DIRECTORIES rules, +# because a single fname.x/ directory contains multiple patches, +# or both. The success or failure of any individual application +# does not affect the application of other patches. +# - If any part of a patch file fails, no part of that file is +# applied. +# - If there are multiple SOURCE_PATCH_DIRECTORIES rules, the +# directories are processed in reverse order:patches from the +# directory specified by the last SOURCE_PATCH_DIRECTORIES rule +# are applied first. +# +# The successful application of one patch does not preclude +# attempts to subsequently apply additional patches: Every matching +# patch is attempted. # # Notes # This process is independent of the names of the patch files @@ -2672,7 +2685,7 @@ # For more information, see the manual section on Parallelism in # CodeSonar [doc/html/Workings/Parallelism.html]. -#SLAVE_TIMEOUT = 3600 +#SLAVE_TIMEOUT = 1800 # Parameter MASTER_KEEPALIVE_PERIOD @@ -2709,7 +2722,7 @@ # For more information, see the manual section on Parallelism in # CodeSonar [doc/html/Workings/Parallelism.html]. -#MASTER_KEEPALIVE_PERIOD = 86400 +#MASTER_KEEPALIVE_PERIOD = 3000 # Parameter WARNING_FILTER 
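Review bot: The new SOURCE_PATCH_DIRECTORIES text says a patch file that partly fails is not applied at all and that one failure does not affect other patches, but it never says whether a failed application is reported anywhere; a patch that silently fails to apply means the analysis runs on code that differs from what the reviewer believes was analyzed. Suggest stating the behavior explicitly in the same list, e.g. `# - A patch that fails to apply is reported in the analysis log.` if that is the case, or the opposite if failures are silent. There is also a missing space in `reverse order:patches`. The parameter's description begins before this hunk.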
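Review bot: The template lines for SLAVE_TIMEOUT and MASTER_KEEPALIVE_PERIOD change from 3600 to 1800 and from 86400 to 3000 seconds without any accompanying change to the explanatory text visible in these hunks. Because both lines are commented-out templates, a user who uncomments one gets whatever value is printed here, so the printed value must track the compiled-in factory setting, and the keepalive cut from a day to fifty minutes is large enough that a reader will wonder whether it is intentional. Suggest a one-line note such as `# (factory setting reduced from 86400 in 4.4)` beside the new value, and confirming the prose above the hunk, which lies outside it, still describes the new default.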
@@ -2804,24 +2817,24 @@
 # whitespace-sensitive). If C, specifies a constraint on the
 # warning Procedure (so has the same behavior as a procedure
 # rule).
-# - reachable : whether or not the first function in Listing XML is
-# reachable from one of the roots specified by
-# REACHABILITY_ROOTS. Set to zero to specify that the rule
-# applies only to warnings for which the first function is
-# unreachable; non-zero to specify that it applies only to
-# warnings for which the first function is reachable. CodeSonar
-# will issue an alert [doc/html/GUI/GUI_Alerts.html] if there are
-# one or more WARNING_FILTER reachable rules, but no reachability
-# roots have been specified.
+# - reachable : whether or not the first function in Listing XML
+# belongs to set REACHABLE_FROM_ROOTS_EXTENDED
+# [#reachable_from_roots_extended]. Set to non-zero to specify
+# that the rule applies only to warnings for which the first
+# function is in this set; zero to specify that the rule only
+# applies to warnings for which the first function is NOT in this
+# set. CodeSonar will issue an alert
+# [doc/html/GUI/GUI_Alerts.html] if there are one or more
+# WARNING_FILTER reachable rules, but no reachability roots have
+# been specified.
 # - starts_in_source_libraries : whether or not the first function
-# in Listing XML is a CodeSonar Library Model
-# [doc/html/C_Module/LibraryModels/LibraryModels.html], or is
-# directly or transitively called by a library model. Set to zero
-# to specify that the rule applies only to warnings for which the
-# first function is a library model or called by a library model;
-# non-zero to specify that it applies only to warnings for which
-# the first function is not a library model and not called by a
-# library model.
+# in Listing XML belongs to set
+# CONSERVATIVELY_REACHABLE_FROM_SOURCE_LIBRARIES
+# [#conservatively_reachable_from_source_libraries]. Set to non-
+# zero to specify that the rule applies only to warnings for
+# which the first function is in this set; zero to specify that
+# it applies only to warnings for which the first function is not
+# in this set.
 #
 # Notes
 # If there are two or more s in a pattern, the pattern
@@ -3041,11 +3054,14 @@
 # (Checks for some classes may require additional settings in order
 # to work correctly. See the individual warning class documentation
 # in the manual for full information.)
+# WARNING_FILTER += allow class="## Follows # Operator"
 # WARNING_FILTER += allow class="/* in Comment"
 # WARNING_FILTER += allow class="// in Comment"
 # WARNING_FILTER += allow class="2$Buffer Overrun"
 # WARNING_FILTER += allow class="Addition Overflow of Allocation Size"
 # WARNING_FILTER += allow class="Addition Overflow of Size"
+# WARNING_FILTER += allow class="Array Parameter Mismatch"
+# WARNING_FILTER += allow class="Assignment Result in Expression"
 # WARNING_FILTER += allow class="Assignment in Conditional"
 # WARNING_FILTER += allow class="Backwards goto"
 # WARNING_FILTER += allow class="Basic Numerical Type Used"
@@ -3060,6 +3076,7 @@
 # WARNING_FILTER += allow class="Cast: Non-integer Arithmetic Type/Object Pointer"
 # WARNING_FILTER += allow class="Cast: Object Pointers"
 # WARNING_FILTER += allow class="Code Before #include"
+# WARNING_FILTER += allow class="Coercion: Integer Constant to Pointer"
 # WARNING_FILTER += allow class="Comment Suggests Code Unfinished"
 # WARNING_FILTER += allow class="Commented-out Code"
 # WARNING_FILTER += allow class="Condition Contains Side Effects"
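Review bot: The rewritten starts_in_source_libraries entry inverts the documented polarity of the attribute: the removed lines said zero selects warnings whose first function is a library model or is called by one and non-zero selects the rest, while the added lines say non-zero selects functions in CONSERVATIVELY_REACHABLE_FROM_SOURCE_LIBRARIES and zero selects those not in it. Either the 4.2 text was wrong or the behavior changed, and in both cases an existing `WARNING_FILTER += discard ... starts_in_source_libraries=0` rule may now discard the opposite set of warnings, which is a silent loss of findings. Suggest adding after `# in this set.` a line such as `# Note: the 4.2 documentation described the opposite polarity; review existing rules.` and stating which description matches the shipped behavior.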
@@ -3076,6 +3093,7 @@
 # WARNING_FILTER += allow class="Dangerous Include File Name"
 # WARNING_FILTER += allow class="Data Race"
 # WARNING_FILTER += allow class="Declaration of Flexible Array Member"
+# WARNING_FILTER += allow class="Declaration of Reserved Name"
 # WARNING_FILTER += allow class="Declaration of Variable Length Array"
 # WARNING_FILTER += allow class="Dynamic Allocation After Initialization"
 # WARNING_FILTER += allow class="Excessive Stack Depth"
@@ -3121,6 +3139,7 @@
 # WARNING_FILTER += allow class="Macro Parameter Not Parenthesized"
 # WARNING_FILTER += allow class="Macro Undefined in Function Body"
 # WARNING_FILTER += allow class="Macro Undefinition of Reserved Name"
+# WARNING_FILTER += allow class="Macro Uses # Operator"
 # WARNING_FILTER += allow class="Macro Uses ## Operator"
 # WARNING_FILTER += allow class="Macro Uses -> Operator"
 # WARNING_FILTER += allow class="Macro Uses Unary * Operator"
@@ -3134,6 +3153,7 @@
 # WARNING_FILTER += allow class="Microsoft Extension"
 # WARNING_FILTER += allow class="Mismatched Operand Types"
 # WARNING_FILTER += allow class="Misplaced Return Statement"
+# WARNING_FILTER += allow class="Misplaced case"
 # WARNING_FILTER += allow class="Misplaced default"
 # WARNING_FILTER += allow class="Missing Braces in Initialization"
 # WARNING_FILTER += allow class="Missing External Declaration"
@@ -3142,6 +3162,7 @@
 # WARNING_FILTER += allow class="Missing Literal Suffix"
 # WARNING_FILTER += allow class="Missing Lock Acquisition"
 # WARNING_FILTER += allow class="Missing Lock Release"
+# WARNING_FILTER += allow class="Missing Parentheses"
 # WARNING_FILTER += allow class="Missing break"
 # WARNING_FILTER += allow class="Missing default"
 # WARNING_FILTER += allow class="Missing for-loop Step"
@@ -3161,6 +3182,7 @@
 # WARNING_FILTER += allow class="Nested Locks"
 # WARNING_FILTER += allow class="No Matching #endif"
 # WARNING_FILTER += allow class="No Matching #if"
+# WARNING_FILTER += allow class="Non-Boolean Preprocessor Expression"
 # WARNING_FILTER += allow class="Non-const String Literal"
 # WARNING_FILTER += allow class="Non-distinct Identifiers: External Names"
 # WARNING_FILTER += allow class="Non-distinct Identifiers: Macro/Macro"
@@ -3178,6 +3200,7 @@
 # WARNING_FILTER += allow class="Over-initialized Element"
 # WARNING_FILTER += allow class="Partially Uninitialized Aggregate"
 # WARNING_FILTER += allow class="Partially Uninitialized Array"
+# WARNING_FILTER += allow class="Pointer Arithmetic"
 # WARNING_FILTER += allow class="Pointer Before Beginning of Object"
 # WARNING_FILTER += allow class="Pointer Past End of Object"
 # WARNING_FILTER += allow class="Pointer Type Inside Typedef"
@@ -3191,6 +3214,8 @@
 # WARNING_FILTER += allow class="Scope Could Be Local Static"
 # WARNING_FILTER += allow class="Side Effects in Expression with Decrement"
 # WARNING_FILTER += allow class="Side Effects in Expression with Increment"
+# WARNING_FILTER += allow class="Side Effects in Initializer List"
+# WARNING_FILTER += allow class="Side Effects in Logical Operand"
 # WARNING_FILTER += allow class="Side Effects in sizeof"
 # WARNING_FILTER += allow class="Signal Handler Entry Point"
 # WARNING_FILTER += allow class="Socket In Wrong State"
@@ -3214,9 +3239,17 @@ # WARNING_FILTER += allow class="Typographically Ambiguous Identifiers" # WARNING_FILTER += allow class="Unbalanced Parenthesis" # WARNING_FILTER += allow class="Unchecked Parameter Dereference" +# WARNING_FILTER += allow class="Undefined Macro in #if" +# WARNING_FILTER += allow class="Unexercised Call" +# WARNING_FILTER += allow class="Unexercised Computation" +# WARNING_FILTER += allow class="Unexercised Conditional" +# WARNING_FILTER += allow class="Unexercised Control Flow" +# WARNING_FILTER += allow class="Unexercised Data Flow" # WARNING_FILTER += allow class="Union Type" # WARNING_FILTER += allow class="Unknown Lock" # WARNING_FILTER += allow class="Unreachable Control Flow" +# WARNING_FILTER += allow class="Unspecified Array Size with Designator Initialization" +# WARNING_FILTER += allow class="Unterminated Escape Sequence" # WARNING_FILTER += allow class="Unused Label" # WARNING_FILTER += allow class="Unused Macro" # WARNING_FILTER += allow class="Unused Parameter" @@ -3227,9 +3260,12 @@ # WARNING_FILTER += allow class="Use of Exception Handling Function" # WARNING_FILTER += allow class="Use of " # WARNING_FILTER += allow class="Use of " +# WARNING_FILTER += allow class="Use of Feature" +# WARNING_FILTER += allow class="Use of Input/Output Macro" # WARNING_FILTER += allow class="Use of Input/Output" # WARNING_FILTER += allow class="Use of " # WARNING_FILTER += allow class="Use of Time/Date Function" +# WARNING_FILTER += allow class="Use of Input/Output Macro" # WARNING_FILTER += allow class="Use of Input/Output" # WARNING_FILTER += allow class="Use of AddAccessAllowedAce" # WARNING_FILTER += allow class="Use of AddAccessDeniedAce" @@ -3307,7 +3343,7 @@ # WARNING_FILTER += discard class="Integer Overflow of Allocation Size" is_sysinclude #WARNING_FILTER += discard language="C++" is_sysinclude - +#WARNING_FILTER += discard class="Undefined Macro in #if" is_sysinclude # Parameter SKIP_ANALYSIS_OF # 
@@ -3323,14 +3359,80 @@ # # Behavior # - UNREACHABLE_FUNCTIONS : instructs CodeSonar to skips analysis -# of any procedure that is not reachable from one of the roots -# specified by REACHABILITY_ROOTS. CodeSonar will issue an alert -# [doc/html/GUI/GUI_Alerts.html] if value UNREACHABLE_FUNCTIONS -# is set but no reachability roots are specified. +# of any procedure not included in set +# REACHABLE_FROM_ROOTS_EXTENDED [#reachable_from_roots_extended]. +# CodeSonar will issue an alert [doc/html/GUI/GUI_Alerts.html] if +# value UNREACHABLE_FUNCTIONS is set but no reachability roots +# are specified. # - SOURCE_LIBRARIES : instructs CodeSonar to skip analysis of -# CodeSonar Library Models -# [doc/html/C_Module/LibraryModels/LibraryModels.html], and any -# functions transitively called by library models. +# procedures in set +# CONSERVATIVELY_REACHABLE_FROM_SOURCE_LIBRARIES +# [#conservatively_reachable_from_source_libraries]. + + +# Parameter SOURCE_MIN_REACHABLE_FROM_ROOTS +# +# Purpose +# Provides a safeguard against misidentifying a large portion of +# source code as unreachable. +# +# Type +# integer +# +# Behavior +# The value of this parameter is used in computing set +# REACHABLE_FROM_ROOTS_EXTENDED [#reachable_from_roots_extended]. + +#SOURCE_MIN_REACHABLE_FROM_ROOTS = 0 + + +# Parameter SOURCE_MAX_REACHABLE_FROM_LIBRARIES +# +# Purpose +# Provides a safeguard against misidentifying a large portion of +# source code as reachable from libraries. +# +# Type +# integer +# +# Behavior +# The value of this parameter is used in computing set +# CONSERVATIVELY_REACHABLE_FROM_SOURCE_LIBRARIES +# [#conservatively_reachable_from_source_libraries]. +# +# +# Notes +# We define sets REACHABLE_FROM_SOURCE_LIBRARIES and +# CONSERVATIVELY_REACHABLE_FROM_SOURCE_LIBRARIES. 
+# +# REACHABLE_FROM_SOURCE_LIBRARIES is the set of all source +# procedures P such that: +# - P's name matches a CodeSonar library model +# [doc/html/C_Module/LibraryModels/LibraryModels.html], or +# - P is called (directly or transitively) by a procedure whose +# name matches a CodeSonar library model. +# +# In some cases, the name matching may misidentify procedures as +# libraries, which may result in a significant number of procedures +# misidentified as reachable from libraries. In such cases, +# CodeSonar may fail to analyze a significant portion of the +# program, reducing the quality of the results. The use of set +# CONSERVATIVELY_REACHABLE_FROM_SOURCE_LIBRARIES represents a +# safeguard against such cases. +# +# [ANCHOR conservatively_reachable_from_source_libraries] +# CONSERVATIVELY_REACHABLE_FROM_SOURCE_LIBRARIES is defined as +# follows. Let S be the set of all source procedures in the +# analyzed project (for a source-only analysis, all procedures are +# source procedures). +# - If |REACHABLE_FROM_SOURCE_LIBRARIES|/|S| is greater than the +# value of SOURCE_MAX_REACHABLE_FROM_LIBRARIES, +# CONSERVATIVELY_REACHABLE_FROM_SOURCE_LIBRARIES is the empty +# set. +# - Otherwise, CONSERVATIVELY_REACHABLE_FROM_SOURCE_LIBRARIES is +# equal to REACHABLE_FROM_SOURCE_LIBRARIES. + +#SOURCE_MAX_REACHABLE_FROM_LIBRARIES = 100 # Parameter BAD_FUNCTION_REGEX @@ -4428,7 +4530,7 @@ # A low value can result in slow web queries if the time between # applicable queries exceeds this value. A high value can result in # an extra process hanging around doing nothing on the analysis -# machine. The default setting is 30 minutes ( = 1800 seconds). +# machine. The factory setting is 30 minutes ( = 1800 seconds). # # The analysis log will not be finalized, and so the Analysis Log # [doc/html/GUI/GUI_Log_Analysis.html] contents may continue to 
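Review bot: SOURCE_MAX_REACHABLE_FROM_LIBRARIES is typed `integer` with a factory setting of 100, yet the Notes compare it against the ratio |REACHABLE_FROM_SOURCE_LIBRARIES|/|S|, which cannot exceed 1, so as written the safeguard can never empty the set at the factory setting; SOURCE_MIN_REACHABLE_FROM_ROOTS = 0 is compared with |R|/|S| and likewise can never trigger. Either both values are percentages, in which case the Type should say so and the formulas should read `100 * |R|/|S|`, or both safeguards are deliberately off by default, which should be stated because SKIP_ANALYSIS_OF uses these sets to decide which procedures are never analyzed at all. Suggest `# integer (percentage of source procedures, 0-100)` under Type if that is the intent, and a sentence under Behavior saying what the factory setting means in practice.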
@@ -4468,7 +4570,7 @@ # A low value can result in slow web queries if the time between # applicable queries exceeds this value. A high value can result in # an extra process hanging around doing nothing on the analysis -# machine. The default setting is 30 minutes ( = 1800 seconds). +# machine. The factory setting is 30 minutes ( = 1800 seconds). # # The analysis log will not be finalized, and so the Analysis Log # [doc/html/GUI/GUI_Log_Analysis.html] page contents may continue @@ -4948,8 +5050,8 @@ # Parameter TIME_LIMIT_DATA_RACE_PATH_SEARCH # # Purpose -# Seconds the analysis may spend searching for a feasible path for -# a particular pair of threads and a particular memory location. +# Bounds the time that data race analysis can spend in any subunit +# of work (threadA, threadB, memory_location). # # Tags # - TIME_LIMIT: Analysis Time Limits 
@@ -4959,20 +5061,30 @@ # integer # # Behavior -# If the time limit is exceeded, no Data Race warnings will be -# reported for the relevant thread pair and memory location. -# -# Notes -# This specifies elapsed time. -# +# When set to integer N, specifies that a subunit of work (threadA, +# threadB, memory_location) in data race analysis will be +# terminated if it takes longer than N seconds. This can result in +# Data Race false negatives for the corresponding thread pair and +# memory location. +# +# Units of work are also subject to time limits based on the +# overall time budget allocated for data race search. Full details +# [#data_race_budget] are provided in the documentation for +# DATA_RACE_BARRIER_PERIOD. +# +# Notes +# A subunit of work in the data race analysis is represented as a +# triple (threadA, threadB, memory_loc): "search for data races +# between threadA and threadB with respect to memory_loc, issuing +# warnings as appropriate". + #TIME_LIMIT_DATA_RACE_PATH_SEARCH = 600 # Parameter TIME_LIMIT_DATA_RACE_PATH_SEARCH_PER_PROCEDURE # # Purpose -# Milliseconds the analysis may spend per procedure (amortized) on -# data race search. +# Used to compute overall time budget for data race refinement. # # Tags # - TIME_LIMIT: Analysis Time Limits 
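Review bot: The rewrite of TIME_LIMIT_DATA_RACE_PATH_SEARCH drops the old note `# This specifies elapsed time.`, so the new Behavior and Notes no longer say whether the N seconds is wall-clock or CPU time. On a loaded or parallel analysis host the two differ substantially, and the hunk itself says every subunit cut off by this limit is a potential Data Race false negative, so the unit matters to anyone tuning it. Suggest restoring a line under Notes, e.g. `# The limit is on elapsed (wall-clock) time, not CPU time.`, if that is still the behavior.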
@@ -4981,27 +5093,28 @@ # integer # # Behavior -# The analysis computes a total budget for data race search by -# multiplying the number of procedures by the value specified here. -# The total budget will not be exceeded. The analysis will start -# sampling only some (thread, thread, memory location) triples if -# the overall pace seems insufficient for finishing the entire -# analysis on time. +# When set to integer N, specifies that the total time budget for +# data race search is num_procedures * N milliseconds, where +# num_procedures is the number of procedures in the analyzed +# project. +# +# The total budget will not be exceeded. Full details of the data +# race budget mechanism [#data_race_budget] are provided in the +# documentation for DATA_RACE_BARRIER_PERIOD. # # Notes -# This specifies time per procedure in milliseconds. The default -# setting of 100 would allow the entire data race phase to run for -# almost 30 hours on a program with a million procedures (very -# large program). -# +# The factory setting (100) would allow the entire data race phase +# to run for almost 30 hours on a program with a million procedures +# (very large program). + #TIME_LIMIT_DATA_RACE_PATH_SEARCH_PER_PROCEDURE = 100 # Parameter TIME_LIMIT_TAINT_REFINE # # Purpose -# Maximum number of seconds the analysis may spend refining taint -# warnings. +# Bounds the time that taint analysis can spend refining taint +# warnings in a procedure. # # Tags # - TIME_LIMIT: Analysis Time Limits 
@@ -5010,13 +5123,22 @@ # integer # # Behavior -# Once likely taint warnings have been identified in a procedure -# (at the start of the path), a search phase takes place to -# determine which of those taint warnings are valid. This limits -# the number of seconds, per procedure, that this search may take. +# When set to integer N, specifies that taint refinement in a +# procedure will be terminated if it takes more than N seconds. +# This can result in taint warning false negatives for that +# procedure. +# +# Units of work are also subject to time limits based on the +# overall time budget for taint refinement. Full details of the +# taint refinement budget mechanism [#taint_refine_budget] are +# provided in the documentation for REFINEMENT_BARRIER_PERIOD. # # Notes -# This specifies elapsed time. +# Once likely taint warnings have been identified in a procedure +# (at the start of the path), a search phase takes place to +# determine which of those taint warnings are valid. +# TIME_LIMIT_TAINT_REFINE specifies how many seconds, per +# procedure, this search may take. # # The warning classes affected by this parameter are: # @@ -5039,15 +5161,14 @@ # - Addition Overflow of Size # - Truncation of Allocation Size # - Truncation of Size. -# + #TIME_LIMIT_TAINT_REFINE = 60 # Parameter TIME_LIMIT_TAINT_REFINE_PER_PROCEDURE # # Purpose -# Milliseconds the analysis may spend per procedure (amortized) on -# taint refinement. +# Used to compute overall time budget for taint refinement. # # Tags # - TIME_LIMIT: Analysis Time Limits 
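Review bot: The TIME_LIMIT_TAINT_REFINE rewrite removes `# This specifies elapsed time.` and nothing in the new text states whether the per-procedure N seconds is wall-clock or CPU time, even though exceeding it yields taint false negatives for the whole procedure. The note that replaces it only restates the Behavior paragraph in different words. Suggest keeping a single line such as `# The limit is on elapsed (wall-clock) time.` under Notes if that remains true.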
@@ -5056,16 +5177,21 @@ # integer # # Behavior -# The analysis computes a total budget for taint refinement by -# multiplying the number of procedures by the value specified here. -# The total budget will not be exceeded. +# When set to integer N, specifies that the total time budget for +# taint refinement is num_procedures * N milliseconds, where +# num_procedures is the number of procedures in the analyzed +# project. +# +# The total budget will not be exceeded. Full details of the taint +# refinement budget mechanism [#taint_refine_budget] are provided +# in the documentation for REFINEMENT_BARRIER_PERIOD. # # Notes -# This specifies time per procedure in milliseconds. The default -# setting of 200 would allow the taint refinement phase to run for +# This specifies time per procedure in milliseconds. The factory +# setting (200) would allow the taint refinement phase to run for # 55 hours on a program with a million procedures (very large # program). -# + #TIME_LIMIT_TAINT_REFINE_PER_PROCEDURE = 200 @@ -5076,7 +5202,10 @@ # procedure for detecting data races. # # Type -# non-negative integer WC_CONCURRENCY.DATARACE +# non-negative integer +# +# Tags +# - WC_CONCURRENCY.DATARACE: Used by Data Race # # Behavior # If a procedure accesses more than this many shared variables, @@ -5088,7 +5217,7 @@ # This only affects the analysis for Data Race warnings. If this is # set to a very high number (for example, more than 200,000) # CodeSonar may behave unpredictably or crash. -# + #DATA_RACE_MAX_MEM_ACCESSES = 1000 
@@ -5099,22 +5228,173 @@ # given (transitive) memory access. # # Type -# non-negative integer WC_CONCURRENCY.DATARACE +# non-negative integer +# +# Tags +# - WC_CONCURRENCY.DATARACE: Used by Data Race # # Behavior # If a procedure accesses more than this many shared variables, -# some variables will not be checked for data races. Raising this -# will result in a more thorough analysis, but will increase the -# time and memory used by the analysis. +# some variables will not be checked for data races. Increasing the +# setting will result in a more thorough analysis, but will +# increase the time and memory used by the analysis. # # Notes -# This only affects the analysis for Data Race warnings. It is -# expected that this value will rarely be exceeded with its default -# value (1000). +# This only affects the analysis for Data Race warnings. # +# It is expected that few or no procedures will access more shared +# variables than the bound imposed by the factory setting (1000). + #DATA_RACE_MAX_LOCKSETS_PER_MEM_ACCESS = 1000 +# Parameter DATA_RACE_BARRIER_PERIOD +# +# Purpose +# Controls a trade off between analysis performance and Data Race +# false negatives. +# +# Tags +# - WC_CONCURRENCY.DATARACE: Used by Data Race +# - ANALYSIS_BOUND: Analysis resource/effort limit +# +# Type +# integer +# +# Behavior +# When set to integer N, specifies that the CodeSonar data race +# analysis will have a concurrency barrier after every N units of +# work. For data race analysis, each unit of work is represented by +# a pair (threadA, threadB,): "search for data races between +# threads threadA and threadB". +# +# At each concurrency barrier, the analysis determines the +# remaining time budget. It then uses this information to determine +# a per-unit-of-work budget for units of work in the next segment +# (that is, up to the next concurrency barrier). +# +# See below [#data_race_budget] for further details. 
+# +# Notes +# Performance and false negative rates can be negatively affected +# if the setting is too high, but also if it is too low. +# - If the setting is too high, unused search budget allocations +# from earlier units of work will not be released in time to be +# reallocated to later units of work. +# - If the setting is too low, parallelism is limited. In +# particular, the setting should be higher than the number of +# analysis slaves, and CodeSonar will issue an alert if this is +# not the case. +# +# [ANCHOR data_race_budget] The analysis computes a total time +# budget for data race search by multiplying the number of analyzed +# procedures by the TIME_LIMIT_DATA_RACE_PATH_SEARCH_PER_PROCEDURE +# setting. The set of all units of work for the search is divided +# into segments containing N units of work each, where N is the +# value of DATA_RACE_BARRIER_PERIOD, with a concurrency barrier at +# the end of each segment. At each concurrency barrier, the +# analysis determines the remaining time budget. It then uses this +# information to determine a per-unit-of-work budget for units of +# work in the next segment (that is, up to the next concurrency +# barrier). This per-unit-of-work budget is used along with +# TIME_LIMIT_DATA_RACE_PATH_SEARCH to limit the time that any unit +# of work in the next segment can take. +# - TIME_LIMIT_DATA_RACE_PATH_SEARCH is an upper bound on time +# spent in any given subunit of work (threadA, threadB, +# memory_loc). +# - The computed per-unit-of-work budget is generally lower than +# the value of TIME_LIMIT_DATA_RACE_PATH_SEARCH, and represents +# an additional bound that is checked at the end of each subunit +# of work (threadA, threadB, memory_loc). 
This means that if the +# per-unit-of-work budget is exhausted during a particular +# subunit, the subunit (and unit) will not be terminated until +# the path exploration finishes (unless the +# TIME_LIMIT_DATA_RACE_PATH_SEARCH bound is also reached during +# the same subunit). +# +# If overall budget consumption has been worse than linear, the +# analysis may also determine that some units of work in the next +# segment must be skipped in order to maintain a reasonable overall +# budget consumption rate. +# +# The magnitude of each unit of work depends on the settings of +# parameters DATA_RACE_PATH_FINDING_EFFORT, +# DATA_RACE_MAX_MEM_ACCESSES, +# DATA_RACE_MAX_LOCKSETS_PER_MEM_ACCESS, and +# DATA_RACE_MAX_RELATED_PATHS. +# +# The number of units of work depends on the settings of parameters +# DATA_RACE_IGNORE_NAMES and MULTIPLE_THREADS_PER_ENTRY_PROCEDURE. + + +#DATA_RACE_BARRIER_PERIOD = 100 + + +# Parameter REFINEMENT_BARRIER_PERIOD +# +# Purpose +# Controls a trade off between analysis performance and false +# negatives for taint-related warnings. +# +# Type +# integer +# +# Behavior +# When set to integer N, specifies that the CodeSonar taint +# refinement will have a concurrency barrier after every N units of +# work. For taint refinement, a unit of work comprises the set of +# warning refinement tasks for a procedure P. +# +# At each concurrency barrier, the analysis determines the +# remaining time budget. It then uses this information to determine +# a per-unit-of-work budget for units of work in the next segment +# (that is, up to the next concurrency barrier). +# +# See below [#taint_refine_budget] for further details. +# +# Notes +# Performance and false negative rates can be negatively affected +# if the setting is too high, but also if it is too low. +# - If the setting is too high, unused search budget allocations +# from earlier units of work will not be released in time to be +# reallocated to later units of work. 
+# - If the setting is too low, parallelism is limited. In +# particular, the setting should be higher than the number of +# analysis slaves, and CodeSonar will issue an alert if this is +# not the case. +# +# [ANCHOR taint_refine_budget] The analysis computes a total time +# budget for taint refinement by multiplying the number of analyzed +# procedures by the TIME_LIMIT_TAINT_REFINE_PER_PROCEDURE setting. +# The set of all units of work for the search is divided into +# segments containing N units of work each, where N is the value of +# REFINEMENT_BARRIER_PERIOD, with a concurrency barrier at the end +# of each segment. At each concurrency barrier, the analysis +# determines the remaining time budget. It then uses this +# information to determine a per-unit-of-work budget for units of +# work in the next segment (that is, up to the next concurrency +# barrier). This per-unit-of-work budget is used along with +# TIME_LIMIT_TAINT_REFINE to limit the time that any unit of work +# in the next segment can take. +# - TIME_LIMIT_TAINT_REFINE is an upper bound on time spent in any +# given unit of work. +# - The computed per-unit-of-work budget is generally lower than +# the value of TIME_LIMIT_TAINT_REFINE, and represents an +# additional bound that is checked less frequently during the +# unit of work. This means that if the per-unit-of-work budget is +# exhausted during a unit of work, the unit will not be +# terminated until one of these checkpoints is reached (unless +# the TIME_LIMIT_TAINT_REFINE bound is also exceeded). +# +# If overall budget consumption has been worse than linear, the +# analysis may also determine that some units of work in the next +# segment must be skipped in order to maintain a reasonable overall +# budget consumption rate. + + +#REFINEMENT_BARRIER_PERIOD = 1000 + + # Parameter ROLLBACK_SUMMARIES_ON_ABORT # # Purpose 
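Review bot: REFINEMENT_BARRIER_PERIOD is added without a Tags section, while the parallel DATA_RACE_BARRIER_PERIOD in the same hunk carries `# - ANALYSIS_BOUND: Analysis resource/effort limit`; the tags appear to index the generated documentation, so the taint parameter should at least carry the same ANALYSIS_BOUND tag. There is also a stray comma in `a pair (threadA, threadB,)` in the DATA_RACE_BARRIER_PERIOD Behavior text. Both entries say an alert is issued when the setting is below the number of analysis slaves but not what happens for 0 or a negative value, which the `integer` Type permits; one sentence stating the minimum accepted value would close that gap.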
@@ -5940,6 +6220,46 @@ #DP_REFINEMENT_APPROXIMATE_DISMISS_TIMEOUT = No +# Parameter TAINT_PLUS_DP_REFINEMENT +# +# Purpose +# Specifies whether or not the analysis will apply decision +# procedure refinement for "taint+dp" [#taint_dp] warnings. +# +# Behavior +# If set to Yes, the analysis will perform refinement: this means +# that the analysis runs the decision procedure on each warning +# path. +# - The CodeSonar analysis will perform exact refinement on the +# core path [doc/html/Elements/PROPERTIES_Warning.html#core_path] +# for each warning. Warnings determined to be unfeasible are +# handled as specified by the setting of +# TAINT_PLUS_DP_REFINEMENT_DISMISS. Warnings for which the +# decision procedure times out are handled as specified by the +# setting of TAINT_PLUS_DP_REFINEMENT_DISMISS_TIMEOUT. +# - On-demand extended path checking +# [doc/html/GUI/GUI_Path_Checking.html] will also use refinement. +# +# If set to No, the analysis will not perform refinement. For these +# warning classes, there will be many false positives, since +# decision procedure refinement is the primary mechanism by which +# code is judged safe. +# +# Tags +# - WARNING_TUNING: Fine Tuning for Warnings +# +# Type +# { Yes, No } +# +# Notes +# Parameters TAINT_PLUS_DP_REFINEMENT_TIMEOUT, +# TAINT_PLUS_DP_REFINEMENT_DISMISS, and +# TAINT_PLUS_DP_REFINEMENT_DISMISS_TIMEOUT control various aspects +# of refinement. + +#TAINT_PLUS_DP_REFINEMENT = Yes + + # Parameter TAINT_PLUS_DP_REFINEMENT_TIMEOUT # # Purpose @@ -5973,7 +6293,7 @@ # non-negative integer # # Notes -# [#taint_dp] "Taint+dp" warnings are those of the following +# [ANCHOR taint_dp] "Taint+dp" warnings are those of the following # classes. # # - Tainted Buffer Access 
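Review bot: In the new TAINT_PLUS_DP_REFINEMENT entry, `unfeasible` should read `infeasible`, the term this file uses elsewhere for paths the analysis rules out. The Tags and Type sections are also placed after Behavior, whereas the other parameters in this patch list Purpose, Tags, Type, Behavior, Notes in that order; moving them keeps the generated documentation consistent. The note could also say which way the default errs: the text already explains that `No` produces more false positives rather than missed findings, which is worth stating as the reason `Yes` is the factory setting.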
@@ -6829,7 +7149,7 @@ # is set to a very high number (for example, more than 200,000) # CodeSonar may behave unpredictably or crash. # -## LOCK_MAX_PENDING_WARNINGS_PER_PROCEDURE = 1000 +#LOCK_MAX_PENDING_WARNINGS_PER_PROCEDURE = 1000 # Parameter CALL_SITE_EXPANSIONS @@ -6879,10 +7199,10 @@ # # Notes # A limit that is too high may cause CodeSonar to have a stack -# overflow. The default limit is only encountered in pathological -# cases: only one program capable of inducing a stack overflow has -# ever been found in the wild. -# +# overflow. The factory setting (30) is only encountered in +# pathological cases: only one program capable of inducing a stack +# overflow has ever been found in the wild. + #CALL_SITE_EXPANSION_BOUND = 30 @@ -7479,7 +7799,7 @@ # - Yes : the analysis will output an XML file showing the # variables modified by each procedure. For an analysis whose # analysis directory -# [doc/html/Elements/PROPERTIES_analysis.html#analysis_dir] is +# [doc/html/Elements/PROPERTIES_Analysis.html#analysis_dir] is # //.prj_files, the XML file path will be # //.side_effects.xml. # - No : this XML file will not be output. @@ -7850,9 +8170,9 @@ # int *p = &A[10]; # # Notes -# This feature is turned off by default because many codebases may -# have cursor pointers that reach the end of an object but are -# never dereferenced, as in the following example. +# The factory setting is "No" because many codebases may have +# cursor pointers that reach the end of an object but are never +# dereferenced, as in the following example. # int A[10]; # int *p; # for( p = A; p < &A[10]; p++ ); @@ -7880,10 +8200,10 @@ # through the loop. # # Notes -# This feature is turned off by default because it is a frequent +# The factory setting is "No" because this feature is a frequent # source of false positive results when complex invariants in the # codebase render the non-initializing paths infeasible. -# + #WARN_MORE_LOOP_UVARS = No 
@@ -8983,6 +9303,35 @@ # Example 2: the following will match any procedure in every file # whose full path name has foo.c as a suffix. # REACHABILITY_ROOTS += foo.c:* +# +# We define sets REACHABLE_FROM_ROOTS and +# REACHABLE_FROM_ROOTS_EXTENDED. +# +# [ANCHOR reachable_from_roots] REACHABLE_FROM_ROOTS is the set of +# all procedures P such that: +# - P matches a REACHABILITY_ROOTS rule, or +# - P is called (directly or transitively) by a procedure that +# matches a REACHABILITY_ROOTS rule. +# +# In some cases, such as calls through function pointer variables, +# CodeSonar may not correctly resolve all callees for a procedure. +# This can result in procedures incorrectly being identified as +# unreachable, which in turn can reduce the quality of CodeSonar +# analysis results. The use of set REACHABLE_FROM_ROOTS_EXTENDED +# represents a safeguard against such cases. +# +# [ANCHOR reachable_from_roots_extended] +# REACHABLE_FROM_ROOTS_EXTENDED is defined as follows. Let R be the +# source procedure subset of REACHABLE_FROM_ROOTS, and let S be the +# set of all source procedures in the analyzed project (for a +# source-only analysis, all procedures are source procedures). +# - If |R|/|S| is less than the value of parameter +# SOURCE_MIN_REACHABLE_FROM_ROOTS, REACHABLE_FROM_ROOTS_EXTENDED +# is the union of REACHABLE_FROM_ROOTS and S. CodeSonar will +# issue an alert [doc/html/GUI/GUI_Alerts.html] to notify you +# that it has made this determination. +# - Otherwise, REACHABLE_FROM_ROOTS_EXTENDED is equal to +# REACHABLE_FROM_ROOTS. # Parameter HARDCODED_ARGS_REGEX @@ -10197,7 +10546,7 @@ # sprintf-like functions might print up to this many characters. # # Notes -# The default setting has been experimentally verified as the +# The factory setting has been experimentally verified as the # largest number of digits common printf implementations will # render for a 64-bit double. # 
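Review bot: The definition of REACHABLE_FROM_ROOTS_EXTENDED compares |R|/|S| against SOURCE_MIN_REACHABLE_FROM_ROOTS but says nothing about the case where S is empty (a project with no source procedures), where the ratio is undefined; the text should state which branch applies then, for example `# If S is empty, REACHABLE_FROM_ROOTS_EXTENDED is equal to REACHABLE_FROM_ROOTS.` if that is the implemented behavior. The hunk also introduces the two sets without naming what consumes them, so a reader cannot tell from this parameter alone which results are withheld for procedures outside the set — a cross-reference to the parameter that uses REACHABLE_FROM_ROOTS_EXTENDED, or at least to SOURCE_MIN_REACHABLE_FROM_ROOTS, would help. It is worth stating plainly that unresolved function-pointer callees under-approximate the set, so code reached only through callbacks can be classified unreachable and its findings not reported, and that the alert mentioned here is the only signal of that condition; operators should treat that alert as a trigger to review the root set rather than as informational.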
@@ -10225,7 +10574,7 @@ # sprintf-like functions might print up to this many characters. # # Notes -# The default setting has been experimentally verified as the +# The factory setting has been experimentally verified as the # largest number of digits common printf implementations will # render for an 80-bit double. # @@ -10418,9 +10767,10 @@ # any macro name will match. At least one of BAD_MACRO_NAME and # BAD_MACRO_FILENAME must be specified. # - BAD_MACRO_FILENAME is a regular expression. If the macro is -# defined in a file that matches this, then the warning may be -# issued. If unspecified, any file name will match. At least one -# of BAD_MACRO_NAME and BAD_MACRO_FILENAME must be specified. +# defined in a file whose name matches this expression, then the +# warning may be issued. If unspecified, any file name will +# match. At least one of BAD_MACRO_NAME and BAD_MACRO_FILENAME +# must be specified. # - BAD_MACRO_CATEGORIES is the set of categories for the warning, # as a semicolon-separated list. This defaults to the empty # string. 
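Review bot: `# defined in a file whose name matches this expression` still leaves undefined the two things a rule author needs: whether the expression is tested against the bare file name or the full path, and whether a match must cover the whole string or may be a substring. The example rules added later in this diff (`#BAD_MACRO_FILENAME = stdarg.h$`) suggest substring (search) semantics anchored only at the end, while the sibling BAD_MACRO_NAME examples use `^(...)$`; if that is the case, a clause such as `# (the expression is searched for within the file name, so anchor it with $ to match a specific header)` would make the rule reliable, since an unanchored `stdio.h` would also match `mystdio.h`. The distinction matters because a too-broad FILENAME match silently widens the set of definitions that are flagged or, with a typo, narrows it to nothing without any diagnostic.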
@@ -10488,3 +10838,66 @@ #BAD_MACRO_BASE_RANK = 12.0 #BAD_MACRO_SIGNIFICANCE = RELIABILITY + +#BAD_MACRO_CLASS = Use of Feature +#BAD_MACRO_NAME = ^(va_arg|va_start|va_end|va_copy)$ +#BAD_MACRO_INFO = is used. Violation of Misra C 2012:17.1: The features of <stdarg.h> shall not be used +#BAD_MACRO_FILENAME = stdarg.h$ +#BAD_MACRO_CATEGORIES = BADMACRO.STDARG_H;Misra2012:17.1 +#BAD_MACRO_BASE_RANK = 10.0 +#BAD_MACRO_SIGNIFICANCE = RELIABILITY + +#BAD_MACRO_CLASS = Use of Input/Output Macro +#BAD_MACRO_NAME = ^(clearerr|ctermid|cuserid|fclose|fdopen|feof|ferror|fflush|fgetc|fgetpos|fgets|fileno|flockfile|fopen|fprintf|fputc|fputs|fread|freopen|fscanf|fseek|fseeko|fsetpos|ftell|ftello|ftrylockfile|funlockfile|fwrite|getc|getchar|getc_unlocked|getchar_unlocked|getopt|gets|getw|pclose|perror|popen|printf|putc|putchar|putc_unlocked|putchar_unlocked|puts|putw|remove|rename|rewind|scanf|setbuf|setvbuf|snprintf|sprintf|sscanf|tempnam|tmpfile|tmpnam|ungetc|vfprintf|vprintf|vsnprintf|vsprintf)$ +#BAD_MACRO_FILENAME = stdio.h$ +#BAD_MACRO_CATEGORIES = BADMACRO.STDIO_H;Misra2012:21.6;CWE:758;CWE:676 +#BAD_MACRO_BASE_RANK = 10.0 +#BAD_MACRO_SIGNIFICANCE = STYLE + +#BAD_MACRO_CLASS = Use of Input/Output Macro +#BAD_MACRO_NAME = ^(btowc|fwprintf|fwscanf|iswalnum|iswalpha|iswcntrl|iswdigit|iswgraph|iswlower|iswprint|iswpunct|iswspace|iswupper|iswxdigit|iswctype|fgetwc|fgetws|fputwc|fputws|fwide|getwc|getwchar|mbsinit|mbrlen|mbrtowc|mbsrtowcs|putwc|putwchar|swprintf|swscanf|towlower|towupper|ungetwc|vfwprintf|vwprintf|vswprintf|wcrtomb|wcscat|wcschr|wcscmp|wcscoll|wcscpy|wcscspn|wcsftime|wcslen|wcsncat|wcsncmp|wcsncpy|wcspbrk|wcsrchr|wcsrtombs|wcsspn|wcsstr|wcstod|wcstok|wcstol|wcstoul|wcswcs|wcswidth|wcsxfrm|wctob|wctype|wcwidth|wmemchr|wmemcmp|wmemcpy|wmemmove|wmemset|wprintf|wscanf)$ +#BAD_MACRO_FILENAME = wchar.h$ +#BAD_MACRO_CATEGORIES = BADMACRO.WCHAR_H;Misra2012:21.6;CWE:758;CWE:676 +#BAD_MACRO_BASE_RANK = 10 +#BAD_MACRO_SIGNIFICANCE = STYLE + + +# Parameter 
SIDE_EFFECT_FREE_FUNCTIONS +# +# Purpose +# Specifies functions whose calls are to be considered side effect +# free. +# +# Tags +# - WC_LANG.STRUCT.SE.DEC: Used by Side Effects in Expression with +# Decrement +# - WC_LANG.STRUCT.SE.INC: Used by Side Effects in Expression with +# Increment +# - WC_LANG.STRUCT.SE.INIT: Used by Side Effects in Initializer +# List +# - WC_LANG.STRUCT.SE.LOGIC: Used by Side Effects in Logical +# Operand +# - WC_LANG.STRUCT.SE.SIZEOF: Used by Side Effects in sizeof +# +# Type +# Boost regular expression +# [http://www.boost.org/doc/libs/1_51_0/libs/regex/doc/html/boost_regex/syntax.html] +# +# Behavior +# In checks for the following warning classes,CodeSonar treats all +# function calls as having side effects UNLESS the function name +# matches a SIDE_EFFECT_FREE_FUNCTIONS regular expression. +# - Side Effects in Expression with Decrement +# - Side Effects in Expression with Increment +# - Side Effects in Initializer List +# - Side Effects in Logical Operand +# - Side Effects in sizeof +# +# Notes +# It is impossible to know precisely which functions have side +# effects in general, so this parameter allows the specification of +# functions that are considered side effect free. + +#SIDE_EFFECT_FREE_FUNCTIONS += ^(strlen|strnlen_s|strcmp|strncmp|strcoll|strchr|strrchr|strspn|strcspn|memchr)$ +#SIDE_EFFECT_FREE_FUNCTIONS += ^(isalnum|isalpha|islower|isupper|isdigit|isxdigit|iscntrl|isgraph|isspace|isblank|isprint|ispunct|tolower|toupper)$ +#SIDE_EFFECT_FREE_FUNCTIONS += ^(iswalnum|iswalpha|iswlower|iswdigit|iswxdigit|iswcntrl|iswgraph|iswspace|iswblank|iswprint|iswpunct|wctype|towlower|towupper|towctrans|wctrans)$
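Review bot: The three new BAD_MACRO rule sets in this hunk (which begins at the `@@ -10488,3 +10838,66 @@` header) are inconsistent with each other: the stdarg rule carries a `#BAD_MACRO_INFO = ...` line while the stdio and wchar rules have none, and the wchar rule sets `#BAD_MACRO_BASE_RANK = 10` where its siblings use `10.0`. If BAD_MACRO_INFO is optional the omission only costs the MISRA rationale in the warning text, but if it is required the two rules fail once uncommented; either way give each rule an INFO line (e.g. `#BAD_MACRO_INFO = is used. Violation of Misra C 2012:21.6`) and normalize the rank to `10.0`. The wchar rule's class `Use of Input/Output Macro` also misdescribes its contents, which are mostly wide-string and character-classification functions (`wcscpy`, `iswalpha`) rather than I/O; a class name such as `Use of wchar.h Macro` avoids mislabelling those warnings. Finally, the stdio rule places names the rule itself tags with CWE:676 (`gets`, `tmpnam`, `sprintf`) alongside routine I/O under STYLE significance at rank 10, so a team enabling these rules for security triage may want that subset in a separate, higher-significance rule rather than buried among style findings.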