Static Analysis: some UI ideas
David Malcolm
dmalcolm at redhat.com
Tue Feb 5 16:57:51 UTC 2013
On Tue, 2013-02-05 at 13:02 +0100, Kamil Dudka wrote:
> On Monday 04 February 2013 22:37:45 David Malcolm wrote:
> > Content-addressed storage: they're named by SHA-1 sum of their contents,
> > similar to how git does it, so if the bulk of the files don't change,
> > they have the same SHA-1 sum and are only stored once. See e.g.:
> > http://fedorapeople.org/~dmalcolm/static-analysis/2013-01-30/python-ethtool
> > -0.7-4.fc19.src.rpm/static-analysis/sources/ I probably should gzip them as
> > well.
>
> This can indeed save some space. I really like the idea. Maybe using a true
> git store would give you additional reduction of space requirements thanks to
> using the delta compression.
Interesting. I had thought that git purely stored compressed files and
eschewed the idea of deltas, but it does indeed store deltas sometimes:
http://git-scm.com/book/ch9-4.html
My plan had been to store the files either in a big lookaside directory
structure, or directly as (compressed) blobs in a database,
named/indexed by SHA-1 sum. But that approach might yield significant
savings, provided it can do name-matching.
Then again, premature optimization is the root of all bugs :)
> > Currently it's capturing all C files that have GCC invoked on them, or
> > are mentioned in a warning (e.g. a .h file with an inline function with
> > a bug). I could tweak things so it only captures files that are
> > mentioned in a warning.
>
> But then you would be no longer able to provide the context. If the error
> trace goes through a function foo() defined in another module of the same
> package, the user needs to look at its definition to confirm/waive the defect.
I was a little sloppy in my wording when I said "mentioned in a
warning", sorry. This *does* include the traces, so for the case you
describe it *would* capture the source file containing the definition of
foo(), so that we would be able to render that information in a
presentation of the data. (though all of my current trace
visualizations only handle one function at a time; see e.g.:
http://gcc-python-plugin.readthedocs.org/en/latest/_images/sample-html-error-report.png
(screenshot of html)
and:
http://fedorapeople.org/~dmalcolm/gcc-python-plugin/2012-03-19/example/example.html
http://fedorapeople.org/~dmalcolm/gcc-python-plugin/2012-03-26/pylibmc/example.html
so we'd need some kind of new visualization for interprocedural paths.
[specifically, the source extraction is implemented by
https://github.com/fedora-static-analysis/mock-with-analysis/blob/master/mock-with-analysis#L172
in extract_results_from_chroot() where I pass a SourceExtractor visitor
over the analysis file; it visits all files mentioned in the analysis
file]
> > I guess the issue is: where do you store the knowledge about good vs bad
> > warnings? My plan was to store it server-side. But we could generate
> > summaries and have them available client-side. For example, if, say
> > cppcheck's "useClosedFile" test has generated 100 issues of which 5 have
> > received human attention: 1 has been marked as a true positive, and 4
> > has been marked as false positives. We could then say ("cppcheck",
> > "useClosedFile") has a signal:noise ratio of 1:4. We could then
> > generate a summary of these (tool, testID) ratios for use by clients,
> > which could then a user-configurable signal:noise threshold, so you can
> > say: "only show me results from tests that achieve 1:2 or better".
>
> I did not realize you mean auto-filtering based on statistics form user's
> input. Then maintaining the statistics at the server sounds as a good idea.
> Being able to export a text file with scores per checker should be just fine
> for the command-line tools. We will see if the statistics from user's input
> could be used as a reliable criterion. The problem is that some defects
> tend to be classified incorrectly without a deeper analysis of the report
> (and code).
(nods)
For some depressing but useful thoughts on this, see:
http://www.dwheeler.com/flawfinder/#fool-with-tool
> > > The limitation of javascript-based UIs is that they are read-only. Some
> > > developers prefer to go through the defects using their own environment
> > > (eclipse, vim, emacs, ...) rather than a web browser so that they can fix
> > > them immediately. We should support both approaches I guess.
> >
> > Both approaches. What we could do is provide a tool ("fedpkg
> > get-errors" ?) that captures the errors in the same output format as
> > gcc. That way if you run it from say gcc, the *compilation* buffer has
> > everything in the right format, and emacs' goto-next-error stuff works.
>
> 'fedpkg foo' is probably overkill at this point. My concern was rather that
> we should not so much rely on the web server/browser approach in the first
> place. I would like to have most of the equipment working just from terminal
> without any server or browser. Any server solution can be then easily built
> on top of it.
Right, and that's what I've been doing.
> > Currently it's matching on 4 things:
> > * by name of test tool (e.g. "clang-analyzer")
>
> + the class of defect? e.g. "useClosedFile" in your example above...
Good point (the "testid" in firehose terminology). Added in:
https://github.com/fedora-static-analysis/mock-with-analysis/commit/25b12996cbc66477241c94d6f6a7123007743f6c
though this doesn't appear to affect the comparisons with the
python-ethtool test data I'm currently working with.
> > * by filename of C file within the tarball (so e.g.
> > '/builddir/build/BUILD/python-ethtool-0.7/python-ethtool/etherinfo.c'
> > becomes 'python-ethtool/etherinfo.c', allowing different versions to be
> > compared)
>
> With some part of the path or just base name?
the "full" path within the tarball, so that, say:
'/builddir/build/BUILD/python-ethtool-0.6/python-ethtool/etherinfo.c'
'/builddir/build/BUILD/python-ethtool-0.7/python-ethtool/etherinfo.c'
both are treated as 'python-ethtool/etherinfo.c'
(see get_internal_filename() within:
https://github.com/fedora-static-analysis/mock-with-analysis/blob/master/reports/reports.py#L10 )
> > * function name (or None)
>
> You want to work with full signatures if you are going to support overloaded
> functions/methods in C++.
Agreed.
Currently mock-with-analysis only runs analyzers on C code, for
simplicity - my immediate deadline/goal is that I'm giving a talk at
PyCon next month on static analysis of Python extensions:
https://us.pycon.org/2013/schedule/presentation/95/
and I ideally want to have my cpychecker data in some kind of database I
can sanely query. (this is what's motivating my work on this right
now).
So I'm currently largely ignoring C++, but I believe that the approach
I'm using can be extended to support it without excess pain.
> > * text of message
>
> The messages cannot be checked for exact match in certain cases. Have a look
> at the rules we use in csdiff for the text messages:
>
> http://git.fedorahosted.org/cgit/codescan-diff.git/plain/csfilter.cc
Thanks for the link. My first thought looking at that code was
"Whoah!" - you appear to be doing some fairly complicated text parsing
in C++." Have you considered using Python for that? (in my experience
the time taken to run the tool dwarfs that of parsing the results, so
using an interpreted language shouldn't impose a noticeable speed
penalty).
Those rules appear to be very much tool-specific, for the analysis tool
that you're parsing the results of.
It would seem to makes sense to have two concepts of message for a
warning: the raw message (as emitted by the tool), and a cleaned version
of the message (for use in comparing for duplicates). I wonder where
the cleaning should happen: on parsing, or at a later time. The latter
seems better: the parser reads the raw message, which is treated as
canonical, and we can have a set of rules for cleaning the message
(which will need to grow and be tweaked as we run into difficult
messages).
I did some message cleaning of my own in:
https://github.com/fedora-static-analysis/mock-with-analysis/blob/master/reports/make-comparative-report.py#L28
since some of cpychecker's messages embed too much context. (my bad, as
author of cpychecker)
> > See "make-comparative-report.py:ComparativeIssues" in
> > https://github.com/fedora-static-analysis/mock-with-analysis/blob/master/re
> > ports/make-comparative-report.py
>
> Actually my comment was not about the matching algorithm, but about the way
> you present the comparative results. The UI is based on comparing a pair of
> source files. In many cases you will fail to find a proper pairing of source
> files between two versions of a package.
Yes, you're right. I need to be careful to ensure that issues aren't
dropped when this happens. I haven't yet checked to see what my
experiment does in that case.
Thanks for the valuable suggestions.
Dave
More information about the devel
mailing list