
Quality of Visual Studio Community code analysis with SAL annotations

I hope this question is not out of scope for SO; if it is (sorry in that case), please tell me where it belongs and I'll try to move it there.

The concept of SAL annotations for static code analysis in C/C++ seems really useful to me. Take for example the wrongly implemented wmemcpy example on MSDN: Understanding SAL:

#include <sal.h>

wchar_t * wmemcpy(
   _Out_writes_all_(count) wchar_t *dest,   // contract: exactly count elements are written
   _In_reads_(count) const wchar_t *src,    // contract: at most count elements are read
   size_t count)
{
   size_t i;
   for (i = 0; i <= count; i++) { // BUG: off-by-one error, touches dest[count] and src[count]
      dest[i] = src[i];
   }
   return dest;
}

MSDN says that "a code analysis tool could catch the bug by analyzing this function alone", which seems great, but the problem is that when I paste this code in VS 2017 Community no warning about this pops up on code analysis, not even with all analysis warnings enabled. (Other warnings like C26481 Don't use pointer arithmetic. Use span instead (bounds.1). do.)

Another example which should produce warnings (at least according to an answer to What is the purpose of SAL (Source Annotation Language) and what is the difference between SAL 1 and 2?), but does not:

#include <iostream>
#include <sal.h>

// Declaration only, as in the question: an_int is a valid output only when the function returns true.
_Success_(return) bool GetASmallInt(_Out_range_(0, 10) int& an_int);

int main() {
    int result;                              // uninitialized
    const auto ret = GetASmallInt(result);   // ret is never checked, so ...
    std::cout << result;                     // ... result may be read although the call failed
}

And a case of an incorrect warning:

#include <sal.h>

struct MyStruct { int *a; };

// result is a pure output: the callee is not expected to read anything through it.
void RetrieveMyStruct(_Out_ MyStruct *result) {
    result->a = new int(42);
}

int main() {
    MyStruct s;            // deliberately uninitialized; it is only ever written by the callee
    RetrieveMyStruct(&s);
    // C26486 Don't pass a pointer that may be invalid to a function. Parameter 1 's.a' in call to 'RetrieveMyStruct' may be invalid (lifetime.1).
    //  Don't pass a pointer that may be invalid to a function. The parameter in a call may be invalid (lifetime.1).
}

result is obviously marked with _Out_ and not _In_ or _Inout_, so this warning does not make sense in this case.

My question is: Why does Visual Studio's SAL-based code analysis seem to be quite bad; am I missing something? Is Visual Studio Professional or Enterprise maybe better in this aspect? Or is there a tool which can do this better?

And if it's really quite bad: is this a known problem and are there maybe plans to improve this type of analysis?

Related: visual studio 2013 static code analysis - how reliable is it?
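The first two snippets from the question, exercised at run time as an added example that is not part of the question, the MSDN page or the Visual Studio analyzer: a guard cell placed right after the `count` elements that `_Out_writes_all_(count)` allows reveals the off-by-one that the static analysis missed, and a caller that honours `_Success_(return)` never reads `an_int` on failure. The body given to `GetASmallInt` (taking a second `source` parameter) is an assumption made for the example, since the question only declares the function; the fallback macros exist only so the file compiles where `<sal.h>` is unavailable.

```cpp
// Added example: runtime checks of the contracts the SAL annotations in the
// question express. <sal.h> exists only on MSVC; elsewhere the annotations
// are defined away, exactly as the compiler itself treats them.
#if defined(_MSC_VER)
#include <sal.h>
#else
#define _Out_writes_all_(n)
#define _In_reads_(n)
#define _Out_range_(lo, hi)
#define _Success_(expr)
#endif

#include <cstddef>
#include <vector>

// The MSDN example from the question, unchanged: the loop also writes dest[count].
static wchar_t *wmemcpy_buggy(_Out_writes_all_(count) wchar_t *dest,
                              _In_reads_(count) const wchar_t *src,
                              size_t count) {
    for (size_t i = 0; i <= count; i++) {  // off-by-one
        dest[i] = src[i];
    }
    return dest;
}

// Corrected version that honours _Out_writes_all_(count) / _In_reads_(count).
static wchar_t *wmemcpy_fixed(_Out_writes_all_(count) wchar_t *dest,
                              _In_reads_(count) const wchar_t *src,
                              size_t count) {
    for (size_t i = 0; i < count; i++) {
        dest[i] = src[i];
    }
    return dest;
}

using CopyFn = wchar_t *(*)(wchar_t *, const wchar_t *, size_t);

// Dynamic stand-in for the static check: a guard cell sits at index `count`,
// the first index the contract forbids. Both buffers are count + 1 cells long,
// so the buggy read of src[count] stays inside allocated memory here and the
// only observable effect is whether the guard in dest was overwritten.
static bool writes_past_count(CopyFn fn, size_t count) {
    const wchar_t guard = L'\xBEEF';
    std::vector<wchar_t> src(count + 1, L'A');
    std::vector<wchar_t> dest(count + 1, guard);
    src[count] = L'B';  // distinguishable value at the forbidden index
    fn(dest.data(), src.data(), count);
    return dest[count] != guard;
}

// Hypothetical body for the question's declaration (the question gives none):
// an_int is only a valid output when the function returns true, and then
// lies in [0, 10], which is what _Success_(return) and _Out_range_ promise.
_Success_(return) bool GetASmallInt(_Out_range_(0, 10) int &an_int, int source) {
    if (source < 0 || source > 10) {
        return false;  // an_int deliberately left untouched on failure
    }
    an_int = source;
    return true;
}

// A caller that respects _Success_(return): it checks the return value and
// never reads an_int on failure, unlike the snippet in the question, which
// prints `result` unconditionally. Returns -1 (outside the contract's range)
// when there is no value.
static int read_small_int_checked(int source) {
    int result = -1;
    if (!GetASmallInt(result, source)) {
        return -1;
    }
    return result;
}
```

`writes_past_count(wmemcpy_buggy, n)` returns true for any `n`, `writes_past_count(wmemcpy_fixed, n)` returns false, and `read_small_int_checked` yields the input for 0..10 and -1 otherwise. The guard-cell harness is the dynamic counterpart of what the analyzer is supposed to prove from the annotation alone; it is useful as a unit test for annotated copy routines, but it only exercises the inputs you give it.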

Function contracts, of which SAL annotations are a lightweight realization, make it possible to reason locally about whether a function is doing the right thing and is used wrongly or the opposite. Without them, you could only discuss the notion of bug in the context of a whole program. With them, as the documentation says, it becomes possible to say locally that a function's behavior is a bug, and you can hope that a static analysis tool will find it.

Verifying mechanically that a piece of code does not have bugs remains a difficult problem even with this help. Different techniques exist because there are various partial approaches to the problem. They all have strengths and weaknesses, and they all contain plenty of heuristics. Loops are part of what makes predicting all the behaviors of a program difficult, and implementers of these tools may choose not to hard-code patterns for the extremely simple loops, since these patterns would seldom serve in practice.

And if it's really quite bad: is this a known problem and are there maybe plans to improve this type of analysis?

Yes, researchers have worked on this topic for decades and continue both to improve the theory and to transfer theoretical ideas into practical tools. As a user, you have a choice:

  • if you need your code to be free of bugs, for instance because it is intended for a safety-critical context, then you already have very heavy methodology in place based on intensive testing at each level of the V-cycle, and this sort of static analysis can already help you reach the same level of confidence with less (but some) effort. You will need more expressive contract specifications than SAL annotations for this goal. An example is ACSL for C.
  • if you are not willing to make the considerable effort necessary to ensure that code is bug-free with high confidence, you can still take advantage of this sort of static analysis, but in this case consider any bug found as a bonus. The annotations, because they have a formally defined meaning, can also be useful to assign blame even in the context of a manual code review in which no static analyzer is involved. SAL annotations were designed explicitly for this use case.
