RuleChecker release 17.04

Standalone RuleChecker

This is the first official stable release of RuleChecker that can be used both as part of Astrée and on its own.
Note that using RuleChecker in conjunction with Astrée maximizes precision on semantic rules.

SEI CERT C

RuleChecker now also supports coding rules defined by the SEI CERT C standard.

General improvements

  • Reduced memory consumption on code with many unused static functions.
  • RuleChecker now supports checking multiple groups of files, each with its own configuration of rules.
  • Checking for recursive function calls no longer requires specifying an analysis entry point.
  • The new rule set “A. Diagnostics” reports diagnostics formerly issued as errors or notifications by the C frontend.
  • Added support for selecting rule categories for automatically generated code as listed in appendix E of MISRA-C:2012.
  • Rule violations can now be commented in the source code using special syntax:

    /* ASTREE_comment(1:4,:11, check_global_object_scope, "Unused function, should we remove it?", true_no_defect) */
    int f(void) {
      return X;
    }

    You can generate a comment template in this syntax by clicking on the Comment field of a rule violation in the Findings view.

  • When performing rule checks as part of an Astrée analysis, the wrapper and stubs file is no longer excluded from rule checking.

Options and directives

  • The option ignored-source-files has been removed. Files to be checked are now explicitly specified in the new RuleChecker configuration. (Cf. also the Astrée release notes on DAX.)
  • The directive __ASTREE_suppress now also accepts rules_category as type, causing all rule checks to be suppressed for the specified code region.

Improved messages

  • Messages about violations of the recursion check now include a list of all the functions involved in the recursion cycle.
  • Violated metric thresholds now include the threshold and the computed value:
    ALARM (R): check min-comment-density-his failed (violates T.14.1) comment density 0.00 violates the limit of 0.80
  • Violated MISRA rules now include their MISRA classification (mandatory, required or advisory):
    ALARM (R): check cast-integer-implicit failed (violates M.10.1-required)
    ALARM (R): check identifier-unique failed (violates M.5.7-advisory)

Bug fixes

  • Fixed an issue that in rare cases made RuleChecker fail to find certain source files.
  • Paths are now consistently handled case-insensitively when the option case-insensitive is enabled.

Qualification Support Kits

  • 26 additional test cases.
  • Consistency checks for XML result and XML report files.

Qualification Software Life Cycle Data report

A QSLCD report is now available that documents the development process of RuleChecker, including all verification and quality assurance activities.

MISRA-C:2004

  • Improved the check static-identifier-reuse to remove false alarms for block-scope static variables. This affects the rules 5.5 and 5.7.
  • Modified the check struct-type-incomplete for rule 18.1 so that it is now executed for each translation unit.
  • Fixed false alarms for the check boolean-invariant which previously could be reported in unreachable code. This affects rule 13.7.
  • Corrected the checks for the rules 11.2, 11.3, 11.4, 11.5 with respect to explicit and implicit casts applied to arrays. This particularly affects expressions in which an array is implicitly treated as a pointer, such as when passing it as an argument to a function.
  • For rule 14.2, a cast to void is no longer assumed to indicate intentionally unused expressions.
  • For rule 12.2, the check expression-order has been replaced by the check evaluation-order.
  • Improved several rule checks that consider side effects:
    • evaluation-order (rule 12.2)
    • logop-side-effect (rule 12.4)
    • statement-sideeffect (rule 14.2)
  • RuleChecker now also warns about invalid constant array sizes, which are a violation of rule 1.1.
  • Improved the check statement-sideeffect for rule 14.2 to consider all defective cases that involve volatile lvalues or assembler code.
  • Fixed false alarms about violations of rule 16.3 for prototyped functions without parameters that use a type alias of void in the parameter type list, e.g.
    typedef void VOID;
    int f(VOID);
  • The coverage of rule 1.1 has been extended by the following checks for additional cases of constraint violations:
    • function-pointer-integer-cast-implicit
    • pointer-integral-cast-implicit
    • cast-pointer-void-arithmetic-implicit
    • inappropriate-pointer-cast-implicit
  • The coverage of rule 1.1 has been extended by the following checks to report the use of language extensions supported by Astrée and RuleChecker:
    • pointer-attribute
    • at-location
    • forward-declared-enum
    • statement-expression
    • assembler
    • lvalue-cast
  • The plain char type is now treated strictly unequal to the (un)signed char types. This affects:
    • rule 8.4 (type-compatibility)
    • rule 11.4 (object-pointer-diff-cast-strict, object-pointer-diff-cast-strict-implicit)
    • rule 10.1 (cast-integer-implicit)
  • Improved the check local-object-scope to remove false alarms when using a variable in a global initializer. This affects rule 8.7.
  • When no Astrée analysis results are available, the rules 18.2, 19.1, and 20.3 are now still partially covered.
  • Improved coverage of rule 9.1 by adding the new check uninitialized-local-read which does not require Astrée analysis results.
  • Rule 20.3: constant parameters in calls to library functions are now checked for potential domain and range errors.
  • Assignments to different union fields of the same union are now reported as violations of rule 18.2.

MISRA-C:2012

  • Added support for the rules 11.9, 14.1, 17.8, and 20.7.
  • Rule 20.12 is now fully covered thanks to the new check expanded-hash-parameter. It warns about macro parameters that are subject to further macro replacement where they occur in the replacement text both with and without the # or ## operator.
  • Removed false alarms for:
    • rules 5.6 and 5.7, identifier-unique-typedef and identifier-unique-tag for typedefs declaring the same identifier as struct tag and type name (typedef struct S {...} S;) if such declarations are included in multiple translation units
    • rule 5.9, static-identifier-reuse on block-scope static variables
    • rule 7.4, literal-assignment when the definition of a literal involves a type constructed by typedef, or when initializing an array of character type by a string literal
    • rule 8.2, for prototyped functions that use a type alias of void in the parameter type list:
      typedef void VOID;
      int f(VOID);
    • rule 8.9, local-object-scope when using a variable in a global initializer
    • rule 9.1, uninitialized-variable-use on local static variables
    • rule 9.5, array-size-designator when initializing an array with a string literal
    • rule 13.3, unary-assign-detachment for write accesses to volatile lvalues inside of aggregates
    • rule 15.3, goto-nesting on goto statements that point into the body of an enclosing for-loop or selection statement
  • Corrected the assumed size of the essential type of bitfields. This affects the rules 10.3, 10.6, 10.7, 10.8, and 12.2.
  • Corrected the checks for rules 11.3, 11.4, 11.7, 11.8 with respect to explicit and implicit casts applied to arrays. This particularly affects expressions in which an array is implicitly treated as a pointer, such as when passing it as an argument to a function.
  • Improved several checks that consider side effects:
    • side-effect-in-initializer-list (rule 13.1)
    • evaluation-order (rule 13.2)
    • side-effect-in-logical-exp (rule 13.5)
    • for-loop-condition-sideeffect (rule 14.2)
  • RuleChecker now also warns about invalid constant array sizes, which are a violation of rule 1.1.
  • The checks literal-assignment and string-literal-modification for rule 7.4 have been extended to also raise alarms about complex expressions pointing to a string literal.
  • Alarms about violations of rule 5.3 now include the location of the hidden identifier.
  • Improved the check evaluation-order used in the rules 12.2 and 13.2. It is now more precise for assignments of the form lhs = f(..) where lhs has no read accesses and f(..) is a function call.
  • The coverage of rule 1.1 has been extended by the following checks for additional cases of constraint violations:
    • function-pointer-integer-cast-implicit
    • pointer-integral-cast-implicit
    • cast-pointer-void-arithmetic-implicit
    • inappropriate-pointer-cast-implicit
  • The coverage of rule 1.2 has been extended by the following checks to report the use of language extensions supported by Astrée and RuleChecker:
    • pointer-attribute
    • at-location
    • forward-declared-enum
    • statement-expression
    • assembler
    • lvalue-cast
  • Directive 4.11: constant parameters in calls to library functions are checked for potential domain and range errors.
  • Assignments to different union fields of the same union are now reported as violations of rule 19.1.
  • Improved coverage of rule 9.1 by adding the new check uninitialized-local-read which does not require Astrée analysis results.
  • Improved messages of violations of rule 8.3 such that the GUI allows jumping directly to the code locations of conflicting declarations.
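The following is an added illustration of the macro pattern targeted by the new check expanded-hash-parameter for rule 20.12 described above; it is constructed for these notes and is not code from the RuleChecker product or its test suite. The names REPORT, LIMIT, STR and XSTR are invented for the example.

```c
#include <string.h>

/* Constructed example (not from the release notes): the pattern flagged by
 * expanded-hash-parameter (MISRA-C:2012 rule 20.12). The parameter x occurs
 * both as an operand of # (where it is NOT macro-expanded) and without #
 * (where it IS expanded), so the reported name and value can disagree. */
#define REPORT(x) report_pair(#x, (x))
#define LIMIT 100

struct pair { const char *name; int value; };

static struct pair report_pair(const char *name, int value) {
    struct pair p = { name, value };
    return p;
}

/* One common way to satisfy the rule: each macro uses its parameter either
 * only as an operand of #, or only as an ordinary (expanded) operand. */
#define STR(x) #x
#define XSTR(x) STR(x)   /* x is expanded in XSTR, then stringized in STR */

/* Demonstrates the inconsistency: REPORT(LIMIT) yields the unexpanded
 * name "LIMIT" together with the expanded value 100. */
int report_is_inconsistent(void) {
    struct pair p = REPORT(LIMIT);
    return strcmp(p.name, "LIMIT") == 0 && p.value == 100;
}

/* With the two-level macro the argument is consistently expanded: "100". */
const char *expanded_name(void) {
    return XSTR(LIMIT);
}

int main(void) {
    return report_is_inconsistent() && strcmp(expanded_name(), "100") == 0 ? 0 : 1;
}
```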

SEI CERT C

Added support for the SEI CERT C coding standard.

Customer-specific rules

  • Rule X.A.5.42: the upper limit of the check logical-operators can now be set, the default being 3.
  • Rule X.A.3.7 has been extended by an option that controls whether the characters ä, Ä, ö, Ö, ü, Ü, and ß may appear in comments, provided that they are UTF-8 encoded. The default value of the option forbids the use of such characters.
  • Rule X.A.5.57: corrected the checks with respect to explicit and implicit casts applied to arrays. This particularly affects expressions in which an array is implicitly treated as a pointer, such as when passing it as an argument to a function.
  • Rule X.A.5.19: fixed false alarms for prototyped functions without parameters using a type alias of void in the parameter type list:
    typedef void VOID;
    int f(VOID);
  • The plain char type is now treated strictly unequal to the (un)signed char types. This affects rule X.A.5.44 (cast-implicit).

Style rules

Added new style rule S.1.5: Enumeration constant identifiers can be validated to match a given regular expression.

Code metrics

  • New metrics:
    • FILES
      reports the number of source files in the entire analysis project
    • FUNGLOB
      reports the number of function definitions in the entire analysis project
  • The metric FUN (number of function definitions per file) is now correctly computed in all circumstances.
  • The metric LSCOPE (language scope) now also takes labels into account.
  • The LSCOPE for empty functions is now determined to be 0 instead of NaN.