RuleChecker Release 17.04
-------------------------


Standalone RuleChecker
----------------------
This is the first official stable release of RuleChecker that can be used 
both as part of Astrée and as a standalone tool.

Note that using RuleChecker in conjunction with Astrée maximizes precision 
on semantic rules, i.e. rules whose violations depend on analysis results.


SEI CERT C
----------
RuleChecker now also supports coding rules defined by the SEI CERT C standard.


General improvements
--------------------
* Reduced memory consumption on code with many unused static functions.

* RuleChecker now supports checking multiple groups of files, 
  each with its own configuration of rules.

* Checking for recursive function calls no longer requires specifying 
  an analysis entry point.
  
* The new rule set “A. Diagnostics” reports diagnostics 
  formerly issued as errors or notifications by the C frontend.
  
* Added support for selecting rule categories for automatically generated code 
  as listed in appendix E of MISRA-C:2012.
  
* Rule violations can now be commented in the source code using special syntax:

    /* ASTREE_comment(1:4,:11,
       check_global_object_scope,
       "Unused function, should we remove it?",
       true_no_defect) */
       
    int f(void) {
      return X;
    }
    
  You can generate a comment template in this syntax by clicking 
  on the Comment field of a rule violation in the Findings view.
    
* When performing rule checks as part of an Astrée analysis, 
  the wrapper and stubs file is no longer excluded from rule checking.


Options and directives
----------------------
* The option ignored-source-files has been removed. Files to be checked 
  are now explicitly specified in the new RuleChecker configuration. 
  Cf. also the Astrée 17.04 release notes on DAX at 
  www.absint.com/releasenotes/astree_release_1704.html.
  
* The directive __ASTREE_suppress now also accepts rules_category as type, 
  causing all rule checks to be suppressed for the specified code region.


Improved messages
-----------------
* Messages about violations of the recursion check now include a list 
  of all the functions involved in the recursion cycle.
  
* Messages about violated metric thresholds now include both the threshold 
  and the computed value:

    ALARM (R): check min-comment-density-his failed (violates T.14.1) 
    comment density 0.00 violates the limit of 0.80
    
* Messages about violated MISRA rules now include the rule's MISRA 
  classification (mandatory, required or advisory):

    ALARM (R): check cast-integer-implicit failed (violates M.10.1-required)
    ALARM (R): check identifier-unique failed (violates M.5.7-advisory)


Bug fixes
---------
* Fixed an issue that in rare cases made RuleChecker fail to find 
  certain source files.
  
* Paths are now consistently handled case-insensitively 
  when the option case-insensitive is enabled.


Qualification Support Kits
--------------------------
* 26 additional test cases.

* Consistency checks for XML result and XML report files.


Qualification Software Life Cycle Data report
---------------------------------------------
A QSLCD report is now available that documents the development process of RuleChecker, 
including all verification and quality assurance activities.


MISRA-C:2004
------------
* Improved the check static-identifier-reuse to remove false alarms 
  for block-scope static variables. This affects the rules 5.5 and 5.7.
  
* Modified the check struct-type-incomplete for rule 18.1 
  so that it is now executed for each translation unit.
  
* Fixed false alarms for the check boolean-invariant which previously 
  could be reported in unreachable code. This affects rule 13.7.
  
* Corrected the checks for the rules 11.2, 11.3, 11.4, 11.5
  with respect to explicit and implicit casts applied to arrays. 
  This particularly affects expressions in which an array is implicitly 
  treated as a pointer, like when passing it as an argument to a function.
  
* For rule 14.2, a cast to void is no longer assumed to indicate 
  intentionally unused expressions.
  
* For rule 12.2, the check expression-order has been replaced
  by the check evaluation-order.
  
* Improved several rule checks that consider side effects:

  * evaluation-order (rule 12.2)
  * logop-side-effect (rule 12.4)
  * statement-sideeffect (rule 14.2)

* RuleChecker now also warns about invalid constant array sizes, 
  which are a violation of rule 1.1.
  
* Improved the check statement-sideeffect for rule 14.2 to consider 
  all defective cases that involve volatile lvalues or assembler code.
  
* Fixed false alarms about violations of rule 16.3 for prototyped functions
  without parameter using a type alias of void in the parameter type list, 
  for example:
  
    typedef void VOID;
    int f(VOID);

* The coverage of rule 1.1 has been extended by the following checks 
  for additional cases of constraint violations:

  * function-pointer-integer-cast-implicit
  * pointer-integral-cast-implicit
  * cast-pointer-void-arithmetic-implicit
  * inappropriate-pointer-cast-implicit

* The coverage of rule 1.1 has been extended by the following checks 
  to report the use of language extensions supported by Astrée and RuleChecker:

  * pointer-attribute
  * at-location
  * forward-declared-enum
  * statement-expression
  * assembler
  * lvalue-cast

* The plain char type is now treated as a type distinct from both 
  signed char and unsigned char. This affects:

  * rule 8.4 (type-compatibility)
  * rule 11.4 (object-pointer-diff-cast-strict, 
               object-pointer-diff-cast-strict-implicit)
  * rule 10.1 (cast-integer-implicit)

* Improved the check local-object-scope to remove false alarms 
  when using a variable in a global initializer. This affects rule 8.7.
  
* When no Astrée analysis results are available, 
  the rules 18.2, 19.1, and 20.3 are now still partially covered.
  
* Improved coverage of rule 9.1 by adding the new check 
  uninitialized-local-read which does not require Astrée analysis results.
  
* Rule 20.3: constant parameters in calls to library functions 
  are now checked for potential domain and range errors.
  
* Assignments to different union fields of the same union 
  are now reported as violations of rule 18.2.


MISRA-C:2012
------------
* Added support for the rules 11.9, 14.1,
  17.8, and 20.7.
  
* Rule 20.12 is now fully covered thanks to the new check 
  expanded-hash-parameter. It warns about macro parameters that are subject to 
  further macro replacement where they occur in the replacement text both with 
  and without the # or ## operator.
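
  The mechanism behind this check, as an added illustration that is not code 
  from the release notes or from RuleChecker (the macro names and the constant 
  LIMIT are constructed): an argument that is itself a macro is left as written 
  where the parameter is an operand of #, but macro-replaced where the same 
  parameter occurs on its own, so one argument yields two different things.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: an argument that is itself an object-like macro. */
#define LIMIT 42

/* Direct stringizing: the operand of # is NOT macro-replaced, so the
 * result is the spelling "LIMIT", not "42". */
#define STRINGIZE_DIRECT(x) #x

/* Two-level idiom: here x is not an operand of #, so it is fully
 * macro-replaced first (LIMIT -> 42) and only then stringized -> "42". */
#define STRINGIZE_EXPANDED(x) STRINGIZE_DIRECT(x)

struct shown {
    const char *name;   /* what the # use of the parameter produced */
    int value;          /* what the plain use of the parameter produced */
};

static struct shown show(const char *name, int value)
{
    struct shown s;
    s.name = name;
    s.value = value;
    return s;
}

/* Non-compliant with MISRA C:2012 rule 20.12: the parameter x is used both
 * as an operand of # (no macro replacement) and on its own (macro
 * replacement happens). For SHOW_NONCOMPLIANT(LIMIT) the two uses of the
 * same argument therefore disagree: "LIMIT" versus 42. */
#define SHOW_NONCOMPLIANT(x) show(#x, (x))

/* Compliant alternative: each parameter is used in exactly one way, so no
 * parameter is both stringized and macro-replaced. The caller passes the
 * label and the value separately. */
#define SHOW_COMPLIANT(label, value) show(#label, (value))

const char *direct_name(void)   { return STRINGIZE_DIRECT(LIMIT); }   /* "LIMIT" */
const char *expanded_name(void) { return STRINGIZE_EXPANDED(LIMIT); } /* "42" */

struct shown noncompliant_use(void) { return SHOW_NONCOMPLIANT(LIMIT); }
struct shown compliant_use(void)    { return SHOW_COMPLIANT(limit, LIMIT); }

int main(void)
{
    struct shown bad = noncompliant_use();
    struct shown good = compliant_use();

    printf("#x directly: \"%s\", via two levels: \"%s\"\n",
           direct_name(), expanded_name());          /* "LIMIT", "42" */
    printf("non-compliant: %s = %d\n", bad.name, bad.value);   /* LIMIT = 42 */
    printf("compliant:     %s = %d\n", good.name, good.value); /* limit = 42 */
    return 0;
}
```

  The check flags the definition of SHOW_NONCOMPLIANT, not its call sites: 
  whether the two uses of x agree depends on what the caller passes, which is 
  exactly the ambiguity rule 20.12 rules out.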
  
* Removed false alarms for:

  * rules 5.6 and 5.7, identifier-unique-typedef and identifier-unique-tag 
    for typedefs declaring the same identifier as struct tag and type name 
    (typedef struct S {...} S;) if such declarations are included in multiple 
    translation units
  * rule 5.9, static-identifier-reuse on block-scope static variables
  * rule 7.4, literal-assignment when the definition of a literal involves
    a type constructed by typedef, or when initializing an array 
    of character type by a string literal
  * rule 8.2, for prototyped functions that use a type alias of void 
    in the parameter type list:
    
      typedef void VOID;
      int f(VOID);
      
  * rule 8.9, local-object-scope when using a variable in a global 
    initializer
  * rule 9.1, uninitialized-variable-use on local static variables
  * rule 9.5, array-size-designator when initializing an array 
    with a string literal
  * rule 13.3, unary-assign-detachment for write accesses to volatile
    lvalues inside of aggregates
  * rule 15.3, goto-nesting on goto statements that point into the body 
    of an enclosing for-loop or selection statement

* Corrected the assumed size of the essential type of bitfields. 
  This affects the rules 10.3, 10.6, 10.7, 10.8, and 12.2.
  
* Corrected the checks for rules 11.3, 11.4, 11.7, 11.8 with respect to 
  explicit and implicit casts applied to arrays. This particularly affects
  expressions in which an array is implicitly treated as a pointer, 
  like when passing it as an argument to a function.
  
* Improved several checks that consider side effects:

  * side-effect-in-initializer-list (rule 13.1)
  * evaluation-order (rule 13.2)
  * side-effect-in-logical-exp (rule 13.5)
  * for-loop-condition-sideeffect (rule 14.2)

* RuleChecker now also warns about invalid constant array sizes, 
  which are a violation of rule 1.1.

* The checks literal-assignment and string-literal-modification for rule 7.4 
  have been extended to also raise alarms about complex expressions pointing
  to a string literal.
  
* Alarms about violations of rule 5.3 now include the location 
  of the hidden identifier.

* Improved the check evaluation-order used in the rules 12.2 and 13.2. 
  It is now more precise for assignments of the form lhs = f(..) where 
  lhs has no read accesses and f(..) is a function call.
  
* The coverage of rule 1.1 has been extended by the following checks 
  for additional cases of constraint violations:

  * function-pointer-integer-cast-implicit
  * pointer-integral-cast-implicit
  * cast-pointer-void-arithmetic-implicit
  * inappropriate-pointer-cast-implicit

* The coverage of rule 1.2 has been extended by the following checks 
  to report the use of language extensions supported by Astrée and RuleChecker:

  * pointer-attribute
  * at-location
  * forward-declared-enum
  * statement-expression
  * assembler
  * lvalue-cast

* Directive 4.11: constant parameters in calls 
  to library functions are checked for potential domain and range errors.
  
* Assignments to different union fields of the same union are now reported 
  as violations of rule 19.1.
  
* Improved coverage of rule 9.1 by adding the new check 
  uninitialized-local-read which does not require Astrée analysis results.
  
* Improved messages of violations of rule 8.3 such that the GUI 
  allows jumping directly to the code locations of conflicting declarations.


SEI CERT C
----------
Added support for the SEI CERT C coding standard.


Customer-specific rules
-----------------------
* Rule X.A.5.42: the upper limit of the check logical-operators 
  can now be set, the default being 3.

* Rule X.A.3.7 has been extended by an option that controls whether 
  the characters ä, Ä, ö, Ö, ü, Ü, and ß may appear in comments, 
  provided that they are UTF-8 encoded. The default value of the option
  forbids the use of such characters.
  
* Rule X.A.5.57: corrected the checks with respect to explicit and 
  implicit casts applied to arrays. This particularly affects expressions 
  in which an array is implicitly treated as a pointer, like when passing 
  it as an argument to a function.
  
* Rule X.A.5.19: fixed false alarms for prototyped functions
  without parameters using a type alias of void in the parameter type list:
  
    typedef void VOID;
    int f(VOID);
    
* The plain char type is now treated as a type distinct from both
  signed char and unsigned char. This affects rule X.A.5.44 (cast-implicit).


Style rules
-----------
Added new style rule S.1.5: Enumeration constant identifiers
can be validated to match a given regular expression.


Code metrics
------------
* New metrics:

  * FILES
    reports the number of source files in the entire analysis project
  * FUNGLOB
    reports the number of function definitions in the entire analysis project
    
* The metric FUN (number of function definitions per file) 
  is now correctly computed in all circumstances.
  
* The metric LSCOPE (language scope) now also takes labels into account.

* The LSCOPE for empty functions is now determined to be 0 instead of NaN.


------------------------------------------------------------------------------
Last updated on 18 April 2017 by alex@absint.com.
Copyright 2017 AbsInt. www.absint.com
------------------------------------------------------------------------------
An HTML version of these release notes is available at
www.absint.com/releasenotes/rulechecker/17.04