
[cfg] Add 'bugprone-suspicious-memory-comparison' to config #3410

Closed
wants to merge 1 commit into from

Conversation

whisperity
Contributor

The checker landed recently in `3373e845398bfb8fa0e3c81b7ca84cbfedbad3ae` [1],
and covers SEI-CERT rules **EXP42-C** [2] and **FLP37-C** [3] in the same
implementation.

SEI-CERT classifies **EXP42-C** as Medium severity with Probable likelihood,
while **FLP37-C** is of Low severity and Unlikely likelihood.

Due to the fix of the issue being minimal engineering effort (making a
comparison predicate and replacing uses of `(std::)memcmp` with it), the
`MEDIUM` severity in our case I believe is justified.

CC: @steakhal

  [1]: http://github.com/llvm/llvm-project/commit/3373e845398bfb8fa0e3c81b7ca84cbfedbad3ae
  [2]: http://wiki.sei.cmu.edu/confluence/display/c/EXP42-C.+Do+not+compare+padding+data
  [3]: http://wiki.sei.cmu.edu/confluence/display/c/FLP37-C.+Do+not+use+object+representations+to+compare+floating-point+values
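As an added illustration of the two rules this checker covers (example code, not from the PR or from CodeChecker), a constructed C struct compared with `memcmp` beside the member-wise predicate the description proposes as the fix; the struct layout and the sample values are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed example struct (not from the CodeChecker project): on common
 * ABIs the 1-byte 'tag' is followed by padding before the 4-byte 'value'. */
struct record {
    char  tag;
    int   value;
    float ratio;
};

/* The pattern the checker reports (EXP42-C): memcmp compares the padding
 * bytes too, so two records whose members are all equal may still differ. */
bool record_equal_memcmp(const struct record *a, const struct record *b) {
    return memcmp(a, b, sizeof *a) == 0;
}

/* The fix described in the PR: a member-wise comparison predicate. */
bool record_equal(const struct record *a, const struct record *b) {
    return a->tag == b->tag && a->value == b->value && a->ratio == b->ratio;
}

/* Two records with identical members but different bytes in the padding.
 * Returns true when the predicate says "equal" and memcmp says "different". */
bool padding_breaks_memcmp(void) {
    struct record a, b;
    memset(&a, 0x00, sizeof a);   /* padding bytes become 0x00 */
    memset(&b, 0xFF, sizeof b);   /* padding bytes become 0xFF */
    a.tag = b.tag = 'x';
    a.value = b.value = 42;
    a.ratio = b.ratio = 1.5f;
    return record_equal(&a, &b) && !record_equal_memcmp(&a, &b);
}

/* FLP37-C: comparing floats by object representation. 0.0f and -0.0f are
 * equal as values but differ in the sign bit, so memcmp reports a mismatch. */
bool float_bytes_break_memcmp(void) {
    float pos = 0.0f, neg = -0.0f;
    bool equal_as_values = (pos == neg);                        /* true  */
    bool equal_as_bytes  = memcmp(&pos, &neg, sizeof pos) == 0; /* false */
    return equal_as_values && !equal_as_bytes;
}
```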
@whisperity whisperity added analyzer 📈 Related to the analyze commands (analysis driver) clang-tidy 🐉 clang-tidy is a clang-based C++ “linter” tool. config ⚙️ labels Aug 26, 2021
@steakhal
Contributor

+1

@csordasmarton csordasmarton added this to the release 6.17.0 milestone Aug 31, 2021
@csordasmarton csordasmarton requested a review from bruntib August 31, 2021 14:13
@csordasmarton
Contributor

Checker configuration is changed in #3233. Can you please rebase your branch and resolve the merge conflict? The new configuration files can be found here: https://github.com/Ericsson/codechecker/tree/master/config/labels.

@bruntib
Contributor

bruntib commented Aug 31, 2021

I close this ticket and transfer the changes to the other format: #3413.

@bruntib bruntib closed this Aug 31, 2021
@whisperity whisperity deleted the bencze-gabor-checkers branch September 1, 2021 09:01