Firmware Static Analysis with CodeChecker | Interrupt

The pitfalls of C programming are well known: undefined behavior abounds, uninitialized variables lie in wait, memory leaks, and buffers overflow.


This is a companion discussion topic for the original entry at https://interrupt.memfault.com/blog/static-analysis-with-codechecker

For personal projects, use PVS-Studio.

What do you think about this?

PVS Studio has a lot going for it, but it does not do cross-translation-unit analysis at this time (though it is on their roadmap). Additionally, it is a commercial product which requires license management & payment to use on non personal / OSS projects.

Hi! I tried the tutorial proposed by Interrupt today, and unfortunately it seems that the --ctu option and any interception done by CodeChecker have disappeared, which leads CodeChecker to not process any file at all when ChibiOS is compiling.

CodeChecker version in use: 6.17.0

Would you mind checking whether the article is still applicable today?
Should I move back to a specific version of CodeChecker?

Many thanks,
hellgheast.

Hey @hellgheast, I probably won’t be able to fire this up for a few days, but looking at their latest docs, the --ctu option should still be there. See Quick Howto - CodeChecker.

Could you share the command you tried to run, and what the error message was?

Hi @francois, sure, let me know whenever you have time.

I followed the steps of the article until the CC_LOGGER_GCC_LIKE step with redefinition to arm-none-eabi-gcc.

CodeChecker log -b "make VERBOSE=1 -f make/stm32f769_discovery.make" -o compilation.json --verbose debug

It output the compilation of the ChibiOS files:

...
Compiling ffunicode.c
...
Compiling main.c

Unfortunately, the compilation.json is just empty, which means the intercept-build doesn’t seem to intercept compilation calls.

This is likely due to a conflict with SIP on macOS or another configuration issue. See “What to do if compilation.json is empty?” at Quick Howto - CodeChecker.

This is not an issue with --ctu.

Hello,
I already disabled SIP.

What I discovered, it seems, is that the CC_LOGGER_GCC_LIKE redefinition doesn’t seem to be taken into account when compiling ChibiOS. It might be a problem specific to the latest version of CodeChecker.

Please let me know, whenever you have tested with the latest build of CodeChecker, if the --ctu option is still here. On my side, when I tried to analyze using the --ctu option, it showed me an error, as it’s an unknown option in the current version.

Let me know when you’ve done your tests, and thanks for the help!