Context

CodeChecker is a static analysis infrastructure built on the LLVM/Clang Static Analyzer toolchain. It can scan your codebase with a three different tools (cppcheck, clangsa and clang-tidy) and produce report documents. This report document show what possible errors and mistakes are in your code.

The best part is that the CodeChecker also includes a web server component (demo), where you view the reports in a nice format and keep a track of the old and new bugs.

CodeChecker is now a part of the upstream Zephyr, so now is ideal time to include this tool in our projects.

Required steps / Implementation details

• Make feasibility study - Setup the CodeChecker on a example project and make it work end-to-end. This means that is okay if you need to manually push reports to the server, so you can view them, the purpose here is to see what kind of scripting/automation will be needed.
• Add some custom rules to the underlying tools to under stand how this impact the generation of violation reports. In the past we did not had much success setting up clang-tidy as it reported errors in our code that came from Zephyr and other third party libraries. Lets see if we can suppress this this time.
• Once above is validated you can proceed with development of the scripts and CI workflows to automate this
• Write documentation for the users.

Definition of Done

Above is done and created documentation and code are reviewed.

Progress report:

• It is easy to set up and run the server, docker compose takes care of everything. Extra care is needed to deal with authentication, permission and location of the database that stores everything.
• We can manually remove undesired reported errors (caused by LOG_* macros), but that requires parsing of .xml files. Shouldn't be too hard.
• We do not need to use CodeChecker support in Zephyr. Input into CodeChecker is the compile_commands.json file, which we already generate in our builds. It is also a better way if we manually stitch together CodeChecker commands, as we have better control of input parameters.

Possible workflows with CodeChecker:

• The developer can scan a project from the command line and get back a report of all violations. The report can be printed on stdout or an HTML report can be generated and opened with a Firefox.
• The developer can scan a project and compare its report with the one from the server. That we he can see if he is introducing new violations or if he resolved older ones. Some logic will need to be written to determine against which run should be downloaded based on the West project.
• CI runs CodeChecker on every commit and stores the report on the server. If new bugs are added an email or notification is sent to the developer.

Implementation

The question that I had to resolve was: how to integrate the CodeChecker into the developer's workflow?
Should I just write some scripts and make the invokeable from the Makefile that is in the root directory?
Or should I integrate it into the East?

After some consideration, I have decided to integrate the CodeChecker into East:

• Arguments given to the CodeChecker change depending on the location where we are calling CodeChecker. It is much more convenient to do this logic in Python than in a BASH shell.
• Some intermediary files will need to be generated every time the CodeChecker is run.
• CodeChecker is configurable enough so that East code won't have to change if users want to use different checkers, reporting, etc.
• Installing CodeChecker dependencies manually is not trivial, cppcheck, clangsa and clang-tidy need to be installed. This can be automated.

This is great!

Is it firefox only or any browser?

This can of course be made configurable.