SonarQube 8.4.1 (build * 35646)
Build done with GNU make through a Makefile, calling arm-none-eabi-gcc (~200 files to build)
Runs on Windows Server 2012
Run from Jenkins with the command: sonar-scanner -Dsonar.branch.name=${env.BRANCH_NAME}
Hello,
Our C codebase uses custom run-time assertions to ensure some conditions are met when executing a function. However, we observed that SonarQube raised some bugs as if those conditions were never checked. This looks similar to what is described in this thread, which we’ve read carefully to try to have it working on our side.
As an example, here is a function which SonarQube marked as bugged:
```c
#include <stdint.h>   /* uint8_t */
/* ASSERT_CUSTOM comes from the assertion header shown further down */

const char* tab[4] = {"ABC", "DEF", "GHI", "JKL"};

const char* foo(uint8_t index)
{
    /* index is 1-based: only 1..4 are valid */
    ASSERT_CUSTOM(index >= 1 && index <= 4);
    return tab[index - 1];
}
```
Here, SonarQube gives us an error on the return line stating: "Out of bound memory access (access exceeds upper limit of memory block)".
The assertion is defined like this, in its own header:
```c
#if (defined SONARBUILD)
/* Analysis build: stop in a noreturn function so the analyzer sees a path terminator */
#define ASSERT_CUSTOM(expr) \
    if (!(expr))            \
    {                       \
        FAIL_ASSERT();      \
    }
#else
/* Production build: hand the failure to the proprietary error management */
#define ASSERT_CUSTOM(expr)                 \
    if (!(expr))                            \
    {                                       \
        PROPRIETARY_ERROR_MGT(-1, __LINE__); \
    }
#endif

#if (defined SONARBUILD)
/**
 * @brief Stop execution when an assertion fails
 *
 * __STATIC_INLINE is the CMSIS-style "static inline" macro used by the firmware.
 */
__STATIC_INLINE __attribute__((noreturn)) void FAIL_ASSERT(void)
{
    while (1)
        ;
}
#endif
```
Also, when calling the sonar-scanner, in our Jenkins-Makefile flow we ensure that this option is passed to the compiler: -DSONARBUILD
Is there any solution to this? Currently we have to close the bugs one by one as false positives, but this is not a good long-term solution. How can we make SonarQube aware that those assertions exist?
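As an added example, not the poster's code and not SonarSource's, here is one way to write such an assertion header so that the failure path is unmistakable to both the compiler and a static analyzer: in the analysis build the macro expands to the standard `assert()`, and in the production build it calls a function declared with the C11 `_Noreturn` specifier before the macro uses it, wrapped in `do { ... } while (0)` so the macro is a single statement. `fail_assert`, `foo_checked` and the `main` below are hypothetical names introduced here; that SonarQube's analyzer treats `assert()` and noreturn functions as path terminators is an assumption of this example, not something the post confirms.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stand-in for the proprietary error handler (assumption: the real one
 * never returns). Spelled with the C11 _Noreturn specifier and declared
 * before the macro that calls it, so the compiler and any analyzer see
 * a path terminator at every point of use.
 */
_Noreturn static void fail_assert(int code, int line)
{
    fprintf(stderr, "assertion failed: code=%d line=%d\n", code, line);
    abort();
}

#if defined(SONARBUILD)
/*
 * Analysis build: expand to the standard assert() so an analyzer's
 * built-in handling of assert() applies (assumption, see lead-in).
 */
#define ASSERT_CUSTOM(expr) assert(expr)
#else
/*
 * Production build. The do { ... } while (0) wrapper makes the macro a
 * single statement, so "if (c) ASSERT_CUSTOM(x); else ..." cannot bind
 * the else to the if inside the macro.
 */
#define ASSERT_CUSTOM(expr)              \
    do {                                 \
        if (!(expr)) {                   \
            fail_assert(-1, __LINE__);   \
        }                                \
    } while (0)
#endif

static const char *tab[4] = {"ABC", "DEF", "GHI", "JKL"};

/* Same contract as the function in the post: index is 1-based, 1..4. */
const char *foo(uint8_t index)
{
    ASSERT_CUSTOM(index >= 1 && index <= 4);
    return tab[index - 1];
}

/*
 * Defensive alternative when the analyzer cannot be taught the assertion:
 * an explicit range check whose failure path returns NULL, so the array
 * access is provably in bounds without any knowledge of ASSERT_CUSTOM.
 */
const char *foo_checked(uint8_t index)
{
    if (index < 1 || index > 4) {
        return NULL;
    }
    return tab[index - 1];
}

int main(void)
{
    printf("%s %s\n", foo(1), foo(4));
    printf("%s\n", foo_checked(0) == NULL ? "NULL" : "not NULL");
    return 0;
}
```

Build the analysis variant with `-DSONARBUILD` (as the Makefile already does) and the production variant without it; both compile with a C11 compiler such as arm-none-eabi-gcc. Calling `foo(0)` in the production build prints the failure and aborts via `fail_assert`, which is exactly the behaviour the analyzer has to be able to see.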