Custom assertions ignored by SonarQube

SonarQube 8.4.1 (build 35646)
Build done with GNU make through a Makefile, calling arm-none-eabi-gcc (~200 files to build)
Runs on Windows Server 2012
Run from Jenkins with the command: sonar-scanner -Dsonar.branch.name=${env.BRANCH_NAME}

Hello,

Our C codebase uses custom run-time assertions to ensure some conditions are met when executing a function. However, we observed that SonarQube raised some bugs as if those conditions were never checked. This looks similar to what is described in this thread, which we’ve read carefully to try to have it working on our side.

As an example, here is a function which SonarQube marked as bugged:

#include <stdint.h>

const char* tab[4] = {"ABC", "DEF", "GHI", "JKL"};

const char* foo(uint8_t index)
{
    /* Precondition: index is 1-based and must stay within tab[] */
    ASSERT_CUSTOM(index >= 1 && index <= 4);

    return tab[index - 1];
}

Here, SonarQube gives us an error on the return line stating: Out of bound memory access (access exceeds upper limit of memory block).

The assertion is defined like this, in its own header:

#if (defined SONARBUILD)
/* Analysis build: a failed assertion ends in a noreturn function */
#define ASSERT_CUSTOM(expr) \
    if (!(expr))            \
    {                       \
        FAIL_ASSERT();      \
    }
#else
/* Production build: a failed assertion is reported to the error manager */
#define ASSERT_CUSTOM(expr)                  \
    if (!(expr))                             \
    {                                        \
        PROPRIETARY_ERROR_MGT(-1, __LINE__); \
    }
#endif

#if (defined SONARBUILD)
/**
 * @brief Stop execution when an assertion fails
 */
__STATIC_INLINE __attribute__((noreturn)) void FAIL_ASSERT(void)
{
    while (1)
        ;
}
#endif

Also, when calling the sonar-scanner, in our Jenkins-Makefile flow we ensure that this option is passed to the compiler: -DSONARBUILD

Is there any solution to this? Currently we have to close the bugs one by one as false positives, but this is not a good long-term solution. How can we make SonarQube aware that those assertions exist?

Hello @TimF!

Everything you did with the code seems right, and the problem should not happen there.
I used your snippet of code with your version of SonarQube and the assert is seen by the analysis and the issue is not raised.

The only thing that looks a bit strange is when you say that you pass -DSONARBUILD when calling sonar-scanner.
This should be passed earlier to your build somehow so that the compiler defines SONARBUILD.

Can you check that?
If this is not the issue, would you be able to share with us a standalone reproducer in one cpp file?

Cheers
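A single-file reproducer of the kind the reply asks for, as an added example that is not code from either post. It keeps foo() and the assertion as written in the question, and adds two assumptions: a hosted abort() stands in for the firmware's while(1), and a hypothetical returning PROPRIETARY_ERROR_MGT() models the production branch (the real one is not shown on the page). Compile it as the analysis build does, with -DSONARBUILD, and the noreturn branch is what the analyzer sees; compile it without the define and the assertion becomes a handler that returns, which no analyzer can treat as a precondition.

```c
/* repro.c - build as the scanner's build does: gcc -DSONARBUILD -c repro.c
 * Without -DSONARBUILD the fallback branch below is compiled instead.   */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#if defined(SONARBUILD)
/* Analysis build: the assertion never returns, so every path past it has
 * the condition established and the analyzer can prune the failing one. */
static inline __attribute__((noreturn)) void FAIL_ASSERT(void)
{
    abort();                 /* hosted stand-in for the firmware's while (1); */
}
#define ASSERT_CUSTOM(expr) do { if (!(expr)) { FAIL_ASSERT(); } } while (0)
#else
/* Production-style fallback, assumed here: the error manager records the
 * failure and RETURNS, so control reaches the array access anyway.       */
static int g_last_error_line = 0;                        /* hypothetical */
static void PROPRIETARY_ERROR_MGT(int code, int line)    /* hypothetical */
{
    (void)code;
    g_last_error_line = line;
}
#define ASSERT_CUSTOM(expr) \
    do { if (!(expr)) { PROPRIETARY_ERROR_MGT(-1, __LINE__); } } while (0)
#endif

static const char *tab[4] = {"ABC", "DEF", "GHI", "JKL"};

/* Function from the question, behaviour unchanged. */
const char *foo(uint8_t index)
{
    ASSERT_CUSTOM(index >= 1 && index <= 4);
    return tab[index - 1];
}

/* Lets the build log (or a test) confirm which branch the compiler saw:
 * returns 1 when -DSONARBUILD actually reached the compiler, else 0.   */
int assert_is_noreturn(void)
{
#if defined(SONARBUILD)
    return 1;
#else
    return 0;
#endif
}
```

Calling assert_is_noreturn() once from the Jenkins build (or checking `gcc -DSONARBUILD -E repro.c` for FAIL_ASSERT in the expansion) is the quickest way to verify the define is reaching the compiler rather than only the scanner command line.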