tests: check: ast-grep: add static analysis rules#545
Conversation
|
@claude review |
Claude review of PR #545 (6c8bf90)Suggestions
Nits
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| sed \ | ||
| xxd && \ | ||
| dnf clean all -y | ||
|
|
There was a problem hiding this comment.
Claude: suggestion: ast-grep-cli is installed without a version pin (pipx install --global ast-grep-cli). A breaking change in ast-grep's rule syntax or --off flag behavior could cause CI failures across all branches simultaneously. Consider pinning to a specific version (e.g. pipx install --global ast-grep-cli==0.38.0) and updating periodically via a dedicated PR. Same applies to all other Dockerfiles (Fedora via pipx, Ubuntu via pip).
There was a problem hiding this comment.
On the other hand, it'd be nice to see failures introduced in new version immediately, not "whenever we remember to bump hardcoded versions". I think fetching the latest version should be fine.
| kind: return_statement | ||
| has: | ||
| kind: identifier | ||
| regex: "^E[A-Z0-9]{2,}$" |
There was a problem hiding this comment.
Claude: nit: The rule uses has: without stopBy: end, so return (ENOMEM); (parenthesized) would escape detection because the direct child of return_statement is parenthesized_expression, not identifier. This doesn't occur in the current codebase but is a latent gap. Adding stopBy: end to the has: clause would make it robust against this pattern.
There was a problem hiding this comment.
This is very niche case, ignoring.
pzmarzly
force-pushed
the
push-muppwpwwukvo
branch
from
6c8bf90 to
0677b44
Compare
pzmarzly
force-pushed
the
push-muppwpwwukvo
branch
from
0677b44 to
3aa5c03
Compare
1 participant
If https://ast-grep.github.io/ is installed (e.g. via
pip install ast-grep-cli), we can use it to enforce many of our coding standards. See #510. Previous attempt in #502.Each rule is added in separate commit, so it's best to review this PR commit-by-commit.
Rules with existing violations are added as disabled. We should reenable them one by one later. Each reenablement will create a large PR, that may create merge conflicts for everyone.
Test
ast-grep scan --config tests/check/ast-grep/sgconfig.yml src/bfcli/ src/libbpfilter/https://gist.github.com/pzmarzly/7dfba8ca061a942a271b14c6320ea13b
ast-grep scan --config tests/check/ast-grep/sgconfig.yml src/bfcli/ src/libbpfilter/ --off=assert-pointer-params --off=doxygen-prefer-backticks --off=doxygen-public-functions --off=no-direct-free --off=single-line-comment-style(current invocation inCMakeLists.txt):[empty result, i.e. all OK]
List of rules
assert()them at entry.bf_/bfc_prefix (or_bf_/_bfc_when static).bf_*_new()must take aTYPE **output parameter for ownership transfer.`name`over@p name,@ref name,@c namein Doxygen comments./** @brief ... */comment.bf_/bfc_prefix._BF_*_MAX/_BFC_*_MAXsentinel (with listed exceptions for bitmasks and kernel ABI mirrors)._cleanup_close_must be initialized to-1to avoid closing fd 0 on error paths.bf_*_free()/_bf_*_free()must returnvoidand accept a double-pointer parameter.-ENOMEM, notENOMEM).free(); usefreep()or a typedbf_*_free()cleanup function instead (with exempt callers).bf_err,bf_warn, …) instead offprintf(stderr, …)/vfprintf(stderr, …).#pragma once, not#ifndef/#defineinclude guards.//, reserving/* */for multi-line (SPDX excluded).SPDX-License-Identifiercomment.bf_/bfc_prefix; external type references are ignored.