Skip to content

Latest commit

 

History

History
82 lines (69 loc) · 4.28 KB

static_analysis.md

File metadata and controls

82 lines (69 loc) · 4.28 KB

Static Analysis

We use several tools for static analysis in chromium.

[TOC]

Autoninja Integration

You can set android_static_analysis = "build_server" in your gn args to run static analysis tasks in the background. This will change the build as follows:

  • autoninja will not wait for static analysis jobs to complete.
    • This means the build will succeed but static analysis might fail later.
    • If there are background tasks still running, autoninja will say so at the end of the build.
    • Leads to 30-50% improvement in build times when building debug.
  • If a background static analysis task fails, the failure output is printed onto the terminal that ran autoninja.
    • The output is preceded by an emoji like ⏩.
    • If the output gets mixed in with what you are doing so it is no longer clear, you can check the task output in the logfile.
      • E.g.: out/Default/buildserver.log.0.
  • Changes the terminal title to keep live track of remaining analysis tasks.

Android Lint

  • Runs as part of normal compilation.
  • Controlled by GN arg: disable_android_lint (or android_static_analysis).
  • Useful checks include:
    • NewApi (ensureing Build.VERSION.SDK_INT checks are in place).
  • A list of disabled checks is found within lint.py.
  • Custom lint checks are possible, but we don't have any.
  • Checks run on the entire codebase, not only on changed lines.
  • Does not run when chromium_code = false (e.g. for //third_party).

ErrorProne

  • Runs as part of normal compilation.
  • Controlled by GN arg: use_errorprone_java_compiler (or android_static_analysis).
  • Useful checks include:
    • Checking correctness of nullable annotations (via NullAway plugin).
    • Enforcement of @GuardedBy, @CheckReturnValue, and @DoNotMock.
    • Enforcement of /* paramName= */ comments.
  • A list of enabled / disabled checks is found within compile_java.py
    • Many checks are currently disabled because there is work involved in fixing violations they introduce. Please help!
  • Chrome has a few custom checks.
  • Checks run on the entire codebase, not only on changed lines.
  • Does not run when chromium_code = false (e.g. for //third_party).

Checkstyle

  • Mainly used for checking Java formatting & style.
    • E.g.: Unused imports and naming conventions.
  • Allows custom checks to be added via XML. Here is ours.
  • Preferred over adding checks via PRESUBMIT.py because the tool understands @SuppressWarnings annotations.
  • Runs only on changed lines as a part of PRESUBMIT.py.

PRESUBMIT.py:

  • Checks for banned patterns via _BANNED_JAVA_FUNCTIONS.
    • (These should likely be moved to checkstyle).
  • Checks for a random set of things in ChecksAndroidSpecificOnUpload().
    • Including running Checkstyle.
  • Runs only on changed lines.

Bytecode Processor

  • Runs as part of normal compilation.
  • Controlled by GN arg: android_static_analysis.
  • Performs a single check:
    • Enforces that targets do not rely on indirect dependencies to populate their classpath.
    • In other words: that deps are not missing any entries.