Enhance the static analysis tools section with a discussion on when to use each of them. This was mainly taken from Dan Carpenter and Julia Lawall's comments on the previous documentation patch for static analysis tools. Lore: https://lore.kernel.org/linux-doc/20220329090911.GX3293@kadam/T/#mb97770c8e938095aadc3ee08f4ac7fe32ae386e6 Signed-off-by: Marcelo Schmitt <marcelo.schmitt1@xxxxxxxxx> Cc: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Cc: Julia Lawall <julia.lawall@xxxxxxxx> --- Documentation/dev-tools/testing-overview.rst | 33 ++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/Documentation/dev-tools/testing-overview.rst b/Documentation/dev-tools/testing-overview.rst index b5e02dd3fd94..91e479045d3a 100644 --- a/Documentation/dev-tools/testing-overview.rst +++ b/Documentation/dev-tools/testing-overview.rst @@ -146,3 +146,36 @@ Documentation/dev-tools/coccinelle.rst documentation page for details. Beware, though, that static analysis tools suffer from **false positives**. Errors and warns need to be evaluated carefully before attempting to fix them. + +When to use Sparse and Smatch +----------------------------- + +Sparse is useful for type checking, detecting places that use ``__user`` +pointers improperly, or finding endianness bugs. Sparse runs much faster than +Smatch. + +Smatch does flow analysis and, if allowed to build the function database, it +also does cross function analysis. Smatch tries to answer questions like where +is this buffer allocated? How big is it? Can this index be controlled by the +user? Is this variable larger than that variable? + +It's generally easier to write checks in Smatch than it is to write checks in +Sparse. Nevertheless, there are some overlaps between Sparse and Smatch checks +because there is no reason for re-implementing Sparse's check in Smatch. + +Strong points of Smatch and Coccinelle +-------------------------------------- + +Coccinelle is probably the easiest for writing checks. It works before the +pre-compiler so it's easier to check for bugs in macros using Coccinelle. +Coccinelle also writes patches fixes for you which no other tool does. + +With Coccinelle you can do a mass conversion from +``kmalloc(x * size, GFP_KERNEL)`` to ``kmalloc_array(x, size, GFP_KERNEL)``, and +that's really useful. If you just created a Smatch warning and try to push the +work of converting on to the maintainers they would be annoyed. You'd have to +argue about each warning if can really overflow or not. + +Coccinelle does no analysis of variable values, which is the strong point of +Smatch. On the other hand, Coccinelle allows you to do simple things in a simple +way. -- 2.35.1
