
We're using Coverity to analyze our C# code for defects.

We have some unit-tests that explicitly verify that null-parameters are handled correctly.

These are listed as defects by Coverity. If this was Microsoft's own code analysis we could tag our method that does the null-passing with `[SuppressMessage(...)]`. Is something similar available for Coverity?

We'd rather not try to muddify the code enough to confuse Coverity.

Here's an example piece of code that gives this defect:

```csharp
[Test]
public void SomeRandomTest()
{
    var obj = new SomeRandomObject();
    Assert.Throws<ArgumentNullException>(() => obj.Method(null));
}

// ...

public class SomeRandomObject
{
    public void Method(object value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        // ...
    }
}
```

The explicit error is shown as

```
Explicit null dereferenced (FORWARD_NULL)
var_deref_model: Passing null to Method, which throws an exception after checking for null.
```

Lasse V. Karlsen
  • [Something like this](https://doclazy.wordpress.com/2011/07/14/coverity-suppressing-false-positives-with-cod/) perhaps but with the `var_deref_model` event tag? – DavidG Sep 03 '18 at 10:49
  • That looks promising. Care to leave that as an answer? We'll try it and see if that removes the incident but that certainly looks like exactly what we want. – Lasse V. Karlsen Sep 03 '18 at 11:08
  • I only found that with some creative Google-fu, have absolutely no idea if it will work. Will add an answer if it does though. – DavidG Sep 03 '18 at 14:51
  • We're waiting for coverity analysis, I think it runs every night, I'm rather new on the team so I am not entirely sure how often that part of the build is running, will post an updated comment when I know. – Lasse V. Karlsen Sep 03 '18 at 17:10
  • @DavidG It worked. One place still showed up as an issue, but two others were flagged as fixed. We'll investigate what could be wrong with the third place but for now I think you can safely add your comment as an answer. – Lasse V. Karlsen Sep 04 '18 at 16:24
  • Good to hear it worked, not sure on the exact format of comment you used, so I guessed `//` rather than `/* ... */` – DavidG Sep 04 '18 at 16:31
  • We actually wrote the comment once then copy-pasted it two more places and we've verified this. The difference is that for one of the cases the comment was on line X and on line X+1 there was a method call that passed a lambda expression delegate, and it was this expression that had the `null` value. We're leaning towards Coverity not understanding this part because I think parts of the Coverity server we're using is wrong, so we expanded it to an anonymous method and moved the comment inside so it is "closer" to the use of the `null` value. We'll see how it goes. – Lasse V. Karlsen Sep 05 '18 at 07:06
  • Perhaps using a `/**/` style comment next to the lambda might work in that case? – DavidG Sep 05 '18 at 07:39
  • We're trying multiple things here so if I find out what worked I'll post an update. – Lasse V. Karlsen Sep 05 '18 at 10:04

1 Answer


Taking an example from this site, you can suppress these messages with a comment above the reported error line, but in your case you would use the `var_deref_model` tag. For example:

```csharp
// coverity[var_deref_model]
```
DavidG
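An added example (not part of the answer above, and not Coverity tooling): a small Python script that inventories `coverity[...]` suppression comments and the line each one sits above, so that suppressions outside test code can be reviewed. The file paths, the `is_test_file` rule and the sample sources are constructed assumptions.

```python
import re

# The two comment forms mentioned on the page: "// coverity[tag]" and "/* coverity[tag] */".
ANNOTATION = re.compile(r"(?://|/\*)\s*coverity\[\s*(\w+)\s*\]")

def find_suppressions(source):
    """Return (annotation_line, tag, target_line, target_text) for each annotation."""
    lines = source.splitlines()
    found = []
    for idx, line in enumerate(lines):
        for match in ANNOTATION.finditer(line):
            target_no, target_text = None, ""
            # The annotation sits above the reported line, so the target is
            # the next line that is neither blank nor another annotation.
            for offset, candidate in enumerate(lines[idx + 1:], start=idx + 2):
                if candidate.strip() and not ANNOTATION.search(candidate):
                    target_no, target_text = offset, candidate.strip()
                    break
            found.append((idx + 1, match.group(1), target_no, target_text))
    return found

def audit(sources, is_test_file=lambda path: "Tests" in path):
    """Split suppressions into those in test files and those needing review."""
    in_tests, needs_review = [], []
    for path, text in sorted(sources.items()):
        for hit in find_suppressions(text):
            (in_tests if is_test_file(path) else needs_review).append((path,) + hit)
    return in_tests, needs_review

# Constructed sample input (hypothetical paths, not from the page's code base).
SAMPLE = {
    "Lib.Tests/SomeRandomTests.cs": (
        "    var obj = new SomeRandomObject();\n"
        "    // coverity[var_deref_model]\n"
        "    Assert.Throws<ArgumentNullException>(() => obj.Method(null));\n"
    ),
    "Lib/Worker.cs": (
        "    /* coverity[var_deref_model] */\n"
        "\n"
        "    job.Start();\n"
    ),
}

if __name__ == "__main__":
    ok, review = audit(SAMPLE)
    for row in ok + review:
        print(row)
```

Running it over a source tree before each analysis gives a reviewable list of every place a defect report has been silenced and in which kind of file.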