|  | # Retrieving Code Analysis Warnings | 
|  |  | 
|  | Several times a day the Chromium code base is built with Microsoft VC++'s | 
|  | `/analyze` compile option. This does static code analysis which has found | 
|  | numerous bugs (see https://crbug.com/427616). While it is possible to visit the | 
|  | `/analyze` builder page and look at the raw results | 
|  | (http://build.chromium.org/p/chromium.fyi/builders/Chromium%20Windows%20Analyze) | 
|  | this works very poorly. | 
|  |  | 
|  | As of this writing there are 2,702 unique warnings. Some of these are in header | 
|  | files and fire multiple times so there are a total of 11,202 warning lines. Most | 
|  | of these have been examined and found to be false positives. Therefore, in order | 
|  | to sanely examine the /analyze warnings it is necessary to summarize the | 
|  | warnings, and find what is new. | 
|  |  | 
|  | There are scripts to do this. | 
|  |  | 
|  | ## Details | 
|  |  | 
|  | The necessary scripts, which currently run on Windows only, are checked in to | 
|  | `tools\win\new_analyze_warnings`. Typical usage is like this: | 
|  |  | 
|  | > set ANALYZE_REPO=d:\src\analyze_chromium | 
|  | > retrieve_latest_warnings.bat | 
|  |  | 
|  | The batch file using the associated Python scripts to retrieve the latest | 
|  | results from the web page, create a summary file, and if previous results were | 
|  | found create a new warnings file. Typical results look like this: | 
|  |  | 
|  | analyze0067_full.txt | 
|  | analyze0067_summary.txt | 
|  | analyze0067_new.txt | 
|  |  | 
|  | If `ANALYZE_REPO` is set then the batch file goes to `%ANALYZE_REPO%\src`, does | 
|  | a git pull, then does a checkout of the revision that corresponds to the latest | 
|  | warnings, and then does a gclient sync. The warnings can then be easily | 
|  | correlated to the specific source that triggered them. | 
|  |  | 
|  | ## Understanding the results | 
|  |  | 
|  | The `new.txt` file lists new warnings, and fixed warnings. Usually it can | 
|  | accurately identify them but sometimes all it can say is that the number of | 
|  | instances of a particularly warning has changed, which is usually not of | 
|  | interest. If you look at new warnings every day or two then the number of new | 
|  | warnings is usually low enough to be quite manageable. | 
|  |  | 
|  | The `summary.txt` file groups warnings by type, and then sorts the groups by | 
|  | frequency. Low frequency warnings are more likely to be real bugs, so focus on | 
|  | those. However, all of the low-frequency have been investigated so at this time | 
|  | they are unlikely to be real bugs. | 
|  |  | 
|  | The majority of new warnings are variable shadowing warnings. Until `-Wshadow` | 
|  | is enabled for gcc/clang builds these warnings will continue to appear, and | 
|  | unless they are actually buggy or are particularly confusing it is usually not | 
|  | worth fixing them. One exception would be if you are planning to enable | 
|  | `-Wshadow` in which case using the list or relevant shadowing warnings would be | 
|  | ideal. | 
|  |  | 
|  | Some of the warnings say that out-of-range memory accesses will occur, which is | 
|  | pretty scary. For instance "warning C6201: Index '-1' is out of valid index | 
|  | range '0' to '4'". In most cases these are false positives so use your own | 
|  | judgment when deciding whether to fix them. | 
|  |  | 
|  | The `full.txt` file contains the raw output and should usually be ignored. | 
|  |  | 
|  | If you have any questions then post to the chromium dev mailing list. |