We are using Visual Studio Code Analysis Rules for code quality checks. We have created our custom .ruleset file and marked some violations as Errors, so that every time anyone's violating these rules, he will get a compile error and have to fix the issue.
Now everything run fine with debug mode, but when I build my project in release mode, I am not getting any error with rule 1804 i.e. Remove unused locals. In fact this violation is totally absent from violation list, not even as warning!!
Knowing that one need to have build configuration set to run your code analysis rules, I have enabled code analysis for all configurations in project properties, like this -
Doing this works good for all other rules but 1804.
Is it seems like a bug with code analysis, or it's a valid behavior for some reason I am not aware of, and is there's anything to get it work?
I am using Visual Studio 2013
This is not as strange as you may think. FxCop acts on the binaries, not on the sources. And in Release Mode the compiler will apply optimizations, such as removing unused locals, simplifying if/else statements and other things which lead to the same execution, but with higher performance or lower memory usage.
After these pieces of code have been optimized away, FxCop won't be able to detect it.
This is why it makes most sense do to binary analysis on the non-optimized binaries.
With Visual Studio 2015, most of the analysis has been moved into Roslyn Analyzers, which will catch these issues by analyzing the source code, instead of the binary output. This will allow Code Analysis (in 2015) to detect these issues, even if they didn't make it into the final binaries.
Related
This seems to be a tricky question, also because it is difficult to present here all settings involved. So let me state the total picture:
I use Visual Studio 2022 to build a solution (all in x64 mode) comprising of two projects
CapopConsole
and
CapopWrap
CapopConsole is a C# Console-Project generating an exe and CapopWrap is a C++/CLI project wrapping a C++ native library called Capop. It generates a dll called CapopWrap.dll. CapopConsole has CapopWrap as dependency.
CapopWrap has three extra .lib dependencies, namely
capoplib.lib, libpredicates.lib, jsoncpp.lib
in Release mode and
capoplib.lib, libpredicates_d.lib, jsoncppd.lib
in Debug mode.
The first two of each row are from a certain project, special for me, the last one is from the well known jsoncpp project. All three libs are built with Visual Studio 2022 with the new CMake mode (no 'solutions').
Now the point is: Compiling and linking CapopWrap produces both for release and debug mode respectively a result dll, in both cases called CapopWrap.dll.
But: CapopWrap.dll from debug mode has a dependency on jsoncppd.dll whereas CapopWrap.dll from release mode has no explicit jsoncpp related dependency whatsoever (as shown with dumpbin, for example).
By symmetry one might expect that CapopWrap.dll (Release) would incur a dependency on jsoncpp.dll but this is not the case.
I would really be happy, if someone could help me find an explanation for this - my own attempts so far where fruitless.
Addendum: I do not give concrete excerpts from my .csproj and cmake files at first, because they are a bit lengthy and maybe an answer is possible without them. If not, please tell me, what you want to see concretely from my configuration files (or filesystem contents), I will edit it in then.
At the moment I'm interested in source code analysis and playing around with the built-in possibilities and other third party plguins.
The biggest problem for me, is to identify or filter for code analysis related warnings in the error list window of Visual Studio.
I think all warnings starting with "CA" are these types of errors. Anyway I'm still not sure and want to get this clarified, so that I have knowledge about this and not just a feeling/believe.
This problem brings me in general to the question: Is there a list of all error/warning "groups" and what they are related to? Is it possible that there are "custom" defined "groups"?
I think this is important since every warning will be pushed to the same window. Based on the task someone is working on, it can be pretty hard to identify relvant warnings/outputs (especially in huge projects).
So far my results or what I think is the meaning (list may be uncomplete):
CA - Source Code Analysis, based on this source
CS - C# compiler in general, based on assumption (I get these while compiling C#)
AD - ?? (I get these from "Roslyn Security Guard" when throwing exceptions while analysing code)
C - C/C++ compiler in general, based on assumption (I know this group of warnings from C/C++ projects)
SG - ?? (Maybe these are warnings coming from successfull analysed code with Roslyn Security Guard (SG = Security Guard?))
Yes SG comes from Roslyn Security Guard. It is a custom name chosen by developer of the analyzer. This is why there is no single list of warnings. Only groups of warnings produced by Microsoft are documented on Msdn. AD001 is shown when an analyzer itself throws an exception because of a bug in it.
I've getting some information about this, but I still can find a proper answer, I was asked recently in my company for this : "run a fxcop analysis on that code and tell me the results".
Ok, I have VS2010 Ultimate which has code analysis, but before making any comment, I browse it on the internet cause I want to implement the best choice...
So, let's say I'm gonna use the same rules on both analyzers:
Should I recommend using one above the other?
Should I say "hey, thats kinda old, let's use code analysis!"
Should I get the same results on different computers? (for what I undersand, fxcop gives you some "points" and for what I've read, sometimes it gives you diff points on diff computers, I don't know about this with code analysis
Thanks, any help would be appreciated
FxCop and Code Analysis are essentially the same thing, with the following differences:
Code Analysis includes a VS IDE extension. FxCop can be executed from and show results within the IDE, but the result is not as full-featured. On the other hand, FxCop includes a stand-alone UI that is more full-features with respect to certain types of results exploration.
Code Analysis includes more rules than FxCop. Part of this is because it includes an additional rules engine, but part is just extra rules that Microsoft decided we should pay for. (The extra rules can be run from FxCop if you want to see the results in the stand-alone FxCop UI.)
For any given rule, you should see exactly the same results on any given machine, regardless of which of the two tools you are using. The only cases in which you should see differences is when you do not specify culture settings for the FxCop analysis, and the system culture differs between machines.
I'm setting up a project where we've decide to use StyleCop and VS2010 "Code Analysis" rules.
I've setup the build so both sets of rules are executed on every build. The problem is that developers on this project will only be able to see StyleCop and Code Analysis rule violations on build.
While authoring code the VS2010 code editor doesn't highlight rules violations like it would do for build errors. I'm afraid that means folks would end up authoring code for an extended period of time and than prior to checkin have to fix 100+ rules violations. I'd like to explore a more organic process.
After spending the better part of the last two weeks googling, I admit defeat. I've found "StyleCop for Resharper" that would provide inline code editor highlights for StyleCop rules violations. I was wondering if there's something similar for Code Analysis or if there are any other options for StyleCop?
Thanks,
-- Justin Angel
Unfortunately there is nothing similar to StyleCop for Resharper for FxCop. StyleCop is looking only for style guideline violations, which means it need only look at source code, text files. FxCop performs analysis on compiled assemblies and looks at things like P/Invoke correctness, multiple calls to Dispose, unmanaged vs. managed API use, etc. While a tool could certainly perform such analysis of source (indeed, Resharper can help you with some, but certainly not all FxCop warnings), to do so fully would effectively require a compile. If you are compiling, then you might as well just use FxCop. By the way, Resharper is worth the money.
Custom Compiler Warnings and
C#: Create custom warning in Visual Studio if certain method is used in source code
haven't helped as they deal with code that is under the author's control.
We are using a 3rd party suite of UI controls (DevExpress) in our software and I want to generate a warning when someone uses MessageBox.Show("blah"); instead of XtraMessageBox.Show("blah");
Is there a way to do that?
This sort of thing can be addressed relatively easily via a custom rule for FxCop/Visual Studio Code Analysis. If you are using Visual Studio Developer Edition, you will even see the rule failures displayed along-side your compilation warnings and errors in the IDE.
While there's no way you can do real custom compile-time error in .NET, there's a number of third-party tools (both free and commercial) that can inject their validation logic into the build process, usually after the compilation.
Here are three ways I know of to solve you problem:
Resharper 5.0($) will support custom rules / warnings.
In PostSharp(free) you can define OnMethodBoundary aspect, overwrite its CompileTimeValidate method and emit a [post]compile-time error from it.
NDepend can be integrated with your build process ($) to enforce coding policies like that
No there is no direct way. If you think about it you are looking for a compiler warning for some code that you don't even compile.
If you really want this you could use Reflection methods on YOUR compiled assembly to check if any methods/assemblies you don't want have been called. Cecil has a lot of the functionality you need. You could then make this part of your build process.