[Mono-list] [ANN] Smokey - bug and coding guidelines checker

Jesse Jones jesjones at mindspring.com
Wed Feb 6 05:36:48 EST 2008

Smokey is a command line tool used to analyze assemblies and report  
problems. Problems include buggy code (e.g. infinite recursion, null  
deref, malformed format string), performance issues (e.g. string  
concatenation in loops, excessive boxing, large structs), violations  
of the .NET design guidelines (e.g. inheriting from  
ApplicationException or ICloneable, naming, and swallowing  
exceptions), and miscellaneous rules like misspelled words in string  

You can download Smokey from the web site:
<https://home.comcast.net/~jesse98/public/Smokey>. The web site also  
has an html report for one of the System assemblies and a list of all  
of Smokey's rules.

Changes from Smokey
* Added 21 new rules:
	APTCA1, AllowPartiallyTrustedCallers assembly calls into a non-aptca  
	APTCA2, class in a AllowPartiallyTrustedCallers assembly derives  
from a class defined in a non-aptca assembly.
	ConflictingTransparency, a 100% transparent assembly uses  
	ImperativeSecurity, programmatic use of CodeAccessPermission objects.
	IndirectLinkDemand, method in the assembly calls a link demand  
method w/o performing any security checks.
	InternalInterface, overridable implementation of an internal  
interface method.
	KeepAlive, type with finalizer and IntPtr does not call GC.KeepAlive.
	NamedPermissionSet, a NamedPermissionSet is being instantiated with  
the name of one of the built-in permission sets.
	NonVirtualInheritanceDemand, inheritance demand on a non-virtual  
	PathCombine, paths are being concatenated via string.Concat.
	PartitionAssembly, transparent and critical code is not partitioned  
	PermitDenySecurity, assembly uses PermitDeny and/or Deny security  
	ReadOnlyArray, public or protected readonly array.
	SealedInheritanceDemand, sealed type has an inheritance demand.
	SecureAsserts, method asserts a permission, but caller does no  
security checks.
	SecureGetObjectData, GetObjectData is not protected with  
	SecureOverrides, type has a link demand and virtuals but no  
inheritance demands.
	TransparentAssert1, a 100% transparent assembly asserts a permission.
	TransparentAssert2, a mixed transparent/critical assembly has a  
transparent method which asserts a permission.
	UnmanagedCodeSecurity, SuppressUnmanagedCodeSecurityAttribute usage.
	VisibleEventHandler, an event handler method is public or protected.
* Tweaked the code so that it compiles with mono 1.2.6.
* Smokey now works with .NET (you'll need to have Mono.Cecil in  
Smokey's directory or somewhere else the CLR can find it) and you  
won't get file and line numbers.
* Replaced Mono.GetOptions with a much simpler options parser.
* Dependent assemblies in the directory of the assembly being tested  
are now correctly loaded.
* Fixed SuffixName rule: classes that implement IDictionary should  
have a Dictionary suffix, not a Collection suffix.
* Instead of throwing an exception if two assemblies define a type  
with the same name in the same namespace we now just use the first type.

   -- Jesse

More information about the Mono-list mailing list