runtime: Pass correct parameterName to ArgumentException

We have that rule enabled in dotnet/runtime: https://github.com/dotnet/runtime/blob/d1006ce95052e609252756999596652e3f5d0757/eng/CodeAnalysis.ruleset#L57 I might be remembering incorrectly, but I thought @danmosemsft told me he found some occurrences of this in our codebase; if that’s true, it’d be good to understand what the rule is missing, and potentially augment it.

@buyaa-n / @danmosemsft - I’ve revised our definition of done a bit. Here’s the updated list. We’ll get this documented somewhere centrally very soon.

• Implement the Analyzer locally (but no PR yet)
• Run the analyzer locally against the dotnet/runtime, dotnet/aspnetcore, and dotnet/roslyn repositories using the failures there to discover nuance and guide the implementation details
• Document the matching and non-matching scenarios and all of the nuance discovered (as issue comments for now, until we have a more formal place to document these details)
• Review each of the failures in those repositories and determine the course of action for each
• Implement the fixer for C# (if applicable). We will not implement fixers for VB.
• Solidify decision for severity/default/categorization/numbering. Ideally, analyzers for new APIs will be on by default, but this requires very high confidence in avoiding false positives
• Follow the standard API review process for anything that has changed since the analyzer concept was approved, such as the categorization and generalization of the analyzer or changes to an attribute which informs the analyzer. We will solidify this process as we work through the first handful of analyzers
• Write unit tests for all cases documented in bullet 3 (matching and non-matching scenarios)
• Submit a PR for Analyzer/Fixer and get it merged into roslyn-analyzers
• Submit a PR for the SDK config to reflect the severity/default determination
• Fix or suppress the failures in the dotnet/runtime repo
• File issues in dotnet/aspnetcore and dotnet/roslyn for the failures in those repositories

analyzer only for desired ArgumentException descendants to exclude user-defined types or apply to all ArgumentException-derived types (including itself) that have a constructor accepting a paramName parameter, including user-defined types

Seems like a good candidate for an analyzer option to allow users to select either configuration.

maybe we only want the analyzer to report for public/protected/protected ( do not warn for internal private methods). @mavasani is there any config option for setting the target method accessibility level? Any suggestions about that?

Yes, we have tons of analyzers that only want to run on public API surface by default, but want to give end users the option to configure the analyzed API surface. We have an extension method and an existing editorconfig option that should exactly meet your requirements.

Option: https://github.com/dotnet/roslyn-analyzers/blob/master/docs/Analyzer Configuration.md#analyzed-api-surface

API: You can invoke ISymbolExtensions.MatchesConfiguredVisibility method on the symbol that needs to be checked, for example: https://github.com/dotnet/roslyn-analyzers/blob/0cbdd68e14722e911d50eee64ee95823b3ffa09c/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/ReviewUnusedParameters.cs#L221-L230

Example Unit test: https://github.com/dotnet/roslyn-analyzers/blob/0cbdd68e14722e911d50eee64ee95823b3ffa09c/src/NetAnalyzers/UnitTests/Microsoft.CodeQuality.Analyzers/Maintainability/ReviewUnusedParametersTests.cs#L820-L873

Just found we have analyzer for ArgumentException and its descendants, some rules might not covered and no fixer implemented I assume i would update this analyzer (if needed) and add fixer implementation. @mavasani please let me know what you think

@buyaa-n That sounds good. This rule should likely tune or supersede CA2208.

Going through the discussions in this issue, I wanted to point out that the rules written in roslyn-analyzers repo have the ability to define end-user configurable .editorconfig options. We have had large number of scenarios where options are very helpful when there is no single, perfect analyzer implementation:

1. The default analyzer implementation is too strict/pessimistic to avoid false positives, but we have large user requests to allow configuration to execute it in lenient/optimistic mode where user want no false negatives, but are fine to suppress false positives.
2. The analyzer can be implemented with more then reasonable semantics, but only one can be chosen for default implementation, but it seems reasonable to expose an option to allow users to switch between any of these. For example, see single-letter-type-parameters option.
3. End users want to be able to customize the analysis scope, such as API surface (public versus internal) on which the analysis executes. For example, see analyzed-api-surface option.
4. Analyzer can take end-user configurable symbol names/signatures as inputs for analysis. For example see additional-string-formatting-methods option or null-check-validation-methods option.

Would I be expected to suppress the warning on this line?

@danmosemsft in addition to @bartonjs’s comment our “Definition of Done” steps for analyzers might give you more info

1. Analyzer implemented locally (but no PR yet)
2. Rule run locally against the runtime repo with failures assessed to guide implementation details
3. Matching and non-matching scenarios captured and documented (in the issue comments to start, but Jeff will follow up with Manish for permanent documentation plans); this will illustrate the nuance taken into account for the analyzer
4. Follow the standard API review process, including the attribute if applicable, and discussing categorization and generalization. We are still working out the details of this exact process for analyzers.
5. Determine what to do with each of the runtime failures
6. Fixer implemented for C# (if applicable) - we will not implement VB fixers
7. Decision made for severity/default/categorization/numbering, typically on by default for new APIs
8. Write unit tests for all cases documented in bullet 3
9. Submit PR for Analyzer/Fixer and get it merged into roslyn-analyzers
10. SDK config committed to reflect the severity/default decision for old APIs
11. Runtime failures fixed or suppressed

My personal refinement/rise-and-repeat would say “hmm, if there are no parameters to a method and it’s throwing an ArgumentException, there’s not really anything to report on; it must be a helper”.

If the helper took the message as a parameter, then it’d require suppression… assuming that’s not a commonish pattern.

But the general flow on anything reactive like this is definitely “write it, see too many violations, figure out how to get it down to a manageable number”; like with stackalloc in a loop.

Two argument call, paramName is a literal, but not a parameter name. (No fixer, just squiggle the argument.)

Are we holding the bar to “essentially no noise” ? As this is a pattern we use in a fair number of places. Eg., (1) because the parameter name was historically different, although we should probably just ‘break’ those (2) because it’s in a throw helper eg

        private static Exception HashAlgorithmNameNullOrEmpty() =>
            new ArgumentException(SR.Cryptography_HashAlgorithmNameNullOrEmpty, "hashAlgorithm");

Would I be expected to suppress the warning on this line?

I searched for \WArgumentException\(nameof in our own tree and there are 64 hits…