How to make the Clang Static Analyzer output its w

Published 2019-03-09 22:00

Question:

I'm running Clang 3.4 on Ubuntu 12.10 (from http://llvm.org/apt/). I ran the analyzer (clang --analyze) over some code, and it found a couple of issues:

Blah.C:429:9: warning: Declared variable-length array (VLA) has zero size
        unsigned char separatedData[groupDataLength];
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~

But the specific issue isn't important. I want to know the steps of how it came to that conclusion (the code is complex enough for me not to see it within 15 mins).

I see a screenshot from the Clang site that shows steps of working viewed in a web browser:

That's probably obtained from Xcode.

The question is: how do I get Clang to output such steps of working from the command line? Or even output results to a browser if it so wishes? This would make the analyzer significantly more useful, and make fixing things much quicker.

(I have noticed that GCC's documentation is very excellent, but Clang/LLVM's documentation is very poor. I've tried "clang --analyze -Xanalyzer '-v'" as a stab in the dark to tell the analyzer to be more verbose -- the -Xanalyzer switch was from the man pages.)

Answer 1:

In addition to text output on the console:

clang++ --analyze -Xanalyzer -analyzer-output=text main.cpp

You can get the full html output:

clang++ --analyze -Xanalyzer -analyzer-output=html -o html-dir main.cpp

Additionally, you can select specific checkers to enable. This page lists available checks. For example, you can enable all of the C++ checks in the alpha group using the flags:

-Xanalyzer -analyzer-checker=alpha.cplusplus

http://coliru.stacked-crooked.com/a/7746c4004704d4a7

main.cpp:5:1: warning: Potential leak of memory pointed to by 'x'
}
^
main.cpp:4:12: note: Memory is allocated
  int *x = new int;
           ^~~~~~~
main.cpp:5:1: note: Potential leak of memory pointed to by 'x'
}
^

Apparently the front end exposes

-analyzer-config <Option Name>=<Value>

E.g.

-analyzer-config -analyzer-checker=alpha.cplusplus

which might be better supported than -Xanalyzer and may be getting extended to support options to individual checkers: http://lists.cs.uiuc.edu/pipermail/cfe-dev/2014-October/039552.html
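The `-analyzer-output=text` form shown above is the one that carries the "steps of working" the question asks for: each `warning:` line is followed by `note:` lines that retrace the path the analyzer took. When that output is long, it helps to regroup the notes under their warning. The following is an added example, not code from the page or from the Clang project; it is a small parser for that text format, run over a constructed sample made from the two diagnostics quoted on this page plus the `N warnings generated.` trailer clang prints. Paths containing a colon (such as a Windows drive letter) are handled by matching the file name lazily.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the VLA warning from the question and the leak warning
# from the answer, concatenated as if clang had printed both in one run.
SAMPLE_OUTPUT = """\
Blah.C:429:9: warning: Declared variable-length array (VLA) has zero size
        unsigned char separatedData[groupDataLength];
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
main.cpp:5:1: warning: Potential leak of memory pointed to by 'x'
}
^
main.cpp:4:12: note: Memory is allocated
  int *x = new int;
           ^~~~~~~
main.cpp:5:1: note: Potential leak of memory pointed to by 'x'
}
^
2 warnings generated.
"""

# One diagnostic header line: <file>:<line>:<col>: <kind>: <message>
# The file group is lazy so "C:\src\a.c:4:12:" still splits correctly.
DIAG_RE = re.compile(
    r"^(?P<file>.+?):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<kind>warning|error|note): (?P<msg>.*)$"
)


@dataclass
class Step:
    """One 'note:' line, i.e. one step on the analyzer's path to the bug."""
    file: str
    line: int
    col: int
    message: str


@dataclass
class Finding:
    """A 'warning:' or 'error:' line together with the notes that follow it."""
    file: str
    line: int
    col: int
    message: str
    path: List[Step] = field(default_factory=list)


def parse_analyzer_text(output: str) -> List[Finding]:
    """Group clang's text-mode diagnostics into findings with their step paths.

    Source excerpts, caret lines and the 'N warnings generated.' trailer do
    not match DIAG_RE and are skipped; notes attach to the most recent warning.
    """
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in output.splitlines():
        m = DIAG_RE.match(raw)
        if not m:
            continue
        file, line, col = m["file"], int(m["line"]), int(m["col"])
        if m["kind"] in ("warning", "error"):
            current = Finding(file, line, col, m["msg"])
            findings.append(current)
        elif current is not None:  # a note before any warning has no owner
            current.path.append(Step(file, line, col, m["msg"]))
    return findings


def render(findings: List[Finding]) -> str:
    """Render findings as a numbered list with an indented, numbered step path."""
    out = []
    for i, f in enumerate(findings, 1):
        out.append(f"[{i}] {f.file}:{f.line}:{f.col}: {f.message}")
        for n, s in enumerate(f.path, 1):
            out.append(f"    step {n}: {s.file}:{s.line}:{s.col}: {s.message}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(parse_analyzer_text(SAMPLE_OUTPUT)))
```

Pipe a real run into it with `clang++ --analyze -Xanalyzer -analyzer-output=text main.cpp 2>&1 | python3 trace.py` after replacing the `SAMPLE_OUTPUT` constant with `sys.stdin.read()`; the VLA warning has no notes because the analyzer reported it without a path, while the leak finding keeps its two steps in order.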



Answer 2:

You are on the right track, but to get the full trace leading to a bug you additionally need to ask clang for output in text format (don't ask why). Since you will probably need to adjust e.g. include paths or defines for your project anyway I'd suggest you use clang-check which acts as a wrapper around clang's analyzer pass. It can also hook into the static analyzer tools exposed in e.g. scan-build. You can then

$ clang-check -analyze -extra-arg -Xclang -extra-arg -analyzer-output=text

Like you wrote, the documentation for these very nice tools is abysmal. I cobbled the above call together from bits and pieces of Chandler Carruth's GoingNative2013 talk.



Answer 3:

You have to use scanbuild: http://clang-analyzer.llvm.org/scan-build.html

You type the commands that generate your build, but you prepend them with scan-build.

Example: instead of

make

type

scan-build make

instead of

./configure
make

type

scan-build ./configure
scan-build make

Clear the build before launching the analyzer, otherwise make will state that everything has been built already and the analyzer will not run.