[cfe-dev] Static Analyzer
kremenek at apple.com
Wed Jul 9 15:59:36 PDT 2008
On Jul 9, 2008, at 3:41 PM, Emilio Monti wrote:
> I tried running scan-build wrapping a make building a simple test ANSI
> C application full of clear bugs (memory leaks, null pointer
> dereferencing, etc), but I always end up with:
> scan-build: No bugs found.
> Is it a problem of my build/configuration?
> Which type of bugs can be detected with the current static analyzer?
> I tried looking for this type of information, but I found only
> Objective C examples.
> Best Regards,
I've been tardy in posting a comprehensive list of bugs currently
found by the tool, as well as a rough description of how the tool
finds these bugs. I'll try and post some information on this to the
Clang website soon.
The only memory leaks that the analyzer looks for right now are those related to
use of Apple's Core Foundation and Foundation frameworks. The former
is a C API, while the latter is solely for Objective-C. If you aren't
using these APIs, the tool will not flag any leaks. There are plans
to eventually support finding leaks involving malloc, etc., but it
requires more infrastructure that is in the queue to implement.
Null dereferences are inferred by tracking constants and inequality
relationships within a function. This does not involve interprocedural
analysis (yet). For example:
*p = 1; // Null dereference because p could be null.
The analysis also finds dead stores, which are stores to variables
that are never used. While the compiler optimizer can optimize away
many of these stores, they are often indicative of significant logical
errors in a program.
The analyzer also looks for path-specific uses of uninitialized
values, undefined operations such as bit-shifting by too many bits,
etc. There are a few other checks, but there are mainly API specific
checks with respect to the Core Foundation/Foundation APIs. There are
many other checks we plan on implementing some day, including buffer
overflow analysis and uses-of-untrusted data, etc. The tool is still
very early in development, and there is a whole wealth of even simple
checks that could and should be implemented.
If you have specific test cases that include bugs that the analyzer is
not finding, please feel free to send them my way or file a Bugzilla.
Incidentally, how are you running the analyzer? As you said, it could
be a problem with your build. Make sure you operate with a clean
build, and that your build system will use the CC environment variable
to determine what compiler to use. If you manually set CC within your
build system files, the analyzer won't be run (all scan-build does
right now is set CC to be ccc-analyzer instead of gcc). If your build
system presents verbose output on what commands it is executing, you
should see calls to 'ccc-analyzer' instead of 'gcc'.
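The bug classes Ted lists above, collected into one C file as an added example (this is not code from the thread or from the Clang project, and every function name in it is made up for the demonstration). Each buggy function sits beside a version that does not trip the check, and the comments say what in-function fact the analyzer relies on to report the bug, which is why a NULL check in a caller does not help an intraprocedural analysis.

```c
/* Constructed example (not from the thread): one function per bug class the
 * reply lists, each beside a version that passes. Build it with
 * `scan-build make` from a Makefile that compiles via $(CC), so that
 * ccc-analyzer, not gcc, sees the file. Function names are invented. */
#include <stddef.h>
#include <limits.h>

/* 1. Null dereference. The analyzer records the constraint slot == NULL on
 * the path where the `if` is taken; that path then reaches the store through
 * slot, so the store is reported. A NULL check in the caller would not
 * help, because the analysis does not cross function boundaries. */
int store_count_bug(int *slot, int n)
{
    if (slot == NULL)
        n = 0;          /* the null path keeps going... */
    *slot = n;          /* ...and dereferences NULL here */
    return n;
}

int store_count_fixed(int *slot, int n)
{
    if (slot == NULL)
        return 0;       /* the null path leaves before the store */
    *slot = n;
    return n;
}

/* Drives the fixed version with a real pointer and returns what was stored. */
int demo_store_through_pointer(int n)
{
    int local = -1;
    (void)store_count_fixed(&local, n);
    return local;
}

/* 2. Dead store. `flags` is assigned and then overwritten before any read.
 * The optimizer silently discards the first store; the analyzer reports it
 * because the author probably meant to combine the two values, as the fixed
 * version does. */
int parse_flags_bug(int raw)
{
    int flags;
    flags = raw & 0x0f;     /* dead store: never read */
    flags = raw >> 4;
    return flags;
}

int parse_flags_fixed(int raw)
{
    int flags;
    flags = raw & 0x0f;
    flags |= raw >> 4;      /* both halves now contribute */
    return flags;
}

/* 3. Path-specific uninitialized value. `result` is only assigned when
 * key > 0; the analyzer explores the key <= 0 path and finds the return of
 * a variable that was never written. */
int lookup_bug(int key)
{
    int result;
    if (key > 0)
        result = key * 2;
    return result;          /* uninitialized when key <= 0 */
}

int lookup_fixed(int key)
{
    int result = 0;         /* defined on every path */
    if (key > 0)
        result = key * 2;
    return result;
}

/* 4. Undefined shift. Shifting a 32-bit unsigned by 32 is undefined in C;
 * the analyzer sees the constant 32 flow into the shift count. */
unsigned low_mask_bug(void)
{
    int bits = 32;
    return (1u << bits) - 1;    /* shift count equals the type width */
}

unsigned low_mask_fixed(int bits)
{
    int width = (int)(sizeof(unsigned) * CHAR_BIT);
    if (bits <= 0)
        return 0u;
    if (bits >= width)
        return ~0u;             /* full mask without an out-of-range shift */
    return (1u << bits) - 1;
}
```

The `_bug` functions are never called, so the file is safe to compile and link; they exist to be read by the analyzer. To confirm the analyzer actually ran, as the reply says, build with verbose output and look for `ccc-analyzer` rather than `gcc` in the compile lines; if the Makefile hard-codes `CC = gcc`, scan-build's override is ignored and you get "No bugs found" no matter what the file contains.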