[cfe-dev] Static Analyzer

Ted Kremenek kremenek at apple.com
Wed Jul 9 15:59:36 PDT 2008


On Jul 9, 2008, at 3:41 PM, Emilio Monti wrote:

> Hi,
> I tried running scan-build wrapping a make building a simple test ANSI
> C application full of clear bugs (memory leaks, null pointer
> dereferencing, etc), but I always end up with:
> scan-build: No bugs found.
>
> Is it a problem of my build/configuration?
>
> Which type of bugs can be detected with the current static analyzer?
> I tried looking for this type of information, but I found only
> Objective C examples.
>
> Best Regards,
> Emilio

Hi Emilio,

I've been tardy in posting a comprehensive list of bugs currently  
found by the tool, as well as a rough description of how the tool  
finds these bugs.  I'll try and post some information on this to the  
Clang website soon.

The only memory leaks that the analyzer looks for right now are related to
use of Apple's Core Foundation and Foundation frameworks.  The former
is a C API, while the latter is solely for Objective-C.  If you aren't
using these APIs, the tool will not flag any leaks.  There are plans
to eventually support finding leaks involving malloc, etc., but it
requires more infrastructure that is in the queue to implement.

Null dereferences are inferred by tracking constants and inequality
relationships within a function.  This does not involve interprocedural
analysis (yet).  For example:

    if (p)
      ...

    *p = 1;  // Null dereference because p could be null.

The analysis also finds dead stores, which are stores to variables  
that are never used.  While the compiler optimizer can optimize away  
many of these stores, they are often indicative of significant logical  
errors in a program.

The analyzer also looks for path-specific uses of uninitialized
values, undefined operations such as bit-shifting by too many bits,
etc.  There are a few other checks, but these are mainly API-specific
checks with respect to the Core Foundation/Foundation APIs.  There are
many other checks we plan on implementing some day, including buffer
overflow analysis and uses of untrusted data, etc.  The tool is still
very early in development, and there is a whole wealth of even simple
checks that could and should be implemented.

If you have specific test cases that include bugs that the analyzer is  
not finding, please feel free to send them my way or file a Bugzilla  
report.

Incidentally, how are you running the analyzer?  As you said, it could  
be a problem with your build.  Make sure you operate with a clean  
build, and that your build system will use the CC environment variable  
to determine what compiler to use.  If you manually set CC within your  
build system files, the analyzer won't be run (all scan-build does  
right now is set CC to be ccc-analyzer instead of gcc).  If your build  
system presents verbose output on what commands it is executing, you  
should see calls to 'ccc-analyzer' instead of 'gcc'.

Ted
