[cfe-dev] [GSoC 2019] Apply the Clang Static Analyzer to LLVM-based projects - final report

Simon Pilgrim via cfe-dev cfe-dev at lists.llvm.org
Wed Aug 28 01:07:48 PDT 2019 

Sylvestre Ledru looks after the scan-build web report, but I understand 
it hit a few issues back in June (it normally updates a few times a 
week). We also discussed whether there was an automated way for those 
updates to email the summary to the cfe/llvm dev lists, indicating total 
warnings, and highlighting any new ones (we punted that discussion until 
the GSoC was done - btw thank you all!!!).

Improving documentation (and support scripts) on how to get a analyzer 
report on local builds would be very useful - I've found it tricky to 
work with on my WSL builds and I tended to just browse the scan-build 
web report when it was up to date. At the moment I'm just keeping an eye 
on cppcheck and MSVC analysis reports that I have running in visual studio.

On 28/08/2019 02:56, Artem Dergachev wrote:
> +Simon because he has enthusiastically looked at the state of things 
> just before we started: 
> http://lists.llvm.org/pipermail/llvm-dev/2019-May/132196.html
>
> Also +Devin.
>
> Also, Simon: do you know how does https://llvm.org/reports/scan-build/ 
> usually get updated? It doesn't seem to be in the www repo and it's 
> now super outdated, given the amount of change that Csaba unleashed 
> upon us this summer.
>
> I suggest that from now on we pay more attention to these reports, 
> because even though there are still a lot of them, and still 
> definitely not all of them constitute real crashes, they make *much* 
> more sense today than they used to some three months ago. Almost all 
> warnings are actionable and promote better, safer code.
>
> I just spent 2-3 hours cleaning up ~20 warnings on the static analyzer 
> itself, which included writing a test for one real crash that i found 
> that way (and attempting to do the same for a few more potential 
> crashes). The results are in https://reviews.llvm.org/D66847. My 
> (heavily biased) opinion is that it was worth every minute and i 
> basically encourage everybody to try this out again.
>
>
> On 8/26/19 10:23 AM, Csaba Dabis wrote:
>> Hey everyone!
>>
>> This Summer we managed to make the Clang Static Analyzer support the 
>> LLVM and
>> LLVM-based projects with my mentors Artem Dergachev and Gabor Horvath.
>>
>> For a more detailed documentation please visit my final report:
>> https://docs.google.com/document/d/1o9-xEWbzivUGKIOXp9jUNZYq0mkecd5KH5dBN5Hdlu8/ 
>>
>>
>> The project in a nutshell: I have fixed the most annoying false 
>> positives and
>> added support for the custom RTTI of LLVM which became a huge true 
>> positive
>> boost as we now emit warnings on misuse of LLVM casting APIs. All of 
>> my patches
>> (except one D65239) are upstreamed and on by default. The remaining 
>> work is to
>> fix the less annoying and not so common false positives.
>

More information about the cfe-dev mailing list