[llvm-dev] [RFC] Tooling for parsing and symbolication of Sanitizer reports

Aaron Ballman via llvm-dev llvm-dev at lists.llvm.org
Mon Oct 19 06:59:48 PDT 2020


On Wed, Oct 14, 2020 at 3:05 PM Dan Liew <dan at su-root.co.uk> wrote:
>
> > There is a standardized JSON-based format used for exchanging static
> > analysis finding reports between tools called SARIF that seems like it
> > may be a natural fit for this work, perhaps. What's more, Clang
> > already has some SARIF writing capabilities that could perhaps be
> > lifted for the implementation (it's one of the formats the clang
> > static analyzer produces for output). You can see the SARIF site for
> > more information:
> > https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
>
> Thanks for bringing this up. I wasn't aware of this before. I'm
> struggling to grok that documentation and would probably need concrete
> examples to understand if it's a good fit.

You can see the output in action by running the clang static analyzer
and having it produce SARIF output. Some sample output from the test
suite can be found at:
https://github.com/llvm/llvm-project/blob/master/clang/test/Analysis/diagnostics/Inputs/expected-sarif/sarif-diagnostics-taint-test.c.sarif

> TBH I'm much more likely to go for a custom JSON schema though because
> the structured version of sanitizer reports will be very closely tied
> to the Sanitizers.

I would find that rather unsatisfying given that there's a standard
JSON format for exchanging source code analysis reports between tools
that's already being used by existing source code analysis report
viewing tools like Visual Studio or CodeSonar. I don't think that a
proprietary JSON schema that no one supports is a better option.

~Aaron

>
> Thanks,
> Dan.
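
For readers who want the concrete example asked for above: the following sketch maps a symbolized AddressSanitizer text report onto a minimal SARIF 2.1.0 log. It is an added example, not part of the original message and not code from LLVM or from either participant. The sample report is constructed, and the helper names (`frame_location`, `asan_to_sarif`) and the choice of SARIF fields are assumptions made for illustration.

```python
import json
import re

# Constructed sample of a symbolized ASan report (not real tool output).
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010 at pc 0x0000004f5a3c bp 0x7ffd0000 sp 0x7ffd0008
READ of size 4 at 0x602000000010 thread T0
    #0 0x4f5a3c in use_buffer /src/demo/uaf.c:12:10
    #1 0x4f5b10 in main /src/demo/uaf.c:20:3
    #2 0x7f1c2a021b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
"""

HEADER = re.compile(r"ERROR: (\w+Sanitizer): ([\w-]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
# Assumes C-style function names without spaces.
FRAME = re.compile(r"^[ \t]+#(\d+) (0x[0-9a-f]+) in (\S+) (.+)$", re.M)
SRC = re.compile(r"^(.*?):(\d+)(?::(\d+))?$")  # file:line[:col]

def frame_location(func, where):
    """Build a SARIF location; frames without file:line keep only the function name."""
    loc = {"logicalLocations": [{"name": func}]}
    m = SRC.match(where)
    if m:
        region = {"startLine": int(m.group(2))}
        if m.group(3):
            region["startColumn"] = int(m.group(3))
        # The path is used as-is as a URI reference (hypothetical mapping choice).
        loc["physicalLocation"] = {"artifactLocation": {"uri": m.group(1)}, "region": region}
    return loc

def asan_to_sarif(report):
    """Return a SARIF 2.1.0 log (as a dict) holding one result with its call stack."""
    header = HEADER.search(report)
    if not header:
        raise ValueError("no sanitizer ERROR header found")
    tool, kind = header.groups()
    access = ACCESS.search(report)
    text = kind + (f" ({access.group(1)} of size {access.group(2)})" if access else "")
    frames = [{"location": frame_location(f, w)} for _, _, f, w in FRAME.findall(report)]
    result = {"ruleId": kind, "level": "error", "message": {"text": text},
              "stacks": [{"frames": frames}]}
    # Use the innermost frame that has source information as the result location.
    for fr in frames:
        if "physicalLocation" in fr["location"]:
            result["locations"] = [fr["location"]]
            break
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool}}, "results": [result]}]}

if __name__ == "__main__":
    print(json.dumps(asan_to_sarif(SAMPLE_REPORT), indent=2))
```

Sanitizer-specific details such as shadow memory dumps and allocation/free stacks are not mapped here.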

