Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 1 | <html> |
| 2 | <head> |
| 3 | <title>Information on using the Static Analyzer ("LLVM Checker")</title> |
Ted Kremenek | 20c5f14 | 2008-06-11 05:26:52 +0000 | [diff] [blame] | 4 | <link type="text/css" rel="stylesheet" href="menu.css" /> |
| 5 | <link type="text/css" rel="stylesheet" href="content.css" /> |
Ted Kremenek | e0665ab | 2008-06-11 05:55:39 +0000 | [diff] [blame] | 6 | <style> |
Ted Kremenek | 482c6d4 | 2008-06-11 05:28:36 +0000 | [diff] [blame] | 7 | thead { |
| 8 | background-color:#eee; color:#666666; |
| 9 | font-weight: bold; cursor: default; |
| 10 | text-align:center; |
| 11 | border-top: 2px solid #000000; |
| 12 | border-bottom: 2px solid #000000; |
| 13 | font-weight: bold; font-family: Verdana |
| 14 | } |
| 15 | table { border: 1px #000000 solid } |
| 16 | table { border-collapse: collapse; border-spacing: 0px } |
| 17 | table { margin-left:20px; margin-top:20px; margin-bottom:20px } |
| 18 | td { border-bottom: 1px #000000 dotted } |
| 19 | td { padding:5px; padding-left:8px; padding-right:8px } |
| 20 | td { text-align:left; font-size:9pt } |
| 21 | td.View { padding-left: 10px } |
| 22 | </style> |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 23 | </head> |
| 24 | <body> |
| 25 | |
Ted Kremenek | 20c5f14 | 2008-06-11 05:26:52 +0000 | [diff] [blame] | 26 | <!--#include virtual="menu.html.incl"--> |
| 27 | |
| 28 | <div id="content"> |
| 29 | |
Ted Kremenek | 43bfbaf | 2008-06-11 06:01:28 +0000 | [diff] [blame^] | 30 | <h1>Information on using the Static Analyzer</h1> |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 31 | |
Ted Kremenek | be6e516 | 2008-06-11 05:25:12 +0000 | [diff] [blame] | 32 | <p>This documents provides some notes on using the LLVM/clang static analyzer to |
| 33 | find bugs in C and Objective-C programs.</p> |
| 34 | |
| 35 | <p>Please note that this tool is <b>very early</b> in development, and there are |
| 36 | <b>many planned enhancements</b> to improve both the precision and scope of its |
| 37 | analysis algorithms as well as the kinds bugs it will find.</p> |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 38 | |
| 39 | <p>This document is arranged into the following sections:</p> |
| 40 | |
| 41 | <ul> |
Ted Kremenek | bd31716 | 2008-06-09 14:30:01 +0000 | [diff] [blame] | 42 | <li><a href="#Contents">Obtaining the Analyzer</a></li> |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 43 | <li><a href="#BasicUsage">Basic Usage</a></li> |
Ted Kremenek | 891a353 | 2008-04-25 20:29:37 +0000 | [diff] [blame] | 44 | <li><a href="#Output">Output of the Analyzer</a></li> |
| 45 | <li><a href="#RecommendedUsageGuidelines">Recommended Usage Guidelines</a></li> |
| 46 | <li><a href="#Debugging">Debugging the Analyzer</a> |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 47 | </ul> |
| 48 | |
Ted Kremenek | bd31716 | 2008-06-09 14:30:01 +0000 | [diff] [blame] | 49 | <h2 id="ReleaseContents">Obtaining the Analyzer</h2> |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 50 | |
Ted Kremenek | be6e516 | 2008-06-11 05:25:12 +0000 | [diff] [blame] | 51 | <p> Using the analyzer involves executing <tt>scan-build</tt> (see <a |
| 52 | href="#BasicUsage">Basic Usage</a>). <tt>scan-build</tt> will first look for a |
| 53 | <tt>clang</tt> executable in the same directory as <tt>scan-build</tt>, and then |
| 54 | search your path.</p> |
| 55 | |
| 56 | <p>If one is using the analyzer directly from the Clang sources, it suffices to |
| 57 | just directly execute <tt>scan-build</tt> in the <tt>utils</tt> directory. No |
| 58 | other special installation is needed.</p> |
| 59 | |
| 60 | <h3>Packaged Builds (currently Mac-Only)</h3> |
| 61 | |
| 62 | <p>Semi-regular builds of the analyzer on Mac OS X (10.5) are available <a |
Ted Kremenek | bd31716 | 2008-06-09 14:30:01 +0000 | [diff] [blame] | 63 | href="http://keeda.stanford.edu/~kremenek/checker">here</a>. Packaged builds for |
| 64 | other platforms may eventually be provided, but as the tool is in its early |
Ted Kremenek | be6e516 | 2008-06-11 05:25:12 +0000 | [diff] [blame] | 65 | stages we are not actively promoting releases yet. If you wish to help |
| 66 | contribute regular builds of the analyzer on other platforms, please email the |
| 67 | <a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev">Clang Developers' |
| 68 | mailing list</a>.</p> |
Ted Kremenek | bd31716 | 2008-06-09 14:30:01 +0000 | [diff] [blame] | 69 | |
Ted Kremenek | be6e516 | 2008-06-11 05:25:12 +0000 | [diff] [blame] | 70 | <p>Packaged builds of the analyzer expand to the following files:</p> |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 71 | |
Ted Kremenek | be6e516 | 2008-06-11 05:25:12 +0000 | [diff] [blame] | 72 | <table id="package"> |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 73 | <thead><tr><td>File</td><td>Purpose</td></tr></thead> |
| 74 | <tr><td><tt><b>scan-build</b></tt></td><td>Script for running the analyzer over a project build. <b>This is the only file you care about.</b></td></tr> |
| 75 | <tr><td><tt>ccc-analyzer</tt></td><td>GCC interceptor (called by scan-build)</td></tr> |
| 76 | <tr><td><tt>clang</tt></td><td>Static Analyzer (called by ccc-analyzer)</td><tr> |
| 77 | <tr><td><tt>sorttable.js</tt></td><td>JavaScript used for displaying error reports</td></tr> |
| 78 | </table> |
| 79 | |
Ted Kremenek | be6e516 | 2008-06-11 05:25:12 +0000 | [diff] [blame] | 80 | <h3>Other Platforms (Building the Analyzer from Source)</h3> |
| 81 | |
| 82 | <p>Packaged builds simply consist of a few files from the Clang source tree, |
| 83 | meaning that <b>anyone</b> who can build Clang can use the static analyzer. |
| 84 | Please see the <a href="get_started.html">Getting Started</a> page for more |
| 85 | details on downloading and compiling Clang.</p> |
| 86 | |
| 87 | <p>All files used by the analyzer (and included in packaged builds; <a |
| 88 | href="#package">see above</a>) other than a compiled <tt>clang</tt> executable |
| 89 | are found in the <tt>utils</tt> subdirectory in the Clang tree.</p> |
Ted Kremenek | bd31716 | 2008-06-09 14:30:01 +0000 | [diff] [blame] | 90 | |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 91 | <h2 id="BasicUsage">Basic Usage</h2> |
| 92 | |
| 93 | <p>The analyzer is executed from the command-line. To run the analyzer, you will |
| 94 | use <tt>scan-build</tt> to analyze the source files compiled by <tt>gcc</tt> |
| 95 | during a project build.</p> |
| 96 | |
| 97 | <p>For example, to analyze the files compiled under a build:</p> |
| 98 | |
| 99 | <pre> |
| 100 | $ <b>scan-build</b> make |
| 101 | $ <b>scan-build</b> xcodebuild |
| 102 | </pre> |
| 103 | |
| 104 | <p> In the first case <tt>scan-build</tt> analyzes the code of a project built |
| 105 | with <tt>make</tt>, andin the second case <tt>scan-build</tt> analyzes a project |
| 106 | built using <tt>xcodebuild</tt>. In general, the format is: </p> |
| 107 | |
| 108 | <pre> |
| 109 | $ <b>scan-build</b> <i>[scan-build options]</i> <b><command></b> <i>[command options]</i> |
| 110 | </pre> |
| 111 | |
| 112 | <p> Operationally, <tt>scan-build</tt> literally runs <command> with all of the |
| 113 | subsequent options passed to it. For example</p> |
| 114 | |
| 115 | <pre> |
| 116 | $ scan-build make <b>-j4</b> |
| 117 | </pre> |
| 118 | |
| 119 | <p>In this example, <tt>scan-build</tt> makes no effort to interpret the options |
| 120 | after the build command (in this case, <tt>make</tt>); it just passes them |
| 121 | through. In general, <tt>scan-build</tt> should support parallel builds, but |
| 122 | <b>not distributed builds</b>. Similarly, you can use <tt>scan-build</tt> to |
| 123 | analyze specific files: |
| 124 | |
| 125 | <pre> |
| 126 | $ scan-build gcc -c <b>t1.c t2.c</b> |
| 127 | </pre> |
| 128 | |
| 129 | <p> |
| 130 | This example causes the files <tt>t1.c</tt> and <tt>t2.c</tt> to be analyzed. |
| 131 | </p> |
| 132 | |
| 133 | <h3>Other Options</h3> |
| 134 | |
| 135 | <p> |
| 136 | As mentioned above, extra options can be passed to <tt>scan-build</tt>. These |
| 137 | options prefix the build command. For example:</p> |
| 138 | |
| 139 | <pre> |
| 140 | $ scan-build <b>-k -V</b> make |
| 141 | $ scan-build <b>-k -V</b> xcodebuild |
| 142 | </pre> |
| 143 | |
| 144 | <p>Here are a complete list of options:</p> |
| 145 | |
| 146 | <table> |
| 147 | <thead><tr><td>Option</td><td>Description</td></tr></thead> |
| 148 | |
Ted Kremenek | be6e516 | 2008-06-11 05:25:12 +0000 | [diff] [blame] | 149 | <tr><td><b>-a</b></td> |
| 150 | <td>The analysis to run. The default analysis is <i>checker-cfref</i>. Valid options are: <i>checker-cfref</i>, <i>fsyntax-only</i>. |
| 151 | These translate into options passed down to the <tt>clang</tt> executable, and currently this option is mainly used for debugging.</td></tr> |
| 152 | |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 153 | <tr><td><b>-o</b></td><td>Target directory for HTML report files. Subdirectories will be |
| 154 | created as needed to represent separate "runs" of the analyzer. If this option |
| 155 | is not specified, a directory is created in <tt>/tmp</tt> to store the |
| 156 | reports.</td><tr> |
| 157 | |
| 158 | <tr><td><b>-h</b><br><i><nobr>(or no arguments)</nobr></i></td><td>Display <tt>scan-build</tt> options.</td></tr> |
| 159 | |
| 160 | <tr><td><b>-k</b><br><nobr><b>--keep-going</b></nobr></td><td>Add a "keep on going" option to the |
| 161 | specified build command. <p>This option currently supports <tt>make</tt> and |
| 162 | <tt>xcodebuild</tt>.</p> <p>This is a convenience option; one can specify this |
| 163 | behavior directly using build options.</p></td></tr> |
| 164 | |
Ted Kremenek | be6e516 | 2008-06-11 05:25:12 +0000 | [diff] [blame] | 165 | <tr><td><b>-v<b></td><td>Verbose output from scan-build and the analyzer. <b>A second and third |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 166 | "-v" increases verbosity</b>, and is useful for filing bug reports against the analyzer.</td></tr> |
| 167 | |
| 168 | <tr><td><b>-V</b></td><td>View analysis results in a web browser when the build command completes.</td></tr> |
| 169 | </table> |
| 170 | |
| 171 | <p>These options can also be viewed by running <tt>scan-build</tt> with no |
| 172 | arguments:</p> |
| 173 | |
| 174 | <pre> |
| 175 | $ <b>scan-build</b> |
| 176 | |
| 177 | USAGE: scan-build [options] <build command> [build options] |
| 178 | |
| 179 | OPTIONS: |
| 180 | |
Ted Kremenek | be6e516 | 2008-06-11 05:25:12 +0000 | [diff] [blame] | 181 | -a - The analysis to run. The default is 'checker-cfref'. |
| 182 | Valid options are: 'checker-cfref', 'fsyntax-only' |
| 183 | |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 184 | -o - Target directory for HTML report files. Subdirectories |
| 185 | will be created as needed to represent separate "runs" of |
| 186 | the analyzer. If this option is not specified, a directory |
| 187 | is created in /tmp to store the reports. |
| 188 | <b>...</b> |
| 189 | </pre> |
| 190 | |
| 191 | <h2 id="Output">Output of the Analyzer</h2> |
| 192 | |
| 193 | <p> |
| 194 | The output of the analyzer is a set of HTML files, each one which represents a |
| 195 | separate bug report. A single <tt>index.html</tt> file is generated for |
| 196 | surveying all of the bugs. You can then just open <tt>index.html</tt> in a web |
| 197 | browser to view the bug reports. |
| 198 | </p> |
| 199 | |
| 200 | <p> |
| 201 | Where the HTML files are generated is specified with a <b>-o</b> option to |
Ted Kremenek | 87e795e | 2008-04-25 20:31:58 +0000 | [diff] [blame] | 202 | <tt>scan-build</tt>. If <b>-o</b> isn't specified, a directory in <tt>/tmp</tt> |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 203 | is created to store the files (<tt>scan-build</tt> will print a message telling |
| 204 | you where they are). If you want to view the reports immediately after the build |
| 205 | completes, pass <b>-V</b> to <tt>scan-build</tt>. |
| 206 | </p> |
| 207 | |
| 208 | |
Ted Kremenek | 904f100 | 2008-04-25 20:30:34 +0000 | [diff] [blame] | 209 | <h2 id="RecommendedUsageGuidelines">Recommended Usage Guidelines</h2> |
Ted Kremenek | ce2e332 | 2008-04-25 18:44:36 +0000 | [diff] [blame] | 210 | |
| 211 | Here are a few recommendations with running the analyzer: |
| 212 | |
| 213 | <h3>Always Analyze a Project in its "Debug" Configuration</h3> |
| 214 | |
| 215 | Most projects can be built in a "debug" mode that enables assertions. Assertions |
| 216 | are picked up by the static analyzer to prune infeasible paths, which in some |
| 217 | cases can greatly reduce the number of false positives (bogus error reports) |
| 218 | emitted by the tool. |
| 219 | |
| 220 | <h3>Pass -k to <tt>scan-build</tt></h3> |
| 221 | |
| 222 | <p>While <tt>ccc-analyzer</tt> invokes <tt>gcc</tt> to compile code, any |
| 223 | problems in correctly forwarding arguments to <tt>gcc</tt> may result in a build |
| 224 | failure. Passing <b>-k</b> to <tt>scan-build</tt> potentially allows you to |
| 225 | analyze other code in a project for which this problem doesn't occur.</p> |
| 226 | |
| 227 | <p> Also, it is useful to analyze a project even if not all of the source files |
| 228 | are compilable. This is great when using <tt>scan-build</tt> as part of your |
| 229 | compile-debug cycle.</p> |
| 230 | |
| 231 | <h3>Use Verbose Output when Debugging <tt>scan-build</tt></h3> |
| 232 | |
| 233 | <tt>scan-build</tt> takes a <b>-v</b> option to emit verbose output about what |
| 234 | it's doing; two <b>-v</b> options emit more information. Redirecting the output |
| 235 | of <tt>scan-build</tt> to a text file (make sure to redirect standard error) is |
| 236 | useful for filing bug reports against <tt>scan-build</tt> or the analyzer, as we |
| 237 | can see the exact options (and files) passed to the analyzer. For more |
| 238 | comprehendible logs, don't perform a parallel build. |
| 239 | |
| 240 | <h2 id="Debugging">Debugging the Analyzer</h2> |
| 241 | |
| 242 | This section provides information on debugging the analyzer, and troubleshooting |
| 243 | it when you have problems analyzing a particular project. |
| 244 | |
| 245 | <h3>How it Works</h3> |
| 246 | |
| 247 | To analyze a project, <tt>scan-build</tt> simply sets the environment variable |
| 248 | <tt>CC</tt> to the full path to <tt>ccc-analyzer</tt>. It also sets a few other |
| 249 | environment variables to communicate to <tt>ccc-analyzer</tt> where to dump HTML |
| 250 | report files. |
| 251 | |
| 252 | <p>Some Makefiles (or equivalent project files) hardcode the compiler; for such |
| 253 | projects simply overriding <tt>CC</tt> won't cause <tt>ccc-analyzer</tt> to be |
| 254 | called. This will cause the compiled code <b>to not be analyzed.</b></p> If you |
| 255 | find that your code isn't being analyzed, check to see if <tt>CC</tt> is |
| 256 | hardcoded. If this is the case, you can hardcode it instead to the <b>full |
| 257 | path</b> to <tt>ccc-analyzer</tt>.</p> |
| 258 | |
| 259 | <p>When applicable, you can also run <tt>./configure</tt> for a project through |
| 260 | <tt>scan-build</tt> so that configure sets up the location of <tt>CC</tt> based |
| 261 | on the environment passed in from <tt>scan-build</tt>: |
| 262 | |
| 263 | <pre> |
| 264 | $ scan-build <b>./configure</b> |
| 265 | </pre> |
| 266 | |
| 267 | <p><tt>scan-build</tt> has special knowledge about <tt>configure</tt>, so it in |
| 268 | most cases will not actually analyze the configure tests run by |
| 269 | <tt>configure</tt>.</p> |
| 270 | |
| 271 | <p>Under the hood, <tt>ccc-analyzer</tt> directly invokes <tt>gcc</tt> to |
| 272 | compile the actual code in addition to running the analyzer (which occurs by it |
| 273 | calling <tt>clang</tt>). <tt>ccc-analyzer</tt> tries to correctly forward all |
| 274 | the arguments over to <tt>gcc</tt>, but this may not work perfectly (please |
| 275 | report bugs of this kind). |
| 276 | |
| 277 | <h3>Filing Bugs</h3> |
| 278 | |
| 279 | We encourage users to file bug reports for any problems that they encounter. |
Ted Kremenek | be6e516 | 2008-06-11 05:25:12 +0000 | [diff] [blame] | 280 | |
| 281 | <p><b>Outside Apple</b>: Please <a |
| 282 | href="http://llvm.org/bugs/enter_bug.cgi?product=clang">file bugs</a> (against |
| 283 | Clang) in LLVM's Bugzilla database.</p> |
| 284 | |
| 285 | <p><b>Apple-internal</b>: Please file bugs in Radar against the <b>llvm - clang</b> |
| 286 | component.</p> |
| 287 | |
Ted Kremenek | 20c5f14 | 2008-06-11 05:26:52 +0000 | [diff] [blame] | 288 | </div> |
| 289 | |
Ted Kremenek | be6e516 | 2008-06-11 05:25:12 +0000 | [diff] [blame] | 290 | </body> |
| 291 | </html> |