SCAN-BUILD
Section: User Commands (1)
clang 14
NAME
scan-build - Clang static analyzer
SYNOPSIS
scan-build [-ohkvV] [-analyze-headers] [-enable-checker [checker_name]]
           [-disable-checker [checker_name]] [--help] [--help-checkers]
           [--html-title [=title]] [--keep-going] [-plist] [-plist-html]
           [--status-bugs] [--use-c++ [=compiler_path]]
           [--use-cc [=compiler_path]] [--view] [-constraints [model]]
           [-maxloop N] [-no-failure-reports] [-stats] [-store [model]]
           build_command [build_options]
DESCRIPTION
scan-build is a Perl script that invokes the Clang static analyzer. Options used by scan-build or by the analyzer appear first, followed by the build_command and any build_options normally used to build the target system.

The static analyzer employs a long list of checking algorithms; see CHECKERS. Output can be written in standard .plist and/or HTML format.

The following options are supported:
-analyze-headers
    Also analyze functions in #included files.

-enable-checker checker_name, -disable-checker checker_name
    Enable/disable checker_name. See CHECKERS.

-h, --help
    Display this message.

--help-checkers
    List default checkers; see CHECKERS.

--html-title [=title]
    Specify the title used on generated HTML pages. A default title is generated if title is not specified.

-k, --keep-going
    Add a "keep on going" option to build_command. Currently supports make and xcodebuild. This is a convenience option; one can specify this behavior directly using build options.

-o
    Target directory for HTML report files. Subdirectories will be created as needed to represent separate invocations of the analyzer. If this option is not specified, a directory is created in /tmp (TMPDIR on Mac OS X) to store the reports.

-plist
    Output the results as a set of .plist files. (By default the output of scan-build is a set of HTML files.)

-plist-html
    Output the results as a set of HTML and .plist files.

--status-bugs
    Set the exit status to 1 if potential bugs were found and 0 otherwise. By default the exit status of scan-build is that returned by build_command.

--use-c++ [=compiler_path]
    Guess the default compiler for your C++ and Objective-C++ code. Use this option to specify an alternate compiler.

--use-cc [=compiler_path]
    Guess the default compiler for your C and Objective-C code. Use this option to specify an alternate compiler.

-v
    Verbose output from scan-build and the analyzer. A second and third v increase verbosity.

-V, --view
    View analysis results in a web browser when the build completes.

-constraints [model]
    Specify the constraint engine used by the analyzer. By default the `range' model is used. Specifying `basic' uses a simpler, less powerful constraint model used by checker-0.160 and earlier.

-maxloop N
    Specify the number of times a block can be visited before giving up. Default is 4. Increase for more comprehensive coverage at a cost of speed.

-no-failure-reports
    Do not create a `failures' subdirectory that includes analyzer crash reports and preprocessed source files.

-stats
    Generate visitation statistics for the project being analyzed.

-store [model]
    Specify the store model used by the analyzer. By default, the `region' store model is used. `region' specifies a field-sensitive store model. Users can also specify `basic', which is far less precise but can more quickly analyze code. `basic' was the default store model for checker-0.221 and earlier.
EXIT STATUS
scan-build returns the value returned by build_command unless --status-bugs or --keep-going is used.
CHECKERS
The checkers listed below may be enabled/disabled using the -enable-checker and -disable-checker options.

A default group of checkers is run unless explicitly disabled. Exactly which checkers constitute the default group is a function of the operating system in use; they are listed with --help-checkers.
core.AdjustedReturnValue
    Check to see if the return value of a function call is different than the caller expects (e.g., from calls through function pointers).

core.AttributeNonNull
    Check for null pointers passed as arguments to a function whose arguments are marked with the `nonnull' attribute.

core.CallAndMessage
    Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers).

core.DivideZero
    Check for division by zero.

core.NullDereference
    Check for dereferences of null pointers.

core.StackAddressEscape
    Check that addresses to stack memory do not escape the function.

core.UndefinedBinaryOperatorResult
    Check for undefined results of binary operators.

core.VLASize
    Check for declarations of VLA of undefined or zero size.

core.builtin.BuiltinFunctions
    Evaluate compiler builtin functions, e.g. alloca().

core.builtin.NoReturnFunctions
    Evaluate `panic' functions that are known to not return to the caller.

core.uninitialized.ArraySubscript
    Check for uninitialized values used as array subscripts.

core.uninitialized.Assign
    Check for assigning uninitialized values.

core.uninitialized.Branch
    Check for uninitialized values used as branch conditions.

core.uninitialized.CapturedBlockVariable
    Check for blocks that capture uninitialized values.

core.uninitialized.UndefReturn
    Check for uninitialized values being returned to the caller.

deadcode.DeadStores
    Check for values stored to variables that are never read afterwards.

debug.DumpCFG
    Display Control-Flow Graphs.

debug.DumpCallGraph
    Display Call Graph.

debug.DumpDominators
    Print the dominance tree for a given Control-Flow Graph.

debug.DumpLiveVars
    Print results of live variable analysis.

debug.Stats
    Emit warnings with analyzer statistics.

debug.TaintTest
    Mark tainted symbols as such.

debug.ViewCFG
    View Control-Flow Graphs using GraphViz.

debug.ViewCallGraph
    View Call Graph using GraphViz.

llvm.Conventions
    Check code for LLVM codebase conventions.

osx.API
    Check for proper uses of various Mac OS X APIs.

osx.AtomicCAS
    Evaluate calls to OSAtomic functions.

osx.SecKeychainAPI
    Check for proper uses of Secure Keychain APIs.

osx.cocoa.AtSync
    Check for null pointers used as mutexes for @synchronized.

osx.cocoa.ClassRelease
    Check for sending `retain', `release', or `autorelease' directly to a Class.

osx.cocoa.IncompatibleMethodTypes
    Warn about Objective-C method signatures with type incompatibilities.

osx.cocoa.NSAutoreleasePool
    Warn for suboptimal uses of NSAutoreleasePool in Objective-C GC mode.

osx.cocoa.NSError
    Check usage of NSError** parameters.

osx.cocoa.NilArg
    Check for prohibited nil arguments to Objective-C method calls.

osx.cocoa.RetainCount
    Check for leaks and improper reference count management.

osx.cocoa.SelfInit
    Check that `self' is properly initialized inside an initializer method.

osx.cocoa.UnusedIvars
    Warn about private ivars that are never used.

osx.cocoa.VariadicMethodTypes
    Check for passing non-Objective-C types to variadic methods that expect only Objective-C types.

osx.coreFoundation.CFError
    Check usage of CFErrorRef* parameters.

osx.coreFoundation.CFNumber
    Check for proper uses of CFNumberCreate().

osx.coreFoundation.CFRetainRelease
    Check for null arguments to CFRetain(), CFRelease(), and CFMakeCollectable().

osx.coreFoundation.containers.OutOfBounds
    Check for index out-of-bounds when using the CFArray API.

osx.coreFoundation.containers.PointerSizedValues
    Warn if CFArray, CFDictionary, or CFSet are created with non-pointer-size values.

security.FloatLoopCounter
    Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP).

security.insecureAPI.UncheckedReturn
    Warn on uses of functions whose return values must always be checked.

security.insecureAPI.getpw
    Warn on uses of getpw().

security.insecureAPI.gets
    Warn on uses of gets().

security.insecureAPI.mkstemp
    Warn when mkstemp() is passed fewer than 6 X's in the format string.

security.insecureAPI.mktemp
    Warn on uses of mktemp().

security.insecureAPI.rand
    Warn on uses of rand(), random(), and related functions.

security.insecureAPI.strcpy
    Warn on uses of strcpy() and strcat().

security.insecureAPI.vfork
    Warn on uses of vfork().

unix.API
    Check calls to various UNIX/Posix functions.

unix.Malloc
    Check for memory leaks, double free, and use-after-free.

unix.cstring.BadSizeArg
    Check the size argument passed into C string functions for common erroneous patterns.

unix.cstring.NullArg
    Check for null pointers being passed as arguments to C string functions.
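The file below is an added example and is not part of the scan-build manual or the clang sources; its function names are hypothetical. For three of the checkers listed above (security.insecureAPI.strcpy, security.insecureAPI.mkstemp and unix.Malloc) it pairs a pattern that the checker reports with a form that passes, so the difference can be observed by compiling the file under the analyzer, e.g. `scan-build -enable-checker security.insecureAPI.strcpy cc -c checkers_demo.c`. The -enable-checker option is used because, as noted above, whether a checker belongs to the default group depends on the platform.

```c
/* Added illustration for the checkers listed above; not part of the
 * scan-build manual or the clang sources. Function names are hypothetical.
 * Build normally with `cc -c checkers_demo.c`, or under the analyzer with
 * `scan-build -enable-checker security.insecureAPI.strcpy cc -c checkers_demo.c`
 * to see the *_flagged functions reported and the hardened ones pass. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* security.insecureAPI.strcpy: the destination size is never consulted, so
 * a src longer than dst overruns it. */
void copy_name_flagged(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened form: bounded copy that always NUL-terminates and tells the
 * caller whether the whole name fit instead of silently overflowing. */
bool copy_name_bounded(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0) return false;
    int needed = snprintf(dst, dst_len, "%s", src);
    return needed >= 0 && (size_t)needed < dst_len;
}

/* security.insecureAPI.mkstemp reports templates with fewer than 6 X's: the
 * number of X's bounds how many distinct names mkstemp(3) can try. This
 * helper applies the same minimum to a template before it is used, counting
 * the trailing run of X's, which is the part mkstemp replaces. */
bool template_has_enough_x(const char *tmpl) {
    size_t len = strlen(tmpl);
    size_t xs = 0;
    while (xs < len && tmpl[len - 1 - xs] == 'X')
        xs++;
    return xs >= 6;
}

/* unix.Malloc: the early return on a negative element leaks copy. */
int sum_flagged(const int *src, size_t n) {
    int *copy = malloc(n * sizeof *copy);
    if (copy == NULL) return -1;
    memcpy(copy, src, n * sizeof *copy);
    int total = 0;
    for (size_t i = 0; i < n; i++) {
        if (copy[i] < 0) return -1;   /* reported: copy is never freed on this path */
        total += copy[i];
    }
    free(copy);
    return total;
}

/* Hardened form: one owner and one exit path, so every path frees copy.
 * Returns the sum, or -1 if any element is negative. */
int sum_checked(const int *src, size_t n) {
    int *copy = malloc(n * sizeof *copy);
    if (copy == NULL) return -1;
    memcpy(copy, src, n * sizeof *copy);
    int total = 0;
    for (size_t i = 0; i < n && total >= 0; i++)
        total = copy[i] < 0 ? -1 : total + copy[i];
    free(copy);
    return total;
}

int main(void) {
    char name[16];
    printf("name fits: %d\n", copy_name_bounded(name, sizeof name, "alice"));
    printf("template ok: %d\n", template_has_enough_x("/tmp/scanXXXXXX"));
    int values[] = {1, 2, 3};
    printf("sum: %d\n", sum_checked(values, 3));
    return 0;
}
```

The flagged functions are kept in the file only so the analyzer has something to report; nothing calls them. Running the same file through scan-build a second time with `-disable-checker unix.Malloc` shows how the option set changes the report, which is the practical reason to pin the checker list in a build script rather than rely on the platform default.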
EXAMPLE
    scan-build -o /tmp/myhtmldir make -j4

The above example causes analysis reports to be deposited into a subdirectory of /tmp/myhtmldir and runs make with the -j4 option. A different subdirectory is created each time scan-build analyzes a project. The analyzer should support most parallel builds, but not distributed builds.
AUTHORS
scan-build was written by Ted Kremenek. Documentation contributed by James K. Lowden <jklowden@schemamania.org>.