1 .\" This file is distributed under the University of Illinois Open Source
2 .\" License. See LICENSE.TXT for details.
3 .\" $Id: scan-build.1 329399 2018-04-06 15:14:32Z alexfh $
9 .Nd Clang static analyzer
13 .Op Fl analyze-headers
14 .Op Fl enable-checker Op Ar checker_name
15 .Op Fl disable-checker Op Ar checker_name
17 .Op Fl Fl help-checkers
18 .Op Fl Fl html-title Op Ar =title
23 .Op Fl Fl use-c++ Op Ar =compiler_path
24 .Op Fl Fl use-cc Op Ar =compiler_path
26 .Op Fl constraints Op Ar model
28 .Op Fl no-failure-reports
30 .Op Fl store Op Ar model
37 is a Perl script that invokes the Clang static analyzer. Options used by
39 or by the analyzer appear first, followed by the
43 normally used to build the target system.
45 The static analyzer employs a long list of checking algorithms, see
47 Output can be written in standard
51 The following options are supported:
52 .Bl -tag -width indent
53 .It Fl analyze-headers
54 Also analyze functions in #included files.
55 .It Fl enable-checker Ar checker_name , Fl disable-checker Ar checker_name
62 .It Fl Fl help-checkers
63 List default checkers, see
65 .It Fl Fl html-title Ns Op = Ns Ar title
66 Specify the title used on generated HTML pages.
67 A default title is generated if
70 .It Fl k , Fl Fl keep-going
75 Currently supports make and xcodebuild. This is a convenience option;
76 one can specify this behavior directly using build options.
78 Target directory for HTML report files. Subdirectories will be
79 created as needed to represent separate invocations
80 of the analyzer. If this option is not specified, a directory is
81 created in /tmp (TMPDIR on Mac OS X) to store the reports.
83 Output the results as a set of
85 files. (By default the output of
87 is a set of HTML files.)
89 Output the results as a set of HTML and .plist files
91 Set exit status to 1 if it found potential bugs and 0 otherwise. By
92 default the exit status of
96 .It Fl Fl use-c++ Ns Op = Ns Ar compiler_path
97 Guess the default compiler for your C++ and Objective-C++ code. Use this
98 option to specify an alternate compiler.
99 .It Fl Fl use-cc Ns Op = Ns Ar compiler_path
100 Guess the default compiler for your C and Objective-C code. Use this
101 option to specify an alternate compiler.
105 and the analyzer. A second and
109 .It Fl V , Fl Fl view
110 View analysis results in a web browser when the build completes.
111 .It Fl constraints Op Ar model
112 Specify the contraint engine used by the analyzer. By default the
114 model is used. Specifying
116 uses a simpler, less powerful constraint model used by checker-0.160
119 Specify the number of times a block can be visited before giving
120 up. Default is 4. Increase for more comprehensive coverage at a
122 .It Fl no-failure-reports
125 subdirectory that includes analyzer crash reports and preprocessed
128 Generates visitation statistics for the project being analyzed.
129 .It Fl store Op Ar model
130 Specify the store model used by the analyzer. By default, the
135 sensitive store model. Users can also specify
137 which is far less precise but can more quickly analyze code.
139 was the default store model for checker-0.221 and earlier.
144 returns the value returned by
152 .\" Other sections not yet used ...
156 .\" .Sh COMPATIBILITY
161 The checkers listed below may be enabled/disabled using the
166 A default group of checkers is run unless explicitly disabled.
167 Exactly which checkers constitute the default group is a function
168 of the operating system in use; they are listed with
169 .Fl Fl help-checkers .
170 .Bl -tag -width indent.
171 .It core.AdjustedReturnValue
172 Check to see if the return value of a function call is different than
173 the caller expects (e.g., from calls through function pointers).
174 .It core.AttributeNonNull
175 Check for null pointers passed as arguments to a function whose arguments are marked with the
178 .It core.CallAndMessage
179 Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers).
181 Check for division by zero.
182 .It core.NullDereference
183 Check for dereferences of null pointers.
184 .It core.StackAddressEscape
185 Check that addresses to stack memory do not escape the function.
186 .It core.UndefinedBinaryOperatorResult
187 Check for undefined results of binary operators.
189 Check for declarations of VLA of undefined or zero size.
190 .It core.builtin.BuiltinFunctions
191 Evaluate compiler builtin functions, e.g.
193 .It core.builtin.NoReturnFunctions
196 functions that are known to not return to the caller.
197 .It core.uninitialized.ArraySubscript
198 Check for uninitialized values used as array subscripts.
199 .It core.uninitialized.Assign
200 Check for assigning uninitialized values.
201 .It core.uninitialized.Branch
202 Check for uninitialized values used as branch conditions.
203 .It core.uninitialized.CapturedBlockVariable
204 Check for blocks that capture uninitialized values.
205 .It core.uninitialized.UndefReturn
206 Check for uninitialized values being returned to the caller.
207 .It deadcode.DeadStores
208 Check for values stored to variables that are never read afterwards.
210 Display Control-Flow Graphs.
211 .It debug.DumpCallGraph
213 .It debug.DumpDominators
214 Print the dominance tree for a given Control-Flow Graph.
215 .It debug.DumpLiveVars
216 Print results of live variable analysis.
218 Emit warnings with analyzer statistics.
220 Mark tainted symbols as such.
222 View Control-Flow Graphs using
224 .It debug.ViewCallGraph
225 View Call Graph using
228 Check code for LLVM codebase conventions.
230 Check for proper uses of various Mac OS X APIs.
235 .It osx.SecKeychainAPI
236 Check for proper uses of Secure Keychain APIs.
238 Check for null pointers used as mutexes for @synchronized.
239 .It osx.cocoa.ClassRelease
246 .It osx.cocoa.IncompatibleMethodTypes
247 Warn about Objective-C method signatures with type incompatibilities.
248 .It osx.cocoa.NSAutoreleasePool
249 Warn for suboptimal uses of
250 .Vt NSAutoreleasePool
251 in Objective-C GC mode.
252 .It osx.cocoa.NSError
253 Check usage of NSError** parameters.
255 Check for prohibited nil arguments to Objective-C method calls.
256 .It osx.cocoa.RetainCount
257 Check for leaks and improper reference count management.
258 .It osx.cocoa.SelfInit
261 is properly initialized inside an initializer method.
262 .It osx.cocoa.UnusedIvars
263 Warn about private ivars that are never used.
264 .It osx.cocoa.VariadicMethodTypes
265 Check for passing non-Objective-C types to variadic methods that expect only Objective-C types.
266 .It osx.coreFoundation.CFError
267 Check usage of CFErrorRef* parameters.
268 .It osx.coreFoundation.CFNumber
269 Check for proper uses of
271 .It osx.coreFoundation.CFRetainRelease
272 Check for null arguments to
276 .Fn CFMakeCollectable .
277 .It osx.coreFoundation.containers.OutOfBounds
278 Checks for index out-of-bounds when using the
281 .It osx.coreFoundation.containers.PointerSizedValues
287 are created with non-pointer-size values.
288 .It security.FloatLoopCounter
289 Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP).
290 .It security.insecureAPI.UncheckedReturn
291 Warn on uses of functions whose return values must be always checked.
292 .It security.insecureAPI.getpw
295 .It security.insecureAPI.gets
298 .It security.insecureAPI.mkstemp
301 is passed fewer than 6 X's in the format string.
302 .It security.insecureAPI.mktemp
305 .It security.insecureAPI.rand
309 and related functions.
310 .It security.insecureAPI.strcpy
315 .It security.insecureAPI.vfork
319 Check calls to various UNIX/Posix functions.
321 Check for memory leaks, double free, and use-after-free.
322 .It unix.cstring.BadSizeArg
323 Check the size argument passed into C string functions for common
325 .It unix.cstring.NullArg
326 Check for null pointers being passed as arguments to C string functions.
330 .Ic scan-build -o /tmp/myhtmldir make -j4
332 The above example causes analysis reports to be deposited into
340 A different subdirectory is created each time
343 The analyzer should support most parallel builds, but not distributed builds.
348 Documentation contributed by
349 .An "James K. Lowden" Aq jklowden@schemamania.org .