1SCAN-BUILD(1) BSD General Commands Manual SCAN-BUILD(1)
2
4 scan-build — Clang static analyzer
5
7 scan-build [-ohkvV] [-analyze-headers] [-enable-checker [checker_name]]
8 [-disable-checker [checker_name]] [--help] [--help-checkers]
9 [--html-title [=title]] [--keep-going] [-plist] [-plist-html]
10 [--status-bugs] [--use-c++ [=compiler_path]]
11 [--use-cc [=compiler_path]] [--view] [-constraints [model]]
12 [-maxloop N] [-no-failure-reports] [-stats] [-store [model]]
13 build_command [build_options]
14
16 scan-build is a Perl script that invokes the Clang static analyzer.
17 Options used by scan-build or by the analyzer appear first, followed by
18 the build_command and any build_options normally used to build the target
19 system.
20 The static analyzer employs a long list of checking algorithms, see
22 CHECKERS. Output can be written in standard .plist and/or HTML format.
23 The following options are supported:
25 -analyze-headers
27 Also analyze functions in #included files.
28 -enable-checker checker_name, -disable-checker checker_name
30 Enable/disable checker_name. See CHECKERS.
31 -h, --help
33 Display this message.
34 --help-checkers
36 List default checkers, see CHECKERS.
37 --html-title[=title]
39 Specify the title used on generated HTML pages. A default title
40 is generated if title is not specified.
41 -k, --keep-going
43 Add a “keep on going” option to build_command. Currently sup‐
44 ports make and xcodebuild. This is a convenience option; one can
45 specify this behavior directly using build options.
46 -o Target directory for HTML report files. Subdirectories will be
48 created as needed to represent separate invocations of the ana‐
49 lyzer. If this option is not specified, a directory is created
50 in /tmp (TMPDIR on Mac OS X) to store the reports.
51 -plist Output the results as a set of .plist files. (By default the out‐
53 put of scan-build is a set of HTML files.)
54 -plist-html
56 Output the results as a set of HTML and .plist files
57 --status-bugs
59 Set exit status to 1 if it found potential bugs and 0 otherwise.
60 By default the exit status of scan-build is that returned by
61 build_command.
62 --use-c++[=compiler_path]
64 Guess the default compiler for your C++ and Objective-C++ code.
65 Use this option to specify an alternate compiler.
66 --use-cc[=compiler_path]
68 Guess the default compiler for your C and Objective-C code. Use
69 this option to specify an alternate compiler.
70 -v Verbose output from scan-build and the analyzer. A second and
72 third v increases verbosity.
73 -V, --view
75 View analysis results in a web browser when the build completes.
76 -constraints [model]
78 Specify the contraint engine used by the analyzer. By default
79 the ‘range’ model is used. Specifying ‘basic’ uses a simpler,
80 less powerful constraint model used by checker-0.160 and earlier.
81 -maxloop N
83 Specify the number of times a block can be visited before giving
84 up. Default is 4. Increase for more comprehensive coverage at a
85 cost of speed.
86 -no-failure-reports
88 Do not create a ‘failures’ subdirectory that includes analyzer
89 crash reports and preprocessed source files.
90 -stats Generates visitation statistics for the project being analyzed.
92 -store [model]
94 Specify the store model used by the analyzer. By default, the
95 ‘region’ store model is used. ‘region’ specifies a field- sensi‐
96 tive store model. Users can also specify ‘basic’ which is far
97 less precise but can more quickly analyze code. ‘basic’ was the
98 default store model for checker-0.221 and earlier.
99
101 scan-build returns the value returned by build_command unless
102 --status-bugs or --keep-going is used.
103
105 The checkers listed below may be enabled/disabled using the
106 -enable-checker and -disable-checker options. A default group of check‐
107 ers is run unless explicitly disabled. Exactly which checkers constitute
108 the default group is a function of the operating system in use; they are
109 listed with --help-checkers.
110 core.AdjustedReturnValue
112 Check to see if the return value of a function call is different
113 than the caller expects (e.g., from calls through function
114 pointers).
115 core.AttributeNonNull
117 Check for null pointers passed as arguments to a function whose
118 arguments are marked with the ‘nonnull’ attribute.
119 core.CallAndMessage
121 Check for logical errors for function calls and Objective-C mes‐
122 sage expressions (e.g., uninitialized arguments, null function
123 pointers).
124 core.DivideZero
126 Check for division by zero.
127 core.NullDereference
129 Check for dereferences of null pointers.
130 core.StackAddressEscape
132 Check that addresses to stack memory do not escape the function.
133 core.UndefinedBinaryOperatorResult
135 Check for undefined results of binary operators.
136 core.VLASize
138 Check for declarations of VLA of undefined or zero size.
139 core.builtin.BuiltinFunctions
141 Evaluate compiler builtin functions, e.g. alloca().
142 core.builtin.NoReturnFunctions
144 Evaluate ‘panic’ functions that are known to not return to the
145 caller.
146 core.uninitialized.ArraySubscript
148 Check for uninitialized values used as array subscripts.
149 core.uninitialized.Assign
151 Check for assigning uninitialized values.
152 core.uninitialized.Branch
154 Check for uninitialized values used as branch conditions.
155 core.uninitialized.CapturedBlockVariable
157 Check for blocks that capture uninitialized values.
158 core.uninitialized.UndefReturn
160 Check for uninitialized values being returned to the caller.
161 deadcode.DeadStores
163 Check for values stored to variables that are never read after‐
164 wards.
165 debug.DumpCFG
167 Display Control-Flow Graphs.
168 debug.DumpCallGraph
170 Display Call Graph.
171 debug.DumpDominators
173 Print the dominance tree for a given Control-Flow Graph.
174 debug.DumpLiveVars
176 Print results of live variable analysis.
177 debug.Stats
179 Emit warnings with analyzer statistics.
180 debug.TaintTest
182 Mark tainted symbols as such.
183 debug.ViewCFG
185 View Control-Flow Graphs using GraphViz.
186 debug.ViewCallGraph
188 View Call Graph using GraphViz.
189 llvm.Conventions
191 Check code for LLVM codebase conventions.
192 osx.API Check for proper uses of various Mac OS X APIs.
194 osx.AtomicCAS
196 Evaluate calls to OSAtomic functions.
197 osx.SecKeychainAPI
199 Check for proper uses of Secure Keychain APIs.
200 osx.cocoa.AtSync
202 Check for null pointers used as mutexes for @synchronized.
203 osx.cocoa.ClassRelease
205 Check for sending ‘retain’, ‘release,’ or ‘autorelease’ directly
206 to a Class.
207 osx.cocoa.IncompatibleMethodTypes
209 Warn about Objective-C method signatures with type incompatibil‐
210 ities.
211 osx.cocoa.NSAutoreleasePool
213 Warn for suboptimal uses of NSAutoreleasePool in Objective-C GC
214 mode.
215 osx.cocoa.NSError
217 Check usage of NSError** parameters.
218 osx.cocoa.NilArg
220 Check for prohibited nil arguments to Objective-C method calls.
221 osx.cocoa.RetainCount
223 Check for leaks and improper reference count management.
224 osx.cocoa.SelfInit
226 Check that ‘self’ is properly initialized inside an initializer
227 method.
228 osx.cocoa.UnusedIvars
230 Warn about private ivars that are never used.
231 osx.cocoa.VariadicMethodTypes
233 Check for passing non-Objective-C types to variadic methods that
234 expect only Objective-C types.
235 osx.coreFoundation.CFError
237 Check usage of CFErrorRef* parameters.
238 osx.coreFoundation.CFNumber
240 Check for proper uses of CFNumberCreate().
241 osx.coreFoundation.CFRetainRelease
243 Check for null arguments to CFRetain(), CFRelease(), and
244 CFMakeCollectable().
245 osx.coreFoundation.containers.OutOfBounds
247 Checks for index out-of-bounds when using the CFArray API.
248 osx.coreFoundation.containers.PointerSizedValues
250 Warns if CFArray, CFDictionary, or CFSet are created with non-
251 pointer-size values.
252 security.FloatLoopCounter
254 Warn on using a floating point value as a loop counter (CERT:
255 FLP30-C, FLP30-CPP).
256 security.insecureAPI.UncheckedReturn
258 Warn on uses of functions whose return values must be always
259 checked.
260 security.insecureAPI.getpw
262 Warn on uses of getpw().
263 security.insecureAPI.gets
265 Warn on uses of gets().
266 security.insecureAPI.mkstemp
268 Warn when mkstemp() is passed fewer than 6 X's in the format
269 string.
270 security.insecureAPI.mktemp
272 Warn on uses of mktemp().
273 security.insecureAPI.rand
275 Warn on uses of rand(), random(), and related functions.
276 security.insecureAPI.strcpy
278 Warn on uses of strcpy() and strcat().
279 security.insecureAPI.vfork
281 Warn on uses of vfork().
282 unix.API
284 Check calls to various UNIX/Posix functions.
285 unix.Malloc
287 Check for memory leaks, double free, and use-after-free.
288 unix.cstring.BadSizeArg
290 Check the size argument passed into C string functions for com‐
291 mon erroneous patterns.
292 unix.cstring.NullArg
294 Check for null pointers being passed as arguments to C string
295 functions.
296
298 scan-build -o /tmp/myhtmldir make -j4
299 The above example causes analysis reports to be deposited into a subdi‐
301 rectory of /tmp/myhtmldir and to run make with the -j4 option. A differ‐
302 ent subdirectory is created each time scan-build analyzes a project. The
303 analyzer should support most parallel builds, but not distributed builds.
304
306 scan-build was written by Ted Kremenek. Documentation contributed by
307 James K. Lowden <jklowden@schemamania.org>.
308clang 3.5 May 25, 2012 clang 3.5