1SCAN-BUILD(1)             BSD General Commands Manual            SCAN-BUILD(1)
2

NAME

4     scan-build — Clang static analyzer
5

SYNOPSIS

7     scan-build [-ohkvV] [-analyze-headers] [-enable-checker [checker_name]]
8                [-disable-checker [checker_name]] [--help] [--help-checkers]
9                [--html-title [=title]] [--keep-going] [-plist] [-plist-html]
10                [--status-bugs] [--use-c++ [=compiler_path]]
11                [--use-cc [=compiler_path]] [--view] [-constraints [model]]
12                [-maxloop N] [-no-failure-reports] [-stats] [-store [model]]
13                build_command [build_options]
14

DESCRIPTION

16     scan-build is a Perl script that invokes the Clang static analyzer.  Op‐
17     tions used by scan-build or by the analyzer appear first, followed by the
18     build_command and any build_options normally used to build the target
19     system.
20
21     The static analyzer employs a long list of checking algorithms, see
22     CHECKERS.  Output can be written in standard .plist and/or HTML format.
23
24     The following options are supported:
25
26     -analyze-headers
27             Also analyze functions in #included files.
28
29     -enable-checker checker_name, -disable-checker checker_name
30             Enable/disable checker_name.  See CHECKERS.
31
32     -h, --help
33             Display this message.
34
35     --help-checkers
36             List default checkers, see CHECKERS.
37
38     --html-title[=title]
39             Specify the title used on generated HTML pages.  A default title
40             is generated if title is not specified.
41
42     -k, --keep-going
43             Add a “keep on going” option to build_command.  Currently sup‐
44             ports make and xcodebuild. This is a convenience option; one can
45             specify this behavior directly using build options.
46
47     -o      Target directory for HTML report files.  Subdirectories will be
48             created as needed to represent separate invocations of the ana‐
49             lyzer.  If this option is not specified, a directory is created
50             in /tmp (TMPDIR on Mac OS X) to store the reports.
51
52     -plist  Output the results as a set of .plist files. (By default the out‐
53             put of scan-build is a set of HTML files.)
54
55     -plist-html
56             Output the results as a set of HTML and .plist files
57
58     --status-bugs
59             Set exit status to 1 if it found potential bugs and 0 otherwise.
60             By default the exit status of scan-build is that returned by
61             build_command.
62
63     --use-c++[=compiler_path]
64             Guess the default compiler for your C++ and Objective-C++ code.
65             Use this option to specify an alternate compiler.
66
67     --use-cc[=compiler_path]
68             Guess the default compiler for your C and Objective-C code. Use
69             this option to specify an alternate compiler.
70
71     -v      Verbose output from scan-build and the analyzer. A second and
72             third v increases verbosity.
73
74     -V, --view
75             View analysis results in a web browser when the build completes.
76
77     -constraints [model]
78             Specify the constraint engine used by the analyzer.  By default
79             the ‘range’ model is used.  Specifying ‘basic’ uses a simpler,
80             less powerful constraint model used by checker-0.160 and earlier.
81
82     -maxloop N
83             Specify the number of times a block can be visited before giving
84             up. Default is 4. Increase for more comprehensive coverage at a
85             cost of speed.
86
87     -no-failure-reports
88             Do not create a ‘failures’ subdirectory that includes analyzer
89             crash reports and preprocessed source files.
90
91     -stats  Generates visitation statistics for the project being analyzed.
92
93     -store [model]
94             Specify the store model used by the analyzer. By default, the
95             ‘region’ store model is used.  ‘region’ specifies a field- sensi‐
96             tive store model. Users can also specify ‘basic’ which is far
97             less precise but can more quickly analyze code.  ‘basic’ was the
98             default store model for checker-0.221 and earlier.
99

EXIT STATUS

101     scan-build returns the value returned by build_command unless
102     --status-bugs or --keep-going is used.
103

CHECKERS

105     The checkers listed below may be enabled/disabled using the
106     -enable-checker and -disable-checker options.  A default group of check‐
107     ers is run unless explicitly disabled.  Exactly which checkers constitute
108     the default group is a function of the operating system in use; they are
109     listed with --help-checkers.
110
111     core.AdjustedReturnValue
112              Check to see if the return value of a function call is different
113              than the caller expects (e.g., from calls through function
114              pointers).
115
116     core.AttributeNonNull
117              Check for null pointers passed as arguments to a function whose
118              arguments are marked with the ‘nonnull’ attribute.
119
120     core.CallAndMessage
121              Check for logical errors for function calls and Objective-C mes‐
122              sage expressions (e.g., uninitialized arguments, null function
123              pointers).
124
125     core.DivideZero
126              Check for division by zero.
127
128     core.NullDereference
129              Check for dereferences of null pointers.
130
131     core.StackAddressEscape
132              Check that addresses to stack memory do not escape the function.
133
134     core.UndefinedBinaryOperatorResult
135              Check for undefined results of binary operators.
136
137     core.VLASize
138              Check for declarations of VLA of undefined or zero size.
139
140     core.builtin.BuiltinFunctions
141              Evaluate compiler builtin functions, e.g.  alloca().
142
143     core.builtin.NoReturnFunctions
144              Evaluate ‘panic’ functions that are known to not return to the
145              caller.
146
147     core.uninitialized.ArraySubscript
148              Check for uninitialized values used as array subscripts.
149
150     core.uninitialized.Assign
151              Check for assigning uninitialized values.
152
153     core.uninitialized.Branch
154              Check for uninitialized values used as branch conditions.
155
156     core.uninitialized.CapturedBlockVariable
157              Check for blocks that capture uninitialized values.
158
159     core.uninitialized.UndefReturn
160              Check for uninitialized values being returned to the caller.
161
162     deadcode.DeadStores
163              Check for values stored to variables that are never read after‐
164              wards.
165
166     debug.DumpCFG
167              Display Control-Flow Graphs.
168
169     debug.DumpCallGraph
170              Display Call Graph.
171
172     debug.DumpDominators
173              Print the dominance tree for a given Control-Flow Graph.
174
175     debug.DumpLiveVars
176              Print results of live variable analysis.
177
178     debug.Stats
179              Emit warnings with analyzer statistics.
180
181     debug.TaintTest
182              Mark tainted symbols as such.
183
184     debug.ViewCFG
185              View Control-Flow Graphs using GraphViz.
186
187     debug.ViewCallGraph
188              View Call Graph using GraphViz.
189
190     llvm.Conventions
191              Check code for LLVM codebase conventions.
192
193     osx.API  Check for proper uses of various Mac OS X APIs.
194
195     osx.AtomicCAS
196              Evaluate calls to OSAtomic functions.
197
198     osx.SecKeychainAPI
199              Check for proper uses of Secure Keychain APIs.
200
201     osx.cocoa.AtSync
202              Check for null pointers used as mutexes for @synchronized.
203
204     osx.cocoa.ClassRelease
205              Check for sending ‘retain’, ‘release,’ or ‘autorelease’ directly
206              to a Class.
207
208     osx.cocoa.IncompatibleMethodTypes
209              Warn about Objective-C method signatures with type incompatibil‐
210              ities.
211
212     osx.cocoa.NSAutoreleasePool
213              Warn for suboptimal uses of NSAutoreleasePool in Objective-C GC
214              mode.
215
216     osx.cocoa.NSError
217              Check usage of NSError** parameters.
218
219     osx.cocoa.NilArg
220              Check for prohibited nil arguments to Objective-C method calls.
221
222     osx.cocoa.RetainCount
223              Check for leaks and improper reference count management.
224
225     osx.cocoa.SelfInit
226              Check that ‘self’ is properly initialized inside an initializer
227              method.
228
229     osx.cocoa.UnusedIvars
230              Warn about private ivars that are never used.
231
232     osx.cocoa.VariadicMethodTypes
233              Check for passing non-Objective-C types to variadic methods that
234              expect only Objective-C types.
235
236     osx.coreFoundation.CFError
237              Check usage of CFErrorRef* parameters.
238
239     osx.coreFoundation.CFNumber
240              Check for proper uses of CFNumberCreate().
241
242     osx.coreFoundation.CFRetainRelease
243              Check for null arguments to CFRetain(), CFRelease(), and
244              CFMakeCollectable().
245
246     osx.coreFoundation.containers.OutOfBounds
247              Checks for index out-of-bounds when using the CFArray API.
248
249     osx.coreFoundation.containers.PointerSizedValues
250              Warns if CFArray, CFDictionary, or CFSet are created with non-
251              pointer-size values.
252
253     security.FloatLoopCounter
254              Warn on using a floating point value as a loop counter (CERT:
255              FLP30-C, FLP30-CPP).
256
257     security.insecureAPI.UncheckedReturn
258              Warn on uses of functions whose return values must be always
259              checked.
260
261     security.insecureAPI.getpw
262              Warn on uses of getpw().
263
264     security.insecureAPI.gets
265              Warn on uses of gets().
266
267     security.insecureAPI.mkstemp
268              Warn when mkstemp() is passed fewer than 6 X's in the format
269              string.
270
271     security.insecureAPI.mktemp
272              Warn on uses of mktemp().
273
274     security.insecureAPI.rand
275              Warn on uses of rand(), random(), and related functions.
276
277     security.insecureAPI.strcpy
278              Warn on uses of strcpy() and strcat().
279
280     security.insecureAPI.vfork
281              Warn on uses of vfork().
282
283     unix.API
284              Check calls to various UNIX/Posix functions.
285
286     unix.Malloc
287              Check for memory leaks, double free, and use-after-free.
288
289     unix.cstring.BadSizeArg
290              Check the size argument passed into C string functions for com‐
291              mon erroneous patterns.
292
293     unix.cstring.NullArg
294              Check for null pointers being passed as arguments to C string
295              functions.
296

EXAMPLE

298     scan-build -o /tmp/myhtmldir make -j4
299
300     The above example causes analysis reports to be deposited into a subdi‐
301     rectory of /tmp/myhtmldir and to run make with the -j4 option.  A differ‐
302     ent subdirectory is created each time scan-build analyzes a project.  The
303     analyzer should support most parallel builds, but not distributed builds.
304

AUTHORS

306     scan-build was written by Ted Kremenek.  Documentation contributed by
307     James K. Lowden <jklowden@schemamania.org>.
308
309clang 15                         Jun 24, 2022                         clang 15
Impressum