As I understand it the Clang static analyzer is not intended to be used directly. It's best to use it through CodeChecker, which provide high level commands and do the low level calls to the Clang SA (and also Clang tidy). In particular if you want whole project analysis (CTU, cross translation units analysis) CC will do the all the needed calls in a single "analyze" command.
I currently use `--analyze -Xanalyzer -analyzer-opt-analyze-headers` for checking my header-only libs in clang, but AFAIK the recommended workflow is to use clang-tidy which is better configurable than calling clang directly.
If you're on Mac with Xcode, the static analyzer and the sanitizers ASAN, UBSAN and TSAN are simple UI checkboxes.
That codechecker thing is sooo tedios to install. Why do I need to 70 MB of environment for some python script which just wraps clang tools anyway? :-(
I like scan-build better than codechecker, but codechecker is the only thing that does CTU, which is much more thorough.
That being said, codechecker is not that great in terms of it's interface. Over all, it really needs to be implemented in a GUI application as there are many many fine tuning flags you can set with the clang analyzer (as well as potential for parallelization) that either cant be taken advantage of, or is too cumbersome to use codechecker to do.
How do I use the sanitizers with freestanding targets? They seem to require a lot of library support which is unavailable on freestanding programs.
The article mentions the address sanitizer keeps track of allocations and their sizes. I wrote my own allocator, how do I integrate it with the sanitizer? I added malloc attributes to all allocation functions but they don't seem to do anything.
You need to provide implementations of the sanitizer callbacks yourself. For example, to use the address sanitizer you should use `-fsanitize=kernel-address`, and then the compiler will generate calls to `__asan_load8_noabort`, `__asan_load4_noabort`, `__asan_store8_noabort`... when loads/stores happen.
In those functions, you need to implement the sanitizer yourself, and have it panic if it detects an invalid access (address sanitizers are usually implemented with shadow memory). You'll have to give your sanitizer enough shadow memory during initialization, and also add your own alloc/free sanitizer callbacks to your allocator (so the sanitizer knows when things are allocated/freed).
I have an example [1] that implements a basic ASAN and UBSAN in a kernel (it's written in D, but could be easily adapted to C or C++). Hopefully it's helpful!
The flag applies the transitive property[1] when propagating constraints. This gives more accurate results, but at the cost of analyzer speed.
if (4 < x) {
if (x < y) {
if (y == 0) {
// Unreachable since the above three conditions cannot
// all be true at the same time (without multithreading).
}
}
}
For a more detailed explanation, see [2]. (Also the inspiration for the above example.)
GCC now has this elaborate (kind of beautiful) way of highlighting a path through your code which leads to a potential oopsie like use after free.
`-fno-omit-frame-pointer` has been useful for profiling using perf.