CodeChecker

CodeChecker is a static analysis infrastructure built on the LLVM/Clang Static Analyzer toolchain, replacing scan-build in a Linux or macOS (OS X) development environment.

CodeChecker是一个基于LLVM/Clang的C/C++静态代码检查工具。

Github链接：https://github.com/Ericsson/codechecker

开发商：Ericsson（爱立信）

功能特性

支持多种代码检查器，目前主要支持Clang Static Analyzer和Clang Tidy
可以高效地存储结果于数据库，例如PostgreSQL、SQLite等
自带Web应用程序，可以轻松查看已发现的代码缺陷
Filterable（可根据检查器名称、错误等级、文件路径等进行过滤）
Comparable（可与指定结果进行比对以查看已修复和新引入的错误）
支持增量检查（只检查增加或修改的代码文件并更新结果）
查看每次新引入的错误列表
通过修改配置文件或在源代码中添加注释抑制已知的假阳性结果
可与其他开发者共享测试结果，提供审查和评论系统
能够显示标准输出的分析结果
基于服务器-客户端通信，可方便地存储和查询测试结果
支持多种可视化前端，例如Web应用程序、命令行工具、Eclipse插件等

Main features

• Support for multiple analyzers, currently Clang Static Analyzer and Clang-Tidy
• Store results of multiple large-scale analysis runs efficiently, either in a PostgreSQL or SQLite database
• Web application for viewing discovered code defects with a streamlined, easy experience
• Filterable (defect checker name, severity, source paths, ...) and comparable (calculates difference between two analyses of the project, showing which bugs have been fixed and which are newly introduced) result viewing
• Subsequent analysis runs only check and update results for modified files without analysing the entire project (depends on build toolchain support!)
• See the list of bugs that has been introduced since your last analyzer execution
• Suppression of known false positive results, either in configuration file or via annotation in source code, along with exclusion of entire source paths from analysis
• Results can be shared with fellow developers, the comments and review system helps communication of code defects
• Can show analysis results on standard output
• Easily implementable Thrift-based server-client communication used for storing and querying of discovered defects
• Support for multiple bug visualisation frontends, such as the web application, a command-line tool and an Eclipse plugin

User documentation

• Getting started (How-To with examples)
• Analyzer User guide
• Webserver User guide
• Requiring credentials to view analysis results
• Overview about connecting multiple analysis run databases
• Permission management
• Usage of PostgreSQL database
• How to deal with false positives
• Store Cppcheck analyzer reports

Install guide

Linux

For a detailed dependency list, and for instructions on how to install newer clang and clang-tidy versions please see Requirements. The following commands are used to bootstrap CodeChecker on Ubuntu 18.04 LTS:

# Install mandatory dependencies for a development and analysis environment.
# NOTE: clang or clang-tidy can be replaced by any later versions of LLVM/Clang.
sudo apt-get install clang clang-tidy build-essential curl doxygen gcc-multilib \
      git python-virtualenv python-dev thrift-compiler

# Check out CodeChecker source code.
git clone https://github.com/Ericsson/CodeChecker.git --depth 1 ~/codechecker
cd ~/codechecker

# Create a Python virtualenv and set it as your environment.
make venv
source $PWD/venv/bin/activate

# Build and install a CodeChecker package.
make package

# For ease of access, add the build directory to PATH.
export PATH="$PWD/build/CodeChecker/bin:$PATH"

cd ..

Note: By default make package will build ldlogger shared objects for 32bit and 64bit too. If you would like to build and package 64 bit only shared objects and ldlogger binary you can set BUILD_LOGGER_64_BIT_ONLY environment variable to YES before the package build: BUILD_LOGGER_64_BIT_ONLY=YES make package.

Upgrading environment after system or Python upgrade

If you have upgraded your system's Python to a newer version (e.g. from 2.7.6 to 2.7.12 – this is the case when upgrading Ubuntu from 14.04.2 LTS to 16.04.1 LTS), the installed environment will not work out-of-the-box. To fix this issue, run the following command to upgrade your checker_env too:

cd ~/codechecker/venv
virtualenv -p /usr/bin/python2.7 .

Mac OS X

In OSX environment the intercept-build tool from scan-build is used to log the compiler invocations.

It is possible that the intercept-build can not log the compiler calls without turning off System Integrity Protection (SIP). intercept build can automatically detect if SIP is turned off.

You can turn off SIP on El Capitan this way:

• Click the  (Apple) menu.
• Select Restart...
• Hold down command-R to boot into the Recovery System.
• Click the Utilities menu and select Terminal.
• Type csrutil disable and press return.
• Close the Terminal app.
• Click the  (Apple) menu and select Restart....

The following commands are used to bootstrap CodeChecker on OS X El Capitan 10.11, macOS Sierra 10.12 and macOS High Sierra 10.13.

# Download and install dependencies.
brew update
brew install doxygen gcc git

# Install the latest clang see: https://formulae.brew.sh/formula/llvm
brew install llvm@7

# Install Thrift 0.9.3 (Note: the general Thrift version is 0.10.0 on macOS High Sierra 10.13)
brew unlink thrift
brew install [email protected]

# Fetch source code.
git clone https://github.com/Ericsson/CodeChecker.git --depth 1 ~/codechecker
cd ~/codechecker

# Create a Python virtualenv and set it as your environment.
make venv_osx
source $PWD/venv/bin/activate

# Build and install a CodeChecker package.
make package

# For ease of access, add the build directory to PATH.
export PATH="$PWD/build/CodeChecker/bin:$PATH"

cd ..

Docker

To run CodeChecker server in Docker see the Docker documentation.

Check your first project

Configuring Clang version

Clang and/or Clang-Tidy must be available on your system before you can run analysis on a project. CodeChecker automatically detects and uses the latest available version in your PATH.

If you wish to use a custom clang or clang-tidy binary, e.g. because you intend to use a specific version or a specific build, you need to configure the installed CodeChecker package to use the appropriate binaries. Please edit the configuration file ~/codechecker/build/CodeChecker/config/package_layout.json. In the runtime/analyzers section, you must set the values, as shown below, to the binaries you intend to use.

"analyzers" : {
  "clangsa" : "/path/to/clang/bin/clang-8",
  "clang-tidy" : "/path/to/clang/bin/clang-tidy-8"
},

You can set the CC_ANALYZERS_FROM_PATH environment variable before running a CodeChecker command to yes or 1 to enforce taking the analyzers from the PATH instead of the given binaries.

Make sure that the required include paths are at the right place! Clang based tools search by default for builtin-includes in a path relative to the tool binary. $(dirname /path/to/tool)/../lib/clang/8.0.0/include

Setting up the environment in your Terminal

These steps must always be taken in a new command prompt you wish to execute analysis in.

source ~/codechecker/venv/bin/activate

# Path of CodeChecker package
# NOTE: SKIP this line if you want to always specify CodeChecker's full path.
export PATH=~/codechecker/build/CodeChecker/bin:$PATH

# Path of `scan-build.py` (intercept-build)
# NOTE: SKIP this line if you don't want to use intercept-build.
export PATH=~/<user path>/llvm/tools/clang/tools/scan-build-py/bin:$PATH

# Path of the built LLVM/Clang
# NOTE: SKIP this line if clang is available in your PATH as an installed Linux package.
export PATH=~/<user path>/build/bin:$PATH

Check the test project

Analyze your project with the check command:

CodeChecker check -b "cd ~/your-project && make clean && make" -o ~/results

check will print an overview of the issues found in your project by the analyzers.

Start a CodeChecker web and storage server in another terminal or as a background process. By default it will listen on localhost:8001.

The SQLite database containing the reports will be placed in your workspace directory (~/.codechecker by default), which can be provided via the -w flag.

CodeChecker server

Store your analysis reports onto the server to be able to use the Web Viewer.

CodeChecker store ~/results -n my-project

View results

Open the CodeChecker Web Viewer in your browser, and you should be greeted with a web application showing you the analysis results.

Important limitations with older Clang versions

Clang 3.6 or earlier releases are NOT supported due to CodeChecker relying on features not available in those releases.

If you have Clang 3.7 installed you might see the following warning message:

Hash value wasn't found in the plist file.

• Use Clang >= 3.8 or trunk r251011 — otherwise CodeChecker generates a simple hash based on the filename and the line content. This method is applied for Clang-Tidy results too, because Clang-Tidy does not support bug identifier hash generation currently.

Useful Documentation

Feature overview

• CodeChecker feature overview

Static analysis

• False Positives
• Checker and Static Analyzer configuration
• Checker documentation
• GCC incompatibilities

Security configuration

• Authentication
• Permissions

Continuous Integration (CI)

• Jenkins Gerrit integration
• Daily Scripts

Database configuration

• PostgreSQL setup
• Schema Guide

Server configuration

• Products
• Logging

Developer documentations

• Architecture
• Package layout
• Dependencies
• Thrift interface
• Package and integration tests

Conference papers, presentations

• A high-level overview about the infrastructure is available amongst the 2015Euro LLVM Conference presentations.
  Dániel KRUPP, György ORBÁN, Gábor HORVÁTH and Bence BABATI:
  Industrial Experiences with the Clang Static Analysis Toolset