Skip to content

Latest commit

 

History

History
170 lines (146 loc) · 11.3 KB

checker_and_analyzer_configuration.md

File metadata and controls

170 lines (146 loc) · 11.3 KB

Configure Clang Static Analyzer and checkers

Analyzer configuration can be done through the --saargs analysis option which forwards arguments without modification to the Clang Static Analyzer:

CodeChecker analyze --saargs static_analyzer.cfg

In the static_analyzer.cfg file various static analyzer and checker related configuration options can be configured like this:

-Xclang -analyzer-config -Xclang unix.Malloc:Optimistic=true -Xclang -analyzer-max-loop -Xclang 20

Before every configuration option '-Xclang' argument should be written and all the configuration options sould be in one line!

In the static_analyzer.cfg example file we set a checker specific configuration option unix.Malloc:Optimistic=true for the unix.Malloc checker and a static analyzer configuration option analyzer-max-loop (the maximum number of times the analyzer will go through a loop, the default value is 4).

Checker specific configuration options

This is not a comprehensive list view checker documentation or implementation for available configuration options:

checker name configuration option default value available values description
nullability NoDiagnoseCallsToSystemHeaders false true/false If true, the checker will not diagnose nullability issues for calls to system headers.
unix.Malloc Optimistic false true/false

Clang Static Analyzer configuration options

This is not a comprehesive list, check out the clang static analyzer documentation or source code for more details about the configuration options.

configuration option default value available values description
analyzer-max-loop 4
inline-lambdas true
ipa dynamic-bifurcate inter procedural analysis
ipa-always-inline-size 3
mode deep deep, shallow
max-inlinable-size 100 100 for deep mode, 4 for shallow
max-nodes 225000 22500 for deep, 75000 for shallow, maximum number of nodes for top level functions
unroll-loops false true/false
widen-loops false true/false
suppress-null-return-paths false
c++-inlining constructors constructors, destructors, none, methods inlining options
leak-diagnostics-reference-allocation false true/false
max-times-inline-large 32
region-store-small-struct-limit 2
path-diagnostics-alternate false true/false
report-in-main-source-file true true/false
min-cfg-size-treat-functions-as-large 14
cfg-conditional-static-initializers true
cfg-implicit-dtors true true/false
cfg-lifetime false true/false
cfg-loopexit false true/false
cfg-temporary-dtors false true/false
faux-bodies true true/false
graph-trim-interval 1000

Z3 Theorem Prover

The static analyzer supports using the Z3 Theorem Prover from Microsoft Research as an external constraint solver. This allows reasoning over more complex queries, but performance is ~15x slower than the default range-based constraint solver. To enable the Z3 solver backend, Clang must be built with the CLANG_ANALYZER_BUILD_Z3=ON option, and the -Xanalyzer -analyzer-constraints=z3 arguments passed at runtime. CodeChecker will automatically detect that the Clang was built with this option and you don't have to pass these arguments to the analyzer command itself when using CodeChecker, you just have to run the CodeChecker analyze command with the --z3 option.

You can read more about Z3 Theorem Prover here.

Use Z3 SMT Solver to validate reports

Z3 SMT Solver can reduce the number of false positive bugs reported to the user by the Clang Static Analyzer (CSA), without introducing too much overhead to the analysis.

The bug refutation in the static analyzer is disabled by default and it’s hidden behind the flag --crosscheck-with-z3. Once the user has a version of clang built with Z3, the bug refutation can be enabled by passing --analyzer-config clangsa:crosscheck-with-z3=true when calling the clang static analyzer. CodeChecker will automatically detect that the Clang was built with this option and you don't have to pass these arguments to the analyzer command itself when using CodeChecker, you just have to run the CodeChecker analyze command with the --z3-refutation option.

You can read more about refutation with the Z3 SMT Solver here.

Configure Clang tidy checkers

Using Clang tidy configuration files

clang-tidy attempts to read configuration for each analyzed source file from a .clang-tidy file located in the closest parent directory of the analyzed source file.

The .clang-tidy configuration file can be in JSON or YAML format.

JSON:

{
  "Checks": "clang-diagnostic-*,clang-analyzer-*",
  "WarningsAsErrors": "",
  "HeaderFilterRegex": "",
  "AnalyzeTemporaryDtors": false,
  "CheckOptions": [
    {
      "key": "google-readability-braces-around-statements.ShortStatementLines",
      "value": "1"
    },
    {
      "key": "modernize-loop-convert.MaxCopySize",
      "value": "16"
    },
    {
      "key": "modernize-loop-convert.NamingStyle",
      "value": "CamelCase"
    },
    {
      "key": "modernize-use-nullptr.NullMacros",
      "value": "NULL"
    }
  ]
}

or the same configuration in YAML format:

---
Checks:          'clang-diagnostic-*,clang-analyzer-*'
WarningsAsErrors: ''
HeaderFilterRegex: ''
AnalyzeTemporaryDtors: false
CheckOptions:
  - key:             google-readability-braces-around-statements.ShortStatementLines
    value:           '1'
  - key:             modernize-loop-convert.MaxCopySize
    value:           '16'
  - key:             modernize-loop-convert.NamingStyle
    value:           CamelCase
  - key:             modernize-use-nullptr.NullMacros
    value:           'NULL'
...

Using tidyargs option in CodeChecker

The --tidyargs analysis argument can be used to forward configuration options through CodeChecker to the clang-tidy analyzer.

CodeChecker analyze --tidyargs tidy_analyzer.cfg

Where the tidy_analyzer.cfg config file content looks like this where the configuration arguments (json in this case) should be in one line :

-config="{ "Checks": "clang-diagnostic-*,clang-analyzer-*", "WarningsAsErrors": "", "HeaderFilterRegex": "", "AnalyzeTemporaryDtors": false, "CheckOptions": [ { "key": "google-readability-braces-around-statements.ShortStatementLines", "value": "1" }, { "key": "modernize-loop-convert.MaxCopySize", "value": "16" }, { "key": "modernize-loop-convert.NamingStyle", "value": "CamelCase" }, { "key": "modernize-use-nullptr.NullMacros", "value": "NULL" } ] }"