23

I'm running Clang 3.4 on Ubuntu 12.10 (from http://llvm.org/apt/). I ran the analyzer (clang --analyze) over some code, and it found a couple of issues:

Blah.C:429:9: warning: Declared variable-length array (VLA) has zero size
        unsigned char separatedData[groupDataLength];
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~

But the specific issue isn't important. I want to know the steps of how it came to that conclusion (the code is complex enough for me not to see it within 15 mins).

I see a screenshot from the Clang site that shows steps of working viewed in a web browser:

screenshot

That's probably obtained from Xcode.

The question is: how do I get Clang to output such steps of working from the command line? Or even output results to a browser if it so wishes? This would make the analyzer significantly more useful, and make fixing things much quicker.

(I have noticed that GCC's documentation is very excellent, but Clang/LLVM's documentation is very poor. I've tried "clang --analyze -Xanalyzer '-v'" as a stab in the dark to tell the analyzer to be more verbose -- the -Xanalyzer switch was from the man pages.)

Jetski S-type

3 Answers

28

In addition to text output on the console:

clang++ --analyze -Xanalyzer -analyzer-output=text main.cpp

You can get the full html output:

clang++ --analyze -Xanalyzer -analyzer-output=html -o html-dir main.cpp

Additionally, you can select specific checkers to enable. This page lists available checks. For example, you can enable all of the C++ checks in the alpha group using the flags:

-Xanalyzer -analyzer-checker=alpha.cplusplus

http://coliru.stacked-crooked.com/a/7746c4004704d4a7

main.cpp:5:1: warning: Potential leak of memory pointed to by 'x'
}
^
main.cpp:4:12: note: Memory is allocated
  int *x = new int;
           ^~~~~~~
main.cpp:5:1: note: Potential leak of memory pointed to by 'x'
}
^

Apparently the front end exposes

-analyzer-config <Option Name>=<Value>

E.g.

-analyzer-config -analyzer-checker=alpha.cplusplus

which might be better supported than -Xanalyzer and may be getting extended to support options to individual checkers: http://lists.cs.uiuc.edu/pipermail/cfe-dev/2014-October/039552.html

bames53
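
To consume the `-analyzer-output=text` trace in a script (for example in a CI triage step), each warning can be grouped with the `note:` lines that follow it, which are the steps of the path. This is an added example, not code from the answer or from Clang; the names `Diag`, `parse_findings` and `missing_trace` are illustrative, and the sample input is constructed from the output quoted on this page.

```python
import re
from collections import namedtuple

# Console diagnostic layout: file:line:col: kind: message
DIAG = re.compile(r"^(?P<file>.+?):(?P<line>\d+):(?P<col>\d+): "
                  r"(?P<kind>warning|error|note): (?P<msg>.*)$")

# steps holds the path notes attached to a finding, in emitted order
Diag = namedtuple("Diag", "file line col msg steps")

def parse_findings(text):
    """Group each warning/error with the note lines that follow it."""
    findings = []
    for raw in text.splitlines():
        m = DIAG.match(raw)
        if not m:
            continue  # source snippet, caret line or summary line
        d = Diag(m["file"], int(m["line"]), int(m["col"]), m["msg"], [])
        if m["kind"] != "note":
            findings.append(d)
        elif findings:  # a note before any warning has nothing to attach to
            findings[-1].steps.append(d)
    return findings

def missing_trace(findings):
    """Findings with no notes: that run lacked -analyzer-output=text."""
    return [f for f in findings if not f.steps]

# Constructed input: the page's main.cpp output, then its Blah.C warning with no notes.
SAMPLE = """\
main.cpp:5:1: warning: Potential leak of memory pointed to by 'x'
}
^
main.cpp:4:12: note: Memory is allocated
  int *x = new int;
           ^~~~~~~
main.cpp:5:1: note: Potential leak of memory pointed to by 'x'
}
^
Blah.C:429:9: warning: Declared variable-length array (VLA) has zero size
        unsigned char separatedData[groupDataLength];
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
"""

if __name__ == "__main__":
    for f in parse_findings(SAMPLE):
        print(f"{f.file}:{f.line}:{f.col}: {f.msg}")
        for i, s in enumerate(f.steps, 1):
            print(f"  step {i}: line {s.line}, col {s.col}: {s.msg}")
```
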
8

You are on the right track, but to get the full trace leading to a bug you additionally need to ask clang for output in text format (don't ask why). Since you will probably need to adjust e.g. include paths or defines for your project anyway, I'd suggest you use clang-check, which acts as a wrapper around clang's analyzer pass. It can also hook into the static analyzer tools exposed in e.g. scan-build. You can then

$ clang-check -analyze -extra-arg -Xclang -extra-arg -analyzer-output=text

Like you wrote, the documentation for these very nice tools is abysmal. I cobbled the above call together from bits and pieces from Chandler Carruth's GoingNative2013 talk.

Benjamin Bannier
  • 1
    Bingo! Almost there, but the actual proper command line that works is: `clang++ --analyze [usual stuff] -Xanalyzer -analyzer-output=text` – Jetski S-type Mar 13 '14 at 22:19
  • 2
    As it is, the command didn't work: `clang-check -analyze -extra-arg -Xclang -extra-arg -analyzer-output=text [file-path]` `LLVM ERROR: Could not auto-detect compilation database for file [path]` `No compilation database found in [path] or any parent directory` `json-compilation-database: Error while opening JSON database: No such file or directory` – Jetski S-type Mar 13 '14 at 22:23
  • It did need some special dashes at the end to stop that error: `clang-check -analyze -extra-arg -Xclang -extra-arg -analyzer-output=text [file-path] --`, which resulted in: `fatal error: include file not found` (it has no paths). And adding -Ipath as -extra-args didn't work either. In conclusion, I don't know how to use clang-check or if it's any extra use in this case.... – Jetski S-type Mar 13 '14 at 22:23
  • I do actually remember seeing awesome analyzer stuff in that video, but I couldn't remember where it was from to go back to it... It is indeed a big shame the documentation is so bad for such a wonderful tool... and they wonder why Clang isn't used to its full potential.... – Jetski S-type Mar 13 '14 at 22:29
  • 1
    For clang-check you'll need a compilation database. If you don't use cmake you can use http://github.com/rizsotto/bear to create one. – Benjamin Bannier Mar 14 '14 at 07:38
  • Dead link for “Chandler Carruth's GoingNative2013 talk,” even in the archive: https://web.archive.org/web/20221209004447/https://learn.microsoft.com/en-us/events/goingnative/2013/the-care-and-feeding-of-c-s-dragons – Flash Sheridan Feb 17 '23 at 22:21
3

You have to use scan-build: http://clang-analyzer.llvm.org/scan-build.html

You type the commands that generate your build, but you prepend them with scan-build.

Example: instead of

make

type

scan-build make

instead of

./configure
make

type

scan-build ./configure
scan-build make

Clear the build before launching the analyzer, otherwise make will state that everything has been built already and the analyzer will not run.

Paolo Brandoli
  • 1
    I did: `> scan-build "[usual compiler command]"` And it just compiled as normal (no effect). So I did: `> scan-build "[usual compiler command including --analyze]"` Resulting in: `scan-build: Using '/usr/bin/clang' for static analysis` ... – Jetski S-type Mar 13 '14 at 22:10
  • `Blah.C:429:9: warning: Declared variable-length array (VLA) has zero size` (as before) `2 warnings generated.` `scan-build: Removing directory '/tmp/scan-build-2014-03-14-083438-2804-1' because it contains no reports.` `scan-build: No bugs found.` – Jetski S-type Mar 13 '14 at 22:13
  • So I did see scan-build before, but I didn't know if it would work with my custom build system (not make). I didn't really want a wrapper around, because I thought it already had enough info in the one command line call if it could find the issue it had (I just wanted the steps). It turns out I don't know how to use it, or it's not doing anything useful with my build system... – Jetski S-type Mar 13 '14 at 22:17
  • 1
    @Paolo Brandoli I agree with Jetski S-type - I tried `scan-build cmake .; scan-build make` and it just says "no bugs found". – David Doria Nov 22 '16 at 02:18