8

I wanted to try out the clang static analyzer. I'm on Windows and built clang with Visual Studio. It seems to work, but at the same time it seems to be extremely useless.

I made an example file

example.c

```c
int main(void)
{
    int h = 0;
    return 1/h;
}
```

Calling `scan-build gcc -c example.c` finds no error.

example.c

```c
int main(void)
{
    int h;
    return 1/h;
}
```

Calling `scan-build gcc -c example.c` finds no error.

example.c

```c
int main(void)
{
    return 1/0;
}
```

Calling `scan-build gcc -c example.c` finds no error.

If these most basic errors can't be found (and they can be found by clang itself), how can the static analyzer be of any use?

My gcc is MinGW if that matters. I also tried substituting clang but there's just nothing happening.

Am I doing something wrong here?

CodeMonkey
  • 4,067
  • 1
  • 31
  • 43
  • It would indeed appear that the tool is pure crap. Based on your tests, you don't need someone on the internet to tell you that, you already came to this conclusion. Simply uninstall it and get another one. – Lundin Mar 09 '17 at 13:38
  • 1
    @Lundin There seem to be a lot of projects putting faith into the LLVM-framework. For example the Rust language, which is backed by the Mozilla Foundation. I just can't imagine the included static-analyzer is that useless. Maybe I am missing something very basic here, e.g. some hidden configuration. – CodeMonkey Mar 09 '17 at 13:41
  • 1
    I haven't used this particular static analyser, but many others. As a rule of thumb, always assume they are broken beyond repair. – Lundin Mar 09 '17 at 13:42
  • 7
    @Lundin Yeah, and never consider that you might be using it wrong or for the wrong thing, that would be ridiculous. – nwp Mar 09 '17 at 13:43
  • @Lundin I've tried a few usable ones, e.g. Polyspace, which is very slow, but gives useful results. However the licensing costs are prohibitive for my department. – CodeMonkey Mar 09 '17 at 13:43
  • @nwp If I submit a bug report and the tool vendor acknowledges that it is a bug, then I'm fairly certain that I am using the tool correctly. This is what I used to do when I got false positives, until I got tired of hearing "we'll fix it later". – Lundin Mar 09 '17 at 13:46
  • @CodeMonkey just out of curiosity, if you test it with exactly the same example given in [their page](https://clang-analyzer.llvm.org/available_checks.html#core_checkers) about division by zero, does it complain? – Samir Aguiar Mar 09 '17 at 14:02
  • @SamirAguiar No not even there. – CodeMonkey Mar 09 '17 at 14:20
  • 1
    My theory is that there are errors that are easy and fast to find, so clang just finds them for you. And then there are errors that are difficult to find and require costly analysis that massively increases your compile times, which therefore cannot be enabled in clang, so they are moved into the dedicated static analyzer. That static analyzer doesn't repeat what clang is already doing; that would just be wasted effort. The test cases you have are simple and therefore nothing the static analyzer even considers. Use the tools in combination instead of expecting one tool to find everything. – nwp Mar 09 '17 at 14:22
  • 3
    Cannot reproduce. These examples work fine for me, using both clang-3.6 (from a debian package) and a fairly recent svn of clang-5.0. (Of course, I'm not trying on Windows.) – rici Mar 09 '17 at 16:02
  • 4
    By the way, you can specify the `-v` option (immediately after the `scan-build` command) up to three times, to receive increasing amounts of debugging output, which might help you understand why it is not managing to do a static analysis on your system. – rici Mar 09 '17 at 17:21
  • @rici I'm using the current build from SVN. I used the -v option, now it tells me it creates the report directory which it deletes afterwards. I guess it just doesn't work on Windows. – CodeMonkey Mar 10 '17 at 06:55
  • Other people seem to manage to get it to work on Windows, but it seems that the install has some gotchas. I don't have a Windows environment handy so I can't help you, but there were some instructions for Windows install which Google found me. Worst comes to worst, it's a Perl script so normal debugging techniques should be possible. – rici Mar 10 '17 at 07:07
  • 1
    I confirm that on Linux (clang 3.8) all these examples generate the relevant warnings ("a.c:4:13: warning: Division by zero", "b.c:4:13: warning: The right operand of '/' is a garbage value", "c.c:3:13: warning: division by zero [-Wdiv-by-zero]"). Most probably in your case the call to the compiler isn't properly intercepted. – Matteo Italia Mar 10 '17 at 07:21
  • I had a similar problem, and tweaking my Makefile as per https://stackoverflow.com/a/38309035/328817 meant scan-build started emitting warnings. – Sam Mar 17 '20 at 15:43
  • related question: https://stackoverflow.com/q/60771584/891439 – Florian Wolters Mar 20 '20 at 12:14

3 Answers

2

Be sure to use `scan-build -v` (verbose) to see if it is actually running the clang checker. I followed this tutorial (http://web.cs.ucla.edu/~tianyi.zhang/tutorial.html). When I tried the C++ example, it did not show any errors in the buggy code. The `-v` showed me that the provided Makefile was broken; after I fixed that, clang still did not detect the bugs, but g++ shows the bug.

Maybe they turned that particular check off. Clang Static Analyzer version 3.8. The tutorial uses version 3.2.

MarkT
  • 21
  • 2
1

The scan-build driver substitutes an "interception" command in place of the compiler when doing analysis, so you need to make sure to use a "variable" as the name of the compiler.

For example, in POSIX shell: `scan-build sh -c '${CC} "$@"' cc main.c -o main`.

PowerShell may have similar syntax, but I'm not sure; the DOS command line will need something radically different.

DannyNiu
  • 1,313
  • 8
  • 27
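A small shell model of the interception described in the answer above, added here as an example; it is not part of the original answer and it is not scan-build's own code. It assumes only what the answer states, that the wrapper points `CC` at an interceptor; `fake-analyzer`, the stub `gcc` and the two build scripts are hypothetical stand-ins so the demo runs without a toolchain.

```shell
#!/bin/sh
# Model of compiler interception through CC (constructed; not scan-build).
# Only build steps that invoke "$CC" reach the interceptor; a build script
# that hard-codes the compiler name bypasses it and nothing is analyzed.

WORK=$(mktemp -d)
LOG="$WORK/intercepted.log"
trap 'rm -rf "$WORK"' EXIT

# Stub standing in for the analyzer wrapper: records each invocation.
cat > "$WORK/fake-analyzer" <<EOF
#!/bin/sh
echo "\$*" >> "$LOG"
EOF

# Stub standing in for the real compiler.
mkdir "$WORK/bin"
printf '#!/bin/sh\nexit 0\n' > "$WORK/bin/gcc"
chmod +x "$WORK/fake-analyzer" "$WORK/bin/gcc"

# Build script A hard-codes the compiler name.
printf '#!/bin/sh\ngcc -c example.c\n' > "$WORK/build_hardcoded.sh"
# Build script B takes the compiler from CC, falling back to gcc.
printf '#!/bin/sh\n"${CC:-gcc}" -c example.c\n' > "$WORK/build_variable.sh"

# run_wrapped SCRIPT: run SCRIPT with CC overridden, as the wrapper would,
# and print how many compiler invocations reached the interceptor.
run_wrapped() {
    : > "$LOG"
    CC="$WORK/fake-analyzer" PATH="$WORK/bin:$PATH" sh "$1" >/dev/null 2>&1
    wc -l < "$LOG" | tr -d ' '
}

hardcoded_hits() { run_wrapped "$WORK/build_hardcoded.sh"; }
variable_hits()  { run_wrapped "$WORK/build_variable.sh"; }

echo "hard-coded gcc : $(hardcoded_hits) call(s) intercepted"
echo "via \${CC}      : $(variable_hits) call(s) intercepted"
```

A build whose count stays at zero is the situation in which an analysis run reports no bugs regardless of what the source contains.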
0

Maybe you are not doing something right. For example, Visual Studio 2015 even refused to compile the third example, with the error:

error C2124: divide or mod by zero.

I don't think Clang is not capable of detecting something like that. However, this is not important.

I tried to check this code using PVS-Studio and it detected all three errors:

  • V609 Divide by zero. Denominator 'h' == 0. MFCApplication2 mainfrm.cpp 17
  • V614 Uninitialized variable 'h' used. MFCApplication2 mainfrm.cpp 23
  • V609 Divide by zero. Denominator '0' == 0. MFCApplication2 mainfrm.cpp 28

Therefore, I recommend you still experiment. At least the third case should be exactly found by Clang. A practical recommendation is to use more powerful tools, such as PVS-Studio, for analysis. It, by the way, finds errors in Clang and GCC.

Ivan Kishchenko
  • 795
  • 4
  • 15