mikeash.com pyblog/friday-qa-2009-03-06-using-the-clang-static-analyzer.html comments

astrange - 2009-11-12 18:50:52

Thu, 12 Nov 2009 18:50:52 GMT

> So, gcc internals aren't as bad as I think, except for where they are? Funny.

Just for completeness: there are three ends in a compiler, and the middle-end (platform-independent optimization) is the most important.

ceeAge - 2009-04-02 19:12:50

Thu, 02 Apr 2009 19:12:50 GMT

thx John McLaughlin, for pointing to the 'karppinen' tool. however, this won't be useful on PPC. it doesn't look like a UB build.

mikeash - 2009-03-10 09:08:27

Tue, 10 Mar 2009 09:08:27 GMT

Wow, so Clang is really responsive to bug reports. Version 0.170 of the static analyzer, now available from the web site, fixes the nameC/kindC mixup with this code. Way cool.

mikeash - 2009-03-10 02:15:29

Tue, 10 Mar 2009 02:15:29 GMT

bork: What's your point? I don't believe anyone ever said that name is leaked.

bork - 2009-03-10 01:34:20

Tue, 10 Mar 2009 01:34:20 GMT

I'm pretty sure that 'name' is returned as an autoreleased object, so it is not leaked.

foobaz - 2009-03-10 01:20:12

Tue, 10 Mar 2009 01:20:12 GMT

I never tried clang until this post inspired me. I wasn't quite surprised and frightened, but I was very impressed with what it found, like rare memory leaks caused by early returns and me passing a BOOL when I should be passing an enum. AnalysisTool is great, too.

mikeash - 2009-03-08 01:01:58

Sun, 08 Mar 2009 01:01:58 GMT

And gcc internals may not be very modular but they certainly aren't as bad as you think. (well, except for the backend, anyway)

So, gcc internals aren't as bad as I think, except for where they are? Funny.

Sebastian Redl - 2009-03-07 18:56:43

Sat, 07 Mar 2009 18:56:43 GMT

The static analysis comes from a separate component in the Clang project, but it's not the same as the rest of the compiler.
Specifically, Clang consists of the following components:
Basic: Support code
Lex: Lexing and preprocessing
Parse: Parsing
AST: AST representation
Sema: Semantic analysis, builds the AST
Analyze: Static code analysis, the core logic of CSA
Rewrite: Code rewriting support

CSA combines everything except Rewrite to form the tool, but the real analysis is done in libanalyze.

Note, also, that CSA has two modes of running: flow-based analysis and path-based analysis. Flow-based is faster, but less accurate. It produces the false uninitialized warnings like GCC, which astrange mentioned. This is because it doesn't consider the possible paths through control structures. As such, it will give a false positive here:

void f(int a)
{
  int b;
  if (a > 0) b = 1;
  if (a > 5) printf("%d", b);
}

Path-based tracks possible value ranges of variables and traces out every possible path through the function. That makes it a lot slower (runtime is exponential in the number of branches, in theory, though the component aggressively culls paths), but also more accurate. The path-based analysis recognizes that it's impossible to enter the second if if the first wasn't also entered, and will not warn about an uninitialized b.

astrange - 2009-03-07 17:47:12

Sat, 07 Mar 2009 17:47:12 GMT

I'm almost certain the static analysis comes from clang itself, not LLVM. Clang does lots of cheap bitvector dataflow inside the C frontend so it can provide warnings no matter what the optimization level is; these are just a kind of really thorough warning. (you'll notice the analyses still give false uninitialized warnings where gcc does, and can't see through function calls)

And gcc internals may not be very modular but they certainly aren't as bad as you think. (well, except for the backend, anyway)

mikeash - 2009-03-07 11:47:37

Sat, 07 Mar 2009 11:47:37 GMT

Yep, you're right, that's a bug with the static analyzer. I wrote the code with the expectation that one would be good and one would be a bug, and I never realized that the output was backwards!

Vasi - 2009-03-07 11:05:28

Sat, 07 Mar 2009 11:05:28 GMT

Er, is it just me, or is it kindC[0] in the example that should be giving the null-dereference warning? You return if name is NULL, so nameC should always be a valid pointer.

John McLaughlin - 2009-03-07 08:07:56

Sat, 07 Mar 2009 08:07:56 GMT

Also see analysis tool for a nice front end.

http://www.karppinen.fi/analysistool/

(It uses clang but adds additional checks)

-john

Jean-Daniel Dupas - 2009-03-07 07:38:49

Sat, 07 Mar 2009 07:38:49 GMT

I will now abbreviate as CSA even though everybody calls it "clang"

In fact, not everybody call it "clang", some people also use "as-yet-unnamed clang static analyzer" ;-)

The clang community is looking for a better name than "scan-build", or CSA.

This tool is young and miss some important features (like cross module analysis), but it is really useful.

It even report things like missing release call in dealloc of synthesized properties, or check good usage of NSError** objects.