How to use Clang Static Analyzer,

How to use Clang Static Analyzer,
IntroductionClang

In a macro sense, Clang is a project name. Like GCC, Clang is a lightweight compiler for C, C ++, and Objective C. It is part of the Clang project.

Compared with GCC, Clang compilation is faster and takes less memory. Clang's error message and warning information are more accurate and clearer than GCC. In addition, Clang is a library-based modular design that facilitates IDE integration and complies with the llvm bsd Protocol.

Clang Static Analyzer

Clang Static Analyzer is a source code analysis tool that can search for C, C ++, and Objective-C vulnerabilities.

Currently, Clang Static Analyzer can be used as an independent tool or run in the Xcode Development Environment (Mac OS. Clang Static Analyzer, as an independent tool, can be started from a command line (such as a ubuntu terminal) and run in the process of building a code base.

As part of the Clang project, Clang Static Analyzer is a open source software. Just like the Clang compiler, Clang Static Analyzer can be integrated into other applications like a C ++ library.

Scan-build & scan-view

Scan-build is a command line tool that helps users run static analyzer to check source code so that they can build normally. Static analyzer and code compilation do not affect each other and are executed simultaneously. That is, when a project is under construction, the source code is analyzed by the static analyzer and the source code vulnerability is found. For example:

$ scan-build make

When the build is complete, the result is displayed as a web page to the user. Similar to scan-build, scan-view is also a command line tool. It can open the web page generated by scan-build and display the bug report.

How to install

The methods for installing Clang on different platforms are different: the installation method for Mac OS x is mac OS CLANG. This article introduces the installation method for Ubuntu, other platforms except Mac OS X are similar to ubuntu.

Apt-get Installation

You can directly install the SDK using apt-get. You only need to enter the following in the terminal:

$ sudo apt-get install clang

This method is applicable to users who do not have high version requirements and has the advantage of being simple and fast.

Source code Installation

If you have high requirements on the Clang version, you need to manually compile and install the Clang source code, which is also recommended on the official website. The advantage of this method is that you can get the latest version, but it is time-consuming and troublesome.

3. Compile Clang
   • Create a build directory to store the files generated after configure is executed.

     $ mkdir build$ cd build$ ../llvm/configure --prefix=/usr/clang --enable-optimized --enable-targets=host$ sudo make -j2

   • You can add some options when running configure. For details about the options, see clang configuration,
     1. The -- prefix =/usr/clang option is used to specify to install Clang to the/usr/clang directory after the Makefile file is generated and run make install.
     2. The -- enable-optimized option is used to enable optimization. It is not enabled by default. The generated version is the Debug version, which occupies a lot of memory and takes 10 times the Time of the optimized version. There is no need to generate the Debug version here.
     3. The -- enable-target = host option is used to select the target platform. By default, all platforms are generated. You only need to adapt to the local environment.
   • Make option-j2 specifies that two threads are executed simultaneously. (If dual-core is-j2, quad-core is-j4)
   • Compilation takes some time. After compilation, you can make install:

     $ make install

     Since the -- prefix option specifies the installation path, Clang is installed in the/usr/clang directory.
   • Enables bash to search for executable program clang. Create a soft link under/usr/bin to the target directory, ln-s .. /clang/bin/clang (you can also modify the PATH environment variable, but it is not recommended here, because it is not easy for the scan-build tool to find clang)
4. Adjust the scan-build and scan-view directories
   Make install from the official website does not install the scan-build and scan-view tools. After compilation, the compiled scan-build and scan-view are displayed in $ (SRCDIR)/tools/clang/tools/scan-build and $ (SRCDIR) /tools/clang/tools/scan-view ($ (SRCDIR) is the llvm path to download ). To prevent accidental deletion of these two directories, these two directories are usually put under the root directory (for example, put under/usr/share/clang), if the current directory is under the llvm directory.

   $ sudo mkdir /usr/share/clang/scan-build -p$ sudo cp ./tools/clang/tools/scan-build/* /usr/share/clang/scan-build/$ sudo mkdir /usr/share/clang/scan-view -p$ sudo cp -r ./tools/clang/tools/scan-view/* /usr/share/clang/scan-view/$ cd /usr/bin$ sudo ln -s ../share/clang/scan-build/scan-build$ sudo ln -s ../share/clang/scan-view/scan-view

   Now, the scan-build and scan-view tools can be used, but since the source code script does not specify the clang path, the clang path must be written every time you use the scan-build tool. To solve this problem, you can modify the scan-build script.

   sudo vi /usr/bin/scan-build# Find 'clang'if (!defined $AnalyzerDiscoveryMethod) {- -  $Clang = Cwd::realpath("$RealBin/bin/clang");+  $Clang = Cwd::realpath("/usr/bin/clang");   if (!defined $Clang || ! -x $Clang) {     $Clang = Cwd::realpath("$RealBin/clang");   }

   That is, change the first $ RealBin to/usr. In this way, the Clang location is specified to scan-build. Clang Static Analyzer is fully installed.

Standard Operation ProcedureClang Compiler

Similar to GCC, Clang also integrates the precompiler, assembler, and linker, and uses the following syntax format:

clang [options] <inputs>

Most of the compilation options are similar to those of GCC. For example,-E only performs pre-compilation,-S generates assembly language files (ended with. s), and-c options only compile without linking. For more information about the options, see man clang or clang-help. For details about the Clang compiler user manual, see clang compiler user's MANUAL.
Unlike GCC, you can use the -- analyze option to start a static analyzer, as shown in figure

$ clang --analyze test.c

When running this command, Clang Static Analyzer is started to analyze bugs in test. c.

Scan-build and scan-view

• Scan-build
  1. Start
     Scan-build is essentially a Perl script that invokes Clang Static Analyzer. The scan-build command is used to analyze the project during the entire project build process. This means that files not compiled by gcc or clang will not be analyzed.
  2. Basic usage
     The basic usage of scan-build is simple. You only need to enter scan-build at the beginning of the command line.

     $ scan-build make

     While making the entire project, scan-build starts the static analyzer to analyze the project code being built. The common format of the scan-build command is as follows:

     $ scan-build [scan-build options] <command> [command options]  

     Scan-build runs these commands one by one, and its parameters are also executed in order. For example, if you input a-j4 parameter in the make command, the result is a 4-core parallel Compilation:

     $ scan-build make -j4

     Scan-build can also be used to analyze specific files:

     $ scan-build gcc -c test1.c  test2.c

     This command analyzes the test1.c and test2.c files.
  3. Other options (scan-build options)
     Scan-build supports many options. Below are some common options:
  4. For more scan-build options, see man scan-build or scan-build-h.
  5. Scan-build output result
     The output result of scan-build is an HTML file set. Each html file represents an independent defect report. The index.html file is used to query all defects. You can use a browser to open the index.html file to view all defect reports. The path where html report files are stored is specified by the-o option, which is saved in the/tmp directory by default. After running scan-build, the report path is printed. If you want to view the report immediately after the command is executed, You can input a-V parameter.
  6. Notes
     If the project to be analyzed uses the configure script to automatically generate the makefile file, you need to use scan-build to execute the configure configuration file.

     $ scan-build ./configure$ scan-build make

     The reason why the configure file needs to run through scan-build is that the static analyzer is involved in the compiler to analyze the source code. This intervention is performed by temporarily setting the environment variable CC to ccc-analyzer. As a pseudo compiler, ccc-analyzer forwards command line parameters to gcc or clang for static analysis.
• The scan-viewscan-view tool is used to view html report files generated by scan-build. The specific usage is as follows:

  scan-view [options] <results directory>

  Scan-view options can be viewed through scan-view-h or man scan-view. <Results directory> is the path generated by scan-build to store html files. After the scan-build operation is complete, you will be prompted how to use scan-view to view the html report.

Checkers

Clang Static Analyzer uses different checker to detect different types of bugs in the source code. The static analyzer uses 6 types of checkers (default checker) by default ):

• Core Checkers: provides some general checks, such as whether to be divided by 0, whether to use a null pointer, and using uninitialized parameters.
• C ++ Checkers: Provides C ++ checks.
• Dead Code Checkers: Check for unused Code.
• OS X Checkers: checks the use of Objective-C and Apple's SDKs.
• Security Checkers: checks the use of insecure APIs and CERT-based Secure Coding Standards.
• Unix Checkers: checks the usage of Unix and POSIX APIs.

Among them, each type of checkers contains different checker to check bugs of different subdivision types. For example, a checker in the core checkers class: core. CallAndMessage. This checker is mainly responsible for checking the logic errors or information expression errors of function calls, such as uninitialized parameters and empty function pointers. For example:

// Cstruct S {  int x;};void f(struct S s);void test() {  struct S s;  f(s); // warn: passed-by-value arg contain uninitialized data}

You can use the -- help-checkers option to view the default checkers list. -Enable-checker and-disable-checker are used to use and disable checker, for example

$ scan-build --help-checkers$ scan-build -enable-checker core.CallAndMessage gcc test.c$ scan-build -disable-checker core.CallAndMessage gcc test.c

If a checker is not prohibited, scan-build automatically uses the default checkers. For more information about The checkers function, see "The functions of default checkers" or available checkers.

The flow chart of scan-build & ccc-analyzer

Scan-build is a perl script used to start the static analyzer. Ccc-analyzer, like scan-build, is also a perl script. The ccc-analyzer script is an intermediate file, which is called by scan-build without direct access.

Scan-build flow chart

The preceding part is the first half of the scan-build script execution and is used to process scan-build option.

In the second part, scan-build mainly processes command and command option.
Scan-build summary:

Ccc-analyzer flow chart

Summary of ccc-analyzer script process:

How to use scan-build to find bugs to analyze a code using uninitialized function pointers analysis MIPS architecture private appsThe functions of default checkers in linux bit

In Clang Static Analyzer, default checkers has six types: Core Checkers, C ++ Checkers, Dead Code Checkers, OS X Checkers, Security Checkers, and Unix Checkers. The functions of each checker in five categories except OS X Checkers are described below.

Note: