Created
September 8, 2013 19:51
-
-
Save sonney2k/6487866 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
scan-build --help | |
USAGE: scan-build [options] <build command> [build options] | |
OPTIONS: | |
-analyze-headers | |
Also analyze functions in #included files. By default, such functions | |
are skipped unless they are called by functions within the main source file. | |
-o <output location> | |
Specifies the output directory for analyzer reports. Subdirectories will be | |
created as needed to represent separate "runs" of the analyzer. If this | |
option is not specified, a directory is created in /tmp (TMPDIR on Mac OS X) | |
to store the reports. | |
-h | |
--help | |
Display this message. | |
-k | |
--keep-going | |
Add a "keep on going" option to the specified build command. This option | |
currently supports make and xcodebuild. This is a convenience option; one | |
can specify this behavior directly using build options. | |
--html-title [title] | |
--html-title=[title] | |
Specify the title used on generated HTML pages. If not specified, a default | |
title will be used. | |
-plist | |
By default the output of scan-build is a set of HTML files. This option | |
outputs the results as a set of .plist files. | |
-plist-html | |
By default the output of scan-build is a set of HTML files. This option | |
outputs the results as a set of HTML and .plist files. | |
--status-bugs | |
By default, the exit status of scan-build is the same as the executed build | |
command. Specifying this option causes the exit status of scan-build to be 1 | |
if it found potential bugs and 0 otherwise. | |
--use-cc [compiler path] | |
--use-cc=[compiler path] | |
scan-build analyzes a project by interposing a "fake compiler", which | |
executes a real compiler for compilation and the static analyzer for analysis. | |
Because of the current implementation of interposition, scan-build does not | |
know what compiler your project normally uses. Instead, it simply overrides | |
the CC environment variable, and guesses your default compiler. | |
In the future, this interposition mechanism to be improved, but if you need | |
scan-build to use a specific compiler for *compilation* then you can use | |
this option to specify a path to that compiler. | |
--use-c++ [compiler path] | |
--use-c++=[compiler path] | |
This is the same as "-use-cc" but for C++ code. | |
-v | |
Enable verbose output from scan-build. A second and third '-v' increases | |
verbosity. | |
-V | |
--view | |
View analysis results in a web browser when the build completes. | |
ADVANCED OPTIONS: | |
-no-failure-reports | |
Do not create a 'failures' subdirectory that includes analyzer crash reports | |
and preprocessed source files. | |
-stats | |
Generates visitation statistics for the project being analyzed. | |
-maxloop <loop count> | |
Specifiy the number of times a block can be visited before giving up. | |
Default is 4. Increase for more comprehensive coverage at a cost of speed. | |
-internal-stats | |
Generate internal analyzer statistics. | |
--use-analyzer [Xcode|path to clang] | |
--use-analyzer=[Xcode|path to clang] | |
scan-build uses the 'clang' executable relative to itself for static | |
analysis. One can override this behavior with this option by using the | |
'clang' packaged with Xcode (on OS X) or from the PATH. | |
--keep-empty | |
Don't remove the build results directory even if no issues were reported. | |
--override-compiler | |
Always resort to the ccc-analyzer even when better interposition methods | |
are available. | |
CONTROLLING CHECKERS: | |
A default group of checkers are always run unless explicitly disabled. | |
Checkers may be enabled/disabled using the following options: | |
-enable-checker [checker name] | |
-disable-checker [checker name] | |
LOADING CHECKERS: | |
Loading external checkers using the clang plugin interface: | |
-load-plugin [plugin library] | |
AVAILABLE CHECKERS: | |
alpha.core.BoolAssignment Warn about assigning non-{0,1} values to Boolean variables | |
alpha.core.CastSize Check when casting a malloc'ed type T, whether the size is a multiple of the size of T | |
alpha.core.CastToStruct Check for cast from non-struct pointer to struct pointer | |
alpha.core.FixedAddr Check for assignment of a fixed address to a pointer | |
alpha.core.PointerArithm Check for pointer arithmetic on locations other than array elements | |
alpha.core.PointerSub Check for pointer subtractions on two pointers pointing to different memory chunks | |
alpha.core.SizeofPtr Warn about unintended use of sizeof() on pointer expressions | |
alpha.cplusplus.NewDeleteLeaks Check for memory leaks. Traces memory managed by new/delete. | |
alpha.cplusplus.VirtualCall Check virtual function calls during construction or destruction | |
alpha.deadcode.IdempotentOperations | |
Warn about idempotent operations | |
alpha.deadcode.UnreachableCode Check unreachable code | |
alpha.osx.cocoa.Dealloc Warn about Objective-C classes that lack a correct implementation of -dealloc | |
alpha.osx.cocoa.DirectIvarAssignment | |
Check for direct assignments to instance variables | |
alpha.osx.cocoa.DirectIvarAssignmentForAnnotatedFunctions | |
Check for direct assignments to instance variables in the methods annotated with objc_no_direct_instance_variable_assignment | |
alpha.osx.cocoa.InstanceVariableInvalidation | |
Check that the invalidatable instance variables are invalidated in the methods annotated with objc_instance_variable_invalidator | |
alpha.osx.cocoa.MissingInvalidationMethod | |
Check that the invalidation methods are present in classes that contain invalidatable instance variables | |
alpha.osx.cocoa.MissingSuperCall | |
Warn about Objective-C methods that lack a necessary call to super | |
alpha.security.ArrayBound Warn about buffer overflows (older checker) | |
alpha.security.ArrayBoundV2 Warn about buffer overflows (newer checker) | |
alpha.security.MallocOverflow Check for overflows in the arguments to malloc() | |
alpha.security.ReturnPtrRange Check for an out-of-bound pointer being returned to callers | |
alpha.security.taint.TaintPropagation | |
Generate taint information used by other checkers | |
alpha.unix.Chroot Check improper use of chroot | |
alpha.unix.MallocWithAnnotations | |
Check for memory leaks, double free, and use-after-free problems. Traces memory managed by malloc()/free(). Assumes that all user-defined functions which might free a pointer are annotated. | |
alpha.unix.PthreadLock Simple lock -> unlock checker | |
alpha.unix.SimpleStream Check for misuses of stream APIs | |
alpha.unix.Stream Check stream handling functions | |
alpha.unix.cstring.BufferOverlap | |
Checks for overlap in two buffer arguments | |
alpha.unix.cstring.NotNullTerminated | |
Check for arguments which are not null-terminating strings | |
alpha.unix.cstring.OutOfBounds Check for out-of-bounds access in string functions | |
+ core.CallAndMessage Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers) | |
+ core.DivideZero Check for division by zero | |
+ core.DynamicTypePropagation Generate dynamic type information | |
+ core.NonNullParamChecker Check for null pointers passed as arguments to a function whose arguments are references or marked with the 'nonnull' attribute | |
+ core.NullDereference Check for dereferences of null pointers | |
+ core.StackAddressEscape Check that addresses to stack memory do not escape the function | |
+ core.UndefinedBinaryOperatorResult | |
Check for undefined results of binary operators | |
+ core.VLASize Check for declarations of VLA of undefined or zero size | |
+ core.builtin.BuiltinFunctions Evaluate compiler builtin functions (e.g., alloca()) | |
+ core.builtin.NoReturnFunctions Evaluate "panic" functions that are known to not return to the caller | |
+ core.uninitialized.ArraySubscript | |
Check for uninitialized values used as array subscripts | |
+ core.uninitialized.Assign Check for assigning uninitialized values | |
+ core.uninitialized.Branch Check for uninitialized values used as branch conditions | |
+ core.uninitialized.CapturedBlockVariable | |
Check for blocks that capture uninitialized values | |
+ core.uninitialized.UndefReturn Check for uninitialized values being returned to the caller | |
+ cplusplus.NewDelete Check for double-free and use-after-free problems. Traces memory managed by new/delete. | |
+ deadcode.DeadStores Check for values stored to variables that are never read afterwards | |
debug.ConfigDumper Dump config table | |
debug.DumpCFG Display Control-Flow Graphs | |
debug.DumpCallGraph Display Call Graph | |
debug.DumpCalls Print calls as they are traversed by the engine | |
debug.DumpDominators Print the dominance tree for a given CFG | |
debug.DumpLiveVars Print results of live variable analysis | |
debug.DumpTraversal Print branch conditions as they are traversed by the engine | |
debug.ExprInspection Check the analyzer's understanding of expressions | |
debug.Stats Emit warnings with analyzer statistics | |
debug.TaintTest Mark tainted symbols as such. | |
debug.ViewCFG View Control-Flow Graphs using GraphViz | |
debug.ViewCallGraph View Call Graph using GraphViz | |
llvm.Conventions Check code for LLVM codebase conventions | |
osx.API Check for proper uses of various Apple APIs | |
osx.SecKeychainAPI Check for proper uses of Secure Keychain APIs | |
osx.cocoa.AtSync Check for nil pointers used as mutexes for @synchronized | |
osx.cocoa.ClassRelease Check for sending 'retain', 'release', or 'autorelease' directly to a Class | |
osx.cocoa.IncompatibleMethodTypes | |
Warn about Objective-C method signatures with type incompatibilities | |
osx.cocoa.Loops Improved modeling of loops using Cocoa collection types | |
osx.cocoa.NSAutoreleasePool Warn for suboptimal uses of NSAutoreleasePool in Objective-C GC mode | |
osx.cocoa.NSError Check usage of NSError** parameters | |
osx.cocoa.NilArg Check for prohibited nil arguments to ObjC method calls | |
osx.cocoa.NonNilReturnValue Model the APIs that are guaranteed to return a non-nil value | |
osx.cocoa.RetainCount Check for leaks and improper reference count management | |
osx.cocoa.SelfInit Check that 'self' is properly initialized inside an initializer method | |
osx.cocoa.UnusedIvars Warn about private ivars that are never used | |
osx.cocoa.VariadicMethodTypes Check for passing non-Objective-C types to variadic collection initialization methods that expect only Objective-C types | |
osx.coreFoundation.CFError Check usage of CFErrorRef* parameters | |
osx.coreFoundation.CFNumber Check for proper uses of CFNumberCreate | |
osx.coreFoundation.CFRetainRelease | |
Check for null arguments to CFRetain/CFRelease/CFMakeCollectable | |
osx.coreFoundation.containers.OutOfBounds | |
Checks for index out-of-bounds when using 'CFArray' API | |
osx.coreFoundation.containers.PointerSizedValues | |
Warns if 'CFArray', 'CFDictionary', 'CFSet' are created with non-pointer-size values | |
security.FloatLoopCounter Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP) | |
+ security.insecureAPI.UncheckedReturn | |
Warn on uses of functions whose return values must be always checked | |
+ security.insecureAPI.getpw Warn on uses of the 'getpw' function | |
+ security.insecureAPI.gets Warn on uses of the 'gets' function | |
+ security.insecureAPI.mkstemp Warn when 'mkstemp' is passed fewer than 6 X's in the format string | |
+ security.insecureAPI.mktemp Warn on uses of the 'mktemp' function | |
security.insecureAPI.rand Warn on uses of the 'rand', 'random', and related functions | |
security.insecureAPI.strcpy Warn on uses of the 'strcpy' and 'strcat' functions | |
+ security.insecureAPI.vfork Warn on uses of the 'vfork' function | |
+ unix.API Check calls to various UNIX/Posix functions | |
+ unix.Malloc Check for memory leaks, double free, and use-after-free problems. Traces memory managed by malloc()/free(). | |
+ unix.MallocSizeof Check for dubious malloc arguments involving sizeof | |
+ unix.MismatchedDeallocator Check for mismatched deallocators. | |
+ unix.cstring.BadSizeArg Check the size argument passed into C string functions for common erroneous patterns | |
+ unix.cstring.NullArg Check for null pointers being passed as arguments to C string functions | |
NOTE: "+" indicates that an analysis is enabled by default. | |
BUILD OPTIONS | |
You can specify any build option acceptable to the build command. | |
EXAMPLE | |
scan-build -o /tmp/myhtmldir make -j4 | |
The above example causes analysis reports to be deposited into a subdirectory | |
of "/tmp/myhtmldir" and to run "make" with the "-j4" option. A different | |
subdirectory is created each time scan-build analyzes a project. The analyzer | |
should support most parallel builds, but not distributed builds. | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment