-fanalyzer ¶This option enables an static analysis of program flow which looks for “interesting” interprocedural paths through the code, and issues warnings for problems found on them.
This analysis is much more expensive than other GCC warnings.
In technical terms, it performs coverage-guided symbolic execution of the code being compiled. It is neither sound nor complete: it can have false positives and false negatives. It is a bug-finding tool, rather than a tool for proving program correctness.
The analyzer is only suitable for use on C code in this release.
Enabling this option effectively enables the following warnings:
-Wanalyzer-allocation-size -Wanalyzer-deref-before-check -Wanalyzer-double-fclose -Wanalyzer-double-free -Wanalyzer-exposure-through-output-file -Wanalyzer-exposure-through-uninit-copy -Wanalyzer-fd-access-mode-mismatch -Wanalyzer-fd-double-close -Wanalyzer-fd-leak -Wanalyzer-fd-phase-mismatch -Wanalyzer-fd-type-mismatch -Wanalyzer-fd-use-after-close -Wanalyzer-fd-use-without-check -Wanalyzer-file-leak -Wanalyzer-free-of-non-heap -Wanalyzer-imprecise-fp-arithmetic -Wanalyzer-infinite-loop -Wanalyzer-infinite-recursion -Wanalyzer-jump-through-null -Wanalyzer-malloc-leak -Wanalyzer-mismatching-deallocation -Wanalyzer-null-argument -Wanalyzer-null-dereference -Wanalyzer-out-of-bounds -Wanalyzer-overlapping-buffers -Wanalyzer-possible-null-argument -Wanalyzer-possible-null-dereference -Wanalyzer-putenv-of-auto-var -Wanalyzer-shift-count-negative -Wanalyzer-shift-count-overflow -Wanalyzer-stale-setjmp-buffer -Wanalyzer-tainted-allocation-size -Wanalyzer-tainted-array-index -Wanalyzer-tainted-assertion -Wanalyzer-tainted-divisor -Wanalyzer-tainted-offset -Wanalyzer-tainted-size -Wanalyzer-undefined-behavior-strtok -Wanalyzer-unsafe-call-within-signal-handler -Wanalyzer-use-after-free -Wanalyzer-use-of-pointer-in-stale-stack-frame -Wanalyzer-use-of-uninitialized-value -Wanalyzer-va-arg-type-mismatch -Wanalyzer-va-list-exhausted -Wanalyzer-va-list-leak -Wanalyzer-va-list-use-after-va-end -Wanalyzer-write-to-const -Wanalyzer-write-to-string-literal
This option is only available if GCC was configured with analyzer support enabled.
-Wanalyzer-symbol-too-complex ¶If -fanalyzer is enabled, the analyzer uses various heuristics to attempt to track the state of memory, but these can be defeated by sufficiently complicated code.
By default, the analysis silently stops tracking values of expressions if they exceed the threshold defined by --param analyzer-max-svalue-depth=value, and falls back to an imprecise representation for such expressions. The -Wanalyzer-symbol-too-complex option warns if this occurs.
-Wanalyzer-too-complex ¶If -fanalyzer is enabled, the analyzer uses various heuristics to attempt to explore the control flow and data flow in the program, but these can be defeated by sufficiently complicated code.
By default, the analysis silently stops if the code is too complicated for the analyzer to fully explore and it reaches an internal limit. The -Wanalyzer-too-complex option warns if this occurs.
-Wno-analyzer-allocation-size ¶This warning requires -fanalyzer, which enables it; to disable it, use -Wno-analyzer-allocation-size.
This diagnostic warns for paths through the code in which a pointer to
a buffer is assigned to point at a buffer with a size that is not a
multiple of sizeof (*pointer).
-Wno-analyzer-deref-before-check ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-deref-before-check to disable it.
This diagnostic warns for paths through the code in which a pointer
is checked for NULL *after* it has already been
dereferenced, suggesting that the pointer could have been NULL.
Such cases suggest that the check for NULL is either redundant,
or that it needs to be moved to before the pointer is dereferenced.
This diagnostic also considers values passed to a function argument
marked with __attribute__((nonnull)) as requiring a non-NULL
value, and thus will complain if such values are checked for NULL
after returning from such a function call.
This diagnostic is unlikely to be reported when any level of optimization is enabled, as GCC’s optimization logic will typically consider such checks for NULL as being redundant, and optimize them away before the analyzer "sees" them. Hence optimization should be disabled when attempting to trigger this diagnostic.
-Wno-analyzer-double-fclose ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-double-fclose to disable it.
This diagnostic warns for paths through the code in which a FILE *
can have fclose called on it more than once.
-Wno-analyzer-double-free ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-double-free to disable it.
This diagnostic warns for paths through the code in which a pointer
can have a deallocator called on it more than once, either free,
or a deallocator referenced by attribute malloc.
See CWE-415: Double Free.
-Wno-analyzer-exposure-through-output-file ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-exposure-through-output-file to disable it.
This diagnostic warns for paths through the code in which a security-sensitive value is written to an output file (such as writing a password to a log file).
-Wanalyzer-exposure-through-uninit-copy ¶This warning requires both -fanalyzer and the use of a plugin to specify a function that copies across a “trust boundary”. Use -Wno-analyzer-exposure-through-uninit-copy to disable it.
This diagnostic warns for “infoleaks” - paths through the code in which uninitialized values are copied across a security boundary (such as code within an OS kernel that copies a partially-initialized struct on the stack to user space).
See CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
-Wno-analyzer-fd-access-mode-mismatch ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-fd-access-mode-mismatch to disable it.
This diagnostic warns for paths through code in which a
read on a write-only file descriptor is attempted, or vice versa.
This diagnostic also warns for code paths in a which a function with attribute
fd_arg_read (N) is called with a file descriptor opened with
O_WRONLY at referenced argument N or a function with attribute
fd_arg_write (N) is called with a file descriptor opened with
O_RDONLY at referenced argument N.
-Wno-analyzer-fd-double-close ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-fd-double-close to disable it.
This diagnostic warns for paths through code in which a file descriptor can be closed more than once.
-Wno-analyzer-fd-leak ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-fd-leak to disable it.
This diagnostic warns for paths through code in which an open file descriptor is leaked.
See CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime.
-Wno-analyzer-fd-phase-mismatch ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-fd-phase-mismatch to disable it.
This diagnostic warns for paths through code in which an operation is
attempted in the wrong phase of a file descriptor’s lifetime.
For example, it will warn on attempts to call accept on a stream
socket that has not yet had listen successfully called on it.
See CWE-666: Operation on Resource in Wrong Phase of Lifetime.
-Wno-analyzer-fd-type-mismatch ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-fd-type-mismatch to disable it.
This diagnostic warns for paths through code in which an
operation is attempted on the wrong type of file descriptor.
For example, it will warn on attempts to use socket operations
on a file descriptor obtained via open, or when attempting
to use a stream socket operation on a datagram socket.
-Wno-analyzer-fd-use-after-close ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-fd-use-after-close to disable it.
This diagnostic warns for paths through code in which a read or write is called on a closed file descriptor.
This diagnostic also warns for paths through code in which
a function with attribute fd_arg (N) or fd_arg_read (N)
or fd_arg_write (N) is called with a closed file descriptor at
referenced argument N.
-Wno-analyzer-fd-use-without-check ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-fd-use-without-check to disable it.
This diagnostic warns for paths through code in which a file descriptor is used without being checked for validity.
This diagnostic also warns for paths through code in which
a function with attribute fd_arg (N) or fd_arg_read (N)
or fd_arg_write (N) is called with a file descriptor, at referenced
argument N, without being checked for validity.
-Wno-analyzer-file-leak ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-file-leak to disable it.
This diagnostic warns for paths through the code in which a
<stdio.h> FILE * stream object is leaked.
See CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime.
-Wno-analyzer-free-of-non-heap ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-free-of-non-heap to disable it.
This diagnostic warns for paths through the code in which free
is called on a non-heap pointer (e.g. an on-stack buffer, or a global).
-Wno-analyzer-imprecise-fp-arithmetic ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-imprecise-fp-arithmetic to disable it.
This diagnostic warns for paths through the code in which floating-point arithmetic is used in locations where precise computation is needed. This diagnostic only warns on use of floating-point operands inside the calculation of an allocation size at the moment.
-Wno-analyzer-infinite-loop ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-infinite-loop to disable it.
This diagnostics warns for paths through the code which appear to lead to an infinite loop.
Specifically, the analyzer will issue this warning when it "sees" a loop in which:
One way for this warning to be emitted is when there is an execution path through a loop for which taking the path on one iteration implies that the same path will be taken on all subsequent iterations.
For example, consider:
while (1)
{
char opcode = *cpu_state.pc;
switch (opcode)
{
case OPCODE_FOO:
handle_opcode_foo (&cpu_state);
break;
case OPCODE_BAR:
handle_opcode_bar (&cpu_state);
break;
}
}
The analyzer will complain for the above case because if opcode
ever matches none of the cases, the switch will follow the
implicit default case, making the body of the loop be a “no-op”
with cpu_state.pc unchanged, and thus using the same value of
opcode on all subseqent iterations, leading to an infinite loop.
See CWE-835: Loop with Unreachable Exit Condition (’Infinite Loop’).
-Wno-analyzer-infinite-recursion ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-infinite-recursion to disable it.
This diagnostics warns for paths through the code which appear to lead to infinite recursion.
Specifically, when the analyzer "sees" a recursive call, it will compare the state of memory at the entry to the new frame with that at the entry to the previous frame of that function on the stack. The warning is issued if nothing in memory appears to be changing; any changes observed to parameters or globals are assumed to lead to termination of the recursion and thus suppress the warning.
This diagnostic is likely to miss cases of infinite recursion that are convered to iteration by the optimizer before the analyzer "sees" them. Hence optimization should be disabled when attempting to trigger this diagnostic.
Compare with -Winfinite-recursion, which provides a similar diagnostic, but is implemented in a different way.
-Wno-analyzer-jump-through-null ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-jump-through-null to disable it.
This diagnostic warns for paths through the code in which a NULL
function pointer is called.
-Wno-analyzer-malloc-leak ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-malloc-leak to disable it.
This diagnostic warns for paths through the code in which a
pointer allocated via an allocator is leaked: either malloc,
or a function marked with attribute malloc.
See CWE-401: Missing Release of Memory after Effective Lifetime.
-Wno-analyzer-mismatching-deallocation ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-mismatching-deallocation to disable it.
This diagnostic warns for paths through the code in which the
wrong deallocation function is called on a pointer value, based on
which function was used to allocate the pointer value. The diagnostic
will warn about mismatches between free, scalar delete
and vector delete[], and those marked as allocator/deallocator
pairs using attribute malloc.
-Wno-analyzer-out-of-bounds ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-out-of-bounds to disable it.
This diagnostic warns for paths through the code in which a buffer is definitely read or written out-of-bounds. The diagnostic applies for cases where the analyzer is able to determine a constant offset and for accesses past the end of a buffer, also a constant capacity. Further, the diagnostic does limited checking for accesses past the end when the offset as well as the capacity is symbolic.
See CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer.
For cases where the analyzer is able, it will emit a text art diagram visualizing the spatial relationship between the memory region that the analyzer predicts would be accessed, versus the range of memory that is valid to access: whether they overlap, are touching, are close or far apart; which one is before or after in memory, the relative sizes involved, the direction of the access (read vs write), and, in some cases, the values of data involved. This diagram can be suppressed using -fdiagnostics-text-art-charset=none.
-Wno-analyzer-overlapping-buffers ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-overlapping-buffers to disable it.
This diagnostic warns for paths through the code in which overlapping buffers are passed to an API for which the behavior on such buffers is undefined.
Specifically, the diagnostic occurs on calls to the following functions
memcpy
strcat
strcpy
for cases where the buffers are known to overlap.
-Wno-analyzer-possible-null-argument ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-possible-null-argument to disable it.
This diagnostic warns for paths through the code in which a
possibly-NULL value is passed to a function argument marked
with __attribute__((nonnull)) as requiring a non-NULL
value.
See CWE-690: Unchecked Return Value to NULL Pointer Dereference.
-Wno-analyzer-possible-null-dereference ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-possible-null-dereference to disable it.
This diagnostic warns for paths through the code in which a possibly-NULL value is dereferenced.
See CWE-690: Unchecked Return Value to NULL Pointer Dereference.
-Wno-analyzer-null-argument ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-null-argument to disable it.
This diagnostic warns for paths through the code in which a
value known to be NULL is passed to a function argument marked
with __attribute__((nonnull)) as requiring a non-NULL
value.
-Wno-analyzer-null-dereference ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-null-dereference to disable it.
This diagnostic warns for paths through the code in which a value known to be NULL is dereferenced.
-Wno-analyzer-putenv-of-auto-var ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-putenv-of-auto-var to disable it.
This diagnostic warns for paths through the code in which a
call to putenv is passed a pointer to an automatic variable
or an on-stack buffer.
See POS34-C. Do not call putenv() with a pointer to an automatic variable as the argument.
-Wno-analyzer-shift-count-negative ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-shift-count-negative to disable it.
This diagnostic warns for paths through the code in which a shift is attempted with a negative count. It is analogous to the -Wshift-count-negative diagnostic implemented in the C/C++ front ends, but is implemented based on analyzing interprocedural paths, rather than merely parsing the syntax tree. However, the analyzer does not prioritize detection of such paths, so false negatives are more likely relative to other warnings.
-Wno-analyzer-shift-count-overflow ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-shift-count-overflow to disable it.
This diagnostic warns for paths through the code in which a shift is attempted with a count greater than or equal to the precision of the operand’s type. It is analogous to the -Wshift-count-overflow diagnostic implemented in the C/C++ front ends, but is implemented based on analyzing interprocedural paths, rather than merely parsing the syntax tree. However, the analyzer does not prioritize detection of such paths, so false negatives are more likely relative to other warnings.
-Wno-analyzer-stale-setjmp-buffer ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-stale-setjmp-buffer to disable it.
This diagnostic warns for paths through the code in which
longjmp is called to rewind to a jmp_buf relating
to a setjmp call in a function that has returned.
When setjmp is called on a jmp_buf to record a rewind
location, it records the stack frame. The stack frame becomes invalid
when the function containing the setjmp call returns. Attempting
to rewind to it via longjmp would reference a stack frame that
no longer exists, and likely lead to a crash (or worse).
-Wno-analyzer-tainted-allocation-size ¶This warning requires -fanalyzer which enables it; use -Wno-analyzer-tainted-allocation-size to disable it.
This diagnostic warns for paths through the code in which a value that could be under an attacker’s control is used as the size of an allocation without being sanitized, so that an attacker could inject an excessively large allocation and potentially cause a denial of service attack.
-Wno-analyzer-tainted-assertion ¶This warning requires -fanalyzer which enables it; use -Wno-analyzer-tainted-assertion to disable it.
This diagnostic warns for paths through the code in which a value
that could be under an attacker’s control is used as part of a
condition without being first sanitized, and that condition guards a
call to a function marked with attribute noreturn
(such as the function __builtin_unreachable). Such functions
typically indicate abnormal termination of the program, such as for
assertion failure handlers. For example:
assert (some_tainted_value < SOME_LIMIT);
In such cases:
NDEBUG,
an attacker could inject data that subverts the process, since it
presumably violates a precondition that is being assumed by the code.
Note that when assertion-checking is disabled, the assertions are typically removed by the preprocessor before the analyzer has a chance to "see" them, so this diagnostic can only generate warnings on builds in which assertion-checking is enabled.
For the purpose of this warning, any function marked with attribute
noreturn is considered as a possible assertion failure
handler, including __builtin_unreachable. Note that these functions
are sometimes removed by the optimizer before the analyzer "sees" them.
Hence optimization should be disabled when attempting to trigger this
diagnostic.
See CWE-617: Reachable Assertion.
The warning can also report problematic constructions such as
switch (some_tainted_value) {
case 0:
/* [...etc; various valid cases omitted...] */
break;
default:
__builtin_unreachable (); /* BUG: attacker can trigger this */
}
despite the above not being an assertion failure, strictly speaking.
-Wno-analyzer-tainted-array-index ¶This warning requires -fanalyzer which enables it; use -Wno-analyzer-tainted-array-index to disable it.
This diagnostic warns for paths through the code in which a value that could be under an attacker’s control is used as the index of an array access without being sanitized, so that an attacker could inject an out-of-bounds access.
-Wno-analyzer-tainted-divisor ¶This warning requires -fanalyzer which enables it; use -Wno-analyzer-tainted-divisor to disable it.
This diagnostic warns for paths through the code in which a value that could be under an attacker’s control is used as the divisor in a division or modulus operation without being sanitized, so that an attacker could inject a division-by-zero.
-Wno-analyzer-tainted-offset ¶This warning requires -fanalyzer which enables it; use -Wno-analyzer-tainted-offset to disable it.
This diagnostic warns for paths through the code in which a value that could be under an attacker’s control is used as a pointer offset without being sanitized, so that an attacker could inject an out-of-bounds access.
-Wno-analyzer-tainted-size ¶This warning requires -fanalyzer which enables it; use -Wno-analyzer-tainted-size to disable it.
This diagnostic warns for paths through the code in which a value
that could be under an attacker’s control is used as the size of
an operation such as memset without being sanitized, so that an
attacker could inject an out-of-bounds access.
-Wno-analyzer-undefined-behavior-strtok ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-undefined-behavior-strtok to disable it.
This diagnostic warns for paths through the code in which a
call is made to strtok with undefined behavior.
Specifically, passing NULL as the first parameter for the initial
call to strtok within a process has undefined behavior.
-Wno-analyzer-unsafe-call-within-signal-handler ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-unsafe-call-within-signal-handler to disable it.
This diagnostic warns for paths through the code in which a
function known to be async-signal-unsafe (such as fprintf) is
called from a signal handler.
See CWE-479: Signal Handler Use of a Non-reentrant Function.
-Wno-analyzer-use-after-free ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-use-after-free to disable it.
This diagnostic warns for paths through the code in which a
pointer is used after a deallocator is called on it: either free,
or a deallocator referenced by attribute malloc.
-Wno-analyzer-use-of-pointer-in-stale-stack-frame ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-use-of-pointer-in-stale-stack-frame to disable it.
This diagnostic warns for paths through the code in which a pointer is dereferenced that points to a variable in a stale stack frame.
-Wno-analyzer-va-arg-type-mismatch ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-va-arg-type-mismatch to disable it.
This diagnostic warns for interprocedural paths through the code for which
the analyzer detects an attempt to use va_arg to extract a value
passed to a variadic call, but uses a type that does not match that of
the expression passed to the call.
-Wno-analyzer-va-list-exhausted ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-va-list-exhausted to disable it.
This diagnostic warns for interprocedural paths through the code for which
the analyzer detects an attempt to use va_arg to access the next
value passed to a variadic call, but all of the values in the
va_list have already been consumed.
See CWE-685: Function Call With Incorrect Number of Arguments.
-Wno-analyzer-va-list-leak ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-va-list-leak to disable it.
This diagnostic warns for interprocedural paths through the code for which
the analyzer detects that va_start or va_copy has been called
on a va_list without a corresponding call to va_end.
-Wno-analyzer-va-list-use-after-va-end ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-va-list-use-after-va-end to disable it.
This diagnostic warns for interprocedural paths through the code for which
the analyzer detects an attempt to use a va_list after
va_end has been called on it.
va_list.
-Wno-analyzer-write-to-const ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-write-to-const to disable it.
This diagnostic warns for paths through the code in which the analyzer
detects an attempt to write through a pointer to a const object.
However, the analyzer does not prioritize detection of such paths, so
false negatives are more likely relative to other warnings.
-Wno-analyzer-write-to-string-literal ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-write-to-string-literal to disable it.
This diagnostic warns for paths through the code in which the analyzer detects an attempt to write through a pointer to a string literal. However, the analyzer does not prioritize detection of such paths, so false negatives are more likely relative to other warnings.
-Wno-analyzer-use-of-uninitialized-value ¶This warning requires -fanalyzer, which enables it; use -Wno-analyzer-use-of-uninitialized-value to disable it.
This diagnostic warns for paths through the code in which an uninitialized value is used.
The analyzer has hardcoded knowledge about the behavior of the following memory-management functions:
alloca
__builtin_alloc,
__builtin_alloc_with_align, __builtin_calloc,
__builtin_free, __builtin_malloc, __builtin_memcpy,
__builtin_memcpy_chk, __builtin_memset,
__builtin_memset_chk, __builtin_realloc,
__builtin_stack_restore, and __builtin_stack_save
calloc
free
malloc
memset
operator delete
operator delete []
operator new
operator new []
realloc
strdup
strndup
of the following functions for working with file descriptors:
open
close
creat
dup, dup2 and dup3
isatty
pipe, and pipe2
read
write
socket, bind, listen, accept, and connect
of the following functions for working with <stdio.h> streams:
__builtin_fprintf,
__builtin_fprintf_unlocked, __builtin_fputc,
__builtin_fputc_unlocked, __builtin_fputs,
__builtin_fputs_unlocked, __builtin_fwrite,
__builtin_fwrite_unlocked, __builtin_printf,
__builtin_printf_unlocked, __builtin_putc,
__builtin_putchar, __builtin_putchar_unlocked,
__builtin_putc_unlocked, __builtin_puts,
__builtin_puts_unlocked, __builtin_vfprintf, and
__builtin_vprintf
fopen
fclose
ferror
fgets
fgets_unlocked
fileno
fread
getc
getchar
fprintf
printf
fwrite
and of the following functions:
__builtin_expect,
__builtin_expect_with_probability, __builtin_strchr,
__builtin_strcpy, __builtin_strcpy_chk,
__builtin_strlen, __builtin_va_copy, and
__builtin_va_start
error and error_at_line
getpass
longjmp
putenv
setjmp
siglongjmp
signal
sigsetjmp
strcat
strchr
strlen
In addition, various functions with an __analyzer_ prefix have
special meaning to the analyzer, described in the GCC Internals manual.
Pertinent parameters for controlling the exploration are:
The following options control the analyzer.
-fanalyzer-call-summaries ¶Simplify interprocedural analysis by computing the effect of certain calls, rather than exploring all paths through the function from callsite to each possible return.
If enabled, call summaries are only used for functions with more than one call site, and that are sufficiently complicated (as per --param analyzer-min-snodes-for-call-summary=value).
-fanalyzer-checker=name ¶Restrict the analyzer to run just the named checker, and enable it.
-fanalyzer-debug-text-art-headings ¶This option is intended for analyzer developers. If enabled, the analyzer will add extra annotations to any diagrams it generates.
-fno-analyzer-feasibility ¶This option is intended for analyzer developers.
By default the analyzer verifies that there is a feasible control flow path for each diagnostic it emits: that the conditions that hold are not mutually exclusive. Diagnostics for which no feasible path can be found are rejected. This filtering can be suppressed with -fno-analyzer-feasibility, for debugging issues in this code.
-fanalyzer-fine-grained ¶This option is intended for analyzer developers.
Internally the analyzer builds an “exploded graph” that combines control flow graphs with data flow information.
By default, an edge in this graph can contain the effects of a run of multiple statements within a basic block. With -fanalyzer-fine-grained, each statement gets its own edge.
-fanalyzer-show-duplicate-count ¶This option is intended for analyzer developers: if multiple diagnostics have been detected as being duplicates of each other, it emits a note when reporting the best diagnostic, giving the number of additional diagnostics that were suppressed by the deduplication logic.
-fanalyzer-show-events-in-system-headers ¶By default the analyzer emits simplified diagnostics paths by hiding events fully located within a system header. With -fanalyzer-show-events-in-system-headers such events are no longer suppressed.
-fno-analyzer-state-merge ¶This option is intended for analyzer developers.
By default the analyzer attempts to simplify analysis by merging sufficiently similar states at each program point as it builds its “exploded graph”. With -fno-analyzer-state-merge this merging can be suppressed, for debugging state-handling issues.
-fno-analyzer-state-purge ¶This option is intended for analyzer developers.
By default the analyzer attempts to simplify analysis by purging aspects of state at a program point that appear to no longer be relevant e.g. the values of locals that aren’t accessed later in the function and which aren’t relevant to leak analysis.
With -fno-analyzer-state-purge this purging of state can be suppressed, for debugging state-handling issues.
-fno-analyzer-suppress-followups ¶This option is intended for analyzer developers.
By default the analyzer will stop exploring an execution path after encountering certain diagnostics, in order to avoid potentially issuing a cascade of follow-up diagnostics.
The diagnostics that terminate analysis along a path are:
With -fno-analyzer-suppress-followups the analyzer will continue to explore such paths even after such diagnostics, which may be helpful for debugging issues in the analyzer, or for microbenchmarks for detecting undefined behavior.
-fanalyzer-transitivity ¶This option enables transitivity of constraints within the analyzer.
-fno-analyzer-undo-inlining ¶This option is intended for analyzer developers.
-fanalyzer runs relatively late compared to other code analysis tools, and some optimizations have already been applied to the code. In particular function inlining may have occurred, leading to the interprocedural execution paths emitted by the analyzer containing function frames that don’t correspond to those in the original source code.
By default the analyzer attempts to reconstruct the original function frames, and to emit events showing the inlined calls.
With -fno-analyzer-undo-inlining this attempt to reconstruct the original frame information can be disabled, which may be of help when debugging issues in the analyzer.
-fanalyzer-verbose-edgesThis option is intended for analyzer developers. It enables more verbose, lower-level detail in the descriptions of control flow within diagnostic paths.
-fanalyzer-verbose-state-changesThis option is intended for analyzer developers. It enables more verbose, lower-level detail in the descriptions of events relating to state machines within diagnostic paths.
-fanalyzer-verbosity=levelThis option controls the complexity of the control flow paths that are emitted for analyzer diagnostics.
The level can be one of:
At this level, interprocedural call and return events are displayed,
along with the most pertinent state-change events relating to
a diagnostic. For example, for a double-free diagnostic,
both calls to free will be shown.
As per the previous level, but also show events for the entry to each function.
As per the previous level, but also show events relating to control flow that are significant to triggering the issue (e.g. “true path taken” at a conditional).
This level is the default.
As per the previous level, but show all control flow events, not just significant ones.
This level is intended for analyzer developers; it adds various other events intended for debugging the analyzer.
-fdump-analyzer ¶Dump internal details about what the analyzer is doing to file.analyzer.txt. -fdump-analyzer-stderr overrides this option.
-fdump-analyzer-stderr ¶Dump internal details about what the analyzer is doing to stderr. This option overrides -fdump-analyzer.
-fdump-analyzer-callgraph ¶Dump a representation of the call graph suitable for viewing with GraphViz to file.callgraph.dot.
-fdump-analyzer-exploded-graph ¶Dump a representation of the “exploded graph” suitable for viewing with GraphViz to file.eg.dot. Nodes are color-coded based on state-machine states to emphasize state changes.
-fdump-analyzer-exploded-nodes ¶Emit diagnostics showing where nodes in the “exploded graph” are in relation to the program source.
-fdump-analyzer-exploded-nodes-2 ¶Dump a textual representation of the “exploded graph” to file.eg.txt.
-fdump-analyzer-exploded-nodes-3 ¶Dump a textual representation of the “exploded graph” to one dump file per node, to file.eg-id.txt. This is typically a large number of dump files.
-fdump-analyzer-exploded-paths ¶Dump a textual representation of the “exploded path” for each diagnostic to file.idx.kind.epath.txt.
-fdump-analyzer-feasibility ¶Dump internal details about the analyzer’s search for feasible paths. The details are written in a form suitable for viewing with GraphViz to filenames of the form file.*.fg.dot, file.*.tg.dot, and file.*.fpath.txt.
-fdump-analyzer-infinite-loop ¶Dump internal details about the analyzer’s search for infinite loops. The details are written in a form suitable for viewing with GraphViz to filenames of the form file.*.infinite-loop.dot.
-fdump-analyzer-json ¶Dump a compressed JSON representation of analyzer internals to file.analyzer.json.gz. The precise format is subject to change.
-fdump-analyzer-state-purge ¶As per -fdump-analyzer-supergraph, dump a representation of the “supergraph” suitable for viewing with GraphViz, but annotate the graph with information on what state will be purged at each node. The graph is written to file.state-purge.dot.
-fdump-analyzer-supergraph ¶Dump representations of the “supergraph” suitable for viewing with GraphViz to file.supergraph.dot and to file.supergraph-eg.dot. These show all of the control flow graphs in the program, with interprocedural edges for calls and returns. The second dump contains annotations showing nodes in the “exploded graph” and diagnostics associated with them.
-fdump-analyzer-untracked ¶Emit custom warnings with internal details intended for analyzer developers.
| 什么是日间手术 | 暴露是什么意思 | gm是什么牌子 | 做小吃什么生意最赚钱 | 宣字五行属什么 |
| 碱性磷酸酶偏低是什么原因 | 胃火重吃什么药 | 德不配位是什么意思 | 刀口力念什么 | 左脸颊有痣代表什么 |
| 早餐应该吃什么 | 大意失荆州是什么意思 | 咳嗽咳白痰是什么症状 | 胸口容易出汗是什么原因 | 痛风用什么药 |
| 韩红是什么民族 | r车标是什么牌子 | loa胎位是什么意思 | teeth是什么意思 | 吃生南瓜子有什么好处 |
| 食物链是什么意思hcv8jop7ns9r.cn | 大暑是什么意思啊hcv8jop7ns3r.cn | 十一月五号是什么星座beikeqingting.com | 更是什么结构的字hcv8jop3ns0r.cn | 去海边穿什么衣服拍照好看hcv8jop9ns1r.cn |
| 财政部部长什么级别hcv8jop1ns9r.cn | 音召念什么hcv8jop5ns4r.cn | 鼻子两侧毛孔粗大是什么原因造成的hcv9jop0ns5r.cn | 软组织是什么yanzhenzixun.com | 2r是什么意思wuhaiwuya.com |
| 肾阴阳两虚吃什么中成药hcv8jop6ns5r.cn | 七月二十六是什么星座hcv9jop7ns3r.cn | 前列腺增生用什么药hcv7jop6ns7r.cn | 吃什么会瘦hcv8jop8ns9r.cn | 腿抽筋是什么问题hcv9jop7ns1r.cn |
| 加盟什么店最赚钱投资小hcv9jop0ns7r.cn | 合伙人是什么意思hcv7jop7ns2r.cn | 消谷善饥是什么意思hcv9jop2ns5r.cn | 一直打嗝吃什么药yanzhenzixun.com | 教主是什么意思hcv8jop1ns6r.cn |