1.\" Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
2.\" See https://llvm.org/LICENSE.txt for license information.
3.\" SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
4.\" $Id$
5.Dd Aug 1, 2022
6.Dt SCAN-BUILD 1
7.Os "clang" "16"
8.Sh NAME
9.Nm scan-build
10.Nd Clang static analyzer
11.Sh SYNOPSIS
12.Nm
13.Op Fl ohkvV
14.Op Fl analyze-headers
15.Op Fl enable-checker Op Ar checker_name
16.Op Fl disable-checker Op Ar checker_name
17.Op Fl Fl help
18.Op Fl Fl help-checkers
19.Op Fl Fl html-title Op Ar =title
20.Op Fl Fl keep-going
21.Op Fl plist
22.Op Fl plist-html
23.Op Fl Fl status-bugs
24.Op Fl Fl use-c++ Op Ar =compiler_path
25.Op Fl Fl use-cc Op Ar =compiler_path
26.Op Fl Fl view
27.Op Fl constraints Op Ar model
28.Op Fl maxloop Ar N
29.Op Fl no-failure-reports
30.Op Fl stats
31.Op Fl store Op Ar model
32.Ar build_command
33.Op build_options
34.\"
35.\" Sh DESCRIPTION
36.Sh DESCRIPTION
37.Nm
38is a Perl script that invokes the Clang static analyzer.  Options used by
39.Nm
40or by the analyzer appear first, followed by the
41.Ar build_command
42and any
43.Ar build_options
44normally used to build the target system.
45.Pp
46The static analyzer employs a long list of checking algorithms, see
47.Sx CHECKERS .
48Output can be written in standard
49.Li .plist
50and/or HTML format.
51.Pp
52The following options are supported:
53.Bl -tag -width indent
54.It Fl analyze-headers
55Also analyze functions in #included files.
56.It Fl enable-checker Ar checker_name , Fl disable-checker Ar checker_name
57Enable/disable
58.Ar checker_name .
59See
60.Sx CHECKERS .
61.It Fl h , Fl Fl help
62Display this message.
63.It Fl Fl help-checkers
64List default checkers, see
65.Sx CHECKERS .
66.It Fl Fl html-title Ns Op = Ns Ar title
67Specify the title used on generated HTML pages.
68A default title is generated if
69.Ar title
70is not specified.
71.It Fl k , Fl Fl keep-going
72Add a
73.Dq keep on going
74option to
75.Ar build_command .
76Currently supports make and xcodebuild. This is a convenience option;
77one can specify this behavior directly using build options.
78.It Fl o
79Target directory for HTML report files.  Subdirectories will be
80created as needed to represent separate invocations
81of the analyzer.  If this option is not specified, a directory is
82created in /tmp (TMPDIR on Mac OS X) to store the reports.
83.It Fl plist
84Output the results as a set of
85.Li .plist
86files. (By default the output of
87.Nm
88is a set of HTML files.)
89.It Fl plist-html
90Output the results as a set of HTML and .plist files
91.It Fl Fl status-bugs
92Set exit status to 1 if it found potential bugs and 0 otherwise. By
93default the exit status of
94.Nm
95is that returned by
96.Ar build_command .
97.It Fl Fl use-c++ Ns Op = Ns Ar compiler_path
98Guess the default compiler for your C++ and Objective-C++ code. Use this
99option to specify an alternate compiler.
100.It Fl Fl use-cc Ns Op = Ns Ar compiler_path
101Guess the default compiler for your C and Objective-C code. Use this
102option to specify an alternate compiler.
103.It Fl v
104Verbose output from
105.Nm
106and the analyzer. A second and
107third
108.Ar v
109increases verbosity.
110.It Fl V , Fl Fl view
111View analysis results in a web browser when the build completes.
112.It Fl constraints Op Ar model
113Specify the constraint engine used by the analyzer.  By default the
114.Ql range
115model is used.  Specifying
116.Ql basic
117uses a simpler, less powerful constraint model used by checker-0.160
118and earlier.
119.It Fl maxloop Ar N
120Specify the number of times a block can be visited before giving
121up. Default is 4. Increase for more comprehensive coverage at a
122cost of speed.
123.It Fl no-failure-reports
124Do not create a
125.Ql failures
126subdirectory that includes analyzer crash reports and preprocessed
127source files.
128.It Fl stats
129Generates visitation statistics for the project being analyzed.
130.It Fl store Op Ar model
131Specify the store model used by the analyzer. By default, the
132.Ql region
133store model is used.
134.Ql region
135specifies a field-
136sensitive store model. Users can also specify
137.Ql basic
138which is far less precise but can more quickly analyze code.
139.Ql basic
140was the default store model for checker-0.221 and earlier.
141.\"
142.El
143.Sh EXIT STATUS
144.Nm
145returns the value returned by
146.Ar build_command
147unless
148.Fl Fl status-bugs
149or
150.Fl Fl keep-going
151is used.
152.\"
153.\" Other sections not yet used ...
154.\" .Sh ENVIRONMENT
155.\" .Sh FILES
156.\" .Sh DIAGNOSTICS
157.\" .Sh COMPATIBILITY
158.\" .Sh HISTORY
159.\" .Sh BUGS
160.\"
161.Sh CHECKERS
162The checkers listed below may be enabled/disabled using the
163.Fl enable-checker
164and
165.Fl disable-checker
166options.
167A default group of checkers is run unless explicitly disabled.
168Exactly which checkers constitute the default group is a function
169of the operating system in use; they are listed with
170.Fl Fl help-checkers .
171.Bl -tag -width indent.
172.It core.AdjustedReturnValue
173Check to see if the return value of a function call is different than
174the caller expects (e.g., from calls through function pointers).
175.It core.AttributeNonNull
176Check for null pointers passed as arguments to a function whose arguments are marked with the
177.Ql nonnull
178attribute.
179.It core.CallAndMessage
180Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers).
181.It core.DivideZero
182Check for division by zero.
183.It core.NullDereference
184Check for dereferences of null pointers.
185.It core.StackAddressEscape
186Check that addresses to stack memory do not escape the function.
187.It core.UndefinedBinaryOperatorResult
188Check for undefined results of binary operators.
189.It core.VLASize
190Check for declarations of VLA of undefined or zero size.
191.It core.builtin.BuiltinFunctions
192Evaluate compiler builtin functions, e.g.
193.Fn alloca .
194.It core.builtin.NoReturnFunctions
195Evaluate
196.Ql panic
197functions that are known to not return to the caller.
198.It core.uninitialized.ArraySubscript
199Check for uninitialized values used as array subscripts.
200.It core.uninitialized.Assign
201Check for assigning uninitialized values.
202.It core.uninitialized.Branch
203Check for uninitialized values used as branch conditions.
204.It core.uninitialized.CapturedBlockVariable
205Check for blocks that capture uninitialized values.
206.It core.uninitialized.UndefReturn
207Check for uninitialized values being returned to the caller.
208.It deadcode.DeadStores
209Check for values stored to variables that are never read afterwards.
210.It debug.DumpCFG
211Display Control-Flow Graphs.
212.It debug.DumpCallGraph
213Display Call Graph.
214.It debug.DumpDominators
215Print the dominance tree for a given Control-Flow Graph.
216.It debug.DumpLiveVars
217Print results of live variable analysis.
218.It debug.Stats
219Emit warnings with analyzer statistics.
220.It debug.TaintTest
221Mark tainted symbols as such.
222.It debug.ViewCFG
223View Control-Flow Graphs using
224.Ic GraphViz .
225.It debug.ViewCallGraph
226View Call Graph using
227.Ic GraphViz .
228.It llvm.Conventions
229Check code for LLVM codebase conventions.
230.It osx.API
231Check for proper uses of various Mac OS X APIs.
232.It osx.AtomicCAS
233Evaluate calls to
234.Vt OSAtomic
235functions.
236.It osx.SecKeychainAPI
237Check for proper uses of Secure Keychain APIs.
238.It osx.cocoa.AtSync
239Check for null pointers used as mutexes for @synchronized.
240.It osx.cocoa.ClassRelease
241Check for sending
242.Ql retain ,
243.Ql release,
244or
245.Ql autorelease
246directly to a Class.
247.It osx.cocoa.IncompatibleMethodTypes
248Warn about Objective-C method signatures with type incompatibilities.
249.It osx.cocoa.NSAutoreleasePool
250Warn for suboptimal uses of
251.Vt NSAutoreleasePool
252in Objective-C GC mode.
253.It osx.cocoa.NSError
254Check usage of NSError** parameters.
255.It osx.cocoa.NilArg
256Check for prohibited nil arguments to Objective-C method calls.
257.It osx.cocoa.RetainCount
258Check for leaks and improper reference count management.
259.It osx.cocoa.SelfInit
260Check that
261.Ql self
262is properly initialized inside an initializer method.
263.It osx.cocoa.UnusedIvars
264Warn about private ivars that are never used.
265.It osx.cocoa.VariadicMethodTypes
266Check for passing non-Objective-C types to variadic methods that expect only Objective-C types.
267.It osx.coreFoundation.CFError
268Check usage of CFErrorRef* parameters.
269.It osx.coreFoundation.CFNumber
270Check for proper uses of
271.Fn CFNumberCreate .
272.It osx.coreFoundation.CFRetainRelease
273Check for null arguments to
274.Fn CFRetain ,
275.Fn CFRelease ,
276and
277.Fn CFMakeCollectable .
278.It osx.coreFoundation.containers.OutOfBounds
279Checks for index out-of-bounds when using the
280.Vt CFArray
281API.
282.It osx.coreFoundation.containers.PointerSizedValues
283Warns if
284.Vt CFArray ,
285.Vt CFDictionary ,
286or
287.Vt CFSet
288are created with non-pointer-size values.
289.It security.FloatLoopCounter
290Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP).
291.It security.insecureAPI.UncheckedReturn
292Warn on uses of functions whose return values must be always checked.
293.It security.insecureAPI.getpw
294Warn on uses of
295.Fn getpw .
296.It security.insecureAPI.gets
297Warn on uses of
298.Fn gets .
299.It security.insecureAPI.mkstemp
300Warn when
301.Fn mkstemp
302is passed fewer than 6 X's in the format string.
303.It security.insecureAPI.mktemp
304Warn on uses of
305.Fn mktemp .
306.It security.insecureAPI.rand
307Warn on uses of
308.Fn rand ,
309.Fn random ,
310and related functions.
311.It security.insecureAPI.strcpy
312Warn on uses of
313.Fn strcpy
314and
315.Fn strcat .
316.It security.insecureAPI.vfork
317Warn on uses of
318.Fn vfork .
319.It unix.API
320Check calls to various UNIX/Posix functions.
321.It unix.Malloc
322Check for memory leaks, double free, and use-after-free.
323.It unix.cstring.BadSizeArg
324Check the size argument passed into C string functions for common
325erroneous patterns.
326.It unix.cstring.NullArg
327Check for null pointers being passed as arguments to C string functions.
328.El
329.\"
330.Sh EXAMPLE
331.Ic scan-build -o /tmp/myhtmldir make -j4
332.Pp
333The above example causes analysis reports to be deposited into
334a subdirectory of
335.Pa /tmp/myhtmldir
336and to run
337.Ic make
338with the
339.Fl j4
340option.
341A different subdirectory is created each time
342.Nm
343analyzes a project.
344The analyzer should support most parallel builds, but not distributed builds.
345.Sh AUTHORS
346.Nm
347was written by
348.An "Ted Kremenek" .
349Documentation contributed by
350.An "James K. Lowden" Aq jklowden@schemamania.org .
351