Gcc/10.2.0/gcc/Static-Analyzer-Options
Next: Debugging Options, Previous: Warning Options, Up: Invoking GCC [Contents][Index]
3.9 Options That Control Static Analysis
-fanalyzer
This option enables an static analysis of program flow which looks for “interesting” interprocedural paths through the code, and issues warnings for problems found on them.
This analysis is much more expensive than other GCC warnings.
Enabling this option effectively enables the following warnings:
-Wanalyzer-double-fclose -Wanalyzer-double-free -Wanalyzer-exposure-through-output-file -Wanalyzer-file-leak -Wanalyzer-free-of-non-heap -Wanalyzer-malloc-leak -Wanalyzer-possible-null-argument -Wanalyzer-possible-null-dereference -Wanalyzer-null-argument -Wanalyzer-null-dereference -Wanalyzer-stale-setjmp-buffer -Wanalyzer-tainted-array-index -Wanalyzer-unsafe-call-within-signal-handler -Wanalyzer-use-after-free -Wanalyzer-use-of-pointer-in-stale-stack-frame
This option is only available if GCC was configured with analyzer support enabled.
-Wanalyzer-too-complex
If
-fanalyzer
is enabled, the analyzer uses various heuristics to attempt to explore the control flow and data flow in the program, but these can be defeated by sufficiently complicated code.By default, the analysis silently stops if the code is too complicated for the analyzer to fully explore and it reaches an internal limit. The
-Wanalyzer-too-complex
option warns if this occurs.-Wno-analyzer-double-fclose
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-double-fclose
to disable it.This diagnostic warns for paths through the code in which a
FILE *
can havefclose
called on it more than once.-Wno-analyzer-double-free
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-double-free
to disable it.This diagnostic warns for paths through the code in which a pointer can have
free
called on it more than once.-Wno-analyzer-exposure-through-output-file
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-exposure-through-output-file
to disable it.This diagnostic warns for paths through the code in which a security-sensitive value is written to an output file (such as writing a password to a log file).
-Wno-analyzer-file-leak
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-file-leak
to disable it.This diagnostic warns for paths through the code in which a
<stdio.h>
FILE *
stream object is leaked.-Wno-analyzer-free-of-non-heap
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-free-of-non-heap
to disable it.This diagnostic warns for paths through the code in which
free
is called on a non-heap pointer (e.g. an on-stack buffer, or a global).-Wno-analyzer-malloc-leak
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-malloc-leak
to disable it.This diagnostic warns for paths through the code in which a pointer allocated via
malloc
is leaked.-Wno-analyzer-possible-null-argument
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-possible-null-argument
to disable it.This diagnostic warns for paths through the code in which a possibly-NULL value is passed to a function argument marked with
__attribute__((nonnull))
as requiring a non-NULL value.-Wno-analyzer-possible-null-dereference
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-possible-null-dereference
to disable it.This diagnostic warns for paths through the code in which a possibly-NULL value is dereferenced.
-Wno-analyzer-null-argument
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-null-argument
to disable it.This diagnostic warns for paths through the code in which a value known to be NULL is passed to a function argument marked with
__attribute__((nonnull))
as requiring a non-NULL value.-Wno-analyzer-null-dereference
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-null-dereference
to disable it.This diagnostic warns for paths through the code in which a value known to be NULL is dereferenced.
-Wno-analyzer-stale-setjmp-buffer
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-stale-setjmp-buffer
to disable it.This diagnostic warns for paths through the code in which
longjmp
is called to rewind to ajmp_buf
relating to asetjmp
call in a function that has returned.When
setjmp
is called on ajmp_buf
to record a rewind location, it records the stack frame. The stack frame becomes invalid when the function containing thesetjmp
call returns. Attempting to rewind to it vialongjmp
would reference a stack frame that no longer exists, and likely lead to a crash (or worse).-Wno-analyzer-tainted-array-index
This warning requires both
-fanalyzer
and-fanalyzer-checker=taint
to enable it; use-Wno-analyzer-tainted-array-index
to disable it.This diagnostic warns for paths through the code in which a value that could be under an attacker’s control is used as the index of an array access without being sanitized.
-Wno-analyzer-unsafe-call-within-signal-handler
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-unsafe-call-within-signal-handler
to disable it.This diagnostic warns for paths through the code in which a function known to be async-signal-unsafe (such as
fprintf
) is called from a signal handler.-Wno-analyzer-use-after-free
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-use-after-free
to disable it.This diagnostic warns for paths through the code in which a pointer is used after
free
is called on it.-Wno-analyzer-use-of-pointer-in-stale-stack-frame
This warning requires
-fanalyzer
, which enables it; use-Wno-analyzer-use-of-pointer-in-stale-stack-frame
to disable it.This diagnostic warns for paths through the code in which a pointer is dereferenced that points to a variable in a stale stack frame.
Pertinent parameters for controlling the exploration are:
--param analyzer-bb-explosion-factor=value
,
--param analyzer-max-enodes-per-program-point=value
,
--param analyzer-max-recursion-depth=value
, and
--param analyzer-min-snodes-for-call-summary=value
.
The following options control the analyzer.
-fanalyzer-call-summaries
Simplify interprocedural analysis by computing the effect of certain calls, rather than exploring all paths through the function from callsite to each possible return.
If enabled, call summaries are only used for functions with more than one call site, and that are sufficiently complicated (as per
--param analyzer-min-snodes-for-call-summary=value
).-fanalyzer-checker=name
Restrict the analyzer to run just the named checker, and enable it.
Some checkers are disabled by default (even with
-fanalyzer
), such as thetaint
checker that implements-Wanalyzer-tainted-array-index
, and this option is required to enable them.-fanalyzer-fine-grained
This option is intended for analyzer developers.
Internally the analyzer builds an “exploded graph” that combines control flow graphs with data flow information.
By default, an edge in this graph can contain the effects of a run of multiple statements within a basic block. With
-fanalyzer-fine-grained
, each statement gets its own edge.-fanalyzer-show-duplicate-count
This option is intended for analyzer developers: if multiple diagnostics have been detected as being duplicates of each other, it emits a note when reporting the best diagnostic, giving the number of additional diagnostics that were suppressed by the deduplication logic.
-fno-analyzer-state-merge
This option is intended for analyzer developers.
By default the analyzer attempts to simplify analysis by merging sufficiently similar states at each program point as it builds its “exploded graph”. With
-fno-analyzer-state-merge
this merging can be suppressed, for debugging state-handling issues.-fno-analyzer-state-purge
This option is intended for analyzer developers.
By default the analyzer attempts to simplify analysis by purging aspects of state at a program point that appear to no longer be relevant e.g. the values of locals that aren’t accessed later in the function and which aren’t relevant to leak analysis.
With
-fno-analyzer-state-purge
this purging of state can be suppressed, for debugging state-handling issues.-fanalyzer-transitivity
This option enables transitivity of constraints within the analyzer.
-fanalyzer-verbose-edges
This option is intended for analyzer developers. It enables more verbose, lower-level detail in the descriptions of control flow within diagnostic paths.
-fanalyzer-verbose-state-changes
This option is intended for analyzer developers. It enables more verbose, lower-level detail in the descriptions of events relating to state machines within diagnostic paths.
-fanalyzer-verbosity=level
This option controls the complexity of the control flow paths that are emitted for analyzer diagnostics.
The
level
can be one of:- ‘
0
’ At this level, interprocedural call and return events are displayed, along with the most pertinent state-change events relating to a diagnostic. For example, for a double-
free
diagnostic, both calls tofree
will be shown.- ‘
1
’ As per the previous level, but also show events for the entry to each function.
- ‘
2
’ As per the previous level, but also show events relating to control flow that are significant to triggering the issue (e.g. “true path taken” at a conditional).
This level is the default.
- ‘
3
’ As per the previous level, but show all control flow events, not just significant ones.
- ‘
4
’ This level is intended for analyzer developers; it adds various other events intended for debugging the analyzer.
- ‘
-fdump-analyzer
Dump internal details about what the analyzer is doing to
file.analyzer.txt
. This option is overridden by-fdump-analyzer-stderr
.-fdump-analyzer-stderr
Dump internal details about what the analyzer is doing to stderr. This option overrides
-fdump-analyzer
.-fdump-analyzer-callgraph
Dump a representation of the call graph suitable for viewing with GraphViz to
file.callgraph.dot
.-fdump-analyzer-exploded-graph
Dump a representation of the “exploded graph” suitable for viewing with GraphViz to
file.eg.dot
. Nodes are color-coded based on state-machine states to emphasize state changes.-fdump-analyzer-exploded-nodes
Emit diagnostics showing where nodes in the “exploded graph” are in relation to the program source.
-fdump-analyzer-exploded-nodes-2
Dump a textual representation of the “exploded graph” to
file.eg.txt
.-fdump-analyzer-exploded-nodes-3
Dump a textual representation of the “exploded graph” to one dump file per node, to
file.eg-id.txt
. This is typically a large number of dump files.-fdump-analyzer-state-purge
As per
-fdump-analyzer-supergraph
, dump a representation of the “supergraph” suitable for viewing with GraphViz, but annotate the graph with information on what state will be purged at each node. The graph is written tofile.state-purge.dot
.-fdump-analyzer-supergraph
Dump representations of the “supergraph” suitable for viewing with GraphViz to
file.supergraph.dot
and tofile.supergraph-eg.dot
. These show all of the control flow graphs in the program, with interprocedural edges for calls and returns. The second dump contains annotations showing nodes in the “exploded graph” and diagnostics associated with them.
Next: Debugging Options, Previous: Warning Options, Up: Invoking GCC [Contents][Index]