This file is distributed under the University of Illinois Open Source
License. See LICENSE.TXT for details.
$Id$
.Dd May 25, 2012 .Dt SCAN-BUILD 1 .Os "clang" "3.1" .Sh NAME .Nm scan-build .Nd Clang static analyzer .Sh SYNOPSIS .Nm .Op Fl ohkvV .Op Fl analyze-headers .Op Fl enable-checker Op Ar checker_name .Op Fl disable-checker Op Ar checker_name .Op Fl Fl help .Op Fl Fl help-checkers .Op Fl Fl html-title Op Ar =title .Op Fl Fl keep-going .Op Fl plist .Op Fl plist-html .Op Fl Fl status-bugs .Op Fl Fl use-c++ Op Ar =compiler_path .Op Fl Fl use-cc Op Ar =compiler_path .Op Fl Fl view .Op Fl constraints Op Ar model .Op Fl maxloop Ar N .Op Fl no-failure-reports .Op Fl stats .Op Fl store Op Ar model .Ar build_command .Op build_options
Sh DESCRIPTION
.Sh DESCRIPTION .Nm is a Perl script that invokes the Clang static analyzer. Options used by .Nm or by the analyzer appear first, followed by the .Ar build_command and any .Ar build_options normally used to build the target system.

p The static analyzer employs a long list of checking algorithms, see .Sx CHECKERS . Output can be written in standard .Li .plist and/or HTML format.

p The following options are supported: l -tag -width indent t Fl analyze-headers Also analyze functions in #included files. t Fl enable-checker Ar checker_name , Fl disable-checker Ar checker_name Enable/disable .Ar checker_name . See .Sx CHECKERS . t Fl h , Fl Fl help Display this message. t Fl Fl help-checkers List default checkers, see .Sx CHECKERS . t Fl Fl html-title Ns Op = Ns Ar title Specify the title used on generated HTML pages. A default title is generated if .Ar title is not specified. t Fl k , Fl Fl keep-going Add a .Dq keep on going option to .Ar build_command . Currently supports make and xcodebuild. This is a convenience option; one can specify this behavior directly using build options. t Fl o Target directory for HTML report files. Subdirectories will be created as needed to represent separate invocations of the analyzer. If this option is not specified, a directory is created in /tmp (TMPDIR on Mac OS X) to store the reports. t Fl plist Output the results as a set of .Li .plist files. (By default the output of .Nm is a set of HTML files.) t Fl plist-html Output the results as a set of HTML and .plist files t Fl Fl status-bugs Set exit status to 1 if it found potential bugs and 0 otherwise. By default the exit status of .Nm is that returned by .Ar build_command . t Fl Fl use-c++ Ns Op = Ns Ar compiler_path Guess the default compiler for your C++ and Objective-C++ code. Use this option to specify an alternate compiler. t Fl Fl use-cc Ns Op = Ns Ar compiler_path Guess the default compiler for your C and Objective-C code. Use this option to specify an alternate compiler. t Fl v Verbose output from .Nm and the analyzer. A second and third .Ar v increases verbosity. t Fl V , Fl Fl view View analysis results in a web browser when the build completes. t Fl constraints Op Ar model Specify the contraint engine used by the analyzer. By default the .Ql range model is used. Specifying .Ql basic uses a simpler, less powerful constraint model used by checker-0.160 and earlier. t Fl maxloop Ar N Specifiy the number of times a block can be visited before giving up. Default is 4. Increase for more comprehensive coverage at a cost of speed. t Fl no-failure-reports Do not create a .Ql failures subdirectory that includes analyzer crash reports and preprocessed source files. t Fl stats Generates visitation statistics for the project being analyzed. t Fl store Op Ar model Specify the store model used by the analyzer. By default, the .Ql region store model is used. .Ql region specifies a field- sensitive store model. Users can also specify .Ql basic which is far less precise but can more quickly analyze code. .Ql basic was the default store model for checker-0.221 and earlier.
.El .Sh EXIT STATUS .Nm returns the value returned by .Ar build_command unless .Fl Fl status-bugs or .Fl Fl keep-going is used.
Other sections not yet used ...
.Sh ENVIRONMENT
.Sh FILES
.Sh DIAGNOSTICS
.Sh COMPATIBILITY
.Sh HISTORY
.Sh BUGS

.Sh CHECKERS The checkers listed below may be enabled/disabled using the .Fl enable-checker and .Fl disable-checker options. A default group of checkers is run unless explicitly disabled. Exactly which checkers constitute the default group is a function of the operating system in use; they are listed with .Fl Fl help-checkers . l -tag -width indent. t core.AdjustedReturnValue Check to see if the return value of a function call is different than the caller expects (e.g., from calls through function pointers). t core.AttributeNonNull Check for null pointers passed as arguments to a function whose arguments are marked with the .Ql nonnull attribute. t core.CallAndMessage Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers). t core.DivideZero Check for division by zero. t core.NullDereference Check for dereferences of null pointers. t core.StackAddressEscape Check that addresses to stack memory do not escape the function. t core.UndefinedBinaryOperatorResult Check for undefined results of binary operators. t core.VLASize Check for declarations of VLA of undefined or zero size. t core.builtin.BuiltinFunctions Evaluate compiler builtin functions, e.g. .Fn alloca . t core.builtin.NoReturnFunctions Evaluate .Ql panic functions that are known to not return to the caller. t core.uninitialized.ArraySubscript Check for uninitialized values used as array subscripts. t core.uninitialized.Assign Check for assigning uninitialized values. t core.uninitialized.Branch Check for uninitialized values used as branch conditions. t core.uninitialized.CapturedBlockVariable Check for blocks that capture uninitialized values. t core.uninitialized.UndefReturn Check for uninitialized values being returned to the caller. t deadcode.DeadStores Check for values stored to variables that are never read afterwards. t debug.DumpCFG Display Control-Flow Graphs. t debug.DumpCallGraph Display Call Graph. t debug.DumpDominators Print the dominance tree for a given Control-Flow Graph. t debug.DumpLiveVars Print results of live variable analysis. t debug.Stats Emit warnings with analyzer statistics. t debug.TaintTest Mark tainted symbols as such. t debug.ViewCFG View Control-Flow Graphs using c GraphViz . t debug.ViewCallGraph View Call Graph using c GraphViz . t llvm.Conventions Check code for LLVM codebase conventions. t osx.API Check for proper uses of various Mac OS X APIs. t osx.AtomicCAS Evaluate calls to .Vt OSAtomic functions. t osx.SecKeychainAPI Check for proper uses of Secure Keychain APIs. t osx.cocoa.AtSync Check for null pointers used as mutexes for @synchronized. t osx.cocoa.ClassRelease Check for sending .Ql retain , .Ql release, or .Ql autorelease directly to a Class. t osx.cocoa.IncompatibleMethodTypes Warn about Objective-C method signatures with type incompatibilities. t osx.cocoa.NSAutoreleasePool Warn for suboptimal uses of .Vt NSAutoreleasePool in Objective-C GC mode. t osx.cocoa.NSError Check usage of NSError** parameters. t osx.cocoa.NilArg Check for prohibited nil arguments to Objective-C method calls. t osx.cocoa.RetainCount Check for leaks and improper reference count management. t osx.cocoa.SelfInit Check that .Ql self is properly initialized inside an initializer method. t osx.cocoa.UnusedIvars Warn about private ivars that are never used. t osx.cocoa.VariadicMethodTypes Check for passing non-Objective-C types to variadic methods that expect only Objective-C types. t osx.coreFoundation.CFError Check usage of CFErrorRef* parameters. t osx.coreFoundation.CFNumber Check for proper uses of .Fn CFNumberCreate . t osx.coreFoundation.CFRetainRelease Check for null arguments to .Fn CFRetain , .Fn CFRelease , and .Fn CFMakeCollectable . t osx.coreFoundation.containers.OutOfBounds Checks for index out-of-bounds when using the .Vt CFArray API. t osx.coreFoundation.containers.PointerSizedValues Warns if .Vt CFArray , .Vt CFDictionary , or .Vt CFSet are created with non-pointer-size values. t security.FloatLoopCounter Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP). t security.insecureAPI.UncheckedReturn Warn on uses of functions whose return values must be always checked. t security.insecureAPI.getpw Warn on uses of .Fn getpw . t security.insecureAPI.gets Warn on uses of .Fn gets . t security.insecureAPI.mkstemp Warn when .Fn mkstemp is passed fewer than 6 X's in the format string. t security.insecureAPI.mktemp Warn on uses of .Fn mktemp . t security.insecureAPI.rand Warn on uses of .Fn rand , .Fn random , and related functions. t security.insecureAPI.strcpy Warn on uses of .Fn strcpy and .Fn strcat . t security.insecureAPI.vfork Warn on uses of .Fn vfork . t unix.API Check calls to various UNIX/Posix functions. t unix.Malloc Check for memory leaks, double free, and use-after-free. t unix.cstring.BadSizeArg Check the size argument passed into C string functions for common erroneous patterns. t unix.cstring.NullArg Check for null pointers being passed as arguments to C string functions. .El
.Sh EXAMPLE c scan-build -o /tmp/myhtmldir make -j4

p The above example causes analysis reports to be deposited into a subdirectory of

a /tmp/myhtmldir and to run c make with the .Fl j4 option. A different subdirectory is created each time .Nm analyzes a project. The analyzer should support most parallel builds, but not distributed builds. .Sh AUTHORS .Nm was written by .An "Ted Kremenek" . Documentation contributed by .An "James K. Lowden" Aq jklowden@schemamania.org .