Static Analyzer Options - Using the GNU Compiler Collection (GCC)

Next: Debugging Options, Previous: Warning Options, Up: Invoking GCC

3.9 Options That Control Static Analysis

-fanalyzer

This option enables an static analysis of program flow which looks for “interesting” interprocedural paths through the code, and issues warnings for problems found on them.

This analysis is much more expensive than other GCC warnings.

Enabling this option effectively enables the following warnings:

          
          -Wanalyzer-double-fclose 
          -Wanalyzer-double-free 
          -Wanalyzer-exposure-through-output-file 
          -Wanalyzer-file-leak 
          -Wanalyzer-free-of-non-heap 
          -Wanalyzer-malloc-leak 
          -Wanalyzer-mismatching-deallocation 
          -Wanalyzer-null-argument 
          -Wanalyzer-null-dereference 
          -Wanalyzer-possible-null-argument 
          -Wanalyzer-possible-null-dereference 
          -Wanalyzer-shift-count-negative 
          -Wanalyzer-shift-count-overflow 
          -Wanalyzer-stale-setjmp-buffer 
          -Wanalyzer-unsafe-call-within-signal-handler 
          -Wanalyzer-use-after-free 
          -Wanalyzer-use-of-pointer-in-stale-stack-frame 
          -Wanalyzer-use-of-uninitialized-value 
          -Wanalyzer-write-to-const 
          -Wanalyzer-write-to-string-literal

This option is only available if GCC was configured with analyzer support enabled.

-Wanalyzer-too-complex

If -fanalyzer is enabled, the analyzer uses various heuristics to attempt to explore the control flow and data flow in the program, but these can be defeated by sufficiently complicated code.

By default, the analysis silently stops if the code is too complicated for the analyzer to fully explore and it reaches an internal limit. The -Wanalyzer-too-complex option warns if this occurs.

-Wno-analyzer-double-fclose

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-double-fclose to disable it.

This diagnostic warns for paths through the code in which a FILE * can have fclose called on it more than once.

-Wno-analyzer-double-free

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-double-free to disable it.

This diagnostic warns for paths through the code in which a pointer can have a deallocator called on it more than once, either free, or a deallocator referenced by attribute malloc.

-Wno-analyzer-exposure-through-output-file

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-exposure-through-output-file to disable it.

This diagnostic warns for paths through the code in which a security-sensitive value is written to an output file (such as writing a password to a log file).

-Wno-analyzer-file-leak

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-file-leak to disable it.

This diagnostic warns for paths through the code in which a <stdio.h> FILE * stream object is leaked.

-Wno-analyzer-free-of-non-heap

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-free-of-non-heap to disable it.

This diagnostic warns for paths through the code in which free is called on a non-heap pointer (e.g. an on-stack buffer, or a global).

-Wno-analyzer-malloc-leak

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-malloc-leak to disable it.

This diagnostic warns for paths through the code in which a pointer allocated via an allocator is leaked: either malloc, or a function marked with attribute malloc.

-Wno-analyzer-mismatching-deallocation

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-mismatching-deallocation to disable it.

This diagnostic warns for paths through the code in which the wrong deallocation function is called on a pointer value, based on which function was used to allocate the pointer value. The diagnostic will warn about mismatches between free, scalar delete and vector delete[], and those marked as allocator/deallocator pairs using attribute malloc.

-Wno-analyzer-possible-null-argument

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-possible-null-argument to disable it.

This diagnostic warns for paths through the code in which a possibly-NULL value is passed to a function argument marked with __attribute__((nonnull)) as requiring a non-NULL value.

-Wno-analyzer-possible-null-dereference

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-possible-null-dereference to disable it.

This diagnostic warns for paths through the code in which a possibly-NULL value is dereferenced.

-Wno-analyzer-null-argument

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-null-argument to disable it.

This diagnostic warns for paths through the code in which a value known to be NULL is passed to a function argument marked with __attribute__((nonnull)) as requiring a non-NULL value.

-Wno-analyzer-null-dereference

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-null-dereference to disable it.

This diagnostic warns for paths through the code in which a value known to be NULL is dereferenced.

-Wno-analyzer-shift-count-negative

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-shift-count-negative to disable it.

This diagnostic warns for paths through the code in which a shift is attempted with a negative count. It is analogous to the -Wshift-count-negative diagnostic implemented in the C/C++ front ends, but is implemented based on analyzing interprocedural paths, rather than merely parsing the syntax tree. However, the analyzer does not prioritize detection of such paths, so false negatives are more likely relative to other warnings.

-Wno-analyzer-shift-count-overflow

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-shift-count-overflow to disable it.

This diagnostic warns for paths through the code in which a shift is attempted with a count greater than or equal to the precision of the operand's type. It is analogous to the -Wshift-count-overflow diagnostic implemented in the C/C++ front ends, but is implemented based on analyzing interprocedural paths, rather than merely parsing the syntax tree. However, the analyzer does not prioritize detection of such paths, so false negatives are more likely relative to other warnings.

-Wno-analyzer-stale-setjmp-buffer

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-stale-setjmp-buffer to disable it.

This diagnostic warns for paths through the code in which longjmp is called to rewind to a jmp_buf relating to a setjmp call in a function that has returned.

When setjmp is called on a jmp_buf to record a rewind location, it records the stack frame. The stack frame becomes invalid when the function containing the setjmp call returns. Attempting to rewind to it via longjmp would reference a stack frame that no longer exists, and likely lead to a crash (or worse).

-Wno-analyzer-tainted-allocation-size

This warning requires both -fanalyzer and -fanalyzer-checker=taint to enable it; use -Wno-analyzer-tainted-allocation-size to disable it.

This diagnostic warns for paths through the code in which a value that could be under an attacker's control is used as the size of an allocation without being sanitized, so that an attacker could inject an excessively large allocation and potentially cause a denial of service attack.

See CWE-789: Memory Allocation with Excessive Size Value.

-Wno-analyzer-tainted-array-index

This warning requires both -fanalyzer and -fanalyzer-checker=taint to enable it; use -Wno-analyzer-tainted-array-index to disable it.

This diagnostic warns for paths through the code in which a value that could be under an attacker's control is used as the index of an array access without being sanitized, so that an attacker could inject an out-of-bounds access.

See CWE-129: Improper Validation of Array Index.

-Wno-analyzer-tainted-divisor

This warning requires both -fanalyzer and -fanalyzer-checker=taint to enable it; use -Wno-analyzer-tainted-divisor to disable it.

This diagnostic warns for paths through the code in which a value that could be under an attacker's control is used as the divisor in a division or modulus operation without being sanitized, so that an attacker could inject a division-by-zero.

-Wno-analyzer-tainted-offset

This warning requires both -fanalyzer and -fanalyzer-checker=taint to enable it; use -Wno-analyzer-tainted-offset to disable it.

This diagnostic warns for paths through the code in which a value that could be under an attacker's control is used as a pointer offset without being sanitized, so that an attacker could inject an out-of-bounds access.

See CWE-823: Use of Out-of-range Pointer Offset.

-Wno-analyzer-tainted-size

This warning requires both -fanalyzer and -fanalyzer-checker=taint to enable it; use -Wno-analyzer-tainted-size to disable it.

This diagnostic warns for paths through the code in which a value that could be under an attacker's control is used as the size of an operation such as memset without being sanitized, so that an attacker could inject an out-of-bounds access.

-Wno-analyzer-unsafe-call-within-signal-handler

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-unsafe-call-within-signal-handler to disable it.

This diagnostic warns for paths through the code in which a function known to be async-signal-unsafe (such as fprintf) is called from a signal handler.

-Wno-analyzer-use-after-free

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-use-after-free to disable it.

This diagnostic warns for paths through the code in which a pointer is used after a deallocator is called on it: either free, or a deallocator referenced by attribute malloc.

-Wno-analyzer-use-of-pointer-in-stale-stack-frame

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-use-of-pointer-in-stale-stack-frame to disable it.

This diagnostic warns for paths through the code in which a pointer is dereferenced that points to a variable in a stale stack frame.

-Wno-analyzer-write-to-const

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-write-to-const to disable it.

This diagnostic warns for paths through the code in which the analyzer detects an attempt to write through a pointer to a const object. However, the analyzer does not prioritize detection of such paths, so false negatives are more likely relative to other warnings.

-Wno-analyzer-write-to-string-literal

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-write-to-string-literal to disable it.

This diagnostic warns for paths through the code in which the analyzer detects an attempt to write through a pointer to a string literal. However, the analyzer does not prioritize detection of such paths, so false negatives are more likely relative to other warnings.

-Wno-analyzer-use-of-uninitialized-value

This warning requires -fanalyzer, which enables it; use -Wno-analyzer-use-of-uninitialized-value to disable it.

This diagnostic warns for paths through the code in which an uninitialized value is used.

Pertinent parameters for controlling the exploration are: --param analyzer-bb-explosion-factor=value, --param analyzer-max-enodes-per-program-point=value, --param analyzer-max-recursion-depth=value, and --param analyzer-min-snodes-for-call-summary=value.

The following options control the analyzer.

-fanalyzer-call-summaries

Simplify interprocedural analysis by computing the effect of certain calls, rather than exploring all paths through the function from callsite to each possible return.

If enabled, call summaries are only used for functions with more than one call site, and that are sufficiently complicated (as per --param analyzer-min-snodes-for-call-summary=value).

-fanalyzer-checker=name

Restrict the analyzer to run just the named checker, and enable it.

Some checkers are disabled by default (even with -fanalyzer), such as the taint checker that implements -Wanalyzer-tainted-array-index, and this option is required to enable them.

Note: currently, -fanalyzer-checker=taint disables the following warnings from -fanalyzer:

          
          -Wanalyzer-double-fclose 
          -Wanalyzer-double-free 
          -Wanalyzer-exposure-through-output-file 
          -Wanalyzer-file-leak 
          -Wanalyzer-free-of-non-heap 
          -Wanalyzer-malloc-leak 
          -Wanalyzer-mismatching-deallocation 
          -Wanalyzer-null-argument 
          -Wanalyzer-null-dereference 
          -Wanalyzer-possible-null-argument 
          -Wanalyzer-possible-null-dereference 
          -Wanalyzer-unsafe-call-within-signal-handler 
          -Wanalyzer-use-after-free

-fno-analyzer-feasibility

This option is intended for analyzer developers.

By default the analyzer verifies that there is a feasible control flow path for each diagnostic it emits: that the conditions that hold are not mutually exclusive. Diagnostics for which no feasible path can be found are rejected. This filtering can be suppressed with -fno-analyzer-feasibility, for debugging issues in this code.

-fanalyzer-fine-grained

This option is intended for analyzer developers.

Internally the analyzer builds an “exploded graph” that combines control flow graphs with data flow information.

By default, an edge in this graph can contain the effects of a run of multiple statements within a basic block. With -fanalyzer-fine-grained, each statement gets its own edge.

-fanalyzer-show-duplicate-count

This option is intended for analyzer developers: if multiple diagnostics have been detected as being duplicates of each other, it emits a note when reporting the best diagnostic, giving the number of additional diagnostics that were suppressed by the deduplication logic.

-fno-analyzer-state-merge

This option is intended for analyzer developers.

By default the analyzer attempts to simplify analysis by merging sufficiently similar states at each program point as it builds its “exploded graph”. With -fno-analyzer-state-merge this merging can be suppressed, for debugging state-handling issues.

-fno-analyzer-state-purge

This option is intended for analyzer developers.

By default the analyzer attempts to simplify analysis by purging aspects of state at a program point that appear to no longer be relevant e.g. the values of locals that aren't accessed later in the function and which aren't relevant to leak analysis.

With -fno-analyzer-state-purge this purging of state can be suppressed, for debugging state-handling issues.

-fanalyzer-transitivity

This option enables transitivity of constraints within the analyzer.

-fanalyzer-verbose-edges

This option is intended for analyzer developers. It enables more verbose, lower-level detail in the descriptions of control flow within diagnostic paths.

-fanalyzer-verbose-state-changes

This option is intended for analyzer developers. It enables more verbose, lower-level detail in the descriptions of events relating to state machines within diagnostic paths.

-fanalyzer-verbosity=level

This option controls the complexity of the control flow paths that are emitted for analyzer diagnostics.

The level can be one of:

`0': At this level, interprocedural call and return events are displayed, along with the most pertinent state-change events relating to a diagnostic. For example, for a double-free diagnostic, both calls to free will be shown.
`1': As per the previous level, but also show events for the entry to each function.
`2': As per the previous level, but also show events relating to control flow that are significant to triggering the issue (e.g. “true path taken” at a conditional).
This level is the default.
`3': As per the previous level, but show all control flow events, not just significant ones.
`4': This level is intended for analyzer developers; it adds various other events intended for debugging the analyzer.

-fdump-analyzer

Dump internal details about what the analyzer is doing to file.analyzer.txt. This option is overridden by -fdump-analyzer-stderr.

-fdump-analyzer-stderr

Dump internal details about what the analyzer is doing to stderr. This option overrides -fdump-analyzer.

-fdump-analyzer-callgraph

Dump a representation of the call graph suitable for viewing with GraphViz to file.callgraph.dot.

-fdump-analyzer-exploded-graph

Dump a representation of the “exploded graph” suitable for viewing with GraphViz to file.eg.dot. Nodes are color-coded based on state-machine states to emphasize state changes.

-fdump-analyzer-exploded-nodes

Emit diagnostics showing where nodes in the “exploded graph” are in relation to the program source.

-fdump-analyzer-exploded-nodes-2

Dump a textual representation of the “exploded graph” to file.eg.txt.

-fdump-analyzer-exploded-nodes-3

Dump a textual representation of the “exploded graph” to one dump file per node, to file.eg-id.txt. This is typically a large number of dump files.

-fdump-analyzer-exploded-paths

Dump a textual representation of the “exploded path” for each diagnostic to file.idx.kind.epath.txt.

-fdump-analyzer-feasibility

Dump internal details about the analyzer's search for feasible paths. The details are written in a form suitable for viewing with GraphViz to filenames of the form file.*.fg.dot, file.*.tg.dot, and file.*.fpath.txt.

-fdump-analyzer-json

Dump a compressed JSON representation of analyzer internals to file.analyzer.json.gz. The precise format is subject to change.

-fdump-analyzer-state-purge

As per -fdump-analyzer-supergraph, dump a representation of the “supergraph” suitable for viewing with GraphViz, but annotate the graph with information on what state will be purged at each node. The graph is written to file.state-purge.dot.

-fdump-analyzer-supergraph

Dump representations of the “supergraph” suitable for viewing with GraphViz to file.supergraph.dot and to file.supergraph-eg.dot. These show all of the control flow graphs in the program, with interprocedural edges for calls and returns. The second dump contains annotations showing nodes in the “exploded graph” and diagnostics associated with them.

-fdump-analyzer-untracked

Emit custom warnings with internal details intended for analyzer developers.