[analyzer] Emit errors from StaticAnalyzer

Hi,

I would like to ask what do you think about having possibility to emit errors from clang StaticAnalyzer?

Recently I encountered a problem with implementing complex diagnostics in clang (which requires call graph analysis, for example): it is hard to implement such diagnostics in Sema because there is no place with fully-built AST.

So, I used static analyzer and implemented a few additional checkers, but the problem with static analyzer is that all diagnostics are emitted as warnings.

Here is an example of the patch I would like to commit: https://github.com/AlexeySachkov/clang/commit/898c9c566d4c1c37c2d56787fd08ff8b1697aca9

What do you think?

If there are no objections from adding possibility to emit errors from static analyzer, I will put a patch for review. Any comments on implementation?

My main task is to implement some diagnostic messages, probably someone can advise me a better solution than static analyzer? Here an example (I’m interested in OpenCL C):

int val attribute((my_attr1));

void func() {

val = 10; // expected-error{{variables declared with my_attr1 attribute cannot be used from kernels declared with my_attr2 attribute}}

}

attribute((my_attr2))

__kernel void my_kernel() {

func();

}

I knew that call graph analysis is used in Sema during compilation of CUDA sources and if static analyzer is completely wrong place for such stuff, I can try to use CUDA approach and update the Sema.

Also I wouldn’t like to use clang plugins or to create a clang-based tool.

Best regards,

Alexey Sachkov

Hi Alexey,

you can maybe implement your checks in clang-tidy as a separate module. CFG analysis and matchers are easily usable there.

You can emit errors with diag(), which is used in all checks to emit the warnings.

Sincerely Jonas

Hi Alexey,

Could you give some examples of diagnostics you have implemented?

In general, clang static analyzer emits warnings as it is allowed to have false positives by design.
I think your workflow can be achieved without any changes required though: if you know that checker X
will not have false positive, you can just configure your build system to fail the build if the static analyzer
finds any bugs with only your checker turned on.

Regards,
George

Hi George!

George Karpenkov via cfe-dev <cfe-dev@lists.llvm.org> ezt írta (időpont: 2018. máj. 11., P 22:37):

Hi Alexey,

Could you give some examples of diagnostics you have implemented?

In general, clang static analyzer emits warnings as it is allowed to have false positives by design.
I think your workflow can be achieved without any changes required though: if you know that checker X
will not have false positive, you can just configure your build system to fail the build if the static analyzer
finds any bugs with only your checker turned on.

Unfortunately, it is not that easy. Running the analyzer without the core checks is not supported and likely to cause crashes. Core checks, however, might give false positives. To support this scenario, we should be able to turn diagnostics off from core checks (but keep the modeling part).

Regards,
Gábor

Hi,

Here is an example of diagnostic I implemented: https://github.com/AlexeySachkov/clang/commit/fc9ffedea8155cfd8cdd5da1861b9642e0a6646d

And I was able to launch only my checker without any crashes of clang.

I’m trying to figure out where is the best place for such diagnostics:

· StaticAnalyzer:

o + modular, every additional implemented diagnostic/checker can be enabled separately

o – cannot emit errors by default

· Sema

o – not modular, no fully-built AST (may be “workarounded” like it is done for CUDA)

o + no problems with emitting errors, absolutely the right place for semantic analysis.

· Clang-plugins, clang-based tools (clang-tidy), build system configuration

o – not acceptable solution for me

Hi Alexey,

You probably really want to use AST matchers library for similar checks, as it makes the code safer, faster, more concise, and more general.
Cf. AST matchers and Clang refactoring tools - Eli Bendersky's website for an example.

As to where the check should belong, since you’re not doing symbolic execution and only doing AST matching,
I think it should be possible to run your checker with core checks disabled (and if it’s not possible, maybe we should fix that).

George