[analyzer] How to keep the clang static analyzer from analyzing system include files

Hi,
I am using the clang static analyzer in Microsoft Visual C++ projects, but I found it very time-consuming when analyzing MFC .cpp files. I also found too many warnings in MFC include files, which look like:

C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\VC\Tools\MSVC\14.16.27023\atlmfc\include\atlsimpstr.h(800,3): warning:
Returned pointer value points outside the original object (potential buffer overflow)
return( reinterpret_cast< CStringData* >( m_pszData )-1 );
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\VC\Tools\MSVC\14.16.27023\atlmfc\include\atlsimpstr.h(900,3): warning:
Returned pointer value points outside the original object (potential buffer overflow)
return( pNewData );
^~~~~~~~~~~~~~~~~~
AlexfPerf.cpp(190,8): warning: Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption
pot = (PPERF_OBJECT_TYPE)((PBYTE)pdb + pdb->HeaderLength);

So I'm wondering whether clang is analyzing too much in these system header files. How can I have clang avoid analyzing them?

Thanks,

Johnson Haul

This is the intended behavior. The analyzer finds execution paths, not individual lines of code. We are exploring execution paths that start in user code and end in the header, as they are likely to indicate a bug in user code. We are *not* exploring execution paths that start in the headers - this is what corresponds to the other tools' suppression of header analysis.

Btw, the analyzer's output should also contain full paths, not only individual lines. I don't know how exactly you're integrating the analyzer into your build system but if that's all the output you're getting then you should choose a better output mode.

Performance of the static analyzer is expected to be significantly slower than compilation. The analyzer is simply doing a lot more work.

Also note that alpha checkers are entirely unsupported. If you simply want to find more bugs, you do not want them on. At least, you should check if they are the source of your performance problems.
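A small runnable illustration of the reply's points (an added example, not code from either message): a constructed header `vendor.h` with function `get_len` standing in for a vendor header, user code that calls it with a null pointer, and an analyzer invocation that prints the full execution path (text output mode) with the alpha package disabled. It assumes a `clang` with the static analyzer on PATH; the header is pulled in with plain `-I` rather than `-isystem`.

```shell
#!/bin/sh
# Added example, not from the thread. Creates a tiny repro directory (path is a
# constructed placeholder) showing a path that starts in user code and ends in a header.
make_repro() {
  dir="${1:-./sa_repro}"
  mkdir -p "$dir/include"
  # Constructed stand-in for a vendor header (hypothetical; not atlsimpstr.h).
  cat > "$dir/include/vendor.h" <<'EOF'
struct Data { int len; };
// The bug is only reachable when a caller passes a null pointer.
static inline int get_len(struct Data *d) {
    return d->len;
}
EOF
  # Constructed user code: the reported path begins here and ends in vendor.h.
  cat > "$dir/user.cpp" <<'EOF'
#include "vendor.h"
int use_it(void) {
    struct Data *d = 0;
    return get_len(d);   // null pointer flows into the header function
}
EOF
  printf '%s\n' "$dir"
}

# Run the analyzer so that it prints every step of the path (not only the final
# line), and explicitly turn off the unsupported alpha checkers.
analyze_repro() {
  dir="$1"
  clang --analyze -I "$dir/include" \
    -Xclang -analyzer-output=text \
    -Xclang -analyzer-disable-checker=alpha \
    "$dir/user.cpp" 2>&1 || true
}
```

The text output lists the `note:` steps in user.cpp (the null value being passed) before the final `warning:` located inside vendor.h, which is what the reply describes as a path that starts in user code and ends in the header.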