analyzer: invoking a single analyzer from the static analysis tools.

I was wondering if someone might be able to help me with cleanly invoking a single analyzer from the static analysis tools.

I am not sure what I need to do (or, should be doing instead) in a situation like the one below where I’ve got a header like stdio.h included (--analyze figures it out, but then it appears that I lose the ability to apply a single checker):

% ./Debug+Asserts/bin/clang -cc1 -analyze -analyzer-checker=core.DivideZero ./tmp/main.c

./tmp/main.c:1:10: fatal error: 'stdio.h' file not found
#include <stdio.h>
^
1 error generated.

% cat ./tmp/main.c

#include <stdio.h>

int main(int argc, char** argv) {
    int x = 1;
    int y = 0;

    /* x / y divides by zero: the defect core.DivideZero reports */
    printf("%d\n", x / y);

    return 0;
}

Thanks!

-Mike

Hi Michael,

It’s not recommended to run the low-level driver like this. You can just use scan-build, for example:

  $ scan-build clang -c /tmp/main.c

or more generally

  $ scan-build <compiler line>

You can also use:

  $ clang --analyze /tmp/main.c

directly. That’s somewhat discouraged because the long-term idea is that the static analyzer supports global analysis. The intention is that you can declare a set of files to analyze and they get analyzed together, whereas the latter line is clearly just analyzing a particular file using clang.

Cheers,
Ted

Hi Ted,

Thanks for the help! I actually have a follow-up question, though. This question came up because I was toying around with developing my own simple checker and wanted to test it out. My first inclination was to do this in isolation from the other checkers which is why I attempted the invocation from my original post, but perhaps you’re saying that even for a dev situation like this just run the whole platter of checkers? Or, did you just mean for a general usage scenario where someone isn’t adding new checkers etc.?

I just ended up using --analyze because the scan-build command I could figure out was somewhat more verbose, needing --use-analyzer=… etc.; but, I was mostly fumbling around trying to get it to work, so I’m sure I’m missing a bunch of different things.

Thanks again.

-Mike

Using --analyze is fine. I mainly advocate against using the -cc1 driver options directly. The analyzer basically expects that some of the core.* checkers are guaranteed to be on to do the path-sensitive analysis, but they are factored as separate checkers both for testing and to make the core engine less monolithic. Using --analyze will give you the appropriate set of default checkers, and then you can enable additional ones using --analyzer-checker=…, etc.

I see. That’s extremely helpful and clarifies some things for me. I wasn’t sure at first whether or not -analyzer-checker was effective with --analyze because I could see those core checkers running. That the analyzer relies on those checkers makes a crash that I ran into now understandable (I forced divide-by-zero off).

Thanks!

-Mike