Clang Static Analyzer multipass checker

Hello, I’m beginner in CSA programming. I have read clang SA a checker developer manual
and have some questions.
How can I pass command line options to CSA checker? Does -Xanalyzer option can help me?
May be I need to see AnalyzerOptions.cpp, but can’t understand how to catch options from my checker.

Also I want to know is it possible to realize multi-pass analyzer with parallel or sequential running of one or multiply checker with data transfer between passes.
I need to run first checker that taint some input, observes taint values and find some AST expressions (or with path sensible analysis).
After this checker ends up I need to start the second checker, that uses search results of 1’st in analysis from begining of ExplodedGraph.

Hi!

Are you using the latest ‘n’ greatest clang? If so, you may add options to your checker by first declaring it in Checkers.td, here’s an example:

def MyExample : Checker<“MyChecker”>,
HelpText<“blahblah”>,
CheckerOptions<[
CmdLineOption<Boolean, // type of the option: String, Boolean, Integer
“Option1”, // name
“example description 1”, // description
“true”, // default value
Released, // development stage: InAlpha, Released

, // whether it should be hidden, e.g. it’s an implementation detail
CmdLineOption<Integer,
“Option2”,
“example description 2”,
5475764,
, // note that this option isn’t hidden
]>,
Documentation;

Then, you may invoke the analyzer with the new options as you normally would:

clang -cc1 -analyze -analyzer-checker=MyExample -analyzer-config MyExample:Option1=false
clang --analyze -Xclang -analyzer-checker=MyExample -Xclang -analyzer-config -Xclang MyExample:Option1=false

Please follow up if you’re still having trouble!

Hello, I’m beginner in CSA programming. I have read clang SA a checker developer manual
and have some questions.
How can I pass command line options to CSA checker? Does -Xanalyzer option can help me?
May be I need to see AnalyzerOptions.cpp, but can’t understand how to catch options from my checker.

Also I want to know is it possible to realize multi-pass analyzer with parallel or sequential running of one or multiply checker with data transfer between passes.
I need to run first checker that taint some input, observes taint values and find some AST expressions (or with path sensible analysis).
After this checker ends up I need to start the second checker, that uses search results of 1’st in analysis from begining of ExplodedGraph.

Are you sure that you need two sequential passes? As far as I know, we have nothing like that currently.

Hi!

Are you using the latest ‘n’ greatest clang? If so, you may add options to your checker by first declaring it in Checkers.td, here’s an example:

def MyExample : Checker<“MyChecker”>,
HelpText<“blahblah”>,
CheckerOptions<[
CmdLineOption<Boolean, // type of the option: String, Boolean, Integer
“Option1”, // name
“example description 1”, // description
“true”, // default value
Released, // development stage: InAlpha, Released

, // whether it should be hidden, e.g. it’s an implementation detail
CmdLineOption<Integer,
“Option2”,
“example description 2”,
5475764,
, // note that this option isn’t hidden
]>,
Documentation;

Then, you may invoke the analyzer with the new options as you normally would:

clang -cc1 -analyze -analyzer-checker=MyExample -analyzer-config MyExample:Option1=false
clang --analyze -Xclang -analyzer-checker=MyExample -Xclang -analyzer-config -Xclang MyExample:Option1=false

Meant to write MyChecker instead of MyExample, whoops.

Multi-pass path-sensitive analysis is indeed not a thing. However, you can do arbitrary AST-based analysis before path-sensitive analysis or after it by subscribing to the respective callback, and you can also explore the whole path-sensitive analysis graph at the end of the analysis. But none of this is actually used actively; there’s usually no need for this.

Also all path-sensitive checkers have a way to affect other checkers and communicate to each other via mutating the common program state. This is used much more actively and allows conducting multiple interconnected analysis in a single path.

There’s most likely an easier solution to what you’re trying to do; i recommend discussing it.