Extend Static Analyzer

I am trying to extend the functionality of the static analyzer to do some
very basic checks and include the results in the analyzer report. For
example, I want to check for any file accesses within objective c code
(writetofile, etc.) and include the findings in the existing analysis report
produced. I am thinking this can be done by adding the checks to
SemaChecking.cpp and then adding the appropriate warning message
declarations to DiagnosticSemaKinds.td. Is this the right track or should
something like this be added elsewhere?


You don't need to interface with Sema at all. What you want can be
implemented as a simple self contained checker that the analyzer will
run when you use something like 'scan-build'. For example, take a look
at something like lib/StaticAnalyzer/Checkers/UnixAPIChecker.cpp. This
checker implements some very basic analysis warnings for incorrect
usage of Unix APIs like open. The checker is invoked when the analyzer
goes through the control flow graph (CFG) and sees a function call
happen (it inherits from check::PreStmt<CallExpr>). It simply
dispatches based on the identifier of the called function and issues
BugReports when it believes something is awry.

Note that even a simple analysis like this will potentially need to
worry about the path through the CFG leading to the call, because
variables that may be mentioned at the call site obviously can be
affected by the control flow. You can see some of this logic for
example in the 'CheckOpen' function of UnixAPIChecker.

I would recommend you read lib/StaticAnalyzer/README.txt to get an
idea of how the analyzer core deals with control flow and exposes it,
as well as looking at UnixAPIChecker - for basic function calls, it's
probably similar to what you want to do. I don't know Objective-C
however, so I can't give you any specific help with that, but if you
look around there are several Objective-C specific checkers that are
included which should give you an idea of how to move forward.

PS. Don't forget to add your new checker to
lib/StaticAnalyzer/Checkers/Checkers.td - if you want it run by
default with scan-build (for testing) then you can just stick your
checker into the 'Core' package during development and it'll
automatically be turned on.

Thanks for the reply to the question about extending the static analyzer. I
have followed your recommendation and have added a simple self contained
checker to lib/StaticAnalyzer/Checkers that implements some very basic
warnings if it sees certain function calls for file access (e.g.
'writeToFile' in Objective-C). I modeled the checker on the
UnixAPIChecker.cpp and MacOSXAPIChecker.cpp. I also added the declaration of
the checker to lib/StaticAnalyzer/Checkers/Checkers.td.

Is there anywhere else I need to add anything to get this working? I am
assuming the checker will be invoked when a function call happens based on
check::PreStmt<CallExpr>, which I included from the UnixAPIChecker and
MacOSXAPIChecker checkers.

That should be all you need. The most important part, of course, is the registration function (see the bottom of MacOSXAPIChecker, if you're missing it).

If you put your checker in a non-default package in Checkers.td (core, deadcode, security, and possibly unix or osx, depending on your platform), you will have to enable it specifically when you run clang:

clang -cc1 -analyzer-checker somepackage.mychecker file.c
clang -Xanalyzer -analyzer-checker=somepackage.mychecker file.c
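Below is an added example of the kind of self-contained checker the first reply describes, together with the registration hooks the last reply says are the most important part. It is not code from this thread or from the Clang tree. One caveat worth stating for anyone following the same route: in Objective-C, 'writeToFile:atomically:' is a message send (ObjCMessageExpr), not a C function call, so a checker that only subscribes to check::PreStmt<CallExpr> will never see it; the example therefore subscribes to check::PreObjCMessage and dispatches on the selector instead of the callee identifier. The checker class name, the selector list, the bug category and the Checkers.td entry mentioned in the comments are all assumptions for the sake of illustration, and the code is written against the checker API of recent Clang releases (ObjCMethodCall, generateNonFatalErrorNode, PathSensitiveBugReport, the registerX/shouldRegisterX pair); older trees spell these differently, so check lib/StaticAnalyzer/Checkers in your own checkout. The selector-matching helper is kept free of Clang dependencies, and the Clang-specific part is compiled only where the analyzer headers are present, so the dispatch logic can be unit-tested on its own.

```cpp
// FileAccessChecker.cpp (added example; not from the thread or the Clang tree).
// Flags Objective-C message sends whose selector starts with "writeToFile:"
// or "writeToURL:", e.g. [data writeToFile:path atomically:YES].
#include <memory>
#include <string>
#include <string_view>

// Pure dispatch helper, independent of Clang so it can be tested alone:
// does this selector (as printed by Selector::getAsString, e.g.
// "writeToFile:atomically:") denote a file-writing message we care about?
bool isFileWritingSelector(std::string_view selector) {
  // Constructed list of the NSData/NSString/NSArray/NSDictionary writers
  // this hypothetical checker audits; extend as needed.
  static constexpr std::string_view prefixes[] = {
      "writeToFile:",
      "writeToURL:",
  };
  for (std::string_view p : prefixes)
    if (selector.substr(0, p.size()) == p)
      return true;
  return false;
}

#if __has_include("clang/StaticAnalyzer/Core/Checker.h")
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

using namespace clang;
using namespace ento;

namespace {
// Subscribes to Objective-C message sends (PreStmt<CallExpr> would not see
// them), mirroring the UnixAPIChecker pattern of "look at the callee, report".
class FileAccessChecker : public Checker<check::PreObjCMessage> {
  // Created lazily; the BugType supplies the name/category shown in the report.
  mutable std::unique_ptr<BugType> BT;

public:
  // Called on every message send along every explored path, before the
  // analyzer evaluates it.
  void checkPreObjCMessage(const ObjCMethodCall &Msg,
                           CheckerContext &C) const {
    std::string Sel = Msg.getSelector().getAsString();
    if (!isFileWritingSelector(Sel))
      return;

    // A non-fatal node keeps exploring the path after the report; a null
    // result means this state was already reported/cached, so stay quiet.
    ExplodedNode *N = C.generateNonFatalErrorNode();
    if (!N)
      return;
    if (!BT)
      BT.reset(new BugType(this, "File access", "Audit"));
    auto R = std::make_unique<PathSensitiveBugReport>(
        *BT, "Message '" + Sel + "' writes to the filesystem", N);
    R->addRange(Msg.getSourceRange());
    C.emitReport(std::move(R));
  }
};
} // end anonymous namespace

// Registration hooks. Their names follow the (assumed) Checkers.td entry
//   def FileAccessChecker : Checker<"FileAccess">,
//     HelpText<"Report Objective-C messages that write to files">;
// placed inside a package block; in a non-default package it is enabled with
// -analyzer-checker=<package>.FileAccess, as noted above.
void ento::registerFileAccessChecker(CheckerManager &Mgr) {
  Mgr.registerChecker<FileAccessChecker>();
}

bool ento::shouldRegisterFileAccessChecker(const CheckerManager &) {
  return true;
}
#endif
```

Dispatching on the selector prefix rather than the full selector keeps the match robust to variants such as writeToFile:atomically: versus writeToFile:options:error:. The checker as shown is deliberately path-insensitive; if you need to reason about where the path argument came from (the point made above about the CFG leading to the call), Msg.getArgSVal(0) on the ObjCMethodCall gives the symbolic value to track in the program state.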