Help in suppressing warnings from static analyzer

Hi,

I would like to ask for advice from clang developers about suppressing warnings from the static analyzer.

I am calling the analyzer directly from clang c++ compiler, with clang++ --analyze. I am compiling a unit-test project that is using Google’s Gmock. I am getting a well known and described false positive:

https://github.com/google/googletest/issues/853
https://stackoverflow.com/questions/39527160/clang-tidy-how-to-suppress-warnings/39544324#39544324
https://bugs.llvm.org/show_bug.cgi?id=28053

So, I am trying to manually disable it by putting // NOLINT in gmock's code. As a result, I still get the analyzer warning:

gtest/googlemock/include/gmock/gmock-spec-builders.h:1274:5: warning: Use of memory after it is freed
return function_mocker_->AddNewExpectation( // NOLINT
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

which I find quite surprising, because even in the warning message I get the text // NOLINT but the bug is still not disabled.

Maybe someone could help me figure out what is going on. Can you not suppress warnings when running the analyzer directly from the clang c++ compiler? Or is there a different way of suppressing the analyzer warnings?

Thanks,

&rzej;

Hi Andrzej!

Unfortunately, the static analyzer does not support such methods for suppression at the moment.

But you can use 3rd party tools to achieve that. For example CodeChecker (https://github.com/Ericsson/codechecker/).

Regards,
Gábor

Hi Andrzej,

To add to what Gabor has mentioned:

The first two links you have posted refer to clang-tidy.
This is a different tool from clang static analyzer, and is maintained in a separate repository.
The main difference is that clang-tidy pattern-matches on AST,
while clang static analyzer performs symbolic execution.

Clang static analyzer does not parse “// NOLINT” comments, nor comments in general.
While this is a limitation, it can also be seen as a good thing, as it forces the actual executable code
to be a single canonical source of analysis results.

Strategies for dealing with false positives are described at the clang static analyzer webpage: http://clang-analyzer.llvm.org/faq.html.
Without looking at the whole code it is hard to tell which one is the most applicable.

Regards,
George
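
Because the analyzer ignores // NOLINT, one way to keep a known third-party false positive out of a build log is to filter the text output of clang++ --analyze after the run. The sketch below is an added example, not part of the thread and not how CodeChecker or any other tool mentioned here works; the rule format, function names, and the second diagnostic in the sample are assumptions constructed for illustration.

```python
import re

# Header of a clang diagnostic: path:line:col: severity: message (POSIX-style paths)
DIAG_RE = re.compile(r"^(?P<path>[^:\n]+):(?P<line>\d+):(?P<col>\d+): "
                     r"(?P<sev>warning|error|note): (?P<msg>.*)$")
SUMMARY_RE = re.compile(r"^\d+ .*generated\.$")  # e.g. "2 warnings generated."

# Hypothetical rule format: (path suffix, exact message). Keyed on file and
# message rather than line number so the rule survives a gmock upgrade, and
# narrow enough that the same checker still fires in first-party code.
SUPPRESSIONS = [("gmock/gmock-spec-builders.h", "Use of memory after it is freed")]

def parse_diagnostics(text):
    """Group output into diagnostics; snippet, caret and note lines stay attached."""
    diags = []
    for raw in text.splitlines():
        if SUMMARY_RE.match(raw):
            continue
        m = DIAG_RE.match(raw)
        if m and m["sev"] != "note":
            diags.append({"path": m["path"], "line": int(m["line"]),
                          "msg": m["msg"], "lines": [raw]})
        elif diags:
            diags[-1]["lines"].append(raw)
    return diags

def is_suppressed(diag, rules=SUPPRESSIONS):
    return any(diag["path"].endswith(p) and diag["msg"] == msg for p, msg in rules)

def filter_output(text, rules=SUPPRESSIONS):
    """Return (kept, dropped) so dropped findings can still be logged for audit."""
    kept, dropped = [], []
    for d in parse_diagnostics(text):
        (dropped if is_suppressed(d, rules) else kept).append(d)
    return kept, dropped

# Constructed sample: first warning is the one quoted in the thread,
# the second is an invented first-party finding that must not be hidden.
SAMPLE = """\
gtest/googlemock/include/gmock/gmock-spec-builders.h:1274:5: warning: Use of memory after it is freed
    return function_mocker_->AddNewExpectation( // NOLINT
    ^~~~~~~~~~~~~~~~
src/widget_test.cpp:42:3: warning: Use of memory after it is freed
  delete p; use(p);
            ^~~
2 warnings generated.
"""

if __name__ == "__main__":
    kept, dropped = filter_output(SAMPLE)
    for d in kept:
        print("\n".join(d["lines"]))
    print(f"{len(dropped)} suppressed, {len(kept)} reported")
```

Keeping the dropped list visible matters: a suppression that silently widens can hide a real use-after-free.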