How does scan-build

Hello,

how does scan-build exactly parse its parameters?

How does “scan-build make” know, that it should just invoke make and not do anything until a compiler is invoked.

Does “scan-build cc …” parse in fact the source code, or the generated object files and in the former case, is the
compiler invoked or does scan-build just considers the parameters passed to the compiler?

Regards
  Дилян

Hello,

how does scan-build exactly parse its parameters?

How does “scan-build make” know, that it should just invoke make and not do anything until a compiler is invoked.

Does “scan-build cc …” parse in fact the source code, or the generated object files and in the former case, is the
compiler invoked or does scan-build just considers the parameters passed to the compiler?

You shouldn't need scan-build nowadays, what build system are you
using? Cmake, qbs and i'm sure others support generating a clang
compilation database.

Chris

Hello Christin,

I want to understand how the clang static analyzer is used, and https://clang-analyzer.llvm.org/scan-build.html says to
use directly “scan-build”.

This documentation *might* be out-dated. What build system are you
using, that is the key question.
It's way easier to use the clang compilation database -- if your
build system supports it --

https://clang.llvm.org/docs/JSONCompilationDatabase.html

Chris

Hello Christin,

I want to understand how the clang static analyzer is used, and https://clang-analyzer.llvm.org/scan-build.html says to
use directly “scan-build”.

This documentation *might* be out-dated. What build system are you
using, that is the key question.
It's way easier to use the clang compilation database -- if your
build system supports it --

https://clang.llvm.org/docs/JSONCompilationDatabase.html

Hi,

I am interested in this as well and I am confused by what you are
saying. Even if a compilation database is used with cmake for example,
you still need to perform the analysis on the file in the compilation
database. What am I missing here? Is there a tool besides scan-build
that reads the compilation database and performs the analysis? I know of
https://github.com/rizsotto/scan-build but this is not even part of the
LLVM project so I assume there's something else you know about.

Paulo

The modern way of working is first to start with a clang compilation database.
So you need to generate one with cmake, qbs, meson, whatever your
build system is.

Then any modern llvm-based tooling should/will understand this DB.
Clang static anylisers (clang-tidy, clazy, ...) come with some handy
python scripts that you might want to look into.

Hello Christian,

I use autoconf/automake.

In fact I want to see what will happen if I combine many source files into one and pass that file to the static
analyzer. In this use case there is no build system involved.

Regards
  Дилян

I haven't use GNU autotools in ages. Yes in that case scan-build might
be your only way to collect the compilation database.
What i don't understand is "combine many source files into one", are
you after LTO [1]?
How does the static analiser fits into that?
Can you provide details on what you're trying to achieve exactly?

[1] https://llvm.org/docs/LinkTimeOptimization.html

Hello Chirstian,

for the rationale to join several input files into one, and pass that one to the static analyzer, see the thread Subj:
“Many .c files as input to scan-build” Thread-Id: <e0b6149d092be2f191052aed11be0d2bf7b83d2a.camel@aegee.org> . The idea
is to get more useful results out of the static analyzer by providing it with more complete picture of everything: a
single source file containg all information.

As far as LTO is concerned, it is not ready for the prime time. In order of ar, nm and ranlib to work with LTO, the
installation process of clang must install LLVMgold.so under ${libdir}/bfd-plugins otherwise the build system has to do
a lot of magic and most build systems don’t do that magic (part of the magic is to call on some systems gcc-ar-5 and on
others gcc-ar-5.0 or alike. In fact cmake is the only build system to implement this magic completely, as of January
2019). Build systems want to use just ar or nm. I posted this to llvm-dev,
http://lists.llvm.org/pipermail/llvm-dev/2018-March/122018.html and there is no interest to fix this. Neither is there
interest on gcc’s side.

Sorry, i haven't read any of the links above. Have you tried to simply
get rid of GNU binutils/gcc?
eg, use llvm all the way? -fuse-ld=lld and the likes? My experience
with gcc LTO (+dwarf) is so far pretty bad:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79342
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78871
Just to name a few,I'm sure there are more.

Hello Christian,

this thread is about clarifying how does scan-build exactly work and how shall one use the clang static analyzer out of
a build system to inspect a single file.

Concernig LTO, for linking static libraries and other operations, the build systems expects to have working an, nm and
ranlib. The latter work with LTO, only if the lto plugin is installed in $(libdir)/bfd-plugins. The alternative is to
choose the right tool out of llvm-ar, llvm-ar-8, llvm-ar-8.0, gcc-ar, gcc-ar-7 and gcc-ar-7.0 depending on the system
(so not to use llvm-ar-6, if the used clang is verison 7, llvm-ar-6, llvm-ar-7 and llvm-ar-8 are all available on the
system).

-fuse= is for the compiler, but cannot be passed to an/nm/ranlib. I can go into details, like some things can be linked
with ld.bfd but not with ld.gold, others can be linked with ld.gold but not with ld.bfd and gcc9 accepts -fuse-ld=bfd,
but gcc8 does not; some versions of ld.bfd generate debug information, that some versions of valgring cannot read and so
on.

This thread is not about LTO, but about passing a big source file to the static analyzer. My question, whether the
static analyzer analyzes the object file or the source file, e.g. was not answered, so I do not know, whether passing
-O3 to “scan-build cc -O3…” speeds the process or makes things worse.

Regards
  Дилян

Hello,

how does scan-build exactly parse its parameters?

How does “scan-build make” know, that it should just invoke make and not do anything until a compiler is invoked.

My understanding is that scan-build itself merely sets LD_PRELOAD=some-library.so for all processes spawned directly or indirectly from scan-build. Then it goes ahead and spawns a child process to run whatever command you gave it — e.g., make.
make will eventually spawn a child or grandchild process for clang. When that happens, some-library.so will notice and cause different behavior. Either it will tell clang to invoke the static analyzer, or it will write out “hey, clang is being called!” to an external trace log. This external trace log is what Christian and Paulo are calling a “compilation database.” The trace can be used later to re-invoke the static analyzer for each file that was compiled during the build, without having to make clean the entire project.

I confirmed some of my recollections via this documentation:
https://github.com/rizsotto/scan-build

Does “scan-build cc …” parse in fact the source code, or the generated object files and in the former case, is the
compiler invoked or does scan-build just considers the parameters passed to the compiler?

scan-build causes the static analyzer to be invoked. The static analyzer must parse the C++ source code. There is no way to “static-analyze” an object file.

–Arthur

Hello Arthur,

intercepting calls by scan-build, during it calls make or ninja, does make sense, to detect when clang is actually
invoked.

But a possible way to call scan-build is with the form “scan-build >any-compiler< compile-options”. The compiler could
be clang, gcc or anything else. How can a preloaded library intercept the execution of any compiler, but not for a non-
compiler?

Regards
  Дилян

I believe the interception works by taking over the CC and CXX environment variables, rather than with a preload. This works fine for build systems that use those environment variables, and fails for others.

Hello Ben,

https://clang-analyzer.llvm.org/scan-build.html#scanbuild_basicusage says “
It is also possible to use scan-build to analyze specific files:

$ scan-build gcc -c t1.c t2.c
This example causes the files t1.c and t2.c to be analyzed.

There is no CC/CXX involved here and it does work. So the question is, how does scan-build know how to parse its input,
whether it is a make/ninja/gcc/clang or some other compiler.

Regards
  Дилян