Questions about Clang libtooling and Clang Static Analyzer

Dear everyone,
First of all, I would like to thank all Chairs, organizers, speakers and the community for making LLVM DEVELOPERS’ MEETING such an amazing event.

I’m a beginner to clang libtooling, so basically I’m building a tool using RecursiveASTVisitor, and I have a couple of questions (please correct me if I’m not on the right way or not using the right library) to detect some bugs reaching a program point (given as entry for the analysis) and include some reasoning about the potential exploit using an SMT solver such as Z3:

  1. Is there a way to track the possible values that a variable can take on each program’s point execution? (open source)

I got an answer during the “Round Table - Clang Static Analyzer” about the new Google’s dataflow framework, as well as some details in the mailing list, but the framework is not yet accessible.

  2. Is there a way to get possible substitutions of a variable at a specific program point, as shown in the following example:

void foo(){





bar(v1); // v1 == expr1 || expr2
}


  3. Does Clang Static Analyzer consider any specific target (X86, arm, …etc) during the analysis:
  • only the machine’s target in which the analysis is performed?

  • no specific target is considered?

  • the target can be customized?

  4. Is there any document/resource that helps newcomers/beginners to map the right tool/lib or possible alternatives for any specific need, whether for (optimizations, bug detection, etc)?

Best regards.

Salim .Y Kissi

Regarding questions 1 and 2, the new dataflow framework should do that and we’re working as fast as possible to upstream that. May take a few weeks but we seem to be on target for ~end-of-year if you can wait a bit.

Dear Mr. Yitzhak,

Thank you for your answer.

Any ideas or suggestions about questions 3 and 4 are welcome.
I’m ready to provide more details if needed.

Thank you in advance.

Best regards.
Salim .Y Kissi

  3. Does Clang Static Analyzer consider any specific target (X86, arm, …etc) during the analysis

Yes, it assumes the same target that the file is compiled against. It influences the analysis in a few ways, e.g. the static analyzer assumes integer sizes to be appropriate for the target. If you want to analyze for a different target you need to build for that target.

Most clang tools that work on the AST (e.g. clang-tidy) will work the same. You cannot build the AST without specifying the target, and the resulting AST will be specific to that target.
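
An added illustration of the target dependence described in the answer above (not code from this thread or from Clang): the same allocation-size expression evaluated with the integer widths of a 32-bit (ILP32) and a 64-bit (LP64) target, modelled with fixed-width types so it behaves the same on any host. The function names, `RECORD_SIZE` and the input value are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: size of one record in a hypothetical parser. */
#define RECORD_SIZE 24u

/* count * RECORD_SIZE as computed where size_t is 32 bits wide (ILP32).
 * Unsigned arithmetic wraps modulo 2^32. Returns 1 if the product wrapped. */
static int alloc_size_ilp32(uint32_t count, uint32_t *out)
{
    uint32_t total = (uint32_t)(count * RECORD_SIZE);
    *out = total;
    return count != 0 && total / RECORD_SIZE != count;
}

/* The same expression where size_t is 64 bits wide (LP64). */
static int alloc_size_lp64(uint32_t count, uint64_t *out)
{
    uint64_t total = (uint64_t)count * RECORD_SIZE;
    *out = total;
    return count != 0 && total / RECORD_SIZE != count;
}

int main(void)
{
    /* Constructed input: the smallest count whose product exceeds 2^32. */
    uint32_t count = 178956971u;
    uint32_t s32;
    uint64_t s64;

    int wrapped32 = alloc_size_ilp32(count, &s32);
    int wrapped64 = alloc_size_lp64(count, &s64);

    /* A buffer sized from s32 is far too small for `count` records, so a
     * path-sensitive checker has a real overflow path to report on the
     * 32-bit target and none from this expression on the 64-bit one. */
    printf("ILP32: size=%lu wrapped=%d\n", (unsigned long)s32, wrapped32);
    printf("LP64 : size=%llu wrapped=%d\n", (unsigned long long)s64, wrapped64);
    return 0;
}
```

With `size_t` in place of the fixed-width types, which of the two behaviours an analysis models follows from the target the file is compiled for (for example, the triple given to clang's `--target=` option).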

Dear Mr. Artem,
Thank you so much for the answer.

I really appreciate the help of the community, thank you for your support.

Best regards.
Salim .Y Kissi