Static Analyzer

Hi,
I tried running scan-build wrapping a make building a simple test ANSI
C application full of clear bugs (memory leaks, null pointer
dereferencing, etc), but I always end up with:
scan-build: No bugs found.

Is it a problem of my build/configuration?

Which type of bugs can be detected with the current static analyzer?
I tried looking for this type of information, but I found only
Objective C examples.

Best Regards,
Emilio

Hi Emilio,

I've been tardy in posting a comprehensive list of bugs currently found by the tool, as well as a rough description of how the tool finds these bugs. I'll try and post some information on this to the Clang website soon.

The only memory leaks that the analyzer looks for right now related to use of Apple's Core Foundation and Foundation frameworks. The former is a C API, while the latter is solely for Objective-C. If you aren't using these APIs, the tool will not flag any leaks. There are plans to eventually support finding leaks involving malloc, etc., but it requires more infrastructure that is in the queue to implement.

Null dereferences are inferred by tracking constants and inequality relationships within a function. This does not involve inter-procedural analysis (yet). For example:

    if (p)
      ...

    *p = 1; // Null dereference because p could be null.

The analysis also finds dead stores, which are stores to variables that are never used. While the compiler optimizer can optimize away many of these stores, they are often indicative of significant logical errors in a program.

The analyzer also looks for path-specific uses of uninitialized values, undefined operations such as bit-shifting by too many bits, etc. There are a few other checks, but there are mainly API specific checks with respect to the Core Foundation/Foundation APIs. There are many other checks we plan on implementing some day, including buffer overflow analysis and uses-of-untrusted data, etc. The tool is still very early in development, and there is a whole wealth of even simple checks that could and should be implemented.

If you have specific test cases that include bugs that the analyzer is not finding, please feel free to send them my way or file a Bugzilla report.

Incidentally, how are you running the analyzer? As you said, it could be a problem with your build. Make sure you operate with a clean build, and that your build system will use the CC environment variable to determine what compiler to use. If you manually set CC within your build system files, the analyzer won't be run (all scan-build does right now is set CC to be ccc-analyzer instead of gcc). If your build system presents verbose output on what commands it is executing, you should see calls to 'ccc-analyzer' instead of 'gcc'.

Ted