Diffstat (limited to 'devdocs/gcc~13/static-analyzer-options.html')
-rw-r--r-- devdocs/gcc~13/static-analyzer-options.html 404
1 files changed, 404 insertions, 0 deletions
diff --git a/devdocs/gcc~13/static-analyzer-options.html b/devdocs/gcc~13/static-analyzer-options.html
new file mode 100644
index 00000000..4d972946
--- /dev/null
+++ b/devdocs/gcc~13/static-analyzer-options.html
@@ -0,0 +1,404 @@
+<div class="section-level-extent" id="Static-Analyzer-Options"> <div class="nav-panel"> <p> Next: <a href="debugging-options" accesskey="n" rel="next">Options for Debugging Your Program</a>, Previous: <a href="warning-options" accesskey="p" rel="prev">Options to Request or Suppress Warnings</a>, Up: <a href="invoking-gcc" accesskey="u" rel="up">GCC Command Options</a> [<a href="index#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="indices" title="Index" rel="index">Index</a>]</p> </div> <h1 class="section" id="Options-That-Control-Static-Analysis"><span>3.9 Options That Control Static Analysis<a class="copiable-link" href="#Options-That-Control-Static-Analysis"> ¶</a></span></h1> <dl class="table"> <dt>
+ <span><code class="code">-fanalyzer</code><a class="copiable-link" href="#index-analyzer"> ¶</a></span>
+</dt> <dd>
+<p>This option enables an static analysis of program flow which looks for “interesting” interprocedural paths through the code, and issues warnings for problems found on them. </p> <p>This analysis is much more expensive than other GCC warnings. </p> <p>In technical terms, it performs coverage-guided symbolic execution of the code being compiled. It is neither sound nor complete: it can have false positives and false negatives. It is a bug-finding tool, rather than a tool for proving program correctness. </p> <p>The analyzer is only suitable for use on C code in this release. </p> <p>Enabling this option effectively enables the following warnings: </p> <div class="example smallexample"> <pre class="example-preformatted" data-language="cpp">-Wanalyzer-allocation-size
+-Wanalyzer-deref-before-check
+-Wanalyzer-double-fclose
+-Wanalyzer-double-free
+-Wanalyzer-exposure-through-output-file
+-Wanalyzer-exposure-through-uninit-copy
+-Wanalyzer-fd-access-mode-mismatch
+-Wanalyzer-fd-double-close
+-Wanalyzer-fd-leak
+-Wanalyzer-fd-phase-mismatch
+-Wanalyzer-fd-type-mismatch
+-Wanalyzer-fd-use-after-close
+-Wanalyzer-fd-use-without-check
+-Wanalyzer-file-leak
+-Wanalyzer-free-of-non-heap
+-Wanalyzer-imprecise-fp-arithmetic
+-Wanalyzer-infinite-recursion
+-Wanalyzer-jump-through-null
+-Wanalyzer-malloc-leak
+-Wanalyzer-mismatching-deallocation
+-Wanalyzer-null-argument
+-Wanalyzer-null-dereference
+-Wanalyzer-out-of-bounds
+-Wanalyzer-possible-null-argument
+-Wanalyzer-possible-null-dereference
+-Wanalyzer-putenv-of-auto-var
+-Wanalyzer-shift-count-negative
+-Wanalyzer-shift-count-overflow
+-Wanalyzer-stale-setjmp-buffer
+-Wanalyzer-unsafe-call-within-signal-handler
+-Wanalyzer-use-after-free
+-Wanalyzer-use-of-pointer-in-stale-stack-frame
+-Wanalyzer-use-of-uninitialized-value
+-Wanalyzer-va-arg-type-mismatch
+-Wanalyzer-va-list-exhausted
+-Wanalyzer-va-list-leak
+-Wanalyzer-va-list-use-after-va-end
+-Wanalyzer-write-to-const
+-Wanalyzer-write-to-string-literal</pre>
+</div> <p>This option is only available if GCC was configured with analyzer support enabled. </p> </dd> <dt>
+ <span><code class="code">-Wanalyzer-too-complex</code><a class="copiable-link" href="#index-Wanalyzer-too-complex"> ¶</a></span>
+</dt> <dd>
+<p>If <samp class="option">-fanalyzer</samp> is enabled, the analyzer uses various heuristics to attempt to explore the control flow and data flow in the program, but these can be defeated by sufficiently complicated code. </p> <p>By default, the analysis silently stops if the code is too complicated for the analyzer to fully explore and it reaches an internal limit. The <samp class="option">-Wanalyzer-too-complex</samp> option warns if this occurs. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-allocation-size</code><a class="copiable-link" href="#index-Wanalyzer-allocation-size"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; to disable it, use <samp class="option">-Wno-analyzer-allocation-size</samp>. </p> <p>This diagnostic warns for paths through the code in which a pointer to a buffer is assigned to point at a buffer with a size that is not a multiple of <code class="code">sizeof (*pointer)</code>. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/131.html">CWE-131: Incorrect Calculation of Buffer Size</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-deref-before-check</code><a class="copiable-link" href="#index-Wanalyzer-deref-before-check"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-deref-before-check</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a pointer is checked for <code class="code">NULL</code> *after* it has already been dereferenced, suggesting that the pointer could have been NULL. Such cases suggest that the check for NULL is either redundant, or that it needs to be moved to before the pointer is dereferenced. </p> <p>This diagnostic also considers values passed to a function argument marked with <code class="code">__attribute__((nonnull))</code> as requiring a non-NULL value, and thus will complain if such values are checked for <code class="code">NULL</code> after returning from such a function call. </p> <p>This diagnostic is unlikely to be reported when any level of optimization is enabled, as GCC’s optimization logic will typically consider such checks for NULL as being redundant, and optimize them away before the analyzer "sees" them. Hence optimization should be disabled when attempting to trigger this diagnostic. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-double-fclose</code><a class="copiable-link" href="#index-Wanalyzer-double-fclose"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-double-fclose</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a <code class="code">FILE *</code> can have <code class="code">fclose</code> called on it more than once. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/1341.html">CWE-1341: Multiple Releases of Same Resource or Handle</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-double-free</code><a class="copiable-link" href="#index-Wanalyzer-double-free"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-double-free</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a pointer can have a deallocator called on it more than once, either <code class="code">free</code>, or a deallocator referenced by attribute <code class="code">malloc</code>. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/415.html">CWE-415: Double Free</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-exposure-through-output-file</code><a class="copiable-link" href="#index-Wanalyzer-exposure-through-output-file"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-exposure-through-output-file</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a security-sensitive value is written to an output file (such as writing a password to a log file). </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/532.html">CWE-532: Information Exposure Through Log Files</a>. </p> </dd> <dt>
+ <span><code class="code">-Wanalyzer-exposure-through-uninit-copy</code><a class="copiable-link" href="#index-Wanalyzer-exposure-through-uninit-copy"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires both <samp class="option">-fanalyzer</samp> and the use of a plugin to specify a function that copies across a “trust boundary”. Use <samp class="option">-Wno-analyzer-exposure-through-uninit-copy</samp> to disable it. </p> <p>This diagnostic warns for “infoleaks” - paths through the code in which uninitialized values are copied across a security boundary (such as code within an OS kernel that copies a partially-initialized struct on the stack to user space). </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Exposure of Sensitive Information to an Unauthorized Actor</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-fd-access-mode-mismatch</code><a class="copiable-link" href="#index-Wanalyzer-fd-access-mode-mismatch"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-fd-access-mode-mismatch</samp> to disable it. </p> <p>This diagnostic warns for paths through code in which a <code class="code">read</code> on a write-only file descriptor is attempted, or vice versa. </p> <p>This diagnostic also warns for code paths in a which a function with attribute <code class="code">fd_arg_read (N)</code> is called with a file descriptor opened with <code class="code">O_WRONLY</code> at referenced argument <code class="code">N</code> or a function with attribute <code class="code">fd_arg_write (N)</code> is called with a file descriptor opened with <code class="code">O_RDONLY</code> at referenced argument <var class="var">N</var>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-fd-double-close</code><a class="copiable-link" href="#index-Wanalyzer-fd-double-close"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-fd-double-close</samp> to disable it. </p> <p>This diagnostic warns for paths through code in which a file descriptor can be closed more than once. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/1341.html">CWE-1341: Multiple Releases of Same Resource or Handle</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-fd-leak</code><a class="copiable-link" href="#index-Wanalyzer-fd-leak"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-fd-leak</samp> to disable it. </p> <p>This diagnostic warns for paths through code in which an open file descriptor is leaked. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/775.html">CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-fd-phase-mismatch</code><a class="copiable-link" href="#index-Wanalyzer-fd-phase-mismatch"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-fd-phase-mismatch</samp> to disable it. </p> <p>This diagnostic warns for paths through code in which an operation is attempted in the wrong phase of a file descriptor’s lifetime. For example, it will warn on attempts to call <code class="code">accept</code> on a stream socket that has not yet had <code class="code">listen</code> successfully called on it. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/666.html">CWE-666: Operation on Resource in Wrong Phase of Lifetime</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-fd-type-mismatch</code><a class="copiable-link" href="#index-Wanalyzer-fd-type-mismatch"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-fd-type-mismatch</samp> to disable it. </p> <p>This diagnostic warns for paths through code in which an operation is attempted on the wrong type of file descriptor. For example, it will warn on attempts to use socket operations on a file descriptor obtained via <code class="code">open</code>, or when attempting to use a stream socket operation on a datagram socket. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-fd-use-after-close</code><a class="copiable-link" href="#index-Wanalyzer-fd-use-after-close"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-fd-use-after-close</samp> to disable it. </p> <p>This diagnostic warns for paths through code in which a read or write is called on a closed file descriptor. </p> <p>This diagnostic also warns for paths through code in which a function with attribute <code class="code">fd_arg (N)</code> or <code class="code">fd_arg_read (N)</code> or <code class="code">fd_arg_write (N)</code> is called with a closed file descriptor at referenced argument <code class="code">N</code>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-fd-use-without-check</code><a class="copiable-link" href="#index-Wanalyzer-fd-use-without-check"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-fd-use-without-check</samp> to disable it. </p> <p>This diagnostic warns for paths through code in which a file descriptor is used without being checked for validity. </p> <p>This diagnostic also warns for paths through code in which a function with attribute <code class="code">fd_arg (N)</code> or <code class="code">fd_arg_read (N)</code> or <code class="code">fd_arg_write (N)</code> is called with a file descriptor, at referenced argument <code class="code">N</code>, without being checked for validity. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-file-leak</code><a class="copiable-link" href="#index-Wanalyzer-file-leak"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-file-leak</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a <code class="code">&lt;stdio.h&gt;</code> <code class="code">FILE *</code> stream object is leaked. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/775.html">CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-free-of-non-heap</code><a class="copiable-link" href="#index-Wanalyzer-free-of-non-heap"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-free-of-non-heap</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which <code class="code">free</code> is called on a non-heap pointer (e.g. an on-stack buffer, or a global). </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/590.html">CWE-590: Free of Memory not on the Heap</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-imprecise-fp-arithmetic</code><a class="copiable-link" href="#index-Wanalyzer-imprecise-fp-arithmetic"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-imprecise-fp-arithmetic</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which floating-point arithmetic is used in locations where precise computation is needed. This diagnostic only warns on use of floating-point operands inside the calculation of an allocation size at the moment. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-infinite-recursion</code><a class="copiable-link" href="#index-Wanalyzer-infinite-recursion"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-infinite-recursion</samp> to disable it. </p> <p>This diagnostics warns for paths through the code which appear to lead to infinite recursion. </p> <p>Specifically, when the analyzer "sees" a recursive call, it will compare the state of memory at the entry to the new frame with that at the entry to the previous frame of that function on the stack. The warning is issued if nothing in memory appears to be changing; any changes observed to parameters or globals are assumed to lead to termination of the recursion and thus suppress the warning. </p> <p>This diagnostic is likely to miss cases of infinite recursion that are convered to iteration by the optimizer before the analyzer "sees" them. Hence optimization should be disabled when attempting to trigger this diagnostic. </p> <p>Compare with <samp class="option">-Winfinite-recursion</samp>, which provides a similar diagnostic, but is implemented in a different way. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-jump-through-null</code><a class="copiable-link" href="#index-Wanalyzer-jump-through-null"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-jump-through-null</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a <code class="code">NULL</code> function pointer is called. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-malloc-leak</code><a class="copiable-link" href="#index-Wanalyzer-malloc-leak"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-malloc-leak</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a pointer allocated via an allocator is leaked: either <code class="code">malloc</code>, or a function marked with attribute <code class="code">malloc</code>. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/401.html">CWE-401: Missing Release of Memory after Effective Lifetime</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-mismatching-deallocation</code><a class="copiable-link" href="#index-Wanalyzer-mismatching-deallocation"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-mismatching-deallocation</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which the wrong deallocation function is called on a pointer value, based on which function was used to allocate the pointer value. The diagnostic will warn about mismatches between <code class="code">free</code>, scalar <code class="code">delete</code> and vector <code class="code">delete[]</code>, and those marked as allocator/deallocator pairs using attribute <code class="code">malloc</code>. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/762.html">CWE-762: Mismatched Memory Management Routines</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-out-of-bounds</code><a class="copiable-link" href="#index-Wanalyzer-out-of-bounds"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-out-of-bounds</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a buffer is definitely read or written out-of-bounds. The diagnostic applies for cases where the analyzer is able to determine a constant offset and for accesses past the end of a buffer, also a constant capacity. Further, the diagnostic does limited checking for accesses past the end when the offset as well as the capacity is symbolic. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/119.html">CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-possible-null-argument</code><a class="copiable-link" href="#index-Wanalyzer-possible-null-argument"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-possible-null-argument</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a possibly-NULL value is passed to a function argument marked with <code class="code">__attribute__((nonnull))</code> as requiring a non-NULL value. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/690.html">CWE-690: Unchecked Return Value to NULL Pointer Dereference</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-possible-null-dereference</code><a class="copiable-link" href="#index-Wanalyzer-possible-null-dereference"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-possible-null-dereference</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a possibly-NULL value is dereferenced. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/690.html">CWE-690: Unchecked Return Value to NULL Pointer Dereference</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-null-argument</code><a class="copiable-link" href="#index-Wanalyzer-null-argument"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-null-argument</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a value known to be NULL is passed to a function argument marked with <code class="code">__attribute__((nonnull))</code> as requiring a non-NULL value. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/476.html">CWE-476: NULL Pointer Dereference</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-null-dereference</code><a class="copiable-link" href="#index-Wanalyzer-null-dereference"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-null-dereference</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a value known to be NULL is dereferenced. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/476.html">CWE-476: NULL Pointer Dereference</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-putenv-of-auto-var</code><a class="copiable-link" href="#index-Wanalyzer-putenv-of-auto-var"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-putenv-of-auto-var</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a call to <code class="code">putenv</code> is passed a pointer to an automatic variable or an on-stack buffer. </p> <p>See <a class="uref" href="https://wiki.sei.cmu.edu/confluence/x/6NYxBQ">POS34-C. Do not call putenv() with a pointer to an automatic variable as the argument</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-shift-count-negative</code><a class="copiable-link" href="#index-Wanalyzer-shift-count-negative"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-shift-count-negative</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a shift is attempted with a negative count. It is analogous to the <samp class="option">-Wshift-count-negative</samp> diagnostic implemented in the C/C++ front ends, but is implemented based on analyzing interprocedural paths, rather than merely parsing the syntax tree. However, the analyzer does not prioritize detection of such paths, so false negatives are more likely relative to other warnings. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-shift-count-overflow</code><a class="copiable-link" href="#index-Wanalyzer-shift-count-overflow"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-shift-count-overflow</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a shift is attempted with a count greater than or equal to the precision of the operand’s type. It is analogous to the <samp class="option">-Wshift-count-overflow</samp> diagnostic implemented in the C/C++ front ends, but is implemented based on analyzing interprocedural paths, rather than merely parsing the syntax tree. However, the analyzer does not prioritize detection of such paths, so false negatives are more likely relative to other warnings. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-stale-setjmp-buffer</code><a class="copiable-link" href="#index-Wanalyzer-stale-setjmp-buffer"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-stale-setjmp-buffer</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which <code class="code">longjmp</code> is called to rewind to a <code class="code">jmp_buf</code> relating to a <code class="code">setjmp</code> call in a function that has returned. </p> <p>When <code class="code">setjmp</code> is called on a <code class="code">jmp_buf</code> to record a rewind location, it records the stack frame. The stack frame becomes invalid when the function containing the <code class="code">setjmp</code> call returns. Attempting to rewind to it via <code class="code">longjmp</code> would reference a stack frame that no longer exists, and likely lead to a crash (or worse). </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-tainted-allocation-size</code><a class="copiable-link" href="#index-Wanalyzer-tainted-allocation-size"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires both <samp class="option">-fanalyzer</samp> and <samp class="option">-fanalyzer-checker=taint</samp> to enable it; use <samp class="option">-Wno-analyzer-tainted-allocation-size</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a value that could be under an attacker’s control is used as the size of an allocation without being sanitized, so that an attacker could inject an excessively large allocation and potentially cause a denial of service attack. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/789.html">CWE-789: Memory Allocation with Excessive Size Value</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-tainted-assertion</code><a class="copiable-link" href="#index-Wanalyzer-tainted-assertion"> ¶</a></span>
+</dt> <dd> <p>This warning requires both <samp class="option">-fanalyzer</samp> and <samp class="option">-fanalyzer-checker=taint</samp> to enable it; use <samp class="option">-Wno-analyzer-tainted-assertion</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a value that could be under an attacker’s control is used as part of a condition without being first sanitized, and that condition guards a call to a function marked with attribute <code class="code">noreturn</code> (such as the function <code class="code">__builtin_unreachable</code>). Such functions typically indicate abnormal termination of the program, such as for assertion failure handlers. For example: </p> <div class="example smallexample"> <pre class="example-preformatted" data-language="cpp">assert (some_tainted_value &lt; SOME_LIMIT);</pre>
+</div> <p>In such cases: </p> <ul class="itemize mark-bullet"> <li>when assertion-checking is enabled: an attacker could trigger a denial of service by injecting an assertion failure </li>
+<li>when assertion-checking is disabled, such as by defining <code class="code">NDEBUG</code>, an attacker could inject data that subverts the process, since it presumably violates a precondition that is being assumed by the code. </li>
+</ul> <p>Note that when assertion-checking is disabled, the assertions are typically removed by the preprocessor before the analyzer has a chance to "see" them, so this diagnostic can only generate warnings on builds in which assertion-checking is enabled. </p> <p>For the purpose of this warning, any function marked with attribute <code class="code">noreturn</code> is considered as a possible assertion failure handler, including <code class="code">__builtin_unreachable</code>. Note that these functions are sometimes removed by the optimizer before the analyzer "sees" them. Hence optimization should be disabled when attempting to trigger this diagnostic. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/617.html">CWE-617: Reachable Assertion</a>. </p> <p>The warning can also report problematic constructions such as </p> <div class="example smallexample"> <pre class="example-preformatted" data-language="cpp">switch (some_tainted_value) {
+case 0:
+ /* [...etc; various valid cases omitted...] */
+ break;
+
+default:
+ __builtin_unreachable (); /* BUG: attacker can trigger this */
+}</pre>
+</div> <p>despite the above not being an assertion failure, strictly speaking. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-tainted-array-index</code><a class="copiable-link" href="#index-Wanalyzer-tainted-array-index"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires both <samp class="option">-fanalyzer</samp> and <samp class="option">-fanalyzer-checker=taint</samp> to enable it; use <samp class="option">-Wno-analyzer-tainted-array-index</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a value that could be under an attacker’s control is used as the index of an array access without being sanitized, so that an attacker could inject an out-of-bounds access. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/129.html">CWE-129: Improper Validation of Array Index</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-tainted-divisor</code><a class="copiable-link" href="#index-Wanalyzer-tainted-divisor"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires both <samp class="option">-fanalyzer</samp> and <samp class="option">-fanalyzer-checker=taint</samp> to enable it; use <samp class="option">-Wno-analyzer-tainted-divisor</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a value that could be under an attacker’s control is used as the divisor in a division or modulus operation without being sanitized, so that an attacker could inject a division-by-zero. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/369.html">CWE-369: Divide By Zero</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-tainted-offset</code><a class="copiable-link" href="#index-Wanalyzer-tainted-offset"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires both <samp class="option">-fanalyzer</samp> and <samp class="option">-fanalyzer-checker=taint</samp> to enable it; use <samp class="option">-Wno-analyzer-tainted-offset</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a value that could be under an attacker’s control is used as a pointer offset without being sanitized, so that an attacker could inject an out-of-bounds access. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/823.html">CWE-823: Use of Out-of-range Pointer Offset</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-tainted-size</code><a class="copiable-link" href="#index-Wanalyzer-tainted-size"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires both <samp class="option">-fanalyzer</samp> and <samp class="option">-fanalyzer-checker=taint</samp> to enable it; use <samp class="option">-Wno-analyzer-tainted-size</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a value that could be under an attacker’s control is used as the size of an operation such as <code class="code">memset</code> without being sanitized, so that an attacker could inject an out-of-bounds access. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/129.html">CWE-129: Improper Validation of Array Index</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-unsafe-call-within-signal-handler</code><a class="copiable-link" href="#index-Wanalyzer-unsafe-call-within-signal-handler"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-unsafe-call-within-signal-handler</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a function known to be async-signal-unsafe (such as <code class="code">fprintf</code>) is called from a signal handler. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/479.html">CWE-479: Signal Handler Use of a Non-reentrant Function</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-use-after-free</code><a class="copiable-link" href="#index-Wanalyzer-use-after-free"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-use-after-free</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a pointer is used after a deallocator is called on it: either <code class="code">free</code>, or a deallocator referenced by attribute <code class="code">malloc</code>. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/416.html">CWE-416: Use After Free</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-use-of-pointer-in-stale-stack-frame</code><a class="copiable-link" href="#index-Wanalyzer-use-of-pointer-in-stale-stack-frame"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-use-of-pointer-in-stale-stack-frame</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which a pointer is dereferenced that points to a variable in a stale stack frame. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-va-arg-type-mismatch</code><a class="copiable-link" href="#index-Wanalyzer-va-arg-type-mismatch"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-va-arg-type-mismatch</samp> to disable it. </p> <p>This diagnostic warns for interprocedural paths through the code for which the analyzer detects an attempt to use <code class="code">va_arg</code> to extract a value passed to a variadic call, but uses a type that does not match that of the expression passed to the call. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/686.html">CWE-686: Function Call With Incorrect Argument Type</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-va-list-exhausted</code><a class="copiable-link" href="#index-Wanalyzer-va-list-exhausted"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-va-list-exhausted</samp> to disable it. </p> <p>This diagnostic warns for interprocedural paths through the code for which the analyzer detects an attempt to use <code class="code">va_arg</code> to access the next value passed to a variadic call, but all of the values in the <code class="code">va_list</code> have already been consumed. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/685.html">CWE-685: Function Call With Incorrect Number of Arguments</a>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-va-list-leak</code><a class="copiable-link" href="#index-Wanalyzer-va-list-leak"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-va-list-leak</samp> to disable it. </p> <p>This diagnostic warns for interprocedural paths through the code for which the analyzer detects that <code class="code">va_start</code> or <code class="code">va_copy</code> has been called on a <code class="code">va_list</code> without a corresponding call to <code class="code">va_end</code>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-va-list-use-after-va-end</code><a class="copiable-link" href="#index-Wanalyzer-va-list-use-after-va-end"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-va-list-use-after-va-end</samp> to disable it. </p> <p>This diagnostic warns for interprocedural paths through the code for which the analyzer detects an attempt to use a <code class="code">va_list</code> after <code class="code">va_end</code> has been called on it. <code class="code">va_list</code>. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-write-to-const</code><a class="copiable-link" href="#index-Wanalyzer-write-to-const"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-write-to-const</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which the analyzer detects an attempt to write through a pointer to a <code class="code">const</code> object. However, the analyzer does not prioritize detection of such paths, so false negatives are more likely relative to other warnings. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-write-to-string-literal</code><a class="copiable-link" href="#index-Wanalyzer-write-to-string-literal"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-write-to-string-literal</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which the analyzer detects an attempt to write through a pointer to a string literal. However, the analyzer does not prioritize detection of such paths, so false negatives are more likely relative to other warnings. </p> </dd> <dt>
+ <span><code class="code">-Wno-analyzer-use-of-uninitialized-value</code><a class="copiable-link" href="#index-Wanalyzer-use-of-uninitialized-value"> ¶</a></span>
+</dt> <dd>
+<p>This warning requires <samp class="option">-fanalyzer</samp>, which enables it; use <samp class="option">-Wno-analyzer-use-of-uninitialized-value</samp> to disable it. </p> <p>This diagnostic warns for paths through the code in which an uninitialized value is used. </p> <p>See <a class="uref" href="https://cwe.mitre.org/data/definitions/457.html">CWE-457: Use of Uninitialized Variable</a>. </p> </dd> </dl> <p>The analyzer has hardcoded knowledge about the behavior of the following memory-management functions: </p> <ul class="itemize mark-bullet"> <li>
+<code class="code">alloca</code> </li>
+<li>The built-in functions <code class="code">__builtin_alloc</code>, <code class="code">__builtin_alloc_with_align</code>, </li>
+<li>
+<code class="code">__builtin_calloc</code>, <code class="code">__builtin_free</code>, <code class="code">__builtin_malloc</code>, <code class="code">__builtin_memcpy</code>, <code class="code">__builtin_memcpy_chk</code>, <code class="code">__builtin_memset</code>, <code class="code">__builtin_memset_chk</code>, <code class="code">__builtin_realloc</code>, <code class="code">__builtin_stack_restore</code>, and <code class="code">__builtin_stack_save</code> </li>
+<li>
+<code class="code">calloc</code> </li>
+<li>
+<code class="code">free</code> </li>
+<li>
+<code class="code">malloc</code> </li>
+<li>
+<code class="code">memset</code> </li>
+<li>
+<code class="code">operator delete</code> </li>
+<li>
+<code class="code">operator delete []</code> </li>
+<li>
+<code class="code">operator new</code> </li>
+<li>
+<code class="code">operator new []</code> </li>
+<li>
+<code class="code">realloc</code> </li>
+<li>
+<code class="code">strdup</code> </li>
+<li>
+<code class="code">strndup</code> </li>
+</ul> <p>of the following functions for working with file descriptors: </p> <ul class="itemize mark-bullet"> <li>
+<code class="code">open</code> </li>
+<li>
+<code class="code">close</code> </li>
+<li>
+<code class="code">creat</code> </li>
+<li>
+<code class="code">dup</code>, <code class="code">dup2</code> and <code class="code">dup3</code> </li>
+<li>
+<code class="code">isatty</code> </li>
+<li>
+<code class="code">pipe</code>, and <code class="code">pipe2</code> </li>
+<li>
+<code class="code">read</code> </li>
+<li>
+<code class="code">write</code> </li>
+<li>
+<code class="code">socket</code>, <code class="code">bind</code>, <code class="code">listen</code>, <code class="code">accept</code>, and <code class="code">connect</code> </li>
+</ul> <p>of the following functions for working with <code class="code">&lt;stdio.h&gt;</code> streams: </p>
+<ul class="itemize mark-bullet"> <li>The built-in functions <code class="code">__builtin_fprintf</code>, <code class="code">__builtin_fprintf_unlocked</code>, <code class="code">__builtin_fputc</code>, <code class="code">__builtin_fputc_unlocked</code>, <code class="code">__builtin_fputs</code>, <code class="code">__builtin_fputs_unlocked</code>, <code class="code">__builtin_fwrite</code>, <code class="code">__builtin_fwrite_unlocked</code>, <code class="code">__builtin_printf</code>, <code class="code">__builtin_printf_unlocked</code>, <code class="code">__builtin_putc</code>, <code class="code">__builtin_putchar</code>, <code class="code">__builtin_putchar_unlocked</code>, <code class="code">__builtin_putc_unlocked</code>, <code class="code">__builtin_puts</code>, <code class="code">__builtin_puts_unlocked</code>, <code class="code">__builtin_vfprintf</code>, and <code class="code">__builtin_vprintf</code> </li>
+<li>
+<code class="code">fopen</code> </li>
+<li>
+<code class="code">fclose</code> </li>
+<li>
+<code class="code">ferror</code> </li>
+<li>
+<code class="code">fgets</code> </li>
+<li>
+<code class="code">fgets_unlocked</code> </li>
+<li>
+<code class="code">fileno</code> </li>
+<li>
+<code class="code">fread</code> </li>
+<li>
+<code class="code">getc</code> </li>
+<li>
+<code class="code">getchar</code> </li>
+<li>
+<code class="code">fprintf</code> </li>
+<li>
+<code class="code">printf</code> </li>
+<li>
+<code class="code">fwrite</code> </li>
+</ul> <p>and of the following functions: </p> <ul class="itemize mark-bullet"> <li>The built-in functions <code class="code">__builtin_expect</code>, <code class="code">__builtin_expect_with_probability</code>, <code class="code">__builtin_strchr</code>, <code class="code">__builtin_strcpy</code>, <code class="code">__builtin_strcpy_chk</code>, <code class="code">__builtin_strlen</code>, <code class="code">__builtin_va_copy</code>, and <code class="code">__builtin_va_start</code> </li>
+<li>The GNU extensions <code class="code">error</code> and <code class="code">error_at_line</code> </li>
+<li>
+<code class="code">getpass</code> </li>
+<li>
+<code class="code">longjmp</code> </li>
+<li>
+<code class="code">putenv</code> </li>
+<li>
+<code class="code">setjmp</code> </li>
+<li>
+<code class="code">siglongjmp</code> </li>
+<li>
+<code class="code">signal</code> </li>
+<li>
+<code class="code">sigsetjmp</code> </li>
+<li>
+<code class="code">strchr</code> </li>
+<li>
+<code class="code">strlen</code> </li>
+</ul> <p>In addition, various functions with an <code class="code">__analyzer_</code> prefix have special meaning to the analyzer, described in the GCC Internals manual. </p> <p>Pertinent parameters for controlling the exploration are: </p>
+<ul class="itemize mark-bullet"> <li>
+<samp class="option">--param analyzer-bb-explosion-factor=<var class="var">value</var></samp> </li>
+<li>
+<samp class="option">--param analyzer-max-enodes-per-program-point=<var class="var">value</var></samp> </li>
+<li>
+<samp class="option">--param analyzer-max-recursion-depth=<var class="var">value</var></samp> </li>
+<li>
+<samp class="option">--param analyzer-min-snodes-for-call-summary=<var class="var">value</var></samp> </li>
+</ul> <p>The following options control the analyzer. </p> <dl class="table"> <dt>
+ <span><code class="code">-fanalyzer-call-summaries</code><a class="copiable-link" href="#index-fanalyzer-call-summaries"> ¶</a></span>
+</dt> <dd>
+<p>Simplify interprocedural analysis by computing the effect of certain calls, rather than exploring all paths through the function from callsite to each possible return. </p> <p>If enabled, call summaries are only used for functions with more than one call site, and that are sufficiently complicated (as per <samp class="option">--param analyzer-min-snodes-for-call-summary=<var class="var">value</var></samp>). </p> </dd> <dt>
+<span><code class="code">-fanalyzer-checker=<var class="var">name</var></code><a class="copiable-link" href="#index-fanalyzer-checker"> ¶</a></span>
+</dt> <dd>
+<p>Restrict the analyzer to run just the named checker, and enable it. </p> <p>Some checkers are disabled by default (even with <samp class="option">-fanalyzer</samp>), such as the <code class="code">taint</code> checker that implements <samp class="option">-Wanalyzer-tainted-array-index</samp>, and this option is required to enable them. </p> <p><em class="emph">Note:</em> currently, <samp class="option">-fanalyzer-checker=taint</samp> disables the following warnings from <samp class="option">-fanalyzer</samp>: </p> <div class="example smallexample"> <pre class="example-preformatted" data-language="cpp">-Wanalyzer-deref-before-check
+-Wanalyzer-double-fclose
+-Wanalyzer-double-free
+-Wanalyzer-exposure-through-output-file
+-Wanalyzer-fd-access-mode-mismatch
+-Wanalyzer-fd-double-close
+-Wanalyzer-fd-leak
+-Wanalyzer-fd-use-after-close
+-Wanalyzer-fd-use-without-check
+-Wanalyzer-file-leak
+-Wanalyzer-free-of-non-heap
+-Wanalyzer-malloc-leak
+-Wanalyzer-mismatching-deallocation
+-Wanalyzer-null-argument
+-Wanalyzer-null-dereference
+-Wanalyzer-possible-null-argument
+-Wanalyzer-possible-null-dereference
+-Wanalyzer-unsafe-call-within-signal-handler
+-Wanalyzer-use-after-free
+-Wanalyzer-va-list-leak
+-Wanalyzer-va-list-use-after-va-end</pre>
+</div> </dd> <dt>
+ <span><code class="code">-fno-analyzer-feasibility</code><a class="copiable-link" href="#index-fanalyzer-feasibility"> ¶</a></span>
+</dt> <dd>
+<p>This option is intended for analyzer developers. </p> <p>By default the analyzer verifies that there is a feasible control flow path for each diagnostic it emits: that the conditions that hold are not mutually exclusive. Diagnostics for which no feasible path can be found are rejected. This filtering can be suppressed with <samp class="option">-fno-analyzer-feasibility</samp>, for debugging issues in this code. </p> </dd> <dt>
+ <span><code class="code">-fanalyzer-fine-grained</code><a class="copiable-link" href="#index-fanalyzer-fine-grained"> ¶</a></span>
+</dt> <dd>
+<p>This option is intended for analyzer developers. </p> <p>Internally the analyzer builds an “exploded graph” that combines control flow graphs with data flow information. </p> <p>By default, an edge in this graph can contain the effects of a run of multiple statements within a basic block. With <samp class="option">-fanalyzer-fine-grained</samp>, each statement gets its own edge. </p> </dd> <dt>
+ <span><code class="code">-fanalyzer-show-duplicate-count</code><a class="copiable-link" href="#index-fanalyzer-show-duplicate-count"> ¶</a></span>
+</dt> <dd>
+<p>This option is intended for analyzer developers: if multiple diagnostics have been detected as being duplicates of each other, it emits a note when reporting the best diagnostic, giving the number of additional diagnostics that were suppressed by the deduplication logic. </p> </dd> <dt>
+ <span><code class="code">-fno-analyzer-state-merge</code><a class="copiable-link" href="#index-fanalyzer-state-merge"> ¶</a></span>
+</dt> <dd>
+<p>This option is intended for analyzer developers. </p> <p>By default the analyzer attempts to simplify analysis by merging sufficiently similar states at each program point as it builds its “exploded graph”. With <samp class="option">-fno-analyzer-state-merge</samp> this merging can be suppressed, for debugging state-handling issues. </p> </dd> <dt>
+ <span><code class="code">-fno-analyzer-state-purge</code><a class="copiable-link" href="#index-fanalyzer-state-purge"> ¶</a></span>
+</dt> <dd>
+<p>This option is intended for analyzer developers. </p> <p>By default the analyzer attempts to simplify analysis by purging aspects of state at a program point that appear to no longer be relevant e.g. the values of locals that aren’t accessed later in the function and which aren’t relevant to leak analysis. </p> <p>With <samp class="option">-fno-analyzer-state-purge</samp> this purging of state can be suppressed, for debugging state-handling issues. </p> </dd> <dt>
+ <span><code class="code">-fno-analyzer-suppress-followups</code><a class="copiable-link" href="#index-fanalyzer-suppress-followups"> ¶</a></span>
+</dt> <dd>
+<p>This option is intended for analyzer developers. </p> <p>By default the analyzer will stop exploring an execution path after encountering certain diagnostics, in order to avoid potentially issuing a cascade of follow-up diagnostics. </p> <p>The diagnostics that terminate analysis along a path are: </p> <ul class="itemize mark-bullet"> <li>
+<samp class="option">-Wanalyzer-null-argument</samp> </li>
+<li>
+<samp class="option">-Wanalyzer-null-dereference</samp> </li>
+<li>
+<samp class="option">-Wanalyzer-use-after-free</samp> </li>
+<li>
+<samp class="option">-Wanalyzer-use-of-pointer-in-stale-stack-frame</samp> </li>
+<li>
+<samp class="option">-Wanalyzer-use-of-uninitialized-value</samp> </li>
+</ul> <p>With <samp class="option">-fno-analyzer-suppress-followups</samp> the analyzer will continue to explore such paths even after such diagnostics, which may be helpful for debugging issues in the analyzer, or for microbenchmarks for detecting undefined behavior. </p> </dd> <dt>
+ <span><code class="code">-fanalyzer-transitivity</code><a class="copiable-link" href="#index-fanalyzer-transitivity"> ¶</a></span>
+</dt> <dd>
+<p>This option enables transitivity of constraints within the analyzer. </p> </dd> <dt>
+ <span><code class="code">-fno-analyzer-undo-inlining</code><a class="copiable-link" href="#index-fanalyzer-undo-inlining"> ¶</a></span>
+</dt> <dd>
+<p>This option is intended for analyzer developers. </p> <p><samp class="option">-fanalyzer</samp> runs relatively late compared to other code analysis tools, and some optimizations have already been applied to the code. In particular function inlining may have occurred, leading to the interprocedural execution paths emitted by the analyzer containing function frames that don’t correspond to those in the original source code. </p> <p>By default the analyzer attempts to reconstruct the original function frames, and to emit events showing the inlined calls. </p> <p>With <samp class="option">-fno-analyzer-undo-inlining</samp> this attempt to reconstruct the original frame information can be be disabled, which may be of help when debugging issues in the analyzer. </p> </dd> <dt><code class="code">-fanalyzer-verbose-edges</code></dt> <dd>
+<p>This option is intended for analyzer developers. It enables more verbose, lower-level detail in the descriptions of control flow within diagnostic paths. </p> </dd> <dt><code class="code">-fanalyzer-verbose-state-changes</code></dt> <dd>
+<p>This option is intended for analyzer developers. It enables more verbose, lower-level detail in the descriptions of events relating to state machines within diagnostic paths. </p> </dd> <dt><code class="code">-fanalyzer-verbosity=<var class="var">level</var></code></dt> <dd>
+<p>This option controls the complexity of the control flow paths that are emitted for analyzer diagnostics. </p> <p>The <var class="var">level</var> can be one of: </p> <dl class="table"> <dt>‘<samp class="samp">0</samp>’</dt> <dd>
+<p>At this level, interprocedural call and return events are displayed, along with the most pertinent state-change events relating to a diagnostic. For example, for a double-<code class="code">free</code> diagnostic, both calls to <code class="code">free</code> will be shown. </p> </dd> <dt>‘<samp class="samp">1</samp>’</dt> <dd>
+<p>As per the previous level, but also show events for the entry to each function. </p> </dd> <dt>‘<samp class="samp">2</samp>’</dt> <dd>
+<p>As per the previous level, but also show events relating to control flow that are significant to triggering the issue (e.g. “true path taken” at a conditional). </p> <p>This level is the default. </p> </dd> <dt>‘<samp class="samp">3</samp>’</dt> <dd>
+<p>As per the previous level, but show all control flow events, not just significant ones. </p> </dd> <dt>‘<samp class="samp">4</samp>’</dt> <dd>
+<p>This level is intended for analyzer developers; it adds various other events intended for debugging the analyzer. </p> </dd> </dl> </dd> <dt>
+<span><code class="code">-fdump-analyzer</code><a class="copiable-link" href="#index-fdump-analyzer"> ¶</a></span>
+</dt> <dd>
+<p>Dump internal details about what the analyzer is doing to <samp class="file"><var class="var">file</var>.analyzer.txt</samp>. <samp class="option">-fdump-analyzer-stderr</samp> overrides this option. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-stderr</code><a class="copiable-link" href="#index-fdump-analyzer-stderr"> ¶</a></span>
+</dt> <dd>
+<p>Dump internal details about what the analyzer is doing to stderr. This option overrides <samp class="option">-fdump-analyzer</samp>. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-callgraph</code><a class="copiable-link" href="#index-fdump-analyzer-callgraph"> ¶</a></span>
+</dt> <dd>
+<p>Dump a representation of the call graph suitable for viewing with GraphViz to <samp class="file"><var class="var">file</var>.callgraph.dot</samp>. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-exploded-graph</code><a class="copiable-link" href="#index-fdump-analyzer-exploded-graph"> ¶</a></span>
+</dt> <dd>
+<p>Dump a representation of the “exploded graph” suitable for viewing with GraphViz to <samp class="file"><var class="var">file</var>.eg.dot</samp>. Nodes are color-coded based on state-machine states to emphasize state changes. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-exploded-nodes</code><a class="copiable-link" href="#index-dump-analyzer-exploded-nodes"> ¶</a></span>
+</dt> <dd>
+<p>Emit diagnostics showing where nodes in the “exploded graph” are in relation to the program source. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-exploded-nodes-2</code><a class="copiable-link" href="#index-dump-analyzer-exploded-nodes-2"> ¶</a></span>
+</dt> <dd>
+<p>Dump a textual representation of the “exploded graph” to <samp class="file"><var class="var">file</var>.eg.txt</samp>. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-exploded-nodes-3</code><a class="copiable-link" href="#index-dump-analyzer-exploded-nodes-3"> ¶</a></span>
+</dt> <dd>
+<p>Dump a textual representation of the “exploded graph” to one dump file per node, to <samp class="file"><var class="var">file</var>.eg-<var class="var">id</var>.txt</samp>. This is typically a large number of dump files. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-exploded-paths</code><a class="copiable-link" href="#index-fdump-analyzer-exploded-paths"> ¶</a></span>
+</dt> <dd>
+<p>Dump a textual representation of the “exploded path” for each diagnostic to <samp class="file"><var class="var">file</var>.<var class="var">idx</var>.<var class="var">kind</var>.epath.txt</samp>. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-feasibility</code><a class="copiable-link" href="#index-dump-analyzer-feasibility"> ¶</a></span>
+</dt> <dd>
+<p>Dump internal details about the analyzer’s search for feasible paths. The details are written in a form suitable for viewing with GraphViz to filenames of the form <samp class="file"><var class="var">file</var>.*.fg.dot</samp>, <samp class="file"><var class="var">file</var>.*.tg.dot</samp>, and <samp class="file"><var class="var">file</var>.*.fpath.txt</samp>. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-json</code><a class="copiable-link" href="#index-fdump-analyzer-json"> ¶</a></span>
+</dt> <dd>
+<p>Dump a compressed JSON representation of analyzer internals to <samp class="file"><var class="var">file</var>.analyzer.json.gz</samp>. The precise format is subject to change. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-state-purge</code><a class="copiable-link" href="#index-fdump-analyzer-state-purge"> ¶</a></span>
+</dt> <dd>
+<p>As per <samp class="option">-fdump-analyzer-supergraph</samp>, dump a representation of the “supergraph” suitable for viewing with GraphViz, but annotate the graph with information on what state will be purged at each node. The graph is written to <samp class="file"><var class="var">file</var>.state-purge.dot</samp>. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-supergraph</code><a class="copiable-link" href="#index-fdump-analyzer-supergraph"> ¶</a></span>
+</dt> <dd>
+<p>Dump representations of the “supergraph” suitable for viewing with GraphViz to <samp class="file"><var class="var">file</var>.supergraph.dot</samp> and to <samp class="file"><var class="var">file</var>.supergraph-eg.dot</samp>. These show all of the control flow graphs in the program, with interprocedural edges for calls and returns. The second dump contains annotations showing nodes in the “exploded graph” and diagnostics associated with them. </p> </dd> <dt>
+<span><code class="code">-fdump-analyzer-untracked</code><a class="copiable-link" href="#index-fdump-analyzer-untracked"> ¶</a></span>
+</dt> <dd>
+<p>Emit custom warnings with internal details intended for analyzer developers. </p> </dd> </dl> </div> <div class="nav-panel"> <p> Next: <a href="debugging-options">Options for Debugging Your Program</a>, Previous: <a href="warning-options">Options to Request or Suppress Warnings</a>, Up: <a href="invoking-gcc">GCC Command Options</a> [<a href="index#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="indices" title="Index" rel="index">Index</a>]</p> </div><div class="_attribution">
+ <p class="_attribution-p">
+ &copy; Free Software Foundation<br>Licensed under the GNU Free Documentation License, Version 1.3.<br>
+ <a href="https://gcc.gnu.org/onlinedocs/gcc-13.1.0/gcc/Static-Analyzer-Options.html" class="_attribution-link">https://gcc.gnu.org/onlinedocs/gcc-13.1.0/gcc/Static-Analyzer-Options.html</a>
+ </p>
+</div>
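Review bot: The added `-Wno-analyzer-va-list-use-after-va-end` entry ends with a stray `<code class="code">va_list</code>.` fragment after the sentence "...after va_end has been called on it.", which renders as a dangling "va_list."; drop it. Three smaller points in the same file: the `-fno-analyzer-undo-inlining` text reads "can be be disabled" (duplicated word). The memory-management list splits the built-in functions across two items, the first ending in a trailing comma ("__builtin_alloc, __builtin_alloc_with_align,") and the second starting at `__builtin_calloc`; these should be a single `<li>`. The `-Wno-analyzer-tainted-size` entry links CWE-129 (Improper Validation of Array Index) although its text describes a tainted size passed to operations such as `memset`, so it is worth confirming that reference is the intended one. If this file is meant to be a verbatim copy of the upstream page named in the attribution block, say so in the commit message so that these are reported upstream instead of being patched locally.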