LLVM

Debugging Clang Static Analyzer

This post contains the steps and commands to debug a clang static analyzer issue. The contents of this post have been derived from various presentations and tutorials created by LLVM developers and conferences

Guide to analyzing a Clang Static Analyzer issue

STEP 1

Create a small reproducer testcase

STEP 2

Run the clang static analyzer using the following command

scan-build -o . clang -c test.c

STEP 3

Run the scan-view command (generated by launching the above analysis) to view the results

scan-view /home/saurabh/clangsa/2020-07-09-103350-238389-1

This will open the analysis report in a user friendly format.

If you are using a shell (which I do), this will open the report in ELinks. Navigate the report in a terminal as follows:
Use the UP and DOWN arrow keys to jump between different links
Use the FORWARD and REVERSE arrow keys to navigate between next and previous pages of the report
When selecting a particular link or arrow in the report, press ENTER to open the link

Alternatively, you can also open the generated index.html in a web browser. This is generated inside the directory created with a name similar to 2020-07-09-103350-238389-1

The HTML report looks as follows: Debug Report

STEP 4

Navigate to the Show analyzer invocation< section of the Bug Report and copy the command with complete set of command line flags to invoke the analyzer The command should looks as follows:

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -main-file-name test.c 
-analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core 
-analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode 
-analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw 
-analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp 
-analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork 
-analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull 
-analyzer-output plist -w -setup-static-analyzer -mrelocation-model static -mframe-pointer=all 
-fmath-errno -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 
-dwarf-column-info -fno-split-dwarf-inlining -debugger-tuning=gdb 
-resource-dir /home/saurabh/llvm-project/build/lib/clang/11.0.0 -internal-isystem /usr/local/include 
-internal-isystem /home/saurabh/llvm-project/build/lib/clang/11.0.0/include 
-internal-externc-isystem /include -internal-externc-isystem /usr/include 
-fdebug-compilation-dir /home/saurabh/clangsa -ferror-limit 19 -fgnuc-version=4.2.1 
-analyzer-output=html -faddrsig -o /home/saurabh/clangsa/2020-07-09-103350-238389-1 -x c test.c

STEP 5

Dump the complete exploded graph of the input source code in a .dot file. The exploded graph can be used to view the program states and environment information of the input source code at various program points. Add the following flag to the command obtained above to dump the exploded graph while invoking the static analyzer

    -analyzer-dump-egraph=graph.dot

STEP 6

Generate and view the exploded graph dumped above in a user friendly format. The following command will generate the exploded graph representation in HTML files which can be viewed in a web browser. The utility exploded-graph-rewriter.py can be found at llvm-project/clang/utils/analyzer/exploded-graph-rewriter.py in the LLVM repository

Prerequisites

  1. Specific versions of python2 (2.7.16 in my case) is needed to run the above utility and generate HTML files
  2. The HTML files by default are generated in /tmp and automatically launched in a browser. So it needs to be launched from a terminal with $DISPLAY access
exploded-graph-rewriter.py graph.dot

Next Post in LLVM

Discussion & Comments