diff options
Diffstat (limited to 'share/doc/gcc/Static-Analyzer-Options.html')
| -rw-r--r-- | share/doc/gcc/Static-Analyzer-Options.html | 1276 |
1 files changed, 1276 insertions, 0 deletions
diff --git a/share/doc/gcc/Static-Analyzer-Options.html b/share/doc/gcc/Static-Analyzer-Options.html new file mode 100644 index 0000000..67de490 --- /dev/null +++ b/share/doc/gcc/Static-Analyzer-Options.html @@ -0,0 +1,1276 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html> +<!-- This file documents the use of the GNU compilers. + +Copyright (C) 1988-2023 Free Software Foundation, Inc. + +Permission is granted to copy, distribute and/or modify this document +under the terms of the GNU Free Documentation License, Version 1.3 or +any later version published by the Free Software Foundation; with the +Invariant Sections being "Funding Free Software", the Front-Cover +Texts being (a) (see below), and with the Back-Cover Texts being (b) +(see below). A copy of the license is included in the section entitled +"GNU Free Documentation License". + +(a) The FSF's Front-Cover Text is: + +A GNU Manual + +(b) The FSF's Back-Cover Text is: + +You have freedom to copy and modify this GNU Manual, like GNU + software. Copies published by the Free Software Foundation raise + funds for GNU development. --> +<!-- Created by GNU Texinfo 5.1, http://www.gnu.org/software/texinfo/ --> +<head> +<title>Using the GNU Compiler Collection (GCC): Static Analyzer Options</title> + +<meta name="description" content="Using the GNU Compiler Collection (GCC): Static Analyzer Options"> +<meta name="keywords" content="Using the GNU Compiler Collection (GCC): Static Analyzer Options"> +<meta name="resource-type" content="document"> +<meta name="distribution" content="global"> +<meta name="Generator" content="makeinfo"> +<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> +<link href="index.html#Top" rel="start" title="Top"> +<link href="Indices.html#Indices" rel="index" title="Indices"> +<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents"> +<link href="Invoking-GCC.html#Invoking-GCC" rel="up" title="Invoking GCC"> +<link href="Debugging-Options.html#Debugging-Options" rel="next" title="Debugging Options"> +<link href="Warning-Options.html#Warning-Options" rel="previous" title="Warning Options"> +<style type="text/css"> +<!-- +a.summary-letter {text-decoration: none} +blockquote.smallquotation {font-size: smaller} +div.display {margin-left: 3.2em} +div.example {margin-left: 3.2em} +div.indentedblock {margin-left: 3.2em} +div.lisp {margin-left: 3.2em} +div.smalldisplay {margin-left: 3.2em} +div.smallexample {margin-left: 3.2em} +div.smallindentedblock {margin-left: 3.2em; font-size: smaller} +div.smalllisp {margin-left: 3.2em} +kbd {font-style:oblique} +pre.display {font-family: inherit} +pre.format {font-family: inherit} +pre.menu-comment {font-family: serif} +pre.menu-preformatted {font-family: serif} +pre.smalldisplay {font-family: inherit; font-size: smaller} +pre.smallexample {font-size: smaller} +pre.smallformat {font-family: inherit; font-size: smaller} +pre.smalllisp {font-size: smaller} +span.nocodebreak {white-space:nowrap} +span.nolinebreak {white-space:nowrap} +span.roman {font-family:serif; font-weight:normal} +span.sansserif {font-family:sans-serif; font-weight:normal} +ul.no-bullet {list-style: none} +--> +</style> + + +</head> + +<body lang="en_US" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#800080" alink="#FF0000"> +<a name="Static-Analyzer-Options"></a> +<div class="header"> +<p> +Next: <a href="Debugging-Options.html#Debugging-Options" accesskey="n" rel="next">Debugging Options</a>, Previous: <a href="Warning-Options.html#Warning-Options" accesskey="p" rel="previous">Warning Options</a>, Up: <a href="Invoking-GCC.html#Invoking-GCC" accesskey="u" rel="up">Invoking GCC</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Indices.html#Indices" title="Index" rel="index">Index</a>]</p> +</div> +<hr> +<a name="Options-That-Control-Static-Analysis"></a> +<h3 class="section">3.9 Options That Control Static Analysis</h3> + +<dl compact="compact"> +<dd><a name="index-analyzer"></a> +<a name="index-fanalyzer"></a> +<a name="index-fno_002danalyzer"></a> +</dd> +<dt><code>-fanalyzer</code></dt> +<dd><p>This option enables an static analysis of program flow which looks +for “interesting” interprocedural paths through the +code, and issues warnings for problems found on them. +</p> +<p>This analysis is much more expensive than other GCC warnings. +</p> +<p>In technical terms, it performs coverage-guided symbolic execution of +the code being compiled. It is neither sound nor complete: it can +have false positives and false negatives. It is a bug-finding tool, +rather than a tool for proving program correctness. +</p> +<p>The analyzer is only suitable for use on C code in this release. +</p> +<p>Enabling this option effectively enables the following warnings: +</p> +<div class="smallexample"> +<pre class="smallexample">-Wanalyzer-allocation-size +-Wanalyzer-deref-before-check +-Wanalyzer-double-fclose +-Wanalyzer-double-free +-Wanalyzer-exposure-through-output-file +-Wanalyzer-exposure-through-uninit-copy +-Wanalyzer-fd-access-mode-mismatch +-Wanalyzer-fd-double-close +-Wanalyzer-fd-leak +-Wanalyzer-fd-phase-mismatch +-Wanalyzer-fd-type-mismatch +-Wanalyzer-fd-use-after-close +-Wanalyzer-fd-use-without-check +-Wanalyzer-file-leak +-Wanalyzer-free-of-non-heap +-Wanalyzer-imprecise-fp-arithmetic +-Wanalyzer-infinite-recursion +-Wanalyzer-jump-through-null +-Wanalyzer-malloc-leak +-Wanalyzer-mismatching-deallocation +-Wanalyzer-null-argument +-Wanalyzer-null-dereference +-Wanalyzer-out-of-bounds +-Wanalyzer-possible-null-argument +-Wanalyzer-possible-null-dereference +-Wanalyzer-putenv-of-auto-var +-Wanalyzer-shift-count-negative +-Wanalyzer-shift-count-overflow +-Wanalyzer-stale-setjmp-buffer +-Wanalyzer-unsafe-call-within-signal-handler +-Wanalyzer-use-after-free +-Wanalyzer-use-of-pointer-in-stale-stack-frame +-Wanalyzer-use-of-uninitialized-value +-Wanalyzer-va-arg-type-mismatch +-Wanalyzer-va-list-exhausted +-Wanalyzer-va-list-leak +-Wanalyzer-va-list-use-after-va-end +-Wanalyzer-write-to-const +-Wanalyzer-write-to-string-literal + +</pre></div> + +<p>This option is only available if GCC was configured with analyzer +support enabled. +</p> +<a name="index-Wanalyzer_002dtoo_002dcomplex"></a> +<a name="index-Wno_002danalyzer_002dtoo_002dcomplex"></a> +</dd> +<dt><code>-Wanalyzer-too-complex</code></dt> +<dd><p>If <samp>-fanalyzer</samp> is enabled, the analyzer uses various heuristics +to attempt to explore the control flow and data flow in the program, +but these can be defeated by sufficiently complicated code. +</p> +<p>By default, the analysis silently stops if the code is too +complicated for the analyzer to fully explore and it reaches an internal +limit. The <samp>-Wanalyzer-too-complex</samp> option warns if this occurs. +</p> +<a name="index-Wanalyzer_002dallocation_002dsize"></a> +<a name="index-Wno_002danalyzer_002dallocation_002dsize"></a> +</dd> +<dt><code>-Wno-analyzer-allocation-size</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; +to disable it, use <samp>-Wno-analyzer-allocation-size</samp>. +</p> +<p>This diagnostic warns for paths through the code in which a pointer to +a buffer is assigned to point at a buffer with a size that is not a +multiple of <code>sizeof (*pointer)</code>. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/131.html">CWE-131: Incorrect Calculation of Buffer Size</a>. +</p> +<a name="index-Wanalyzer_002dderef_002dbefore_002dcheck"></a> +<a name="index-Wno_002danalyzer_002dderef_002dbefore_002dcheck"></a> +</dd> +<dt><code>-Wno-analyzer-deref-before-check</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-deref-before-check</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a pointer +is checked for <code>NULL</code> *after* it has already been +dereferenced, suggesting that the pointer could have been NULL. +Such cases suggest that the check for NULL is either redundant, +or that it needs to be moved to before the pointer is dereferenced. +</p> +<p>This diagnostic also considers values passed to a function argument +marked with <code>__attribute__((nonnull))</code> as requiring a non-NULL +value, and thus will complain if such values are checked for <code>NULL</code> +after returning from such a function call. +</p> +<p>This diagnostic is unlikely to be reported when any level of optimization +is enabled, as GCC’s optimization logic will typically consider such +checks for NULL as being redundant, and optimize them away before the +analyzer "sees" them. Hence optimization should be disabled when +attempting to trigger this diagnostic. +</p> +<a name="index-Wanalyzer_002ddouble_002dfclose"></a> +<a name="index-Wno_002danalyzer_002ddouble_002dfclose"></a> +</dd> +<dt><code>-Wno-analyzer-double-fclose</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-double-fclose</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a <code>FILE *</code> +can have <code>fclose</code> called on it more than once. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/1341.html">CWE-1341: Multiple Releases of Same Resource or Handle</a>. +</p> +<a name="index-Wanalyzer_002ddouble_002dfree"></a> +<a name="index-Wno_002danalyzer_002ddouble_002dfree"></a> +</dd> +<dt><code>-Wno-analyzer-double-free</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-double-free</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a pointer +can have a deallocator called on it more than once, either <code>free</code>, +or a deallocator referenced by attribute <code>malloc</code>. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/415.html">CWE-415: Double Free</a>. +</p> +<a name="index-Wanalyzer_002dexposure_002dthrough_002doutput_002dfile"></a> +<a name="index-Wno_002danalyzer_002dexposure_002dthrough_002doutput_002dfile"></a> +</dd> +<dt><code>-Wno-analyzer-exposure-through-output-file</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-exposure-through-output-file</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +security-sensitive value is written to an output file +(such as writing a password to a log file). +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/532.html">CWE-532: Information Exposure Through Log Files</a>. +</p> +<a name="index-Wanalyzer_002dexposure_002dthrough_002duninit_002dcopy"></a> +<a name="index-Wno_002danalyzer_002dexposure_002dthrough_002duninit_002dcopy"></a> +</dd> +<dt><code>-Wanalyzer-exposure-through-uninit-copy</code></dt> +<dd><p>This warning requires both <samp>-fanalyzer</samp> and the use of a plugin +to specify a function that copies across a “trust boundary”. Use +<samp>-Wno-analyzer-exposure-through-uninit-copy</samp> to disable it. +</p> +<p>This diagnostic warns for “infoleaks” - paths through the code in which +uninitialized values are copied across a security boundary +(such as code within an OS kernel that copies a partially-initialized +struct on the stack to user space). +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Exposure of Sensitive Information to an Unauthorized Actor</a>. +</p> +<a name="index-Wanalyzer_002dfd_002daccess_002dmode_002dmismatch"></a> +<a name="index-Wno_002danalyzer_002dfd_002daccess_002dmode_002dmismatch"></a> +</dd> +<dt><code>-Wno-analyzer-fd-access-mode-mismatch</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-fd-access-mode-mismatch</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through code in which a +<code>read</code> on a write-only file descriptor is attempted, or vice versa. +</p> +<p>This diagnostic also warns for code paths in a which a function with attribute +<code>fd_arg_read (N)</code> is called with a file descriptor opened with +<code>O_WRONLY</code> at referenced argument <code>N</code> or a function with attribute +<code>fd_arg_write (N)</code> is called with a file descriptor opened with +<code>O_RDONLY</code> at referenced argument <var>N</var>. +</p> +<a name="index-Wanalyzer_002dfd_002ddouble_002dclose"></a> +<a name="index-Wno_002danalyzer_002dfd_002ddouble_002dclose"></a> +</dd> +<dt><code>-Wno-analyzer-fd-double-close</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-fd-double-close</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through code in which a +file descriptor can be closed more than once. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/1341.html">CWE-1341: Multiple Releases of Same Resource or Handle</a>. +</p> +<a name="index-Wanalyzer_002dfd_002dleak"></a> +<a name="index-Wno_002danalyzer_002dfd_002dleak"></a> +</dd> +<dt><code>-Wno-analyzer-fd-leak</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-fd-leak</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through code in which an +open file descriptor is leaked. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/775.html">CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime</a>. +</p> +<a name="index-Wanalyzer_002dfd_002dphase_002dmismatch"></a> +<a name="index-Wno_002danalyzer_002dfd_002dphase_002dmismatch"></a> +</dd> +<dt><code>-Wno-analyzer-fd-phase-mismatch</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-fd-phase-mismatch</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through code in which an operation is +attempted in the wrong phase of a file descriptor’s lifetime. +For example, it will warn on attempts to call <code>accept</code> on a stream +socket that has not yet had <code>listen</code> successfully called on it. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/666.html">CWE-666: Operation on Resource in Wrong Phase of Lifetime</a>. +</p> +<a name="index-Wanalyzer_002dfd_002dtype_002dmismatch"></a> +<a name="index-Wno_002danalyzer_002dfd_002dtype_002dmismatch"></a> +</dd> +<dt><code>-Wno-analyzer-fd-type-mismatch</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-fd-type-mismatch</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through code in which an +operation is attempted on the wrong type of file descriptor. +For example, it will warn on attempts to use socket operations +on a file descriptor obtained via <code>open</code>, or when attempting +to use a stream socket operation on a datagram socket. +</p> +<a name="index-Wanalyzer_002dfd_002duse_002dafter_002dclose"></a> +<a name="index-Wno_002danalyzer_002dfd_002duse_002dafter_002dclose"></a> +</dd> +<dt><code>-Wno-analyzer-fd-use-after-close</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-fd-use-after-close</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through code in which a +read or write is called on a closed file descriptor. +</p> +<p>This diagnostic also warns for paths through code in which +a function with attribute <code>fd_arg (N)</code> or <code>fd_arg_read (N)</code> +or <code>fd_arg_write (N)</code> is called with a closed file descriptor at +referenced argument <code>N</code>. +</p> +<a name="index-Wanalyzer_002dfd_002duse_002dwithout_002dcheck"></a> +<a name="index-Wno_002danalyzer_002dfd_002duse_002dwithout_002dcheck"></a> +</dd> +<dt><code>-Wno-analyzer-fd-use-without-check</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-fd-use-without-check</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through code in which a +file descriptor is used without being checked for validity. +</p> +<p>This diagnostic also warns for paths through code in which +a function with attribute <code>fd_arg (N)</code> or <code>fd_arg_read (N)</code> +or <code>fd_arg_write (N)</code> is called with a file descriptor, at referenced +argument <code>N</code>, without being checked for validity. +</p> +<a name="index-Wanalyzer_002dfile_002dleak"></a> +<a name="index-Wno_002danalyzer_002dfile_002dleak"></a> +</dd> +<dt><code>-Wno-analyzer-file-leak</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-file-leak</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +<code><stdio.h></code> <code>FILE *</code> stream object is leaked. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/775.html">CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime</a>. +</p> +<a name="index-Wanalyzer_002dfree_002dof_002dnon_002dheap"></a> +<a name="index-Wno_002danalyzer_002dfree_002dof_002dnon_002dheap"></a> +</dd> +<dt><code>-Wno-analyzer-free-of-non-heap</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-free-of-non-heap</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through the code in which <code>free</code> +is called on a non-heap pointer (e.g. an on-stack buffer, or a global). +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/590.html">CWE-590: Free of Memory not on the Heap</a>. +</p> +<a name="index-Wanalyzer_002dimprecise_002dfp_002darithmetic"></a> +<a name="index-Wno_002danalyzer_002dimprecise_002dfp_002darithmetic"></a> +</dd> +<dt><code>-Wno-analyzer-imprecise-fp-arithmetic</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-imprecise-fp-arithmetic</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through the code in which floating-point +arithmetic is used in locations where precise computation is needed. This +diagnostic only warns on use of floating-point operands inside the +calculation of an allocation size at the moment. +</p> +<a name="index-Wanalyzer_002dinfinite_002drecursion"></a> +<a name="index-Wno_002danalyzer_002dinfinite_002drecursion"></a> +</dd> +<dt><code>-Wno-analyzer-infinite-recursion</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-infinite-recursion</samp> to disable it. +</p> +<p>This diagnostics warns for paths through the code which appear to +lead to infinite recursion. +</p> +<p>Specifically, when the analyzer "sees" a recursive call, it will compare +the state of memory at the entry to the new frame with that at the entry +to the previous frame of that function on the stack. The warning is +issued if nothing in memory appears to be changing; any changes observed +to parameters or globals are assumed to lead to termination of the +recursion and thus suppress the warning. +</p> +<p>This diagnostic is likely to miss cases of infinite recursion that +are convered to iteration by the optimizer before the analyzer "sees" +them. Hence optimization should be disabled when attempting to trigger +this diagnostic. +</p> +<p>Compare with <samp>-Winfinite-recursion</samp>, which provides a similar +diagnostic, but is implemented in a different way. +</p> +<a name="index-Wanalyzer_002djump_002dthrough_002dnull"></a> +<a name="index-Wno_002danalyzer_002djump_002dthrough_002dnull"></a> +</dd> +<dt><code>-Wno-analyzer-jump-through-null</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-jump-through-null</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a <code>NULL</code> +function pointer is called. +</p> +<a name="index-Wanalyzer_002dmalloc_002dleak"></a> +<a name="index-Wno_002danalyzer_002dmalloc_002dleak"></a> +</dd> +<dt><code>-Wno-analyzer-malloc-leak</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-malloc-leak</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +pointer allocated via an allocator is leaked: either <code>malloc</code>, +or a function marked with attribute <code>malloc</code>. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/401.html">CWE-401: Missing Release of Memory after Effective Lifetime</a>. +</p> +<a name="index-Wanalyzer_002dmismatching_002ddeallocation"></a> +<a name="index-Wno_002danalyzer_002dmismatching_002ddeallocation"></a> +</dd> +<dt><code>-Wno-analyzer-mismatching-deallocation</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-mismatching-deallocation</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through the code in which the +wrong deallocation function is called on a pointer value, based on +which function was used to allocate the pointer value. The diagnostic +will warn about mismatches between <code>free</code>, scalar <code>delete</code> +and vector <code>delete[]</code>, and those marked as allocator/deallocator +pairs using attribute <code>malloc</code>. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/762.html">CWE-762: Mismatched Memory Management Routines</a>. +</p> +<a name="index-Wanalyzer_002dout_002dof_002dbounds"></a> +<a name="index-Wno_002danalyzer_002dout_002dof_002dbounds"></a> +</dd> +<dt><code>-Wno-analyzer-out-of-bounds</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-out-of-bounds</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a buffer is +definitely read or written out-of-bounds. The diagnostic applies for +cases where the analyzer is able to determine a constant offset and for +accesses past the end of a buffer, also a constant capacity. Further, +the diagnostic does limited checking for accesses past the end when the +offset as well as the capacity is symbolic. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/119.html">CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer</a>. +</p> +<a name="index-Wanalyzer_002dpossible_002dnull_002dargument"></a> +<a name="index-Wno_002danalyzer_002dpossible_002dnull_002dargument"></a> +</dd> +<dt><code>-Wno-analyzer-possible-null-argument</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-possible-null-argument</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +possibly-NULL value is passed to a function argument marked +with <code>__attribute__((nonnull))</code> as requiring a non-NULL +value. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/690.html">CWE-690: Unchecked Return Value to NULL Pointer Dereference</a>. +</p> +<a name="index-Wanalyzer_002dpossible_002dnull_002ddereference"></a> +<a name="index-Wno_002danalyzer_002dpossible_002dnull_002ddereference"></a> +</dd> +<dt><code>-Wno-analyzer-possible-null-dereference</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-possible-null-dereference</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +possibly-NULL value is dereferenced. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/690.html">CWE-690: Unchecked Return Value to NULL Pointer Dereference</a>. +</p> +<a name="index-Wanalyzer_002dnull_002dargument"></a> +<a name="index-Wno_002danalyzer_002dnull_002dargument"></a> +</dd> +<dt><code>-Wno-analyzer-null-argument</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-null-argument</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +value known to be NULL is passed to a function argument marked +with <code>__attribute__((nonnull))</code> as requiring a non-NULL +value. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/476.html">CWE-476: NULL Pointer Dereference</a>. +</p> +<a name="index-Wanalyzer_002dnull_002ddereference"></a> +<a name="index-Wno_002danalyzer_002dnull_002ddereference"></a> +</dd> +<dt><code>-Wno-analyzer-null-dereference</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-null-dereference</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +value known to be NULL is dereferenced. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/476.html">CWE-476: NULL Pointer Dereference</a>. +</p> +<a name="index-Wanalyzer_002dputenv_002dof_002dauto_002dvar"></a> +<a name="index-Wno_002danalyzer_002dputenv_002dof_002dauto_002dvar"></a> +</dd> +<dt><code>-Wno-analyzer-putenv-of-auto-var</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-putenv-of-auto-var</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +call to <code>putenv</code> is passed a pointer to an automatic variable +or an on-stack buffer. +</p> +<p>See <a href="https://wiki.sei.cmu.edu/confluence/x/6NYxBQ">POS34-C. Do not call putenv() with a pointer to an automatic variable as the argument</a>. +</p> +<a name="index-Wanalyzer_002dshift_002dcount_002dnegative"></a> +<a name="index-Wno_002danalyzer_002dshift_002dcount_002dnegative"></a> +</dd> +<dt><code>-Wno-analyzer-shift-count-negative</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-shift-count-negative</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +shift is attempted with a negative count. It is analogous to +the <samp>-Wshift-count-negative</samp> diagnostic implemented in +the C/C++ front ends, but is implemented based on analyzing +interprocedural paths, rather than merely parsing the syntax tree. +However, the analyzer does not prioritize detection of such paths, so +false negatives are more likely relative to other warnings. +</p> +<a name="index-Wanalyzer_002dshift_002dcount_002doverflow"></a> +<a name="index-Wno_002danalyzer_002dshift_002dcount_002doverflow"></a> +</dd> +<dt><code>-Wno-analyzer-shift-count-overflow</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-shift-count-overflow</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +shift is attempted with a count greater than or equal to the +precision of the operand’s type. It is analogous to +the <samp>-Wshift-count-overflow</samp> diagnostic implemented in +the C/C++ front ends, but is implemented based on analyzing +interprocedural paths, rather than merely parsing the syntax tree. +However, the analyzer does not prioritize detection of such paths, so +false negatives are more likely relative to other warnings. +</p> +<a name="index-Wanalyzer_002dstale_002dsetjmp_002dbuffer"></a> +<a name="index-Wno_002danalyzer_002dstale_002dsetjmp_002dbuffer"></a> +</dd> +<dt><code>-Wno-analyzer-stale-setjmp-buffer</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-stale-setjmp-buffer</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which +<code>longjmp</code> is called to rewind to a <code>jmp_buf</code> relating +to a <code>setjmp</code> call in a function that has returned. +</p> +<p>When <code>setjmp</code> is called on a <code>jmp_buf</code> to record a rewind +location, it records the stack frame. The stack frame becomes invalid +when the function containing the <code>setjmp</code> call returns. Attempting +to rewind to it via <code>longjmp</code> would reference a stack frame that +no longer exists, and likely lead to a crash (or worse). +</p> +<a name="index-Wanalyzer_002dtainted_002dallocation_002dsize"></a> +<a name="index-Wno_002danalyzer_002dtainted_002dallocation_002dsize"></a> +</dd> +<dt><code>-Wno-analyzer-tainted-allocation-size</code></dt> +<dd><p>This warning requires both <samp>-fanalyzer</samp> and +<samp>-fanalyzer-checker=taint</samp> to enable it; +use <samp>-Wno-analyzer-tainted-allocation-size</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a value +that could be under an attacker’s control is used as the size +of an allocation without being sanitized, so that an attacker could +inject an excessively large allocation and potentially cause a denial +of service attack. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/789.html">CWE-789: Memory Allocation with Excessive Size Value</a>. +</p> +<a name="index-Wanalyzer_002dtainted_002dassertion"></a> +<a name="index-Wno_002danalyzer_002dtainted_002dassertion"></a> +</dd> +<dt><code>-Wno-analyzer-tainted-assertion</code></dt> +<dd> +<p>This warning requires both <samp>-fanalyzer</samp> and +<samp>-fanalyzer-checker=taint</samp> to enable it; +use <samp>-Wno-analyzer-tainted-assertion</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a value +that could be under an attacker’s control is used as part of a +condition without being first sanitized, and that condition guards a +call to a function marked with attribute <code>noreturn</code> +(such as the function <code>__builtin_unreachable</code>). Such functions +typically indicate abnormal termination of the program, such as for +assertion failure handlers. For example: +</p> +<div class="smallexample"> +<pre class="smallexample">assert (some_tainted_value < SOME_LIMIT); +</pre></div> + +<p>In such cases: +</p> +<ul> +<li> when assertion-checking is enabled: an attacker could trigger +a denial of service by injecting an assertion failure + +</li><li> when assertion-checking is disabled, such as by defining <code>NDEBUG</code>, +an attacker could inject data that subverts the process, since it +presumably violates a precondition that is being assumed by the code. + +</li></ul> + +<p>Note that when assertion-checking is disabled, the assertions are +typically removed by the preprocessor before the analyzer has a chance +to "see" them, so this diagnostic can only generate warnings on builds +in which assertion-checking is enabled. +</p> +<p>For the purpose of this warning, any function marked with attribute +<code>noreturn</code> is considered as a possible assertion failure +handler, including <code>__builtin_unreachable</code>. Note that these functions +are sometimes removed by the optimizer before the analyzer "sees" them. +Hence optimization should be disabled when attempting to trigger this +diagnostic. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/617.html">CWE-617: Reachable Assertion</a>. +</p> +<p>The warning can also report problematic constructions such as +</p> +<div class="smallexample"> +<pre class="smallexample">switch (some_tainted_value) { +case 0: + /* [...etc; various valid cases omitted...] */ + break; + +default: + __builtin_unreachable (); /* BUG: attacker can trigger this */ +} +</pre></div> + +<p>despite the above not being an assertion failure, strictly speaking. +</p> +<a name="index-Wanalyzer_002dtainted_002darray_002dindex"></a> +<a name="index-Wno_002danalyzer_002dtainted_002darray_002dindex"></a> +</dd> +<dt><code>-Wno-analyzer-tainted-array-index</code></dt> +<dd><p>This warning requires both <samp>-fanalyzer</samp> and +<samp>-fanalyzer-checker=taint</samp> to enable it; +use <samp>-Wno-analyzer-tainted-array-index</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a value +that could be under an attacker’s control is used as the index +of an array access without being sanitized, so that an attacker +could inject an out-of-bounds access. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/129.html">CWE-129: Improper Validation of Array Index</a>. +</p> +<a name="index-Wanalyzer_002dtainted_002ddivisor"></a> +<a name="index-Wno_002danalyzer_002dtainted_002ddivisor"></a> +</dd> +<dt><code>-Wno-analyzer-tainted-divisor</code></dt> +<dd><p>This warning requires both <samp>-fanalyzer</samp> and +<samp>-fanalyzer-checker=taint</samp> to enable it; +use <samp>-Wno-analyzer-tainted-divisor</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a value +that could be under an attacker’s control is used as the divisor +in a division or modulus operation without being sanitized, so that +an attacker could inject a division-by-zero. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/369.html">CWE-369: Divide By Zero</a>. +</p> +<a name="index-Wanalyzer_002dtainted_002doffset"></a> +<a name="index-Wno_002danalyzer_002dtainted_002doffset"></a> +</dd> +<dt><code>-Wno-analyzer-tainted-offset</code></dt> +<dd><p>This warning requires both <samp>-fanalyzer</samp> and +<samp>-fanalyzer-checker=taint</samp> to enable it; +use <samp>-Wno-analyzer-tainted-offset</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a value +that could be under an attacker’s control is used as a pointer offset +without being sanitized, so that an attacker could inject an out-of-bounds +access. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/823.html">CWE-823: Use of Out-of-range Pointer Offset</a>. +</p> +<a name="index-Wanalyzer_002dtainted_002dsize"></a> +<a name="index-Wno_002danalyzer_002dtainted_002dsize"></a> +</dd> +<dt><code>-Wno-analyzer-tainted-size</code></dt> +<dd><p>This warning requires both <samp>-fanalyzer</samp> and +<samp>-fanalyzer-checker=taint</samp> to enable it; +use <samp>-Wno-analyzer-tainted-size</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a value +that could be under an attacker’s control is used as the size of +an operation such as <code>memset</code> without being sanitized, so that an +attacker could inject an out-of-bounds access. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/129.html">CWE-129: Improper Validation of Array Index</a>. +</p> +<a name="index-Wanalyzer_002dunsafe_002dcall_002dwithin_002dsignal_002dhandler"></a> +<a name="index-Wno_002danalyzer_002dunsafe_002dcall_002dwithin_002dsignal_002dhandler"></a> +</dd> +<dt><code>-Wno-analyzer-unsafe-call-within-signal-handler</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-unsafe-call-within-signal-handler</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +function known to be async-signal-unsafe (such as <code>fprintf</code>) is +called from a signal handler. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/479.html">CWE-479: Signal Handler Use of a Non-reentrant Function</a>. +</p> +<a name="index-Wanalyzer_002duse_002dafter_002dfree"></a> +<a name="index-Wno_002danalyzer_002duse_002dafter_002dfree"></a> +</dd> +<dt><code>-Wno-analyzer-use-after-free</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-use-after-free</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a +pointer is used after a deallocator is called on it: either <code>free</code>, +or a deallocator referenced by attribute <code>malloc</code>. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/416.html">CWE-416: Use After Free</a>. +</p> +<a name="index-Wanalyzer_002duse_002dof_002dpointer_002din_002dstale_002dstack_002dframe"></a> +<a name="index-Wno_002danalyzer_002duse_002dof_002dpointer_002din_002dstale_002dstack_002dframe"></a> +</dd> +<dt><code>-Wno-analyzer-use-of-pointer-in-stale-stack-frame</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-use-of-pointer-in-stale-stack-frame</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through the code in which a pointer +is dereferenced that points to a variable in a stale stack frame. +</p> +<a name="index-Wanalyzer_002dva_002darg_002dtype_002dmismatch"></a> +<a name="index-Wno_002danalyzer_002dva_002darg_002dtype_002dmismatch"></a> +</dd> +<dt><code>-Wno-analyzer-va-arg-type-mismatch</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-va-arg-type-mismatch</samp> +to disable it. +</p> +<p>This diagnostic warns for interprocedural paths through the code for which +the analyzer detects an attempt to use <code>va_arg</code> to extract a value +passed to a variadic call, but uses a type that does not match that of +the expression passed to the call. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/686.html">CWE-686: Function Call With Incorrect Argument Type</a>. +</p> +<a name="index-Wanalyzer_002dva_002dlist_002dexhausted"></a> +<a name="index-Wno_002danalyzer_002dva_002dlist_002dexhausted"></a> +</dd> +<dt><code>-Wno-analyzer-va-list-exhausted</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-va-list-exhausted</samp> +to disable it. +</p> +<p>This diagnostic warns for interprocedural paths through the code for which +the analyzer detects an attempt to use <code>va_arg</code> to access the next +value passed to a variadic call, but all of the values in the +<code>va_list</code> have already been consumed. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/685.html">CWE-685: Function Call With Incorrect Number of Arguments</a>. +</p> +<a name="index-Wanalyzer_002dva_002dlist_002dleak"></a> +<a name="index-Wno_002danalyzer_002dva_002dlist_002dleak"></a> +</dd> +<dt><code>-Wno-analyzer-va-list-leak</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-va-list-leak</samp> +to disable it. +</p> +<p>This diagnostic warns for interprocedural paths through the code for which +the analyzer detects that <code>va_start</code> or <code>va_copy</code> has been called +on a <code>va_list</code> without a corresponding call to <code>va_end</code>. +</p> +<a name="index-Wanalyzer_002dva_002dlist_002duse_002dafter_002dva_002dend"></a> +<a name="index-Wno_002danalyzer_002dva_002dlist_002duse_002dafter_002dva_002dend"></a> +</dd> +<dt><code>-Wno-analyzer-va-list-use-after-va-end</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-va-list-use-after-va-end</samp> +to disable it. +</p> +<p>This diagnostic warns for interprocedural paths through the code for which +the analyzer detects an attempt to use a <code>va_list</code> after +<code>va_end</code> has been called on it. +<code>va_list</code>. +</p> +<a name="index-Wanalyzer_002dwrite_002dto_002dconst"></a> +<a name="index-Wno_002danalyzer_002dwrite_002dto_002dconst"></a> +</dd> +<dt><code>-Wno-analyzer-write-to-const</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-write-to-const</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through the code in which the analyzer +detects an attempt to write through a pointer to a <code>const</code> object. +However, the analyzer does not prioritize detection of such paths, so +false negatives are more likely relative to other warnings. +</p> +<a name="index-Wanalyzer_002dwrite_002dto_002dstring_002dliteral"></a> +<a name="index-Wno_002danalyzer_002dwrite_002dto_002dstring_002dliteral"></a> +</dd> +<dt><code>-Wno-analyzer-write-to-string-literal</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-write-to-string-literal</samp> +to disable it. +</p> +<p>This diagnostic warns for paths through the code in which the analyzer +detects an attempt to write through a pointer to a string literal. +However, the analyzer does not prioritize detection of such paths, so +false negatives are more likely relative to other warnings. +</p> +<a name="index-Wanalyzer_002duse_002dof_002duninitialized_002dvalue"></a> +<a name="index-Wno_002danalyzer_002duse_002dof_002duninitialized_002dvalue"></a> +</dd> +<dt><code>-Wno-analyzer-use-of-uninitialized-value</code></dt> +<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use +<samp>-Wno-analyzer-use-of-uninitialized-value</samp> to disable it. +</p> +<p>This diagnostic warns for paths through the code in which an uninitialized +value is used. +</p> +<p>See <a href="https://cwe.mitre.org/data/definitions/457.html">CWE-457: Use of Uninitialized Variable</a>. +</p> +</dd> +</dl> + +<p>The analyzer has hardcoded knowledge about the behavior of the following +memory-management functions: +</p> +<ul> +<li> <code>alloca</code> +</li><li> The built-in functions <code>__builtin_alloc</code>, +<code>__builtin_alloc_with_align</code>, </li><li> <code>__builtin_calloc</code>, +<code>__builtin_free</code>, <code>__builtin_malloc</code>, <code>__builtin_memcpy</code>, +<code>__builtin_memcpy_chk</code>, <code>__builtin_memset</code>, +<code>__builtin_memset_chk</code>, <code>__builtin_realloc</code>, +<code>__builtin_stack_restore</code>, and <code>__builtin_stack_save</code> +</li><li> <code>calloc</code> +</li><li> <code>free</code> +</li><li> <code>malloc</code> +</li><li> <code>memset</code> +</li><li> <code>operator delete</code> +</li><li> <code>operator delete []</code> +</li><li> <code>operator new</code> +</li><li> <code>operator new []</code> +</li><li> <code>realloc</code> +</li><li> <code>strdup</code> +</li><li> <code>strndup</code> +</li></ul> + +<p>of the following functions for working with file descriptors: +</p> +<ul> +<li> <code>open</code> +</li><li> <code>close</code> +</li><li> <code>creat</code> +</li><li> <code>dup</code>, <code>dup2</code> and <code>dup3</code> +</li><li> <code>isatty</code> +</li><li> <code>pipe</code>, and <code>pipe2</code> +</li><li> <code>read</code> +</li><li> <code>write</code> +</li><li> <code>socket</code>, <code>bind</code>, <code>listen</code>, <code>accept</code>, and <code>connect</code> +</li></ul> + +<p>of the following functions for working with <code><stdio.h></code> streams: +</p><ul> +<li> The built-in functions <code>__builtin_fprintf</code>, +<code>__builtin_fprintf_unlocked</code>, <code>__builtin_fputc</code>, +<code>__builtin_fputc_unlocked</code>, <code>__builtin_fputs</code>, +<code>__builtin_fputs_unlocked</code>, <code>__builtin_fwrite</code>, +<code>__builtin_fwrite_unlocked</code>, <code>__builtin_printf</code>, +<code>__builtin_printf_unlocked</code>, <code>__builtin_putc</code>, +<code>__builtin_putchar</code>, <code>__builtin_putchar_unlocked</code>, +<code>__builtin_putc_unlocked</code>, <code>__builtin_puts</code>, +<code>__builtin_puts_unlocked</code>, <code>__builtin_vfprintf</code>, and +<code>__builtin_vprintf</code> +</li><li> <code>fopen</code> +</li><li> <code>fclose</code> +</li><li> <code>ferror</code> +</li><li> <code>fgets</code> +</li><li> <code>fgets_unlocked</code> +</li><li> <code>fileno</code> +</li><li> <code>fread</code> +</li><li> <code>getc</code> +</li><li> <code>getchar</code> +</li><li> <code>fprintf</code> +</li><li> <code>printf</code> +</li><li> <code>fwrite</code> +</li></ul> + +<p>and of the following functions: +</p> +<ul> +<li> The built-in functions <code>__builtin_expect</code>, +<code>__builtin_expect_with_probability</code>, <code>__builtin_strchr</code>, +<code>__builtin_strcpy</code>, <code>__builtin_strcpy_chk</code>, +<code>__builtin_strlen</code>, <code>__builtin_va_copy</code>, and +<code>__builtin_va_start</code> +</li><li> The GNU extensions <code>error</code> and <code>error_at_line</code> +</li><li> <code>getpass</code> +</li><li> <code>longjmp</code> +</li><li> <code>putenv</code> +</li><li> <code>setjmp</code> +</li><li> <code>siglongjmp</code> +</li><li> <code>signal</code> +</li><li> <code>sigsetjmp</code> +</li><li> <code>strchr</code> +</li><li> <code>strlen</code> +</li></ul> + +<p>In addition, various functions with an <code>__analyzer_</code> prefix have +special meaning to the analyzer, described in the GCC Internals manual. +</p> +<p>Pertinent parameters for controlling the exploration are: +</p><ul> +<li> <samp>--param analyzer-bb-explosion-factor=<var>value</var></samp> +</li><li> <samp>--param analyzer-max-enodes-per-program-point=<var>value</var></samp> +</li><li> <samp>--param analyzer-max-recursion-depth=<var>value</var></samp> +</li><li> <samp>--param analyzer-min-snodes-for-call-summary=<var>value</var></samp> +</li></ul> + +<p>The following options control the analyzer. +</p> +<dl compact="compact"> +<dd> +<a name="index-fanalyzer_002dcall_002dsummaries"></a> +<a name="index-fno_002danalyzer_002dcall_002dsummaries"></a> +</dd> +<dt><code>-fanalyzer-call-summaries</code></dt> +<dd><p>Simplify interprocedural analysis by computing the effect of certain calls, +rather than exploring all paths through the function from callsite to each +possible return. +</p> +<p>If enabled, call summaries are only used for functions with more than one +call site, and that are sufficiently complicated (as per +<samp>--param analyzer-min-snodes-for-call-summary=<var>value</var></samp>). +</p> +<a name="index-fanalyzer_002dchecker"></a> +</dd> +<dt><code>-fanalyzer-checker=<var>name</var></code></dt> +<dd><p>Restrict the analyzer to run just the named checker, and enable it. +</p> +<p>Some checkers are disabled by default (even with <samp>-fanalyzer</samp>), +such as the <code>taint</code> checker that implements +<samp>-Wanalyzer-tainted-array-index</samp>, and this option is required +to enable them. +</p> +<p><em>Note:</em> currently, <samp>-fanalyzer-checker=taint</samp> disables the +following warnings from <samp>-fanalyzer</samp>: +</p> +<div class="smallexample"> +<pre class="smallexample">-Wanalyzer-deref-before-check +-Wanalyzer-double-fclose +-Wanalyzer-double-free +-Wanalyzer-exposure-through-output-file +-Wanalyzer-fd-access-mode-mismatch +-Wanalyzer-fd-double-close +-Wanalyzer-fd-leak +-Wanalyzer-fd-use-after-close +-Wanalyzer-fd-use-without-check +-Wanalyzer-file-leak +-Wanalyzer-free-of-non-heap +-Wanalyzer-malloc-leak +-Wanalyzer-mismatching-deallocation +-Wanalyzer-null-argument +-Wanalyzer-null-dereference +-Wanalyzer-possible-null-argument +-Wanalyzer-possible-null-dereference +-Wanalyzer-unsafe-call-within-signal-handler +-Wanalyzer-use-after-free +-Wanalyzer-va-list-leak +-Wanalyzer-va-list-use-after-va-end + +</pre></div> + +<a name="index-fanalyzer_002dfeasibility"></a> +<a name="index-fno_002danalyzer_002dfeasibility"></a> +</dd> +<dt><code>-fno-analyzer-feasibility</code></dt> +<dd><p>This option is intended for analyzer developers. +</p> +<p>By default the analyzer verifies that there is a feasible control flow path +for each diagnostic it emits: that the conditions that hold are not mutually +exclusive. Diagnostics for which no feasible path can be found are rejected. +This filtering can be suppressed with <samp>-fno-analyzer-feasibility</samp>, for +debugging issues in this code. +</p> +<a name="index-fanalyzer_002dfine_002dgrained"></a> +<a name="index-fno_002danalyzer_002dfine_002dgrained"></a> +</dd> +<dt><code>-fanalyzer-fine-grained</code></dt> +<dd><p>This option is intended for analyzer developers. +</p> +<p>Internally the analyzer builds an “exploded graph” that combines +control flow graphs with data flow information. +</p> +<p>By default, an edge in this graph can contain the effects of a run +of multiple statements within a basic block. With +<samp>-fanalyzer-fine-grained</samp>, each statement gets its own edge. +</p> +<a name="index-fanalyzer_002dshow_002dduplicate_002dcount"></a> +<a name="index-fno_002danalyzer_002dshow_002dduplicate_002dcount"></a> +</dd> +<dt><code>-fanalyzer-show-duplicate-count</code></dt> +<dd><p>This option is intended for analyzer developers: if multiple diagnostics +have been detected as being duplicates of each other, it emits a note when +reporting the best diagnostic, giving the number of additional diagnostics +that were suppressed by the deduplication logic. +</p> +<a name="index-fanalyzer_002dstate_002dmerge"></a> +<a name="index-fno_002danalyzer_002dstate_002dmerge"></a> +</dd> +<dt><code>-fno-analyzer-state-merge</code></dt> +<dd><p>This option is intended for analyzer developers. +</p> +<p>By default the analyzer attempts to simplify analysis by merging +sufficiently similar states at each program point as it builds its +“exploded graph”. With <samp>-fno-analyzer-state-merge</samp> this +merging can be suppressed, for debugging state-handling issues. +</p> +<a name="index-fanalyzer_002dstate_002dpurge"></a> +<a name="index-fno_002danalyzer_002dstate_002dpurge"></a> +</dd> +<dt><code>-fno-analyzer-state-purge</code></dt> +<dd><p>This option is intended for analyzer developers. +</p> +<p>By default the analyzer attempts to simplify analysis by purging +aspects of state at a program point that appear to no longer be relevant +e.g. the values of locals that aren’t accessed later in the function +and which aren’t relevant to leak analysis. +</p> +<p>With <samp>-fno-analyzer-state-purge</samp> this purging of state can +be suppressed, for debugging state-handling issues. +</p> +<a name="index-fanalyzer_002dsuppress_002dfollowups"></a> +<a name="index-fno_002danalyzer_002dsuppress_002dfollowups"></a> +</dd> +<dt><code>-fno-analyzer-suppress-followups</code></dt> +<dd><p>This option is intended for analyzer developers. +</p> +<p>By default the analyzer will stop exploring an execution path after +encountering certain diagnostics, in order to avoid potentially issuing a +cascade of follow-up diagnostics. +</p> +<p>The diagnostics that terminate analysis along a path are: +</p> +<ul> +<li> <samp>-Wanalyzer-null-argument</samp> +</li><li> <samp>-Wanalyzer-null-dereference</samp> +</li><li> <samp>-Wanalyzer-use-after-free</samp> +</li><li> <samp>-Wanalyzer-use-of-pointer-in-stale-stack-frame</samp> +</li><li> <samp>-Wanalyzer-use-of-uninitialized-value</samp> +</li></ul> + +<p>With <samp>-fno-analyzer-suppress-followups</samp> the analyzer will +continue to explore such paths even after such diagnostics, which may +be helpful for debugging issues in the analyzer, or for microbenchmarks +for detecting undefined behavior. +</p> +<a name="index-fanalyzer_002dtransitivity"></a> +<a name="index-fno_002danalyzer_002dtransitivity"></a> +</dd> +<dt><code>-fanalyzer-transitivity</code></dt> +<dd><p>This option enables transitivity of constraints within the analyzer. +</p> +<a name="index-fanalyzer_002dundo_002dinlining"></a> +<a name="index-fno_002danalyzer_002dundo_002dinlining"></a> +</dd> +<dt><code>-fno-analyzer-undo-inlining</code></dt> +<dd><p>This option is intended for analyzer developers. +</p> +<p><samp>-fanalyzer</samp> runs relatively late compared to other code analysis +tools, and some optimizations have already been applied to the code. In +particular function inlining may have occurred, leading to the +interprocedural execution paths emitted by the analyzer containing +function frames that don’t correspond to those in the original source +code. +</p> +<p>By default the analyzer attempts to reconstruct the original function +frames, and to emit events showing the inlined calls. +</p> +<p>With <samp>-fno-analyzer-undo-inlining</samp> this attempt to reconstruct +the original frame information can be be disabled, which may be of help +when debugging issues in the analyzer. +</p> +</dd> +<dt><code>-fanalyzer-verbose-edges</code></dt> +<dd><p>This option is intended for analyzer developers. It enables more +verbose, lower-level detail in the descriptions of control flow +within diagnostic paths. +</p> +</dd> +<dt><code>-fanalyzer-verbose-state-changes</code></dt> +<dd><p>This option is intended for analyzer developers. It enables more +verbose, lower-level detail in the descriptions of events relating +to state machines within diagnostic paths. +</p> +</dd> +<dt><code>-fanalyzer-verbosity=<var>level</var></code></dt> +<dd><p>This option controls the complexity of the control flow paths that are +emitted for analyzer diagnostics. +</p> +<p>The <var>level</var> can be one of: +</p> +<dl compact="compact"> +<dt>‘<samp>0</samp>’</dt> +<dd><p>At this level, interprocedural call and return events are displayed, +along with the most pertinent state-change events relating to +a diagnostic. For example, for a double-<code>free</code> diagnostic, +both calls to <code>free</code> will be shown. +</p> +</dd> +<dt>‘<samp>1</samp>’</dt> +<dd><p>As per the previous level, but also show events for the entry +to each function. +</p> +</dd> +<dt>‘<samp>2</samp>’</dt> +<dd><p>As per the previous level, but also show events relating to +control flow that are significant to triggering the issue +(e.g. “true path taken” at a conditional). +</p> +<p>This level is the default. +</p> +</dd> +<dt>‘<samp>3</samp>’</dt> +<dd><p>As per the previous level, but show all control flow events, not +just significant ones. +</p> +</dd> +<dt>‘<samp>4</samp>’</dt> +<dd><p>This level is intended for analyzer developers; it adds various +other events intended for debugging the analyzer. +</p> +</dd> +</dl> + +<a name="index-fdump_002danalyzer"></a> +</dd> +<dt><code>-fdump-analyzer</code></dt> +<dd><p>Dump internal details about what the analyzer is doing to +<samp><var>file</var>.analyzer.txt</samp>. +<samp>-fdump-analyzer-stderr</samp> overrides this option. +</p> +<a name="index-fdump_002danalyzer_002dstderr"></a> +</dd> +<dt><code>-fdump-analyzer-stderr</code></dt> +<dd><p>Dump internal details about what the analyzer is doing to stderr. +This option overrides <samp>-fdump-analyzer</samp>. +</p> +<a name="index-fdump_002danalyzer_002dcallgraph"></a> +</dd> +<dt><code>-fdump-analyzer-callgraph</code></dt> +<dd><p>Dump a representation of the call graph suitable for viewing with +GraphViz to <samp><var>file</var>.callgraph.dot</samp>. +</p> +<a name="index-fdump_002danalyzer_002dexploded_002dgraph"></a> +</dd> +<dt><code>-fdump-analyzer-exploded-graph</code></dt> +<dd><p>Dump a representation of the “exploded graph” suitable for viewing with +GraphViz to <samp><var>file</var>.eg.dot</samp>. +Nodes are color-coded based on state-machine states to emphasize +state changes. +</p> +<a name="index-dump_002danalyzer_002dexploded_002dnodes"></a> +</dd> +<dt><code>-fdump-analyzer-exploded-nodes</code></dt> +<dd><p>Emit diagnostics showing where nodes in the “exploded graph” are +in relation to the program source. +</p> +<a name="index-dump_002danalyzer_002dexploded_002dnodes_002d2"></a> +</dd> +<dt><code>-fdump-analyzer-exploded-nodes-2</code></dt> +<dd><p>Dump a textual representation of the “exploded graph” to +<samp><var>file</var>.eg.txt</samp>. +</p> +<a name="index-dump_002danalyzer_002dexploded_002dnodes_002d3"></a> +</dd> +<dt><code>-fdump-analyzer-exploded-nodes-3</code></dt> +<dd><p>Dump a textual representation of the “exploded graph” to +one dump file per node, to <samp><var>file</var>.eg-<var>id</var>.txt</samp>. +This is typically a large number of dump files. +</p> +<a name="index-fdump_002danalyzer_002dexploded_002dpaths"></a> +</dd> +<dt><code>-fdump-analyzer-exploded-paths</code></dt> +<dd><p>Dump a textual representation of the “exploded path” for each +diagnostic to <samp><var>file</var>.<var>idx</var>.<var>kind</var>.epath.txt</samp>. +</p> +<a name="index-dump_002danalyzer_002dfeasibility"></a> +</dd> +<dt><code>-fdump-analyzer-feasibility</code></dt> +<dd><p>Dump internal details about the analyzer’s search for feasible paths. +The details are written in a form suitable for viewing with GraphViz +to filenames of the form <samp><var>file</var>.*.fg.dot</samp>, +<samp><var>file</var>.*.tg.dot</samp>, and <samp><var>file</var>.*.fpath.txt</samp>. +</p> +<a name="index-fdump_002danalyzer_002djson"></a> +</dd> +<dt><code>-fdump-analyzer-json</code></dt> +<dd><p>Dump a compressed JSON representation of analyzer internals to +<samp><var>file</var>.analyzer.json.gz</samp>. The precise format is subject +to change. +</p> +<a name="index-fdump_002danalyzer_002dstate_002dpurge"></a> +</dd> +<dt><code>-fdump-analyzer-state-purge</code></dt> +<dd><p>As per <samp>-fdump-analyzer-supergraph</samp>, dump a representation of the +“supergraph” suitable for viewing with GraphViz, but annotate the +graph with information on what state will be purged at each node. +The graph is written to <samp><var>file</var>.state-purge.dot</samp>. +</p> +<a name="index-fdump_002danalyzer_002dsupergraph"></a> +</dd> +<dt><code>-fdump-analyzer-supergraph</code></dt> +<dd><p>Dump representations of the “supergraph” suitable for viewing with +GraphViz to <samp><var>file</var>.supergraph.dot</samp> and to +<samp><var>file</var>.supergraph-eg.dot</samp>. These show all of the +control flow graphs in the program, with interprocedural edges for +calls and returns. The second dump contains annotations showing nodes +in the “exploded graph” and diagnostics associated with them. +</p> +<a name="index-fdump_002danalyzer_002duntracked"></a> +</dd> +<dt><code>-fdump-analyzer-untracked</code></dt> +<dd><p>Emit custom warnings with internal details intended for analyzer developers. +</p> +</dd> +</dl> + +<hr> +<div class="header"> +<p> +Next: <a href="Debugging-Options.html#Debugging-Options" accesskey="n" rel="next">Debugging Options</a>, Previous: <a href="Warning-Options.html#Warning-Options" accesskey="p" rel="previous">Warning Options</a>, Up: <a href="Invoking-GCC.html#Invoking-GCC" accesskey="u" rel="up">Invoking GCC</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Indices.html#Indices" title="Index" rel="index">Index</a>]</p> +</div> + + + +</body> +</html> |