当我们需要真正定义自己的checker,而不是简单地去测试能不能注册成功一个检查器时,我们需要清楚的知道,我们的checker到底要划分在Checkers.td中哪一个package下。下面我们用表格的形式整理罗列一下clang -cc1 -analyzer-checker-help命令后显示的内容。
OVERVIEW: Clang Static Analyzer Checkers List
|
Layer1 |
Layer2 |
Final layer ----class |
说明 |
|
Alpha 34个 有较高误报率的checker False positive rate ,因此属于实验阶段,experiment |
Core 9个 |
alpha.core.BoolAssignment (ObjC) |
|
|
alpha.core.CastSize (C) |
|||
|
alpha.core.CastToStruct (C, C++) |
|||
|
alpha.core.FixedAddr (C) |
|||
|
alpha.core.IdenticalExpr (C, C++) |
|||
|
alpha.core.IdenticalExpr (C, C++) |
|||
|
alpha.core.PointerArithm (C) |
|||
|
alpha.core.PointerSub (C) |
|||
|
alpha.core.SizeofPtr (C) |
|||
|
C++ 2个 |
alpha.cplusplus.NewDeleteLeaks (C++) |
||
|
alpha.cplusplus.VirtualCall (C++) |
|||
|
Variable Argument 3个 |
alpha.valist.CopyToSelf (C) |
||
|
alpha.valist.Uninitialized (C) |
|||
|
alpha.valist.Unterminated (C) |
|||
|
Dead code |
alpha.deadcode.UnreachableCode(C, C++, ObjC) |
||
|
OS X 5个 |
alpha.osx.cocoa.Dealloc (ObjC) |
||
|
alpha.osx.cocoa.DirectIvarAssignment (ObjC) |
|||
|
alpha.osx.cocoa.DirectIvarAssignmentForAnnotatedFunctions (ObjC) |
|||
|
alpha.osx.cocoa.InstanceVariableInvalidation (ObjC) |
|||
|
alpha.osx.cocoa.MissingInvalidationMethod (ObjC) |
|||
|
Security 5个 |
alpha.security.ArrayBound (C) |
||
|
alpha.security.ArrayBoundV2 (C) |
|||
|
alpha.security.MallocOverflow (C) |
|||
|
alpha.security.ReturnPtrRange (C) |
|||
|
alpha.security.taint.TaintPropagation (C) |
|||
|
Unix 9个 |
alpha.unix.Chroot (C) |
||
|
alpha.unix.MallocWithAnnotations (C) |
|||
|
alpha.unix.PthreadLock (C) |
|||
|
alpha.unix.SimpleStream (C) |
|||
|
alpha.unix.Stream (C) |
|||
|
alpha.unix.cstring.BufferOverlap (C) |
|||
|
alpha.unix.cstring.NotNullTerminated (C) |
|||
|
alpha.unix.cstring.OutOfBounds (C) |
|||
|
alpha.unix.cstring.BlockInCriticalSection (C) |
|||
|
Default 47 默认状态下是可以被利用的检查器 |
Core 12 |
core.CallAndMessage (C, C++, ObjC) |
|
|
core.DivideZero (C, C++, ObjC) |
|||
|
core.NonNullParamChecker (C, C++, ObjC) |
|||
|
core.NullDereference (C, C++, ObjC) |
|||
|
core.StackAddressEscape (C) |
|||
|
core.UndefinedBinaryOperatorResult (C) |
|||
|
core.VLASize (C) |
|||
|
core.uninitialized.ArraySubscript (C) |
|||
|
core.uninitialized.Assign (C) |
|||
|
core.uninitialized.Branch (C) |
|||
|
core.uninitialized.CapturedBlockVariable (C) |
|||
|
core.uninitialized.UndefReturn (C) |
|||
|
C++ |
cplusplus.NewDelete (C++) |
||
|
deadcode |
deadcode.DeadStores (C) |
||
|
OS X 18 |
osx.API (C) |
||
|
osx.SecKeychainAPI (C) |
|||
|
osx.cocoa.AtSync (ObjC) |
|||
|
osx.cocoa.ClassRelease (ObjC) |
|||
|
osx.cocoa.IncompatibleMethodTypes (ObjC) |
|||
|
alpha.osx.cocoa.MissingSuperCall (ObjC) |
|||
|
osx.cocoa.NSAutoreleasePool (ObjC) |
|||
|
osx.cocoa.NSError (ObjC) |
|||
|
osx.cocoa.NilArg (ObjC) |
|||
|
osx.cocoa.RetainCount (ObjC) |
|||
|
osx.cocoa.SelfInit (ObjC) |
|||
|
osx.cocoa.UnusedIvars (ObjC) |
|||
|
osx.cocoa.VariadicMethodTypes (ObjC) |
|||
|
osx.coreFoundation.CFError (C) |
|||
|
osx.coreFoundation.CFNumber (C) |
|||
|
osx.coreFoundation.CFRetainRelease (C) |
|||
|
osx.coreFoundation.containers.OutOfBounds (C) |
|||
|
osx.coreFoundation.containers.PointerSizedValues (C) |
|||
|
Security 9 |
security.FloatLoopCounter (C) |
||
|
security.insecureAPI.UncheckedReturn (C) |
|||
|
security.insecureAPI.getpw (C) |
|||
|
security.insecureAPI.gets (C) |
|||
|
security.insecureAPI.mkstemp (C) |
|||
|
security.insecureAPI.mktemp (C) |
|||
|
security.insecureAPI.rand (C) |
|||
|
security.insecureAPI.strcpy (C) |
|||
|
security.insecureAPI.vfork (C) |
|||
|
Unix 6 |
unix.API (C) |
||
|
unix.Malloc (C) |
|||
|
unix.MallocSizeof (C) |
|||
|
unix.MismatchedDeallocator (C, C++, ObjC) |
|||
|
unix.cstring.BadSizeArg (C) |
|||
|
unix.cstring.NullArg (C) |
|||
|
Implicit 隐性检查器不产生警告,只是用来支持分析其内核和模型接口的。 |
Core |
core.DynamicTypePropagation (C++, ObjC) |
|
|
core.builtin.BuiltinFunctions (C) |
|||
|
core.builtin.NoReturnFunctions (C, ObjC) |
|||
|
OS X |
osx.cocoa.Loops (ObjC) |
||
|
osx.cocoa.NonNilReturnValue (ObjC) |
|||
|
Debug http://clang-analyzer.llvm.org/checker_dev_manual.html#commands |
-- |
debug.ViewCFG View Control-Flow Graphs using GraphViz |
|
|
-- |
debug.DumpCFG Display Control-Flow Graphs |
||
|
-- |
debug.ViewCallGraph View Call Graph using GraphViz |
||
|
-- |
debug.DumpCallGraph Display Call Graph |
||
|
-- |
debug.ViewExplodedGraph View Exploded Graphs using GraphViz |
||
|
-- |
debug.Stats Emit warnings with analyzer statistics |
||
|
-- |
debug.AnalysisOrder Print callbacks that are called during analysis in order |
||
|
-- |
debug.ConfigDumper Dump config table |
||
|
-- |
debug.DumpBugHash Dump the bug hash for all statements |
||
|
-- |
debug.DumpCalls Print calls as they are traversed by the engine |
||
|
-- |
debug.DumpDominators :Print the dominance tree for a given CFG |
||
|
-- |
debug.DumpLiveVars Print results of live variable analysis |
||
|
-- |
debug.DumpTraversal Print branch conditions as they are traversed by the engine |
||
|
-- |
debug.TaintTest Mark tainted symbols as such |
||
|
-- |
debug.ExprInspection Check the analyzer's understanding of expressions |
||
|
LLVM |
llvm.Conventions Check code for LLVM codebase conventions |
||
|
其他 |
apiModeling.google.GTest Model gtest assertion APIs |
||
|
Optin |
共5个类 |
||
|
nullability |
共5个类 |
||
对照上面所有checker的简单描述,我们可以大致知道这些类所实现的功能,与内存相关的类都用黄色进行了标注。如果我们要写自己的检查器,应该放在Alpha下面的security package中。此外,在debug过程中我们常用的查看CFG和ExplodedGraph的checker类,用蓝色标注。
但是现在的问题是,我们并不知道clang对于内存检测实现到了哪个地步,所以接下来我们需要用CWE部分内存相关的测试集和几个开源软件来测试一下clang的功能和效果,直白地讲,就是看看clang覆盖了哪些缺陷检测,对特定缺陷检测的误报和漏报情况怎么样。
参考文献
http://clang-analyzer.llvm.org/alpha_checks.html