Menu
We have automated the builds of our current project by using TeamCity/Command Line Tools. To be sure to catch as much potential issues as possible, we have set the project to use the static analyser for each build. Several 3rd-party classes were flagged by the analyser so we excluded the dubious classes by flagging them with:
-w -Xanalyzer -analyzer-disable-checker
Everything works as expected when compiled in Xcode (tested with 4.6.3 and 5.0.1).
But when compiled on the TeamCity server, we're getting the following error for each excluded 3rd-party file:
__PIC__ level differs in PCH file vs. current fileerror: __PIC__ level differs in PCH file vs. current file2 errors generated.
The error goes away if we remove the -Xanalyzer -analyzer-disable-checker tags (but of course in this case we get the analyser warnings back).
The same error occurs if we compile using AppCode which makes me thinking this is somehow related to the command line tools, both AppCode and the TeamCity server using them to compile the builds.
The TeamCity server uses Xcode 4's command line tools and I've tried AppCode with both Xcode 4's and 5's.
When trying with AppCode using Xcode 5's command line tools the error differs slightly (once again, one for each excluded class):
error reading 'pic'
no analyzer checkers are associated with '-mrelocation-model'
So, the question: does anyone have any idea how to get rid of this error while suppressing the analyser warnings for specific classes when using command line tools (if command line tools are indeed at fault here)?
884
Source code analysis tools, also known as Static Application Security Testing (SAST) Tools, can help analyze source code or compiled versions of code to help find security flaws. SAST tools can be added into your IDE. Such tools can help you detect issues during software development.
Static analysis tools refer to a wide array of tools that examine source code, executables, or even documentation, to find problems before they happen; without actually running the code.
Machine Learning and Static AnalysisApplying coding standards, such as MISRA, AUTOSAR, and OWASP. Enforcing coding best practices. Identifying coding errors earlier in development — saving both time and money. Eliminating security vulnerabilities.
Static code analysis advantages:It allows a quicker turn around for fixes. It is relatively fast if automated tools are used. Automated tools can scan the entire code base. Automated tools can provide mitigation recommendations, reducing the research time.
I just ran into this issue and assume it is a bug with Clang. I think I found a workaround though.
Try replacing this
-w -Xanalyzer -analyzer-disable-checker
with this ridiculously long line (keep scrolling to the right to see it all):
-w -Xanalyzer -analyzer-disable-checker -Xanalyzer alpha -Xanalyzer -analyzer-disable-checker -Xanalyzer core -Xanalyzer -analyzer-disable-checker -Xanalyzer cplusplus -Xanalyzer -analyzer-disable-checker -Xanalyzer deadcode -Xanalyzer -analyzer-disable-checker -Xanalyzer debug -Xanalyzer -analyzer-disable-checker -Xanalyzer llvm -Xanalyzer -analyzer-disable-checker -Xanalyzer osx -Xanalyzer -analyzer-disable-checker -Xanalyzer security -Xanalyzer -analyzer-disable-checker -Xanalyzer unix -Xanalyzer -analyzer-disable-checker -Xanalyzer insecureAPI
OK, so here is how I got to that. It looks like Clang has a hierarchy of "Static Analyzer Checkers" and you can disable them individually or by group.
As an example the DeadStore checker is "deadcode.DeadStores" so you can disable it like this:
-Xanalyzer -analyzer-disable-checker -Xanalyzer deadcode.DeadStores
Alternatively you can disable ALL deadcode related checkers by specifying just "deadcode" like this:
-Xanalyzer -analyzer-disable-checker -Xanalyzer deadcode
You can get a list of all the checkers with this command:
clang -cc1 -analyzer-checker-help
It currently outputs the following:
OVERVIEW: Clang Static Analyzer Checkers List
USAGE: -analyzer-checker <CHECKER or PACKAGE,...>
CHECKERS:
alpha.core.BoolAssignment Warn about assigning non-{0,1} values to Boolean variables
alpha.core.CastSize Check when casting a malloc'ed type T, whether the size is a multiple of the size of T
alpha.core.CastToStruct Check for cast from non-struct pointer to struct pointer
alpha.core.FixedAddr Check for assignment of a fixed address to a pointer
alpha.core.PointerArithm Check for pointer arithmetic on locations other than array elements
alpha.core.PointerSub Check for pointer subtractions on two pointers pointing to different memory chunks
alpha.core.SizeofPtr Warn about unintended use of sizeof() on pointer expressions
alpha.cplusplus.NewDeleteLeaks Check for memory leaks. Traces memory managed by new/delete.
alpha.cplusplus.VirtualCall Check virtual function calls during construction or destruction
alpha.deadcode.IdempotentOperations
Warn about idempotent operations
alpha.deadcode.UnreachableCode Check unreachable code
alpha.osx.cocoa.Dealloc Warn about Objective-C classes that lack a correct implementation of -dealloc
alpha.osx.cocoa.DirectIvarAssignment
Check for direct assignments to instance variables
alpha.osx.cocoa.DirectIvarAssignmentForAnnotatedFunctions
Check for direct assignments to instance variables in the methods annotated with objc_no_direct_instance_variable_assignment
alpha.osx.cocoa.InstanceVariableInvalidation
Check that the invalidatable instance variables are invalidated in the methods annotated with objc_instance_variable_invalidator
alpha.osx.cocoa.MissingInvalidationMethod
Check that the invalidation methods are present in classes that contain invalidatable instance variables
alpha.osx.cocoa.MissingSuperCall
Warn about Objective-C methods that lack a necessary call to super
alpha.security.ArrayBound Warn about buffer overflows (older checker)
alpha.security.ArrayBoundV2 Warn about buffer overflows (newer checker)
alpha.security.MallocOverflow Check for overflows in the arguments to malloc()
alpha.security.ReturnPtrRange Check for an out-of-bound pointer being returned to callers
alpha.security.taint.TaintPropagation
Generate taint information used by other checkers
alpha.unix.Chroot Check improper use of chroot
alpha.unix.MallocWithAnnotations
Check for memory leaks, double free, and use-after-free problems. Traces memory managed by malloc()/free(). Assumes that all user-defined functions which might free a pointer are annotated.
alpha.unix.PthreadLock Simple lock -> unlock checker
alpha.unix.SimpleStream Check for misuses of stream APIs
alpha.unix.Stream Check stream handling functions
alpha.unix.cstring.BufferOverlap
Checks for overlap in two buffer arguments
alpha.unix.cstring.NotNullTerminated
Check for arguments which are not null-terminating strings
alpha.unix.cstring.OutOfBounds Check for out-of-bounds access in string functions
core.CallAndMessage Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers)
core.DivideZero Check for division by zero
core.DynamicTypePropagation Generate dynamic type information
core.NonNullParamChecker Check for null pointers passed as arguments to a function whose arguments are references or marked with the 'nonnull' attribute
core.NullDereference Check for dereferences of null pointers
core.StackAddressEscape Check that addresses to stack memory do not escape the function
core.UndefinedBinaryOperatorResult
Check for undefined results of binary operators
core.VLASize Check for declarations of VLA of undefined or zero size
core.builtin.BuiltinFunctions Evaluate compiler builtin functions (e.g., alloca())
core.builtin.NoReturnFunctions Evaluate "panic" functions that are known to not return to the caller
core.uninitialized.ArraySubscript
Check for uninitialized values used as array subscripts
core.uninitialized.Assign Check for assigning uninitialized values
core.uninitialized.Branch Check for uninitialized values used as branch conditions
core.uninitialized.CapturedBlockVariable
Check for blocks that capture uninitialized values
core.uninitialized.UndefReturn Check for uninitialized values being returned to the caller
cplusplus.NewDelete Check for double-free and use-after-free problems. Traces memory managed by new/delete.
deadcode.DeadStores Check for values stored to variables that are never read afterwards
debug.ConfigDumper Dump config table
debug.DumpCFG Display Control-Flow Graphs
debug.DumpCallGraph Display Call Graph
debug.DumpCalls Print calls as they are traversed by the engine
debug.DumpDominators Print the dominance tree for a given CFG
debug.DumpLiveVars Print results of live variable analysis
debug.DumpTraversal Print branch conditions as they are traversed by the engine
debug.ExprInspection Check the analyzer's understanding of expressions
debug.Stats Emit warnings with analyzer statistics
debug.TaintTest Mark tainted symbols as such.
debug.ViewCFG View Control-Flow Graphs using GraphViz
debug.ViewCallGraph View Call Graph using GraphViz
llvm.Conventions Check code for LLVM codebase conventions
osx.API Check for proper uses of various Apple APIs
osx.SecKeychainAPI Check for proper uses of Secure Keychain APIs
osx.cocoa.AtSync Check for nil pointers used as mutexes for @synchronized
osx.cocoa.ClassRelease Check for sending 'retain', 'release', or 'autorelease' directly to a Class
osx.cocoa.IncompatibleMethodTypes
Warn about Objective-C method signatures with type incompatibilities
osx.cocoa.Loops Improved modeling of loops using Cocoa collection types
osx.cocoa.NSAutoreleasePool Warn for suboptimal uses of NSAutoreleasePool in Objective-C GC mode
osx.cocoa.NSError Check usage of NSError** parameters
osx.cocoa.NilArg Check for prohibited nil arguments to ObjC method calls
osx.cocoa.NonNilReturnValue Model the APIs that are guaranteed to return a non-nil value
osx.cocoa.RetainCount Check for leaks and improper reference count management
osx.cocoa.SelfInit Check that 'self' is properly initialized inside an initializer method
osx.cocoa.UnusedIvars Warn about private ivars that are never used
osx.cocoa.VariadicMethodTypes Check for passing non-Objective-C types to variadic collection initialization methods that expect only Objective-C types
osx.coreFoundation.CFError Check usage of CFErrorRef* parameters
osx.coreFoundation.CFNumber Check for proper uses of CFNumberCreate
osx.coreFoundation.CFRetainRelease
Check for null arguments to CFRetain/CFRelease/CFMakeCollectable
osx.coreFoundation.containers.OutOfBounds
Checks for index out-of-bounds when using 'CFArray' API
osx.coreFoundation.containers.PointerSizedValues
Warns if 'CFArray', 'CFDictionary', 'CFSet' are created with non-pointer-size values
security.FloatLoopCounter Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP)
security.insecureAPI.UncheckedReturn
Warn on uses of functions whose return values must be always checked
security.insecureAPI.getpw Warn on uses of the 'getpw' function
security.insecureAPI.gets Warn on uses of the 'gets' function
security.insecureAPI.mkstemp Warn when 'mkstemp' is passed fewer than 6 X's in the format string
security.insecureAPI.mktemp Warn on uses of the 'mktemp' function
security.insecureAPI.rand Warn on uses of the 'rand', 'random', and related functions
security.insecureAPI.strcpy Warn on uses of the 'strcpy' and 'strcat' functions
security.insecureAPI.vfork Warn on uses of the 'vfork' function
unix.API Check calls to various UNIX/Posix functions
unix.Malloc Check for memory leaks, double free, and use-after-free problems. Traces memory managed by malloc()/free().
unix.MallocSizeof Check for dubious malloc arguments involving sizeof
unix.MismatchedDeallocator Check for mismatched deallocators.
unix.cstring.BadSizeArg Check the size argument passed into C string functions for common erroneous patterns
unix.cstring.NullArg Check for null pointers being passed as arguments to C string functions
The long command line I provided above in my answer disables all 9 top level checkers: alpha, core, cplusplus, deadcode, debug, llvm, osx, security, and unix PLUS "insecureAPI" based on the comments below as it seems disabling security doesn't also disable security.insecureAPI.
Hopefully this is equivalent to not running the analyzer at all.
For more info see the Checker Developer Manual here: http://clang-analyzer.llvm.org/checker_dev_manual.html
77
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
