Summary of Clang Checker Classes

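When we need to actually define our own checker, rather than simply testing whether a checker can be registered successfully, we need to know exactly which package in Checkers.td our checker belongs to. Below, we use a table to organize and list what the clang -cc1 -analyzer-checker-help command displays.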

OVERVIEW: Clang Static Analyzer Checkers List

| Layer 1 | Layer 2 | Final layer (class) | Description |
|---|---|---|---|
| Alpha (34) | | | Checkers with a relatively high false positive rate, so they are still at the experimental stage |
| | Core (9) | alpha.core.BoolAssignment (ObjC) | |
| | | alpha.core.CastSize (C) | |
| | | alpha.core.CastToStruct (C, C++) | |
| | | alpha.core.FixedAddr (C) | |
| | | alpha.core.IdenticalExpr (C, C++) | |
| | | alpha.core.IdenticalExpr (C, C++) | |
| | | alpha.core.PointerArithm (C) | |
| | | alpha.core.PointerSub (C) | |
| | | alpha.core.SizeofPtr (C) | |
| | C++ (2) | alpha.cplusplus.NewDeleteLeaks (C++) | |
| | | alpha.cplusplus.VirtualCall (C++) | |
| | Variable Argument (3) | alpha.valist.CopyToSelf (C) | |
| | | alpha.valist.Uninitialized (C) | |
| | | alpha.valist.Unterminated (C) | |
| | Dead code | alpha.deadcode.UnreachableCode (C, C++, ObjC) | |
| | OS X (5) | alpha.osx.cocoa.Dealloc (ObjC) | |
| | | alpha.osx.cocoa.DirectIvarAssignment (ObjC) | |
| | | alpha.osx.cocoa.DirectIvarAssignmentForAnnotatedFunctions (ObjC) | |
| | | alpha.osx.cocoa.InstanceVariableInvalidation (ObjC) | |
| | | alpha.osx.cocoa.MissingInvalidationMethod (ObjC) | |
| | Security (5) | alpha.security.ArrayBound (C) | |
| | | alpha.security.ArrayBoundV2 (C) | |
| | | alpha.security.MallocOverflow (C) | |
| | | alpha.security.ReturnPtrRange (C) | |
| | | alpha.security.taint.TaintPropagation (C) | |
| | Unix (9) | alpha.unix.Chroot (C) | |
| | | alpha.unix.MallocWithAnnotations (C) | |
| | | alpha.unix.PthreadLock (C) | |
| | | alpha.unix.SimpleStream (C) | |
| | | alpha.unix.Stream (C) | |
| | | alpha.unix.cstring.BufferOverlap (C) | |
| | | alpha.unix.cstring.NotNullTerminated (C) | |
| | | alpha.unix.cstring.OutOfBounds (C) | |
| | | alpha.unix.cstring.BlockInCriticalSection (C) | |
| Default (47) | | | Checkers that can be used in the default state |
| | Core (12) | core.CallAndMessage (C, C++, ObjC) | |
| | | core.DivideZero (C, C++, ObjC) | |
| | | core.NonNullParamChecker (C, C++, ObjC) | |
| | | core.NullDereference (C, C++, ObjC) | |
| | | core.StackAddressEscape (C) | |
| | | core.UndefinedBinaryOperatorResult (C) | |
| | | core.VLASize (C) | |
| | | core.uninitialized.ArraySubscript (C) | |
| | | core.uninitialized.Assign (C) | |
| | | core.uninitialized.Branch (C) | |
| | | core.uninitialized.CapturedBlockVariable (C) | |
| | | core.uninitialized.UndefReturn (C) | |
| | C++ | cplusplus.NewDelete (C++) | |
| | deadcode | deadcode.DeadStores (C) | |
| | OS X (18) | osx.API (C) | |
| | | osx.SecKeychainAPI (C) | |
| | | osx.cocoa.AtSync (ObjC) | |
| | | osx.cocoa.ClassRelease (ObjC) | |
| | | osx.cocoa.IncompatibleMethodTypes (ObjC) | |
| | | alpha.osx.cocoa.MissingSuperCall (ObjC) | |
| | | osx.cocoa.NSAutoreleasePool (ObjC) | |
| | | osx.cocoa.NSError (ObjC) | |
| | | osx.cocoa.NilArg (ObjC) | |
| | | osx.cocoa.RetainCount (ObjC) | |
| | | osx.cocoa.SelfInit (ObjC) | |
| | | osx.cocoa.UnusedIvars (ObjC) | |
| | | osx.cocoa.VariadicMethodTypes (ObjC) | |
| | | osx.coreFoundation.CFError (C) | |
| | | osx.coreFoundation.CFNumber (C) | |
| | | osx.coreFoundation.CFRetainRelease (C) | |
| | | osx.coreFoundation.containers.OutOfBounds (C) | |
| | | osx.coreFoundation.containers.PointerSizedValues (C) | |
| | Security (9) | security.FloatLoopCounter (C) | |
| | | security.insecureAPI.UncheckedReturn (C) | |
| | | security.insecureAPI.getpw (C) | |
| | | security.insecureAPI.gets (C) | |
| | | security.insecureAPI.mkstemp (C) | |
| | | security.insecureAPI.mktemp (C) | |
| | | security.insecureAPI.rand (C) | |
| | | security.insecureAPI.strcpy (C) | |
| | | security.insecureAPI.vfork (C) | |
| | Unix (6) | unix.API (C) | |
| | | unix.Malloc (C) | |
| | | unix.MallocSizeof (C) | |
| | | unix.MismatchedDeallocator (C, C++, ObjC) | |
| | | unix.cstring.BadSizeArg (C) | |
| | | unix.cstring.NullArg (C) | |
| Implicit | | | Implicit checkers do not produce warnings; they only support the analyzer core and the modeling of APIs |
| | Core | core.DynamicTypePropagation (C++, ObjC) | |
| | | core.builtin.BuiltinFunctions (C) | |
| | | core.builtin.NoReturnFunctions (C, ObjC) | |
| | OS X | osx.cocoa.Loops (ObjC) | |
| | | osx.cocoa.NonNilReturnValue (ObjC) | |
| Debug | | | http://clang-analyzer.llvm.org/checker_dev_manual.html#commands |
| | -- | debug.ViewCFG | View Control-Flow Graphs using GraphViz |
| | -- | debug.DumpCFG | Display Control-Flow Graphs |
| | -- | debug.ViewCallGraph | View Call Graph using GraphViz |
| | -- | debug.DumpCallGraph | Display Call Graph |
| | -- | debug.ViewExplodedGraph | View Exploded Graphs using GraphViz |
| | -- | debug.Stats | Emit warnings with analyzer statistics |
| | -- | debug.AnalysisOrder | Print callbacks that are called during analysis in order |
| | -- | debug.ConfigDumper | Dump config table |
| | -- | debug.DumpBugHash | Dump the bug hash for all statements |
| | -- | debug.DumpCalls | Print calls as they are traversed by the engine |
| | -- | debug.DumpDominators | Print the dominance tree for a given CFG |
| | -- | debug.DumpLiveVars | Print results of live variable analysis |
| | -- | debug.DumpTraversal | Print branch conditions as they are traversed by the engine |
| | -- | debug.TaintTest | Mark tainted symbols as such |
| | -- | debug.ExprInspection | Check the analyzer's understanding of expressions |
| LLVM | | llvm.Conventions | Check code for LLVM codebase conventions |
| Other | | apiModeling.google.GTest | Model gtest assertion APIs |
| Optin | | 5 classes | |
| nullability | | 5 classes | |

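Comparing against the brief descriptions of all the checkers above, we can get a rough idea of what these classes do; the memory-related classes are all highlighted in yellow. If we want to write our own checker, it should go in the security package under Alpha. In addition, the checker classes we commonly use during debugging to view the CFG and the ExplodedGraph are marked in blue.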

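The problem now, however, is that we do not know how far clang's memory checking has been implemented. So next we need to test clang's capabilities and effectiveness using the memory-related part of the CWE test suites and several open-source programs. Put plainly, we want to see which defects clang's detection covers, and what its false positives and false negatives look like for specific defects.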

 

References

http://clang-analyzer.llvm.org/alpha_checks.html

http://clang-analyzer.llvm.org/available_checks.html

http://clang-analyzer.llvm.org/implicit_checks.html
