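Summary of Clang Checker Classes

When we need to actually define our own checker, rather than simply testing whether a checker can be registered successfully, we need to know exactly which package in Checkers.td our checker belongs to. Below, we organize in table form what is displayed by the command clang -cc1 -analyzer-checker-help.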

OVERVIEW: Clang Static Analyzer Checkers List

 

| Layer 1 | Layer 2 | Final layer (class) | Description |
|---|---|---|---|
| Alpha (34) | | | Checkers with a relatively high false positive rate, so they are still experimental |
| | Core (9) | alpha.core.BoolAssignment (ObjC) | |
| | | alpha.core.CastSize (C) | |
| | | alpha.core.CastToStruct (C, C++) | |
| | | alpha.core.FixedAddr (C) | |
| | | alpha.core.IdenticalExpr (C, C++) | |
| | | alpha.core.IdenticalExpr (C, C++) | |
| | | alpha.core.PointerArithm (C) | |
| | | alpha.core.PointerSub (C) | |
| | | alpha.core.SizeofPtr (C) | |
| | C++ (2) | alpha.cplusplus.NewDeleteLeaks (C++) | |
| | | alpha.cplusplus.VirtualCall (C++) | |
| | Variable Argument (3) | alpha.valist.CopyToSelf (C) | |
| | | alpha.valist.Uninitialized (C) | |
| | | alpha.valist.Unterminated (C) | |
| | Dead code | alpha.deadcode.UnreachableCode (C, C++, ObjC) | |
| | OS X (5) | alpha.osx.cocoa.Dealloc (ObjC) | |
| | | alpha.osx.cocoa.DirectIvarAssignment (ObjC) | |
| | | alpha.osx.cocoa.DirectIvarAssignmentForAnnotatedFunctions (ObjC) | |
| | | alpha.osx.cocoa.InstanceVariableInvalidation (ObjC) | |
| | | alpha.osx.cocoa.MissingInvalidationMethod (ObjC) | |
| | Security (5) | alpha.security.ArrayBound (C) | |
| | | alpha.security.ArrayBoundV2 (C) | |
| | | alpha.security.MallocOverflow (C) | |
| | | alpha.security.ReturnPtrRange (C) | |
| | | alpha.security.taint.TaintPropagation (C) | |
| | Unix (9) | alpha.unix.Chroot (C) | |
| | | alpha.unix.MallocWithAnnotations (C) | |
| | | alpha.unix.PthreadLock (C) | |
| | | alpha.unix.SimpleStream (C) | |
| | | alpha.unix.Stream (C) | |
| | | alpha.unix.cstring.BufferOverlap (C) | |
| | | alpha.unix.cstring.NotNullTerminated (C) | |
| | | alpha.unix.cstring.OutOfBounds (C) | |
| | | alpha.unix.cstring.BlockInCriticalSection (C) | |
| Default (47) | | | Checkers that are available by default |
| | Core (12) | core.CallAndMessage (C, C++, ObjC) | |
| | | core.DivideZero (C, C++, ObjC) | |
| | | core.NonNullParamChecker (C, C++, ObjC) | |
| | | core.NullDereference (C, C++, ObjC) | |
| | | core.StackAddressEscape (C) | |
| | | core.UndefinedBinaryOperatorResult (C) | |
| | | core.VLASize (C) | |
| | | core.uninitialized.ArraySubscript (C) | |
| | | core.uninitialized.Assign (C) | |
| | | core.uninitialized.Branch (C) | |
| | | core.uninitialized.CapturedBlockVariable (C) | |
| | | core.uninitialized.UndefReturn (C) | |
| | C++ | cplusplus.NewDelete (C++) | |
| | deadcode | deadcode.DeadStores (C) | |
| | OS X (18) | osx.API (C) | |
| | | osx.SecKeychainAPI (C) | |
| | | osx.cocoa.AtSync (ObjC) | |
| | | osx.cocoa.ClassRelease (ObjC) | |
| | | osx.cocoa.IncompatibleMethodTypes (ObjC) | |
| | | alpha.osx.cocoa.MissingSuperCall (ObjC) | |
| | | osx.cocoa.NSAutoreleasePool (ObjC) | |
| | | osx.cocoa.NSError (ObjC) | |
| | | osx.cocoa.NilArg (ObjC) | |
| | | osx.cocoa.RetainCount (ObjC) | |
| | | osx.cocoa.SelfInit (ObjC) | |
| | | osx.cocoa.UnusedIvars (ObjC) | |
| | | osx.cocoa.VariadicMethodTypes (ObjC) | |
| | | osx.coreFoundation.CFError (C) | |
| | | osx.coreFoundation.CFNumber (C) | |
| | | osx.coreFoundation.CFRetainRelease (C) | |
| | | osx.coreFoundation.containers.OutOfBounds (C) | |
| | | osx.coreFoundation.containers.PointerSizedValues (C) | |
| | Security (9) | security.FloatLoopCounter (C) | |
| | | security.insecureAPI.UncheckedReturn (C) | |
| | | security.insecureAPI.getpw (C) | |
| | | security.insecureAPI.gets (C) | |
| | | security.insecureAPI.mkstemp (C) | |
| | | security.insecureAPI.mktemp (C) | |
| | | security.insecureAPI.rand (C) | |
| | | security.insecureAPI.strcpy (C) | |
| | | security.insecureAPI.vfork (C) | |
| | Unix (6) | unix.API (C) | |
| | | unix.Malloc (C) | |
| | | unix.MallocSizeof (C) | |
| | | unix.MismatchedDeallocator (C, C++, ObjC) | |
| | | unix.cstring.BadSizeArg (C) | |
| | | unix.cstring.NullArg (C) | |
| Implicit | | | Implicit checkers do not produce warnings; they are only used to support the analyzer core and model interfaces |
| | Core | core.DynamicTypePropagation (C++, ObjC) | |
| | | core.builtin.BuiltinFunctions (C) | |
| | | core.builtin.NoReturnFunctions (C, ObjC) | |
| | OS X | osx.cocoa.Loops (ObjC) | |
| | | osx.cocoa.NonNilReturnValue (ObjC) | |
| Debug | | | http://clang-analyzer.llvm.org/checker_dev_manual.html#commands |
| | -- | debug.ViewCFG | View Control-Flow Graphs using GraphViz |
| | -- | debug.DumpCFG | Display Control-Flow Graphs |
| | -- | debug.ViewCallGraph | View Call Graph using GraphViz |
| | -- | debug.DumpCallGraph | Display Call Graph |
| | -- | debug.ViewExplodedGraph | View Exploded Graphs using GraphViz |
| | -- | debug.Stats | Emit warnings with analyzer statistics |
| | -- | debug.AnalysisOrder | Print callbacks that are called during analysis in order |
| | -- | debug.ConfigDumper | Dump config table |
| | -- | debug.DumpBugHash | Dump the bug hash for all statements |
| | -- | debug.DumpCalls | Print calls as they are traversed by the engine |
| | -- | debug.DumpDominators | Print the dominance tree for a given CFG |
| | -- | debug.DumpLiveVars | Print results of live variable analysis |
| | -- | debug.DumpTraversal | Print branch conditions as they are traversed by the engine |
| | -- | debug.TaintTest | Mark tainted symbols as such |
| | -- | debug.ExprInspection | Check the analyzer's understanding of expressions |
| LLVM | | llvm.Conventions | Check code for LLVM codebase conventions |
| Other | | apiModeling.google.GTest | Model gtest assertion APIs |
| Optin | | 5 classes | |
| nullability | | 5 classes | |

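By going through the brief descriptions of all the checkers above, we can get a rough idea of what these classes implement; the memory-related classes are marked in yellow. If we want to write our own checker, it should go in the security package under Alpha. In addition, the checker classes we commonly use during debugging to view the CFG and the ExplodedGraph are marked in blue.

The problem now, however, is that we do not know how far clang's memory checking has actually been implemented. So next we need to test clang's functionality and effectiveness using the memory-related part of the CWE test suites and several open-source projects. Put plainly, we want to see which defects clang's detection covers, and what its false positives and false negatives look like for specific defects.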

 

References

http://clang-analyzer.llvm.org/alpha_checks.html

http://clang-analyzer.llvm.org/available_checks.html

http://clang-analyzer.llvm.org/implicit_checks.html
