1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
| //===-- AnalyzerOptions.def - Metadata about Static Analyses ----*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines the analyzer options avaible with -analyzer-config.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_ADT_STRINGREF_H
#error This .def file is expected to be included in translation units where \
"llvm/ADT/StringRef.h" is already included!
#endif
#ifdef ANALYZER_OPTION
#ifndef ANALYZER_OPTION_DEPENDS_ON_USER_MODE
#error If you didnt include this file with the intent of generating methods, \
define both 'ANALYZER_OPTION' and 'ANALYZER_OPTION_DEPENDS_ON_USER_MODE' macros!
#endif
#endif
#ifndef ANALYZER_OPTION_DEPENDS_ON_USER_MODE
#ifdef ANALYZER_OPTION
#error If you didnt include this file with the intent of generating methods, \
define both 'ANALYZER_OPTION' and 'ANALYZER_OPTION_DEPENDS_ON_USER_MODE' macros!
#endif
#endif
#ifndef ANALYZER_OPTION
/// Create a new analyzer option, but dont generate a method for it in
/// AnalyzerOptions.
///
/// TYPE - The type of the option object that will be stored in
/// AnalyzerOptions. This file is expected to be icluded in translation
/// units where AnalyzerOptions.h is included, so types from that
/// header should be used.
/// NAME - The name of the option object.
/// CMDFLAG - The command line flag for the option.
/// (-analyzer-config CMDFLAG=VALUE)
/// DESC - Description of the flag.
/// DEFAULT_VAL - The default value for CMDFLAG.
#define ANALYZER_OPTION(TYPE, NAME, CMDFLAG, DESC, DEFAULT_VAL)
#endif
#ifndef ANALYZER_OPTION_DEPENDS_ON_USER_MODE
/// Create a new analyzer option, but dont generate a method for it in
/// AnalyzerOptions. It's value depends on the option "user-mode".
///
/// TYPE - The type of the option object that will be stored in
/// AnalyzerOptions. This file is expected to be icluded in translation
/// units where AnalyzerOptions.h is included, so types from that
/// header should be used.
/// NAME - The name of the option object.
/// CMDFLAG - The command line flag for the option.
/// (-analyzer-config CMDFLAG=VALUE)
/// DESC - Description of the flag.
/// SHALLOW_VAL - The default value for CMDFLAG, when "user-mode" was set to
/// "shallow".
/// DEEP_VAL - The default value for CMDFLAG, when "user-mode" was set to
/// "deep".
#define ANALYZER_OPTION_DEPENDS_ON_USER_MODE(TYPE, NAME, CMDFLAG, DESC, \
SHALLOW_VAL, DEEP_VAL)
#endif
//===----------------------------------------------------------------------===//
// The "mode" option. Since some options depend on this, we list it on top of
// this file in order to make sure that the generated field for it is
// initialized before the rest.
//===----------------------------------------------------------------------===//
ANALYZER_OPTION(
StringRef, UserMode, "mode",
"(string) Controls the high-level analyzer mode, which influences the "
"default settings for some of the lower-level config options (such as "
"IPAMode). Value: \"deep\", \"shallow\".",
"deep")
//===----------------------------------------------------------------------===//
// Boolean analyzer options.
//===----------------------------------------------------------------------===//
ANALYZER_OPTION(bool, ShouldIncludeImplicitDtorsInCFG, "cfg-implicit-dtors",
"Whether or not implicit destructors for C++ objects "
"should be included in the CFG.",
true)
ANALYZER_OPTION(bool, ShouldIncludeTemporaryDtorsInCFG, "cfg-temporary-dtors",
"Whether or not the destructors for C++ temporary "
"objects should be included in the CFG.",
true)
ANALYZER_OPTION(
bool, ShouldIncludeLifetimeInCFG, "cfg-lifetime",
"Whether or not end-of-lifetime information should be included in the CFG.",
false)
ANALYZER_OPTION(bool, ShouldIncludeLoopExitInCFG, "cfg-loopexit",
"Whether or not the end of the loop information should "
"be included in the CFG.",
false)
ANALYZER_OPTION(bool, ShouldIncludeRichConstructorsInCFG,
"cfg-rich-constructors",
"Whether or not construction site information should be "
"included in the CFG C++ constructor elements.",
true)
ANALYZER_OPTION(
bool, ShouldIncludeScopesInCFG, "cfg-scopes",
"Whether or not scope information should be included in the CFG.", false)
ANALYZER_OPTION(
bool, MayInlineTemplateFunctions, "c++-template-inlining",
"Whether or not templated functions may be considered for inlining.", true)
ANALYZER_OPTION(bool, MayInlineCXXStandardLibrary, "c++-stdlib-inlining",
"Whether or not C++ standard library functions may be "
"considered for inlining.",
true)
ANALYZER_OPTION(bool, MayInlineCXXAllocator, "c++-allocator-inlining",
"Whether or not allocator call may be considered for inlining.",
true)
ANALYZER_OPTION(
bool, MayInlineCXXSharedPtrDtor, "c++-shared_ptr-inlining",
"Whether or not the destructor of C++ 'shared_ptr' may be considered for "
"inlining. This covers std::shared_ptr, std::tr1::shared_ptr, and "
"boost::shared_ptr, and indeed any destructor named '~shared_ptr'.",
false)
ANALYZER_OPTION(bool, MayInlineCXXTemporaryDtors, "c++-temp-dtor-inlining",
"Whether C++ temporary destructors should be inlined "
"during analysis. If temporary destructors are disabled "
"in the CFG via the 'cfg-temporary-dtors' option, "
"temporary destructors would not be inlined anyway.",
true)
ANALYZER_OPTION(
bool, ShouldSuppressNullReturnPaths, "suppress-null-return-paths",
"Whether or not paths that go through null returns should be suppressed. "
"This is a heuristic for avoiding bug reports with paths that go through "
"inlined functions that are more defensive than their callers.",
true)
ANALYZER_OPTION(
bool, ShouldAvoidSuppressingNullArgumentPaths,
"avoid-suppressing-null-argument-paths",
"Whether a bug report should not be suppressed if its path includes a call "
"with a null argument, even if that call has a null return. This option "
"has no effect when ShouldSuppressNullReturnPaths is false. This is a "
"counter-heuristic to avoid false negatives.",
false)
ANALYZER_OPTION(bool, ShouldSuppressInlinedDefensiveChecks,
"suppress-inlined-defensive-checks",
"Whether or not diagnostics containing inlined "
"defensive NULL checks should be suppressed.",
true)
ANALYZER_OPTION(bool, MayInlineCXXContainerMethods, "c++-container-inlining",
"Whether or not methods of C++ container objects may be "
"considered for inlining.",
false)
ANALYZER_OPTION(bool, ShouldSuppressFromCXXStandardLibrary,
"suppress-c++-stdlib",
"Whether or not diagnostics reported within the C++ "
"standard library should be suppressed.",
true)
ANALYZER_OPTION(bool, ShouldCrosscheckWithZ3, "crosscheck-with-z3",
"Whether bug reports should be crosschecked with the Z3 "
"constraint manager backend.",
false)
ANALYZER_OPTION(bool, ShouldReportIssuesInMainSourceFile,
"report-in-main-source-file",
"Whether or not the diagnostic report should be always "
"reported in the main source file and not the headers.",
false)
ANALYZER_OPTION(bool, ShouldWriteStableReportFilename, "stable-report-filename",
"Whether or not the report filename should be random or not.",
false)
ANALYZER_OPTION(
bool, ShouldSerializeStats, "serialize-stats",
"Whether the analyzer should serialize statistics to plist output. "
"Statistics would be serialized in JSON format inside the main dictionary "
"under the statistics key. Available only if compiled in assert mode or "
"with LLVM statistics explicitly enabled.",
false)
ANALYZER_OPTION(bool, MayInlineObjCMethod, "objc-inlining",
"Whether ObjectiveC inlining is enabled, false otherwise.",
true)
ANALYZER_OPTION(bool, ShouldPrunePaths, "prune-paths",
"Whether irrelevant parts of a bug report path should "
"be pruned out of the final output.",
true)
ANALYZER_OPTION(bool, ShouldAddPopUpNotes, "add-pop-up-notes",
"Whether pop-up notes should be added to the final output.",
true)
ANALYZER_OPTION(
bool, ShouldConditionalizeStaticInitializers,
"cfg-conditional-static-initializers",
"Whether 'static' initializers should be in conditional logic in the CFG.",
true)
ANALYZER_OPTION(bool, ShouldSynthesizeBodies, "faux-bodies",
"Whether the analyzer engine should synthesize fake "
"bodies for well-known functions.",
true)
ANALYZER_OPTION(
bool, ShouldElideConstructors, "elide-constructors",
"Whether elidable C++ copy-constructors and move-constructors should be "
"actually elided during analysis. Both behaviors are allowed by the C++ "
"standard, and the analyzer, like CodeGen, defaults to eliding. Starting "
"with C++17 some elisions become mandatory, and in these cases the option "
"will be ignored.",
true)
ANALYZER_OPTION(
bool, ShouldInlineLambdas, "inline-lambdas",
"Whether lambdas should be inlined. Otherwise a sink node will be "
"generated each time a LambdaExpr is visited.",
true)
ANALYZER_OPTION(bool, ShouldWidenLoops, "widen-loops",
"Whether the analysis should try to widen loops.", false)
ANALYZER_OPTION(
bool, ShouldUnrollLoops, "unroll-loops",
"Whether the analysis should try to unroll loops with known bounds.", false)
ANALYZER_OPTION(
bool, ShouldDisplayNotesAsEvents, "notes-as-events",
"Whether the bug reporter should transparently treat extra note diagnostic "
"pieces as event diagnostic pieces. Useful when the diagnostic consumer "
"doesn't support the extra note pieces.",
false)
ANALYZER_OPTION(
bool, ShouldAggressivelySimplifyBinaryOperation,
"aggressive-binary-operation-simplification",
"Whether SValBuilder should rearrange comparisons and additive operations "
"of symbolic expressions which consist of a sum of a symbol and a concrete "
"integer into the format where symbols are on the left-hand side and the "
"integer is on the right. This is only done if both symbols and both "
"concrete integers are signed, greater than or equal to the quarter of the "
"minimum value of the type and less than or equal to the quarter of the "
"maximum value of that type. A + n <OP> B + m becomes A - B <OP> m - n, "
"where A and B symbolic, n and m are integers. <OP> is any of '==', '!=', "
"'<', '<=', '>', '>=', '+' or '-'. The rearrangement also happens with '-' "
"instead of '+' on either or both side and also if any or both integers "
"are missing.",
false)
ANALYZER_OPTION(
bool, ShouldEagerlyAssume, "eagerly-assume",
"Whether we should eagerly assume evaluations of conditionals, thus, "
"bifurcating the path. This indicates how the engine should handle "
"expressions such as: 'x = (y != 0)'. When this is true then the "
"subexpression 'y != 0' will be eagerly assumed to be true or false, thus "
"evaluating it to the integers 0 or 1 respectively. The upside is that "
"this can increase analysis precision until we have a better way to lazily "
"evaluate such logic. The downside is that it eagerly bifurcates paths.",
true)
ANALYZER_OPTION(
bool, IsNaiveCTUEnabled, "experimental-enable-naive-ctu-analysis",
"Whether naive cross translation unit analysis is enabled. This is an "
"experimental feature to inline functions from other translation units.",
false)
ANALYZER_OPTION(bool, ShouldDisplayMacroExpansions, "expand-macros",
"Whether macros related to the bugpath should be "
"expanded and included in the plist output.",
false)
ANALYZER_OPTION(bool, DisplayCTUProgress, "display-ctu-progress",
"Whether to emit verbose output about "
"the analyzer's progress related to ctu.",
false)
ANALYZER_OPTION(bool, ShouldTrackConditions, "track-conditions",
"Whether to track conditions that are a control dependency of "
"an already tracked variable.",
true)
ANALYZER_OPTION(bool, ShouldTrackConditionsDebug, "track-conditions-debug",
"Whether to place an event at each tracked condition.",
false)
ANALYZER_OPTION(bool, ShouldEmitFixItHintsAsRemarks, "fixits-as-remarks",
"Emit fix-it hints as remarks for testing purposes",
false)
//===----------------------------------------------------------------------===//
// Unsigned analyzer options.
//===----------------------------------------------------------------------===//
ANALYZER_OPTION(unsigned, CTUImportThreshold, "ctu-import-threshold",
"The maximal amount of translation units that is considered "
"for import when inlining functions during CTU analysis. "
"Lowering this threshold can alleviate the memory burder of "
"analysis with many interdependent definitions located in "
"various translation units.",
100u)
ANALYZER_OPTION(
unsigned, AlwaysInlineSize, "ipa-always-inline-size",
"The size of the functions (in basic blocks), which should be considered "
"to be small enough to always inline.",
3)
ANALYZER_OPTION(
unsigned, GraphTrimInterval, "graph-trim-interval",
"How often nodes in the ExplodedGraph should be recycled to save memory. "
"To disable node reclamation, set the option to 0.",
1000)
ANALYZER_OPTION(
unsigned, MinCFGSizeTreatFunctionsAsLarge,
"min-cfg-size-treat-functions-as-large",
"The number of basic blocks a function needs to have to be considered "
"large for the 'max-times-inline-large' config option.",
14)
ANALYZER_OPTION(unsigned, MaxSymbolComplexity, "max-symbol-complexity",
"The maximum complexity of symbolic constraint.", 35)
ANALYZER_OPTION(unsigned, MaxTimesInlineLarge, "max-times-inline-large",
"The maximum times a large function could be inlined.", 32)
ANALYZER_OPTION_DEPENDS_ON_USER_MODE(
unsigned, MaxInlinableSize, "max-inlinable-size",
"The bound on the number of basic blocks in an inlined function.",
/* SHALLOW_VAL */ 4, /* DEEP_VAL */ 100)
ANALYZER_OPTION_DEPENDS_ON_USER_MODE(
unsigned, MaxNodesPerTopLevelFunction, "max-nodes",
"The maximum number of nodes the analyzer can generate while exploring a "
"top level function (for each exploded graph). 0 means no limit.",
/* SHALLOW_VAL */ 75000, /* DEEP_VAL */ 225000)
ANALYZER_OPTION(
unsigned, RegionStoreSmallStructLimit, "region-store-small-struct-limit",
"The largest number of fields a struct can have and still be considered "
"small This is currently used to decide whether or not it is worth forcing "
"a LazyCompoundVal on bind. To disable all small-struct-dependent "
"behavior, set the option to 0.",
2)
//===----------------------------------------------------------------------===//
// String analyzer options.
//===----------------------------------------------------------------------===//
ANALYZER_OPTION(StringRef, CTUDir, "ctu-dir",
"The directory containing the CTU related files.", "")
ANALYZER_OPTION(StringRef, CTUIndexName, "ctu-index-name",
"the name of the file containing the CTU index of definitions.",
"externalDefMap.txt")
ANALYZER_OPTION(
StringRef, ModelPath, "model-path",
"The analyzer can inline an alternative implementation written in C at the "
"call site if the called function's body is not available. This is a path "
"where to look for those alternative implementations (called models).",
"")
ANALYZER_OPTION(
StringRef, CXXMemberInliningMode, "c++-inlining",
"Controls which C++ member functions will be considered for inlining. "
"Value: \"constructors\", \"destructors\", \"methods\".",
"destructors")
ANALYZER_OPTION(
StringRef, ExplorationStrategy, "exploration_strategy",
"Value: \"dfs\", \"bfs\", \"unexplored_first\", "
"\"unexplored_first_queue\", \"unexplored_first_location_queue\", "
"\"bfs_block_dfs_contents\".",
"unexplored_first_queue")
ANALYZER_OPTION(
StringRef, RawSilencedCheckersAndPackages, "silence-checkers",
"A semicolon separated list of checker and package names to silence. "
"Silenced checkers will not emit reports, but the modeling remain enabled.",
"")
ANALYZER_OPTION_DEPENDS_ON_USER_MODE(
StringRef, IPAMode, "ipa",
"Controls the mode of inter-procedural analysis. Value: \"none\", "
"\"basic-inlining\", \"inlining\", \"dynamic\", \"dynamic-bifurcate\".",
/* SHALLOW_VAL */ "inlining", /* DEEP_VAL */ "dynamic-bifurcate")
#undef ANALYZER_OPTION_DEPENDS_ON_USER_MODE
#undef ANALYZER_OPTION
|