Next:Options for Debugging Your Program, Previous:Options to Request or Suppress Warnings, Up:GCC Command Options [Contents][Index]
-fanalyzer ¶This option enables an static analysis of program flow which looksfor “interesting” interprocedural paths through thecode, and issues warnings for problems found on them.
This analysis is much more expensive than other GCC warnings.
In technical terms, it performs coverage-guided symbolic execution ofthe code being compiled. It is neither sound nor complete: it canhave false positives and false negatives. It is a bug-finding tool,rather than a tool for proving program correctness.
The analyzer is only suitable for use on C code in this release.
Enabling this option effectively enables the following warnings:
-Wanalyzer-allocation-size-Wanalyzer-deref-before-check-Wanalyzer-double-fclose-Wanalyzer-double-free-Wanalyzer-exposure-through-output-file-Wanalyzer-exposure-through-uninit-copy-Wanalyzer-fd-access-mode-mismatch-Wanalyzer-fd-double-close-Wanalyzer-fd-leak-Wanalyzer-fd-phase-mismatch-Wanalyzer-fd-type-mismatch-Wanalyzer-fd-use-after-close-Wanalyzer-fd-use-without-check-Wanalyzer-file-leak-Wanalyzer-free-of-non-heap-Wanalyzer-imprecise-fp-arithmetic-Wanalyzer-infinite-loop-Wanalyzer-infinite-recursion-Wanalyzer-jump-through-null-Wanalyzer-malloc-leak-Wanalyzer-mismatching-deallocation-Wanalyzer-null-argument-Wanalyzer-null-dereference-Wanalyzer-out-of-bounds-Wanalyzer-overlapping-buffers-Wanalyzer-possible-null-argument-Wanalyzer-possible-null-dereference-Wanalyzer-putenv-of-auto-var-Wanalyzer-shift-count-negative-Wanalyzer-shift-count-overflow-Wanalyzer-stale-setjmp-buffer-Wanalyzer-tainted-allocation-size-Wanalyzer-tainted-array-index-Wanalyzer-tainted-assertion-Wanalyzer-tainted-divisor-Wanalyzer-tainted-offset-Wanalyzer-tainted-size-Wanalyzer-throw-of-unexpected-type-Wanalyzer-undefined-behavior-ptrdiff-Wanalyzer-undefined-behavior-strtok-Wanalyzer-unsafe-call-within-signal-handler-Wanalyzer-use-after-free-Wanalyzer-use-of-pointer-in-stale-stack-frame-Wanalyzer-use-of-uninitialized-value-Wanalyzer-va-arg-type-mismatch-Wanalyzer-va-list-exhausted-Wanalyzer-va-list-leak-Wanalyzer-va-list-use-after-va-end-Wanalyzer-write-to-const-Wanalyzer-write-to-string-literal
This option is only available if GCC was configured with analyzersupport enabled.
-Wanalyzer-symbol-too-complex ¶If-fanalyzer is enabled, the analyzer uses various heuristicsto attempt to track the state of memory, but these can be defeated bysufficiently complicated code.
By default, the analysis silently stops tracking values of expressionsif they exceed an internal limit, and falls backto an imprecise representation for such expressions.The-Wanalyzer-symbol-too-complex option warns if this occurs.
-Wanalyzer-too-complex ¶If-fanalyzer is enabled, the analyzer uses various heuristicsto attempt to explore the control flow and data flow in the program,but these can be defeated by sufficiently complicated code.
By default, the analysis silently stops if the code is toocomplicated for the analyzer to fully explore and it reaches an internallimit. The-Wanalyzer-too-complex option warns if this occurs.
-Wno-analyzer-allocation-size ¶This warning requires-fanalyzer, which enables it;to disable it, use-Wno-analyzer-allocation-size.
This diagnostic warns for paths through the code in which a pointer toa buffer is assigned to point at a buffer with a size that is not amultiple ofsizeof (*pointer).
-Wno-analyzer-deref-before-check ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-deref-before-checkto disable it.
This diagnostic warns for paths through the code in which a pointeris checked forNULL *after* it has already beendereferenced, suggesting that the pointer could have been NULL.Such cases suggest that the check for NULL is either redundant,or that it needs to be moved to before the pointer is dereferenced.
This diagnostic also considers values passed to a function argumentmarked with__attribute__((nonnull)) as requiring a non-NULLvalue, and thus will complain if such values are checked forNULLafter returning from such a function call.
This diagnostic is unlikely to be reported when any level of optimizationis enabled, as GCC’s optimization logic will typically consider suchchecks for NULL as being redundant, and optimize them away before theanalyzer "sees" them. Hence optimization should be disabled whenattempting to trigger this diagnostic.
-Wno-analyzer-double-fclose ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-double-fclose to disable it.
This diagnostic warns for paths through the code in which aFILE *can havefclose called on it more than once.
-Wno-analyzer-double-free ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-double-free to disable it.
This diagnostic warns for paths through the code in which a pointercan have a deallocator called on it more than once, eitherfree,or a deallocator referenced by attributemalloc.
-Wno-analyzer-exposure-through-output-file ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-exposure-through-output-fileto disable it.
This diagnostic warns for paths through the code in which asecurity-sensitive value is written to an output file(such as writing a password to a log file).
-Wanalyzer-exposure-through-uninit-copy ¶This warning requires both-fanalyzer and the use of a pluginto specify a function that copies across a “trust boundary”. Use-Wno-analyzer-exposure-through-uninit-copy to disable it.
This diagnostic warns for “infoleaks” - paths through the code in whichuninitialized values are copied across a security boundary(such as code within an OS kernel that copies a partially-initializedstruct on the stack to user space).
SeeCWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
-Wno-analyzer-fd-access-mode-mismatch ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-fd-access-mode-mismatchto disable it.
This diagnostic warns for paths through code in which aread on a write-only file descriptor is attempted, or vice versa.
This diagnostic also warns for code paths in a which a function with attributefd_arg_read (N) is called with a file descriptor opened withO_WRONLY at referenced argumentN or a function with attributefd_arg_write (N) is called with a file descriptor opened withO_RDONLY at referenced argumentN.
-Wno-analyzer-fd-double-close ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-fd-double-closeto disable it.
This diagnostic warns for paths through code in which afile descriptor can be closed more than once.
-Wno-analyzer-fd-leak ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-fd-leakto disable it.
This diagnostic warns for paths through code in which anopen file descriptor is leaked.
SeeCWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime.
-Wno-analyzer-fd-phase-mismatch ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-fd-phase-mismatchto disable it.
This diagnostic warns for paths through code in which an operation isattempted in the wrong phase of a file descriptor’s lifetime.For example, it will warn on attempts to callaccept on a streamsocket that has not yet hadlisten successfully called on it.
SeeCWE-666: Operation on Resource in Wrong Phase of Lifetime.
-Wno-analyzer-fd-type-mismatch ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-fd-type-mismatchto disable it.
This diagnostic warns for paths through code in which anoperation is attempted on the wrong type of file descriptor.For example, it will warn on attempts to use socket operationson a file descriptor obtained viaopen, or when attemptingto use a stream socket operation on a datagram socket.
-Wno-analyzer-fd-use-after-close ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-fd-use-after-closeto disable it.
This diagnostic warns for paths through code in which aread or write is called on a closed file descriptor.
This diagnostic also warns for paths through code in whicha function with attributefd_arg (N) orfd_arg_read (N)orfd_arg_write (N) is called with a closed file descriptor atreferenced argumentN.
-Wno-analyzer-fd-use-without-check ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-fd-use-without-checkto disable it.
This diagnostic warns for paths through code in which afile descriptor is used without being checked for validity.
This diagnostic also warns for paths through code in whicha function with attributefd_arg (N) orfd_arg_read (N)orfd_arg_write (N) is called with a file descriptor, at referencedargumentN, without being checked for validity.
-Wno-analyzer-file-leak ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-file-leakto disable it.
This diagnostic warns for paths through the code in which a<stdio.h>FILE * stream object is leaked.
SeeCWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime.
-Wno-analyzer-free-of-non-heap ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-free-of-non-heapto disable it.
This diagnostic warns for paths through the code in whichfreeis called on a non-heap pointer (e.g. an on-stack buffer, or a global).
-Wno-analyzer-imprecise-fp-arithmetic ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-imprecise-fp-arithmeticto disable it.
This diagnostic warns for paths through the code in which floating-pointarithmetic is used in locations where precise computation is needed. Thisdiagnostic only warns on use of floating-point operands inside thecalculation of an allocation size at the moment.
-Wno-analyzer-infinite-loop ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-infinite-loop to disable it.
This diagnostics warns for paths through the code which appear tolead to an infinite loop.
Specifically, the analyzer will issue this warning when it "sees" a loopin which:
One way for this warning to be emitted is when there is an executionpath through a loop for which taking the path on one iteration impliesthat the same path will be taken on all subsequent iterations.
For example, consider:
while (1) { char opcode = *cpu_state.pc; switch (opcode) { case OPCODE_FOO: handle_opcode_foo (&cpu_state); break; case OPCODE_BAR: handle_opcode_bar (&cpu_state); break; } }The analyzer will complain for the above case because ifopcodeever matches none of the cases, theswitch will follow theimplicitdefault case, making the body of the loop be a “no-op”withcpu_state.pc unchanged, and thus using the same value ofopcode on all subseqent iterations, leading to an infinite loop.
SeeCWE-835: Loop with Unreachable Exit Condition (’Infinite Loop’).
-Wno-analyzer-infinite-recursion ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-infinite-recursion to disable it.
This diagnostics warns for paths through the code which appear tolead to infinite recursion.
Specifically, when the analyzer "sees" a recursive call, it will comparethe state of memory at the entry to the new frame with that at the entryto the previous frame of that function on the stack. The warning isissued if nothing in memory appears to be changing; any changes observedto parameters or globals are assumed to lead to termination of therecursion and thus suppress the warning.
This diagnostic is likely to miss cases of infinite recursion thatare convered to iteration by the optimizer before the analyzer "sees"them. Hence optimization should be disabled when attempting to triggerthis diagnostic.
Compare with-Winfinite-recursion, which provides a similardiagnostic, but is implemented in a different way.
-Wno-analyzer-jump-through-null ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-jump-through-nullto disable it.
This diagnostic warns for paths through the code in which aNULLfunction pointer is called.
-Wno-analyzer-malloc-leak ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-malloc-leakto disable it.
This diagnostic warns for paths through the code in which apointer allocated via an allocator is leaked: eithermalloc,or a function marked with attributemalloc.
SeeCWE-401: Missing Release of Memory after Effective Lifetime.
-Wno-analyzer-mismatching-deallocation ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-mismatching-deallocationto disable it.
This diagnostic warns for paths through the code in which thewrong deallocation function is called on a pointer value, based onwhich function was used to allocate the pointer value. The diagnosticwill warn about mismatches betweenfree, scalardeleteand vectordelete[], and those marked as allocator/deallocatorpairs using attributemalloc.
-Wno-analyzer-out-of-bounds ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-out-of-bounds to disable it.
This diagnostic warns for paths through the code in which a buffer isdefinitely read or written out-of-bounds. The diagnostic applies forcases where the analyzer is able to determine a constant offset and foraccesses past the end of a buffer, also a constant capacity. Further,the diagnostic does limited checking for accesses past the end when theoffset as well as the capacity is symbolic.
SeeCWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer.
For cases where the analyzer is able, it will emit a text art diagramvisualizing the spatial relationship between the memory region that theanalyzer predicts would be accessed, versus the range of memory that isvalid to access: whether they overlap, are touching, are close or farapart; which one is before or after in memory, the relative sizesinvolved, the direction of the access (read vs write), and, in somecases, the values of data involved. This diagram can be suppressedusing-fdiagnostics-text-art-charset=none.
-Wno-analyzer-overlapping-buffers ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-overlapping-buffers to disable it.
This diagnostic warns for paths through the code in which overlappingbuffers are passed to an API for which the behavior on such buffersis undefined.
Specifically, the diagnostic occurs on calls to the following functions
memcpystrcatstrcpyfor cases where the buffers are known to overlap.
-Wno-analyzer-possible-null-argument ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-possible-null-argument to disable it.
This diagnostic warns for paths through the code in which apossibly-NULL value is passed to a function argument markedwith__attribute__((nonnull)) as requiring a non-NULLvalue.
SeeCWE-690: Unchecked Return Value to NULL Pointer Dereference.
-Wno-analyzer-possible-null-dereference ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-possible-null-dereference to disable it.
This diagnostic warns for paths through the code in which apossibly-NULL value is dereferenced.
SeeCWE-690: Unchecked Return Value to NULL Pointer Dereference.
-Wno-analyzer-null-argument ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-null-argument to disable it.
This diagnostic warns for paths through the code in which avalue known to be NULL is passed to a function argument markedwith__attribute__((nonnull)) as requiring a non-NULLvalue.
-Wno-analyzer-null-dereference ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-null-dereference to disable it.
This diagnostic warns for paths through the code in which avalue known to be NULL is dereferenced.
-Wno-analyzer-putenv-of-auto-var ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-putenv-of-auto-var to disable it.
This diagnostic warns for paths through the code in which acall toputenv is passed a pointer to an automatic variableor an on-stack buffer.
SeePOS34-C. Do not call putenv() with a pointer to an automatic variable as the argument.
-Wno-analyzer-shift-count-negative ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-shift-count-negative to disable it.
This diagnostic warns for paths through the code in which ashift is attempted with a negative count. It is analogous tothe-Wshift-count-negative diagnostic implemented inthe C/C++ front ends, but is implemented based on analyzinginterprocedural paths, rather than merely parsing the syntax tree.However, the analyzer does not prioritize detection of such paths, sofalse negatives are more likely relative to other warnings.
-Wno-analyzer-shift-count-overflow ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-shift-count-overflow to disable it.
This diagnostic warns for paths through the code in which ashift is attempted with a count greater than or equal to theprecision of the operand’s type. It is analogous tothe-Wshift-count-overflow diagnostic implemented inthe C/C++ front ends, but is implemented based on analyzinginterprocedural paths, rather than merely parsing the syntax tree.However, the analyzer does not prioritize detection of such paths, sofalse negatives are more likely relative to other warnings.
-Wno-analyzer-stale-setjmp-buffer ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-stale-setjmp-buffer to disable it.
This diagnostic warns for paths through the code in whichlongjmp is called to rewind to ajmp_buf relatingto asetjmp call in a function that has returned.
Whensetjmp is called on ajmp_buf to record a rewindlocation, it records the stack frame. The stack frame becomes invalidwhen the function containing thesetjmp call returns. Attemptingto rewind to it vialongjmp would reference a stack frame thatno longer exists, and likely lead to a crash (or worse).
-Wno-analyzer-tainted-allocation-size ¶This warning requires-fanalyzer which enables it;use-Wno-analyzer-tainted-allocation-size to disable it.
This diagnostic warns for paths through the code in which a valuethat could be under an attacker’s control is used as the sizeof an allocation without being sanitized, so that an attacker couldinject an excessively large allocation and potentially cause a denialof service attack.
-Wno-analyzer-tainted-assertion ¶This warning requires-fanalyzer which enables it;use-Wno-analyzer-tainted-assertion to disable it.
This diagnostic warns for paths through the code in which a valuethat could be under an attacker’s control is used as part of acondition without being first sanitized, and that condition guards acall to a function marked with attributenoreturn(such as the function__builtin_unreachable). Such functionstypically indicate abnormal termination of the program, such as forassertion failure handlers. For example:
assert (some_tainted_value < SOME_LIMIT);
In such cases:
NDEBUG,an attacker could inject data that subverts the process, since itpresumably violates a precondition that is being assumed by the code.Note that when assertion-checking is disabled, the assertions aretypically removed by the preprocessor before the analyzer has a chanceto "see" them, so this diagnostic can only generate warnings on buildsin which assertion-checking is enabled.
For the purpose of this warning, any function marked with attributenoreturn is considered as a possible assertion failurehandler, including__builtin_unreachable. Note that these functionsare sometimes removed by the optimizer before the analyzer "sees" them.Hence optimization should be disabled when attempting to trigger thisdiagnostic.
SeeCWE-617: Reachable Assertion.
The warning can also report problematic constructions such as
switch (some_tainted_value) {case 0: /* [...etc; various valid cases omitted...] */ break;default: __builtin_unreachable (); /* BUG: attacker can trigger this */}despite the above not being an assertion failure, strictly speaking.
-Wno-analyzer-tainted-array-index ¶This warning requires-fanalyzer which enables it;use-Wno-analyzer-tainted-array-index to disable it.
This diagnostic warns for paths through the code in which a valuethat could be under an attacker’s control is used as the indexof an array access without being sanitized, so that an attackercould inject an out-of-bounds access.
-Wno-analyzer-tainted-divisor ¶This warning requires-fanalyzer which enables it;use-Wno-analyzer-tainted-divisor to disable it.
This diagnostic warns for paths through the code in which a valuethat could be under an attacker’s control is used as the divisorin a division or modulus operation without being sanitized, so thatan attacker could inject a division-by-zero.
-Wno-analyzer-tainted-offset ¶This warning requires-fanalyzer which enables it;use-Wno-analyzer-tainted-offset to disable it.
This diagnostic warns for paths through the code in which a valuethat could be under an attacker’s control is used as a pointer offsetwithout being sanitized, so that an attacker could inject an out-of-boundsaccess.
-Wno-analyzer-tainted-size ¶This warning requires-fanalyzer which enables it;use-Wno-analyzer-tainted-size to disable it.
This diagnostic warns for paths through the code in which a valuethat could be under an attacker’s control is used as the size ofan operation such asmemset without being sanitized, so that anattacker could inject an out-of-bounds access.
-Wno-analyzer-throw-of-unexpected-type ¶This warning requires-fanalyzer which enables it;use-Wno-analyzer-throw-of-unexpected-type to disable it.Dynamic exception specifications are only available in C++14 and earlier.
This diagnostic warns for paths through the code in which a an exceptionis thrown from a function with a dynamic exception specification wherethe exception does not comply with the specification.
-Wno-analyzer-undefined-behavior-ptrdiff ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-undefined-behavior-ptrdiff to disable it.
This diagnostic warns for paths through the code in which a pointersubtraction occurs where the pointers refer to different chunks ofmemory. Such code relies on undefined behavior, as pointer subtractionis only defined for cases where both pointers point to within (or justafter) the same array.
-Wno-analyzer-undefined-behavior-strtok ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-undefined-behavior-strtok to disable it.
This diagnostic warns for paths through the code in which acall is made tostrtok with undefined behavior.
Specifically, passing NULL as the first parameter for the initialcall tostrtok within a process has undefined behavior.
-Wno-analyzer-unsafe-call-within-signal-handler ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-unsafe-call-within-signal-handler to disable it.
This diagnostic warns for paths through the code in which afunction known to be async-signal-unsafe (such asfprintf) iscalled from a signal handler.
-Wno-analyzer-use-after-free ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-use-after-free to disable it.
This diagnostic warns for paths through the code in which apointer is used after a deallocator is called on it: eitherfree,or a deallocator referenced by attributemalloc.
-Wno-analyzer-use-of-pointer-in-stale-stack-frame ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-use-of-pointer-in-stale-stack-frameto disable it.
This diagnostic warns for paths through the code in which a pointeris dereferenced that points to a variable in a stale stack frame.
-Wno-analyzer-va-arg-type-mismatch ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-va-arg-type-mismatchto disable it.
This diagnostic warns for interprocedural paths through the code for whichthe analyzer detects an attempt to useva_arg to extract a valuepassed to a variadic call, but uses a type that does not match that ofthe expression passed to the call.
-Wno-analyzer-va-list-exhausted ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-va-list-exhaustedto disable it.
This diagnostic warns for interprocedural paths through the code for whichthe analyzer detects an attempt to useva_arg to access the nextvalue passed to a variadic call, but all of the values in theva_list have already been consumed.
SeeCWE-685: Function Call With Incorrect Number of Arguments.
-Wno-analyzer-va-list-leak ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-va-list-leakto disable it.
This diagnostic warns for interprocedural paths through the code for whichthe analyzer detects thatva_start orva_copy has been calledon ava_list without a corresponding call tova_end.
-Wno-analyzer-va-list-use-after-va-end ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-va-list-use-after-va-endto disable it.
This diagnostic warns for interprocedural paths through the code for whichthe analyzer detects an attempt to use ava_list afterva_end has been called on it.va_list.
-Wno-analyzer-write-to-const ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-write-to-constto disable it.
This diagnostic warns for paths through the code in which the analyzerdetects an attempt to write through a pointer to aconst object.However, the analyzer does not prioritize detection of such paths, sofalse negatives are more likely relative to other warnings.
-Wno-analyzer-write-to-string-literal ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-write-to-string-literalto disable it.
This diagnostic warns for paths through the code in which the analyzerdetects an attempt to write through a pointer to a string literal.However, the analyzer does not prioritize detection of such paths, sofalse negatives are more likely relative to other warnings.
-Wno-analyzer-use-of-uninitialized-value ¶This warning requires-fanalyzer, which enables it; use-Wno-analyzer-use-of-uninitialized-value to disable it.
This diagnostic warns for paths through the code in which an uninitializedvalue is used.
The analyzer has hardcoded knowledge about the behavior of the followingmemory-management functions:
alloca__builtin_alloc,__builtin_alloc_with_align,__builtin_calloc,__builtin_free,__builtin_malloc,__builtin_memcpy,__builtin_memcpy_chk,__builtin_memset,__builtin_memset_chk,__builtin_realloc,__builtin_stack_restore, and__builtin_stack_savecallocfreemallocmemsetoperator deleteoperator delete []operator newoperator new []reallocstrdupstrndupof the following functions for working with file descriptors:
openclosecreatdup,dup2 anddup3isattypipe, andpipe2readwritesocket,bind,listen,accept, andconnectof the following functions for working with<stdio.h> streams:
__builtin_fprintf,__builtin_fprintf_unlocked,__builtin_fputc,__builtin_fputc_unlocked,__builtin_fputs,__builtin_fputs_unlocked,__builtin_fwrite,__builtin_fwrite_unlocked,__builtin_printf,__builtin_printf_unlocked,__builtin_putc,__builtin_putchar,__builtin_putchar_unlocked,__builtin_putc_unlocked,__builtin_puts,__builtin_puts_unlocked,__builtin_vfprintf, and__builtin_vprintffopenfcloseferrorfgetsfgets_unlockedfilenofreadgetcgetcharfprintfprintffwriteand of the following functions:
__builtin_expect,__builtin_expect_with_probability,__builtin_strchr,__builtin_strcpy,__builtin_strcpy_chk,__builtin_strlen,__builtin_va_copy, and__builtin_va_starterror anderror_at_linegetpasslongjmpputenvsetjmpsiglongjmpsignalsigsetjmpstrcatstrchrstrlenIn addition, various functions with an__analyzer_ prefix havespecial meaning to the analyzer, described in the GCC Internals manual.Various internal parameters, settable via--param, are usedto control the exploration; these are also documented in the GCC Internalsmanual.
The following options control the analyzer.
-fanalyzer-assume-nothrow ¶By default, if-fexceptions is enabled, the analyzer will assumethat a call to any function without attributenothrow could throwan exception. This can help detect execution paths that leak due toexceptions bypassing clean-up code, but could lead to false positives whenusing headers where the author has not added thenothrow attribute.
If-fanalyzer-assume-nothrow is enabled, then the analyzer willassume that external functions do not throw exceptions. This may be usefulfor reducing “noise” from the analyzer when enabling-fexceptions on C code, but could hide true issues if anexception could be raised by something the C code calls.
-fanalyzer-call-summaries ¶Simplify interprocedural analysis by computing the effect of certain calls,rather than exploring all paths through the function from callsite to eachpossible return.
If enabled, call summaries are only used for functions with more than onecall site, and that are sufficiently complicated.
-fanalyzer-checker=name ¶Restrict the analyzer to run just the named checker, and enable it.
-fanalyzer-debug-text-art-headings ¶This option is intended for analyzer developers. If enabled,the analyzer will add extra annotations to any diagrams it generates.
-fno-analyzer-feasibility ¶This option is intended for analyzer developers.
By default the analyzer verifies that there is a feasible control flow pathfor each diagnostic it emits: that the conditions that hold are not mutuallyexclusive. Diagnostics for which no feasible path can be found are rejected.This filtering can be suppressed with-fno-analyzer-feasibility, fordebugging issues in this code.
-fanalyzer-fine-grained ¶Does nothing. Preserved for backward compatibility.
-fanalyzer-show-duplicate-count ¶This option is intended for analyzer developers: if multiple diagnosticshave been detected as being duplicates of each other, it emits a note whenreporting the best diagnostic, giving the number of additional diagnosticsthat were suppressed by the deduplication logic.
-fanalyzer-show-events-in-system-headers ¶By default the analyzer emits simplified diagnostics paths by hidingevents fully located within a system header.With-fanalyzer-show-events-in-system-headers suchevents are no longer suppressed.
-fno-analyzer-simplify-supergraph ¶This option is intended for analyzer developers.
By default, the analyzer performs various simplifications to theprogram supergraph before analyzing it. With-fno-analyzer-simplify-supergraph this simplification can besuppressed, for debugging issues with it.
-fno-analyzer-state-merge ¶This option is intended for analyzer developers.
By default the analyzer attempts to simplify analysis by mergingsufficiently similar states at each program point as it builds its“exploded graph”. With-fno-analyzer-state-merge thismerging can be suppressed, for debugging state-handling issues.
-fno-analyzer-state-purge ¶This option is intended for analyzer developers.
By default the analyzer attempts to simplify analysis by purgingaspects of state at a program point that appear to no longer be relevante.g. the values of locals that aren’t accessed later in the functionand which aren’t relevant to leak analysis.
With-fno-analyzer-state-purge this purging of state canbe suppressed, for debugging state-handling issues.
-fno-analyzer-suppress-followups ¶This option is intended for analyzer developers.
By default the analyzer will stop exploring an execution path afterencountering certain diagnostics, in order to avoid potentially issuing acascade of follow-up diagnostics.
The diagnostics that terminate analysis along a path are:
With-fno-analyzer-suppress-followups the analyzer willcontinue to explore such paths even after such diagnostics, which maybe helpful for debugging issues in the analyzer, or for microbenchmarksfor detecting undefined behavior.
-fanalyzer-transitivity ¶This option enables transitivity of constraints within the analyzer.
-fno-analyzer-undo-inlining ¶This option is intended for analyzer developers.
-fanalyzer runs relatively late compared to other code analysistools, and some optimizations have already been applied to the code. Inparticular function inlining may have occurred, leading to theinterprocedural execution paths emitted by the analyzer containingfunction frames that don’t correspond to those in the original sourcecode.
By default the analyzer attempts to reconstruct the original functionframes, and to emit events showing the inlined calls.
With-fno-analyzer-undo-inlining this attempt to reconstructthe original frame information can be disabled, which may be of helpwhen debugging issues in the analyzer.
-fanalyzer-verbose-edges ¶This option is intended for analyzer developers. It enables moreverbose, lower-level detail in the descriptions of control flowwithin diagnostic paths.
-fanalyzer-verbose-state-changes ¶This option is intended for analyzer developers. It enables moreverbose, lower-level detail in the descriptions of events relatingto state machines within diagnostic paths.
-fanalyzer-verbosity=level ¶This option controls the complexity of the control flow paths that areemitted for analyzer diagnostics.
Thelevel can be one of:
At this level, interprocedural call and return events are displayed,along with the most pertinent state-change events relating toa diagnostic. For example, for a double-free diagnostic,both calls tofree will be shown.
As per the previous level, but also show events for the entryto each function.
As per the previous level, but also show events relating tocontrol flow that are significant to triggering the issue(e.g. “true path taken” at a conditional).
This level is the default.
As per the previous level, but show all control flow events, notjust significant ones.
This level is intended for analyzer developers; it adds variousother events intended for debugging the analyzer.
-fdump-analyzer ¶Dump internal details about what the analyzer is doing tofile.analyzer.txt.-fdump-analyzer-stderr overrides this option.
-fdump-analyzer-stderr ¶Dump internal details about what the analyzer is doing to stderr.This option overrides-fdump-analyzer.
-fdump-analyzer-callgraph ¶Dump a representation of the call graph suitable for viewing withGraphViz tofile.callgraph.dot.
-fdump-analyzer-exploded-graph ¶Dump a representation of the “exploded graph” suitable for viewing withGraphViz tofile.eg.dot.Nodes are color-coded based on state-machine states to emphasizestate changes.
-fdump-analyzer-exploded-nodes ¶Emit diagnostics showing where nodes in the “exploded graph” arein relation to the program source.
-fdump-analyzer-exploded-nodes-2 ¶Dump a textual representation of the “exploded graph” tofile.eg.txt.
-fdump-analyzer-exploded-nodes-3 ¶Dump a textual representation of the “exploded graph” toone dump file per node, tofile.eg-id.txt.This is typically a large number of dump files.
-fdump-analyzer-exploded-paths ¶Dump a textual representation of the “exploded path” for eachdiagnostic tofile.idx.kind.epath.txt.
-fdump-analyzer-feasibility ¶Dump internal details about the analyzer’s search for feasible paths.The details are written in a form suitable for viewing with GraphVizto filenames of the formfile.*.fg.dot,file.*.tg.dot, andfile.*.fpath.txt.
-fdump-analyzer-infinite-loop ¶Dump internal details about the analyzer’s search for infinite loops.The details are written in a form suitable for viewing with GraphVizto filenames of the formfile.*.infinite-loop.dot.
-fdump-analyzer-json ¶Dump a compressed JSON representation of analyzer internals tofile.analyzer.json.gz. The precise format is subjectto change.
-fdump-analyzer-state-purge ¶As per-fdump-analyzer-supergraph, dump a representation of the“supergraph” suitable for viewing with GraphViz, but annotate thegraph with information on what state will be purged at each node.The graph is written tofile.state-purge.dot.
-fdump-analyzer-supergraph ¶Dump representations of the “supergraph” suitable for viewing withGraphViz tofile.supergraph.index.kind.dot.These show all of the control flow graphs in the program, at various stagesof the analysis. The precise set of dumps and what they show is subjectto change.
-fdump-analyzer-untracked ¶Emit custom warnings with internal details intended for analyzer developers.
Next:Options for Debugging Your Program, Previous:Options to Request or Suppress Warnings, Up:GCC Command Options [Contents][Index]