I'm currently trying to integrate the Clang Static Analyzer v9.0.1 into my CMake v3.16.5 build system using the Microsoft Visual C++ Compiler (MSVC) v19.25.28610.4 on a Windows v10.0.18363.720 operating system.
Everything is build for the architecture x86_64. LLVM and Clang have been build from source.
After some reading on the World Wide Web (WWW), there seems to be multiple ways to use the Clang Static Analyzer. Sadly the documentation is horrible and there seems to be some special quirks on a Windows operating system (mostly related to clang-cl), therefore it is not straight-forward to integrate. IMO, it shouldn't take a professional programmer longer than one hour to integrate this into the C++ defacto standard build system.
There seems to be at least five possibilities to invoke the Clang Static Analyzer:
scan-buildscript.- Requires a Perl runtime environment.
- Is able to analyze multiple files with one invocation.
- Is able to generate HTML (more advance than the other possibilities), plist or sarif output file(s).
- My issue: Does not detect any bugs, always printing
scan-build: No bugs found.to STDOUT.
clang-checkexecutable.- Requires a JSON compilation database file
compile_commands.json. - Is able to analyze multiple files with one invocation.
- Should be able to generate HTML report file(s). by the means of the
--extra-argargument. - My issue: Unable to make it work (refer to the second script below).
- Requires a JSON compilation database file
clang/clang++executables.- Is able to analyze one file with one invocation.
- My issue: Basically works, but looks like the worst possibility to me (due to missing build information).
c++-analyzer.bat/ccc-analyzer.batbatch scripts.- Does seem to support Clang and GCC only.
- My issue: I'm unable to find any documentation for these scripts.
clang-tidyexecutable withclang-analyzer-*checks only.- Can use a JSON compilation database file
compile_commands.json. - Is able to analyze multiple files with one invocation.
- My issue: Is not able to generate HTML report file(s), but YAML only.
- Can use a JSON compilation database file
Here are three batch scripts, one for each of the first three approaches:
scan-build-example.cmd@echo off setlocal cls rem Configure call scan-build.bat^ -v^ -v^ -v^ -analyze-headers^ --force-analyze-debug-code^ -o _scan_build_out^ --keep-cc^ --html-title="Scan Build Example"^ --show-description^ --use-cc="C:Program Files (x86)Microsoft Visual Studio2019CommunityVCToolsMSVC14.25.28610inHostx64x64cl.exe"^ --use-c++="C:Program Files (x86)Microsoft Visual Studio2019CommunityVCToolsMSVC14.25.28610inHostx64x64cl.exe"^ -stats^ -maxloop 4^ -internal-stats^ --use-analyzer="E:dev ativellvmllvm-9.0.1Releasestaticx64-windows-msvc1924-v142inclang.exe"^ -analyzer-config stable-report-filename=true^ -enable-checker core,cplusplus,deadcode,nullability,optin,osx,security,unix,valist^ cmake^ -S "D:cmakecmake-example-clang-static-analyzer"^ -B "D:cmakecmake-example-clang-static-analyzer\_scan-build"^ -G "Ninja"^ -DCMAKE_C_COMPILER:PATH="C:Program Files (x86)Microsoft Visual Studio2019CommunityVCToolsMSVC14.25.28610inHostx64x64cl.exe"^ -DCMAKE_CXX_COMPILER:PATH="C:Program Files (x86)Microsoft Visual Studio2019CommunityVCToolsMSVC14.25.28610inHostx64x64cl.exe"^ -DCMAKE_BUILD_TYPE:STRING=Debug rem Build call scan-build.bat^ -v^ -v^ -v^ -analyze-headers^ --force-analyze-debug-code^ -o _scan_build_out^ --keep-cc^ --html-title="Scan Build Example"^ --show-description^ --use-cc="C:Program Files (x86)Microsoft Visual Studio2019CommunityVCToolsMSVC14.25.28610inHostx64x64cl.exe"^ --use-c++="C:Program Files (x86)Microsoft Visual Studio2019CommunityVCToolsMSVC14.25.28610inHostx64x64cl.exe"^ -stats^ -maxloop 4^ -internal-stats^ --use-analyzer="E:dev ativellvmllvm-9.0.1Releasestaticx64-windows-msvc1924-v142inclang.exe"^ -analyzer-config stable-report-filename=true^ -enable-checker core,cplusplus,deadcode,nullability,optin,osx,security,unix,valist^ cmake^ --build "D:cmakecmake-example-clang-static-analyzer\_scan-build"^ --config Debugclang-check-example.cmd@echo off setlocal cls set out_dir=%~dp0.\_clang_check_out mkdir "%out_dir%" > nul 2>&1 rem Issue: "warning: could not create file in 'main.plist': no such file or directory" clang-check^ -analyze^ -extra-arg=-Xclang^ -extra-arg=-analyzer-config^ -extra-arg=-Xclang^ -extra-arg=add-pop-up-notes=true,mode=deep^ -extra-arg=-Xclang^ -extra-arg=-analyzer-checker=core,cplusplus,deadcode,nullability,optin,osx,security,unix,valist^ -extra-arg=-Xclang^ -extra-arg=-analyzer-output=html^ -extra-arg=-o=%out_dir%^ -p "D:cmakecmake-example-clang-static-analyzer\_build"^ "D:cmakecmake-example-clang-static-analyzerappmain.cpp"clang_analyze-example.cmd@echo off setlocal cls set out_dir=%~dp0.\_clang_analyzer_out mkdir "%out_dir%" clang++^ --analyze^ -Xanalyzer^ -analyzer-checker=core,cplusplus,deadcode,nullability,optin,osx,security,unix,valist^ -Xanalyzer^ -analyzer-output=html^ -o "%out_dir%"^ -I"D:cmakecmake-example-clang-static-analyzersrc"^ "D:cmakecmake-example-clang-static-analyzerappmain.cpp
My questions are:
- How-to make
scan-build.batwork on Windows (I tried both using MSVC and Clang)? - How-to pass the options to
clang-check.exeto make it create HTML output files and get rid of thewarning: could not create file in 'main.plist': no such file or directorywarning? - Can be using
clang.exe/clang++.exea suitable alternative (imo, its missing the build information that should be available with the other two non-working alternatives)?
In general: What's the easiest way to generate a HTML report with the Clang Static Analyzer using MSVC on Windows?
Related questions:
- How to make the Clang Static Analyzer output its working from command line?
- Clang Static Analyzer doesn't find the most basic problems
- How do I use the clang static analyzer with msbuild on Windows?
- scan-build make does not detect any bugs
Changelog:
- 2020-03-20T12:06Z
- Update
clang-check-example.cmdscript.
- Update
- 2020-03-20T08:50Z
- Add mention of
clang-tidy.
- Add mention of
