Endre Fülöp <endre.fu...@sigmatechnology.com> Message-ID: In-Reply-To: <llvm.org/llvm/llvm-project/pull/97...@github.com>
================ 
@@ -0,0 +1,239 @@ +Command Line Usage: scan-build and CodeChecker +============================================== + +This document provides guidelines for running Clang Static Analyzer from the command line on whole projects. +CodeChecker and scan-build are two CLI tools for using CSA on multiple files (tranlation units). +Both provide a way of driving the analyzer, detecting compilation flags, and generating reports. +CodeChecker is more actively maintained, provides heuristics for working with multiple versions of popular compilers and it also comes with a web-based GUI for viewing, filtering, categorizing and suppressing the results. +Therefore CodeChecker is recommended in case you need any of the above features or just more customizability in general. + +Comparison of CodeChecker and scan-build +---------------------------------------- + +Static Analyzer is by design a GUI tool originally intended to be consumed by the XCode IDE. +Its purpose is to find buggy execution paths in the program, and such paths are very hard to comprehend by looking at a non-interactive standard output. +It is possible, however, to invoke the Static Analyzer from the command line in order to obtain analysis results, and then later view them interactively in a graphical interface. +The following tools are used commonly to run the analyzer from the command line. +Both tools are wrapper scripts to drive the analysis and the underlying invocations of the Clang compiler: + +1. scan-build_ is an old and simple command line tool that emits static analyzer warnings as HTML files while compiling your project. You can view the analysis results in your web browser. + - Useful for individual developers who simply want to view static analysis results at their desk, or in a very simple collaborative environment. + - Works on all major platforms (Windows, Linux, macOS) and is available as a package in many Linux distributions. + - Does not include support for cross-translation-unit analysis. + +2. 
CodeChecker_ is a driver and web server that runs the Static Analyzer on your projects on demand and maintains a database of issues. + - Perfect for managing large amounts of Static Analyzer warnings in a collaborative environment. + - Generally much more feature-rich than scan-build. + - Supports incremental analysis: Results can be stored in a database, subsequent analysis runs can be compared to list the newly added defects. + - :doc:`CrossTranslationUnit` is supported fully on Linux via CodeChecker. + - Can run clang-tidy checkers too. + - Open source, but out-of-tree, i.e. not part of the LLVM project. + +scan-build +---------- + +**scan-build** is a command line utility that enables a user to run the static analyzer over their codebase as part of performing a regular build (from the command line).
----------------
haoNoQ wrote:

I prefer "the static analyzer". It was never a name, it's just "a" static analyzer, "the" one who happens to live in Clang. Some people call it "scan-build", some people call it "clang-tidy", some people call it "CodeChecker", some people call it "Xcode". It's known under many names, but it never had its own name, because it was never supposed to be the entire product. It's just a compiler flag.

So I think the technically/historically correct spelling is: small letters, prefixed with a "the".

I'm very softly against using "CSA" even though I'm largely responsible for spreading this acronym back in the day. (I make a hiccup every time I accidentally look at [Hollywood movie credits](https://en.wikipedia.org/wiki/Casting_Society_of_America).)

I support giving the static analyzer a proper name though, if we can actually make it a thing!

https://github.com/llvm/llvm-project/pull/97034
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
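Review bot: In the introductory paragraph, "(tranlation units)" is a typo for "translation units", and the same sentence uses the acronym "CSA" without ever defining it, while the rest of the hunk refers to the same tool as "Clang Static Analyzer", "Static Analyzer", "the Static Analyzer" and "the static analyzer". Please pick one spelling and use it throughout the new document. In the comparison section, "XCode" should be spelled "Xcode", and "Static Analyzer is by design a GUI tool" is missing its article. The scan-build bullet list says it has no cross-translation-unit support while the CodeChecker list says CTU is "supported fully on Linux"; a short note on what the non-Linux status is for CodeChecker would make the comparison complete.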