1//===-- AnalyzerOptions.def - Metadata about Static Analyses ----*- C++ -*-===// 2// 3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4// See https://llvm.org/LICENSE.txt for license information. 5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6// 7//===----------------------------------------------------------------------===// 8// 9// This file defines the analyzer options avaible with -analyzer-config. 10// 11//===----------------------------------------------------------------------===// 12 13#ifndef LLVM_ADT_STRINGREF_H 14#error This .def file is expected to be included in translation units where \ 15"llvm/ADT/StringRef.h" is already included! 16#endif 17 18#ifdef ANALYZER_OPTION 19#ifndef ANALYZER_OPTION_DEPENDS_ON_USER_MODE 20#error If you didnt include this file with the intent of generating methods, \ 21define both 'ANALYZER_OPTION' and 'ANALYZER_OPTION_DEPENDS_ON_USER_MODE' macros! 22#endif 23#endif 24 25#ifndef ANALYZER_OPTION_DEPENDS_ON_USER_MODE 26#ifdef ANALYZER_OPTION 27#error If you didnt include this file with the intent of generating methods, \ 28define both 'ANALYZER_OPTION' and 'ANALYZER_OPTION_DEPENDS_ON_USER_MODE' macros! 29#endif 30#endif 31 32#ifndef ANALYZER_OPTION 33/// Create a new analyzer option, but dont generate a method for it in 34/// AnalyzerOptions. 35/// 36/// TYPE - The type of the option object that will be stored in 37/// AnalyzerOptions. This file is expected to be icluded in translation 38/// units where AnalyzerOptions.h is included, so types from that 39/// header should be used. 40/// NAME - The name of the option object. 41/// CMDFLAG - The command line flag for the option. 42/// (-analyzer-config CMDFLAG=VALUE) 43/// DESC - Description of the flag. 44/// DEFAULT_VAL - The default value for CMDFLAG. 45#define ANALYZER_OPTION(TYPE, NAME, CMDFLAG, DESC, DEFAULT_VAL) 46#endif 47 48#ifndef ANALYZER_OPTION_DEPENDS_ON_USER_MODE 49/// Create a new analyzer option, but dont generate a method for it in 50/// AnalyzerOptions. It's value depends on the option "user-mode". 51/// 52/// TYPE - The type of the option object that will be stored in 53/// AnalyzerOptions. This file is expected to be icluded in translation 54/// units where AnalyzerOptions.h is included, so types from that 55/// header should be used. 56/// NAME - The name of the option object. 57/// CMDFLAG - The command line flag for the option. 58/// (-analyzer-config CMDFLAG=VALUE) 59/// DESC - Description of the flag. 60/// SHALLOW_VAL - The default value for CMDFLAG, when "user-mode" was set to 61/// "shallow". 62/// DEEP_VAL - The default value for CMDFLAG, when "user-mode" was set to 63/// "deep". 64#define ANALYZER_OPTION_DEPENDS_ON_USER_MODE(TYPE, NAME, CMDFLAG, DESC, \ 65 SHALLOW_VAL, DEEP_VAL) 66#endif 67 68//===----------------------------------------------------------------------===// 69// The "mode" option. Since some options depend on this, we list it on top of 70// this file in order to make sure that the generated field for it is 71// initialized before the rest. 72//===----------------------------------------------------------------------===// 73 74ANALYZER_OPTION( 75 StringRef, UserMode, "mode", 76 "(string) Controls the high-level analyzer mode, which influences the " 77 "default settings for some of the lower-level config options (such as " 78 "IPAMode). Value: \"deep\", \"shallow\".", 79 "deep") 80 81//===----------------------------------------------------------------------===// 82// Boolean analyzer options. 83//===----------------------------------------------------------------------===// 84 85ANALYZER_OPTION(bool, ShouldIncludeImplicitDtorsInCFG, "cfg-implicit-dtors", 86 "Whether or not implicit destructors for C++ objects " 87 "should be included in the CFG.", 88 true) 89 90ANALYZER_OPTION(bool, ShouldIncludeTemporaryDtorsInCFG, "cfg-temporary-dtors", 91 "Whether or not the destructors for C++ temporary " 92 "objects should be included in the CFG.", 93 true) 94 95ANALYZER_OPTION( 96 bool, ShouldIncludeLifetimeInCFG, "cfg-lifetime", 97 "Whether or not end-of-lifetime information should be included in the CFG.", 98 false) 99 100ANALYZER_OPTION(bool, ShouldIncludeLoopExitInCFG, "cfg-loopexit", 101 "Whether or not the end of the loop information should " 102 "be included in the CFG.", 103 false) 104 105ANALYZER_OPTION(bool, ShouldIncludeRichConstructorsInCFG, 106 "cfg-rich-constructors", 107 "Whether or not construction site information should be " 108 "included in the CFG C++ constructor elements.", 109 true) 110 111ANALYZER_OPTION( 112 bool, ShouldIncludeScopesInCFG, "cfg-scopes", 113 "Whether or not scope information should be included in the CFG.", false) 114 115ANALYZER_OPTION(bool, ShouldIncludeDefaultInitForAggregates, 116 "cfg-expand-default-aggr-inits", 117 "Whether or not inline CXXDefaultInitializers for aggregate " 118 "initialization in the CFG.", 119 false) 120 121ANALYZER_OPTION( 122 bool, MayInlineTemplateFunctions, "c++-template-inlining", 123 "Whether or not templated functions may be considered for inlining.", true) 124 125ANALYZER_OPTION(bool, MayInlineCXXStandardLibrary, "c++-stdlib-inlining", 126 "Whether or not C++ standard library functions may be " 127 "considered for inlining.", 128 true) 129 130ANALYZER_OPTION(bool, MayInlineCXXAllocator, "c++-allocator-inlining", 131 "Whether or not allocator and deallocator calls may be " 132 "considered for inlining.", 133 true) 134 135ANALYZER_OPTION( 136 bool, MayInlineCXXSharedPtrDtor, "c++-shared_ptr-inlining", 137 "Whether or not the destructor of C++ 'shared_ptr' may be considered for " 138 "inlining. This covers std::shared_ptr, std::tr1::shared_ptr, and " 139 "boost::shared_ptr, and indeed any destructor named '~shared_ptr'.", 140 false) 141 142ANALYZER_OPTION(bool, MayInlineCXXTemporaryDtors, "c++-temp-dtor-inlining", 143 "Whether C++ temporary destructors should be inlined " 144 "during analysis. If temporary destructors are disabled " 145 "in the CFG via the 'cfg-temporary-dtors' option, " 146 "temporary destructors would not be inlined anyway.", 147 true) 148 149ANALYZER_OPTION( 150 bool, ShouldSuppressNullReturnPaths, "suppress-null-return-paths", 151 "Whether or not paths that go through null returns should be suppressed. " 152 "This is a heuristic for avoiding bug reports with paths that go through " 153 "inlined functions that are more defensive than their callers.", 154 true) 155 156ANALYZER_OPTION( 157 bool, ShouldAvoidSuppressingNullArgumentPaths, 158 "avoid-suppressing-null-argument-paths", 159 "Whether a bug report should not be suppressed if its path includes a call " 160 "with a null argument, even if that call has a null return. This option " 161 "has no effect when ShouldSuppressNullReturnPaths is false. This is a " 162 "counter-heuristic to avoid false negatives.", 163 false) 164 165ANALYZER_OPTION(bool, ShouldSuppressInlinedDefensiveChecks, 166 "suppress-inlined-defensive-checks", 167 "Whether or not diagnostics containing inlined " 168 "defensive NULL checks should be suppressed.", 169 true) 170 171ANALYZER_OPTION(bool, MayInlineCXXContainerMethods, "c++-container-inlining", 172 "Whether or not methods of C++ container objects may be " 173 "considered for inlining.", 174 false) 175 176ANALYZER_OPTION(bool, ShouldSuppressFromCXXStandardLibrary, 177 "suppress-c++-stdlib", 178 "Whether or not diagnostics reported within the C++ " 179 "standard library should be suppressed.", 180 true) 181 182ANALYZER_OPTION(bool, ShouldCrosscheckWithZ3, "crosscheck-with-z3", 183 "Whether bug reports should be crosschecked with the Z3 " 184 "constraint manager backend.", 185 false) 186 187ANALYZER_OPTION( 188 unsigned, Z3CrosscheckEQClassTimeoutThreshold, 189 "crosscheck-with-z3-eqclass-timeout-threshold", 190 "Set a timeout for bug report equivalence classes in milliseconds. " 191 "If we exhaust this threshold, we will drop the bug report eqclass " 192 "instead of doing more Z3 queries. Set 0 for no timeout.", 700) 193 194ANALYZER_OPTION( 195 unsigned, Z3CrosscheckTimeoutThreshold, 196 "crosscheck-with-z3-timeout-threshold", 197 "Set a timeout for individual Z3 queries in milliseconds. " 198 "Set 0 for no timeout.", 300) 199 200ANALYZER_OPTION( 201 unsigned, Z3CrosscheckRLimitThreshold, 202 "crosscheck-with-z3-rlimit-threshold", 203 "Set the Z3 resource limit threshold. This sets a deterministic cutoff " 204 "point for Z3 queries, as longer queries usually consume more resources. " 205 "Set 0 for unlimited.", 400'000) 206 207ANALYZER_OPTION(bool, ShouldReportIssuesInMainSourceFile, 208 "report-in-main-source-file", 209 "Whether or not the diagnostic report should be always " 210 "reported in the main source file and not the headers.", 211 false) 212 213ANALYZER_OPTION(bool, ShouldWriteStableReportFilename, "stable-report-filename", 214 "Deprecated: report filenames are now always stable. " 215 "See also 'verbose-report-filename'.", 216 false) 217 218ANALYZER_OPTION(bool, ShouldWriteVerboseReportFilename, "verbose-report-filename", 219 "Whether or not the report filename should contain extra " 220 "information about the issue.", 221 false) 222 223ANALYZER_OPTION( 224 bool, ShouldSerializeStats, "serialize-stats", 225 "Whether the analyzer should serialize statistics to plist output. " 226 "Statistics would be serialized in JSON format inside the main dictionary " 227 "under the statistics key. Available only if compiled in assert mode or " 228 "with LLVM statistics explicitly enabled.", 229 false) 230 231ANALYZER_OPTION(bool, MayInlineObjCMethod, "objc-inlining", 232 "Whether ObjectiveC inlining is enabled, false otherwise.", 233 true) 234 235ANALYZER_OPTION(bool, ShouldPrunePaths, "prune-paths", 236 "Whether irrelevant parts of a bug report path should " 237 "be pruned out of the final output.", 238 true) 239 240ANALYZER_OPTION(bool, ShouldAddPopUpNotes, "add-pop-up-notes", 241 "Whether pop-up notes should be added to the final output.", 242 true) 243 244ANALYZER_OPTION( 245 bool, ShouldConditionalizeStaticInitializers, 246 "cfg-conditional-static-initializers", 247 "Whether 'static' initializers should be in conditional logic in the CFG.", 248 true) 249 250ANALYZER_OPTION(bool, ShouldSynthesizeBodies, "faux-bodies", 251 "Whether the analyzer engine should synthesize fake " 252 "bodies for well-known functions.", 253 true) 254 255ANALYZER_OPTION( 256 bool, ShouldElideConstructors, "elide-constructors", 257 "Whether elidable C++ copy-constructors and move-constructors should be " 258 "actually elided during analysis. Both behaviors are allowed by the C++ " 259 "standard, and the analyzer, like CodeGen, defaults to eliding. Starting " 260 "with C++17 some elisions become mandatory, and in these cases the option " 261 "will be ignored.", 262 true) 263 264ANALYZER_OPTION( 265 bool, ShouldInlineLambdas, "inline-lambdas", 266 "Whether lambdas should be inlined. Otherwise a sink node will be " 267 "generated each time a LambdaExpr is visited.", 268 true) 269 270ANALYZER_OPTION(bool, ShouldWidenLoops, "widen-loops", 271 "Whether the analysis should try to widen loops.", false) 272 273ANALYZER_OPTION( 274 bool, ShouldUnrollLoops, "unroll-loops", 275 "Whether the analysis should try to unroll loops with known bounds.", false) 276 277ANALYZER_OPTION( 278 bool, ShouldDisplayNotesAsEvents, "notes-as-events", 279 "Whether the bug reporter should transparently treat extra note diagnostic " 280 "pieces as event diagnostic pieces. Useful when the diagnostic consumer " 281 "doesn't support the extra note pieces.", 282 false) 283 284ANALYZER_OPTION( 285 bool, ShouldAggressivelySimplifyBinaryOperation, 286 "aggressive-binary-operation-simplification", 287 "Whether SValBuilder should rearrange comparisons and additive operations " 288 "of symbolic expressions which consist of a sum of a symbol and a concrete " 289 "integer into the format where symbols are on the left-hand side and the " 290 "integer is on the right. This is only done if both symbols and both " 291 "concrete integers are signed, greater than or equal to the quarter of the " 292 "minimum value of the type and less than or equal to the quarter of the " 293 "maximum value of that type. A + n <OP> B + m becomes A - B <OP> m - n, " 294 "where A and B symbolic, n and m are integers. <OP> is any of '==', '!=', " 295 "'<', '<=', '>', '>=', '+' or '-'. The rearrangement also happens with '-' " 296 "instead of '+' on either or both side and also if any or both integers " 297 "are missing.", 298 false) 299 300ANALYZER_OPTION( 301 bool, ShouldEagerlyAssume, "eagerly-assume", 302 "Whether we should eagerly assume evaluations of conditionals, thus, " 303 "bifurcating the path. This indicates how the engine should handle " 304 "expressions such as: 'x = (y != 0)'. When this is true then the " 305 "subexpression 'y != 0' will be eagerly assumed to be true or false, thus " 306 "evaluating it to the integers 0 or 1 respectively. The upside is that " 307 "this can increase analysis precision until we have a better way to lazily " 308 "evaluate such logic. The downside is that it eagerly bifurcates paths.", 309 true) 310 311ANALYZER_OPTION( 312 bool, IsNaiveCTUEnabled, "experimental-enable-naive-ctu-analysis", 313 "Whether naive cross translation unit analysis is enabled. This is an " 314 "experimental feature to inline functions from other translation units.", 315 false) 316 317ANALYZER_OPTION(bool, ShouldDisplayMacroExpansions, "expand-macros", 318 "Whether macros related to the bugpath should be " 319 "expanded and included in the plist output.", 320 false) 321 322ANALYZER_OPTION(bool, DisplayCTUProgress, "display-ctu-progress", 323 "Whether to emit verbose output about " 324 "the analyzer's progress related to ctu.", 325 false) 326 327ANALYZER_OPTION(bool, ShouldTrackConditions, "track-conditions", 328 "Whether to track conditions that are a control dependency of " 329 "an already tracked variable.", 330 true) 331 332ANALYZER_OPTION(bool, ShouldTrackConditionsDebug, "track-conditions-debug", 333 "Whether to place an event at each tracked condition.", 334 false) 335 336ANALYZER_OPTION(bool, ShouldApplyFixIts, "apply-fixits", 337 "Apply the fix-it hints to the files", 338 false) 339 340ANALYZER_OPTION(bool, ShouldDisplayCheckerNameForText, "display-checker-name", 341 "Display the checker name for textual outputs", 342 true) 343 344ANALYZER_OPTION(bool, ShouldSupportSymbolicIntegerCasts, 345 "support-symbolic-integer-casts", 346 "Produce cast symbols for integral types.", 347 false) 348 349ANALYZER_OPTION( 350 bool, ShouldAssumeControlledEnvironment, "assume-controlled-environment", 351 "Whether the analyzed application runs in a controlled environment. " 352 "We will assume that environment variables exist in queries and they hold " 353 "no malicious data. For instance, if this option is enabled, 'getenv()' " 354 "might be modeled by the analyzer to never return NULL.", 355 false) 356 357ANALYZER_OPTION( 358 bool, ShouldIgnoreBisonGeneratedFiles, "ignore-bison-generated-files", 359 "If enabled, any files containing the \"/* A Bison parser, made by\" " 360 "won't be analyzed.", 361 true) 362 363ANALYZER_OPTION( 364 bool, ShouldIgnoreFlexGeneratedFiles, "ignore-flex-generated-files", 365 "If enabled, any files containing the \"/* A lexical scanner generated by " 366 "flex\" won't be analyzed.", 367 true) 368 369//===----------------------------------------------------------------------===// 370// Unsigned analyzer options. 371//===----------------------------------------------------------------------===// 372 373ANALYZER_OPTION(unsigned, CTUImportThreshold, "ctu-import-threshold", 374 "The maximal amount of translation units that is considered " 375 "for import when inlining functions during CTU analysis. " 376 "Lowering this threshold can alleviate the memory burden of " 377 "analysis with many interdependent definitions located in " 378 "various translation units. This is valid only for non C++ " 379 "source files.", 380 24u) 381 382ANALYZER_OPTION(unsigned, CTUImportCppThreshold, "ctu-import-cpp-threshold", 383 "The maximal amount of translation units that is considered " 384 "for import when inlining functions during CTU analysis of C++ " 385 "source files.", 386 8u) 387 388ANALYZER_OPTION( 389 unsigned, AlwaysInlineSize, "ipa-always-inline-size", 390 "The size of the functions (in basic blocks), which should be considered " 391 "to be small enough to always inline.", 392 3) 393 394ANALYZER_OPTION( 395 unsigned, GraphTrimInterval, "graph-trim-interval", 396 "How often nodes in the ExplodedGraph should be recycled to save memory. " 397 "To disable node reclamation, set the option to 0.", 398 1000) 399 400ANALYZER_OPTION( 401 unsigned, MinCFGSizeTreatFunctionsAsLarge, 402 "min-cfg-size-treat-functions-as-large", 403 "The number of basic blocks a function needs to have to be considered " 404 "large for the 'max-times-inline-large' config option.", 405 14) 406 407ANALYZER_OPTION(unsigned, MaxSymbolComplexity, "max-symbol-complexity", 408 "The maximum complexity of symbolic constraint.", 35) 409 410// HACK:https://discourse.llvm.org/t/rfc-make-istainted-and-complex-symbols-friends/79570 411// Ideally, we should get rid of this option soon. 412ANALYZER_OPTION(unsigned, MaxTaintedSymbolComplexity, "max-tainted-symbol-complexity", 413 "[DEPRECATED] The maximum complexity of a symbol to carry taint", 9) 414 415ANALYZER_OPTION(unsigned, MaxTimesInlineLarge, "max-times-inline-large", 416 "The maximum times a large function could be inlined.", 32) 417 418ANALYZER_OPTION_DEPENDS_ON_USER_MODE( 419 unsigned, MaxInlinableSize, "max-inlinable-size", 420 "The bound on the number of basic blocks in an inlined function.", 421 /* SHALLOW_VAL */ 4, /* DEEP_VAL */ 100) 422 423ANALYZER_OPTION_DEPENDS_ON_USER_MODE( 424 unsigned, MaxNodesPerTopLevelFunction, "max-nodes", 425 "The maximum number of nodes the analyzer can generate while exploring a " 426 "top level function (for each exploded graph). 0 means no limit.", 427 /* SHALLOW_VAL */ 75000, /* DEEP_VAL */ 225000) 428 429ANALYZER_OPTION( 430 unsigned, CTUMaxNodesPercentage, "ctu-max-nodes-pct", 431 "The percentage of single-TU analysed nodes that the CTU analysis is " 432 "allowed to visit.", 50) 433 434ANALYZER_OPTION( 435 unsigned, CTUMaxNodesMin, "ctu-max-nodes-min", 436 "The maximum number of nodes in CTU mode is determinded by " 437 "'ctu-max-nodes-pct'. However, if the number of nodes in single-TU " 438 "analysis is too low, it is meaningful to provide a minimum value that " 439 "serves as an upper bound instead.", 10000) 440 441ANALYZER_OPTION( 442 unsigned, RegionStoreSmallStructLimit, "region-store-small-struct-limit", 443 "The largest number of fields a struct can have and still be considered " 444 "small. This is currently used to decide whether or not it is worth forcing " 445 "a LazyCompoundVal on bind. To disable all small-struct-dependent " 446 "behavior, set the option to 0.", 447 2) 448 449ANALYZER_OPTION( 450 unsigned, RegionStoreSmallArrayLimit, "region-store-small-array-limit", 451 "The largest number of elements an array can have and still be considered " 452 "small. This is currently used to decide whether or not it is worth forcing " 453 "a LazyCompoundVal on bind. To disable all small-array-dependent " 454 "behavior, set the option to 0.", 455 5) 456 457//===----------------------------------------------------------------------===// 458// String analyzer options. 459//===----------------------------------------------------------------------===// 460 461ANALYZER_OPTION(StringRef, CTUDir, "ctu-dir", 462 "The directory containing the CTU related files.", "") 463 464ANALYZER_OPTION(StringRef, CTUIndexName, "ctu-index-name", 465 "The name of the file containing the CTU index of definitions. " 466 "The index file maps USR-names to identifiers. An identifier " 467 "can end with an '.ast' suffix, indicating the indentifier is " 468 "a path to a pch-dump. Otherwise the identifier is regarded as " 469 "path to a source file which is parsed on-demand. Relative " 470 "paths are prefixed with ctu-dir, absolute paths are used " 471 "unmodified during lookup.", 472 "externalDefMap.txt") 473 474ANALYZER_OPTION( 475 StringRef, CTUInvocationList, "ctu-invocation-list", 476 "The path to the YAML format file containing a mapping from source file " 477 "paths to command-line invocations represented as a list of arguments. " 478 "This invocation is used produce the source-file's AST in case on-demand " 479 "loading is performed. Example file-content: " 480 "{/main.cpp: [clang++, /main.cpp], other.cpp: [clang++, /other.cpp]}", 481 "invocations.yaml") 482 483ANALYZER_OPTION( 484 StringRef, ModelPath, "model-path", 485 "The analyzer can inline an alternative implementation written in C at the " 486 "call site if the called function's body is not available. This is a path " 487 "where to look for those alternative implementations (called models).", 488 "") 489 490ANALYZER_OPTION( 491 StringRef, CTUPhase1InliningMode, "ctu-phase1-inlining", 492 "Controls which functions will be inlined during the first phase of the ctu " 493 "analysis. " 494 "If the value is set to 'all' then all foreign functions are inlinied " 495 "immediately during the first phase, thus rendering the second phase a noop. " 496 "The 'ctu-max-nodes-*' budge has no effect in this case. " 497 "If the value is 'small' then only functions with a linear CFG and with a " 498 "limited number of statements would be inlined during the first phase. The " 499 "long and/or nontrivial functions are handled in the second phase and are " 500 "controlled by the 'ctu-max-nodes-*' budge. " 501 "The value 'none' means that all foreign functions are inlined only in the " 502 "second phase, 'ctu-max-nodes-*' budge limits the second phase. " 503 "Value: \"none\", \"small\", \"all\".", 504 "small") 505 506ANALYZER_OPTION( 507 StringRef, CXXMemberInliningMode, "c++-inlining", 508 "Controls which C++ member functions will be considered for inlining. " 509 "Value: \"constructors\", \"destructors\", \"methods\".", 510 "destructors") 511 512ANALYZER_OPTION( 513 StringRef, ExplorationStrategy, "exploration_strategy", 514 "Value: \"dfs\", \"bfs\", \"unexplored_first\", " 515 "\"unexplored_first_queue\", \"unexplored_first_location_queue\", " 516 "\"bfs_block_dfs_contents\".", 517 "unexplored_first_queue") 518 519ANALYZER_OPTION( 520 StringRef, RawSilencedCheckersAndPackages, "silence-checkers", 521 "A semicolon separated list of checker and package names to silence. " 522 "Silenced checkers will not emit reports, but the modeling remain enabled.", 523 "") 524 525ANALYZER_OPTION_DEPENDS_ON_USER_MODE( 526 StringRef, IPAMode, "ipa", 527 "Controls the mode of inter-procedural analysis. Value: \"none\", " 528 "\"basic-inlining\", \"inlining\", \"dynamic\", \"dynamic-bifurcate\".", 529 /* SHALLOW_VAL */ "inlining", /* DEEP_VAL */ "dynamic-bifurcate") 530 531#undef ANALYZER_OPTION_DEPENDS_ON_USER_MODE 532#undef ANALYZER_OPTION 533