You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

599 lines
24 KiB

NAME
infer-analyze - analyze the files captured by infer
SYNOPSIS
infer analyze [options]
infer [options]
DESCRIPTION
Analyze the files captured in the project results directory and
report.
OPTIONS
--annotation-reachability
Activates: checker annotation-reachability: Given a pair of source
and sink annotation, e.g. `@PerformanceCritical` and `@Expensive`,
this checker will warn whenever some method annotated with
`@PerformanceCritical` calls, directly or indirectly, another
method annotated with `@Expensive` (Conversely:
--no-annotation-reachability)
--annotation-reachability-only
Activates: Enable annotation-reachability and disable all other
checkers (Conversely: --no-annotation-reachability-only)
--no-biabduction
Deactivates: checker biabduction: This analysis deals with a range
of issues, many linked to memory safety. (Conversely:
--biabduction)
--biabduction-only
Activates: Enable biabduction and disable all other checkers
(Conversely: --no-biabduction-only)
--biabduction-write-dotty
Activates: Produce dotty files for specs and retain cycles reports
in infer-out/captured. (Conversely: --no-biabduction-write-dotty)
--bufferoverrun
Activates: checker bufferoverrun: InferBO is a detector for
out-of-bounds array accesses. (Conversely: --no-bufferoverrun)
--bufferoverrun-only
Activates: Enable bufferoverrun and disable all other checkers
(Conversely: --no-bufferoverrun-only)
--changed-files-index file
Specify the file containing the list of source files from which
reactive analysis should start. Source files should be specified
relative to project root or be absolute
--config-checks-between-markers
Activates: checker config-checks-between-markers: [EXPERIMENTAL]
Collects config checks between marker start and end. (Conversely:
--no-config-checks-between-markers)
--config-checks-between-markers-only
Activates: Enable config-checks-between-markers and disable all
other checkers (Conversely:
--no-config-checks-between-markers-only)
--config-impact-analysis
Activates: checker config-impact-analysis: [EXPERIMENTAL] Collects
function that are called without config checks. (Conversely:
--no-config-impact-analysis)
--config-impact-analysis-only
Activates: Enable config-impact-analysis and disable all other
checkers (Conversely: --no-config-impact-analysis-only)
--continue-analysis
Activates: Continue the analysis after more targets are captured
by --continue. The other analysis options should be given the same
before. Not compatible with --reanalyze and
--incremental-analysis. (Conversely: --no-continue-analysis)
--cost
Activates: checker cost: Computes the time complexity of functions
and methods. Can be used to detect changes in runtime complexity
with `infer reportdiff`. (Conversely: --no-cost)
--cost-only
Activates: Enable cost and disable all other checkers (Conversely:
--no-cost-only)
--no-cost-suppress-func-ptr
Deactivates: Suppress printing function pointers in cost reports
(Conversely: --cost-suppress-func-ptr)
--custom-symbols json
Specify named lists of symbols available to rules
--debug,-g
Activates: Debug mode (also sets --debug-level 2,
--developer-mode, --print-buckets, --print-types,
--reports-include-ml-loc, --no-only-cheap-debug, --trace-error,
--write-html) (Conversely: --no-debug | -G)
--debug-level level
Debug level (sets --bo-debug level, --debug-level-analysis level,
--debug-level-capture level, --debug-level-linters level):
- 0: only basic debugging enabled
- 1: verbose debugging enabled
- 2: very verbose debugging enabled
--debug-level-analysis int
Debug level for the analysis. See --debug-level for accepted
values.
--debug-level-capture int
Debug level for the capture. See --debug-level for accepted
values.
--debug-level-linters int
Debug level for the linters. See --debug-level for accepted
values.
--no-deduplicate
Deactivates: Apply issue-specific deduplication during analysis
and/or reporting. (Conversely: --deduplicate)
--no-default-checkers
Deactivates: Default checkers: --biabduction,
--fragment-retains-view, --inefficient-keyset-iterator, --linters,
--liveness, --racerd, --dotnet-resource-leak, --siof,
--self-in-block, --starvation (Conversely: --default-checkers)
--eradicate
Activates: checker eradicate: The eradicate `@Nullable` checker
for Java annotations. (Conversely: --no-eradicate)
--eradicate-only
Activates: Enable eradicate and disable all other checkers
(Conversely: --no-eradicate-only)
--no-fragment-retains-view
Deactivates: checker fragment-retains-view: Detects when Android
fragments are not explicitly nullified before becoming
unreachable. (Conversely: --fragment-retains-view)
--fragment-retains-view-only
Activates: Enable fragment-retains-view and disable all other
checkers (Conversely: --no-fragment-retains-view-only)
--help
Show this manual
--help-format { auto | groff | pager | plain }
Show this help in the specified format. auto sets the format to
plain if the environment variable TERM is "dumb" or undefined, and
to pager otherwise.
--help-full
Show this manual with all internal options in the INTERNAL OPTIONS
section
--immutable-cast
Activates: checker immutable-cast: Detection of object cast from
immutable types to mutable types. For instance, it will detect
casts from `ImmutableList` to `List`, `ImmutableMap` to `Map`, and
`ImmutableSet` to `Set`. (Conversely: --no-immutable-cast)
--immutable-cast-only
Activates: Enable immutable-cast and disable all other checkers
(Conversely: --no-immutable-cast-only)
--impurity
Activates: checker impurity: Detects functions with potential
side-effects. Same as "purity", but implemented on top of Pulse.
(Conversely: --no-impurity)
--impurity-only
Activates: Enable impurity and disable all other checkers
(Conversely: --no-impurity-only)
--impurity-report-immutable-modifications
Activates: Report modifications to immutable fields in the
Impurity checker (Conversely:
--no-impurity-report-immutable-modifications)
--no-inefficient-keyset-iterator
Deactivates: checker inefficient-keyset-iterator: Check for
inefficient uses of iterators that iterate on keys then lookup
their values, instead of iterating on key-value pairs directly.
(Conversely: --inefficient-keyset-iterator)
--inefficient-keyset-iterator-only
Activates: Enable inefficient-keyset-iterator and disable all
other checkers (Conversely: --no-inefficient-keyset-iterator-only)
--jobs,-j int
Run the specified number of analysis jobs simultaneously
--keep-going
Activates: Keep going when the analysis encounters a failure
(Conversely: --no-keep-going)
--no-linters
Deactivates: checker linters: Declarative linting framework over
the Clang AST. (Conversely: --linters)
--linters-only
Activates: Enable linters and disable all other checkers
(Conversely: --no-linters-only)
--litho-required-props
Activates: checker litho-required-props: Checks that all
non-optional `@Prop`s have been specified when constructing Litho
components. (Conversely: --no-litho-required-props)
--litho-required-props-only
Activates: Enable litho-required-props and disable all other
checkers (Conversely: --no-litho-required-props-only)
--no-liveness
Deactivates: checker liveness: Detection of dead stores and unused
variables. (Conversely: --liveness)
--liveness-ignored-constant +string
List of integer constants to be ignored by liveness analysis
--liveness-only
Activates: Enable liveness and disable all other checkers
(Conversely: --no-liveness-only)
--loop-hoisting
Activates: checker loop-hoisting: Detect opportunities to hoist
function calls that are invariant outside of loop bodies for
efficiency. (Conversely: --no-loop-hoisting)
--loop-hoisting-only
Activates: Enable loop-hoisting and disable all other checkers
(Conversely: --no-loop-hoisting-only)
--max-jobs int
Maximum number of analysis jobs running simultaneously
--memtrace-analysis-profiling
Activates: Generate OCaml analysis allocation traces in
`infer-out/memtrace`. (Conversely:
--no-memtrace-analysis-profiling)
--memtrace-sampling-rate float
Sampling rate for Memtrace allocation profiling. Default is 1e-6.
--print-active-checkers
Activates: Print the active checkers before starting the analysis
(Conversely: --no-print-active-checkers)
--print-logs
Activates: Also log messages to stdout and stderr (Conversely:
--no-print-logs)
--printf-args
Activates: checker printf-args: Detect mismatches between the Java
`printf` format strings and the argument types For example, this
checker will warn about the type error in `printf("Hello %d",
"world")` (Conversely: --no-printf-args)
--printf-args-only
Activates: Enable printf-args and disable all other checkers
(Conversely: --no-printf-args-only)
--progress-bar-style { auto | plain | multiline }
Style of the progress bar. auto selects multiline if connected to
a tty, otherwise plain.
--project-root,-C dir
Specify the root directory of the project
--pulse
Activates: checker pulse: Memory and lifetime analysis.
(Conversely: --no-pulse)
--pulse-cut-to-one-path-procedures-pattern string
Regex of methods for which pulse will only explore one path. Can
be used on pathologically large procedures to prevent too-big
states from being produced.
--pulse-model-abort +string
Methods that should be modelled as abort in Pulse
--pulse-model-alloc-pattern string
Regex of methods that should be modelled as allocs in Pulse
--pulse-model-free-pattern string
Regex of methods that should be modelled as wrappers to free(3) in
Pulse. The pointer to be freed should be the first argument of the
function. This should only be needed if the code of the wrapper is
not visible to infer or if Pulse somehow doesn't understand it
(e.g. the call is dispatched to global function pointers).
--pulse-model-malloc-pattern string
Regex of methods that should be modelled as wrappers to malloc(3)
in Pulse. The size to allocate should be the first argument of the
function. See --pulse-model-free-pattern for more information.
--pulse-model-realloc-pattern string
Regex of methods that should be modelled as wrappers to realloc(3)
in Pulse. The pointer to be reallocated should be the first
argument of the function and the new size the second argument. See
--pulse-model-free-pattern for more information.
--pulse-model-release-pattern string
Regex of methods that should be modelled as release in Pulse
--pulse-model-return-first-arg string
Regex of methods that should be modelled as returning the first
argument in Pulse
--pulse-model-return-nonnull string
Regex of methods that should be modelled as returning non-null in
Pulse
--pulse-model-skip-pattern string
Regex of methods that should be modelled as "skip" in Pulse
--pulse-model-transfer-ownership +string
Methods that should be modelled as transfering memory ownership in
Pulse. Accepted formats are method or namespace::method
--pulse-only
Activates: Enable pulse and disable all other checkers
(Conversely: --no-pulse-only)
--pulse-prune-unsupported-arithmetic
Activates: The arithmetic engine in Pulse sometimes does not
detect that the collection of conditions on the path makes it
infeasible, especially outside the well-supported linear
arithmetic fragment. To avoid false positives, Pulse tries to
detect when there is a possibility of imprecise arithmetic
treatment and if so pessimistically assumes the path is
infeasible. (Conversely: --no-pulse-prune-unsupported-arithmetic)
--pulse-report-ignore-unknown-java-methods-patterns +string
On Java, issues that are found on program paths that contain calls
to unknown methods (those without implementation) are not reported
unless all the unknown method names match this pattern. If the
empty list is provided with
--pulse-report-ignore-unknown-java-methods-patterns-reset, all
issues will be reported regardless the presence of unknown code
--purity
Activates: checker purity: Detects pure (side-effect-free)
functions. A different implementation of "impurity". (Conversely:
--no-purity)
--purity-only
Activates: Enable purity and disable all other checkers
(Conversely: --no-purity-only)
--quandary
Activates: checker quandary: The Quandary taint analysis detects
flows of values between sources and sinks, except if the value
went through a "sanitizer". In addition to some defaults, users
can specify their own sources, sinks, and sanitizers functions.
(Conversely: --no-quandary)
--quandary-only
Activates: Enable quandary and disable all other checkers
(Conversely: --no-quandary-only)
--quiet,-q
Activates: Do not print anything on standard output. (Conversely:
--no-quiet | -Q)
--no-racerd
Deactivates: checker racerd: Thread safety analysis. (Conversely:
--racerd)
--racerd-only
Activates: Enable racerd and disable all other checkers
(Conversely: --no-racerd-only)
--reactive,-r
Activates: Reactive mode: the analysis starts from the files
captured since the infer command started (Conversely:
--no-reactive | -R)
--no-report
Deactivates: Run the reporting phase once the analysis has
completed (Conversely: --report)
--report-force-relative-path
Activates: Force converting an absolute path to a relative path to
the root directory (Conversely: --no-report-force-relative-path)
--results-dir,-o dir
Write results and internal files in the specified directory
--scheduler { file | restart | callgraph }
Specify the scheduler used for the analysis phase: - file: schedule one job per file
- callgraph: schedule one job per procedure, following the
syntactic call graph. Usually faster than "file".
- restart: same as callgraph but uses locking to try and avoid
duplicate work between different analysis processes and thus
performs better in some circumstances
--no-self-in-block
Deactivates: checker self-in-block: An Objective-C-specific
analysis to detect when a block captures `self`. (Conversely:
--self-in-block)
--self-in-block-only
Activates: Enable self-in-block and disable all other checkers
(Conversely: --no-self-in-block-only)
--no-siof
Deactivates: checker siof: Catches Static Initialization Order
Fiascos in C++, that can lead to subtle,
compiler-version-dependent errors. (Conversely: --siof)
--siof-only
Activates: Enable siof and disable all other checkers (Conversely:
--no-siof-only)
--sqlite-cache-size int
SQLite cache size in pages (if positive) or kB (if negative),
follows formal of corresponding SQLite PRAGMA.
--sqlite-lock-timeout int
Timeout for SQLite results database operations, in milliseconds.
--sqlite-page-size int
SQLite page size in bytes, must be a power of two between 512 and
65536.
--no-starvation
Deactivates: checker starvation: Detect various kinds of
situations when no progress is being made because of concurrency
errors. (Conversely: --starvation)
--starvation-only
Activates: Enable starvation and disable all other checkers
(Conversely: --no-starvation-only)
--topl
Activates: checker topl: Detect errors based on user-provided
state machines describing temporal properties over multiple
objects. (Conversely: --no-topl)
--topl-only
Activates: Enable topl and disable all other checkers (Conversely:
--no-topl-only)
--uninit
Activates: checker uninit: Warns when values are used before
having been initialized. (Conversely: --no-uninit)
--uninit-only
Activates: Enable uninit and disable all other checkers
(Conversely: --no-uninit-only)
--write-html
Activates: Produce html debug output for the analyses in
infer-out/captured. This shows the abstract state of all analyses
at each program point in the source code. Each captured source
file has its own html page. This HTML file contains the source
file, and at each line of the file there are links to the nodes of the control flow graph
of Infer's translation of that line of code into its intermediate
representation (SIL). This way it's possible to see what the
translation is, and the details of the symbolic execution on each
node. (Conversely: --no-write-html)
--xcode-isysroot-suffix string
Specify the suffix of Xcode isysroot directory, to avoid absolute
paths in tests
BUCK OPTIONS
--merge
Activates: Merge the captured results directories specified in the
dependency file. (Conversely: --no-merge)
BUFFER OVERRUN OPTIONS
--bo-debug int
Debug level for buffer-overrun checker (0-4)
--bo-field-depth-limit int
Limit of field depth of abstract location in buffer-overrun
checker
CLANG OPTIONS
--annotation-reachability-cxx json
Specify annotation reachability analyses to be performed on
C/C++/ObjC code. Each entry is a JSON object whose key is the
issue name. "sources" and "sinks" can be specified either by
symbol (including regexps) or path prefix. "sinks" optionally can
specify "overrides" (by symbol or path prefix) that block the
reachability analysis when hit. Example: {
"ISOLATED_REACHING_CONNECT": {
"doc_url":
"http:://example.com/issue/doc/optional_link.html",
"sources": {
"desc": "Code that should not call connect [optional]",
"paths": [ "isolated/" ]
},
"sinks": {
"symbols": [ "connect" ],
"overrides": { "symbol_regexps": [ ".*::Trusted::.*" ] }
}
}
}
This will cause us to create a new ISOLATED_REACHING_CONNECT
issue for every function whose source path starts with "isolated/"
that may reach the function named "connect", ignoring paths that
go through a symbol matching the OCaml regexp ".*::Trusted::.*".
--annotation-reachability-cxx-sources json
Override sources in all cxx annotation reachability specs with the
given sources spec
--biabduction-unsafe-malloc
Activates: Assume that malloc(3) never returns null. (Conversely:
--no-biabduction-unsafe-malloc)
--clang-compound-literal-init-limit int
Limit after which initialization of compound types (structs and
arrays) is not done element by element but using a builtin
function that each analysis has to model.
--cxx-scope-guards json
Specify scope guard classes that can be read only by destructors
without being reported as dead stores.
--liveness-dangerous-classes json
Specify classes where the destructor should be ignored when
computing liveness. In other words, assignement to variables of
these types (or common wrappers around these types such as
unique_ptr<type>) will count as dead stores when the variables are
not read explicitly by the program.
JAVA OPTIONS
--annotation-reachability-custom-pairs json
Specify custom sources/sink for the annotation reachability
checker Example format: for custom annotations
com.my.annotation.{Source1,Source2,Sink1}
{ "sources" : ["Source1", "Source2"], "sink" : "Sink1" }
--external-java-packages +prefix
Specify a list of Java package prefixes for external Java
packages. If set, the analysis will not report non-actionable
warnings on those packages.
--java-version int
The version of Java being used. Set it to your Java version if mvn
is failing.
QUANDARY CHECKER OPTIONS
--quandary-endpoints json
Specify endpoint classes for Quandary
--quandary-sanitizers json
Specify custom sanitizers for Quandary
--quandary-sinks json
Specify custom sinks for Quandary
--quandary-sources json
Specify custom sources for Quandary
RACERD CHECKER OPTIONS
--racerd-guardedby
Activates: Check @GuardedBy annotations with RacerD (Conversely:
--no-racerd-guardedby)
--no-racerd-unknown-returns-owned
Deactivates: DEPRECATED, does nothing. (Conversely:
--racerd-unknown-returns-owned)
--threadsafe-aliases json
Specify custom annotations that should be considered aliases of
@ThreadSafe
SIOF CHECKER OPTIONS
--siof-check-iostreams
Activates: Do not assume that iostreams (cout, cerr, ...) are
always initialized. The default is to assume they are always
initialized to avoid false positives. However, if your program
compiles against a recent libstdc++ then it is safe to turn this
option on. (Conversely: --no-siof-check-iostreams)
--siof-safe-methods +string
Methods that are SIOF-safe; "foo::bar" will match "foo::bar()",
"foo<int>::bar()", etc. (can be specified multiple times)
ENVIRONMENT
INFER_ARGS, INFERCONFIG, INFER_STRICT_MODE
See the ENVIRONMENT section in the manual of infer(1).
FILES
.inferconfig
See the FILES section in the manual of infer(1).
SEE ALSO
infer-report(1), infer-run(1)