GCC Static Analyzer

caution

Static analyzers are not magic: they will not catch all errors and can report false positives.

info

GCC 10 is required; it is not shipped by default on macOS.

This project is still considered experimental [1], and C++ is not yet supported [2].

Since its version 10, GCC has a static analyzer that can be enabled with the -fanalyzer flag.

It can find issues such as:

  • Double free
  • Use after free
  • Resource leaks
  • Uninitialized value

More features can be toggled on or off, either to limit the increase in compilation time or to hide false positives. One such feature is a taint mode that tracks untrusted variables. For a list of all options, refer to the GCC manual.

On average, your compilation time will increase by 2x.

Example
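The following is an added example, not code from the original page. It is a constructed key=value helper (the function names are hypothetical) whose flawed version has a double free and a leak on its error paths, the kind of defect -fanalyzer is built to report (-Wanalyzer-double-free, -Wanalyzer-malloc-leak), shown next to a corrected version.

```c
/* Build (GCC 10 or later): gcc -fanalyzer -c kv.c */
#include <stdlib.h>
#include <string.h>

/* Flawed: 'copy' is freed twice when the line has no '=',
 * and leaked when the second allocation fails. */
char *value_flawed(const char *line)
{
    size_t n = strlen(line) + 1;
    char *copy = malloc(n);
    char *val = NULL;
    if (!copy)
        return NULL;
    memcpy(copy, line, n);
    char *eq = strchr(copy, '=');
    if (!eq) {
        free(copy);                 /* first free */
    } else {
        val = malloc(strlen(eq + 1) + 1);
        if (!val)
            return NULL;            /* leak: copy is never released */
        strcpy(val, eq + 1);
    }
    free(copy);                     /* second free when '=' is missing */
    return val;
}

/* Corrected: every path reaches the single free(copy) exactly once. */
char *value_fixed(const char *line)
{
    size_t n = strlen(line) + 1;
    char *copy = malloc(n);
    char *val = NULL;
    if (!copy)
        return NULL;
    memcpy(copy, line, n);
    char *eq = strchr(copy, '=');
    if (eq) {
        val = malloc(strlen(eq + 1) + 1);
        if (val)
            strcpy(val, eq + 1);
    }
    free(copy);
    return val;                     /* NULL if no '=' or out of memory */
}
```

The caller owns the returned string and must free it. value_flawed is there only to be compiled under the analyzer, not to be called.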

Resources