From patchwork Sat Nov 16 01:22:48 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Malcolm X-Patchwork-Id: 1195993 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=gcc.gnu.org (client-ip=209.132.180.131; helo=sourceware.org; envelope-from=gcc-patches-return-513717-incoming=patchwork.ozlabs.org@gcc.gnu.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=gcc.gnu.org header.i=@gcc.gnu.org header.b="E1aAgDun"; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.b="YXVfQE8H"; dkim-atps=neutral Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47FHPq6HDyz9s7T for ; Sat, 16 Nov 2019 12:17:17 +1100 (AEDT) DomainKey-Signature: a=rsa-sha1; c=nofws; d=gcc.gnu.org; h=list-id :list-unsubscribe:list-archive:list-post:list-help:sender:from :to:cc:subject:date:message-id:in-reply-to:references :content-type:content-transfer-encoding; q=dns; s=default; b=IXB VsaYVrjezygeYt3VXRh4iKFG1u9dMAqBUxedr7GTnsUIlJ54+tR9t+Oa7MhfrsZA F4odUfkH9HM2qlBKb6UCtWHwq7xTd74blO3PVcVdl2J0A5zH8bY075Kw5lg+FHsB Idee3ZS1vLxQQ6eWXH2FNX5rags8gpJ8GN/MsBrQ= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=gcc.gnu.org; h=list-id :list-unsubscribe:list-archive:list-post:list-help:sender:from :to:cc:subject:date:message-id:in-reply-to:references :content-type:content-transfer-encoding; s=default; bh=J1T4w2v1r q3eI2wytIuKQGXve5g=; b=E1aAgDunVJUpPxoEO1b8G18qU2q87HYLZ192KQyk8 TbjLSd3KteOpvZ8+vSKXULdvBmEJCiG2yH9NES/O3Fhc9Bl82mUDTamOxSw/ZMr1 zn+uQsThhh+B50cSxiSTBMqyHoF37qmMoQtpmUFIsKngBJ5QYJ2azdTC5b9PMVbA TA= Received: (qmail 54831 invoked by alias); 16 Nov 2019 01:17:08 -0000 Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Archive: List-Post: List-Help: Sender: gcc-patches-owner@gcc.gnu.org Delivered-To: mailing list gcc-patches@gcc.gnu.org Received: (qmail 54821 invoked by uid 89); 16 Nov 2019 01:17:08 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-19.4 required=5.0 tests=AWL, BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3 autolearn=ham version=3.3.1 spammy=Program, Enabling, 1853, sk:Waddres X-HELO: us-smtp-delivery-1.mimecast.com Received: from us-smtp-1.mimecast.com (HELO us-smtp-delivery-1.mimecast.com) (207.211.31.81) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Sat, 16 Nov 2019 01:17:05 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1573867023; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=G//31KK5wu7lUYQesVancSSYAqozgHg7z6YrnXl/Mco=; b=YXVfQE8HbMp+PAd/rub6OWZ36UJRgBxfK6kXlNEhm797187pTD39WVnLYAT4Yn1AlPGQym QbnOVxV4TNrFbIdjcRQrhXTSGojqQTbNqidRw3D4+QYAo7beymDnnIB+yphjWUz7LN8fDR 2amWa4Gk5+TQhOTEe0ck+wDGogtxpVA= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-155-pJmZR2F7Ne2My6A0L9RWvQ-1; Fri, 15 Nov 2019 20:17:02 -0500 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 29685107ACC5 for ; Sat, 16 Nov 2019 01:17:01 +0000 (UTC) Received: from c64.redhat.com (ovpn-112-32.phx2.redhat.com [10.3.112.32]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4FC3010246FB; Sat, 16 Nov 2019 01:17:00 +0000 (UTC) From: David Malcolm To: gcc-patches@gcc.gnu.org Cc: David Malcolm Subject: [PATCH 01/49] analyzer: user-facing documentation Date: Fri, 15 Nov 2019 20:22:48 -0500 Message-Id: <1573867416-55618-2-git-send-email-dmalcolm@redhat.com> In-Reply-To: <1573867416-55618-1-git-send-email-dmalcolm@redhat.com> References: <1573867416-55618-1-git-send-email-dmalcolm@redhat.com> X-Mimecast-Spam-Score: 0 X-IsSubscribed: yes gcc/ChangeLog: * doc/invoke.texi ("Static Analyzer Options"): New list and new section. ("Warning Options"): Add static analysis warnings to the list. (-Wno-analyzer-double-fclose): New option. (-Wno-analyzer-double-free): New option. (-Wno-analyzer-exposure-through-output-file): New option. (-Wno-analyzer-file-leak): New option. (-Wno-analyzer-free-of-non-heap): New option. (-Wno-analyzer-malloc-leak): New option. (-Wno-analyzer-possible-null-argument): New option. (-Wno-analyzer-possible-null-dereference): New option. (-Wno-analyzer-null-argument): New option. (-Wno-analyzer-null-dereference): New option. (-Wno-analyzer-stale-setjmp-buffer): New option. (-Wno-analyzer-tainted-array-index): New option. (-Wno-analyzer-use-after-free): New option. (-Wno-analyzer-use-of-pointer-in-stale-stack-frame): New option. (-Wno-analyzer-use-of-uninitialized-value): New option. (-Wanalyzer-too-complex): New option. (-fanalyzer-call-summaries): New warning. (-fanalyzer-checker=): New warning. (-fanalyzer-fine-grained): New warning. (-fno-analyzer-state-merge): New warning. (-fno-analyzer-state-purge): New warning. (-fanalyzer-transitivity): New warning. (-fanalyzer-verbose-edges): New warning. (-fanalyzer-verbose-state-changes): New warning. (-fanalyzer-verbosity=): New warning. (-fdump-analyzer): New warning. (-fdump-analyzer-callgraph): New warning. (-fdump-analyzer-exploded-graph): New warning. (-fdump-analyzer-exploded-nodes): New warning. (-fdump-analyzer-exploded-nodes-2): New warning. (-fdump-analyzer-exploded-nodes-3): New warning. (-fdump-analyzer-supergraph): New warning. --- gcc/doc/invoke.texi | 420 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 418 insertions(+), 2 deletions(-) diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index 085e8b0..384848a 100644 --- a/gcc/doc/invoke.texi +++ b/gcc/doc/invoke.texi @@ -153,6 +153,7 @@ listing and explanation of the binary and decimal byte size prefixes. * Diagnostic Message Formatting Options:: Controlling how diagnostics should be formatted. * Warning Options:: How picky should the compiler be? +* Static Analyzer Options:: More expensive warnings. * Debugging Options:: Producing debuggable code. * Optimize Options:: How much optimization? * Instrumentation Options:: Enabling profiling and extra run-time error checking. @@ -284,13 +285,30 @@ Objective-C and Objective-C++ Dialects}. @item Warning Options @xref{Warning Options,,Options to Request or Suppress Warnings}. -@gccoptlist{-fsyntax-only -fmax-errors=@var{n} -Wpedantic @gol +@gccoptlist{--analyzer -fsyntax-only -fmax-errors=@var{n} -Wpedantic @gol -pedantic-errors @gol -w -Wextra -Wall -Waddress -Waddress-of-packed-member @gol -Waggregate-return -Waligned-new @gol -Walloc-zero -Walloc-size-larger-than=@var{byte-size} @gol -Walloca -Walloca-larger-than=@var{byte-size} @gol --Wno-aggressive-loop-optimizations -Warray-bounds -Warray-bounds=@var{n} @gol +-Wno-aggressive-loop-optimizations @gol +-Wno-analyzer-double-fclose @gol +-Wno-analyzer-double-free @gol +-Wno-analyzer-exposure-through-output-file @gol +-Wno-analyzer-file-leak @gol +-Wno-analyzer-free-of-non-heap @gol +-Wno-analyzer-malloc-leak @gol +-Wno-analyzer-possible-null-argument @gol +-Wno-analyzer-possible-null-dereference @gol +-Wno-analyzer-null-argument @gol +-Wno-analyzer-null-dereference @gol +-Wno-analyzer-stale-setjmp-buffer @gol +-Wno-analyzer-tainted-array-index @gol +-Wno-analyzer-use-after-free @gol +-Wno-analyzer-use-of-pointer-in-stale-stack-frame @gol +-Wno-analyzer-use-of-uninitialized-value @gol +-Wanalyzer-too-complex @gol +-Warray-bounds -Warray-bounds=@var{n} @gol -Wno-attributes -Wattribute-alias=@var{n} @gol -Wbool-compare -Wbool-operation @gol -Wno-builtin-declaration-mismatch @gol @@ -370,6 +388,43 @@ Objective-C and Objective-C++ Dialects}. -Wwrite-strings @gol -Wzero-as-null-pointer-constant} +@item Static Analyzer Options +@gccoptlist{-Wanalyzer-double-fclose @gol +-Wanalyzer-double-free @gol +-Wanalyzer-exposure-through-output-file @gol +-Wanalyzer-file-leak @gol +-Wanalyzer-free-of-non-heap @gol +-Wanalyzer-malloc-leak @gol +-Wanalyzer-null-argument @gol +-Wanalyzer-null-dereference @gol +-Wanalyzer-possible-null-argument @gol +-Wanalyzer-possible-null-dereference @gol +-Wanalyzer-stale-setjmp-buffer @gol +-Wanalyzer-tainted-array-index @gol +-Wanalyzer-use-after-free @gol +-Wanalyzer-use-of-pointer-in-stale-stack-frame @gol +-Wanalyzer-use-of-uninitialized-value @gol +-Wanalyzer-too-complex @gol +-fanalyzer-call-summaries @gol +-fanalyzer-checker=@var{name} @gol +-fanalyzer-fine-grained @gol +-fanalyzer-state-merge @gol +-fanalyzer-state-purge @gol +-fanalyzer-transitivity @gol +-fanalyzer-verbose-edges @gol +-fanalyzer-verbose-state-changes @gol +-fanalyzer-verbosity=@var{level} @gol +-fdump-analyzer @gol +-fdump-analyzer-stderr @gol +-fdump-analyzer-callgraph @gol +-fdump-analyzer-exploded-graph @gol +-fdump-analyzer-exploded-nodes @gol +-fdump-analyzer-exploded-nodes-2 @gol +-fdump-analyzer-exploded-nodes-3 @gol +-fdump-analyzer-state-purge @gol +-fdump-analyzer-supergraph @gol +} + @item C and Objective-C-only Warning Options @gccoptlist{-Wbad-function-cast -Wmissing-declarations @gol -Wmissing-parameter-type -Wmissing-prototypes -Wnested-externs @gol @@ -6184,6 +6239,159 @@ See also @option{-Wvla-larger-than=}@samp{byte-size}. Disable @option{-Walloca-larger-than=} warnings. The option is equivalent to @option{-Walloca-larger-than=}@samp{SIZE_MAX} or larger. +@item -Wno-analyzer-double-fclose +@opindex Wanalyzer-double-fclose +@opindex Wno-analyzer-double-fclose +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-double-fclose} to disable it. + +This diagnostic warns for paths through the code in which a @code{FILE *} +can have @code{fclose} called on it more than once. + +@item -Wno-analyzer-double-free +@opindex Wanalyzer-double-free +@opindex Wno-analyzer-double-free +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-double-free} to disable it. + +This diagnostic warns for paths through the code in which a pointer +can have @code{free} called on it more than once. + +@item -Wno-analyzer-exposure-through-output-file +@opindex Wanalyzer-exposure-through-output-file +@opindex Wno-analyzer-exposure-through-output-file +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-exposure-through-output-file} +to disable it. + +This diagnostic warns for paths through the code in which a +security-sensitive value is written to an output file +(such as writing a password to a log file). + +@item -Wno-analyzer-file-leak +@opindex Wanalyzer-file-leak +@opindex Wno-analyzer-file-leak +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-file-leak} +to disable it. + +This diagnostic warns for paths through the code in which a +@code{} @code{FILE *} stream object is leaked. + +@item -Wno-analyzer-free-of-non-heap +@opindex Wanalyzer-free-of-non-heap +@opindex Wno-analyzer-free-of-non-heap +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-free-of-non-heap} +to disable it. + +This diagnostic warns for paths through the code in which @code{free} +is called on a non-heap pointer (e.g. an on-stack buffer, or a global). + +@item -Wno-analyzer-malloc-leak +@opindex Wanalyzer-malloc-leak +@opindex Wno-analyzer-malloc-leak +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-malloc-leak} +to disable it. + +This diagnostic warns for paths through the code in which a +pointer allocated via @code{malloc} is leaked. + +@item -Wno-analyzer-possible-null-argument +@opindex Wanalyzer-possible-null-argument +@opindex Wno-analyzer-possible-null-argument +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-possible-null-argument} to disable it. + +This diagnostic warns for paths through the code in which a +possibly-NULL value is passed to a function argument marked +with @code{__attribute__((nonnull))} as requiring a non-NULL +value. + +@item -Wno-analyzer-possible-null-dereference +@opindex Wanalyzer-possible-null-dereference +@opindex Wno-analyzer-possible-null-dereference +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-possible-null-dereference} to disable it. + +This diagnostic warns for paths through the code in which a +possibly-NULL value is dereferenced. + +@item -Wno-analyzer-null-argument +@opindex Wanalyzer-null-argument +@opindex Wno-analyzer-null-argument +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-null-argument} to disable it. + +This diagnostic warns for paths through the code in which a +value known to be NULL is passed to a function argument marked +with @code{__attribute__((nonnull))} as requiring a non-NULL +value. + +@item -Wno-analyzer-null-dereference +@opindex Wanalyzer-null-dereference +@opindex Wno-analyzer-null-dereference +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-null-dereference} to disable it. + +This diagnostic warns for paths through the code in which a +value known to be NULL is dereferenced. + +@item -Wno-analyzer-stale-setjmp-buffer +@opindex Wanalyzer-stale-setjmp-buffer +@opindex Wno-analyzer-stale-setjmp-buffer +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-stale-setjmp-buffer} to disable it. + +This diagnostic warns for paths through the code in which +@code{longjmp} is called to rewind to a @code{jmp_buf} relating +to a @code{setjmp} call in a function that has returned. + +When @code{setjmp} is called on a @code{jmp_buf} to record a rewind +location, it records the stack frame. The stack frame becomes invalid +when the function containing the @code{setjmp} call returns. Attempting +to rewind to it via @code{longjmp} would reference a stack frame that +no longer exists, and likely lead to a crash (or worse). + +@item -Wno-analyzer-tainted-array-index +@opindex Wanalyzer-tainted-array-index +@opindex Wno-analyzer-tainted-array-index +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-tainted-array-index} to disable it. + +This diagnostic warns for paths through the code in which a value +that could be under an attacker's control is used as the index +of an array access without being sanitized. + +@item -Wno-analyzer-use-after-free +@opindex Wanalyzer-use-after-free +@opindex Wno-analyzer-use-after-free +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-use-after-free} to disable it. + +This diagnostic warns for paths through the code in which a +pointer is used after @code{free} is called on it. + +@item -Wno-analyzer-use-of-pointer-in-stale-stack-frame +@opindex Wanalyzer-use-of-pointer-in-stale-stack-frame +@opindex Wno-analyzer-use-of-pointer-in-stale-stack-frame +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-use-of-pointer-in-stale-stack-frame} +to disable it. + +This diagnostic warns for paths through the code in which a pointer +is dereferenced that points to a variable in a stale stack frame. + +@item -Wno-analyzer-use-of-uninitialized-value +@opindex Wanalyzer-use-of-uninitialized-value +@opindex Wno-analyzer-use-of-uninitialized-value +This warning requires @option{--analyzer}, which enables it; use +@option{-Wno-analyzer-use-of-uninitialized-value} to disable it. + +This diagnostic warns for paths through the code in which an uninitialized +value is used. + @item -Warray-bounds @itemx -Warray-bounds=@var{n} @opindex Wno-array-bounds @@ -7808,6 +8016,214 @@ OpenMP construct. @end table +@node Static Analyzer Options +@section Options That Control Static Analysis + +@table @gcctabopt +@item --analyzer +@opindex analyzer +This option enables an static analysis of program flow which looks +for ``interesting'' interprocedural paths through the +code, and issues warnings for problems found on them. + +This analysis is much more expensive than other GCC warnings. + +Enabling this option effectively enables the following warnings: + +@gccoptlist{ @gol +-Wanalyzer-double-fclose @gol +-Wanalyzer-double-free @gol +-Wanalyzer-exposure-through-output-file @gol +-Wanalyzer-file-leak @gol +-Wanalyzer-free-of-non-heap @gol +-Wanalyzer-malloc-leak @gol +-Wanalyzer-possible-null-argument @gol +-Wanalyzer-possible-null-dereference @gol +-Wanalyzer-null-argument @gol +-Wanalyzer-null-dereference @gol +-Wanalyzer-tainted-array-index @gol +-Wanalyzer-use-after-free @gol +-Wanalyzer-use-of-uninitialized-value @gol +-Wanalyzer-use-of-pointer-in-stale-stack-frame @gol +} + +This option is only available if GCC was configured with analyzer +support enabled. + +@item -Wanalyzer-too-complex +@opindex Wanalyzer-too-complex +@opindex Wno-analyzer-too-complex +If @option{--analyzer} is enabled, the analyzer uses various heuristics +to attempt to explore the control flow and data flow in the program, +but these can be defeated by sufficiently complicated code. + +By default, the analysis will silently stop if the code is too +complicated for the analyzer to fully explore and it reaches an internal +limit. + +The @option{-Wanalyzer-too-complex} option will warn if this occurs. + +@end table + +Pertinent parameters for controlling the exploration are: +@option{--param analyzer-bb-explosion-factor=@var{value}}, +@option{--param analyzer-max-enodes-per-program-point=@var{value}}, +@option{--param analyzer-max-recursion-depth=@var{value}}, and +@option{--param analyzer-min-snodes-for-call-summary=@var{value}}. + +The following options control the analyzer. + +@table @gcctabopt + +@item -fanalyzer-call-summaries +@opindex fanalyzer-call-summaries +@opindex fno-analyzer-call-summaries +Simplify interprocedural analysis by computing the effect of certain calls, +rather than exploring all paths through the function from callsite to each +possible return. + +If enabled, call summaries are only used for functions with more than one +call site, and that are sufficiently complicated (as per +@option{--param analyzer-min-snodes-for-call-summary=@var{value}}). + +@item -fanalyzer-checker=@var{name} +@opindex fanalyzer-checker +Restrict the analyzer to run just the named checker. + +@item -fanalyzer-fine-grained +@opindex fanalyzer-fine-grained +@opindex fno-analyzer-fine-grained +This option is intended for analyzer developers. + +Internally the analyzer builds an ``exploded graph'' that combines +control flow graphs with data flow information. + +By default, an edge in this graph can contain the effects of a run +of multiple statements within a basic block. With +@option{-fanalyzer-fine-grained}, each statement gets its own edge. + +@item -fno-analyzer-state-merge +@opindex fanalyzer-state-merge +@opindex fno-analyzer-state-merge +This option is intended for analyzer developers. + +By default the analyzer will attempt to simplify analysis by merging +sufficiently similar states at each program point as it builds its +``exploded graph''. With @option{-fno-analyzer-state-merge} this +merging can be suppressed, for debugging state-handling issues. + +@item -fno-analyzer-state-purge +@opindex fanalyzer-state-purge +@opindex fno-analyzer-state-purge +This option is intended for analyzer developers. + +By default the analyzer will attempt to simplify analysis by purging +aspects of state at a program point that appear to no longer be relevant +e.g. the values of locals that aren't accessed later in the function +and which aren't relevant to leak analysis. + +With @option{-fno-analyzer-state-purge} this purging of state can +be suppressed, for debugging state-handling issues. + +@item -fanalyzer-transitivity +@opindex fanalyzer-transitivity +@opindex fno-analyzer-transitivity +This option enables transitivity of constraints within the analyzer. + +@item -fanalyzer-verbose-edges +This option is intended for analyzer developers. It enables more +verbose, lower-level detail in the descriptions of control flow +within diagnostic paths. + +@item -fanalyzer-verbose-state-changes +This option is intended for analyzer developers. It enables more +verbose, lower-level detail in the descriptions of events relating +to state machines within diagnostic paths. + +@item -fanalyzer-verbosity=@var{level} +This option controls the complexity of the control flow paths that are +emitted for analyzer diagnostics. + +The @var{level} can be one of: + +@table @samp +@item 0 +At this level, interprocedural call and return events are displayed, +along with the most pertinent state-change events relating to +a diagnostic. For example, for a double-@code{free} diagnostic, +both calls to @code{free} will be shown. + +@item 1 +As per the previous level, but also show events for the entry +to each function. + +@item 2 +As per the previous level, but also show events relating to +control flow (e.g. ``true path taken'' at a conditional). + +This level is the default. + +@item 3 +This level is intended for analyzer developers; it adds various +other events intended for debugging the analyzer. + +@end table + +@item -fdump-analyzer +@opindex fdump-analyzer +Dump internal details about what the analyzer is doing to +@file{@var{file}.analyzer.txt}. +This option is overridden by @option{-fdump-analyzer-stderr}. + +@item -fdump-analyzer-stderr +@opindex fdump-analyzer-stderr +Dump internal details about what the analyzer is doing to stderr. +This option overrides @option{-fdump-analyzer}. + +@item -fdump-analyzer-callgraph +@opindex fdump-analyzer-callgraph +Dump a representation of the call graph suitable for viewing with +GraphViz to @file{@var{file}.callgraph.dot}. + +@item -fdump-analyzer-exploded-graph +@opindex fdump-analyzer-exploded-graph +Dump a representation of the ``exploded graph'' suitable for viewing with +GraphViz to @file{@var{file}.eg.dot}. +Nodes are color-coded based on state-machine states to emphasize +state changes. + +@item -fdump-analyzer-exploded-nodes +@opindex dump-analyzer-exploded-nodes +Emit diagnostics showing where nodes in the ``exploded graph'' are +in relation to the program source. + +@item -fdump-analyzer-exploded-nodes-2 +@opindex dump-analyzer-exploded-nodes-2 +Dump a textual representation of the ``exploded graph'' to +@file{@var{file}.eg.txt}. + +@item -fdump-analyzer-exploded-nodes-3 +@opindex dump-analyzer-exploded-nodes-3 +Dump a textual representation of the ``exploded graph'' to +one dump file per node, to @file{@var{file}.eg-@var{id}.txt}. +This is typically a large number of dump files. + +@item -fdump-analyzer-state-purge +@opindex fdump-analyzer-state-purge +As per @option{-fdump-analyzer-supergraph}, dump a representation of the +``supergraph'' suitable for viewing with GraphViz, but annotate the +graph with information on what state will be purged at each node. +The graph is written to @file{@var{file}.state-purge.dot}. + +@item -fdump-analyzer-supergraph +@opindex fdump-analyzer-supergraph +Dump a representation of the ``supergraph'' suitable for viewing with +GraphViz to @file{@var{file}.supergraph.dot}. This shows all of the +control flow graphs in the program, with interprocedural edges for +calls and returns. + +@end table + @node Debugging Options @section Options for Debugging Your Program @cindex options, debugging