Home
Hugo edited this page Feb 26, 2026 · 2 revisions
Static stack usage and safety analysis for C/C++ code -- detects stack overflows, stack-buffer issues, VLA/alloca risks, resource-lifetime bugs, uninitialized reads, and quality issues.
CoreTrace Stack Analyzer is a static analysis tool working on LLVM IR and C/C++ source files. It integrates with CI/CD pipelines via GitHub Actions, Docker, JSON, and SARIF reports compatible with GitHub Code Scanning.
For users who want to analyze their C/C++ code with the tool.
| Page | Description |
|---|---|
| Getting Started | Installation, first scan, understanding results |
| CLI Reference | Complete command-line options reference |
| Analysis Categories | All diagnostic checks explained with examples |
| Analysis Profiles | `fast` vs `full` precision/performance tradeoff |
| Output Formats | Human-readable, JSON, and SARIF output |
| External Models | Resource lifetime and stack escape model files |
| Filtering and Configuration | File, directory, and function filters |
| Diagnostic Rule Catalog | Rule IDs emitted in JSON/SARIF and severity mapping |
| CI/CD Integration | GitHub Actions, Docker, compile_commands.json |
| Troubleshooting | Common issues and solutions |
For contributors who want to understand, modify, or extend the analyzer source code.
| Page | Description |
|---|---|
| Architecture Overview | High-level design, module map, data flow |
| Analyzer Modules Architecture | Detailed split of analyzer orchestration modules |
| Analysis Pipeline | How analysis passes are orchestrated |
| Adding a New Check | Step-by-step guide to implement a new diagnostic |
| Test Infrastructure | Regression tests, unit tests, fixtures |
| Build System | CMake configuration, dependencies, targets |
| Code Style and Conventions | Formatting, naming, patterns |
| Public API and Library Mode | Using the analyzer as a C++ library |

```bash
# Build
./build.sh --type Release

# Analyze a single file
./build/stack_usage_analyzer main.cpp -I./include

# Analyze a project with compile_commands.json
./build/stack_usage_analyzer --compile-commands=build/compile_commands.json

# Get JSON output for CI
./build/stack_usage_analyzer main.cpp --format=json
```

- 16 diagnostic families with sub-rules for resources/const-correctness/uninitialized usage
- Cross-TU analysis: track resource lifetimes and uninitialized variables across translation units
- External model files: define API ownership semantics without modifying analyzer code
- Multiple output formats: human-readable, JSON, SARIF 2.1.0 (GitHub Code Scanning)
- CI/CD ready: GitHub Actions module, Docker images, policy gates
- Library mode: embed the analyzer in your own tools via the C++ API
- Parallel analysis: `--jobs=N` for multi-file scanning