# Output Formats

The analyzer supports three output formats, controlled with `--format=<format>`.

## Human-readable (default)

```sh
./build/stack_usage_analyzer main.c
```

Shows per-function stack metrics followed by inline diagnostics:
```text
Mode: ABI
Function: main
  local stack: 32 bytes
  max stack (including callees): 32 bytes
  at line 4, column 14
  [ !!Warn ] potential stack buffer overflow on variable 'buf' (size 10)
  ... constant index 15 is out of bounds (0..9)
  ... (this is a write access)
Diagnostics summary: info=0, warning=1, error=0
```
For multi-file analysis, each file is separated with a header:
```text
File: src/main.cpp
Mode: IR
...
File: src/utils.cpp
Mode: IR
...
Total diagnostics summary: info=2, warning=5, error=1 (across 2 files)
```
- `--quiet` suppresses per-function diagnostics entirely, showing only stack sizes
- `--warnings-only` hides info-level diagnostics; in human output, only functions with remaining warnings/errors are listed
## JSON (`--format=json`)

```sh
./build/stack_usage_analyzer main.c --format=json
```

Structured JSON for CI pipelines and machine consumption. Contains:

- `functions`: array of per-function results (name, stack sizes, flags)
- `diagnostics`: array of diagnostic objects with full location and rule metadata
- `meta`: tool/input/mode metadata
Key diagnostic fields in JSON:
```json
{
  "diagnostics": [
    {
      "id": "diag-1",
      "ruleId": "StackBufferOverflow",
      "severity": "WARNING",
      "confidence": null,
      "cwe": null,
      "location": {
        "file": "main.c",
        "function": "main",
        "startLine": 4,
        "startColumn": 14,
        "endLine": 4,
        "endColumn": 14
      },
      "details": {
        "message": "potential stack buffer overflow on variable 'buf'...",
        "variableAliasing": []
      }
    }
  ]
}
```

Severity values are emitted as strings: `INFO`, `WARNING`, `ERROR`.
## SARIF (`--format=sarif`)

```sh
./build/stack_usage_analyzer main.c --format=sarif --base-dir=/workspace
```

SARIF (Static Analysis Results Interchange Format) version 2.1.0, compatible with GitHub Code Scanning.

Key features:

- `--base-dir=<path>` strips a path prefix from SARIF artifact URIs
- Tool metadata: `coretrace-stack-analyzer` version `0.1.0`
- Results include rule IDs, CWE identifiers, severity levels, and source regions
Upload to GitHub Code Scanning:

```yaml
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: artifacts/stack-usage.sarif
    category: coretrace-stack-analyzer
```

## Multi-file analysis

When analyzing multiple files, all formats merge results into a single output:
- Human: files are printed sequentially with headers
- JSON: all functions and diagnostics are merged into one JSON object
- SARIF: all results are merged into a single SARIF run
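The following is an added example (not the analyzer's own SARIF writer) that shows what the SARIF section and the multi-file merge above amount to in practice: diagnostics in the JSON layout shown on this page are mapped to SARIF 2.1.0 results, the `--base-dir` prefix is stripped from artifact URIs, and every result from every file lands in a single run carrying the `coretrace-stack-analyzer` / `0.1.0` tool metadata. The sample diagnostics, the `ERROR` entry and its `CWE-121` value, the `%SRCROOT%` base id and the `external/cwe/cwe-NNN` rule tag (CodeQL's convention for CWE mapping in Code Scanning) are assumptions of this example, not values the page states the tool emits.

```python
"""Build a SARIF 2.1.0 log from the analyzer's JSON diagnostics.

Added example, not the analyzer's own SARIF writer. It assumes the JSON
field names shown on this page (ruleId, severity, cwe, location.file,
startLine, ...) and models the SARIF behaviour described there: one run per
log, a --base-dir prefix stripped from artifact URIs, tool metadata, and
results carrying rule IDs, CWE identifiers, severity levels and regions.
"""
import json

TOOL_NAME = "coretrace-stack-analyzer"   # tool metadata from the SARIF section
TOOL_VERSION = "0.1.0"
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Analyzer severity strings (INFO/WARNING/ERROR) -> SARIF result levels.
LEVELS = {"INFO": "note", "WARNING": "warning", "ERROR": "error"}

# Constructed sample: diagnostics from two files, as a multi-file run would
# report them. Field layout follows the JSON example on this page; the second
# entry's ERROR severity and CWE-121 value are illustrative, not real output.
SAMPLE_DIAGNOSTICS = [
    {"id": "diag-1", "ruleId": "StackBufferOverflow", "severity": "WARNING",
     "confidence": None, "cwe": None,
     "location": {"file": "/workspace/src/main.cpp", "function": "main",
                  "startLine": 4, "startColumn": 14, "endLine": 4, "endColumn": 14},
     "details": {"message": "potential stack buffer overflow on variable 'buf'",
                 "variableAliasing": []}},
    {"id": "diag-2", "ruleId": "StackBufferOverflow", "severity": "ERROR",
     "confidence": None, "cwe": "CWE-121",
     "location": {"file": "/workspace/src/utils.cpp", "function": "copy_name",
                  "startLine": 12, "startColumn": 5, "endLine": 12, "endColumn": 5},
     "details": {"message": "potential stack buffer overflow on variable 'name'",
                 "variableAliasing": []}},
]


def strip_base_dir(path, base_dir):
    """Return path relative to base_dir when it lies under it (--base-dir)."""
    if not base_dir:
        return path
    prefix = base_dir.rstrip("/") + "/"
    return path[len(prefix):] if path.startswith(prefix) else path


def to_result(diag, base_dir):
    """Map one analyzer diagnostic to a SARIF result with a source region."""
    loc = diag["location"]
    properties = {"function": loc["function"]}
    if diag.get("cwe"):
        properties["cwe"] = diag["cwe"]
    return {
        "ruleId": diag["ruleId"],
        "level": LEVELS[diag["severity"]],
        "message": {"text": diag["details"]["message"]},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": strip_base_dir(loc["file"], base_dir),
                                 "uriBaseId": "%SRCROOT%"},
            "region": {k: loc[k] for k in
                       ("startLine", "startColumn", "endLine", "endColumn")},
        }}],
        "properties": properties,
    }


def build_sarif(diagnostics, base_dir=None):
    """Merge every diagnostic into one SARIF run, as multi-file analysis does."""
    rules = {}
    for diag in diagnostics:
        rule = rules.setdefault(diag["ruleId"],
                                {"id": diag["ruleId"], "properties": {"tags": []}})
        if diag.get("cwe"):
            # CodeQL's tag convention for CWE mapping: external/cwe/cwe-NNN
            tag = "external/cwe/" + diag["cwe"].lower()
            if tag not in rule["properties"]["tags"]:
                rule["properties"]["tags"].append(tag)
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": TOOL_NAME, "version": TOOL_VERSION,
                                "rules": list(rules.values())}},
            "results": [to_result(d, base_dir) for d in diagnostics],
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_sarif(SAMPLE_DIAGNOSTICS, "/workspace"), indent=2))
```

Note that a path outside `--base-dir` is left untouched rather than rewritten, so a diagnostic in a vendored or generated file still carries a usable URI; Code Scanning will simply be unable to annotate it inline.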
For CI pipelines, the `scripts/ci/run_code_analysis.py` wrapper can produce both JSON and SARIF in one invocation:

```sh
python3 scripts/ci/run_code_analysis.py \
  --analyzer ./build/stack_usage_analyzer \
  --compdb ./build/compile_commands.json \
  --fail-on error \
  --json-out artifacts/stack-usage.json \
  --sarif-out artifacts/stack-usage.sarif
```

This runs the analyzer twice (once for JSON, once for SARIF) and applies a CI gate policy. See CI/CD Integration for more.
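As an added example of what a gate over the JSON output looks like (this is not `scripts/ci/run_code_analysis.py` and makes no claim about how that wrapper is written), the script below reads a `--format=json` report, prints the same per-severity summary the human output ends with, and exits non-zero when any diagnostic is at or above a `--fail-on` level. The embedded report is constructed from the diagnostic layout shown in the JSON section; the `functions` key names (`name`, `localStack`, `maxStack`) are assumed, since the page only lists them as name, stack sizes and flags.

```python
"""Apply a --fail-on gate to the analyzer's JSON output.

Added example, not scripts/ci/run_code_analysis.py itself. It assumes the
JSON layout on this page (a top-level "diagnostics" array whose entries carry
a "severity" of INFO, WARNING or ERROR plus "location" and "details") and
models the gate policy the wrapper applies: exit non-zero when any diagnostic
is at or above the chosen level. With no arguments it runs on the embedded
sample; otherwise: python3 gate.py stack-usage.json [info|warning|error].
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample mirroring `--format=json` output merged across two files.
# The "functions" key names (name/localStack/maxStack) are assumed; the page
# only lists them as name, stack sizes and flags.
SAMPLE_JSON = json.dumps({
    "meta": {"tool": "coretrace-stack-analyzer", "version": "0.1.0", "mode": "IR"},
    "functions": [{"name": "main", "localStack": 32, "maxStack": 32}],
    "diagnostics": [
        {"id": "diag-1", "ruleId": "StackBufferOverflow", "severity": "INFO",
         "confidence": None, "cwe": None,
         "location": {"file": "src/main.cpp", "function": "main",
                      "startLine": 4, "startColumn": 14, "endLine": 4, "endColumn": 14},
         "details": {"message": "potential stack buffer overflow on variable 'tmp'",
                     "variableAliasing": []}},
        {"id": "diag-2", "ruleId": "StackBufferOverflow", "severity": "WARNING",
         "confidence": None, "cwe": None,
         "location": {"file": "src/main.cpp", "function": "main",
                      "startLine": 9, "startColumn": 3, "endLine": 9, "endColumn": 3},
         "details": {"message": "potential stack buffer overflow on variable 'buf'",
                     "variableAliasing": []}},
        {"id": "diag-3", "ruleId": "StackBufferOverflow", "severity": "ERROR",
         "confidence": None, "cwe": None,
         "location": {"file": "src/utils.cpp", "function": "copy_name",
                      "startLine": 12, "startColumn": 5, "endLine": 12, "endColumn": 5},
         "details": {"message": "potential stack buffer overflow on variable 'name'",
                     "variableAliasing": []}},
    ],
})


def summarize(diagnostics):
    """Per-severity counts, matching the 'Diagnostics summary' line of human output."""
    counts = Counter(d["severity"] for d in diagnostics)
    return {"info": counts["INFO"], "warning": counts["WARNING"], "error": counts["ERROR"]}


def at_or_above(diagnostics, level):
    """Keep diagnostics whose severity is >= level ('warning' mirrors --warnings-only)."""
    floor = SEVERITY_RANK[level.upper()]
    return [d for d in diagnostics if SEVERITY_RANK[d["severity"]] >= floor]


def gate(report, fail_on="error"):
    """Return (exit_code, offending diagnostics) for a --fail-on policy."""
    offending = at_or_above(report["diagnostics"], fail_on)
    return (1 if offending else 0), offending


def format_diag(d):
    """One-line path:line:col rendering, convenient for CI logs."""
    loc = d["location"]
    return (f"{loc['file']}:{loc['startLine']}:{loc['startColumn']}: "
            f"[{d['severity']}] {d['ruleId']}: {d['details']['message']}")


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = json.loads(SAMPLE_JSON)   # constructed sample, see above
    fail_on = argv[2] if len(argv) > 2 else "error"
    s = summarize(report["diagnostics"])
    print(f"Diagnostics summary: info={s['info']}, warning={s['warning']}, error={s['error']}")
    code, offending = gate(report, fail_on)
    for d in offending:
        print(format_diag(d), file=sys.stderr)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Gating on the JSON rather than on the human text keeps the policy independent of message wording, and the severity strings (`INFO`, `WARNING`, `ERROR`) are the only values the gate depends on, so a `--fail-on warning` policy is a one-word change.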