rizsotto / scan-build

Clang's scan-build re-implementation in python

scan-build doesn't produce report on macOS

0ax1 opened this issue · comments

scan-build currently seems to produce no reports on macOS even with system integrity protection disabled. This is unlike using intercept-build + analyze-build in combination.

For the following example, a Memory error | Use-after-free should be reported.

```cpp
#include <iostream>

int main() {
    auto a = new int;
    delete a;
    std::cout << *a << std::endl;
    return 0;
}
```

Thanks for the report. Will create a test case for it, because the existing one does not check properly.

commented

Same problem here. It produces: "[]"

@cento do you experience an empty compilation database from intercept-build on macOS? (Just asking because that can be a different problem from this.)

commented

@rizsotto yes, exactly. According to the "SIP" problem, I also tried to run only scan-build using intercept-build --intercept-first --override-compiler

Okay, that could have been something else. I need some more context in order to help... One notable challenge if you have SIP enabled is that it will intercept the compiler calls via a compiler wrapper. It works only if the build system allows you to override the CC and CXX variables... If you run intercept-build -vvvv ... to have more verbose output, you can verify whether the wrappers were actually called or not... But that's just the beginning, the generated execution trace files are collected and filtered... With the verbose flags you can also inspect that. (Or you can attach it to the bug report here.)

commented

Thank you, running in verbose mode, the only useful information message is the one concerning "scan-build: DEBUG: run_build: run build ... in environment { .... } ". Which variable should we check?

Edit:
'INTERCEPT_BUILD': '{"cc": ["cc"], "cxx": ["c++"], "verbose": 4}', 'HISTFILESIZE': '100000', 'TERM_SESSION_ID': '3FD3B5F1-3C9C-4CF0-A035-D8627718D718', 'SSH_AUTH_SOCK': '/private/tmp/com.apple.launchd.XhKfFrh4GF/Listeners', 'CC': 'intercept-cc', 'XPC_SERVICE_NAME': '0', 'SHELL': '/usr/local/bin/bash', 'TMPDIR': '/var/folders/m7/fw_0h2_x3jg7kdcyt4r2ps8hhxvj82/T/', 'CXX': 'intercept-c++', 'OLDPWD': '(MYHOME)', 'HISTCONTROL': 'ignorespaceignoredupserasedups', 'PWD': '(WORKING_DIRECTORY)', 'DISABLE_UPDATE_CHECK': '1', 'HH_CONFIG': 'hicolor'}

(Home and Working directory changed)

From this I can't see anything. I need to know a couple of other things too... Like what build system are we trying to intercept? (The full command you gave would be helpful.) Do you make a "clean" build? (A project that is already built, so that the build process does not actually compile anything, is a frequently reported mistake.) Then I need the whole output. (You can replace the paths at this stage.)

From this output I saw that intercept-build set the CC and CXX environment variables before calling the build command. But that's nothing I did not know before. The interesting part comes later, when the build command runs. Need to figure out whether it ran intercept-cc or the real compiler.

commented

I run a simple make. After the previous log entry, I only see the build output (the same I see without using scan-build), and ending with a scan-build: WARNING: report_directory: Removing directory '/var/folders/....' because it contains no report.

Okay, then it means that your makefile does not respect the CC and CXX variables. (This is a documented limitation of this tool.) You can either change the makefile to use the compiler from these environment variables, or disable SIP. (I've seen a tool which worked with gnu-make and could generate a compilation database from its dry-run output. Don't remember the name of it.)

commented

In the Makefile, both CC and CXX are set and used. What do you mean by "does not respect"? Maybe I can try to fix the makefile.

I meant that if you run CC=clang make ... then it compiles the source files with clang instead of the default compiler. intercept-build calls your build as CC=intercept-cc CXX=intercept-c++ make ... and you have seen no messages from the wrappers... Changing the makefile sounds reasonable in this case.
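
The CC handling discussed in the comments above, as an added example that is not part of the thread or of the scan-build project: it builds the same rule with `CC` supplied from the environment (the way the wrapper mode does) and reports which program actually compiled. It assumes `make` is on `PATH`; `fake-cc` is a hypothetical stand-in for `intercept-cc`, and the stub `gcc` stands in for the real compiler.

```shell
#!/bin/sh
# Added example. Both "compilers" are stubs that only record their own name,
# so nothing is really compiled and no toolchain is needed.

# compiler_used MAKEFILE_TEXT [extra make args...]
# Prints the name of the program that make invoked for main.o.
compiler_used() {
    mk=$1; shift
    work=$(mktemp -d) || return 1
    mkdir "$work/bin"
    for name in fake-cc gcc; do
        printf '#!/bin/sh\nbasename "$0" >> "$STUB_LOG"\n' > "$work/bin/$name"
        chmod +x "$work/bin/$name"
    done
    printf '%s\n' "$mk" > "$work/Makefile"
    : > "$work/main.c"
    # Same shape as the wrapper mode: CC is passed through the environment.
    ( cd "$work" && STUB_LOG="$work/log" PATH="$work/bin:$PATH" CC=fake-cc \
        make "$@" >/dev/null 2>&1 )
    cat "$work/log" 2>/dev/null
    rm -rf "$work"
}

# Constructed makefiles; printf supplies the tab that recipes require.
rule=$(printf 'main.o: main.c\n\t$(CC) -c main.c -o main.o')

# "CC = gcc" in the makefile overrides the value from the environment,
# so the wrapper is never called and the compilation database stays empty.
hardcoded=$(printf 'CC = gcc\n%s' "$rule")

# "CC ?= gcc" only applies when CC is not already defined,
# so the wrapper from the environment is used.
respecting=$(printf 'CC ?= gcc\n%s' "$rule")

echo "CC = gcc            -> $(compiler_used "$hardcoded")"
echo "CC ?= gcc           -> $(compiler_used "$respecting")"
# A command-line variable beats the makefile assignment, which is why
# passing CC=... to make can help with a makefile that hard-codes CC.
echo "CC = gcc + make CC= -> $(compiler_used "$hardcoded" CC=fake-cc)"
```
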

commented

Could you provide an example of a working makefile? I can try to interpolate the mechanism and the way in which I should fix mine.

Sorry @cento, but not only do I have no idea which make program you use on your computer, I'm also not really good at makefiles. :) The test set has examples for Scons and QMake, but those were also using the intercept library, not the wrappers.

commented

Ok @rizsotto of course, I will take a look at the QMake example, btw thank you.

intercept-build make CC=intercept-cc seems to do the trick in Catalina.

@lu-zero your comment is probably specific to that Makefile. intercept-build does set the CC environment variable to the intercept-cc by itself.

I'm attempting to intercept a Zig build of FastFEC.

I can build that normally (and quickly) with zig build. Here's my verbose output with a few things truncated for security:

FastFEC % intercept-build -vvvv zig build
intercept-build: DEBUG: parse_args_for_intercept_build: Raw arguments ['/opt/homebrew/bin/intercept-build', '-vvvv', 'zig', 'build']
intercept-build: DEBUG: parse_args_for_intercept_build: Parsed arguments: Namespace(verbose=4, cdb='compile_commands.json', override_compiler=False, cc='cc', cxx='c++', append=False, build=['zig', 'build'])
intercept-build: DEBUG: run_command: exec command ['csrutil', 'status'] in /Users/davidfisher/code/FastFEC
intercept-build: DEBUG: run_build: run build ['zig', 'build'], in environment:
{'CC': 'intercept-cc',
 'COLORFGBG': '7;0',
 'COLORTERM': 'truecolor',
 'COMMAND_MODE': 'unix2003',
 'CXX': 'intercept-c++',
 'HOME': '/Users/davidfisher',
 'HOMEBREW_CELLAR': '/opt/homebrew/Cellar',
 'HOMEBREW_PREFIX': '/opt/homebrew',
 'HOMEBREW_REPOSITORY': '/opt/homebrew',
 'INFOPATH': '/opt/homebrew/share/info:',
 'INTERCEPT_BUILD': '{"verbose": 4, "cc": ["cc"], "cxx": ["c++"]}',
 'INTERCEPT_BUILD_TARGET_DIR': '/var/folders/5w/2v1mgyl54tj7yjcym5s055yw0000gq/T/intercept-l3711kst',
 'ITERM_PROFILE': 'Default',
 'LANG': 'en_US.UTF-8',
 'LC_TERMINAL': 'iTerm2',
 'LC_TERMINAL_VERSION': '3.4.15',
 'LOGNAME': 'davidfisher',
 'MANPATH': '/opt/homebrew/share/man::',
 'OLDPWD': '/Users/davidfisher/code',
 'PATH': '/Users/davidfisher/.rbenv/shims:/Users/davidfisher/.rbenv/bin:/Users/david/.ebcli-virtual-env/executables:/Users/davidfisher/.krew/bin:/usr/local/sbin:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/davidfisher/.cargo/bin:/Users/davidfisher/.rbenv/bin:/Users/david/.ebcli-virtual-env/executables',
 'PWD': '/Users/davidfisher/code/FastFEC',
 'PYENV_SHELL': 'zsh',
 'RBENV_SHELL': 'zsh',
 'SHELL': '/bin/zsh',
 'SHLVL': '1',
 'SSH_AUTH_SOCK': '/private/tmp/com.apple.launchd.1Wb4rd0hK7/Listeners',
 'TERM': 'xterm-256color',
 'TERM_PROGRAM': 'iTerm.app',
 'TERM_PROGRAM_VERSION': '3.4.15',
 'TMPDIR': '/var/folders/5w/2v1mgyl54tj7yjcym5s055yw0000gq/T/',
 'USER': 'davidfisher',
 'XPC_FLAGS': '0x0',
 'XPC_SERVICE_NAME': '0',
 '_': '/opt/homebrew/bin/intercept-build',
 '__CFBundleIdentifier': 'com.googlecode.iterm2',
 '__CF_USER_TEXT_ENCODING': '0x1F7:0x0:0x0'}
intercept-build: DEBUG: run_build: build finished with exit code: 0

My final output is [].

Mac OS 12.4 (21F79)

@tibbon from the truncated output I don't see whether the build was executing the compilers or not. What I do see is that the CC and CXX variables are correctly replaced with the intercept compiler wrappers. It is still possible that if the build is not using them, it won't have any effect. (And result in an empty output.)

I have no experience with zig as a build tool. So, not sure if you can use intercept-build against it.

Have you tried Bear (my other tool to create a compilation database)? It works the same way on MacOS, but it will enforce the compilers more (by changing the PATH environment variable too). That might do the trick.