smatch
Timeline: 2026-05-21, init
Smatch is a static analysis tool designed specifically for the Linux kernel. It traces code execution paths in depth and uncovers deeply hidden bugs such as null pointer dereferences, lock usage errors and resource leaks. Reference documentation:
Building smatch:

```sh
# Install dependencies
```
Kernel
Smatch hooks into the kernel build system, so it must be able to locate the compiler and header files correctly. If you cross-compile, set the environment variables first:

```sh
export ARCH=arm64
```
Analyze and build the database:

```sh
cd ~/repository/linux/linux-5.10.256
```
build_kernel_data.sh calls smatch_scripts/test_kernel.sh with the --call-tree, --info, --spammy and --data=$DATA_DIR flags, then calls smatch_data/db/create_db.sh to build the smatch database.
smatch does not strictly require a database, but having one makes it far more powerful. Once the global database is built, on the next compile Smatch can answer questions such as "How many times is printk called across the entire kernel?" or "Is this struct pointer freed in another C file?", which enables cross-file vulnerability detection.
Run smatch checks on the entire kernel:

```sh
~/repository/linux/smatch-1.74/smatch_scripts/test_kernel.sh --data="$HOME/repository/linux/smatch-1.74/smatch_data"
```
Script parameters:
- --endian: Enable big/little endian checks.
- --target "bzImage": Specify the build target (default is bzImage modules).
- --log smatch_compile.warns: Specify the build log output file.
- --wlog smatch_warns.txt: Custom Smatch warning output filename.
After compilation, two files are generated in the current directory:
- smatch_compile.warns: Full kernel build log (including errors and warnings).
- smatch_warns.txt: Pure Smatch static check warning messages.
You can also check only specific files or directories:

```sh
~/repository/linux/smatch-1.74/smatch_scripts/kchecker drivers/rpmsg/rpmsg_core.c
```
The smatch author recommends updating the smatch database frequently, since each update improves the accuracy of cross-function checks:

```sh
~/repository/linux/smatch-1.74/smatch_data/db/create_db.sh -p=kernel smatch_warns.txt
```
At run time, smatch reads the rules stored in smatch_data. The relevant logic is in ~/repository/linux/smatch-1.74/smatch.c, in static char *get_data_dir(char *arg0): the data directory can be overridden with --data=/path/to/smatch_data.
Out-of-tree Module
For non-kernel projects, use the following method to build the database and analyze:

```sh
export ARCH=arm64
```

- --file-output: Output one result file per source file.
- --succeed: Continue analysis even on errors.
- --call-tree: Enable cross-function call analysis.
- --info: More detailed analysis logs.
- --spammy: More aggressive checks.
With the --file-output parameter, smatch does not print warnings to stdout/stderr by default. Instead, it writes a set of hidden text files next to your source code:
- .hello_world.c.smatch (regular warnings)
- .hello_world.c.smatch.caller_info (if you also passed --info, and similar files for the other database flags)
Static check analysis.