Canalyze Static Code Analyzer

Canalyze is a static code analyzer for C. It aims to detect bugs in C programs automatically. C++ support is in progress.

Canalyze analyzes code by symbolically simulating its execution along every path. Corner cases are explored systematically. Many code defects have been found this way, for example in GDB, Coreutils, and sed.

Canalyze employs a sophisticated memory modeling technique, which enables Canalyze to support reasoning about pointers, array elements, and struct fields. An (outdated) paper describes some of the details of the method.

Interprocedural analysis is instrumental for detecting deep bugs in the program. Canalyze implements a novel function summary mechanism to support precise interprocedural analysis. This feature is still experimental, and is not enabled by default.

Canalyze can analyze a whole software package without manual changes to its build system. An analysis driver integrates Canalyze into the package's build process.

The current bug types that can be checked are here. Only default checkers are considered to emit sane results.

Canalyze uses the clang C language family frontend.


The Canalyze directory should be in the PATH. We only provide some simple examples here. For a detailed description of the tool, see the driver and analyzer manuals.

Suppose we have a simple preprocessed C program in file foo.i:

// foo.i
void f() {
  int *p = 0;
  *p = 1;
}

Execute the command:

$ analyze foo.i

A bug report file in XML format will be generated under the current directory.
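
A larger input of the same kind as foo.i, added here as an example and not taken from the Canalyze distribution: the null dereference in bump_unchecked occurs only on two corner-case paths, one crossing a function boundary (find returns 0) and one through a struct field of an array element (val is 0). All names and values are constructed, and the page does not state what report Canalyze produces for this file; it has no preprocessor directives, so it can be saved as a .i file like foo.i.

```c
/* Constructed sample; names and values are assumptions, not Canalyze code. */
struct slot { int key; int *val; };

/* Returns the slot whose key matches, or 0 when the key is absent. */
static struct slot *find(struct slot *tab, int n, int key) {
  for (int i = 0; i < n; i++)
    if (tab[i].key == key)
      return &tab[i];
  return 0;
}

/* Defective on purpose: two distinct paths end in a null dereference.
   Path 1: find() returns 0 because the key is absent.
   Path 2: the slot exists but its val field is 0. */
int bump_unchecked(struct slot *tab, int n, int key) {
  struct slot *s = find(tab, n, key);
  *s->val += 1;
  return *s->val;
}

/* Hardened form: both paths are checked before the dereference.
   Returns 0 on success, -1 for an absent key, -2 for a null val field. */
int bump_checked(struct slot *tab, int n, int key, int *out) {
  struct slot *s = find(tab, n, key);
  if (s == 0)
    return -1;
  if (s->val == 0)
    return -2;
  *s->val += 1;
  *out = *s->val;
  return 0;
}

/* Constructed inputs, one per path of bump_checked():
   which = 0: key present, which = 1: null val field, which = 2: key absent. */
int run_case(int which) {
  int a = 41;
  struct slot tab[2] = { {1, &a}, {2, 0} };
  int keys[3] = {1, 2, 3};
  int out = 0;
  int rc = bump_checked(tab, 2, keys[which], &out);
  return rc == 0 ? out : rc;
}

int main(void) {
  return (run_case(0) == 42 && run_case(1) == -2 && run_case(2) == -1) ? 0 : 1;
}
```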

To analyze a full package, the analysis driver is needed. Suppose we have a package that can be built by executing make in the current directory. We can then analyze the package with the following commands.

canalyze log -dir ~/datadir
canalyze preprocess -dir ~/datadir
canalyze analyze -dir ~/datadir

The first command logs the build process. It should be executed in the package's build directory. The second command generates preprocessed source files. The last command performs the analysis. The analysis results will be put under the ~/datadir/report directory.

Bug Reports


We only provide a binary for Linux for now. I would appreciate it if you sent me an email after downloading the tool.

Note that although many packages have been scanned by Canalyze, it is still expected to crash on some code. If this happens, please send the code to me. I will fix the tool as soon as possible.

Emails could be sent to

The current build of Canalyze:


To use canalyze and its UI, you need to install Python3 and wxPython.
Python3 provides better support for Unicode encoding. The UI is for demonstration only.
Please make sure the canalyze directory (the top directory) and the driver directory are added to your environment path.