1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
2          "http://www.w3.org/TR/html4/strict.dtd">
3<html>
4<head>
5  <title>List of potential checkers</title>
6  <link type="text/css" rel="stylesheet" href="content.css">
7  <link type="text/css" rel="stylesheet" href="menu.css">
8  <script type="text/javascript" src="scripts/expandcollapse.js"></script>
9  <script type="text/javascript" src="scripts/menu.js"></script>
10</head>
11<body onload="initExpandCollapse()">
12
13<div id="page">
14
15<!-- menu -->
16<!--#include virtual="menu.html.incl"-->
17<!-- page content -->
18<div id="content">
19<h1>List of potential checkers</h1>
20
21<p>This page contains a list of potential checkers to implement in the static analyzer.  If you are interested in contributing to the analyzer's development, this is a good resource to help you get started.  The specific names of the checkers are subject to review, and are provided here as suggestions.</p>
22
23<!-- ========================= allocation/deallocation ======================= -->
24<h3>memory</h3>
25<table class="checkers">
26<col class="namedescr"><col class="example"><col class="progress">
27<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead>
28
29<tr><td><div class="namedescr expandable"><span class="name">
30memory.LeakEvalOrder</span><span class="lang">
31(C, C++)</span><div class="descr">
32Potential memory leaks caused by an undefined argument evaluation order.
33<p>Source: <a href="http://www.boost.org/doc/libs/1_49_0/libs/smart_ptr/shared_ptr.htm#BestPractices">
34boost docs: shared_ptr</a>.</p></div></div></td>
35<td><div class="exampleContainer expandable">
36<div class="example"><pre>
37void f(int, int);
38int g(void *);
39int h() __attribute__((noreturn));
40
41void test() {
42  // It is possible that 'malloc(1)' is called first,
43  // then 'h()', that is (or calls) noreturn and eventually
44  // 'g()' is never called.
45  f(g(malloc(1)), h()); // warn: 'g()' may never be called.
46}
47</pre></div>
48<div class="example"><pre>
49void f(int, int);
50int g(int *);
51int h() { throw 1; };
52
53void test() {
54  // It is possible that 'new int' is called first,
55  // then 'h()', that throws an exception and eventually
56  // 'g()' is never called.
57  f(g(new int), h()); // warn: 'g()' may never be called.
58}
59</pre></div></div></td>
60<td class="aligned"></td></tr>
61
62
63<tr><td><div class="namedescr expandable"><span class="name">
64memory.DstBufferTooSmall</span><span class="lang">
65(C, C++)</span><div class="descr">
66Destination buffer passed to memory function is too small.
67<br>Note: <span class="name">security.insecureAPI.strcpy</span> currently warns
68on usage of <code>strcpy</code> and suggests to replace it.
69<br>Note: <span class="name">alpha.unix.CStringChecker</span> contains some similar checks.
70<p>Source: <a href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>.</p></div></div></td>
71<td><div class="exampleContainer expandable">
72<div class="example"><pre>
73void test() {
74  const char* s1 = "abc";
75  char *s2 = new char;
76  strcpy(s2, s1); // warn
77}
78</pre></div>
79<div class="example"><pre>
80void test() {
81  int* p1 = new int[3];
82  int* p2 = new int;
83  memcpy(p2, p1, 3); // warn
84}
85</pre></div></div></td>
86<td class="aligned"></td></tr>
87
88
89<tr><td><div class="namedescr expandable"><span class="name">
90memory.NegativeArraySize</span><span class="lang">
91(C, C++)</span><div class="descr">
92'n' is used to specify the buffer size may be negative.
93<br>Note: possibly an enhancement to <span class="name">
94alpha.security.MallocOverflow</span>.
95<p>Source: <a href="http://cwe.mitre.org/data/definitions/20.html">CWE-20,
96Example 2</a>.</p></div></div></td>
97<td><div class="exampleContainer expandable">
98<div class="example"><pre>
99void test() {
100  int *p;
101  int n1 = -1;
102  p = new int[n1]; // warn
103}
104</pre></div></div></td>
105<td class="aligned"></td></tr>
106
107<tr><td><div class="namedescr expandable"><span class="name">
108memory.ZeroAlloc</span><span class="lang">
109(C, C++)</span><div class="descr">
110Allocation of zero bytes.
111<br>Note: an enhancement to <span class="name">unix.Malloc</span>.
112<br>Note: <span class="name">unix.API</span> perform C-checks for zero
113allocation. This should be moved to <span class="name">unix.Malloc</span>.
114<p>Source: C++03 3.7.3.1p2; C++11 3.7.4.1p2.</p></div></div></td>
115<td><div class="exampleContainer expandable">
116<div class="example"><pre>
117#include &lt;stdlib.h&gt;
118
119void test() {
120  int *p = malloc(0); // warn
121  free(p);
122}
123</pre></div>
124<div class="example"><pre>
125void test() {
126  int *p = new int[0]; // warn
127  delete[] p;
128}
129</pre></div></div></td>
130<td class="aligned"><a href="http://reviews.llvm.org/D6178">
131D6178</a></td></tr>
132
133</table>
134
135<!-- ======================= constructors/destructors ====================== -->
136<h3>constructors/destructors</h3>
137<table class="checkers">
138<col class="namedescr"><col class="example"><col class="progress">
139<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead>
140
141<tr><td><div class="namedescr expandable"><span class="name">
142ctordtor.ExptInsideDtor</span><span class="lang">
143(C++)</span><div class="descr">
144It is dangerous to let an exception leave a destructor.
145Using <code>try..catch</code> solves the problem.
146<p>Source: Scott Meyers "More Effective C++", item 11: Prevent exceptions from
147leaving destructors.</p></div></div></td>
148<td><div class="exampleContainer expandable">
149<div class="example"><pre>
150class A {
151  A() {}
152  ~A() { throw 1; } // warn
153};
154</pre></div>
155<div class="example"><pre>
156void f() throw(int);
157
158class A {
159  A() {}
160  ~A() { f(); } // warn
161};
162</pre></div></div></td>
163<td class="aligned"></td></tr>
164
165
166<tr><td><div class="namedescr expandable"><span class="name">
167ctordtor.PlacementSelfCopy</span><span class="lang">
168(C++11)</span><div class="descr">
169For a placement copy or move, it is almost certainly an error if the
170constructed object is also the object being copied from.</div></div></td>
171<td><div class="exampleContainer expandable">
172<div class="example"><pre>
173class A {};
174
175void test(A *dst, A *src) {
176  ::new (dst) A(*dst); // warn (should be 'src')
177}
178</pre></div></div></td>
179<td class="aligned"><!--rdar://problem/13688366--></td></tr>
180
181</table>
182
183<!-- =============================== va_list =============================== -->
184<h3>va_list</h3>
185<table class="checkers">
186<col class="namedescr"><col class="example"><col class="progress">
187<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead>
188
189<tr><td><div class="namedescr expandable"><span class="name">
190valist.Uninitialized</span><span class="lang">
191(C)</span><div class="descr">
192Calls to the <code>va_arg</code>, <code>va_copy</code>, or
193<code>va_end</code> macro must happen after calling <code>va_start</code> and
194before calling <code>va_end</code>.</div></div></td>
195<td><div class="exampleContainer expandable">
196<div class="example"><pre>
197#include &lt;stdarg.h&gt;
198
199void test(int x, ...) {
200  va_list args;
201  int y = va_arg(args, int); // warn
202}
203</pre></div>
204<div class="example"><pre>
205#include &lt;stdarg.h&gt;
206
207void test(int x, ...) {
208  va_list args;
209  va_start(args, x);
210  va_end(args);
211  int z = va_arg(args, int); // warn
212}
213</pre></div></div></td>
214<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16812">
215PR16811</a></td></tr>
216
217<tr><td><div class="namedescr expandable"><span class="name">
218valist.Unterminated</span><span class="lang">
219(C)</span><div class="descr">
220Every <code>va_start</code> must be matched by a <code>va_end</code>. A va_list
221can only be ended once.
222
223<i>This should be folded into the generalized "ownership checker"
224described on the <a href="open_projects.html">
225Open Projects</a> page.</i></div></div></td>
226<td><div class="exampleContainer expandable">
227<div class="example"><pre>
228#include &lt;stdarg.h&gt;
229
230void test(int x, ...) {
231  va_list args;
232  va_start(args, x);
233  int y = x + va_arg(args, int);
234} // warn: missing va_end
235</pre></div></div></td>
236<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16812">
237PR16812</a></td></tr>
238
239</table>
240
241<!-- ============================== exceptions ============================= -->
242<h3>exceptions</h3>
243<table class="checkers">
244<col class="namedescr"><col class="example"><col class="progress">
245<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead>
246
247<tr><td><div class="namedescr expandable"><span class="name">
248exceptions.ThrowSpecButNotThrow</span><span class="lang">
249(C++)</span><div class="descr">
250Function declaration has a <code>throw(<i>type</i>)</code> specifier but the
251function do not throw exceptions.</div></div></td>
252<td><div class="exampleContainer expandable">
253<div class="example"><pre>
254void test() throw(int) {
255} // warn
256</pre></div></div></td>
257<td class="aligned"></td></tr>
258
259
260<tr><td><div class="namedescr expandable"><span class="name">
261exceptions.NoThrowSpecButThrows</span><span class="lang">
262(C++)</span><div class="descr">
263An exception is throw from a function having a <code>throw()</code>
264specifier.</div></div></td>
265<td><div class="exampleContainer expandable">
266<div class="example"><pre>
267void test() throw() {
268  throw(1); // warn
269}
270</pre></div></div></td>
271<td class="aligned"></td></tr>
272
273
274<tr><td><div class="namedescr expandable"><span class="name">
275exceptions.ThrownTypeDiffersSpec</span><span class="lang">
276(C++)</span><div class="descr">
277The type of a thrown exception differs from those specified in
278a <code>throw(<i>type</i>)</code> specifier.</div></div></td>
279<td><div class="exampleContainer expandable">
280<div class="example"><pre>
281struct S{};
282
283void test() throw(int) {
284  S s;
285  throw (s); // warn
286}
287</pre></div></div></td>
288<td class="aligned"></td></tr>
289
290</table>
291
292<!-- ========================= smart pointers ============================== -->
293<h3>smart pointers</h3>
294<table class="checkers">
295<col class="namedescr"><col class="example"><col class="progress">
296<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead>
297
298<tr><td><div class="namedescr expandable"><span class="name">
299smartptr.SmartPtrInit</span><span class="lang">
300(C++)</span><div class="descr">
301C++03: <code>auto_ptr</code> should store a pointer to an object obtained via
302new as allocated memory will be cleaned using <code>delete</code>.<br>
303C++11: one should use <code>unique_ptr&lt;<i>type</i>[]&gt;</code> to keep a
304pointer to memory allocated by <code>new[]</code>.<br>
305C++11: to keep a pointer to memory allocated by <code>new[]</code> in
306a <code>shared_ptr</code> one should use a custom deleter that calls <code>
307delete[].</code>.
308<p>Source: C++03 20.4.5p1; C++11 <code>auto_ptr</code> is deprecated (D.10).</p></div></div></td>
309<td><div class="exampleContainer expandable">
310<div class="example"><pre>
311#include &lt;stdlib.h&gt;
312#include &lt;memory&gt;
313
314void test() {
315  std::auto_ptr&lt;int&gt; p1(new int); // Ok
316  std::auto_ptr&lt;int&gt; p2(new int[3]); // warn
317}
318</pre></div>
319<div class="example"><pre>
320#include &lt;stdlib.h&gt;
321#include &lt;memory&gt;
322
323void test() {
324  std::auto_ptr&lt;int&gt; p((int *)malloc(sizeof(int))); // warn
325}
326</pre></div></div></td>
327<td class="aligned"></td></tr>
328
329</table>
330
331<!-- ============================== dead code ============================== -->
332<h3>dead code</h3>
333<table class="checkers">
334<col class="namedescr"><col class="example"><col class="progress">
335<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead>
336
337<tr><td><div class="namedescr expandable"><span class="name">
338deadcode.UnmodifiedVariable</span><span class="lang">
339(C, C++)</span><div class="descr">
340A variable is never modified but was not declared const and is not a
341reference.<br><br><i>(opt-in checker)</i></div></div></td>
342<td><div class="exampleContainer expandable">
343<div class="example"><pre>
344extern int computeDelta();
345
346int test(bool cond) {
347  int i = 0;
348  if (cond) {
349    const int delta = computeDelta();
350    // warn: forgot to modify 'i'
351  }
352  return i;
353}
354</pre></div></div></td>
355<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16890">PR16890</a></td></tr>
356
357<tr><td><div class="namedescr expandable"><span class="name">
358deadcode.IdempotentOperations</span><span class="lang">
359(C)</span><div class="descr">
360Warn about idempotent operations.</div></div></td>
361<td><div class="exampleContainer expandable">
362<div class="example"><pre>
363void test() {
364  int x = 7;
365  x = x; // warn: value is always the same
366}
367</pre></div>
368<div class="example"><pre>
369void test() {
370  int x = 7;
371  x /= x; // warn: value is always 1
372}
373</pre></div>
374<div class="example"><pre>
375void test() {
376  int x = 7, one = 1;
377  x *= one; // warn: right op is always 1
378}
379</pre></div>
380<div class="example"><pre>
381void test() {
382  int x = 7, zero = 0;
383  x = x - zero;
384   // warn: the right operand to '-' is always 0
385}
386</pre></div></div></td>
387<td class="aligned">removed from alpha.deadcode.* at r198476</td></tr>
388
389</table>
390
391<!-- ================================ POSIX ================================ -->
392<h3>POSIX</h3>
393<table class="checkers">
394<col class="namedescr"><col class="example"><col class="progress">
395<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead>
396
397<tr><td><div class="namedescr expandable"><span class="name">
398posix.Errno</span><span class="lang">
399(C)</span><div class="descr">
400Record that <code>errno</code> is non-zero when certain functions
401fail.</div></div></td>
402<td><div class="exampleContainer expandable">
403<div class="example"><pre>
404#include &lt;stdlib.h&gt;
405
406int readWrapper(int fd, int *count) {
407  int lcount = read(fd, globalBuf, sizeof(globalBuf));
408  if (lcount < 0)
409    return errno;
410  *count = lcount;
411  return 0;
412}
413
414void use(int fd) {
415  int count;
416  if (!readWrapper(fd, &amp;count))
417    print("%d", count); // should not warn
418}
419</pre></div></div></td>
420<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=18701">PR18701</a></td></tr>
421
422</table>
423
424<!-- ========================= undefined behavior ========================== -->
425<h3>undefined behavior</h3>
426<table class="checkers">
427<col class="namedescr"><col class="example"><col class="progress">
428<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead>
429
430<tr><td><div class="namedescr expandable"><span class="name">
431undefbehavior.ExitInDtor</span><span class="lang">
432(C++)</span><div class="descr">
433Undefined behavior: <code>std::exit()</code> is called to end the program during
434the destruction of an object with static storage duration.
435<p>Source: C++11 3.6.1p4.</p></div></div></td>
436<td><div class="exampleContainer expandable">
437<div class="example"><pre>
438#include &lt;cstdlib&gt;
439
440class A {
441public:
442  ~A() {
443    std::exit(1); // warn
444  }
445};
446</pre></div></div></td>
447<td class="aligned"></td></tr>
448
449
450<tr><td><div class="namedescr expandable"><span class="name">
451undefbehavior.LocalStaticDestroyed</span><span class="lang">
452(C++)</span><div class="descr">
453Undefined behavior: function containing a definition of static local object is
454called during the destruction of an object with static storage duration so that
455flow of control passes through the definition of the previously destroyed
456static local object.
457<p>Source: C++11 3.6.3p2.</p></div></div></td>
458<td><div class="exampleContainer expandable">
459<div class="example"><pre>
460void f();
461
462class A {
463public:
464  ~A() {
465    f(); // warn
466  }
467};
468
469class B {};
470
471A a;
472
473void f() {
474  static B b;
475}
476</pre></div></div></td>
477<td class="aligned"></td></tr>
478
479
480<tr><td><div class="namedescr expandable"><span class="name">
481undefbehavior.ZeroAllocDereference</span><span class="lang">
482(C, C++)</span><div class="descr">
483The effect of dereferencing a pointer returned as a request for zero size is
484undefined.<br>
485Note: possibly an enhancement to <span class="name">
486unix.Malloc</span>.
487<p>Source: C++03 3.7.3.1p2; C++11 3.7.4.1p2.</p></div></div></td>
488<td><div class="exampleContainer expandable">
489<div class="example"><pre>
490#include &lt;stdlib.h&gt;
491
492void test() {
493  int *p = (int *)malloc(0);
494  *p = 1; // warn
495  free(p);
496}
497</pre></div>
498<div class="example"><pre>
499void f(int);
500
501void test() {
502  int *p = new int[0];
503  f(*p); // warn
504  delete[] p;
505}
506</pre></div></div></td>
507<td class="aligned"><a href="http://reviews.llvm.org/D8273">D8273</a></td></tr>
508
509
510<tr><td><div class="namedescr expandable"><span class="name">
511undefbehavior.DeadReferenced</span><span class="lang">
512(C++)</span><div class="descr">
513Undefined behavior: the following usage of the pointer to the object whose
514lifetime has ended can result in undefined behavior:<br>
515The object will be or was of a class type with a non-trivial destructor and
516<ul><li>the pointer is used as the operand of a delete-expression</li></ul>
517The object will be or was of a non-POD class type (C++11: any class type) and
518<ul><li>the pointer is used to access a non-static data member or call a
519non-static member function of the object</li>
520<li>the pointer is implicitly converted to a pointer to a base class
521type</li>
522<li>the pointer is used as the operand of a <code>static_cast</code> (except
523when the conversion is to <code>void*</code>, or to <code>void*</code> and
524subsequently to <code>char*</code>, or <code>unsigned char*</code>)</li>
525<li>the pointer is used as the operand of a <code>dynamic_cast</code></li></ul>
526<p>Source: C++03 3.8p5, p7; C++11 3.8p5, p7.</p></div></div></td>
527<td><div class="exampleContainer expandable">
528<div class="example"><pre>
529#include &lt;new&gt;
530
531class A {
532public:
533  ~A();
534};
535
536class B : public A {};
537
538void test() {
539  A *a = new A;
540  new(a) B;
541  delete a; // warn
542}
543</pre></div>
544<div class="example"><pre>
545#include &lt;new&gt;
546
547class A {
548public:
549  ~A();
550};
551
552class B {};
553
554void test() {
555  A *a = new A;
556  new(a) B;
557  a->~A();
558}
559</pre></div>
560<div class="example"><pre>
561#include &lt;new&gt;
562
563class A {
564public:
565  ~A();
566};
567
568class B : public A {};
569
570class C {};
571
572void f(A*);
573
574void test() {
575  B *b = new B;
576  new(b) C;
577  f(b); // warn
578}
579</pre></div>
580<div class="example"><pre>
581#include &lt;new&gt;
582
583class A {
584public:
585  ~A();
586};
587
588class B : public A {};
589
590class C {};
591
592A* test() {
593  B *b = new B;
594  new(b) C;
595  return static_cast&lt;A*&gt;(b); // warn
596}
597</pre></div>
598<div class="example"><pre>
599#include &lt;new&gt;
600
601class A {
602public:
603  ~A();
604};
605
606class B : public A {};
607
608class C {};
609
610A* test() {
611  B *b = new B;
612  new(b) C;
613  return dynamic_cast&lt;A*&gt;(b); // warn
614}
615</pre></div></div></td>
616<td class="aligned"></td></tr>
617
618
619<tr><td><div class="namedescr expandable"><span class="name">
620undefbehavior.ObjLocChanges</span><span class="lang">
621(C++)</span><div class="descr">
622Undefined behavior: the program must ensure that an object occupies the same
623storage location when the implicit or explicit destructor call takes place.
624<p>Source: C++11 3.8p8.</p></div></div></td>
625<td><div class="exampleContainer expandable">
626<div class="example"><pre>
627#include &lt;new&gt;
628
629class A {};
630
631class B {
632public:
633  ~B();
634};
635
636void test() {
637  B b;
638  new (&b) A;
639} // warn
640</pre></div>
641<div class="example"><pre>
642#include &lt;new&gt;
643
644class A {};
645
646class B {
647public:
648  ~B();
649};
650
651void test() {
652  B *b = new B;
653  new (b) A;
654  delete b; // warn
655}
656</pre></div></div></td>
657<td class="aligned"></td></tr>
658
659
660<tr><td><div class="namedescr expandable"><span class="name">
661undefbehavior.ExprEvalOrderUndef</span><span class="lang">
662(C, C++03)</span><div class="descr">
663Undefined behavior: a scalar object shall have its stored value modified at
664most once by the evaluation of an expression.<br>
665Note: most cases are currently handled by the Clang core (search for 'multiple
666unsequenced modifications' warning in Clang tests).
667<p>Source: C++03 5p4.</p></div></div></td>
668<td><div class="exampleContainer expandable">
669<div class="example"><pre>
670int test () {
671  int i = 0;
672  i = ++i + 1; // warn
673  return i;
674}
675</pre></div></div></td>
676<td class="aligned"></td></tr>
677
678
679<tr><td><div class="namedescr expandable"><span class="name">
680undefbehavior.StaticInitReentered</span><span class="lang">
681(C++)</span><div class="descr">
682Undefined behavior: static declaration is re-entered while the object is being
683initialized.
684<p>Source: C++11 6.7p4.</p></div></div></td>
685<td><div class="exampleContainer expandable">
686<div class="example"><pre>
687int test(int i) {
688  static int s = test(2 * i); // warn
689  return i + 1;
690}
691</pre></div></div></td>
692<td class="aligned"></td></tr>
693
694
695<tr><td><div class="namedescr expandable"><span class="name">
696undefbehavior.ConstModified</span><span class="lang">
697(C, C++)</span><div class="descr">
698Undefined behavior: const object is being modified.
699<p>Source: C++03 7.1.5.1p4, C++11 7.1.6.1p4.</p></div></div></td>
700<td><div class="exampleContainer expandable">
701<div class="example"><pre>
702void test() {
703  const int *cp = new const int (0);
704  int *p = const_cast&lt;int *&gt;(cp);
705  *p = 1; // warn
706  delete p;
707}
708</pre></div>
709<div class="example"><pre>
710class C {
711public :
712  int i;
713  C();
714};
715
716void test() {
717  const C cb;
718
719  C* cp = const_cast&lt;C *&gt;(&cb);
720  cp-&gt;i = 1; // warn
721}
722</pre></div></div></td>
723<td class="aligned"></td></tr>
724
725
726<tr><td><div class="namedescr expandable"><span class="name">
727undefbehavior.DeadDestructed</span><span class="lang">
728(C++)</span><div class="descr">
729Undefined behavior: the destructor is invoked for an object whose lifetime
730has ended.
731<p>Source: C++11 12.4p14.</p></div></div></td>
732<td><div class="exampleContainer expandable">
733<div class="example"><pre>
734class A {
735public:
736  void f();
737  A();
738  ~A();
739};
740
741void test() {
742  A a;
743  a.~A();
744} // warn
745</pre></div></div></td>
746<td class="aligned"></td></tr>
747
748
749<tr><td><div class="namedescr expandable"><span class="name">
750undefbehavior.MethodCallBeforeBaseInit</span><span class="lang">
751(C++)</span><div class="descr">
752Undefined behavior: calls member function but base not yet initialized.
753<p>Source: C++03 12.6.2p8; C++11 12.6.2p13.</p></div></div></td>
754<td><div class="exampleContainer expandable">
755<div class="example"><pre>
756class A {
757public :
758  A(int);
759};
760
761class B : public A {
762public :
763  int f();
764  B() : A(f()) {} // warn
765};
766</pre></div></div></td>
767<td class="aligned"></td></tr>
768
769
770<tr><td><div class="namedescr expandable"><span class="name">
771undefbehavior.MemberOrBaseRefBeforeCtor</span><span class="lang">
772(C++)</span><div class="descr">
773C++ Undefined behavior: non-static member or base class of non-POD class type
774is referred before constructor begins execution.<br>
775C++11 Undefined behavior: non-static member or base class of a class with a
776non-trivial constructor is referred before constructor begins execution.
777<p>Source: C++03 12.7p1; C++11 12.7p1.</p></div></div></td>
778<td><div class="exampleContainer expandable">
779<div class="example"><pre>
780struct non_POD {
781  int i;
782  non_POD();
783};
784
785extern non_POD non_pod;
786
787int *p = &amp;non_pod.i; // warn
788</pre></div>
789<div class="example"><pre>
790struct POD {
791  int i;
792};
793
794struct non_POD : public POD {
795  POD pod;
796};
797
798extern non_POD non_pod;
799
800int *p = &amp;non_pod.pod.i; // warn
801</pre></div>
802<div class="example"><pre>
803struct POD {
804  int i;
805};
806
807struct non_POD : public POD {};
808
809extern non_POD non_pod;
810
811POD *p = &amp;non_pod; // warn
812</pre></div>
813<div class="example"><pre>
814struct non_POD {
815  int i;
816  non_POD();
817};
818
819struct S {
820  int *k;
821  non_POD non_pod;
822  S() : k(&amp;non_pod.i) {} // warn
823};
824</pre></div></div></td>
825<td class="aligned"></td></tr>
826
827
828<tr><td><div class="namedescr expandable"><span class="name">
829undefbehavior.MemberRefAfterDtor</span><span class="lang">
830(C++)</span><div class="descr">
831C++03: Undefined behavior: non-static member of non-POD class type is referred
832after destructor ends execution.<br>
833C++11: Undefined behavior: non-static member of a class with a non-trivial
834destructor is referred after destructor ends execution.
835<p>Source: C++03 12.7p1; C++11 12.7p1.</p></div></div></td>
836<td><div class="exampleContainer expandable">
837<div class="example"><pre>
838class C {
839public:
840  C();
841  void f();
842};
843
844void test() {
845  C *c = new C();
846  c-&gt;~C();
847  c-&gt;f(); // warn
848}
849</pre></div></div></td>
850<td class="aligned"></td></tr>
851
852
853<tr><td><div class="namedescr expandable"><span class="name">
854undefbehavior.CtorForeignCall</span><span class="lang">
855(C++)</span><div class="descr">
856Undefined behavior: call to virtual function of an object under construction
857whose type is neither the constructors own class or one of its bases.
858<p>Source: C++11 12.7p4.</p></div></div></td>
859<td><div class="exampleContainer expandable">
860<div class="example"><pre>
861class A {
862public:
863  virtual void f() {};
864};
865
866class B {
867public:
868  B(A* a) { a-&gt;f(); } // warn
869};
870
871class C : public A, B {
872public:
873  C() : B((A*)this) {}
874};
875</pre></div></div></td>
876<td class="aligned"></td></tr>
877
878
879<tr><td><div class="namedescr expandable"><span class="name">
880undefbehavior.CtorForeignTypeid</span><span class="lang">
881(C++)</span><div class="descr">
882Undefined behavior: the operand of <code>typeid</code> is an object under
883construction whose type is neither the constructors own class or one of its
884bases.
885<p>Source: C++11 12.7p5.</p></div></div></td>
886<td><div class="exampleContainer expandable">
887<div class="example"><pre>
888#include &lt;typeinfo&gt;
889
890class A {};
891
892class B {
893public:
894  B(A* a) {
895    (void)typeid(*a); // warn
896  }
897};
898
899class C : public A, B {
900public:
901  C() : B((A*)this) {}
902};
903</pre></div></div></td>
904<td class="aligned"></td></tr>
905
906
907<tr><td><div class="namedescr expandable"><span class="name">
908undefbehavior.CtorForeignCast</span><span class="lang">
909(C++)</span><div class="descr">
910Undefined behavior: the operand of <code>dynamic_cast</code> is an object under
911construction whose type is neither the constructors own class or one of its
912bases.
913<p>Source: C++11 12.7p6.</p></div></div></td>
914<td><div class="exampleContainer expandable">
915<div class="example"><pre>
916#include &lt;typeinfo&gt;
917
918class A {
919public:
920  virtual void f() {};
921};
922
923class B {
924public:
925  B(A* a) {
926    (void)dynamic_cast&lt;B*&gt;(a); //warn
927  }
928};
929
930class C : public A, B {
931public:
932  C() : B((A*)this) {}
933};
934</pre></div></div></td>
935<td class="aligned"></td></tr>
936
937
938<tr><td><div class="namedescr expandable"><span class="name">
939undefbehavior.MemberOrBaseRefInCatch</span><span class="lang">
940(C++)</span><div class="descr">
941Undefined behavior: referring to any non-static member or base class of an
942object in the handler for a function-try-block of a constructor or destructor
943for that object results in undefined behavior.
944<p>Source: C++11 15.3p10.</p></div></div></td>
945<td><div class="exampleContainer expandable">
946<div class="example"><pre>
947void f() { throw 1; }
948
949class C {
950  int i;
951public :
952  C()
953  try {
954    f();
955  }
956  catch (...) {
957    i=2; // warn
958  }
959};
960</pre></div>
961<div class="example"><pre>
962void f() { throw 1; }
963
964class Base {
965public:
966  int i;
967};
968
969class C: public Base {
970public :
971  ~C() try {
972    f();
973  }
974  catch (...) {
975    i=2; // warn
976  }
977};
978</pre></div></div></td>
979<td class="aligned"></td></tr>
980
981
982<tr><td><div class="namedescr expandable"><span class="name">
983undefbehavior.ReturnAtCatchEnd</span><span class="lang">
984(C++)</span><div class="descr">
985Undefined behavior: a function returns when control reaches the end of a
986handler. This results in undefined behavior in a value-returning function.
987<p>Source: C++11 15.3p10.</p></div></div></td>
988<td><div class="exampleContainer expandable">
989<div class="example"><pre>
990void f() { throw 1; }
991
992int test() try {
993  f();
994  return 1;
995}
996catch(int) {
997} // warn
998</pre></div></div></td>
999<td class="aligned"></td></tr>
1000
1001
1002<tr><td><div class="namedescr expandable"><span class="name">
1003undefbehavior.AutoptrsOwnSameObj</span><span class="lang">
1004(C++03)</span><div class="descr">
1005Undefined behavior: if more than one <code>auto_ptr</code> owns the same object
1006at the same time the behavior of the program is undefined.
1007<p>Source: C++03 20.4.5p3; C++11 <code>auto_ptr</code> is deprecated
1008(D.10).</p></div></div></td>
1009<td><div class="exampleContainer expandable">
1010<div class="example"><pre>
1011#include &lt;memory&gt;
1012
1013void test() {
1014  int *data = new int;
1015  std::auto_ptr&lt;int&gt; p(data);
1016  std::auto_ptr&lt;int&gt; q(data); // warn
1017}
1018</pre></div></div></td>
1019<td class="aligned"></td></tr>
1020
1021
1022<tr><td><div class="namedescr expandable"><span class="name">
1023undefbehavior.BasicStringOutOfBound</span><span class="lang">
1024(C++03)</span><div class="descr">
1025Undefined behavior: out-of-bound <code>basic_string</code> access/modification.
1026<br>Note: possibly an enhancement to <span class="name">
1027alpha.security.ArrayBoundV2</span>.
1028<p>Source: C++03 21.3.4p1; C++11 behavior is defined
1029(21.4.5p2).</p></div></div></td>
1030<td><div class="exampleContainer expandable">
1031<div class="example"><pre>
1032#include &lt;string&gt;
1033
1034void test() {
1035  std::basic_string&lt;char&gt; s;
1036  char c = s[10]; // warn
1037}
1038</pre></div>
1039<div class="example"><pre>
1040#include &lt;string&gt;
1041
1042void test() {
1043  std::basic_string&lt;char&gt; s;
1044  s[10] = 0; // warn
1045}
1046</pre></div></div></td>
1047<td class="aligned"></td></tr>
1048
1049
1050<tr><td><div class="namedescr expandable"><span class="name">
1051undefbehavior.EosDereference</span><span class="lang">
1052(C++)</span><div class="descr">
1053Undefined behavior: the result of <code>operator*()</code> on an end of a
1054stream is undefined.
1055<p>Source: C++03 24.5.3p2; C++11 24.6.3p2.</p></div></div></td>
1056<td><div class="exampleContainer expandable">
1057<div class="example"><pre>
1058#include &lt;vector&gt;
1059
1060int test() {
1061  std::vector&lt;int&gt; v;
1062  return *v.end(); // warn
1063}
1064</pre></div></div></td>
1065<td class="aligned"></td></tr>
1066
1067
1068<tr><td><div class="namedescr expandable"><span class="name">
1069undefbehavior.QsortNonPODNonTrivial</span><span class="lang">
1070(C++)</span><div class="descr">
1071C++03: Undefined behavior: the objects in the array passed to qsort are of
1072non-POD type.<br>
1073C++11: Undefined behavior: the objects in the array passed to qsort are of
1074non-trivial type.
1075<p>Source: C++03 25.4p4; C++11 25.5p4.</p></div></div></td>
1076<td><div class="exampleContainer expandable">
1077<div class="example"><pre>
1078// C++03
1079#include &lt;cstdlib&gt;
1080
1081
1082struct non_POD {
1083  non_POD();
1084};
1085
1086non_POD values[] = { non_POD(), non_POD() };
1087
1088int compare(const void *a, const void *b);
1089
1090void test() {
1091  qsort(values, 2, sizeof(non_POD), compare); // warn
1092}
1093</pre></div>
1094<div class="example"><pre>
1095// C++11
1096#include &lt;cstdlib&gt;
1097
1098struct S {};
1099
1100struct trivial_non_POD : public S {
1101  int i;
1102};
1103
1104struct non_trivial {
1105  int i;
1106  non_trivial();
1107};
1108
1109trivial_non_POD tnp[2];
1110non_trivial nt[2];
1111
1112int compare1(const void *a, const void *b);
1113
1114int compare2(const void *a, const void *b);
1115
1116void test() {
1117  qsort(tnp, 2, sizeof(trivial_non_POD), compare1); // ok
1118  qsort(nt, 2, sizeof(non_trivial), compare2); // warn
1119}
1120</pre></div></div></td>
1121<td class="aligned"></td></tr>
1122
1123
1124<tr><td><div class="namedescr expandable"><span class="name">
1125undefbehavior.ThrowWhileCopy</span><span class="lang">
1126(C++)</span><div class="descr">
1127Undefined behavior: copy constructor/assignment operator can throw an exception.
1128The effects are undefined if an exception is thrown.</div></div></td>
1129<td><div class="exampleContainer expandable">
1130<div class="example"><pre>
1131class C {
1132public:
1133  int i, j;
1134  C (const C &amp;c) {
1135    i = c.i;
1136    throw 1; // warn
1137    j = c.j;
1138  };
1139};
1140</pre></div>
1141<div class="example"><pre>
1142class C {
1143public:
1144  int i, j;
1145  C &amp;operator=(const C &amp;c) {
1146    i = c.i;
1147    throw 1; // warn
1148    j = c.j;
1149  };
1150};
1151</pre></div></div></td>
1152<td class="aligned"></td></tr>
1153
1154
1155<tr><td><div class="namedescr expandable"><span class="name">
1156undefbehavior.ValarrayArgBound</span><span class="lang">
1157(C++)</span><div class="descr">
1158Undefined behavior: the value of the <code><i>n</i></code> argument passed
1159to <code>valarray</code> constructor is greater than the number of values
1160pointed to by the first argument (source).
1161<p>Source: C++03 26.3.2.1p4; C++11 26.6.2.2p4.</p></div></div></td>
1162<td><div class="exampleContainer expandable">
1163<div class="example"><pre>
1164#include &lt;valarray&gt;
1165
1166struct S {
1167  int i;
1168  S(int ii) : i(ii) {};
1169};
1170
1171void test(void) {
1172  S s[] = { S(1), S(2) };
1173  std::valarray&lt;S&gt; v(s,3); // warn
1174}
1175</pre></div></div></td>
1176<td class="aligned"></td></tr>
1177
1178
1179<tr><td><div class="namedescr expandable"><span class="name">
1180undefbehavior.ValarrayLengthDiffer</span><span class="lang">
1181(C++)</span><div class="descr">
1182Undefined behavior: <code>valarray</code> operands are of different length.
1183<p>Source: C++03 26.3.2.2p1, 26.3.2.6p3, 26.3.3.1p3, 26.3.3.2p3;
1184C++11 defined (26.6.2.3p1), 26.6.2.7p3, 26.6.3.1p3,
118526.6.3.2p3.</p></div></div></td>
1186<td><div class="exampleContainer expandable">
1187<div class="example"><pre>
1188// C++03
1189#include &lt;valarray&gt;
1190
1191void test(void) {
1192  std::valarray&lt;int&gt; a(0, 1), b(0, 2);
1193  a = b; // warn
1194  b.resize(1);
1195  a = b; // ok
1196}
1197</pre></div>
1198<div class="example"><pre>
1199// C++03, C++11
1200#include &lt;valarray&gt;
1201
1202void test(void) {
1203  std::valarray&lt;int&gt; a(0, 1), b(0, 2);
1204  a *= b; // warn
1205}
1206</pre></div>
1207<div class="example"><pre>
1208// C++03, C++11
1209#include &lt;valarray&gt;
1210
1211void test(void) {
1212  std::valarray&lt;int&gt; a(0, 1), b(0, 2);
1213  a = a + b; // warn
1214}
1215</pre></div>
1216<div class="example"><pre>
1217// C++03, C++11
1218#include &lt;valarray&gt;
1219
1220void test(void) {
1221  std::valarray&lt;int&gt; a(0, 1), b(0, 2);
1222  std::valarray&lt;bool&gt; c(false, 1);
1223  c = a == b; // warn
1224}
1225</pre></div></div></td>
1226<td class="aligned"></td></tr>
1227
1228
1229<tr><td><div class="namedescr expandable"><span class="name">
1230undefbehavior.ValarrayZeroLength</span><span class="lang">
1231(C++)</span><div class="descr">
1232Undefined behavior: calling <code>sum()</code>/<code>min()</code>/<code>
1233max()</code> methods of a zero length <code>valarray<code> the behavior is
1234undefined.
1235<p>Source: C++03 26.3.2.7p2, p3, p4; C++11 26.6.2.8p5, p6,
1236p7.</p></div></div></td>
1237<td><div class="exampleContainer expandable">
1238<div class="example"><pre>
1239#include &lt;valarray&gt;
1240
1241void test(void) {
1242  std::valarray&lt;int&gt; v(0, 0);
1243  v.sum(); // warn
1244}
1245</pre></div></div></td>
1246<td class="aligned"></td></tr>
1247
1248
1249<tr><td><div class="namedescr expandable"><span class="name">
1250undefbehavior.ValarrayBadIndirection</span><span class="lang">
1251(C++)</span><div class="descr">
1252Undefined behavior: element is specified more than once in an indirection.
1253<p>Source: C++03 26.3.9.2p2, 26.3.9.3p2; C++11 26.6.9.2p2,
125426.6.9.3p2.</p></div></div></td>
1255<td><div class="exampleContainer expandable">
1256<div class="example"><pre>
1257#include &lt;valarray&gt;
1258
1259void test() {
1260  // '1' is specified more then once
1261  size_t addr[] = {0, 1, 1};
1262  std::valarray&lt;size_t&gt;indirect(addr, 3);
1263  std::valarray&lt;int&gt; a(0, 5), b(1, 3);
1264  a[indirect] = b; //warn
1265}
1266</pre></div>
1267<div class="example"><pre>
1268#include &lt;valarray&gt;
1269
1270void test() {
1271  // '1' is specified more then once
1272  size_t addr[] = {0, 1, 1};
1273  std::valarray&lt;size_t&gt;indirect(addr, 3);
1274  std::valarray&lt;int&gt; a(0, 5), b(1, 3);
1275  a[indirect] *= b; //warn
1276}
1277</pre></div></div></td>
1278<td class="aligned"></td></tr>
1279
1280
1281<tr><td><div class="namedescr expandable"><span class="name">
1282undefbehavior.IosBaseDestroyedBeforeInit</span><span class="lang">
1283(C++)</span><div class="descr">
1284Undefined behavior: <code>ios_base</code> object is destroyed before
1285initialization have taken place. <code>basic_ios::init</code> should be call to
1286initialize <code>ios_base</code> members.
1287<p>Source: C++03 27.4.2.7p1, 27.4.4.1p2; C++11 27.5.3.7p1,
128827.5.5.2p2.</p></div></div></td>
1289<td><div class="exampleContainer expandable">
1290<div class="example"><pre>
1291#include &lt;ios&gt;
1292
1293using namespace std;
1294template &lt;class T, class Traits = std::char_traits&lt;T&gt; &gt;
1295class my_stream1 : public std::basic_ios&lt;T, Traits&gt; {
1296};
1297
1298template &lt;class T, class Traits = std::char_traits&lt;T&gt; &gt;
1299class my_stream2 : public std::basic_ios&lt;T, Traits&gt; {
1300  class my_streambuf
1301  : public std::basic_streambuf&lt;T, Traits&gt; {
1302  };
1303public:
1304  my_stream2() {
1305    this->init(new my_streambuf);
1306  }
1307};
1308
1309void test() {
1310  my_stream1&lt;char&gt; *p1 = new my_stream1&lt;char&gt;;
1311  my_stream2&lt;char&gt; *p2 = new my_stream2&lt;char&gt;;
1312  delete p1; // warn
1313  delete p2; // ok
1314}
1315</pre></div></div></td>
1316<td class="aligned"></td></tr>
1317
1318
1319<tr><td><div class="namedescr expandable"><span class="name">
1320undefbehavior.IosBaseUsedBeforeInit</span><span class="lang">
1321(C++11)</span><div class="descr">
1322Undefined behavior: <code>ios_base</code> object is used before initialization
1323have taken place. <code>basic_ios::init</code> should be call to
1324initialize <code>ios_base</code> members.
1325<p>Source: C++11 27.5.3.7p1, 27.5.5.2p2.</p></div></div></td>
1326<td><div class="exampleContainer expandable">
1327<div class="example"><pre>
1328#include &lt;ios&gt;
1329
1330using namespace std;
1331template &lt;class T, class Traits = std::char_traits&lt;T&gt; &gt;
1332class my_stream1 : public std::basic_ios&lt;T, Traits&gt; {
1333};
1334
1335template &lt;class T, class Traits = std::char_traits&lt;T&gt; &gt;
1336class my_stream2 : public std::basic_ios&lt;T, Traits&gt; {
1337  class my_streambuf
1338  : public std::basic_streambuf&lt;T, Traits&gt; {
1339  };
1340public:
1341  my_stream2() {
1342    this->init(new my_streambuf);
1343  }
1344};
1345
1346void test() {
1347  my_stream1&lt;char&gt; *p1 = new my_stream1&lt;char&gt;;
1348  my_stream2&lt;char&gt; *p2 = new my_stream2&lt;char&gt;;
1349  p1->narrow('a', 'b'); // warn
1350  p2->narrow('a', 'b'); // ok
1351}
1352</pre></div></div></td>
1353<td class="aligned"></td></tr>
1354
1355
1356<tr><td><div class="namedescr expandable"><span class="name">
1357undefbehavior.MinusOnePosType</span><span class="lang">
1358(C++)</span><div class="descr">
1359Undefined behavior: passing -1 to any <code>streambuf</code>/<code>
1360istream</code>/<code>ostream</code> member that accepts a value of
1361type <code>traits::pos_type</code> result in undefined behavior.
1362<p>Source: C++03 27.4.3.2p3; C++11 27.5.4.2p3.</p></div></div></td>
1363<td><div class="exampleContainer expandable">
1364<div class="example"><pre>
1365#include &lt;fstream&gt;
1366
1367class my_streambuf : public std::streambuf {
1368  void f() {
1369    seekpos(-1); // warn
1370  }
1371};
1372</pre></div>
1373<div class="example"><pre>
1374#include &lt;fstream&gt;
1375
1376void test() {
1377  std::filebuf fb;
1378  std::istream in(&amp;fb);
1379  std::filebuf::off_type pos(-1);
1380  in.seekg(pos); // warn
1381}
1382</pre></div></div></td>
1383<td class="aligned"></td></tr>
1384
1385</table>
1386
1387<!-- ============================ different ================================ -->
1388<h3>different</h3>
1389<table class="checkers">
1390<col class="namedescr"><col class="example"><col class="progress">
1391<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr>
1392</thead>
1393
1394<tr><td><div class="namedescr expandable"><span class="name">
1395different.SuccessiveAssign</span><span class="lang">
1396(C)</span><div class="descr">
1397Successive assign to a variable.</div></div></td>
1398<td><div class="exampleContainer expandable">
1399<div class="example"><pre>
1400int test() {
1401  int i;
1402  i=1;
1403  i=2; // warn
1404  return i;
1405}
1406</pre></div></div></td>
1407<td class="aligned"></td></tr>
1408
1409
1410<tr><td><div class="namedescr expandable"><span class="name">
1411different.NullDerefStmtOrder</span><span class="lang">
1412(C)</span><div class="descr">
1413Dereferencing of the null pointer might take place. Checking the pointer for
1414null should be performed first.
1415<br>Note: possibly an enhancement to <span class="name">
1416core.NullDereference</span>.</div></div></td>
1417<td><div class="exampleContainer expandable">
1418<div class="example"><pre>
1419struct S {
1420  int x;
1421};
1422
1423struct S* f();
1424
1425void test() {
1426  struct S *p1 = f();
1427  int x1 = p1-&gt;x; // warn
1428  if (p1) {};
1429
1430  struct S *p2 = f();
1431  int x2 = p2-&gt;x; // ok
1432}
1433</pre></div></div></td>
1434<td class="aligned"></td></tr>
1435
1436
1437<tr><td><div class="namedescr expandable"><span class="name">
1438different.NullDerefCondOrder</span><span class="lang">
1439(C)</span><div class="descr">
1440Dereferencing of the null pointer might take place. Checking the pointer for
1441null should be performed first.
1442<br>Note: possibly an enhancement to <span class="name">
1443core.NullDereference</span>.</div></div></td>
1444<td><div class="exampleContainer expandable">
1445<div class="example"><pre>
1446struct S {int i;};
1447
1448struct S* f();
1449
1450void test() {
1451  struct S *p = f();
1452  if (p-&gt;i && p) {}; // warn
1453}
1454</pre></div></div></td>
1455<td class="aligned"></td></tr>
1456
1457
1458<tr><td><div class="namedescr expandable"><span class="name">
1459different.MultipleAccessors</span><span class="lang">
1460(C++)</span><div class="descr">
1461Identical accessor bodies. Possibly a misprint.</div></div></td>
1462<td><div class="exampleContainer expandable">
1463<div class="example"><pre>
1464class A {
1465  int i;
1466  int j;
1467public:
1468  int getI() { return i; }
1469  int getJ() { return i; } // warn
1470};
1471</pre></div>
1472<div class="example"><pre>
1473class A {
1474  int i;
1475  int j;
1476public:
1477  void setI(int& ii) { i = ii; }
1478  void setJ(int& jj) { i = jj; } // warn
1479};
1480</pre></div></div></td>
1481<td class="aligned"></td></tr>
1482
1483
1484<tr><td><div class="namedescr expandable"><span class="name">
1485different.AccessorsForPublic</span><span class="lang">
1486(C++)</span><div class="descr">
1487Accessors exist for a public class field. Should this field really be
1488public?</div></div></td>
1489<td><div class="exampleContainer expandable">
1490<div class="example"><pre>
1491class A {
1492public:
1493  int i; // warn
1494  int getI() { return i; }
1495  void setI(int& ii) { i = ii; }
1496};
1497</pre></div></div></td>
1498<td class="aligned"></td></tr>
1499
1500
1501<tr><td><div class="namedescr expandable"><span class="name">
1502different.LibFuncResultUnised</span><span class="lang">
1503(C, C++)</span><div class="descr">
1504Calling a function ignoring its return value is of no use (create the list of
1505known system/library/API functions falling into this category).</div></div></td>
1506<td><div class="exampleContainer expandable">
1507<div class="example"><pre>
1508#include &lt;vector&gt;
1509
1510void test() {
1511  std::vector&lt;int&gt; v;
1512  v.empty(); // warn
1513}
1514</pre></div></div></td>
1515<td class="aligned"></td></tr>
1516
1517
1518<tr><td><div class="namedescr expandable"><span class="name">
1519different.WrongVarForStmt</span><span class="lang">
1520(C, C++)</span><div class="descr">
1521Wrong variable is possibly used in the loop/cond-expression of
1522the <code>for</code> statement. Did you mean
1523'proper_variable_name'?</div></div></td>
1524<td><div class="exampleContainer expandable">
1525<div class="example"><pre>
1526void test() {
1527  int i = 0;
1528  int j = 0;
1529  for (i = 0; i < 3; j += 1); // warn
1530}
1531</pre></div>
1532<div class="example"><pre>
1533void test() {
1534  int i = 0;
1535  int j = 0;
1536  for (int j = 0; i < 3; ++j); // warn
1537}
1538</pre></div></div></td>
1539<td class="aligned"></td></tr>
1540
1541
1542<tr><td><div class="namedescr expandable"><span class="name">
1543different.FloatingCompare</span><span class="lang">
1544(C)</span><div class="descr">
1545Comparing floating point numbers may be not precise.</div></div></td>
1546<td><div class="exampleContainer expandable">
1547<div class="example"><pre>
1548#include &lt;math.h&gt;
1549
1550double test() {
1551  double b = sin(M_PI / 6.0);
1552  if (b == 0.5) // warn
1553    b = 0;
1554  return b;
1555}
1556</pre></div></div></td>
1557<td class="aligned"></td></tr>
1558
1559
1560<tr><td><div class="namedescr expandable"><span class="name">
1561different.BitwiseOpBoolArg</span><span class="lang">
1562(C, C++)</span><div class="descr">
1563Boolean value met at the left/right part of the bitwise <code>&amp;</code>
1564or <code>|</code> operator.
1565Did you mean <code>&amp;&amp;</code> (<code>||</code>) ?</div></div></td>
1566<td><div class="exampleContainer expandable">
1567<div class="example"><pre>
1568int f();
1569
1570void test() {
1571  bool b = true;
1572  if (b &amp; f()) {} // warn
1573}
1574</pre></div></div></td>
1575<td class="aligned"></td></tr>
1576
1577
1578<tr><td><div class="namedescr expandable"><span class="name">
1579different.LabelInsideSwitch</span><span class="lang">
1580(C)</span><div class="descr">
1581Possibly a misprint: label found inside a <code>switch()</code>
1582statement.</div></div></td>
1583<td><div class="exampleContainer expandable">
1584<div class="example"><pre>
1585void test(int c) {
1586  switch(c){
1587  case 1:
1588    c += 1; break;
1589  defalt: // warn (did you mean 'default'?)
1590    c -= 1; break;
1591  }
1592}
1593</pre></div></div></td>
1594<td class="aligned"></td></tr>
1595
1596
1597<tr><td><div class="namedescr expandable"><span class="name">
1598different.IdenticalCondIfIf</span><span class="lang">
1599(C)</span><div class="descr">
1600The conditions of two subsequent <code>if</code> statements are
1601identical.</div></div></td>
1602<td><div class="exampleContainer expandable">
1603<div class="example"><pre>
1604int test(int c) {
1605  if (c &gt; 5)
1606    c += 1;
1607  if (c &gt; 5) // warn
1608    c -= 1;
1609  return c;
1610}
1611</pre></div></div></td>
1612<td class="aligned"></td></tr>
1613
1614
1615<tr><td><div class="namedescr expandable"><span class="name">
1616different.LogicalOpUselessArg</span><span class="lang">
1617(C)</span><div class="descr">
1618The second operand of a <code>&amp;&amp;</code> operator has no impact on
1619expression result.</div></div></td>
1620<td><div class="exampleContainer expandable">
1621<div class="example"><pre>
1622void test(unsigned a) {
1623  if (a&lt;7 &amp;&amp; a&lt;10) {}; // warn
1624}
1625</pre></div></div></td>
1626<td class="aligned"></td></tr>
1627
1628
1629<tr><td><div class="namedescr expandable"><span class="name">
1630different.SameResLogicalExpr</span><span class="lang">
1631(C)</span><div class="descr">
1632An expression is always evaluated to true/false.</div></div></td>
1633<td><div class="exampleContainer expandable">
1634<div class="example"><pre>
1635void test() {
1636  int i = 0;
1637  if (i != 0) {}; // warn
1638}
1639</pre></div>
1640<div class="example"><pre>
1641void test(int i) {
1642  if (i == 0 &amp;&amp; i == 1) {}; // warn
1643}
1644</pre></div>
1645<div class="example"><pre>
1646void test(int i) {
1647  if (i < 0 || i >= 0) {}; // warn
1648}
1649</pre></div></div></td>
1650<td class="aligned"></td></tr>
1651
1652
1653<tr><td><div class="namedescr expandable"><span class="name">
1654different.OpPrecedenceAssignCmp</span><span class="lang">
1655(C, C++)</span><div class="descr">
1656Comparison operation has higher precedence then assignment. Boolean value is
1657assigned to a variable of other type. Parenthesis may bee required around an
1658assignment.</div></div></td>
1659<td><div class="exampleContainer expandable">
1660<div class="example"><pre>
1661int f();
1662
1663void test(int x, int y) {
1664  bool b;
1665  if((b = x != y)) {} // ok
1666  if((x = f() != y)) {} // warn
1667}
1668</pre></div></div></td>
1669<td class="aligned"></td></tr>
1670
1671
1672<tr><td><div class="namedescr expandable"><span class="name">
1673different.OpPrecedenceIifShift</span><span class="lang">
1674(C, C++)</span><div class="descr">
1675<code>?:</code> has lower precedence then <code>&lt;&lt;</code>.
1676<p>Source: Stephen C. Dewhurst "C++ Gotchas: Avoiding Common Problems in Coding
1677and Design", advise 15.</p></div></div></td>
1678<td><div class="exampleContainer expandable">
1679<div class="example"><pre>
1680#include &lt;iostream&gt;
1681
1682void test(int a) {
1683  std::cout &lt;&lt; a ? "a" : "b"; // warn
1684}
1685</pre></div>
1686<div class="example"><pre>
1687void test(int a) {
1688  a &lt;&lt; a &gt; 7 ? 1 : 2; // warn
1689}
1690</pre></div></div></td>
1691<td class="aligned"></td></tr>
1692
1693
1694<tr><td><div class="namedescr expandable"><span class="name">
1695different.ObjectUnused</span><span class="lang">
1696(C++)</span><div class="descr">
1697The object was created but is not being used.</div></div></td>
1698<td><div class="exampleContainer expandable">
1699<div class="example"><pre>
1700struct S {
1701  int x, y;
1702  S(int xx, int yy) : x(xx), y(yy) {}
1703  S(int xx) {
1704    S(xx, 0); // warn
1705  }
1706};
1707</pre></div>
1708<div class="example"><pre>
1709#include &lt;exception&gt;
1710
1711void test() {
1712  std::exception();
1713    // warn (did you mean 'throw std::exception()'?)
1714}
1715</pre></div></div></td>
1716<td class="aligned"></td></tr>
1717
1718
1719<tr><td><div class="namedescr expandable"><span class="name">
1720different.StaticArrayPtrCompare</span><span class="lang">
1721(C)</span><div class="descr">
1722Pointer to static array is being compared to NULL. May the subscripting is
1723missing.</div></div></td>
1724<td><div class="exampleContainer expandable">
1725<div class="example"><pre>
1726void test() {
1727  int a[1][1];
1728  if (a[0] == 0) {}; // warn
1729}
1730</pre></div></div></td>
1731<td class="aligned"></td></tr>
1732
1733
1734<tr><td><div class="namedescr expandable"><span class="name">
1735different.ConversionToBool</span><span class="lang">
1736(C, C++)</span><div class="descr">
1737Odd implicit conversion to boolean.
1738<br>Note: possibly merge with <span class="name">
1739alpha.core.BoolAssignment</span>.</div></div></td>
1740<td><div class="exampleContainer expandable">
1741<div class="example"><pre>
1742bool test() {
1743  return 1.; // warn
1744}
1745</pre></div>
1746<div class="example"><pre>
1747bool test() {
1748  return ""; // warn
1749}
1750</pre></div></div></td>
1751<td class="aligned"></td></tr>
1752
1753
1754<tr><td><div class="namedescr expandable"><span class="name">
1755different.ArrayBound</span><span class="lang">
1756(C++)</span><div class="descr">
1757Out-of-bound dynamic array access.
1758<br>Note: possibly an enhancement to <span class="name">
1759alpha.security.ArrayBoundV2</span>.</div></div></td>
1760<td><div class="exampleContainer expandable">
1761<div class="example"><pre>
1762void test() {
1763  int *p = new int[1];
1764  int i = 1;
1765  if(p[i]) {}; // warn
1766  delete[] p;
1767}
1768</pre></div></div></td>
1769<td class="aligned"></td></tr>
1770
1771
1772<tr><td><div class="namedescr expandable"><span class="name">
1773different.StrcpyInputSize</span><span class="lang">
1774(C)</span><div class="descr">
1775Buffer copy without checking the size of input.
1776<br>Note: possibly an enhancement to <span class="name">
1777alpha.unix.cstring.OutOfBounds</span>.</div></div></td>
1778<td><div class="exampleContainer expandable">
1779<div class="example"><pre>
1780void test(char* string) {
1781  char buf[24];
1782  strcpy(buf, string); // warn
1783}
1784</pre></div></div></td>
1785<td class="aligned"></td></tr>
1786
1787
1788<tr><td><div class="namedescr expandable"><span class="name">
1789different.IntegerOverflow</span><span class="lang">
1790(C)</span><div class="descr">
1791Integer overflow.
1792<br>Note: partially handled by Clang core
1793(search for 'overflow in expression' warning in Clang tests).
1794<p>Source: <a href="http://cwe.mitre.org/data/definitions/190.html">
1795CWE-190</a>.</p></div></div></td>
1796<td><div class="exampleContainer expandable">
1797<div class="example"><pre>
1798#include &lt;limits.h&gt;
1799
1800int f(int x);
1801
1802void test() {
1803  f(INT_MAX + 1); // warn
1804}
1805</pre></div>
1806<div class="example"><pre>
1807#include &lt;limits.h&gt;
1808
1809int test() {
1810  int x = INT_MAX / 2 + 1;
1811  return x * 2; // warn
1812}
1813</pre></div></div></td>
1814<td class="aligned"></td></tr>
1815
1816
1817<tr><td><div class="namedescr expandable"><span class="name">
1818different.SignExtension</span><span class="lang">
1819(C)</span><div class="descr">
1820Unexpected sign extension might take place.
1821<p>Source: <a href="http://cwe.mitre.org/data/definitions/194.html">
1822CWE-194</a>.</p></div></div></td>
1823<td><div class="exampleContainer expandable">
1824<div class="example"><pre>
1825unsigned long long test(long long sll) {
1826  unsigned long long ull = sll; // warn
1827  return ull;
1828}
1829</pre></div>
1830<div class="example"><pre>
1831void f(unsigned int i);
1832
1833void test(int si) {
1834  f(si); // warn
1835}
1836</pre></div>
1837<div class="example"><pre>
1838unsigned int test(int i) {
1839  return i;
1840}
1841</pre></div></div></td>
1842<td class="aligned"></td></tr>
1843
1844
1845<tr><td><div class="namedescr expandable"><span class="name">
1846different.NumericTruncation</span><span class="lang">
1847(C)</span><div class="descr">
1848Numeric truncation might take place.
1849<p>Source: <a href="http://cwe.mitre.org/data/definitions/197.html">
1850CWE-197</a>.</p></div></div></td>
1851<td><div class="exampleContainer expandable">
1852<div class="example"><pre>
1853unsigned long test(unsigned long long ull) {
1854  unsigned long ul = ull; // warn
1855  return ul;
1856}
1857</pre></div>
1858<div class="example"><pre>
1859void f(int i);
1860
1861void test(long long sll) {
1862  f(sll); // warn
1863}
1864</pre></div>
1865<div class="example"><pre>
1866int f();
1867
1868short test(long long sll) {
1869  short ss = f();
1870  return ss;
1871}
1872</pre></div></div></td>
1873<td class="aligned"></td></tr>
1874
1875
1876<tr><td><div class="namedescr expandable"><span class="name">
1877different.MissingCopyCtorAssignOp</span><span class="lang">
1878(C++)</span><div class="descr">
1879A class has dynamically allocated data members but do not define a copy
1880constructor/assignment operator.
1881<p>Source: Scott Meyers "Effective C++", item 11: Prevent exceptions from
1882leaving destructors.</p></div></div></td>
1883<td><div class="exampleContainer expandable">
1884<div class="example"><pre>
1885class C {
1886  int *p; // warn
1887public:
1888  C() { p = new int; }
1889  ~C() { delete p; }
1890};
1891</pre></div></div></td>
1892<td class="aligned"></td></tr>
1893
1894</table>
1895
1896<!-- ============================ WinAPI =================================== -->
1897<h3>WinAPI</h3>
1898<table class="checkers">
1899<col class="namedescr"><col class="example"><col class="progress">
1900<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead>
1901
1902<tr><td><div class="namedescr expandable"><span class="name">
1903WinAPI.CreateProcess</span><span class="lang">
1904(C)</span><div class="descr">
1905<code>CreateProcess()</code>: if the first parameter <code><i>
1906lpApplicationName</i></code> is NULL then the executable name must be in the
1907white space-delimited string pointed to by <code><i>lpCommandLine</code></i>.
1908If the executable or path name has a space in it, there is a risk that a
1909different executable could be run because of the way the function parses
1910spaces.
1911<p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx">
1912MSDN: CreateProcess function, Security Remarks</a>.</p></div></div></td>
1913<td><div class="exampleContainer expandable">
1914<div class="example"><pre>
1915#include &lt;windows.h&gt;
1916
1917void test() {
1918  STARTUPINFO si;
1919  PROCESS_INFORMATION pi;
1920  CreateProcess(NULL, TEXT("C:\\Program Files\\App -L -S"),
1921                NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
1922    // warn
1923}
1924</pre></div></div></td>
1925<td class="aligned"></td></tr>
1926
1927
1928<tr><td><div class="namedescr expandable"><span class="name">
1929WinAPI.LoadLibrary</span><span class="lang">
1930(C)</span><div class="descr">
1931The <code>SearchPath()</code> function is used to retrieve a path to a DLL for
1932a subsequent <code>LoadLibrary()</code> call.
1933<p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684175%28v=vs.85%29.aspx">
1934MSDN: LoadLibrary function, Security Remarks</a>.</p></div></div></td>
1935<td><div class="exampleContainer expandable">
1936<div class="example"><pre>
1937#include &lt;windows.h&gt;
1938
1939HINSTANCE test() {
1940  char filePath[100];
1941  SearchPath(NULL, "file.dll", NULL, 100, filePath, NULL);
1942  return LoadLibrary(filePath); // warn
1943}
1944</pre></div></div></td>
1945<td class="aligned"></td></tr>
1946
1947
1948<tr><td><div class="namedescr expandable"><span class="name">
1949WinAPI.WideCharToMultiByte</span><span class="lang">
1950(C)</span><div class="descr">
1951Buffer overrun while calling <code>WideCharToMultiByte()</code>. The size of
1952the input buffer equals the number of characters in the Unicode string, while
1953the size of the output buffer equals the number of bytes.
1954<p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/dd374130%28v=vs.85%29.aspx">
1955MSDN: WideCharToMultiByte function</a>.</p></div></div></td>
1956<td><div class="exampleContainer expandable">
1957<div class="example"><pre>
1958#include &lt;windows.h&gt;
1959
1960void test() {
1961  wchar_t ws[] = L"abc";
1962  char s[3];
1963  WideCharToMultiByte(CP_UTF8, 0, ws, -1, s,
1964                      3, NULL, NULL); // warn
1965}
1966</pre></div></div></td>
1967<td class="aligned"></td></tr>
1968
1969
1970</table>
1971
1972<!-- =========================== optimization ============================== -->
1973<h3>optimization</h3>
1974<table class="checkers">
1975<col class="namedescr"><col class="example"><col class="progress">
1976<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead>
1977
1978<tr><td><div class="namedescr expandable"><span class="name">
1979optimization.PassConstObjByValue</span><span class="lang">
1980(C, C++)</span><div class="descr">
1981Optimization: It is more effective to pass constant parameter by reference to
1982avoid unnecessary object copying.</div></div></td>
1983<td><div class="exampleContainer expandable">
1984<div class="example"><pre>
1985struct A {};
1986
1987void f(const struct A a); // warn
1988</pre></div></div></td>
1989<td class="aligned"></td></tr>
1990
1991
1992<tr><td><div class="namedescr expandable"><span class="name">
1993optimization.PostfixIncIter</span><span class="lang">
1994(C++)</span><div class="descr">
1995Optimization: It is more effective to use prefix increment operator with
1996iterator.
1997<p>Source: Scott Meyers "More Effective C++", item 6:
1998Distinguish between prefix and postfix forms of increment and decrement
1999operators.</p></div></div></td>
2000<td><div class="exampleContainer expandable">
2001<div class="example"><pre>
2002#include &lt;vector&gt;
2003
2004void test() {
2005  std::vector&lt;int&gt; v;
2006  std::vector&lt;int&gt;::const_iterator it;
2007  for(it = v.begin();
2008      it != v.end(); it++) {}; // warn
2009}
2010</pre></div></div></td>
2011<td class="aligned"></td></tr>
2012
2013
2014<tr><td><div class="namedescr expandable"><span class="name">
2015optimization.MultipleCallsStrlen</span><span class="lang">
2016(C)</span><div class="descr">
2017Optimization: multiple calls to <code>strlen()</code> for a string in an
2018expression. It is more effective to hold a value returned
2019from <code>strlen()</code> in a temporary variable.</div></div></td>
2020<td><div class="exampleContainer expandable">
2021<div class="example"><pre>
2022#include &lt;string.h&gt;
2023
2024void test(const char* s) {
2025  if (strlen(s) &gt; 0 &amp;&amp;
2026      strlen(s) &lt; 7) {}; // warn
2027}
2028</pre></div></div></td>
2029<td class="aligned"></td></tr>
2030
2031
2032<tr><td><div class="namedescr expandable"><span class="name">
2033optimization.StrLengthCalculation</span><span class="lang">
2034(C++)</span><div class="descr">
2035Optimization: it is more efficient to use <code>string::length()</code> to
2036calculate the length of an <code>std::string</code>.</div></div></td>
2037<td><div class="exampleContainer expandable">
2038<div class="example"><pre>
2039#include &lt;string&gt;
2040#include &lt;string.h&gt;
2041
2042void test() {
2043  std::string s;
2044  if (strlen(s.c_str()) != 0) {}; // warn
2045}
2046</pre></div></div></td>
2047<td class="aligned"></td></tr>
2048
2049
2050<tr><td><div class="namedescr expandable"><span class="name">
2051optimization.EmptyContainerDetect</span><span class="lang">
2052(C++)</span><div class="descr">
2053Optimization: It is more efficient to use containers <code>empty()</code>
2054method to identify an empty container.</div></div></td>
2055<td><div class="exampleContainer expandable">
2056<div class="example"><pre>
2057#include &lt;list&gt;
2058
2059void test() {
2060  std::list&lt;int&gt; l;
2061  if (l.size() != 0) {}; // warn
2062}
2063</pre></div></div></td>
2064<td class="aligned"></td></tr>
2065
2066
2067</table>
2068
2069<br>
2070</div> <!-- page -->
2071</div> <!-- content -->
2072</body>
2073</html>
2074