1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 2 "http://www.w3.org/TR/html4/strict.dtd"> 3<html> 4<head> 5 <title>List of potential checkers</title> 6 <link type="text/css" rel="stylesheet" href="content.css"> 7 <link type="text/css" rel="stylesheet" href="menu.css"> 8 <script type="text/javascript" src="scripts/expandcollapse.js"></script> 9 <script type="text/javascript" src="scripts/menu.js"></script> 10</head> 11<body onload="initExpandCollapse()"> 12 13<div id="page"> 14 15<!-- menu --> 16<!--#include virtual="menu.html.incl"--> 17<!-- page content --> 18<div id="content"> 19<h1>List of potential checkers</h1> 20 21<p>This page contains a list of potential checkers to implement in the static analyzer. If you are interested in contributing to the analyzer's development, this is a good resource to help you get started. The specific names of the checkers are subject to review, and are provided here as suggestions.</p> 22 23<!-- ========================= allocation/deallocation ======================= --> 24<h3>memory</h3> 25<table class="checkers"> 26<col class="namedescr"><col class="example"><col class="progress"> 27<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 28 29<tr><td><div class="namedescr expandable"><span class="name"> 30memory.LeakEvalOrder</span><span class="lang"> 31(C, C++)</span><div class="descr"> 32Potential memory leaks caused by an undefined argument evaluation order. 33<p>Source: <a href="https://www.boost.org/doc/libs/1_49_0/libs/smart_ptr/shared_ptr.htm#BestPractices"> 34boost docs: shared_ptr</a>.</p></div></div></td> 35<td><div class="exampleContainer expandable"> 36<div class="example"><pre> 37void f(int, int); 38int g(void *); 39int h() __attribute__((noreturn)); 40 41void test() { 42 // It is possible that 'malloc(1)' is called first, 43 // then 'h()', that is (or calls) noreturn and eventually 44 // 'g()' is never called. 45 f(g(malloc(1)), h()); // warn: 'g()' may never be called. 46} 47</pre></div> 48<div class="example"><pre> 49void f(int, int); 50int g(int *); 51int h() { throw 1; }; 52 53void test() { 54 // It is possible that 'new int' is called first, 55 // then 'h()', that throws an exception and eventually 56 // 'g()' is never called. 57 f(g(new int), h()); // warn: 'g()' may never be called. 58} 59</pre></div></div></td> 60<td class="aligned"></td></tr> 61 62 63<tr><td><div class="namedescr expandable"><span class="name"> 64memory.DstBufferTooSmall</span><span class="lang"> 65(C, C++)</span><div class="descr"> 66Destination buffer passed to memory function is too small. 67<br>Note: <span class="name">security.insecureAPI.strcpy</span> currently warns 68on usage of <code>strcpy</code> and suggests to replace it. 69<br>Note: <span class="name">alpha.unix.CStringChecker</span> contains some similar checks. 70<p>Source: <a href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>.</p></div></div></td> 71<td><div class="exampleContainer expandable"> 72<div class="example"><pre> 73void test() { 74 const char* s1 = "abc"; 75 char *s2 = new char; 76 strcpy(s2, s1); // warn 77} 78</pre></div> 79<div class="example"><pre> 80void test() { 81 int* p1 = new int[3]; 82 int* p2 = new int; 83 memcpy(p2, p1, 3); // warn 84} 85</pre></div></div></td> 86<td class="aligned"></td></tr> 87 88 89<tr><td><div class="namedescr expandable"><span class="name"> 90memory.NegativeArraySize</span><span class="lang"> 91(C, C++)</span><div class="descr"> 92'n' is used to specify the buffer size may be negative. 93<br>Note: possibly an enhancement to <span class="name"> 94alpha.security.MallocOverflow</span>. 95<p>Source: <a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20, 96Example 2</a>.</p></div></div></td> 97<td><div class="exampleContainer expandable"> 98<div class="example"><pre> 99void test() { 100 int *p; 101 int n1 = -1; 102 p = new int[n1]; // warn 103} 104</pre></div></div></td> 105<td class="aligned"></td></tr> 106 107<tr><td><div class="namedescr expandable"><span class="name"> 108memory.ZeroAlloc</span><span class="lang"> 109(C, C++)</span><div class="descr"> 110Allocation of zero bytes. 111<br>Note: an enhancement to <span class="name">unix.Malloc</span>. 112<br>Note: <span class="name">unix.API</span> perform C-checks for zero 113allocation. This should be moved to <span class="name">unix.Malloc</span>. 114<p>Source: C++03 3.7.3.1p2; C++11 3.7.4.1p2.</p></div></div></td> 115<td><div class="exampleContainer expandable"> 116<div class="example"><pre> 117#include <stdlib.h> 118 119void test() { 120 int *p = malloc(0); // warn 121 free(p); 122} 123</pre></div> 124<div class="example"><pre> 125void test() { 126 int *p = new int[0]; // warn 127 delete[] p; 128} 129</pre></div></div></td> 130<td class="aligned"><a href="https://reviews.llvm.org/D6178"> 131D6178</a></td></tr> 132 133</table> 134 135<!-- ======================= constructors/destructors ====================== --> 136<h3>constructors/destructors</h3> 137<table class="checkers"> 138<col class="namedescr"><col class="example"><col class="progress"> 139<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 140 141<tr><td><div class="namedescr expandable"><span class="name"> 142ctordtor.ExptInsideDtor</span><span class="lang"> 143(C++)</span><div class="descr"> 144It is dangerous to let an exception leave a destructor. 145Using <code>try..catch</code> solves the problem. 146<p>Source: Scott Meyers "More Effective C++", item 11: Prevent exceptions from 147leaving destructors.</p></div></div></td> 148<td><div class="exampleContainer expandable"> 149<div class="example"><pre> 150class A { 151 A() {} 152 ~A() { throw 1; } // warn 153}; 154</pre></div> 155<div class="example"><pre> 156void f() throw(int); 157 158class A { 159 A() {} 160 ~A() { f(); } // warn 161}; 162</pre></div></div></td> 163<td class="aligned"></td></tr> 164 165 166<tr><td><div class="namedescr expandable"><span class="name"> 167ctordtor.PlacementSelfCopy</span><span class="lang"> 168(C++11)</span><div class="descr"> 169For a placement copy or move, it is almost certainly an error if the 170constructed object is also the object being copied from.</div></div></td> 171<td><div class="exampleContainer expandable"> 172<div class="example"><pre> 173class A {}; 174 175void test(A *dst, A *src) { 176 ::new (dst) A(*dst); // warn (should be 'src') 177} 178</pre></div></div></td> 179<td class="aligned"><!--rdar://problem/13688366--></td></tr> 180 181</table> 182 183<!-- ============================== exceptions ============================= --> 184<h3>exceptions</h3> 185<table class="checkers"> 186<col class="namedescr"><col class="example"><col class="progress"> 187<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 188 189<tr><td><div class="namedescr expandable"><span class="name"> 190exceptions.ThrowSpecButNotThrow</span><span class="lang"> 191(C++)</span><div class="descr"> 192Function declaration has a <code>throw(<i>type</i>)</code> specifier but the 193function do not throw exceptions.</div></div></td> 194<td><div class="exampleContainer expandable"> 195<div class="example"><pre> 196void test() throw(int) { 197} // warn 198</pre></div></div></td> 199<td class="aligned"></td></tr> 200 201 202<tr><td><div class="namedescr expandable"><span class="name"> 203exceptions.NoThrowSpecButThrows</span><span class="lang"> 204(C++)</span><div class="descr"> 205An exception is throw from a function having a <code>throw()</code> 206specifier.</div></div></td> 207<td><div class="exampleContainer expandable"> 208<div class="example"><pre> 209void test() throw() { 210 throw(1); // warn 211} 212</pre></div></div></td> 213<td class="aligned"></td></tr> 214 215 216<tr><td><div class="namedescr expandable"><span class="name"> 217exceptions.ThrownTypeDiffersSpec</span><span class="lang"> 218(C++)</span><div class="descr"> 219The type of a thrown exception differs from those specified in 220a <code>throw(<i>type</i>)</code> specifier.</div></div></td> 221<td><div class="exampleContainer expandable"> 222<div class="example"><pre> 223struct S{}; 224 225void test() throw(int) { 226 S s; 227 throw (s); // warn 228} 229</pre></div></div></td> 230<td class="aligned"></td></tr> 231 232</table> 233 234<!-- ========================= smart pointers ============================== --> 235<h3>smart pointers</h3> 236<table class="checkers"> 237<col class="namedescr"><col class="example"><col class="progress"> 238<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 239 240<tr><td><div class="namedescr expandable"><span class="name"> 241smartptr.SmartPtrInit</span><span class="lang"> 242(C++)</span><div class="descr"> 243C++03: <code>auto_ptr</code> should store a pointer to an object obtained via 244new as allocated memory will be cleaned using <code>delete</code>.<br> 245C++11: one should use <code>unique_ptr<<i>type</i>[]></code> to keep a 246pointer to memory allocated by <code>new[]</code>.<br> 247C++11: to keep a pointer to memory allocated by <code>new[]</code> in 248a <code>shared_ptr</code> one should use a custom deleter that calls <code> 249delete[].</code>. 250<p>Source: C++03 20.4.5p1; C++11 <code>auto_ptr</code> is deprecated (D.10).</p></div></div></td> 251<td><div class="exampleContainer expandable"> 252<div class="example"><pre> 253#include <stdlib.h> 254#include <memory> 255 256void test() { 257 std::auto_ptr<int> p1(new int); // Ok 258 std::auto_ptr<int> p2(new int[3]); // warn 259} 260</pre></div> 261<div class="example"><pre> 262#include <stdlib.h> 263#include <memory> 264 265void test() { 266 std::auto_ptr<int> p((int *)malloc(sizeof(int))); // warn 267} 268</pre></div></div></td> 269<td class="aligned"></td></tr> 270 271</table> 272 273<!-- ============================== dead code ============================== --> 274<h3>dead code</h3> 275<table class="checkers"> 276<col class="namedescr"><col class="example"><col class="progress"> 277<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 278 279<tr><td><div class="namedescr expandable"><span class="name"> 280deadcode.UnmodifiedVariable</span><span class="lang"> 281(C, C++)</span><div class="descr"> 282A variable is never modified but was not declared const and is not a 283reference.<br><br><i>(opt-in checker)</i></div></div></td> 284<td><div class="exampleContainer expandable"> 285<div class="example"><pre> 286extern int computeDelta(); 287 288int test(bool cond) { 289 int i = 0; 290 if (cond) { 291 const int delta = computeDelta(); 292 // warn: forgot to modify 'i' 293 } 294 return i; 295} 296</pre></div></div></td> 297<td class="aligned"><a href="https://bugs.llvm.org/show_bug.cgi?id=16890">PR16890</a></td></tr> 298 299<tr><td><div class="namedescr expandable"><span class="name"> 300deadcode.IdempotentOperations</span><span class="lang"> 301(C)</span><div class="descr"> 302Warn about idempotent operations.</div></div></td> 303<td><div class="exampleContainer expandable"> 304<div class="example"><pre> 305void test() { 306 int x = 7; 307 x = x; // warn: value is always the same 308} 309</pre></div> 310<div class="example"><pre> 311void test() { 312 int x = 7; 313 x /= x; // warn: value is always 1 314} 315</pre></div> 316<div class="example"><pre> 317void test() { 318 int x = 7, one = 1; 319 x *= one; // warn: right op is always 1 320} 321</pre></div> 322<div class="example"><pre> 323void test() { 324 int x = 7, zero = 0; 325 x = x - zero; 326 // warn: the right operand to '-' is always 0 327} 328</pre></div></div></td> 329<td class="aligned">removed from alpha.deadcode.* at 330<a href="https://reviews.llvm.org/rL198476">r198476</a></td></tr> 331 332</table> 333 334<!-- ================================ POSIX ================================ --> 335<h3>POSIX</h3> 336<table class="checkers"> 337<col class="namedescr"><col class="example"><col class="progress"> 338<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 339 340<tr><td><div class="namedescr expandable"><span class="name"> 341posix.Errno</span><span class="lang"> 342(C)</span><div class="descr"> 343Record that <code>errno</code> is non-zero when certain functions 344fail.</div></div></td> 345<td><div class="exampleContainer expandable"> 346<div class="example"><pre> 347#include <stdlib.h> 348 349int readWrapper(int fd, int *count) { 350 int lcount = read(fd, globalBuf, sizeof(globalBuf)); 351 if (lcount < 0) 352 return errno; 353 *count = lcount; 354 return 0; 355} 356 357void use(int fd) { 358 int count; 359 if (!readWrapper(fd, &count)) 360 print("%d", count); // should not warn 361} 362</pre></div></div></td> 363<td class="aligned"><a href="https://bugs.llvm.org/show_bug.cgi?id=18701">PR18701</a></td></tr> 364 365</table> 366 367<!-- ========================= undefined behavior ========================== --> 368<h3>undefined behavior</h3> 369<table class="checkers"> 370<col class="namedescr"><col class="example"><col class="progress"> 371<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 372 373<tr><td><div class="namedescr expandable"><span class="name"> 374undefbehavior.ExitInDtor</span><span class="lang"> 375(C++)</span><div class="descr"> 376Undefined behavior: <code>std::exit()</code> is called to end the program during 377the destruction of an object with static storage duration. 378<p>Source: C++11 3.6.1p4.</p></div></div></td> 379<td><div class="exampleContainer expandable"> 380<div class="example"><pre> 381#include <cstdlib> 382 383class A { 384public: 385 ~A() { 386 std::exit(1); // warn 387 } 388}; 389</pre></div></div></td> 390<td class="aligned"></td></tr> 391 392 393<tr><td><div class="namedescr expandable"><span class="name"> 394undefbehavior.LocalStaticDestroyed</span><span class="lang"> 395(C++)</span><div class="descr"> 396Undefined behavior: function containing a definition of static local object is 397called during the destruction of an object with static storage duration so that 398flow of control passes through the definition of the previously destroyed 399static local object. 400<p>Source: C++11 3.6.3p2.</p></div></div></td> 401<td><div class="exampleContainer expandable"> 402<div class="example"><pre> 403void f(); 404 405class A { 406public: 407 ~A() { 408 f(); // warn 409 } 410}; 411 412class B {}; 413 414A a; 415 416void f() { 417 static B b; 418} 419</pre></div></div></td> 420<td class="aligned"></td></tr> 421 422 423<tr><td><div class="namedescr expandable"><span class="name"> 424undefbehavior.ZeroAllocDereference</span><span class="lang"> 425(C, C++)</span><div class="descr"> 426The effect of dereferencing a pointer returned as a request for zero size is 427undefined.<br> 428Note: possibly an enhancement to <span class="name"> 429unix.Malloc</span>. 430<p>Source: C++03 3.7.3.1p2; C++11 3.7.4.1p2.</p></div></div></td> 431<td><div class="exampleContainer expandable"> 432<div class="example"><pre> 433#include <stdlib.h> 434 435void test() { 436 int *p = (int *)malloc(0); 437 *p = 1; // warn 438 free(p); 439} 440</pre></div> 441<div class="example"><pre> 442void f(int); 443 444void test() { 445 int *p = new int[0]; 446 f(*p); // warn 447 delete[] p; 448} 449</pre></div></div></td> 450<td class="aligned"><a href="https://reviews.llvm.org/D8273">D8273</a></td></tr> 451 452 453<tr><td><div class="namedescr expandable"><span class="name"> 454undefbehavior.DeadReferenced</span><span class="lang"> 455(C++)</span><div class="descr"> 456Undefined behavior: the following usage of the pointer to the object whose 457lifetime has ended can result in undefined behavior:<br> 458The object will be or was of a class type with a non-trivial destructor and 459<ul><li>the pointer is used as the operand of a delete-expression</li></ul> 460The object will be or was of a non-POD class type (C++11: any class type) and 461<ul><li>the pointer is used to access a non-static data member or call a 462non-static member function of the object</li> 463<li>the pointer is implicitly converted to a pointer to a base class 464type</li> 465<li>the pointer is used as the operand of a <code>static_cast</code> (except 466when the conversion is to <code>void*</code>, or to <code>void*</code> and 467subsequently to <code>char*</code>, or <code>unsigned char*</code>)</li> 468<li>the pointer is used as the operand of a <code>dynamic_cast</code></li></ul> 469<p>Source: C++03 3.8p5, p7; C++11 3.8p5, p7.</p></div></div></td> 470<td><div class="exampleContainer expandable"> 471<div class="example"><pre> 472#include <new> 473 474class A { 475public: 476 ~A(); 477}; 478 479class B : public A {}; 480 481void test() { 482 A *a = new A; 483 new(a) B; 484 delete a; // warn 485} 486</pre></div> 487<div class="example"><pre> 488#include <new> 489 490class A { 491public: 492 ~A(); 493}; 494 495class B {}; 496 497void test() { 498 A *a = new A; 499 new(a) B; 500 a->~A(); 501} 502</pre></div> 503<div class="example"><pre> 504#include <new> 505 506class A { 507public: 508 ~A(); 509}; 510 511class B : public A {}; 512 513class C {}; 514 515void f(A*); 516 517void test() { 518 B *b = new B; 519 new(b) C; 520 f(b); // warn 521} 522</pre></div> 523<div class="example"><pre> 524#include <new> 525 526class A { 527public: 528 ~A(); 529}; 530 531class B : public A {}; 532 533class C {}; 534 535A* test() { 536 B *b = new B; 537 new(b) C; 538 return static_cast<A*>(b); // warn 539} 540</pre></div> 541<div class="example"><pre> 542#include <new> 543 544class A { 545public: 546 ~A(); 547}; 548 549class B : public A {}; 550 551class C {}; 552 553A* test() { 554 B *b = new B; 555 new(b) C; 556 return dynamic_cast<A*>(b); // warn 557} 558</pre></div></div></td> 559<td class="aligned"></td></tr> 560 561 562<tr><td><div class="namedescr expandable"><span class="name"> 563undefbehavior.ObjLocChanges</span><span class="lang"> 564(C++)</span><div class="descr"> 565Undefined behavior: the program must ensure that an object occupies the same 566storage location when the implicit or explicit destructor call takes place. 567<p>Source: C++11 3.8p8.</p></div></div></td> 568<td><div class="exampleContainer expandable"> 569<div class="example"><pre> 570#include <new> 571 572class A {}; 573 574class B { 575public: 576 ~B(); 577}; 578 579void test() { 580 B b; 581 new (&b) A; 582} // warn 583</pre></div> 584<div class="example"><pre> 585#include <new> 586 587class A {}; 588 589class B { 590public: 591 ~B(); 592}; 593 594void test() { 595 B *b = new B; 596 new (b) A; 597 delete b; // warn 598} 599</pre></div></div></td> 600<td class="aligned"></td></tr> 601 602 603<tr><td><div class="namedescr expandable"><span class="name"> 604undefbehavior.ExprEvalOrderUndef</span><span class="lang"> 605(C, C++03)</span><div class="descr"> 606Undefined behavior: a scalar object shall have its stored value modified at 607most once by the evaluation of an expression.<br> 608Note: most cases are currently handled by the Clang core (search for 'multiple 609unsequenced modifications' warning in Clang tests). 610<p>Source: C++03 5p4.</p></div></div></td> 611<td><div class="exampleContainer expandable"> 612<div class="example"><pre> 613int test () { 614 int i = 0; 615 i = ++i + 1; // warn 616 return i; 617} 618</pre></div></div></td> 619<td class="aligned"></td></tr> 620 621 622<tr><td><div class="namedescr expandable"><span class="name"> 623undefbehavior.StaticInitReentered</span><span class="lang"> 624(C++)</span><div class="descr"> 625Undefined behavior: static declaration is re-entered while the object is being 626initialized. 627<p>Source: C++11 6.7p4.</p></div></div></td> 628<td><div class="exampleContainer expandable"> 629<div class="example"><pre> 630int test(int i) { 631 static int s = test(2 * i); // warn 632 return i + 1; 633} 634</pre></div></div></td> 635<td class="aligned"></td></tr> 636 637 638<tr><td><div class="namedescr expandable"><span class="name"> 639undefbehavior.ConstModified</span><span class="lang"> 640(C, C++)</span><div class="descr"> 641Undefined behavior: const object is being modified. 642<p>Source: C++03 7.1.5.1p4, C++11 7.1.6.1p4.</p></div></div></td> 643<td><div class="exampleContainer expandable"> 644<div class="example"><pre> 645void test() { 646 const int *cp = new const int (0); 647 int *p = const_cast<int *>(cp); 648 *p = 1; // warn 649 delete p; 650} 651</pre></div> 652<div class="example"><pre> 653class C { 654public : 655 int i; 656 C(); 657}; 658 659void test() { 660 const C cb; 661 662 C* cp = const_cast<C *>(&cb); 663 cp->i = 1; // warn 664} 665</pre></div></div></td> 666<td class="aligned"></td></tr> 667 668 669<tr><td><div class="namedescr expandable"><span class="name"> 670undefbehavior.DeadDestructed</span><span class="lang"> 671(C++)</span><div class="descr"> 672Undefined behavior: the destructor is invoked for an object whose lifetime 673has ended. 674<p>Source: C++11 12.4p14.</p></div></div></td> 675<td><div class="exampleContainer expandable"> 676<div class="example"><pre> 677class A { 678public: 679 void f(); 680 A(); 681 ~A(); 682}; 683 684void test() { 685 A a; 686 a.~A(); 687} // warn 688</pre></div></div></td> 689<td class="aligned"></td></tr> 690 691 692<tr><td><div class="namedescr expandable"><span class="name"> 693undefbehavior.MethodCallBeforeBaseInit</span><span class="lang"> 694(C++)</span><div class="descr"> 695Undefined behavior: calls member function but base not yet initialized. 696<p>Source: C++03 12.6.2p8; C++11 12.6.2p13.</p></div></div></td> 697<td><div class="exampleContainer expandable"> 698<div class="example"><pre> 699class A { 700public : 701 A(int); 702}; 703 704class B : public A { 705public : 706 int f(); 707 B() : A(f()) {} // warn 708}; 709</pre></div></div></td> 710<td class="aligned"></td></tr> 711 712 713<tr><td><div class="namedescr expandable"><span class="name"> 714undefbehavior.MemberOrBaseRefBeforeCtor</span><span class="lang"> 715(C++)</span><div class="descr"> 716C++ Undefined behavior: non-static member or base class of non-POD class type 717is referred before constructor begins execution.<br> 718C++11 Undefined behavior: non-static member or base class of a class with a 719non-trivial constructor is referred before constructor begins execution. 720<p>Source: C++03 12.7p1; C++11 12.7p1.</p></div></div></td> 721<td><div class="exampleContainer expandable"> 722<div class="example"><pre> 723struct non_POD { 724 int i; 725 non_POD(); 726}; 727 728extern non_POD non_pod; 729 730int *p = &non_pod.i; // warn 731</pre></div> 732<div class="example"><pre> 733struct POD { 734 int i; 735}; 736 737struct non_POD : public POD { 738 POD pod; 739}; 740 741extern non_POD non_pod; 742 743int *p = &non_pod.pod.i; // warn 744</pre></div> 745<div class="example"><pre> 746struct POD { 747 int i; 748}; 749 750struct non_POD : public POD {}; 751 752extern non_POD non_pod; 753 754POD *p = &non_pod; // warn 755</pre></div> 756<div class="example"><pre> 757struct non_POD { 758 int i; 759 non_POD(); 760}; 761 762struct S { 763 int *k; 764 non_POD non_pod; 765 S() : k(&non_pod.i) {} // warn 766}; 767</pre></div></div></td> 768<td class="aligned"></td></tr> 769 770 771<tr><td><div class="namedescr expandable"><span class="name"> 772undefbehavior.MemberRefAfterDtor</span><span class="lang"> 773(C++)</span><div class="descr"> 774C++03: Undefined behavior: non-static member of non-POD class type is referred 775after destructor ends execution.<br> 776C++11: Undefined behavior: non-static member of a class with a non-trivial 777destructor is referred after destructor ends execution. 778<p>Source: C++03 12.7p1; C++11 12.7p1.</p></div></div></td> 779<td><div class="exampleContainer expandable"> 780<div class="example"><pre> 781class C { 782public: 783 C(); 784 void f(); 785}; 786 787void test() { 788 C *c = new C(); 789 c->~C(); 790 c->f(); // warn 791} 792</pre></div></div></td> 793<td class="aligned"></td></tr> 794 795 796<tr><td><div class="namedescr expandable"><span class="name"> 797undefbehavior.CtorForeignCall</span><span class="lang"> 798(C++)</span><div class="descr"> 799Undefined behavior: call to virtual function of an object under construction 800whose type is neither the constructors own class or one of its bases. 801<p>Source: C++11 12.7p4.</p></div></div></td> 802<td><div class="exampleContainer expandable"> 803<div class="example"><pre> 804class A { 805public: 806 virtual void f() {}; 807}; 808 809class B { 810public: 811 B(A* a) { a->f(); } // warn 812}; 813 814class C : public A, B { 815public: 816 C() : B((A*)this) {} 817}; 818</pre></div></div></td> 819<td class="aligned"></td></tr> 820 821 822<tr><td><div class="namedescr expandable"><span class="name"> 823undefbehavior.CtorForeignTypeid</span><span class="lang"> 824(C++)</span><div class="descr"> 825Undefined behavior: the operand of <code>typeid</code> is an object under 826construction whose type is neither the constructors own class or one of its 827bases. 828<p>Source: C++11 12.7p5.</p></div></div></td> 829<td><div class="exampleContainer expandable"> 830<div class="example"><pre> 831#include <typeinfo> 832 833class A {}; 834 835class B { 836public: 837 B(A* a) { 838 (void)typeid(*a); // warn 839 } 840}; 841 842class C : public A, B { 843public: 844 C() : B((A*)this) {} 845}; 846</pre></div></div></td> 847<td class="aligned"></td></tr> 848 849 850<tr><td><div class="namedescr expandable"><span class="name"> 851undefbehavior.CtorForeignCast</span><span class="lang"> 852(C++)</span><div class="descr"> 853Undefined behavior: the operand of <code>dynamic_cast</code> is an object under 854construction whose type is neither the constructors own class or one of its 855bases. 856<p>Source: C++11 12.7p6.</p></div></div></td> 857<td><div class="exampleContainer expandable"> 858<div class="example"><pre> 859#include <typeinfo> 860 861class A { 862public: 863 virtual void f() {}; 864}; 865 866class B { 867public: 868 B(A* a) { 869 (void)dynamic_cast<B*>(a); //warn 870 } 871}; 872 873class C : public A, B { 874public: 875 C() : B((A*)this) {} 876}; 877</pre></div></div></td> 878<td class="aligned"></td></tr> 879 880 881<tr><td><div class="namedescr expandable"><span class="name"> 882undefbehavior.MemberOrBaseRefInCatch</span><span class="lang"> 883(C++)</span><div class="descr"> 884Undefined behavior: referring to any non-static member or base class of an 885object in the handler for a function-try-block of a constructor or destructor 886for that object results in undefined behavior. 887<p>Source: C++11 15.3p10.</p></div></div></td> 888<td><div class="exampleContainer expandable"> 889<div class="example"><pre> 890void f() { throw 1; } 891 892class C { 893 int i; 894public : 895 C() 896 try { 897 f(); 898 } 899 catch (...) { 900 i=2; // warn 901 } 902}; 903</pre></div> 904<div class="example"><pre> 905void f() { throw 1; } 906 907class Base { 908public: 909 int i; 910}; 911 912class C: public Base { 913public : 914 ~C() try { 915 f(); 916 } 917 catch (...) { 918 i=2; // warn 919 } 920}; 921</pre></div></div></td> 922<td class="aligned"></td></tr> 923 924 925<tr><td><div class="namedescr expandable"><span class="name"> 926undefbehavior.ReturnAtCatchEnd</span><span class="lang"> 927(C++)</span><div class="descr"> 928Undefined behavior: a function returns when control reaches the end of a 929handler. This results in undefined behavior in a value-returning function. 930<p>Source: C++11 15.3p10.</p></div></div></td> 931<td><div class="exampleContainer expandable"> 932<div class="example"><pre> 933void f() { throw 1; } 934 935int test() try { 936 f(); 937 return 1; 938} 939catch(int) { 940} // warn 941</pre></div></div></td> 942<td class="aligned"></td></tr> 943 944 945<tr><td><div class="namedescr expandable"><span class="name"> 946undefbehavior.AutoptrsOwnSameObj</span><span class="lang"> 947(C++03)</span><div class="descr"> 948Undefined behavior: if more than one <code>auto_ptr</code> owns the same object 949at the same time the behavior of the program is undefined. 950<p>Source: C++03 20.4.5p3; C++11 <code>auto_ptr</code> is deprecated 951(D.10).</p></div></div></td> 952<td><div class="exampleContainer expandable"> 953<div class="example"><pre> 954#include <memory> 955 956void test() { 957 int *data = new int; 958 std::auto_ptr<int> p(data); 959 std::auto_ptr<int> q(data); // warn 960} 961</pre></div></div></td> 962<td class="aligned"></td></tr> 963 964 965<tr><td><div class="namedescr expandable"><span class="name"> 966undefbehavior.BasicStringOutOfBound</span><span class="lang"> 967(C++03)</span><div class="descr"> 968Undefined behavior: out-of-bound <code>basic_string</code> access/modification. 969<br>Note: possibly an enhancement to <span class="name"> 970alpha.security.ArrayBoundV2</span>. 971<p>Source: C++03 21.3.4p1; C++11 behavior is defined 972(21.4.5p2).</p></div></div></td> 973<td><div class="exampleContainer expandable"> 974<div class="example"><pre> 975#include <string> 976 977void test() { 978 std::basic_string<char> s; 979 char c = s[10]; // warn 980} 981</pre></div> 982<div class="example"><pre> 983#include <string> 984 985void test() { 986 std::basic_string<char> s; 987 s[10] = 0; // warn 988} 989</pre></div></div></td> 990<td class="aligned"></td></tr> 991 992 993<tr><td><div class="namedescr expandable"><span class="name"> 994undefbehavior.EosDereference</span><span class="lang"> 995(C++)</span><div class="descr"> 996Undefined behavior: the result of <code>operator*()</code> on an end of a 997stream is undefined. 998<p>Source: C++03 24.5.3p2; C++11 24.6.3p2.</p></div></div></td> 999<td><div class="exampleContainer expandable"> 1000<div class="example"><pre> 1001#include <vector> 1002 1003int test() { 1004 std::vector<int> v; 1005 return *v.end(); // warn 1006} 1007</pre></div></div></td> 1008<td class="aligned"></td></tr> 1009 1010 1011<tr><td><div class="namedescr expandable"><span class="name"> 1012undefbehavior.QsortNonPODNonTrivial</span><span class="lang"> 1013(C++)</span><div class="descr"> 1014C++03: Undefined behavior: the objects in the array passed to qsort are of 1015non-POD type.<br> 1016C++11: Undefined behavior: the objects in the array passed to qsort are of 1017non-trivial type. 1018<p>Source: C++03 25.4p4; C++11 25.5p4.</p></div></div></td> 1019<td><div class="exampleContainer expandable"> 1020<div class="example"><pre> 1021// C++03 1022#include <cstdlib> 1023 1024 1025struct non_POD { 1026 non_POD(); 1027}; 1028 1029non_POD values[] = { non_POD(), non_POD() }; 1030 1031int compare(const void *a, const void *b); 1032 1033void test() { 1034 qsort(values, 2, sizeof(non_POD), compare); // warn 1035} 1036</pre></div> 1037<div class="example"><pre> 1038// C++11 1039#include <cstdlib> 1040 1041struct S {}; 1042 1043struct trivial_non_POD : public S { 1044 int i; 1045}; 1046 1047struct non_trivial { 1048 int i; 1049 non_trivial(); 1050}; 1051 1052trivial_non_POD tnp[2]; 1053non_trivial nt[2]; 1054 1055int compare1(const void *a, const void *b); 1056 1057int compare2(const void *a, const void *b); 1058 1059void test() { 1060 qsort(tnp, 2, sizeof(trivial_non_POD), compare1); // ok 1061 qsort(nt, 2, sizeof(non_trivial), compare2); // warn 1062} 1063</pre></div></div></td> 1064<td class="aligned"></td></tr> 1065 1066 1067<tr><td><div class="namedescr expandable"><span class="name"> 1068undefbehavior.ThrowWhileCopy</span><span class="lang"> 1069(C++)</span><div class="descr"> 1070Undefined behavior: copy constructor/assignment operator can throw an exception. 1071The effects are undefined if an exception is thrown.</div></div></td> 1072<td><div class="exampleContainer expandable"> 1073<div class="example"><pre> 1074class C { 1075public: 1076 int i, j; 1077 C (const C &c) { 1078 i = c.i; 1079 throw 1; // warn 1080 j = c.j; 1081 }; 1082}; 1083</pre></div> 1084<div class="example"><pre> 1085class C { 1086public: 1087 int i, j; 1088 C &operator=(const C &c) { 1089 i = c.i; 1090 throw 1; // warn 1091 j = c.j; 1092 }; 1093}; 1094</pre></div></div></td> 1095<td class="aligned"></td></tr> 1096 1097 1098<tr><td><div class="namedescr expandable"><span class="name"> 1099undefbehavior.ValarrayArgBound</span><span class="lang"> 1100(C++)</span><div class="descr"> 1101Undefined behavior: the value of the <code><i>n</i></code> argument passed 1102to <code>valarray</code> constructor is greater than the number of values 1103pointed to by the first argument (source). 1104<p>Source: C++03 26.3.2.1p4; C++11 26.6.2.2p4.</p></div></div></td> 1105<td><div class="exampleContainer expandable"> 1106<div class="example"><pre> 1107#include <valarray> 1108 1109struct S { 1110 int i; 1111 S(int ii) : i(ii) {}; 1112}; 1113 1114void test(void) { 1115 S s[] = { S(1), S(2) }; 1116 std::valarray<S> v(s,3); // warn 1117} 1118</pre></div></div></td> 1119<td class="aligned"></td></tr> 1120 1121 1122<tr><td><div class="namedescr expandable"><span class="name"> 1123undefbehavior.ValarrayLengthDiffer</span><span class="lang"> 1124(C++)</span><div class="descr"> 1125Undefined behavior: <code>valarray</code> operands are of different length. 1126<p>Source: C++03 26.3.2.2p1, 26.3.2.6p3, 26.3.3.1p3, 26.3.3.2p3; 1127C++11 defined (26.6.2.3p1), 26.6.2.7p3, 26.6.3.1p3, 112826.6.3.2p3.</p></div></div></td> 1129<td><div class="exampleContainer expandable"> 1130<div class="example"><pre> 1131// C++03 1132#include <valarray> 1133 1134void test(void) { 1135 std::valarray<int> a(0, 1), b(0, 2); 1136 a = b; // warn 1137 b.resize(1); 1138 a = b; // ok 1139} 1140</pre></div> 1141<div class="example"><pre> 1142// C++03, C++11 1143#include <valarray> 1144 1145void test(void) { 1146 std::valarray<int> a(0, 1), b(0, 2); 1147 a *= b; // warn 1148} 1149</pre></div> 1150<div class="example"><pre> 1151// C++03, C++11 1152#include <valarray> 1153 1154void test(void) { 1155 std::valarray<int> a(0, 1), b(0, 2); 1156 a = a + b; // warn 1157} 1158</pre></div> 1159<div class="example"><pre> 1160// C++03, C++11 1161#include <valarray> 1162 1163void test(void) { 1164 std::valarray<int> a(0, 1), b(0, 2); 1165 std::valarray<bool> c(false, 1); 1166 c = a == b; // warn 1167} 1168</pre></div></div></td> 1169<td class="aligned"></td></tr> 1170 1171 1172<tr><td><div class="namedescr expandable"><span class="name"> 1173undefbehavior.ValarrayZeroLength</span><span class="lang"> 1174(C++)</span><div class="descr"> 1175Undefined behavior: calling <code>sum()</code>/<code>min()</code>/<code> 1176max()</code> methods of a zero length <code>valarray<code> the behavior is 1177undefined. 1178<p>Source: C++03 26.3.2.7p2, p3, p4; C++11 26.6.2.8p5, p6, 1179p7.</p></div></div></td> 1180<td><div class="exampleContainer expandable"> 1181<div class="example"><pre> 1182#include <valarray> 1183 1184void test(void) { 1185 std::valarray<int> v(0, 0); 1186 v.sum(); // warn 1187} 1188</pre></div></div></td> 1189<td class="aligned"></td></tr> 1190 1191 1192<tr><td><div class="namedescr expandable"><span class="name"> 1193undefbehavior.ValarrayBadIndirection</span><span class="lang"> 1194(C++)</span><div class="descr"> 1195Undefined behavior: element is specified more than once in an indirection. 1196<p>Source: C++03 26.3.9.2p2, 26.3.9.3p2; C++11 26.6.9.2p2, 119726.6.9.3p2.</p></div></div></td> 1198<td><div class="exampleContainer expandable"> 1199<div class="example"><pre> 1200#include <valarray> 1201 1202void test() { 1203 // '1' is specified more then once 1204 size_t addr[] = {0, 1, 1}; 1205 std::valarray<size_t>indirect(addr, 3); 1206 std::valarray<int> a(0, 5), b(1, 3); 1207 a[indirect] = b; //warn 1208} 1209</pre></div> 1210<div class="example"><pre> 1211#include <valarray> 1212 1213void test() { 1214 // '1' is specified more then once 1215 size_t addr[] = {0, 1, 1}; 1216 std::valarray<size_t>indirect(addr, 3); 1217 std::valarray<int> a(0, 5), b(1, 3); 1218 a[indirect] *= b; //warn 1219} 1220</pre></div></div></td> 1221<td class="aligned"></td></tr> 1222 1223 1224<tr><td><div class="namedescr expandable"><span class="name"> 1225undefbehavior.IosBaseDestroyedBeforeInit</span><span class="lang"> 1226(C++)</span><div class="descr"> 1227Undefined behavior: <code>ios_base</code> object is destroyed before 1228initialization have taken place. <code>basic_ios::init</code> should be call to 1229initialize <code>ios_base</code> members. 1230<p>Source: C++03 27.4.2.7p1, 27.4.4.1p2; C++11 27.5.3.7p1, 123127.5.5.2p2.</p></div></div></td> 1232<td><div class="exampleContainer expandable"> 1233<div class="example"><pre> 1234#include <ios> 1235 1236using namespace std; 1237template <class T, class Traits = std::char_traits<T> > 1238class my_stream1 : public std::basic_ios<T, Traits> { 1239}; 1240 1241template <class T, class Traits = std::char_traits<T> > 1242class my_stream2 : public std::basic_ios<T, Traits> { 1243 class my_streambuf 1244 : public std::basic_streambuf<T, Traits> { 1245 }; 1246public: 1247 my_stream2() { 1248 this->init(new my_streambuf); 1249 } 1250}; 1251 1252void test() { 1253 my_stream1<char> *p1 = new my_stream1<char>; 1254 my_stream2<char> *p2 = new my_stream2<char>; 1255 delete p1; // warn 1256 delete p2; // ok 1257} 1258</pre></div></div></td> 1259<td class="aligned"></td></tr> 1260 1261 1262<tr><td><div class="namedescr expandable"><span class="name"> 1263undefbehavior.IosBaseUsedBeforeInit</span><span class="lang"> 1264(C++11)</span><div class="descr"> 1265Undefined behavior: <code>ios_base</code> object is used before initialization 1266have taken place. <code>basic_ios::init</code> should be call to 1267initialize <code>ios_base</code> members. 1268<p>Source: C++11 27.5.3.7p1, 27.5.5.2p2.</p></div></div></td> 1269<td><div class="exampleContainer expandable"> 1270<div class="example"><pre> 1271#include <ios> 1272 1273using namespace std; 1274template <class T, class Traits = std::char_traits<T> > 1275class my_stream1 : public std::basic_ios<T, Traits> { 1276}; 1277 1278template <class T, class Traits = std::char_traits<T> > 1279class my_stream2 : public std::basic_ios<T, Traits> { 1280 class my_streambuf 1281 : public std::basic_streambuf<T, Traits> { 1282 }; 1283public: 1284 my_stream2() { 1285 this->init(new my_streambuf); 1286 } 1287}; 1288 1289void test() { 1290 my_stream1<char> *p1 = new my_stream1<char>; 1291 my_stream2<char> *p2 = new my_stream2<char>; 1292 p1->narrow('a', 'b'); // warn 1293 p2->narrow('a', 'b'); // ok 1294} 1295</pre></div></div></td> 1296<td class="aligned"></td></tr> 1297 1298 1299<tr><td><div class="namedescr expandable"><span class="name"> 1300undefbehavior.MinusOnePosType</span><span class="lang"> 1301(C++)</span><div class="descr"> 1302Undefined behavior: passing -1 to any <code>streambuf</code>/<code> 1303istream</code>/<code>ostream</code> member that accepts a value of 1304type <code>traits::pos_type</code> result in undefined behavior. 1305<p>Source: C++03 27.4.3.2p3; C++11 27.5.4.2p3.</p></div></div></td> 1306<td><div class="exampleContainer expandable"> 1307<div class="example"><pre> 1308#include <fstream> 1309 1310class my_streambuf : public std::streambuf { 1311 void f() { 1312 seekpos(-1); // warn 1313 } 1314}; 1315</pre></div> 1316<div class="example"><pre> 1317#include <fstream> 1318 1319void test() { 1320 std::filebuf fb; 1321 std::istream in(&fb); 1322 std::filebuf::off_type pos(-1); 1323 in.seekg(pos); // warn 1324} 1325</pre></div></div></td> 1326<td class="aligned"></td></tr> 1327 1328</table> 1329 1330<!-- ============================ different ================================ --> 1331<h3>different</h3> 1332<table class="checkers"> 1333<col class="namedescr"><col class="example"><col class="progress"> 1334<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr> 1335</thead> 1336 1337<tr><td><div class="namedescr expandable"><span class="name"> 1338different.SuccessiveAssign</span><span class="lang"> 1339(C)</span><div class="descr"> 1340Successive assign to a variable.</div></div></td> 1341<td><div class="exampleContainer expandable"> 1342<div class="example"><pre> 1343int test() { 1344 int i; 1345 i=1; 1346 i=2; // warn 1347 return i; 1348} 1349</pre></div></div></td> 1350<td class="aligned"></td></tr> 1351 1352 1353<tr><td><div class="namedescr expandable"><span class="name"> 1354different.NullDerefStmtOrder</span><span class="lang"> 1355(C)</span><div class="descr"> 1356Dereferencing of the null pointer might take place. Checking the pointer for 1357null should be performed first. 1358<br>Note: possibly an enhancement to <span class="name"> 1359core.NullDereference</span>.</div></div></td> 1360<td><div class="exampleContainer expandable"> 1361<div class="example"><pre> 1362struct S { 1363 int x; 1364}; 1365 1366struct S* f(); 1367 1368void test() { 1369 struct S *p1 = f(); 1370 int x1 = p1->x; // warn 1371 if (p1) {}; 1372 1373 struct S *p2 = f(); 1374 int x2 = p2->x; // ok 1375} 1376</pre></div></div></td> 1377<td class="aligned"></td></tr> 1378 1379 1380<tr><td><div class="namedescr expandable"><span class="name"> 1381different.NullDerefCondOrder</span><span class="lang"> 1382(C)</span><div class="descr"> 1383Dereferencing of the null pointer might take place. Checking the pointer for 1384null should be performed first. 1385<br>Note: possibly an enhancement to <span class="name"> 1386core.NullDereference</span>.</div></div></td> 1387<td><div class="exampleContainer expandable"> 1388<div class="example"><pre> 1389struct S {int i;}; 1390 1391struct S* f(); 1392 1393void test() { 1394 struct S *p = f(); 1395 if (p->i && p) {}; // warn 1396} 1397</pre></div></div></td> 1398<td class="aligned"></td></tr> 1399 1400 1401<tr><td><div class="namedescr expandable"><span class="name"> 1402different.MultipleAccessors</span><span class="lang"> 1403(C++)</span><div class="descr"> 1404Identical accessor bodies. Possibly a misprint.</div></div></td> 1405<td><div class="exampleContainer expandable"> 1406<div class="example"><pre> 1407class A { 1408 int i; 1409 int j; 1410public: 1411 int getI() { return i; } 1412 int getJ() { return i; } // warn 1413}; 1414</pre></div> 1415<div class="example"><pre> 1416class A { 1417 int i; 1418 int j; 1419public: 1420 void setI(int& ii) { i = ii; } 1421 void setJ(int& jj) { i = jj; } // warn 1422}; 1423</pre></div></div></td> 1424<td class="aligned"></td></tr> 1425 1426 1427<tr><td><div class="namedescr expandable"><span class="name"> 1428different.AccessorsForPublic</span><span class="lang"> 1429(C++)</span><div class="descr"> 1430Accessors exist for a public class field. Should this field really be 1431public?</div></div></td> 1432<td><div class="exampleContainer expandable"> 1433<div class="example"><pre> 1434class A { 1435public: 1436 int i; // warn 1437 int getI() { return i; } 1438 void setI(int& ii) { i = ii; } 1439}; 1440</pre></div></div></td> 1441<td class="aligned"></td></tr> 1442 1443 1444<tr><td><div class="namedescr expandable"><span class="name"> 1445different.LibFuncResultUnised</span><span class="lang"> 1446(C, C++)</span><div class="descr"> 1447Calling a function ignoring its return value is of no use (create the list of 1448known system/library/API functions falling into this category).</div></div></td> 1449<td><div class="exampleContainer expandable"> 1450<div class="example"><pre> 1451#include <vector> 1452 1453void test() { 1454 std::vector<int> v; 1455 v.empty(); // warn 1456} 1457</pre></div></div></td> 1458<td class="aligned"></td></tr> 1459 1460 1461<tr><td><div class="namedescr expandable"><span class="name"> 1462different.WrongVarForStmt</span><span class="lang"> 1463(C, C++)</span><div class="descr"> 1464Wrong variable is possibly used in the loop/cond-expression of 1465the <code>for</code> statement. Did you mean 1466'proper_variable_name'?</div></div></td> 1467<td><div class="exampleContainer expandable"> 1468<div class="example"><pre> 1469void test() { 1470 int i = 0; 1471 int j = 0; 1472 for (i = 0; i < 3; j += 1); // warn 1473} 1474</pre></div> 1475<div class="example"><pre> 1476void test() { 1477 int i = 0; 1478 int j = 0; 1479 for (int j = 0; i < 3; ++j); // warn 1480} 1481</pre></div></div></td> 1482<td class="aligned"></td></tr> 1483 1484 1485<tr><td><div class="namedescr expandable"><span class="name"> 1486different.FloatingCompare</span><span class="lang"> 1487(C)</span><div class="descr"> 1488Comparing floating point numbers may be not precise.</div></div></td> 1489<td><div class="exampleContainer expandable"> 1490<div class="example"><pre> 1491#include <math.h> 1492 1493double test() { 1494 double b = sin(M_PI / 6.0); 1495 if (b == 0.5) // warn 1496 b = 0; 1497 return b; 1498} 1499</pre></div></div></td> 1500<td class="aligned"></td></tr> 1501 1502 1503<tr><td><div class="namedescr expandable"><span class="name"> 1504different.BitwiseOpBoolArg</span><span class="lang"> 1505(C, C++)</span><div class="descr"> 1506Boolean value met at the left/right part of the bitwise <code>&</code> 1507or <code>|</code> operator. 1508Did you mean <code>&&</code> (<code>||</code>) ?</div></div></td> 1509<td><div class="exampleContainer expandable"> 1510<div class="example"><pre> 1511int f(); 1512 1513void test() { 1514 bool b = true; 1515 if (b & f()) {} // warn 1516} 1517</pre></div></div></td> 1518<td class="aligned"></td></tr> 1519 1520 1521<tr><td><div class="namedescr expandable"><span class="name"> 1522different.LabelInsideSwitch</span><span class="lang"> 1523(C)</span><div class="descr"> 1524Possibly a misprint: label found inside a <code>switch()</code> 1525statement.</div></div></td> 1526<td><div class="exampleContainer expandable"> 1527<div class="example"><pre> 1528void test(int c) { 1529 switch(c){ 1530 case 1: 1531 c += 1; break; 1532 defalt: // warn (did you mean 'default'?) 1533 c -= 1; break; 1534 } 1535} 1536</pre></div></div></td> 1537<td class="aligned"></td></tr> 1538 1539 1540<tr><td><div class="namedescr expandable"><span class="name"> 1541different.IdenticalCondIfIf</span><span class="lang"> 1542(C)</span><div class="descr"> 1543The conditions of two subsequent <code>if</code> statements are 1544identical.</div></div></td> 1545<td><div class="exampleContainer expandable"> 1546<div class="example"><pre> 1547int test(int c) { 1548 if (c > 5) 1549 c += 1; 1550 if (c > 5) // warn 1551 c -= 1; 1552 return c; 1553} 1554</pre></div></div></td> 1555<td class="aligned"></td></tr> 1556 1557 1558<tr><td><div class="namedescr expandable"><span class="name"> 1559different.LogicalOpUselessArg</span><span class="lang"> 1560(C)</span><div class="descr"> 1561The second operand of a <code>&&</code> operator has no impact on 1562expression result.</div></div></td> 1563<td><div class="exampleContainer expandable"> 1564<div class="example"><pre> 1565void test(unsigned a) { 1566 if (a<7 && a<10) {}; // warn 1567} 1568</pre></div></div></td> 1569<td class="aligned"></td></tr> 1570 1571 1572<tr><td><div class="namedescr expandable"><span class="name"> 1573different.SameResLogicalExpr</span><span class="lang"> 1574(C)</span><div class="descr"> 1575An expression is always evaluated to true/false.</div></div></td> 1576<td><div class="exampleContainer expandable"> 1577<div class="example"><pre> 1578void test() { 1579 int i = 0; 1580 if (i != 0) {}; // warn 1581} 1582</pre></div> 1583<div class="example"><pre> 1584void test(int i) { 1585 if (i == 0 && i == 1) {}; // warn 1586} 1587</pre></div> 1588<div class="example"><pre> 1589void test(int i) { 1590 if (i < 0 || i >= 0) {}; // warn 1591} 1592</pre></div></div></td> 1593<td class="aligned"></td></tr> 1594 1595 1596<tr><td><div class="namedescr expandable"><span class="name"> 1597different.OpPrecedenceAssignCmp</span><span class="lang"> 1598(C, C++)</span><div class="descr"> 1599Comparison operation has higher precedence then assignment. Boolean value is 1600assigned to a variable of other type. Parenthesis may bee required around an 1601assignment.</div></div></td> 1602<td><div class="exampleContainer expandable"> 1603<div class="example"><pre> 1604int f(); 1605 1606void test(int x, int y) { 1607 bool b; 1608 if((b = x != y)) {} // ok 1609 if((x = f() != y)) {} // warn 1610} 1611</pre></div></div></td> 1612<td class="aligned"></td></tr> 1613 1614 1615<tr><td><div class="namedescr expandable"><span class="name"> 1616different.OpPrecedenceIifShift</span><span class="lang"> 1617(C, C++)</span><div class="descr"> 1618<code>?:</code> has lower precedence then <code><<</code>. 1619<p>Source: Stephen C. Dewhurst "C++ Gotchas: Avoiding Common Problems in Coding 1620and Design", advise 15.</p></div></div></td> 1621<td><div class="exampleContainer expandable"> 1622<div class="example"><pre> 1623#include <iostream> 1624 1625void test(int a) { 1626 std::cout << a ? "a" : "b"; // warn 1627} 1628</pre></div> 1629<div class="example"><pre> 1630void test(int a) { 1631 a << a > 7 ? 1 : 2; // warn 1632} 1633</pre></div></div></td> 1634<td class="aligned"></td></tr> 1635 1636 1637<tr><td><div class="namedescr expandable"><span class="name"> 1638different.ObjectUnused</span><span class="lang"> 1639(C++)</span><div class="descr"> 1640The object was created but is not being used.</div></div></td> 1641<td><div class="exampleContainer expandable"> 1642<div class="example"><pre> 1643struct S { 1644 int x, y; 1645 S(int xx, int yy) : x(xx), y(yy) {} 1646 S(int xx) { 1647 S(xx, 0); // warn 1648 } 1649}; 1650</pre></div> 1651<div class="example"><pre> 1652#include <exception> 1653 1654void test() { 1655 std::exception(); 1656 // warn (did you mean 'throw std::exception()'?) 1657} 1658</pre></div></div></td> 1659<td class="aligned"></td></tr> 1660 1661 1662<tr><td><div class="namedescr expandable"><span class="name"> 1663different.StaticArrayPtrCompare</span><span class="lang"> 1664(C)</span><div class="descr"> 1665Pointer to static array is being compared to NULL. May the subscripting is 1666missing.</div></div></td> 1667<td><div class="exampleContainer expandable"> 1668<div class="example"><pre> 1669void test() { 1670 int a[1][1]; 1671 if (a[0] == 0) {}; // warn 1672} 1673</pre></div></div></td> 1674<td class="aligned"></td></tr> 1675 1676 1677<tr><td><div class="namedescr expandable"><span class="name"> 1678different.ConversionToBool</span><span class="lang"> 1679(C, C++)</span><div class="descr"> 1680Odd implicit conversion to boolean. 1681<br>Note: possibly merge with <span class="name"> 1682alpha.core.BoolAssignment</span>.</div></div></td> 1683<td><div class="exampleContainer expandable"> 1684<div class="example"><pre> 1685bool test() { 1686 return 1.; // warn 1687} 1688</pre></div> 1689<div class="example"><pre> 1690bool test() { 1691 return ""; // warn 1692} 1693</pre></div></div></td> 1694<td class="aligned"></td></tr> 1695 1696 1697<tr><td><div class="namedescr expandable"><span class="name"> 1698different.ArrayBound</span><span class="lang"> 1699(C++)</span><div class="descr"> 1700Out-of-bound dynamic array access. 1701<br>Note: possibly an enhancement to <span class="name"> 1702alpha.security.ArrayBoundV2</span>.</div></div></td> 1703<td><div class="exampleContainer expandable"> 1704<div class="example"><pre> 1705void test() { 1706 int *p = new int[1]; 1707 int i = 1; 1708 if(p[i]) {}; // warn 1709 delete[] p; 1710} 1711</pre></div></div></td> 1712<td class="aligned"></td></tr> 1713 1714 1715<tr><td><div class="namedescr expandable"><span class="name"> 1716different.StrcpyInputSize</span><span class="lang"> 1717(C)</span><div class="descr"> 1718Buffer copy without checking the size of input. 1719<br>Note: possibly an enhancement to <span class="name"> 1720alpha.unix.cstring.OutOfBounds</span>.</div></div></td> 1721<td><div class="exampleContainer expandable"> 1722<div class="example"><pre> 1723void test(char* string) { 1724 char buf[24]; 1725 strcpy(buf, string); // warn 1726} 1727</pre></div></div></td> 1728<td class="aligned"></td></tr> 1729 1730 1731<tr><td><div class="namedescr expandable"><span class="name"> 1732different.IntegerOverflow</span><span class="lang"> 1733(C)</span><div class="descr"> 1734Integer overflow. 1735<br>Note: partially handled by Clang core 1736(search for 'overflow in expression' warning in Clang tests). 1737<p>Source: <a href="https://cwe.mitre.org/data/definitions/190.html"> 1738CWE-190</a>.</p></div></div></td> 1739<td><div class="exampleContainer expandable"> 1740<div class="example"><pre> 1741#include <limits.h> 1742 1743int f(int x); 1744 1745void test() { 1746 f(INT_MAX + 1); // warn 1747} 1748</pre></div> 1749<div class="example"><pre> 1750#include <limits.h> 1751 1752int test() { 1753 int x = INT_MAX / 2 + 1; 1754 return x * 2; // warn 1755} 1756</pre></div></div></td> 1757<td class="aligned"></td></tr> 1758 1759 1760<tr><td><div class="namedescr expandable"><span class="name"> 1761different.SignExtension</span><span class="lang"> 1762(C)</span><div class="descr"> 1763Unexpected sign extension might take place. 1764<p>Source: <a href="https://cwe.mitre.org/data/definitions/194.html"> 1765CWE-194</a>.</p></div></div></td> 1766<td><div class="exampleContainer expandable"> 1767<div class="example"><pre> 1768unsigned long long test(long long sll) { 1769 unsigned long long ull = sll; // warn 1770 return ull; 1771} 1772</pre></div> 1773<div class="example"><pre> 1774void f(unsigned int i); 1775 1776void test(int si) { 1777 f(si); // warn 1778} 1779</pre></div> 1780<div class="example"><pre> 1781unsigned int test(int i) { 1782 return i; 1783} 1784</pre></div></div></td> 1785<td class="aligned"></td></tr> 1786 1787 1788<tr><td><div class="namedescr expandable"><span class="name"> 1789different.NumericTruncation</span><span class="lang"> 1790(C)</span><div class="descr"> 1791Numeric truncation might take place. 1792<p>Source: <a href="https://cwe.mitre.org/data/definitions/197.html"> 1793CWE-197</a>.</p></div></div></td> 1794<td><div class="exampleContainer expandable"> 1795<div class="example"><pre> 1796unsigned long test(unsigned long long ull) { 1797 unsigned long ul = ull; // warn 1798 return ul; 1799} 1800</pre></div> 1801<div class="example"><pre> 1802void f(int i); 1803 1804void test(long long sll) { 1805 f(sll); // warn 1806} 1807</pre></div> 1808<div class="example"><pre> 1809int f(); 1810 1811short test(long long sll) { 1812 short ss = f(); 1813 return ss; 1814} 1815</pre></div></div></td> 1816<td class="aligned"></td></tr> 1817 1818 1819<tr><td><div class="namedescr expandable"><span class="name"> 1820different.MissingCopyCtorAssignOp</span><span class="lang"> 1821(C++)</span><div class="descr"> 1822A class has dynamically allocated data members but do not define a copy 1823constructor/assignment operator. 1824<p>Source: Scott Meyers "Effective C++", item 11: Prevent exceptions from 1825leaving destructors.</p></div></div></td> 1826<td><div class="exampleContainer expandable"> 1827<div class="example"><pre> 1828class C { 1829 int *p; // warn 1830public: 1831 C() { p = new int; } 1832 ~C() { delete p; } 1833}; 1834</pre></div></div></td> 1835<td class="aligned"></td></tr> 1836 1837</table> 1838 1839<!-- ============================ WinAPI =================================== --> 1840<h3>WinAPI</h3> 1841<table class="checkers"> 1842<col class="namedescr"><col class="example"><col class="progress"> 1843<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 1844 1845<tr><td><div class="namedescr expandable"><span class="name"> 1846WinAPI.CreateProcess</span><span class="lang"> 1847(C)</span><div class="descr"> 1848<code>CreateProcess()</code>: if the first parameter <code><i> 1849lpApplicationName</i></code> is NULL then the executable name must be in the 1850white space-delimited string pointed to by <code><i>lpCommandLine</code></i>. 1851If the executable or path name has a space in it, there is a risk that a 1852different executable could be run because of the way the function parses 1853spaces. 1854<p>Source: <a href="https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa#security-remarks"> 1855MSDN: CreateProcess function, Security Remarks</a>.</p></div></div></td> 1856<td><div class="exampleContainer expandable"> 1857<div class="example"><pre> 1858#include <windows.h> 1859 1860void test() { 1861 STARTUPINFO si; 1862 PROCESS_INFORMATION pi; 1863 CreateProcess(NULL, TEXT("C:\\Program Files\\App -L -S"), 1864 NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi); 1865 // warn 1866} 1867</pre></div></div></td> 1868<td class="aligned"></td></tr> 1869 1870 1871<tr><td><div class="namedescr expandable"><span class="name"> 1872WinAPI.LoadLibrary</span><span class="lang"> 1873(C)</span><div class="descr"> 1874The <code>SearchPath()</code> function is used to retrieve a path to a DLL for 1875a subsequent <code>LoadLibrary()</code> call. 1876<p>Source: <a href="https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya#security-remarks"> 1877MSDN: LoadLibrary function, Security Remarks</a>.</p></div></div></td> 1878<td><div class="exampleContainer expandable"> 1879<div class="example"><pre> 1880#include <windows.h> 1881 1882HINSTANCE test() { 1883 char filePath[100]; 1884 SearchPath(NULL, "file.dll", NULL, 100, filePath, NULL); 1885 return LoadLibrary(filePath); // warn 1886} 1887</pre></div></div></td> 1888<td class="aligned"></td></tr> 1889 1890 1891<tr><td><div class="namedescr expandable"><span class="name"> 1892WinAPI.WideCharToMultiByte</span><span class="lang"> 1893(C)</span><div class="descr"> 1894Buffer overrun while calling <code>WideCharToMultiByte()</code>. The size of 1895the input buffer equals the number of characters in the Unicode string, while 1896the size of the output buffer equals the number of bytes. 1897<p>Source: <a href="https://docs.microsoft.com/en-us/windows/win32/api/stringapiset/nf-stringapiset-widechartomultibyte"> 1898MSDN: WideCharToMultiByte function</a>.</p></div></div></td> 1899<td><div class="exampleContainer expandable"> 1900<div class="example"><pre> 1901#include <windows.h> 1902 1903void test() { 1904 wchar_t ws[] = L"abc"; 1905 char s[3]; 1906 WideCharToMultiByte(CP_UTF8, 0, ws, -1, s, 1907 3, NULL, NULL); // warn 1908} 1909</pre></div></div></td> 1910<td class="aligned"></td></tr> 1911 1912 1913</table> 1914 1915<!-- =========================== optimization ============================== --> 1916<h3>optimization</h3> 1917<table class="checkers"> 1918<col class="namedescr"><col class="example"><col class="progress"> 1919<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 1920 1921<tr><td><div class="namedescr expandable"><span class="name"> 1922optimization.PassConstObjByValue</span><span class="lang"> 1923(C, C++)</span><div class="descr"> 1924Optimization: It is more effective to pass constant parameter by reference to 1925avoid unnecessary object copying.</div></div></td> 1926<td><div class="exampleContainer expandable"> 1927<div class="example"><pre> 1928struct A {}; 1929 1930void f(const struct A a); // warn 1931</pre></div></div></td> 1932<td class="aligned"></td></tr> 1933 1934 1935<tr><td><div class="namedescr expandable"><span class="name"> 1936optimization.PostfixIncIter</span><span class="lang"> 1937(C++)</span><div class="descr"> 1938Optimization: It is more effective to use prefix increment operator with 1939iterator. 1940<p>Source: Scott Meyers "More Effective C++", item 6: 1941Distinguish between prefix and postfix forms of increment and decrement 1942operators.</p></div></div></td> 1943<td><div class="exampleContainer expandable"> 1944<div class="example"><pre> 1945#include <vector> 1946 1947void test() { 1948 std::vector<int> v; 1949 std::vector<int>::const_iterator it; 1950 for(it = v.begin(); 1951 it != v.end(); it++) {}; // warn 1952} 1953</pre></div></div></td> 1954<td class="aligned"></td></tr> 1955 1956 1957<tr><td><div class="namedescr expandable"><span class="name"> 1958optimization.MultipleCallsStrlen</span><span class="lang"> 1959(C)</span><div class="descr"> 1960Optimization: multiple calls to <code>strlen()</code> for a string in an 1961expression. It is more effective to hold a value returned 1962from <code>strlen()</code> in a temporary variable.</div></div></td> 1963<td><div class="exampleContainer expandable"> 1964<div class="example"><pre> 1965#include <string.h> 1966 1967void test(const char* s) { 1968 if (strlen(s) > 0 && 1969 strlen(s) < 7) {}; // warn 1970} 1971</pre></div></div></td> 1972<td class="aligned"></td></tr> 1973 1974 1975<tr><td><div class="namedescr expandable"><span class="name"> 1976optimization.StrLengthCalculation</span><span class="lang"> 1977(C++)</span><div class="descr"> 1978Optimization: it is more efficient to use <code>string::length()</code> to 1979calculate the length of an <code>std::string</code>.</div></div></td> 1980<td><div class="exampleContainer expandable"> 1981<div class="example"><pre> 1982#include <string> 1983#include <string.h> 1984 1985void test() { 1986 std::string s; 1987 if (strlen(s.c_str()) != 0) {}; // warn 1988} 1989</pre></div></div></td> 1990<td class="aligned"></td></tr> 1991 1992 1993<tr><td><div class="namedescr expandable"><span class="name"> 1994optimization.EmptyContainerDetect</span><span class="lang"> 1995(C++)</span><div class="descr"> 1996Optimization: It is more efficient to use containers <code>empty()</code> 1997method to identify an empty container.</div></div></td> 1998<td><div class="exampleContainer expandable"> 1999<div class="example"><pre> 2000#include <list> 2001 2002void test() { 2003 std::list<int> l; 2004 if (l.size() != 0) {}; // warn 2005} 2006</pre></div></div></td> 2007<td class="aligned"></td></tr> 2008 2009 2010</table> 2011 2012<br> 2013</div> <!-- page --> 2014</div> <!-- content --> 2015</body> 2016</html> 2017