1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 2 "http://www.w3.org/TR/html4/strict.dtd"> 3<html> 4<head> 5 <title>List of potential checkers</title> 6 <link type="text/css" rel="stylesheet" href="content.css"> 7 <link type="text/css" rel="stylesheet" href="menu.css"> 8 <script type="text/javascript" src="scripts/expandcollapse.js"></script> 9 <script type="text/javascript" src="scripts/menu.js"></script> 10</head> 11<body onload="initExpandCollapse()"> 12 13<div id="page"> 14 15<!-- menu --> 16<!--#include virtual="menu.html.incl"--> 17<!-- page content --> 18<div id="content"> 19<h1>List of potential checkers</h1> 20 21<p>This page contains a list of potential checkers to implement in the static analyzer. If you are interested in contributing to the analyzer's development, this is a good resource to help you get started. The specific names of the checkers are subject to review, and are provided here as suggestions.</p> 22 23<!-- ========================= allocation/deallocation ======================= --> 24<h3>memory</h3> 25<table class="checkers"> 26<col class="namedescr"><col class="example"><col class="progress"> 27<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 28 29<tr><td><div class="namedescr expandable"><span class="name"> 30memory.LeakEvalOrder</span><span class="lang"> 31(C, C++)</span><div class="descr"> 32Potential memory leaks caused by an undefined argument evaluation order. 33<p>Source: <a href="http://www.boost.org/doc/libs/1_49_0/libs/smart_ptr/shared_ptr.htm#BestPractices"> 34boost docs: shared_ptr</a>.</p></div></div></td> 35<td><div class="exampleContainer expandable"> 36<div class="example"><pre> 37void f(int, int); 38int g(void *); 39int h() __attribute__((noreturn)); 40 41void test() { 42 // It is possible that 'malloc(1)' is called first, 43 // then 'h()', that is (or calls) noreturn and eventually 44 // 'g()' is never called. 45 f(g(malloc(1)), h()); // warn: 'g()' may never be called. 46} 47</pre></div> 48<div class="example"><pre> 49void f(int, int); 50int g(int *); 51int h() { throw 1; }; 52 53void test() { 54 // It is possible that 'new int' is called first, 55 // then 'h()', that throws an exception and eventually 56 // 'g()' is never called. 57 f(g(new int), h()); // warn: 'g()' may never be called. 58} 59</pre></div></div></td> 60<td class="aligned"></td></tr> 61 62 63<tr><td><div class="namedescr expandable"><span class="name"> 64memory.DstBufferTooSmall</span><span class="lang"> 65(C, C++)</span><div class="descr"> 66Destination buffer passed to memory function is too small. 67<br>Note: <span class="name">security.insecureAPI.strcpy</span> currently warns 68on usage of <code>strcpy</code> and suggests to replace it. 69<br>Note: <span class="name">alpha.unix.CStringChecker</span> contains some similar checks. 70<p>Source: <a href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>.</p></div></div></td> 71<td><div class="exampleContainer expandable"> 72<div class="example"><pre> 73void test() { 74 const char* s1 = "abc"; 75 char *s2 = new char; 76 strcpy(s2, s1); // warn 77} 78</pre></div> 79<div class="example"><pre> 80void test() { 81 int* p1 = new int[3]; 82 int* p2 = new int; 83 memcpy(p2, p1, 3); // warn 84} 85</pre></div></div></td> 86<td class="aligned"></td></tr> 87 88 89<tr><td><div class="namedescr expandable"><span class="name"> 90memory.NegativeArraySize</span><span class="lang"> 91(C, C++)</span><div class="descr"> 92'n' is used to specify the buffer size may be negative. 93<br>Note: possibly an enhancement to <span class="name"> 94alpha.security.MallocOverflow</span>. 95<p>Source: <a href="http://cwe.mitre.org/data/definitions/20.html">CWE-20, 96Example 2</a>.</p></div></div></td> 97<td><div class="exampleContainer expandable"> 98<div class="example"><pre> 99void test() { 100 int *p; 101 int n1 = -1; 102 p = new int[n1]; // warn 103} 104</pre></div></div></td> 105<td class="aligned"></td></tr> 106 107<tr><td><div class="namedescr expandable"><span class="name"> 108memory.ZeroAlloc</span><span class="lang"> 109(C, C++)</span><div class="descr"> 110Allocation of zero bytes. 111<br>Note: an enhancement to <span class="name">unix.Malloc</span>. 112<br>Note: <span class="name">unix.API</span> perform C-checks for zero 113allocation. This should be moved to <span class="name">unix.Malloc</span>. 114<p>Source: C++03 3.7.3.1p2; C++11 3.7.4.1p2.</p></div></div></td> 115<td><div class="exampleContainer expandable"> 116<div class="example"><pre> 117#include <stdlib.h> 118 119void test() { 120 int *p = malloc(0); // warn 121 free(p); 122} 123</pre></div> 124<div class="example"><pre> 125void test() { 126 int *p = new int[0]; // warn 127 delete[] p; 128} 129</pre></div></div></td> 130<td class="aligned"><a href="http://reviews.llvm.org/D6178"> 131D6178</a></td></tr> 132 133</table> 134 135<!-- ======================= constructors/destructors ====================== --> 136<h3>constructors/destructors</h3> 137<table class="checkers"> 138<col class="namedescr"><col class="example"><col class="progress"> 139<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 140 141<tr><td><div class="namedescr expandable"><span class="name"> 142ctordtor.ExptInsideDtor</span><span class="lang"> 143(C++)</span><div class="descr"> 144It is dangerous to let an exception leave a destructor. 145Using <code>try..catch</code> solves the problem. 146<p>Source: Scott Meyers "More Effective C++", item 11: Prevent exceptions from 147leaving destructors.</p></div></div></td> 148<td><div class="exampleContainer expandable"> 149<div class="example"><pre> 150class A { 151 A() {} 152 ~A() { throw 1; } // warn 153}; 154</pre></div> 155<div class="example"><pre> 156void f() throw(int); 157 158class A { 159 A() {} 160 ~A() { f(); } // warn 161}; 162</pre></div></div></td> 163<td class="aligned"></td></tr> 164 165 166<tr><td><div class="namedescr expandable"><span class="name"> 167ctordtor.PlacementSelfCopy</span><span class="lang"> 168(C++11)</span><div class="descr"> 169For a placement copy or move, it is almost certainly an error if the 170constructed object is also the object being copied from.</div></div></td> 171<td><div class="exampleContainer expandable"> 172<div class="example"><pre> 173class A {}; 174 175void test(A *dst, A *src) { 176 ::new (dst) A(*dst); // warn (should be 'src') 177} 178</pre></div></div></td> 179<td class="aligned"><!--rdar://problem/13688366--></td></tr> 180 181</table> 182 183<!-- =============================== va_list =============================== --> 184<h3>va_list</h3> 185<table class="checkers"> 186<col class="namedescr"><col class="example"><col class="progress"> 187<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 188 189<tr><td><div class="namedescr expandable"><span class="name"> 190valist.Uninitialized</span><span class="lang"> 191(C)</span><div class="descr"> 192Calls to the <code>va_arg</code>, <code>va_copy</code>, or 193<code>va_end</code> macro must happen after calling <code>va_start</code> and 194before calling <code>va_end</code>.</div></div></td> 195<td><div class="exampleContainer expandable"> 196<div class="example"><pre> 197#include <stdarg.h> 198 199void test(int x, ...) { 200 va_list args; 201 int y = va_arg(args, int); // warn 202} 203</pre></div> 204<div class="example"><pre> 205#include <stdarg.h> 206 207void test(int x, ...) { 208 va_list args; 209 va_start(args, x); 210 va_end(args); 211 int z = va_arg(args, int); // warn 212} 213</pre></div></div></td> 214<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16812"> 215PR16811</a></td></tr> 216 217<tr><td><div class="namedescr expandable"><span class="name"> 218valist.Unterminated</span><span class="lang"> 219(C)</span><div class="descr"> 220Every <code>va_start</code> must be matched by a <code>va_end</code>. A va_list 221can only be ended once. 222 223<i>This should be folded into the generalized "ownership checker" 224described on the <a href="open_projects.html"> 225Open Projects</a> page.</i></div></div></td> 226<td><div class="exampleContainer expandable"> 227<div class="example"><pre> 228#include <stdarg.h> 229 230void test(int x, ...) { 231 va_list args; 232 va_start(args, x); 233 int y = x + va_arg(args, int); 234} // warn: missing va_end 235</pre></div></div></td> 236<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16812"> 237PR16812</a></td></tr> 238 239</table> 240 241<!-- ============================== exceptions ============================= --> 242<h3>exceptions</h3> 243<table class="checkers"> 244<col class="namedescr"><col class="example"><col class="progress"> 245<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 246 247<tr><td><div class="namedescr expandable"><span class="name"> 248exceptions.ThrowSpecButNotThrow</span><span class="lang"> 249(C++)</span><div class="descr"> 250Function declaration has a <code>throw(<i>type</i>)</code> specifier but the 251function do not throw exceptions.</div></div></td> 252<td><div class="exampleContainer expandable"> 253<div class="example"><pre> 254void test() throw(int) { 255} // warn 256</pre></div></div></td> 257<td class="aligned"></td></tr> 258 259 260<tr><td><div class="namedescr expandable"><span class="name"> 261exceptions.NoThrowSpecButThrows</span><span class="lang"> 262(C++)</span><div class="descr"> 263An exception is throw from a function having a <code>throw()</code> 264specifier.</div></div></td> 265<td><div class="exampleContainer expandable"> 266<div class="example"><pre> 267void test() throw() { 268 throw(1); // warn 269} 270</pre></div></div></td> 271<td class="aligned"></td></tr> 272 273 274<tr><td><div class="namedescr expandable"><span class="name"> 275exceptions.ThrownTypeDiffersSpec</span><span class="lang"> 276(C++)</span><div class="descr"> 277The type of a thrown exception differs from those specified in 278a <code>throw(<i>type</i>)</code> specifier.</div></div></td> 279<td><div class="exampleContainer expandable"> 280<div class="example"><pre> 281struct S{}; 282 283void test() throw(int) { 284 S s; 285 throw (s); // warn 286} 287</pre></div></div></td> 288<td class="aligned"></td></tr> 289 290</table> 291 292<!-- ========================= smart pointers ============================== --> 293<h3>smart pointers</h3> 294<table class="checkers"> 295<col class="namedescr"><col class="example"><col class="progress"> 296<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 297 298<tr><td><div class="namedescr expandable"><span class="name"> 299smartptr.SmartPtrInit</span><span class="lang"> 300(C++)</span><div class="descr"> 301C++03: <code>auto_ptr</code> should store a pointer to an object obtained via 302new as allocated memory will be cleaned using <code>delete</code>.<br> 303C++11: one should use <code>unique_ptr<<i>type</i>[]></code> to keep a 304pointer to memory allocated by <code>new[]</code>.<br> 305C++11: to keep a pointer to memory allocated by <code>new[]</code> in 306a <code>shared_ptr</code> one should use a custom deleter that calls <code> 307delete[].</code>. 308<p>Source: C++03 20.4.5p1; C++11 <code>auto_ptr</code> is deprecated (D.10).</p></div></div></td> 309<td><div class="exampleContainer expandable"> 310<div class="example"><pre> 311#include <stdlib.h> 312#include <memory> 313 314void test() { 315 std::auto_ptr<int> p1(new int); // Ok 316 std::auto_ptr<int> p2(new int[3]); // warn 317} 318</pre></div> 319<div class="example"><pre> 320#include <stdlib.h> 321#include <memory> 322 323void test() { 324 std::auto_ptr<int> p((int *)malloc(sizeof(int))); // warn 325} 326</pre></div></div></td> 327<td class="aligned"></td></tr> 328 329</table> 330 331<!-- ============================== dead code ============================== --> 332<h3>dead code</h3> 333<table class="checkers"> 334<col class="namedescr"><col class="example"><col class="progress"> 335<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 336 337<tr><td><div class="namedescr expandable"><span class="name"> 338deadcode.UnmodifiedVariable</span><span class="lang"> 339(C, C++)</span><div class="descr"> 340A variable is never modified but was not declared const and is not a 341reference.<br><br><i>(opt-in checker)</i></div></div></td> 342<td><div class="exampleContainer expandable"> 343<div class="example"><pre> 344extern int computeDelta(); 345 346int test(bool cond) { 347 int i = 0; 348 if (cond) { 349 const int delta = computeDelta(); 350 // warn: forgot to modify 'i' 351 } 352 return i; 353} 354</pre></div></div></td> 355<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16890">PR16890</a></td></tr> 356 357<tr><td><div class="namedescr expandable"><span class="name"> 358deadcode.IdempotentOperations</span><span class="lang"> 359(C)</span><div class="descr"> 360Warn about idempotent operations.</div></div></td> 361<td><div class="exampleContainer expandable"> 362<div class="example"><pre> 363void test() { 364 int x = 7; 365 x = x; // warn: value is always the same 366} 367</pre></div> 368<div class="example"><pre> 369void test() { 370 int x = 7; 371 x /= x; // warn: value is always 1 372} 373</pre></div> 374<div class="example"><pre> 375void test() { 376 int x = 7, one = 1; 377 x *= one; // warn: right op is always 1 378} 379</pre></div> 380<div class="example"><pre> 381void test() { 382 int x = 7, zero = 0; 383 x = x - zero; 384 // warn: the right operand to '-' is always 0 385} 386</pre></div></div></td> 387<td class="aligned">removed from alpha.deadcode.* at r198476</td></tr> 388 389</table> 390 391<!-- ================================ POSIX ================================ --> 392<h3>POSIX</h3> 393<table class="checkers"> 394<col class="namedescr"><col class="example"><col class="progress"> 395<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 396 397<tr><td><div class="namedescr expandable"><span class="name"> 398posix.Errno</span><span class="lang"> 399(C)</span><div class="descr"> 400Record that <code>errno</code> is non-zero when certain functions 401fail.</div></div></td> 402<td><div class="exampleContainer expandable"> 403<div class="example"><pre> 404#include <stdlib.h> 405 406int readWrapper(int fd, int *count) { 407 int lcount = read(fd, globalBuf, sizeof(globalBuf)); 408 if (lcount < 0) 409 return errno; 410 *count = lcount; 411 return 0; 412} 413 414void use(int fd) { 415 int count; 416 if (!readWrapper(fd, &count)) 417 print("%d", count); // should not warn 418} 419</pre></div></div></td> 420<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=18701">PR18701</a></td></tr> 421 422</table> 423 424<!-- ========================= undefined behavior ========================== --> 425<h3>undefined behavior</h3> 426<table class="checkers"> 427<col class="namedescr"><col class="example"><col class="progress"> 428<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 429 430<tr><td><div class="namedescr expandable"><span class="name"> 431undefbehavior.ExitInDtor</span><span class="lang"> 432(C++)</span><div class="descr"> 433Undefined behavior: <code>std::exit()</code> is called to end the program during 434the destruction of an object with static storage duration. 435<p>Source: C++11 3.6.1p4.</p></div></div></td> 436<td><div class="exampleContainer expandable"> 437<div class="example"><pre> 438#include <cstdlib> 439 440class A { 441public: 442 ~A() { 443 std::exit(1); // warn 444 } 445}; 446</pre></div></div></td> 447<td class="aligned"></td></tr> 448 449 450<tr><td><div class="namedescr expandable"><span class="name"> 451undefbehavior.LocalStaticDestroyed</span><span class="lang"> 452(C++)</span><div class="descr"> 453Undefined behavior: function containing a definition of static local object is 454called during the destruction of an object with static storage duration so that 455flow of control passes through the definition of the previously destroyed 456static local object. 457<p>Source: C++11 3.6.3p2.</p></div></div></td> 458<td><div class="exampleContainer expandable"> 459<div class="example"><pre> 460void f(); 461 462class A { 463public: 464 ~A() { 465 f(); // warn 466 } 467}; 468 469class B {}; 470 471A a; 472 473void f() { 474 static B b; 475} 476</pre></div></div></td> 477<td class="aligned"></td></tr> 478 479 480<tr><td><div class="namedescr expandable"><span class="name"> 481undefbehavior.ZeroAllocDereference</span><span class="lang"> 482(C, C++)</span><div class="descr"> 483The effect of dereferencing a pointer returned as a request for zero size is 484undefined.<br> 485Note: possibly an enhancement to <span class="name"> 486unix.Malloc</span>. 487<p>Source: C++03 3.7.3.1p2; C++11 3.7.4.1p2.</p></div></div></td> 488<td><div class="exampleContainer expandable"> 489<div class="example"><pre> 490#include <stdlib.h> 491 492void test() { 493 int *p = (int *)malloc(0); 494 *p = 1; // warn 495 free(p); 496} 497</pre></div> 498<div class="example"><pre> 499void f(int); 500 501void test() { 502 int *p = new int[0]; 503 f(*p); // warn 504 delete[] p; 505} 506</pre></div></div></td> 507<td class="aligned"><a href="http://reviews.llvm.org/D8273">D8273</a></td></tr> 508 509 510<tr><td><div class="namedescr expandable"><span class="name"> 511undefbehavior.DeadReferenced</span><span class="lang"> 512(C++)</span><div class="descr"> 513Undefined behavior: the following usage of the pointer to the object whose 514lifetime has ended can result in undefined behavior:<br> 515The object will be or was of a class type with a non-trivial destructor and 516<ul><li>the pointer is used as the operand of a delete-expression</li></ul> 517The object will be or was of a non-POD class type (C++11: any class type) and 518<ul><li>the pointer is used to access a non-static data member or call a 519non-static member function of the object</li> 520<li>the pointer is implicitly converted to a pointer to a base class 521type</li> 522<li>the pointer is used as the operand of a <code>static_cast</code> (except 523when the conversion is to <code>void*</code>, or to <code>void*</code> and 524subsequently to <code>char*</code>, or <code>unsigned char*</code>)</li> 525<li>the pointer is used as the operand of a <code>dynamic_cast</code></li></ul> 526<p>Source: C++03 3.8p5, p7; C++11 3.8p5, p7.</p></div></div></td> 527<td><div class="exampleContainer expandable"> 528<div class="example"><pre> 529#include <new> 530 531class A { 532public: 533 ~A(); 534}; 535 536class B : public A {}; 537 538void test() { 539 A *a = new A; 540 new(a) B; 541 delete a; // warn 542} 543</pre></div> 544<div class="example"><pre> 545#include <new> 546 547class A { 548public: 549 ~A(); 550}; 551 552class B {}; 553 554void test() { 555 A *a = new A; 556 new(a) B; 557 a->~A(); 558} 559</pre></div> 560<div class="example"><pre> 561#include <new> 562 563class A { 564public: 565 ~A(); 566}; 567 568class B : public A {}; 569 570class C {}; 571 572void f(A*); 573 574void test() { 575 B *b = new B; 576 new(b) C; 577 f(b); // warn 578} 579</pre></div> 580<div class="example"><pre> 581#include <new> 582 583class A { 584public: 585 ~A(); 586}; 587 588class B : public A {}; 589 590class C {}; 591 592A* test() { 593 B *b = new B; 594 new(b) C; 595 return static_cast<A*>(b); // warn 596} 597</pre></div> 598<div class="example"><pre> 599#include <new> 600 601class A { 602public: 603 ~A(); 604}; 605 606class B : public A {}; 607 608class C {}; 609 610A* test() { 611 B *b = new B; 612 new(b) C; 613 return dynamic_cast<A*>(b); // warn 614} 615</pre></div></div></td> 616<td class="aligned"></td></tr> 617 618 619<tr><td><div class="namedescr expandable"><span class="name"> 620undefbehavior.ObjLocChanges</span><span class="lang"> 621(C++)</span><div class="descr"> 622Undefined behavior: the program must ensure that an object occupies the same 623storage location when the implicit or explicit destructor call takes place. 624<p>Source: C++11 3.8p8.</p></div></div></td> 625<td><div class="exampleContainer expandable"> 626<div class="example"><pre> 627#include <new> 628 629class A {}; 630 631class B { 632public: 633 ~B(); 634}; 635 636void test() { 637 B b; 638 new (&b) A; 639} // warn 640</pre></div> 641<div class="example"><pre> 642#include <new> 643 644class A {}; 645 646class B { 647public: 648 ~B(); 649}; 650 651void test() { 652 B *b = new B; 653 new (b) A; 654 delete b; // warn 655} 656</pre></div></div></td> 657<td class="aligned"></td></tr> 658 659 660<tr><td><div class="namedescr expandable"><span class="name"> 661undefbehavior.ExprEvalOrderUndef</span><span class="lang"> 662(C, C++03)</span><div class="descr"> 663Undefined behavior: a scalar object shall have its stored value modified at 664most once by the evaluation of an expression.<br> 665Note: most cases are currently handled by the Clang core (search for 'multiple 666unsequenced modifications' warning in Clang tests). 667<p>Source: C++03 5p4.</p></div></div></td> 668<td><div class="exampleContainer expandable"> 669<div class="example"><pre> 670int test () { 671 int i = 0; 672 i = ++i + 1; // warn 673 return i; 674} 675</pre></div></div></td> 676<td class="aligned"></td></tr> 677 678 679<tr><td><div class="namedescr expandable"><span class="name"> 680undefbehavior.StaticInitReentered</span><span class="lang"> 681(C++)</span><div class="descr"> 682Undefined behavior: static declaration is re-entered while the object is being 683initialized. 684<p>Source: C++11 6.7p4.</p></div></div></td> 685<td><div class="exampleContainer expandable"> 686<div class="example"><pre> 687int test(int i) { 688 static int s = test(2 * i); // warn 689 return i + 1; 690} 691</pre></div></div></td> 692<td class="aligned"></td></tr> 693 694 695<tr><td><div class="namedescr expandable"><span class="name"> 696undefbehavior.ConstModified</span><span class="lang"> 697(C, C++)</span><div class="descr"> 698Undefined behavior: const object is being modified. 699<p>Source: C++03 7.1.5.1p4, C++11 7.1.6.1p4.</p></div></div></td> 700<td><div class="exampleContainer expandable"> 701<div class="example"><pre> 702void test() { 703 const int *cp = new const int (0); 704 int *p = const_cast<int *>(cp); 705 *p = 1; // warn 706 delete p; 707} 708</pre></div> 709<div class="example"><pre> 710class C { 711public : 712 int i; 713 C(); 714}; 715 716void test() { 717 const C cb; 718 719 C* cp = const_cast<C *>(&cb); 720 cp->i = 1; // warn 721} 722</pre></div></div></td> 723<td class="aligned"></td></tr> 724 725 726<tr><td><div class="namedescr expandable"><span class="name"> 727undefbehavior.DeadDestructed</span><span class="lang"> 728(C++)</span><div class="descr"> 729Undefined behavior: the destructor is invoked for an object whose lifetime 730has ended. 731<p>Source: C++11 12.4p14.</p></div></div></td> 732<td><div class="exampleContainer expandable"> 733<div class="example"><pre> 734class A { 735public: 736 void f(); 737 A(); 738 ~A(); 739}; 740 741void test() { 742 A a; 743 a.~A(); 744} // warn 745</pre></div></div></td> 746<td class="aligned"></td></tr> 747 748 749<tr><td><div class="namedescr expandable"><span class="name"> 750undefbehavior.MethodCallBeforeBaseInit</span><span class="lang"> 751(C++)</span><div class="descr"> 752Undefined behavior: calls member function but base not yet initialized. 753<p>Source: C++03 12.6.2p8; C++11 12.6.2p13.</p></div></div></td> 754<td><div class="exampleContainer expandable"> 755<div class="example"><pre> 756class A { 757public : 758 A(int); 759}; 760 761class B : public A { 762public : 763 int f(); 764 B() : A(f()) {} // warn 765}; 766</pre></div></div></td> 767<td class="aligned"></td></tr> 768 769 770<tr><td><div class="namedescr expandable"><span class="name"> 771undefbehavior.MemberOrBaseRefBeforeCtor</span><span class="lang"> 772(C++)</span><div class="descr"> 773C++ Undefined behavior: non-static member or base class of non-POD class type 774is referred before constructor begins execution.<br> 775C++11 Undefined behavior: non-static member or base class of a class with a 776non-trivial constructor is referred before constructor begins execution. 777<p>Source: C++03 12.7p1; C++11 12.7p1.</p></div></div></td> 778<td><div class="exampleContainer expandable"> 779<div class="example"><pre> 780struct non_POD { 781 int i; 782 non_POD(); 783}; 784 785extern non_POD non_pod; 786 787int *p = &non_pod.i; // warn 788</pre></div> 789<div class="example"><pre> 790struct POD { 791 int i; 792}; 793 794struct non_POD : public POD { 795 POD pod; 796}; 797 798extern non_POD non_pod; 799 800int *p = &non_pod.pod.i; // warn 801</pre></div> 802<div class="example"><pre> 803struct POD { 804 int i; 805}; 806 807struct non_POD : public POD {}; 808 809extern non_POD non_pod; 810 811POD *p = &non_pod; // warn 812</pre></div> 813<div class="example"><pre> 814struct non_POD { 815 int i; 816 non_POD(); 817}; 818 819struct S { 820 int *k; 821 non_POD non_pod; 822 S() : k(&non_pod.i) {} // warn 823}; 824</pre></div></div></td> 825<td class="aligned"></td></tr> 826 827 828<tr><td><div class="namedescr expandable"><span class="name"> 829undefbehavior.MemberRefAfterDtor</span><span class="lang"> 830(C++)</span><div class="descr"> 831C++03: Undefined behavior: non-static member of non-POD class type is referred 832after destructor ends execution.<br> 833C++11: Undefined behavior: non-static member of a class with a non-trivial 834destructor is referred after destructor ends execution. 835<p>Source: C++03 12.7p1; C++11 12.7p1.</p></div></div></td> 836<td><div class="exampleContainer expandable"> 837<div class="example"><pre> 838class C { 839public: 840 C(); 841 void f(); 842}; 843 844void test() { 845 C *c = new C(); 846 c->~C(); 847 c->f(); // warn 848} 849</pre></div></div></td> 850<td class="aligned"></td></tr> 851 852 853<tr><td><div class="namedescr expandable"><span class="name"> 854undefbehavior.CtorForeignCall</span><span class="lang"> 855(C++)</span><div class="descr"> 856Undefined behavior: call to virtual function of an object under construction 857whose type is neither the constructors own class or one of its bases. 858<p>Source: C++11 12.7p4.</p></div></div></td> 859<td><div class="exampleContainer expandable"> 860<div class="example"><pre> 861class A { 862public: 863 virtual void f() {}; 864}; 865 866class B { 867public: 868 B(A* a) { a->f(); } // warn 869}; 870 871class C : public A, B { 872public: 873 C() : B((A*)this) {} 874}; 875</pre></div></div></td> 876<td class="aligned"></td></tr> 877 878 879<tr><td><div class="namedescr expandable"><span class="name"> 880undefbehavior.CtorForeignTypeid</span><span class="lang"> 881(C++)</span><div class="descr"> 882Undefined behavior: the operand of <code>typeid</code> is an object under 883construction whose type is neither the constructors own class or one of its 884bases. 885<p>Source: C++11 12.7p5.</p></div></div></td> 886<td><div class="exampleContainer expandable"> 887<div class="example"><pre> 888#include <typeinfo> 889 890class A {}; 891 892class B { 893public: 894 B(A* a) { 895 (void)typeid(*a); // warn 896 } 897}; 898 899class C : public A, B { 900public: 901 C() : B((A*)this) {} 902}; 903</pre></div></div></td> 904<td class="aligned"></td></tr> 905 906 907<tr><td><div class="namedescr expandable"><span class="name"> 908undefbehavior.CtorForeignCast</span><span class="lang"> 909(C++)</span><div class="descr"> 910Undefined behavior: the operand of <code>dynamic_cast</code> is an object under 911construction whose type is neither the constructors own class or one of its 912bases. 913<p>Source: C++11 12.7p6.</p></div></div></td> 914<td><div class="exampleContainer expandable"> 915<div class="example"><pre> 916#include <typeinfo> 917 918class A { 919public: 920 virtual void f() {}; 921}; 922 923class B { 924public: 925 B(A* a) { 926 (void)dynamic_cast<B*>(a); //warn 927 } 928}; 929 930class C : public A, B { 931public: 932 C() : B((A*)this) {} 933}; 934</pre></div></div></td> 935<td class="aligned"></td></tr> 936 937 938<tr><td><div class="namedescr expandable"><span class="name"> 939undefbehavior.MemberOrBaseRefInCatch</span><span class="lang"> 940(C++)</span><div class="descr"> 941Undefined behavior: referring to any non-static member or base class of an 942object in the handler for a function-try-block of a constructor or destructor 943for that object results in undefined behavior. 944<p>Source: C++11 15.3p10.</p></div></div></td> 945<td><div class="exampleContainer expandable"> 946<div class="example"><pre> 947void f() { throw 1; } 948 949class C { 950 int i; 951public : 952 C() 953 try { 954 f(); 955 } 956 catch (...) { 957 i=2; // warn 958 } 959}; 960</pre></div> 961<div class="example"><pre> 962void f() { throw 1; } 963 964class Base { 965public: 966 int i; 967}; 968 969class C: public Base { 970public : 971 ~C() try { 972 f(); 973 } 974 catch (...) { 975 i=2; // warn 976 } 977}; 978</pre></div></div></td> 979<td class="aligned"></td></tr> 980 981 982<tr><td><div class="namedescr expandable"><span class="name"> 983undefbehavior.ReturnAtCatchEnd</span><span class="lang"> 984(C++)</span><div class="descr"> 985Undefined behavior: a function returns when control reaches the end of a 986handler. This results in undefined behavior in a value-returning function. 987<p>Source: C++11 15.3p10.</p></div></div></td> 988<td><div class="exampleContainer expandable"> 989<div class="example"><pre> 990void f() { throw 1; } 991 992int test() try { 993 f(); 994 return 1; 995} 996catch(int) { 997} // warn 998</pre></div></div></td> 999<td class="aligned"></td></tr> 1000 1001 1002<tr><td><div class="namedescr expandable"><span class="name"> 1003undefbehavior.AutoptrsOwnSameObj</span><span class="lang"> 1004(C++03)</span><div class="descr"> 1005Undefined behavior: if more than one <code>auto_ptr</code> owns the same object 1006at the same time the behavior of the program is undefined. 1007<p>Source: C++03 20.4.5p3; C++11 <code>auto_ptr</code> is deprecated 1008(D.10).</p></div></div></td> 1009<td><div class="exampleContainer expandable"> 1010<div class="example"><pre> 1011#include <memory> 1012 1013void test() { 1014 int *data = new int; 1015 std::auto_ptr<int> p(data); 1016 std::auto_ptr<int> q(data); // warn 1017} 1018</pre></div></div></td> 1019<td class="aligned"></td></tr> 1020 1021 1022<tr><td><div class="namedescr expandable"><span class="name"> 1023undefbehavior.BasicStringOutOfBound</span><span class="lang"> 1024(C++03)</span><div class="descr"> 1025Undefined behavior: out-of-bound <code>basic_string</code> access/modification. 1026<br>Note: possibly an enhancement to <span class="name"> 1027alpha.security.ArrayBoundV2</span>. 1028<p>Source: C++03 21.3.4p1; C++11 behavior is defined 1029(21.4.5p2).</p></div></div></td> 1030<td><div class="exampleContainer expandable"> 1031<div class="example"><pre> 1032#include <string> 1033 1034void test() { 1035 std::basic_string<char> s; 1036 char c = s[10]; // warn 1037} 1038</pre></div> 1039<div class="example"><pre> 1040#include <string> 1041 1042void test() { 1043 std::basic_string<char> s; 1044 s[10] = 0; // warn 1045} 1046</pre></div></div></td> 1047<td class="aligned"></td></tr> 1048 1049 1050<tr><td><div class="namedescr expandable"><span class="name"> 1051undefbehavior.EosDereference</span><span class="lang"> 1052(C++)</span><div class="descr"> 1053Undefined behavior: the result of <code>operator*()</code> on an end of a 1054stream is undefined. 1055<p>Source: C++03 24.5.3p2; C++11 24.6.3p2.</p></div></div></td> 1056<td><div class="exampleContainer expandable"> 1057<div class="example"><pre> 1058#include <vector> 1059 1060int test() { 1061 std::vector<int> v; 1062 return *v.end(); // warn 1063} 1064</pre></div></div></td> 1065<td class="aligned"></td></tr> 1066 1067 1068<tr><td><div class="namedescr expandable"><span class="name"> 1069undefbehavior.QsortNonPODNonTrivial</span><span class="lang"> 1070(C++)</span><div class="descr"> 1071C++03: Undefined behavior: the objects in the array passed to qsort are of 1072non-POD type.<br> 1073C++11: Undefined behavior: the objects in the array passed to qsort are of 1074non-trivial type. 1075<p>Source: C++03 25.4p4; C++11 25.5p4.</p></div></div></td> 1076<td><div class="exampleContainer expandable"> 1077<div class="example"><pre> 1078// C++03 1079#include <cstdlib> 1080 1081 1082struct non_POD { 1083 non_POD(); 1084}; 1085 1086non_POD values[] = { non_POD(), non_POD() }; 1087 1088int compare(const void *a, const void *b); 1089 1090void test() { 1091 qsort(values, 2, sizeof(non_POD), compare); // warn 1092} 1093</pre></div> 1094<div class="example"><pre> 1095// C++11 1096#include <cstdlib> 1097 1098struct S {}; 1099 1100struct trivial_non_POD : public S { 1101 int i; 1102}; 1103 1104struct non_trivial { 1105 int i; 1106 non_trivial(); 1107}; 1108 1109trivial_non_POD tnp[2]; 1110non_trivial nt[2]; 1111 1112int compare1(const void *a, const void *b); 1113 1114int compare2(const void *a, const void *b); 1115 1116void test() { 1117 qsort(tnp, 2, sizeof(trivial_non_POD), compare1); // ok 1118 qsort(nt, 2, sizeof(non_trivial), compare2); // warn 1119} 1120</pre></div></div></td> 1121<td class="aligned"></td></tr> 1122 1123 1124<tr><td><div class="namedescr expandable"><span class="name"> 1125undefbehavior.ThrowWhileCopy</span><span class="lang"> 1126(C++)</span><div class="descr"> 1127Undefined behavior: copy constructor/assignment operator can throw an exception. 1128The effects are undefined if an exception is thrown.</div></div></td> 1129<td><div class="exampleContainer expandable"> 1130<div class="example"><pre> 1131class C { 1132public: 1133 int i, j; 1134 C (const C &c) { 1135 i = c.i; 1136 throw 1; // warn 1137 j = c.j; 1138 }; 1139}; 1140</pre></div> 1141<div class="example"><pre> 1142class C { 1143public: 1144 int i, j; 1145 C &operator=(const C &c) { 1146 i = c.i; 1147 throw 1; // warn 1148 j = c.j; 1149 }; 1150}; 1151</pre></div></div></td> 1152<td class="aligned"></td></tr> 1153 1154 1155<tr><td><div class="namedescr expandable"><span class="name"> 1156undefbehavior.ValarrayArgBound</span><span class="lang"> 1157(C++)</span><div class="descr"> 1158Undefined behavior: the value of the <code><i>n</i></code> argument passed 1159to <code>valarray</code> constructor is greater than the number of values 1160pointed to by the first argument (source). 1161<p>Source: C++03 26.3.2.1p4; C++11 26.6.2.2p4.</p></div></div></td> 1162<td><div class="exampleContainer expandable"> 1163<div class="example"><pre> 1164#include <valarray> 1165 1166struct S { 1167 int i; 1168 S(int ii) : i(ii) {}; 1169}; 1170 1171void test(void) { 1172 S s[] = { S(1), S(2) }; 1173 std::valarray<S> v(s,3); // warn 1174} 1175</pre></div></div></td> 1176<td class="aligned"></td></tr> 1177 1178 1179<tr><td><div class="namedescr expandable"><span class="name"> 1180undefbehavior.ValarrayLengthDiffer</span><span class="lang"> 1181(C++)</span><div class="descr"> 1182Undefined behavior: <code>valarray</code> operands are of different length. 1183<p>Source: C++03 26.3.2.2p1, 26.3.2.6p3, 26.3.3.1p3, 26.3.3.2p3; 1184C++11 defined (26.6.2.3p1), 26.6.2.7p3, 26.6.3.1p3, 118526.6.3.2p3.</p></div></div></td> 1186<td><div class="exampleContainer expandable"> 1187<div class="example"><pre> 1188// C++03 1189#include <valarray> 1190 1191void test(void) { 1192 std::valarray<int> a(0, 1), b(0, 2); 1193 a = b; // warn 1194 b.resize(1); 1195 a = b; // ok 1196} 1197</pre></div> 1198<div class="example"><pre> 1199// C++03, C++11 1200#include <valarray> 1201 1202void test(void) { 1203 std::valarray<int> a(0, 1), b(0, 2); 1204 a *= b; // warn 1205} 1206</pre></div> 1207<div class="example"><pre> 1208// C++03, C++11 1209#include <valarray> 1210 1211void test(void) { 1212 std::valarray<int> a(0, 1), b(0, 2); 1213 a = a + b; // warn 1214} 1215</pre></div> 1216<div class="example"><pre> 1217// C++03, C++11 1218#include <valarray> 1219 1220void test(void) { 1221 std::valarray<int> a(0, 1), b(0, 2); 1222 std::valarray<bool> c(false, 1); 1223 c = a == b; // warn 1224} 1225</pre></div></div></td> 1226<td class="aligned"></td></tr> 1227 1228 1229<tr><td><div class="namedescr expandable"><span class="name"> 1230undefbehavior.ValarrayZeroLength</span><span class="lang"> 1231(C++)</span><div class="descr"> 1232Undefined behavior: calling <code>sum()</code>/<code>min()</code>/<code> 1233max()</code> methods of a zero length <code>valarray<code> the behavior is 1234undefined. 1235<p>Source: C++03 26.3.2.7p2, p3, p4; C++11 26.6.2.8p5, p6, 1236p7.</p></div></div></td> 1237<td><div class="exampleContainer expandable"> 1238<div class="example"><pre> 1239#include <valarray> 1240 1241void test(void) { 1242 std::valarray<int> v(0, 0); 1243 v.sum(); // warn 1244} 1245</pre></div></div></td> 1246<td class="aligned"></td></tr> 1247 1248 1249<tr><td><div class="namedescr expandable"><span class="name"> 1250undefbehavior.ValarrayBadIndirection</span><span class="lang"> 1251(C++)</span><div class="descr"> 1252Undefined behavior: element is specified more than once in an indirection. 1253<p>Source: C++03 26.3.9.2p2, 26.3.9.3p2; C++11 26.6.9.2p2, 125426.6.9.3p2.</p></div></div></td> 1255<td><div class="exampleContainer expandable"> 1256<div class="example"><pre> 1257#include <valarray> 1258 1259void test() { 1260 // '1' is specified more then once 1261 size_t addr[] = {0, 1, 1}; 1262 std::valarray<size_t>indirect(addr, 3); 1263 std::valarray<int> a(0, 5), b(1, 3); 1264 a[indirect] = b; //warn 1265} 1266</pre></div> 1267<div class="example"><pre> 1268#include <valarray> 1269 1270void test() { 1271 // '1' is specified more then once 1272 size_t addr[] = {0, 1, 1}; 1273 std::valarray<size_t>indirect(addr, 3); 1274 std::valarray<int> a(0, 5), b(1, 3); 1275 a[indirect] *= b; //warn 1276} 1277</pre></div></div></td> 1278<td class="aligned"></td></tr> 1279 1280 1281<tr><td><div class="namedescr expandable"><span class="name"> 1282undefbehavior.IosBaseDestroyedBeforeInit</span><span class="lang"> 1283(C++)</span><div class="descr"> 1284Undefined behavior: <code>ios_base</code> object is destroyed before 1285initialization have taken place. <code>basic_ios::init</code> should be call to 1286initialize <code>ios_base</code> members. 1287<p>Source: C++03 27.4.2.7p1, 27.4.4.1p2; C++11 27.5.3.7p1, 128827.5.5.2p2.</p></div></div></td> 1289<td><div class="exampleContainer expandable"> 1290<div class="example"><pre> 1291#include <ios> 1292 1293using namespace std; 1294template <class T, class Traits = std::char_traits<T> > 1295class my_stream1 : public std::basic_ios<T, Traits> { 1296}; 1297 1298template <class T, class Traits = std::char_traits<T> > 1299class my_stream2 : public std::basic_ios<T, Traits> { 1300 class my_streambuf 1301 : public std::basic_streambuf<T, Traits> { 1302 }; 1303public: 1304 my_stream2() { 1305 this->init(new my_streambuf); 1306 } 1307}; 1308 1309void test() { 1310 my_stream1<char> *p1 = new my_stream1<char>; 1311 my_stream2<char> *p2 = new my_stream2<char>; 1312 delete p1; // warn 1313 delete p2; // ok 1314} 1315</pre></div></div></td> 1316<td class="aligned"></td></tr> 1317 1318 1319<tr><td><div class="namedescr expandable"><span class="name"> 1320undefbehavior.IosBaseUsedBeforeInit</span><span class="lang"> 1321(C++11)</span><div class="descr"> 1322Undefined behavior: <code>ios_base</code> object is used before initialization 1323have taken place. <code>basic_ios::init</code> should be call to 1324initialize <code>ios_base</code> members. 1325<p>Source: C++11 27.5.3.7p1, 27.5.5.2p2.</p></div></div></td> 1326<td><div class="exampleContainer expandable"> 1327<div class="example"><pre> 1328#include <ios> 1329 1330using namespace std; 1331template <class T, class Traits = std::char_traits<T> > 1332class my_stream1 : public std::basic_ios<T, Traits> { 1333}; 1334 1335template <class T, class Traits = std::char_traits<T> > 1336class my_stream2 : public std::basic_ios<T, Traits> { 1337 class my_streambuf 1338 : public std::basic_streambuf<T, Traits> { 1339 }; 1340public: 1341 my_stream2() { 1342 this->init(new my_streambuf); 1343 } 1344}; 1345 1346void test() { 1347 my_stream1<char> *p1 = new my_stream1<char>; 1348 my_stream2<char> *p2 = new my_stream2<char>; 1349 p1->narrow('a', 'b'); // warn 1350 p2->narrow('a', 'b'); // ok 1351} 1352</pre></div></div></td> 1353<td class="aligned"></td></tr> 1354 1355 1356<tr><td><div class="namedescr expandable"><span class="name"> 1357undefbehavior.MinusOnePosType</span><span class="lang"> 1358(C++)</span><div class="descr"> 1359Undefined behavior: passing -1 to any <code>streambuf</code>/<code> 1360istream</code>/<code>ostream</code> member that accepts a value of 1361type <code>traits::pos_type</code> result in undefined behavior. 1362<p>Source: C++03 27.4.3.2p3; C++11 27.5.4.2p3.</p></div></div></td> 1363<td><div class="exampleContainer expandable"> 1364<div class="example"><pre> 1365#include <fstream> 1366 1367class my_streambuf : public std::streambuf { 1368 void f() { 1369 seekpos(-1); // warn 1370 } 1371}; 1372</pre></div> 1373<div class="example"><pre> 1374#include <fstream> 1375 1376void test() { 1377 std::filebuf fb; 1378 std::istream in(&fb); 1379 std::filebuf::off_type pos(-1); 1380 in.seekg(pos); // warn 1381} 1382</pre></div></div></td> 1383<td class="aligned"></td></tr> 1384 1385</table> 1386 1387<!-- ============================ different ================================ --> 1388<h3>different</h3> 1389<table class="checkers"> 1390<col class="namedescr"><col class="example"><col class="progress"> 1391<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr> 1392</thead> 1393 1394<tr><td><div class="namedescr expandable"><span class="name"> 1395different.SuccessiveAssign</span><span class="lang"> 1396(C)</span><div class="descr"> 1397Successive assign to a variable.</div></div></td> 1398<td><div class="exampleContainer expandable"> 1399<div class="example"><pre> 1400int test() { 1401 int i; 1402 i=1; 1403 i=2; // warn 1404 return i; 1405} 1406</pre></div></div></td> 1407<td class="aligned"></td></tr> 1408 1409 1410<tr><td><div class="namedescr expandable"><span class="name"> 1411different.NullDerefStmtOrder</span><span class="lang"> 1412(C)</span><div class="descr"> 1413Dereferencing of the null pointer might take place. Checking the pointer for 1414null should be performed first. 1415<br>Note: possibly an enhancement to <span class="name"> 1416core.NullDereference</span>.</div></div></td> 1417<td><div class="exampleContainer expandable"> 1418<div class="example"><pre> 1419struct S { 1420 int x; 1421}; 1422 1423struct S* f(); 1424 1425void test() { 1426 struct S *p1 = f(); 1427 int x1 = p1->x; // warn 1428 if (p1) {}; 1429 1430 struct S *p2 = f(); 1431 int x2 = p2->x; // ok 1432} 1433</pre></div></div></td> 1434<td class="aligned"></td></tr> 1435 1436 1437<tr><td><div class="namedescr expandable"><span class="name"> 1438different.NullDerefCondOrder</span><span class="lang"> 1439(C)</span><div class="descr"> 1440Dereferencing of the null pointer might take place. Checking the pointer for 1441null should be performed first. 1442<br>Note: possibly an enhancement to <span class="name"> 1443core.NullDereference</span>.</div></div></td> 1444<td><div class="exampleContainer expandable"> 1445<div class="example"><pre> 1446struct S {int i;}; 1447 1448struct S* f(); 1449 1450void test() { 1451 struct S *p = f(); 1452 if (p->i && p) {}; // warn 1453} 1454</pre></div></div></td> 1455<td class="aligned"></td></tr> 1456 1457 1458<tr><td><div class="namedescr expandable"><span class="name"> 1459different.MultipleAccessors</span><span class="lang"> 1460(C++)</span><div class="descr"> 1461Identical accessor bodies. Possibly a misprint.</div></div></td> 1462<td><div class="exampleContainer expandable"> 1463<div class="example"><pre> 1464class A { 1465 int i; 1466 int j; 1467public: 1468 int getI() { return i; } 1469 int getJ() { return i; } // warn 1470}; 1471</pre></div> 1472<div class="example"><pre> 1473class A { 1474 int i; 1475 int j; 1476public: 1477 void setI(int& ii) { i = ii; } 1478 void setJ(int& jj) { i = jj; } // warn 1479}; 1480</pre></div></div></td> 1481<td class="aligned"></td></tr> 1482 1483 1484<tr><td><div class="namedescr expandable"><span class="name"> 1485different.AccessorsForPublic</span><span class="lang"> 1486(C++)</span><div class="descr"> 1487Accessors exist for a public class field. Should this field really be 1488public?</div></div></td> 1489<td><div class="exampleContainer expandable"> 1490<div class="example"><pre> 1491class A { 1492public: 1493 int i; // warn 1494 int getI() { return i; } 1495 void setI(int& ii) { i = ii; } 1496}; 1497</pre></div></div></td> 1498<td class="aligned"></td></tr> 1499 1500 1501<tr><td><div class="namedescr expandable"><span class="name"> 1502different.LibFuncResultUnised</span><span class="lang"> 1503(C, C++)</span><div class="descr"> 1504Calling a function ignoring its return value is of no use (create the list of 1505known system/library/API functions falling into this category).</div></div></td> 1506<td><div class="exampleContainer expandable"> 1507<div class="example"><pre> 1508#include <vector> 1509 1510void test() { 1511 std::vector<int> v; 1512 v.empty(); // warn 1513} 1514</pre></div></div></td> 1515<td class="aligned"></td></tr> 1516 1517 1518<tr><td><div class="namedescr expandable"><span class="name"> 1519different.WrongVarForStmt</span><span class="lang"> 1520(C, C++)</span><div class="descr"> 1521Wrong variable is possibly used in the loop/cond-expression of 1522the <code>for</code> statement. Did you mean 1523'proper_variable_name'?</div></div></td> 1524<td><div class="exampleContainer expandable"> 1525<div class="example"><pre> 1526void test() { 1527 int i = 0; 1528 int j = 0; 1529 for (i = 0; i < 3; j += 1); // warn 1530} 1531</pre></div> 1532<div class="example"><pre> 1533void test() { 1534 int i = 0; 1535 int j = 0; 1536 for (int j = 0; i < 3; ++j); // warn 1537} 1538</pre></div></div></td> 1539<td class="aligned"></td></tr> 1540 1541 1542<tr><td><div class="namedescr expandable"><span class="name"> 1543different.FloatingCompare</span><span class="lang"> 1544(C)</span><div class="descr"> 1545Comparing floating point numbers may be not precise.</div></div></td> 1546<td><div class="exampleContainer expandable"> 1547<div class="example"><pre> 1548#include <math.h> 1549 1550double test() { 1551 double b = sin(M_PI / 6.0); 1552 if (b == 0.5) // warn 1553 b = 0; 1554 return b; 1555} 1556</pre></div></div></td> 1557<td class="aligned"></td></tr> 1558 1559 1560<tr><td><div class="namedescr expandable"><span class="name"> 1561different.BitwiseOpBoolArg</span><span class="lang"> 1562(C, C++)</span><div class="descr"> 1563Boolean value met at the left/right part of the bitwise <code>&</code> 1564or <code>|</code> operator. 1565Did you mean <code>&&</code> (<code>||</code>) ?</div></div></td> 1566<td><div class="exampleContainer expandable"> 1567<div class="example"><pre> 1568int f(); 1569 1570void test() { 1571 bool b = true; 1572 if (b & f()) {} // warn 1573} 1574</pre></div></div></td> 1575<td class="aligned"></td></tr> 1576 1577 1578<tr><td><div class="namedescr expandable"><span class="name"> 1579different.LabelInsideSwitch</span><span class="lang"> 1580(C)</span><div class="descr"> 1581Possibly a misprint: label found inside a <code>switch()</code> 1582statement.</div></div></td> 1583<td><div class="exampleContainer expandable"> 1584<div class="example"><pre> 1585void test(int c) { 1586 switch(c){ 1587 case 1: 1588 c += 1; break; 1589 defalt: // warn (did you mean 'default'?) 1590 c -= 1; break; 1591 } 1592} 1593</pre></div></div></td> 1594<td class="aligned"></td></tr> 1595 1596 1597<tr><td><div class="namedescr expandable"><span class="name"> 1598different.IdenticalCondIfIf</span><span class="lang"> 1599(C)</span><div class="descr"> 1600The conditions of two subsequent <code>if</code> statements are 1601identical.</div></div></td> 1602<td><div class="exampleContainer expandable"> 1603<div class="example"><pre> 1604int test(int c) { 1605 if (c > 5) 1606 c += 1; 1607 if (c > 5) // warn 1608 c -= 1; 1609 return c; 1610} 1611</pre></div></div></td> 1612<td class="aligned"></td></tr> 1613 1614 1615<tr><td><div class="namedescr expandable"><span class="name"> 1616different.LogicalOpUselessArg</span><span class="lang"> 1617(C)</span><div class="descr"> 1618The second operand of a <code>&&</code> operator has no impact on 1619expression result.</div></div></td> 1620<td><div class="exampleContainer expandable"> 1621<div class="example"><pre> 1622void test(unsigned a) { 1623 if (a<7 && a<10) {}; // warn 1624} 1625</pre></div></div></td> 1626<td class="aligned"></td></tr> 1627 1628 1629<tr><td><div class="namedescr expandable"><span class="name"> 1630different.SameResLogicalExpr</span><span class="lang"> 1631(C)</span><div class="descr"> 1632An expression is always evaluated to true/false.</div></div></td> 1633<td><div class="exampleContainer expandable"> 1634<div class="example"><pre> 1635void test() { 1636 int i = 0; 1637 if (i != 0) {}; // warn 1638} 1639</pre></div> 1640<div class="example"><pre> 1641void test(int i) { 1642 if (i == 0 && i == 1) {}; // warn 1643} 1644</pre></div> 1645<div class="example"><pre> 1646void test(int i) { 1647 if (i < 0 || i >= 0) {}; // warn 1648} 1649</pre></div></div></td> 1650<td class="aligned"></td></tr> 1651 1652 1653<tr><td><div class="namedescr expandable"><span class="name"> 1654different.OpPrecedenceAssignCmp</span><span class="lang"> 1655(C, C++)</span><div class="descr"> 1656Comparison operation has higher precedence then assignment. Boolean value is 1657assigned to a variable of other type. Parenthesis may bee required around an 1658assignment.</div></div></td> 1659<td><div class="exampleContainer expandable"> 1660<div class="example"><pre> 1661int f(); 1662 1663void test(int x, int y) { 1664 bool b; 1665 if((b = x != y)) {} // ok 1666 if((x = f() != y)) {} // warn 1667} 1668</pre></div></div></td> 1669<td class="aligned"></td></tr> 1670 1671 1672<tr><td><div class="namedescr expandable"><span class="name"> 1673different.OpPrecedenceIifShift</span><span class="lang"> 1674(C, C++)</span><div class="descr"> 1675<code>?:</code> has lower precedence then <code><<</code>. 1676<p>Source: Stephen C. Dewhurst "C++ Gotchas: Avoiding Common Problems in Coding 1677and Design", advise 15.</p></div></div></td> 1678<td><div class="exampleContainer expandable"> 1679<div class="example"><pre> 1680#include <iostream> 1681 1682void test(int a) { 1683 std::cout << a ? "a" : "b"; // warn 1684} 1685</pre></div> 1686<div class="example"><pre> 1687void test(int a) { 1688 a << a > 7 ? 1 : 2; // warn 1689} 1690</pre></div></div></td> 1691<td class="aligned"></td></tr> 1692 1693 1694<tr><td><div class="namedescr expandable"><span class="name"> 1695different.ObjectUnused</span><span class="lang"> 1696(C++)</span><div class="descr"> 1697The object was created but is not being used.</div></div></td> 1698<td><div class="exampleContainer expandable"> 1699<div class="example"><pre> 1700struct S { 1701 int x, y; 1702 S(int xx, int yy) : x(xx), y(yy) {} 1703 S(int xx) { 1704 S(xx, 0); // warn 1705 } 1706}; 1707</pre></div> 1708<div class="example"><pre> 1709#include <exception> 1710 1711void test() { 1712 std::exception(); 1713 // warn (did you mean 'throw std::exception()'?) 1714} 1715</pre></div></div></td> 1716<td class="aligned"></td></tr> 1717 1718 1719<tr><td><div class="namedescr expandable"><span class="name"> 1720different.StaticArrayPtrCompare</span><span class="lang"> 1721(C)</span><div class="descr"> 1722Pointer to static array is being compared to NULL. May the subscripting is 1723missing.</div></div></td> 1724<td><div class="exampleContainer expandable"> 1725<div class="example"><pre> 1726void test() { 1727 int a[1][1]; 1728 if (a[0] == 0) {}; // warn 1729} 1730</pre></div></div></td> 1731<td class="aligned"></td></tr> 1732 1733 1734<tr><td><div class="namedescr expandable"><span class="name"> 1735different.ConversionToBool</span><span class="lang"> 1736(C, C++)</span><div class="descr"> 1737Odd implicit conversion to boolean. 1738<br>Note: possibly merge with <span class="name"> 1739alpha.core.BoolAssignment</span>.</div></div></td> 1740<td><div class="exampleContainer expandable"> 1741<div class="example"><pre> 1742bool test() { 1743 return 1.; // warn 1744} 1745</pre></div> 1746<div class="example"><pre> 1747bool test() { 1748 return ""; // warn 1749} 1750</pre></div></div></td> 1751<td class="aligned"></td></tr> 1752 1753 1754<tr><td><div class="namedescr expandable"><span class="name"> 1755different.ArrayBound</span><span class="lang"> 1756(C++)</span><div class="descr"> 1757Out-of-bound dynamic array access. 1758<br>Note: possibly an enhancement to <span class="name"> 1759alpha.security.ArrayBoundV2</span>.</div></div></td> 1760<td><div class="exampleContainer expandable"> 1761<div class="example"><pre> 1762void test() { 1763 int *p = new int[1]; 1764 int i = 1; 1765 if(p[i]) {}; // warn 1766 delete[] p; 1767} 1768</pre></div></div></td> 1769<td class="aligned"></td></tr> 1770 1771 1772<tr><td><div class="namedescr expandable"><span class="name"> 1773different.StrcpyInputSize</span><span class="lang"> 1774(C)</span><div class="descr"> 1775Buffer copy without checking the size of input. 1776<br>Note: possibly an enhancement to <span class="name"> 1777alpha.unix.cstring.OutOfBounds</span>.</div></div></td> 1778<td><div class="exampleContainer expandable"> 1779<div class="example"><pre> 1780void test(char* string) { 1781 char buf[24]; 1782 strcpy(buf, string); // warn 1783} 1784</pre></div></div></td> 1785<td class="aligned"></td></tr> 1786 1787 1788<tr><td><div class="namedescr expandable"><span class="name"> 1789different.IntegerOverflow</span><span class="lang"> 1790(C)</span><div class="descr"> 1791Integer overflow. 1792<br>Note: partially handled by Clang core 1793(search for 'overflow in expression' warning in Clang tests). 1794<p>Source: <a href="http://cwe.mitre.org/data/definitions/190.html"> 1795CWE-190</a>.</p></div></div></td> 1796<td><div class="exampleContainer expandable"> 1797<div class="example"><pre> 1798#include <limits.h> 1799 1800int f(int x); 1801 1802void test() { 1803 f(INT_MAX + 1); // warn 1804} 1805</pre></div> 1806<div class="example"><pre> 1807#include <limits.h> 1808 1809int test() { 1810 int x = INT_MAX / 2 + 1; 1811 return x * 2; // warn 1812} 1813</pre></div></div></td> 1814<td class="aligned"></td></tr> 1815 1816 1817<tr><td><div class="namedescr expandable"><span class="name"> 1818different.SignExtension</span><span class="lang"> 1819(C)</span><div class="descr"> 1820Unexpected sign extension might take place. 1821<p>Source: <a href="http://cwe.mitre.org/data/definitions/194.html"> 1822CWE-194</a>.</p></div></div></td> 1823<td><div class="exampleContainer expandable"> 1824<div class="example"><pre> 1825unsigned long long test(long long sll) { 1826 unsigned long long ull = sll; // warn 1827 return ull; 1828} 1829</pre></div> 1830<div class="example"><pre> 1831void f(unsigned int i); 1832 1833void test(int si) { 1834 f(si); // warn 1835} 1836</pre></div> 1837<div class="example"><pre> 1838unsigned int test(int i) { 1839 return i; 1840} 1841</pre></div></div></td> 1842<td class="aligned"></td></tr> 1843 1844 1845<tr><td><div class="namedescr expandable"><span class="name"> 1846different.NumericTruncation</span><span class="lang"> 1847(C)</span><div class="descr"> 1848Numeric truncation might take place. 1849<p>Source: <a href="http://cwe.mitre.org/data/definitions/197.html"> 1850CWE-197</a>.</p></div></div></td> 1851<td><div class="exampleContainer expandable"> 1852<div class="example"><pre> 1853unsigned long test(unsigned long long ull) { 1854 unsigned long ul = ull; // warn 1855 return ul; 1856} 1857</pre></div> 1858<div class="example"><pre> 1859void f(int i); 1860 1861void test(long long sll) { 1862 f(sll); // warn 1863} 1864</pre></div> 1865<div class="example"><pre> 1866int f(); 1867 1868short test(long long sll) { 1869 short ss = f(); 1870 return ss; 1871} 1872</pre></div></div></td> 1873<td class="aligned"></td></tr> 1874 1875 1876<tr><td><div class="namedescr expandable"><span class="name"> 1877different.MissingCopyCtorAssignOp</span><span class="lang"> 1878(C++)</span><div class="descr"> 1879A class has dynamically allocated data members but do not define a copy 1880constructor/assignment operator. 1881<p>Source: Scott Meyers "Effective C++", item 11: Prevent exceptions from 1882leaving destructors.</p></div></div></td> 1883<td><div class="exampleContainer expandable"> 1884<div class="example"><pre> 1885class C { 1886 int *p; // warn 1887public: 1888 C() { p = new int; } 1889 ~C() { delete p; } 1890}; 1891</pre></div></div></td> 1892<td class="aligned"></td></tr> 1893 1894</table> 1895 1896<!-- ============================ WinAPI =================================== --> 1897<h3>WinAPI</h3> 1898<table class="checkers"> 1899<col class="namedescr"><col class="example"><col class="progress"> 1900<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 1901 1902<tr><td><div class="namedescr expandable"><span class="name"> 1903WinAPI.CreateProcess</span><span class="lang"> 1904(C)</span><div class="descr"> 1905<code>CreateProcess()</code>: if the first parameter <code><i> 1906lpApplicationName</i></code> is NULL then the executable name must be in the 1907white space-delimited string pointed to by <code><i>lpCommandLine</code></i>. 1908If the executable or path name has a space in it, there is a risk that a 1909different executable could be run because of the way the function parses 1910spaces. 1911<p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx"> 1912MSDN: CreateProcess function, Security Remarks</a>.</p></div></div></td> 1913<td><div class="exampleContainer expandable"> 1914<div class="example"><pre> 1915#include <windows.h> 1916 1917void test() { 1918 STARTUPINFO si; 1919 PROCESS_INFORMATION pi; 1920 CreateProcess(NULL, TEXT("C:\\Program Files\\App -L -S"), 1921 NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi); 1922 // warn 1923} 1924</pre></div></div></td> 1925<td class="aligned"></td></tr> 1926 1927 1928<tr><td><div class="namedescr expandable"><span class="name"> 1929WinAPI.LoadLibrary</span><span class="lang"> 1930(C)</span><div class="descr"> 1931The <code>SearchPath()</code> function is used to retrieve a path to a DLL for 1932a subsequent <code>LoadLibrary()</code> call. 1933<p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684175%28v=vs.85%29.aspx"> 1934MSDN: LoadLibrary function, Security Remarks</a>.</p></div></div></td> 1935<td><div class="exampleContainer expandable"> 1936<div class="example"><pre> 1937#include <windows.h> 1938 1939HINSTANCE test() { 1940 char filePath[100]; 1941 SearchPath(NULL, "file.dll", NULL, 100, filePath, NULL); 1942 return LoadLibrary(filePath); // warn 1943} 1944</pre></div></div></td> 1945<td class="aligned"></td></tr> 1946 1947 1948<tr><td><div class="namedescr expandable"><span class="name"> 1949WinAPI.WideCharToMultiByte</span><span class="lang"> 1950(C)</span><div class="descr"> 1951Buffer overrun while calling <code>WideCharToMultiByte()</code>. The size of 1952the input buffer equals the number of characters in the Unicode string, while 1953the size of the output buffer equals the number of bytes. 1954<p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/dd374130%28v=vs.85%29.aspx"> 1955MSDN: WideCharToMultiByte function</a>.</p></div></div></td> 1956<td><div class="exampleContainer expandable"> 1957<div class="example"><pre> 1958#include <windows.h> 1959 1960void test() { 1961 wchar_t ws[] = L"abc"; 1962 char s[3]; 1963 WideCharToMultiByte(CP_UTF8, 0, ws, -1, s, 1964 3, NULL, NULL); // warn 1965} 1966</pre></div></div></td> 1967<td class="aligned"></td></tr> 1968 1969 1970</table> 1971 1972<!-- =========================== optimization ============================== --> 1973<h3>optimization</h3> 1974<table class="checkers"> 1975<col class="namedescr"><col class="example"><col class="progress"> 1976<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 1977 1978<tr><td><div class="namedescr expandable"><span class="name"> 1979optimization.PassConstObjByValue</span><span class="lang"> 1980(C, C++)</span><div class="descr"> 1981Optimization: It is more effective to pass constant parameter by reference to 1982avoid unnecessary object copying.</div></div></td> 1983<td><div class="exampleContainer expandable"> 1984<div class="example"><pre> 1985struct A {}; 1986 1987void f(const struct A a); // warn 1988</pre></div></div></td> 1989<td class="aligned"></td></tr> 1990 1991 1992<tr><td><div class="namedescr expandable"><span class="name"> 1993optimization.PostfixIncIter</span><span class="lang"> 1994(C++)</span><div class="descr"> 1995Optimization: It is more effective to use prefix increment operator with 1996iterator. 1997<p>Source: Scott Meyers "More Effective C++", item 6: 1998Distinguish between prefix and postfix forms of increment and decrement 1999operators.</p></div></div></td> 2000<td><div class="exampleContainer expandable"> 2001<div class="example"><pre> 2002#include <vector> 2003 2004void test() { 2005 std::vector<int> v; 2006 std::vector<int>::const_iterator it; 2007 for(it = v.begin(); 2008 it != v.end(); it++) {}; // warn 2009} 2010</pre></div></div></td> 2011<td class="aligned"></td></tr> 2012 2013 2014<tr><td><div class="namedescr expandable"><span class="name"> 2015optimization.MultipleCallsStrlen</span><span class="lang"> 2016(C)</span><div class="descr"> 2017Optimization: multiple calls to <code>strlen()</code> for a string in an 2018expression. It is more effective to hold a value returned 2019from <code>strlen()</code> in a temporary variable.</div></div></td> 2020<td><div class="exampleContainer expandable"> 2021<div class="example"><pre> 2022#include <string.h> 2023 2024void test(const char* s) { 2025 if (strlen(s) > 0 && 2026 strlen(s) < 7) {}; // warn 2027} 2028</pre></div></div></td> 2029<td class="aligned"></td></tr> 2030 2031 2032<tr><td><div class="namedescr expandable"><span class="name"> 2033optimization.StrLengthCalculation</span><span class="lang"> 2034(C++)</span><div class="descr"> 2035Optimization: it is more efficient to use <code>string::length()</code> to 2036calculate the length of an <code>std::string</code>.</div></div></td> 2037<td><div class="exampleContainer expandable"> 2038<div class="example"><pre> 2039#include <string> 2040#include <string.h> 2041 2042void test() { 2043 std::string s; 2044 if (strlen(s.c_str()) != 0) {}; // warn 2045} 2046</pre></div></div></td> 2047<td class="aligned"></td></tr> 2048 2049 2050<tr><td><div class="namedescr expandable"><span class="name"> 2051optimization.EmptyContainerDetect</span><span class="lang"> 2052(C++)</span><div class="descr"> 2053Optimization: It is more efficient to use containers <code>empty()</code> 2054method to identify an empty container.</div></div></td> 2055<td><div class="exampleContainer expandable"> 2056<div class="example"><pre> 2057#include <list> 2058 2059void test() { 2060 std::list<int> l; 2061 if (l.size() != 0) {}; // warn 2062} 2063</pre></div></div></td> 2064<td class="aligned"></td></tr> 2065 2066 2067</table> 2068 2069<br> 2070</div> <!-- page --> 2071</div> <!-- content --> 2072</body> 2073</html> 2074