1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 2 "http://www.w3.org/TR/html4/strict.dtd"> 3<html> 4<head> 5 <title>List of potential checkers</title> 6 <link type="text/css" rel="stylesheet" href="content.css"> 7 <link type="text/css" rel="stylesheet" href="menu.css"> 8 <script type="text/javascript" src="scripts/expandcollapse.js"></script> 9 <script type="text/javascript" src="scripts/menu.js"></script> 10</head> 11<body onload="initExpandCollapse()"> 12 13<div id="page"> 14 15<!-- menu --> 16<!--#include virtual="menu.html.incl"--> 17<!-- page content --> 18<div id="content"> 19<h1>List of potential checkers</h1> 20 21<p>This page contains a list of potential checkers to implement in the static analyzer. If you are interested in contributing to the analyzer's development, this is a good resource to help you get started. The specific names of the checkers are subject to review, and are provided here as suggestions.</p> 22 23<!-- ========================= allocation/deallocation ======================= --> 24<h3>memory</h3> 25<table class="checkers"> 26<col class="namedescr"><col class="example"><col class="progress"> 27<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 28 29<tr><td><div class="namedescr expandable"><span class="name"> 30memory.LeakEvalOrder</span><span class="lang"> 31(C, C++)</span><div class="descr"> 32Potential memory leaks caused by an undefined argument evaluation order. 33<p>Source: <a href="http://www.boost.org/doc/libs/1_49_0/libs/smart_ptr/shared_ptr.htm#BestPractices"> 34boost docs: shared_ptr</a>.</p></div></div></td> 35<td><div class="exampleContainer expandable"> 36<div class="example"><pre> 37void f(int, int); 38int g(void *); 39int h() __attribute__((noreturn)); 40 41void test() { 42 // It is possible that 'malloc(1)' is called first, 43 // then 'h()', that is (or calls) noreturn and eventually 44 // 'g()' is never called. 45 f(g(malloc(1)), h()); // warn: 'g()' may never be called. 46} 47</pre></div> 48<div class="example"><pre> 49void f(int, int); 50int g(int *); 51int h() { throw 1; }; 52 53void test() { 54 // It is possible that 'new int' is called first, 55 // then 'h()', that throws an exception and eventually 56 // 'g()' is never called. 57 f(g(new int), h()); // warn: 'g()' may never be called. 58} 59</pre></div></div></td> 60<td class="aligned"></td></tr> 61 62 63<tr><td><div class="namedescr expandable"><span class="name"> 64memory.DstBufferTooSmall</span><span class="lang"> 65(C, C++)</span><div class="descr"> 66Destination buffer passed to memory function is too small. 67<br>Note: <span class="name">security.insecureAPI.strcpy</span> currently warns 68on usage of <code>strcpy</code> and suggests to replace it. 69<br>Note: <span class="name">alpha.unix.CStringChecker</span> contains some similar checks. 70<p>Source: <a href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>.</p></div></div></td> 71<td><div class="exampleContainer expandable"> 72<div class="example"><pre> 73void test() { 74 const char* s1 = "abc"; 75 char *s2 = new char; 76 strcpy(s2, s1); // warn 77} 78</pre></div> 79<div class="example"><pre> 80void test() { 81 int* p1 = new int[3]; 82 int* p2 = new int; 83 memcpy(p2, p1, 3); // warn 84} 85</pre></div></div></td> 86<td class="aligned"></td></tr> 87 88 89<tr><td><div class="namedescr expandable"><span class="name"> 90memory.NegativeArraySize</span><span class="lang"> 91(C, C++)</span><div class="descr"> 92'n' is used to specify the buffer size may be negative. 93<br>Note: possibly an enhancement to <span class="name"> 94alpha.security.MallocOverflow</span>. 95<p>Source: <a href="http://cwe.mitre.org/data/definitions/20.html">CWE-20, 96Example 2</a>.</p></div></div></td> 97<td><div class="exampleContainer expandable"> 98<div class="example"><pre> 99void test() { 100 int *p; 101 int n1 = -1; 102 p = new int[n1]; // warn 103} 104</pre></div></div></td> 105<td class="aligned"></td></tr> 106 107</table> 108 109<!-- ======================= constructors/destructors ====================== --> 110<h3>constructors/destructors</h3> 111<table class="checkers"> 112<col class="namedescr"><col class="example"><col class="progress"> 113<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 114 115<tr><td><div class="namedescr expandable"><span class="name"> 116ctordtor.ExptInsideDtor</span><span class="lang"> 117(C++)</span><div class="descr"> 118It is dangerous to let an exception leave a destructor. 119Using <code>try..catch</code> solves the problem. 120<p>Source: Scott Meyers "More Effective C++", item 11: Prevent exceptions from 121leaving destructors.</p></div></div></td> 122<td><div class="exampleContainer expandable"> 123<div class="example"><pre> 124class A { 125 A() {} 126 ~A() { throw 1; } // warn 127}; 128</pre></div> 129<div class="example"><pre> 130void f() throw(int); 131 132class A { 133 A() {} 134 ~A() { f(); } // warn 135}; 136</pre></div></div></td> 137<td class="aligned"></td></tr> 138 139 140<tr><td><div class="namedescr expandable"><span class="name"> 141ctordtor.PlacementSelfCopy</span><span class="lang"> 142(C++11)</span><div class="descr"> 143For a placement copy or move, it is almost certainly an error if the 144constructed object is also the object being copied from.</div></div></td> 145<td><div class="exampleContainer expandable"> 146<div class="example"><pre> 147class A {}; 148 149void test(A *dst, A *src) { 150 ::new (dst) A(*dst); // warn (should be 'src') 151} 152</pre></div></div></td> 153<td class="aligned"><!--rdar://problem/13688366--></td></tr> 154 155</table> 156 157<!-- =============================== va_list =============================== --> 158<h3>va_list</h3> 159<table class="checkers"> 160<col class="namedescr"><col class="example"><col class="progress"> 161<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 162 163<tr><td><div class="namedescr expandable"><span class="name"> 164valist.Uninitialized</span><span class="lang"> 165(C)</span><div class="descr"> 166Calls to the <code>va_arg</code>, <code>va_copy</code>, or 167<code>va_end</code> macro must happen after calling <code>va_start</code> and 168before calling <code>va_end</code>.</div></div></td> 169<td><div class="exampleContainer expandable"> 170<div class="example"><pre> 171#include <stdarg.h> 172 173void test(int x, ...) { 174 va_list args; 175 int y = va_arg(args, int); // warn 176} 177</pre></div> 178<div class="example"><pre> 179#include <stdarg.h> 180 181void test(int x, ...) { 182 va_list args; 183 va_start(args, x); 184 va_end(args); 185 int z = va_arg(args, int); // warn 186} 187</pre></div></div></td> 188<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16812"> 189PR16811</a></td></tr> 190 191<tr><td><div class="namedescr expandable"><span class="name"> 192valist.Unterminated</span><span class="lang"> 193(C)</span><div class="descr"> 194Every <code>va_start</code> must be matched by a <code>va_end</code>. A va_list 195can only be ended once. 196 197<i>This should be folded into the generalized "ownership checker" 198described on the <a href="open_projects.html"> 199Open Projects</a> page.</i></div></div></td> 200<td><div class="exampleContainer expandable"> 201<div class="example"><pre> 202#include <stdarg.h> 203 204void test(int x, ...) { 205 va_list args; 206 va_start(args, x); 207 int y = x + va_arg(args, int); 208} // warn: missing va_end 209</pre></div></div></td> 210<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16812"> 211PR16812</a></td></tr> 212 213</table> 214 215<!-- ============================== exceptions ============================= --> 216<h3>exceptions</h3> 217<table class="checkers"> 218<col class="namedescr"><col class="example"><col class="progress"> 219<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 220 221<tr><td><div class="namedescr expandable"><span class="name"> 222exceptions.ThrowSpecButNotThrow</span><span class="lang"> 223(C++)</span><div class="descr"> 224Function declaration has a <code>throw(<i>type</i>)</code> specifier but the 225function do not throw exceptions.</div></div></td> 226<td><div class="exampleContainer expandable"> 227<div class="example"><pre> 228void test() throw(int) { 229} // warn 230</pre></div></div></td> 231<td class="aligned"></td></tr> 232 233 234<tr><td><div class="namedescr expandable"><span class="name"> 235exceptions.NoThrowSpecButThrows</span><span class="lang"> 236(C++)</span><div class="descr"> 237An exception is throw from a function having a <code>throw()</code> 238specifier.</div></div></td> 239<td><div class="exampleContainer expandable"> 240<div class="example"><pre> 241void test() throw() { 242 throw(1); // warn 243} 244</pre></div></div></td> 245<td class="aligned"></td></tr> 246 247 248<tr><td><div class="namedescr expandable"><span class="name"> 249exceptions.ThrownTypeDiffersSpec</span><span class="lang"> 250(C++)</span><div class="descr"> 251The type of a thrown exception differs from those specified in 252a <code>throw(<i>type</i>)</code> specifier.</div></div></td> 253<td><div class="exampleContainer expandable"> 254<div class="example"><pre> 255struct S{}; 256 257void test() throw(int) { 258 S s; 259 throw (s); // warn 260} 261</pre></div></div></td> 262<td class="aligned"></td></tr> 263 264</table> 265 266<!-- ========================= smart pointers ============================== --> 267<h3>smart pointers</h3> 268<table class="checkers"> 269<col class="namedescr"><col class="example"><col class="progress"> 270<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 271 272<tr><td><div class="namedescr expandable"><span class="name"> 273smartptr.SmartPtrInit</span><span class="lang"> 274(C++)</span><div class="descr"> 275C++03: <code>auto_ptr</code> should store a pointer to an object obtained via 276new as allocated memory will be cleaned using <code>delete</code>.<br> 277C++11: one should use <code>unique_ptr<<i>type</i>[]></code> to keep a 278pointer to memory allocated by <code>new[]</code>.<br> 279C++11: to keep a pointer to memory allocated by <code>new[]</code> in 280a <code>shared_ptr</code> one should use a custom deleter that calls <code> 281delete[].</code>. 282<p>Source: C++03 20.4.5p1; C++11 <code>auto_ptr</code> is deprecated (D.10).</p></div></div></td> 283<td><div class="exampleContainer expandable"> 284<div class="example"><pre> 285#include <stdlib.h> 286#include <memory> 287 288void test() { 289 std::auto_ptr<int> p1(new int); // Ok 290 std::auto_ptr<int> p2(new int[3]); // warn 291} 292</pre></div> 293<div class="example"><pre> 294#include <stdlib.h> 295#include <memory> 296 297void test() { 298 std::auto_ptr<int> p((int *)malloc(sizeof(int))); // warn 299} 300</pre></div></div></td> 301<td class="aligned"></td></tr> 302 303</table> 304 305<!-- ============================== dead code ============================== --> 306<h3>dead code</h3> 307<table class="checkers"> 308<col class="namedescr"><col class="example"><col class="progress"> 309<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 310 311<tr><td><div class="namedescr expandable"><span class="name"> 312deadcode.UnmodifiedVariable</span><span class="lang"> 313(C, C++)</span><div class="descr"> 314A variable is never modified but was not declared const and is not a 315reference.<br><br><i>(opt-in checker)</i></div></div></td> 316<td><div class="exampleContainer expandable"> 317<div class="example"><pre> 318extern int computeDelta(); 319 320int test(bool cond) { 321 int i = 0; 322 if (cond) { 323 const int delta = computeDelta(); 324 // warn: forgot to modify 'i' 325 } 326 return i; 327} 328</pre></div></div></td> 329<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16890">PR16890</a></td></tr> 330 331<tr><td><div class="namedescr expandable"><span class="name"> 332deadcode.IdempotentOperations</span><span class="lang"> 333(C)</span><div class="descr"> 334Warn about idempotent operations.</div></div></td> 335<td><div class="exampleContainer expandable"> 336<div class="example"><pre> 337void test() { 338 int x = 7; 339 x = x; // warn: value is always the same 340} 341</pre></div> 342<div class="example"><pre> 343void test() { 344 int x = 7; 345 x /= x; // warn: value is always 1 346} 347</pre></div> 348<div class="example"><pre> 349void test() { 350 int x = 7, one = 1; 351 x *= one; // warn: right op is always 1 352} 353</pre></div> 354<div class="example"><pre> 355void test() { 356 int x = 7, zero = 0; 357 x = x - zero; 358 // warn: the right operand to '-' is always 0 359} 360</pre></div></div></td> 361<td class="aligned">removed from alpha.deadcode.* at r198476</td></tr> 362 363</table> 364 365<!-- ================================ POSIX ================================ --> 366<h3>POSIX</h3> 367<table class="checkers"> 368<col class="namedescr"><col class="example"><col class="progress"> 369<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 370 371<tr><td><div class="namedescr expandable"><span class="name"> 372posix.Errno</span><span class="lang"> 373(C)</span><div class="descr"> 374Record that <code>errno</code> is non-zero when certain functions 375fail.</div></div></td> 376<td><div class="exampleContainer expandable"> 377<div class="example"><pre> 378#include <stdlib.h> 379 380int readWrapper(int fd, int *count) { 381 int lcount = read(fd, globalBuf, sizeof(globalBuf)); 382 if (lcount < 0) 383 return errno; 384 *count = lcount; 385 return 0; 386} 387 388void use(int fd) { 389 int count; 390 if (!readWrapper(fd, &count)) 391 print("%d", count); // should not warn 392} 393</pre></div></div></td> 394<td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=18701">PR18701</a></td></tr> 395 396</table> 397 398<!-- ========================= undefined behavior ========================== --> 399<h3>undefined behavior</h3> 400<table class="checkers"> 401<col class="namedescr"><col class="example"><col class="progress"> 402<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 403 404<tr><td><div class="namedescr expandable"><span class="name"> 405undefbehavior.ExitInDtor</span><span class="lang"> 406(C++)</span><div class="descr"> 407Undefined behavior: <code>std::exit()</code> is called to end the program during 408the destruction of an object with static storage duration. 409<p>Source: C++11 3.6.1p4.</p></div></div></td> 410<td><div class="exampleContainer expandable"> 411<div class="example"><pre> 412#include <cstdlib> 413 414class A { 415public: 416 ~A() { 417 std::exit(1); // warn 418 } 419}; 420</pre></div></div></td> 421<td class="aligned"></td></tr> 422 423 424<tr><td><div class="namedescr expandable"><span class="name"> 425undefbehavior.LocalStaticDestroyed</span><span class="lang"> 426(C++)</span><div class="descr"> 427Undefined behavior: function containing a definition of static local object is 428called during the destruction of an object with static storage duration so that 429flow of control passes through the definition of the previously destroyed 430static local object. 431<p>Source: C++11 3.6.3p2.</p></div></div></td> 432<td><div class="exampleContainer expandable"> 433<div class="example"><pre> 434void f(); 435 436class A { 437public: 438 ~A() { 439 f(); // warn 440 } 441}; 442 443class B {}; 444 445A a; 446 447void f() { 448 static B b; 449} 450</pre></div></div></td> 451<td class="aligned"></td></tr> 452 453 454<tr><td><div class="namedescr expandable"><span class="name"> 455undefbehavior.ZeroAllocDereference</span><span class="lang"> 456(C, C++)</span><div class="descr"> 457The effect of dereferencing a pointer returned as a request for zero size is 458undefined.<br> 459Note: possibly an enhancement to <span class="name"> 460unix.Malloc</span>. 461<p>Source: C++03 3.7.3.1p2; C++11 3.7.4.1p2.</p></div></div></td> 462<td><div class="exampleContainer expandable"> 463<div class="example"><pre> 464int *p = malloc(0); 465*p = 1; // warn 466</pre></div> 467<div class="example"><pre> 468int *p = new int{}; 469int i = *p; // warn 470</pre></div></div></td> 471<td class="aligned"></td></tr> 472 473 474<tr><td><div class="namedescr expandable"><span class="name"> 475undefbehavior.DeadReferenced</span><span class="lang"> 476(C++)</span><div class="descr"> 477Undefined behavior: the following usage of the pointer to the object whose 478lifetime has ended can result in undefined behavior:<br> 479The object will be or was of a class type with a non-trivial destructor and 480<ul><li>the pointer is used as the operand of a delete-expression</li></ul> 481The object will be or was of a non-POD class type (C++11: any class type) and 482<ul><li>the pointer is used to access a non-static data member or call a 483non-static member function of the object</li> 484<li>the pointer is implicitly converted to a pointer to a base class 485type</li> 486<li>the pointer is used as the operand of a <code>static_cast</code> (except 487when the conversion is to <code>void*</code>, or to <code>void*</code> and 488subsequently to <code>char*</code>, or <code>unsigned char*</code>)</li> 489<li>the pointer is used as the operand of a <code>dynamic_cast</code></li></ul> 490<p>Source: C++03 3.8p5, p7; C++11 3.8p5, p7.</p></div></div></td> 491<td><div class="exampleContainer expandable"> 492<div class="example"><pre> 493#include <new> 494 495class A { 496public: 497 ~A(); 498}; 499 500class B : public A {}; 501 502void test() { 503 A *a = new A; 504 new(a) B; 505 delete a; // warn 506} 507</pre></div> 508<div class="example"><pre> 509#include <new> 510 511class A { 512public: 513 ~A(); 514}; 515 516class B {}; 517 518void test() { 519 A *a = new A; 520 new(a) B; 521 a->~A(); 522} 523</pre></div> 524<div class="example"><pre> 525#include <new> 526 527class A { 528public: 529 ~A(); 530}; 531 532class B : public A {}; 533 534class C {}; 535 536void f(A*); 537 538void test() { 539 B *b = new B; 540 new(b) C; 541 f(b); // warn 542} 543</pre></div> 544<div class="example"><pre> 545#include <new> 546 547class A { 548public: 549 ~A(); 550}; 551 552class B : public A {}; 553 554class C {}; 555 556A* test() { 557 B *b = new B; 558 new(b) C; 559 return static_cast<A*>(b); // warn 560} 561</pre></div> 562<div class="example"><pre> 563#include <new> 564 565class A { 566public: 567 ~A(); 568}; 569 570class B : public A {}; 571 572class C {}; 573 574A* test() { 575 B *b = new B; 576 new(b) C; 577 return dynamic_cast<A*>(b); // warn 578} 579</pre></div></div></td> 580<td class="aligned"></td></tr> 581 582 583<tr><td><div class="namedescr expandable"><span class="name"> 584undefbehavior.ObjLocChanges</span><span class="lang"> 585(C++)</span><div class="descr"> 586Undefined behavior: the program must ensure that an object occupies the same 587storage location when the implicit or explicit destructor call takes place. 588<p>Source: C++11 3.8p8.</p></div></div></td> 589<td><div class="exampleContainer expandable"> 590<div class="example"><pre> 591#include <new> 592 593class A {}; 594 595class B { 596public: 597 ~B(); 598}; 599 600void test() { 601 B b; 602 new (&b) A; 603} // warn 604</pre></div> 605<div class="example"><pre> 606#include <new> 607 608class A {}; 609 610class B { 611public: 612 ~B(); 613}; 614 615void test() { 616 B *b = new B; 617 new (b) A; 618 delete b; // warn 619} 620</pre></div></div></td> 621<td class="aligned"></td></tr> 622 623 624<tr><td><div class="namedescr expandable"><span class="name"> 625undefbehavior.ExprEvalOrderUndef</span><span class="lang"> 626(C, C++03)</span><div class="descr"> 627Undefined behavior: a scalar object shall have its stored value modified at 628most once by the evaluation of an expression.<br> 629Note: most cases are currently handled by the Clang core (search for 'multiple 630unsequenced modifications' warning in Clang tests). 631<p>Source: C++03 5p4.</p></div></div></td> 632<td><div class="exampleContainer expandable"> 633<div class="example"><pre> 634int test () { 635 int i = 0; 636 i = ++i + 1; // warn 637 return i; 638} 639</pre></div></div></td> 640<td class="aligned"></td></tr> 641 642 643<tr><td><div class="namedescr expandable"><span class="name"> 644undefbehavior.StaticInitReentered</span><span class="lang"> 645(C++)</span><div class="descr"> 646Undefined behavior: static declaration is re-entered while the object is being 647initialized. 648<p>Source: C++11 6.7p4.</p></div></div></td> 649<td><div class="exampleContainer expandable"> 650<div class="example"><pre> 651int test(int i) { 652 static int s = test(2 * i); // warn 653 return i + 1; 654} 655</pre></div></div></td> 656<td class="aligned"></td></tr> 657 658 659<tr><td><div class="namedescr expandable"><span class="name"> 660undefbehavior.ConstModified</span><span class="lang"> 661(C, C++)</span><div class="descr"> 662Undefined behavior: const object is being modified. 663<p>Source: C++03 7.1.5.1p4, C++11 7.1.6.1p4.</p></div></div></td> 664<td><div class="exampleContainer expandable"> 665<div class="example"><pre> 666void test() { 667 const int *cp = new const int (0); 668 int *p = const_cast<int *>(cp); 669 *p = 1; // warn 670 delete p; 671} 672</pre></div> 673<div class="example"><pre> 674class C { 675public : 676 int i; 677 C(); 678}; 679 680void test() { 681 const C cb; 682 683 C* cp = const_cast<C *>(&cb); 684 cp->i = 1; // warn 685} 686</pre></div></div></td> 687<td class="aligned"></td></tr> 688 689 690<tr><td><div class="namedescr expandable"><span class="name"> 691undefbehavior.DeadDestructed</span><span class="lang"> 692(C++)</span><div class="descr"> 693Undefined behavior: the destructor is invoked for an object whose lifetime 694has ended. 695<p>Source: C++11 12.4p14.</p></div></div></td> 696<td><div class="exampleContainer expandable"> 697<div class="example"><pre> 698class A { 699public: 700 void f(); 701 A(); 702 ~A(); 703}; 704 705void test() { 706 A a; 707 a.~A(); 708} // warn 709</pre></div></div></td> 710<td class="aligned"></td></tr> 711 712 713<tr><td><div class="namedescr expandable"><span class="name"> 714undefbehavior.MethodCallBeforeBaseInit</span><span class="lang"> 715(C++)</span><div class="descr"> 716Undefined behavior: calls member function but base not yet initialized. 717<p>Source: C++03 12.6.2p8; C++11 12.6.2p13.</p></div></div></td> 718<td><div class="exampleContainer expandable"> 719<div class="example"><pre> 720class A { 721public : 722 A(int); 723}; 724 725class B : public A { 726public : 727 int f(); 728 B() : A(f()) {} // warn 729}; 730</pre></div></div></td> 731<td class="aligned"></td></tr> 732 733 734<tr><td><div class="namedescr expandable"><span class="name"> 735undefbehavior.MemberOrBaseRefBeforeCtor</span><span class="lang"> 736(C++)</span><div class="descr"> 737C++ Undefined behavior: non-static member or base class of non-POD class type 738is referred before constructor begins execution.<br> 739C++11 Undefined behavior: non-static member or base class of a class with a 740non-trivial constructor is referred before constructor begins execution. 741<p>Source: C++03 12.7p1; C++11 12.7p1.</p></div></div></td> 742<td><div class="exampleContainer expandable"> 743<div class="example"><pre> 744struct non_POD { 745 int i; 746 non_POD(); 747}; 748 749extern non_POD non_pod; 750 751int *p = &non_pod.i; // warn 752</pre></div> 753<div class="example"><pre> 754struct POD { 755 int i; 756}; 757 758struct non_POD : public POD { 759 POD pod; 760}; 761 762extern non_POD non_pod; 763 764int *p = &non_pod.pod.i; // warn 765</pre></div> 766<div class="example"><pre> 767struct POD { 768 int i; 769}; 770 771struct non_POD : public POD {}; 772 773extern non_POD non_pod; 774 775POD *p = &non_pod; // warn 776</pre></div> 777<div class="example"><pre> 778struct non_POD { 779 int i; 780 non_POD(); 781}; 782 783struct S { 784 int *k; 785 non_POD non_pod; 786 S() : k(&non_pod.i) {} // warn 787}; 788</pre></div></div></td> 789<td class="aligned"></td></tr> 790 791 792<tr><td><div class="namedescr expandable"><span class="name"> 793undefbehavior.MemberRefAfterDtor</span><span class="lang"> 794(C++)</span><div class="descr"> 795C++03: Undefined behavior: non-static member of non-POD class type is referred 796after destructor ends execution.<br> 797C++11: Undefined behavior: non-static member of a class with a non-trivial 798destructor is referred after destructor ends execution. 799<p>Source: C++03 12.7p1; C++11 12.7p1.</p></div></div></td> 800<td><div class="exampleContainer expandable"> 801<div class="example"><pre> 802class C { 803public: 804 C(); 805 void f(); 806}; 807 808void test() { 809 C *c = new C(); 810 c->~C(); 811 c->f(); // warn 812} 813</pre></div></div></td> 814<td class="aligned"></td></tr> 815 816 817<tr><td><div class="namedescr expandable"><span class="name"> 818undefbehavior.CtorForeignCall</span><span class="lang"> 819(C++)</span><div class="descr"> 820Undefined behavior: call to virtual function of an object under construction 821whose type is neither the constructors own class or one of its bases. 822<p>Source: C++11 12.7p4.</p></div></div></td> 823<td><div class="exampleContainer expandable"> 824<div class="example"><pre> 825class A { 826public: 827 virtual void f() {}; 828}; 829 830class B { 831public: 832 B(A* a) { a->f(); } // warn 833}; 834 835class C : public A, B { 836public: 837 C() : B((A*)this) {} 838}; 839</pre></div></div></td> 840<td class="aligned"></td></tr> 841 842 843<tr><td><div class="namedescr expandable"><span class="name"> 844undefbehavior.CtorForeignTypeid</span><span class="lang"> 845(C++)</span><div class="descr"> 846Undefined behavior: the operand of <code>typeid</code> is an object under 847construction whose type is neither the constructors own class or one of its 848bases. 849<p>Source: C++11 12.7p5.</p></div></div></td> 850<td><div class="exampleContainer expandable"> 851<div class="example"><pre> 852#include <typeinfo> 853 854class A {}; 855 856class B { 857public: 858 B(A* a) { 859 (void)typeid(*a); // warn 860 } 861}; 862 863class C : public A, B { 864public: 865 C() : B((A*)this) {} 866}; 867</pre></div></div></td> 868<td class="aligned"></td></tr> 869 870 871<tr><td><div class="namedescr expandable"><span class="name"> 872undefbehavior.CtorForeignCast</span><span class="lang"> 873(C++)</span><div class="descr"> 874Undefined behavior: the operand of <code>dynamic_cast</code> is an object under 875construction whose type is neither the constructors own class or one of its 876bases. 877<p>Source: C++11 12.7p6.</p></div></div></td> 878<td><div class="exampleContainer expandable"> 879<div class="example"><pre> 880#include <typeinfo> 881 882class A { 883public: 884 virtual void f() {}; 885}; 886 887class B { 888public: 889 B(A* a) { 890 (void)dynamic_cast<B*>(a); //warn 891 } 892}; 893 894class C : public A, B { 895public: 896 C() : B((A*)this) {} 897}; 898</pre></div></div></td> 899<td class="aligned"></td></tr> 900 901 902<tr><td><div class="namedescr expandable"><span class="name"> 903undefbehavior.MemberOrBaseRefInCatch</span><span class="lang"> 904(C++)</span><div class="descr"> 905Undefined behavior: referring to any non-static member or base class of an 906object in the handler for a function-try-block of a constructor or destructor 907for that object results in undefined behavior. 908<p>Source: C++11 15.3p10.</p></div></div></td> 909<td><div class="exampleContainer expandable"> 910<div class="example"><pre> 911void f() { throw 1; } 912 913class C { 914 int i; 915public : 916 C() 917 try { 918 f(); 919 } 920 catch (...) { 921 i=2; // warn 922 } 923}; 924</pre></div> 925<div class="example"><pre> 926void f() { throw 1; } 927 928class Base { 929public: 930 int i; 931}; 932 933class C: public Base { 934public : 935 ~C() try { 936 f(); 937 } 938 catch (...) { 939 i=2; // warn 940 } 941}; 942</pre></div></div></td> 943<td class="aligned"></td></tr> 944 945 946<tr><td><div class="namedescr expandable"><span class="name"> 947undefbehavior.ReturnAtCatchEnd</span><span class="lang"> 948(C++)</span><div class="descr"> 949Undefined behavior: a function returns when control reaches the end of a 950handler. This results in undefined behavior in a value-returning function. 951<p>Source: C++11 15.3p10.</p></div></div></td> 952<td><div class="exampleContainer expandable"> 953<div class="example"><pre> 954void f() { throw 1; } 955 956int test() try { 957 f(); 958 return 1; 959} 960catch(int) { 961} // warn 962</pre></div></div></td> 963<td class="aligned"></td></tr> 964 965 966<tr><td><div class="namedescr expandable"><span class="name"> 967undefbehavior.AutoptrsOwnSameObj</span><span class="lang"> 968(C++03)</span><div class="descr"> 969Undefined behavior: if more than one <code>auto_ptr</code> owns the same object 970at the same time the behavior of the program is undefined. 971<p>Source: C++03 20.4.5p3; C++11 <code>auto_ptr</code> is deprecated 972(D.10).</p></div></div></td> 973<td><div class="exampleContainer expandable"> 974<div class="example"><pre> 975#include <memory> 976 977void test() { 978 int *data = new int; 979 std::auto_ptr<int> p(data); 980 std::auto_ptr<int> q(data); // warn 981} 982</pre></div></div></td> 983<td class="aligned"></td></tr> 984 985 986<tr><td><div class="namedescr expandable"><span class="name"> 987undefbehavior.BasicStringOutOfBound</span><span class="lang"> 988(C++03)</span><div class="descr"> 989Undefined behavior: out-of-bound <code>basic_string</code> access/modification. 990<br>Note: possibly an enhancement to <span class="name"> 991alpha.security.ArrayBoundV2</span>. 992<p>Source: C++03 21.3.4p1; C++11 behavior is defined 993(21.4.5p2).</p></div></div></td> 994<td><div class="exampleContainer expandable"> 995<div class="example"><pre> 996#include <string> 997 998void test() { 999 std::basic_string<char> s; 1000 char c = s[10]; // warn 1001} 1002</pre></div> 1003<div class="example"><pre> 1004#include <string> 1005 1006void test() { 1007 std::basic_string<char> s; 1008 s[10] = 0; // warn 1009} 1010</pre></div></div></td> 1011<td class="aligned"></td></tr> 1012 1013 1014<tr><td><div class="namedescr expandable"><span class="name"> 1015undefbehavior.EosDereference</span><span class="lang"> 1016(C++)</span><div class="descr"> 1017Undefined behavior: the result of <code>operator*()</code> on an end of a 1018stream is undefined. 1019<p>Source: C++03 24.5.3p2; C++11 24.6.3p2.</p></div></div></td> 1020<td><div class="exampleContainer expandable"> 1021<div class="example"><pre> 1022#include <vector> 1023 1024int test() { 1025 std::vector<int> v; 1026 return *v.end(); // warn 1027} 1028</pre></div></div></td> 1029<td class="aligned"></td></tr> 1030 1031 1032<tr><td><div class="namedescr expandable"><span class="name"> 1033undefbehavior.QsortNonPODNonTrivial</span><span class="lang"> 1034(C++)</span><div class="descr"> 1035C++03: Undefined behavior: the objects in the array passed to qsort are of 1036non-POD type.<br> 1037C++11: Undefined behavior: the objects in the array passed to qsort are of 1038non-trivial type. 1039<p>Source: C++03 25.4p4; C++11 25.5p4.</p></div></div></td> 1040<td><div class="exampleContainer expandable"> 1041<div class="example"><pre> 1042// C++03 1043#include <cstdlib> 1044 1045 1046struct non_POD { 1047 non_POD(); 1048}; 1049 1050non_POD values[] = { non_POD(), non_POD() }; 1051 1052int compare(const void *a, const void *b); 1053 1054void test() { 1055 qsort(values, 2, sizeof(non_POD), compare); // warn 1056} 1057</pre></div> 1058<div class="example"><pre> 1059// C++11 1060#include <cstdlib> 1061 1062struct S {}; 1063 1064struct trivial_non_POD : public S { 1065 int i; 1066}; 1067 1068struct non_trivial { 1069 int i; 1070 non_trivial(); 1071}; 1072 1073trivial_non_POD tnp[2]; 1074non_trivial nt[2]; 1075 1076int compare1(const void *a, const void *b); 1077 1078int compare2(const void *a, const void *b); 1079 1080void test() { 1081 qsort(tnp, 2, sizeof(trivial_non_POD), compare1); // ok 1082 qsort(nt, 2, sizeof(non_trivial), compare2); // warn 1083} 1084</pre></div></div></td> 1085<td class="aligned"></td></tr> 1086 1087 1088<tr><td><div class="namedescr expandable"><span class="name"> 1089undefbehavior.ThrowWhileCopy</span><span class="lang"> 1090(C++)</span><div class="descr"> 1091Undefined behavior: copy constructor/assignment operator can throw an exception. 1092The effects are undefined if an exception is thrown.</div></div></td> 1093<td><div class="exampleContainer expandable"> 1094<div class="example"><pre> 1095class C { 1096public: 1097 int i, j; 1098 C (const C &c) { 1099 i = c.i; 1100 throw 1; // warn 1101 j = c.j; 1102 }; 1103}; 1104</pre></div> 1105<div class="example"><pre> 1106class C { 1107public: 1108 int i, j; 1109 C &operator=(const C &c) { 1110 i = c.i; 1111 throw 1; // warn 1112 j = c.j; 1113 }; 1114}; 1115</pre></div></div></td> 1116<td class="aligned"></td></tr> 1117 1118 1119<tr><td><div class="namedescr expandable"><span class="name"> 1120undefbehavior.ValarrayArgBound</span><span class="lang"> 1121(C++)</span><div class="descr"> 1122Undefined behavior: the value of the <code><i>n</i></code> argument passed 1123to <code>valarray</code> constructor is greater than the number of values 1124pointed to by the first argument (source). 1125<p>Source: C++03 26.3.2.1p4; C++11 26.6.2.2p4.</p></div></div></td> 1126<td><div class="exampleContainer expandable"> 1127<div class="example"><pre> 1128#include <valarray> 1129 1130struct S { 1131 int i; 1132 S(int ii) : i(ii) {}; 1133}; 1134 1135void test(void) { 1136 S s[] = { S(1), S(2) }; 1137 std::valarray<S> v(s,3); // warn 1138} 1139</pre></div></div></td> 1140<td class="aligned"></td></tr> 1141 1142 1143<tr><td><div class="namedescr expandable"><span class="name"> 1144undefbehavior.ValarrayLengthDiffer</span><span class="lang"> 1145(C++)</span><div class="descr"> 1146Undefined behavior: <code>valarray</code> operands are of different length. 1147<p>Source: C++03 26.3.2.2p1, 26.3.2.6p3, 26.3.3.1p3, 26.3.3.2p3; 1148C++11 defined (26.6.2.3p1), 26.6.2.7p3, 26.6.3.1p3, 114926.6.3.2p3.</p></div></div></td> 1150<td><div class="exampleContainer expandable"> 1151<div class="example"><pre> 1152// C++03 1153#include <valarray> 1154 1155void test(void) { 1156 std::valarray<int> a(0, 1), b(0, 2); 1157 a = b; // warn 1158 b.resize(1); 1159 a = b; // ok 1160} 1161</pre></div> 1162<div class="example"><pre> 1163// C++03, C++11 1164#include <valarray> 1165 1166void test(void) { 1167 std::valarray<int> a(0, 1), b(0, 2); 1168 a *= b; // warn 1169} 1170</pre></div> 1171<div class="example"><pre> 1172// C++03, C++11 1173#include <valarray> 1174 1175void test(void) { 1176 std::valarray<int> a(0, 1), b(0, 2); 1177 a = a + b; // warn 1178} 1179</pre></div> 1180<div class="example"><pre> 1181// C++03, C++11 1182#include <valarray> 1183 1184void test(void) { 1185 std::valarray<int> a(0, 1), b(0, 2); 1186 std::valarray<bool> c(false, 1); 1187 c = a == b; // warn 1188} 1189</pre></div></div></td> 1190<td class="aligned"></td></tr> 1191 1192 1193<tr><td><div class="namedescr expandable"><span class="name"> 1194undefbehavior.ValarrayZeroLength</span><span class="lang"> 1195(C++)</span><div class="descr"> 1196Undefined behavior: calling <code>sum()</code>/<code>min()</code>/<code> 1197max()</code> methods of a zero length <code>valarray<code> the behavior is 1198undefined. 1199<p>Source: C++03 26.3.2.7p2, p3, p4; C++11 26.6.2.8p5, p6, 1200p7.</p></div></div></td> 1201<td><div class="exampleContainer expandable"> 1202<div class="example"><pre> 1203#include <valarray> 1204 1205void test(void) { 1206 std::valarray<int> v(0, 0); 1207 v.sum(); // warn 1208} 1209</pre></div></div></td> 1210<td class="aligned"></td></tr> 1211 1212 1213<tr><td><div class="namedescr expandable"><span class="name"> 1214undefbehavior.ValarrayBadIndirection</span><span class="lang"> 1215(C++)</span><div class="descr"> 1216Undefined behavior: element is specified more than once in an indirection. 1217<p>Source: C++03 26.3.9.2p2, 26.3.9.3p2; C++11 26.6.9.2p2, 121826.6.9.3p2.</p></div></div></td> 1219<td><div class="exampleContainer expandable"> 1220<div class="example"><pre> 1221#include <valarray> 1222 1223void test() { 1224 // '1' is specified more then once 1225 size_t addr[] = {0, 1, 1}; 1226 std::valarray<size_t>indirect(addr, 3); 1227 std::valarray<int> a(0, 5), b(1, 3); 1228 a[indirect] = b; //warn 1229} 1230</pre></div> 1231<div class="example"><pre> 1232#include <valarray> 1233 1234void test() { 1235 // '1' is specified more then once 1236 size_t addr[] = {0, 1, 1}; 1237 std::valarray<size_t>indirect(addr, 3); 1238 std::valarray<int> a(0, 5), b(1, 3); 1239 a[indirect] *= b; //warn 1240} 1241</pre></div></div></td> 1242<td class="aligned"></td></tr> 1243 1244 1245<tr><td><div class="namedescr expandable"><span class="name"> 1246undefbehavior.IosBaseDestroyedBeforeInit</span><span class="lang"> 1247(C++)</span><div class="descr"> 1248Undefined behavior: <code>ios_base</code> object is destroyed before 1249initialization have taken place. <code>basic_ios::init</code> should be call to 1250initialize <code>ios_base</code> members. 1251<p>Source: C++03 27.4.2.7p1, 27.4.4.1p2; C++11 27.5.3.7p1, 125227.5.5.2p2.</p></div></div></td> 1253<td><div class="exampleContainer expandable"> 1254<div class="example"><pre> 1255#include <ios> 1256 1257using namespace std; 1258template <class T, class Traits = std::char_traits<T> > 1259class my_stream1 : public std::basic_ios<T, Traits> { 1260}; 1261 1262template <class T, class Traits = std::char_traits<T> > 1263class my_stream2 : public std::basic_ios<T, Traits> { 1264 class my_streambuf 1265 : public std::basic_streambuf<T, Traits> { 1266 }; 1267public: 1268 my_stream2() { 1269 this->init(new my_streambuf); 1270 } 1271}; 1272 1273void test() { 1274 my_stream1<char> *p1 = new my_stream1<char>; 1275 my_stream2<char> *p2 = new my_stream2<char>; 1276 delete p1; // warn 1277 delete p2; // ok 1278} 1279</pre></div></div></td> 1280<td class="aligned"></td></tr> 1281 1282 1283<tr><td><div class="namedescr expandable"><span class="name"> 1284undefbehavior.IosBaseUsedBeforeInit</span><span class="lang"> 1285(C++11)</span><div class="descr"> 1286Undefined behavior: <code>ios_base</code> object is used before initialization 1287have taken place. <code>basic_ios::init</code> should be call to 1288initialize <code>ios_base</code> members. 1289<p>Source: C++11 27.5.3.7p1, 27.5.5.2p2.</p></div></div></td> 1290<td><div class="exampleContainer expandable"> 1291<div class="example"><pre> 1292#include <ios> 1293 1294using namespace std; 1295template <class T, class Traits = std::char_traits<T> > 1296class my_stream1 : public std::basic_ios<T, Traits> { 1297}; 1298 1299template <class T, class Traits = std::char_traits<T> > 1300class my_stream2 : public std::basic_ios<T, Traits> { 1301 class my_streambuf 1302 : public std::basic_streambuf<T, Traits> { 1303 }; 1304public: 1305 my_stream2() { 1306 this->init(new my_streambuf); 1307 } 1308}; 1309 1310void test() { 1311 my_stream1<char> *p1 = new my_stream1<char>; 1312 my_stream2<char> *p2 = new my_stream2<char>; 1313 p1->narrow('a', 'b'); // warn 1314 p2->narrow('a', 'b'); // ok 1315} 1316</pre></div></div></td> 1317<td class="aligned"></td></tr> 1318 1319 1320<tr><td><div class="namedescr expandable"><span class="name"> 1321undefbehavior.MinusOnePosType</span><span class="lang"> 1322(C++)</span><div class="descr"> 1323Undefined behavior: passing -1 to any <code>streambuf</code>/<code> 1324istream</code>/<code>ostream</code> member that accepts a value of 1325type <code>traits::pos_type</code> result in undefined behavior. 1326<p>Source: C++03 27.4.3.2p3; C++11 27.5.4.2p3.</p></div></div></td> 1327<td><div class="exampleContainer expandable"> 1328<div class="example"><pre> 1329#include <fstream> 1330 1331class my_streambuf : public std::streambuf { 1332 void f() { 1333 seekpos(-1); // warn 1334 } 1335}; 1336</pre></div> 1337<div class="example"><pre> 1338#include <fstream> 1339 1340void test() { 1341 std::filebuf fb; 1342 std::istream in(&fb); 1343 std::filebuf::off_type pos(-1); 1344 in.seekg(pos); // warn 1345} 1346</pre></div></div></td> 1347<td class="aligned"></td></tr> 1348 1349</table> 1350 1351<!-- ============================ different ================================ --> 1352<h3>different</h3> 1353<table class="checkers"> 1354<col class="namedescr"><col class="example"><col class="progress"> 1355<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr> 1356</thead> 1357 1358<tr><td><div class="namedescr expandable"><span class="name"> 1359different.SuccessiveAssign</span><span class="lang"> 1360(C)</span><div class="descr"> 1361Successive assign to a variable.</div></div></td> 1362<td><div class="exampleContainer expandable"> 1363<div class="example"><pre> 1364int test() { 1365 int i; 1366 i=1; 1367 i=2; // warn 1368 return i; 1369} 1370</pre></div></div></td> 1371<td class="aligned"></td></tr> 1372 1373 1374<tr><td><div class="namedescr expandable"><span class="name"> 1375different.NullDerefStmtOrder</span><span class="lang"> 1376(C)</span><div class="descr"> 1377Dereferencing of the null pointer might take place. Checking the pointer for 1378null should be performed first. 1379<br>Note: possibly an enhancement to <span class="name"> 1380core.NullDereference</span>.</div></div></td> 1381<td><div class="exampleContainer expandable"> 1382<div class="example"><pre> 1383struct S { 1384 int x; 1385}; 1386 1387struct S* f(); 1388 1389void test() { 1390 struct S *p1 = f(); 1391 int x1 = p1->x; // warn 1392 if (p1) {}; 1393 1394 struct S *p2 = f(); 1395 int x2 = p2->x; // ok 1396} 1397</pre></div></div></td> 1398<td class="aligned"></td></tr> 1399 1400 1401<tr><td><div class="namedescr expandable"><span class="name"> 1402different.NullDerefCondOrder</span><span class="lang"> 1403(C)</span><div class="descr"> 1404Dereferencing of the null pointer might take place. Checking the pointer for 1405null should be performed first. 1406<br>Note: possibly an enhancement to <span class="name"> 1407core.NullDereference</span>.</div></div></td> 1408<td><div class="exampleContainer expandable"> 1409<div class="example"><pre> 1410struct S {int i;}; 1411 1412struct S* f(); 1413 1414void test() { 1415 struct S *p = f(); 1416 if (p->i && p) {}; // warn 1417} 1418</pre></div></div></td> 1419<td class="aligned"></td></tr> 1420 1421 1422<tr><td><div class="namedescr expandable"><span class="name"> 1423different.MultipleAccessors</span><span class="lang"> 1424(C++)</span><div class="descr"> 1425Identical accessor bodies. Possibly a misprint.</div></div></td> 1426<td><div class="exampleContainer expandable"> 1427<div class="example"><pre> 1428class A { 1429 int i; 1430 int j; 1431public: 1432 int getI() { return i; } 1433 int getJ() { return i; } // warn 1434}; 1435</pre></div> 1436<div class="example"><pre> 1437class A { 1438 int i; 1439 int j; 1440public: 1441 void setI(int& ii) { i = ii; } 1442 void setJ(int& jj) { i = jj; } // warn 1443}; 1444</pre></div></div></td> 1445<td class="aligned"></td></tr> 1446 1447 1448<tr><td><div class="namedescr expandable"><span class="name"> 1449different.AccessorsForPublic</span><span class="lang"> 1450(C++)</span><div class="descr"> 1451Accessors exist for a public class field. Should this field really be 1452public?</div></div></td> 1453<td><div class="exampleContainer expandable"> 1454<div class="example"><pre> 1455class A { 1456public: 1457 int i; // warn 1458 int getI() { return i; } 1459 void setI(int& ii) { i = ii; } 1460}; 1461</pre></div></div></td> 1462<td class="aligned"></td></tr> 1463 1464 1465<tr><td><div class="namedescr expandable"><span class="name"> 1466different.LibFuncResultUnised</span><span class="lang"> 1467(C, C++)</span><div class="descr"> 1468Calling a function ignoring its return value is of no use (create the list of 1469known system/library/API functions falling into this category).</div></div></td> 1470<td><div class="exampleContainer expandable"> 1471<div class="example"><pre> 1472#include <vector> 1473 1474void test() { 1475 std::vector<int> v; 1476 v.empty(); // warn 1477} 1478</pre></div></div></td> 1479<td class="aligned"></td></tr> 1480 1481 1482<tr><td><div class="namedescr expandable"><span class="name"> 1483different.WrongVarForStmt</span><span class="lang"> 1484(C, C++)</span><div class="descr"> 1485Wrong variable is possibly used in the loop/cond-expression of 1486the <code>for</code> statement. Did you mean 1487'proper_variable_name'?</div></div></td> 1488<td><div class="exampleContainer expandable"> 1489<div class="example"><pre> 1490void test() { 1491 int i = 0; 1492 int j = 0; 1493 for (i = 0; i < 3; j += 1); // warn 1494} 1495</pre></div> 1496<div class="example"><pre> 1497void test() { 1498 int i = 0; 1499 int j = 0; 1500 for (int j = 0; i < 3; ++j); // warn 1501} 1502</pre></div></div></td> 1503<td class="aligned"></td></tr> 1504 1505 1506<tr><td><div class="namedescr expandable"><span class="name"> 1507different.FloatingCompare</span><span class="lang"> 1508(C)</span><div class="descr"> 1509Comparing floating point numbers may be not precise.</div></div></td> 1510<td><div class="exampleContainer expandable"> 1511<div class="example"><pre> 1512#include <math.h> 1513 1514double test() { 1515 double b = sin(M_PI / 6.0); 1516 if (b == 0.5) // warn 1517 b = 0; 1518 return b; 1519} 1520</pre></div></div></td> 1521<td class="aligned"></td></tr> 1522 1523 1524<tr><td><div class="namedescr expandable"><span class="name"> 1525different.BitwiseOpBoolArg</span><span class="lang"> 1526(C, C++)</span><div class="descr"> 1527Boolean value met at the left/right part of the bitwise <code>&</code> 1528or <code>|</code> operator. 1529Did you mean <code>&&</code> (<code>||</code>) ?</div></div></td> 1530<td><div class="exampleContainer expandable"> 1531<div class="example"><pre> 1532int f(); 1533 1534void test() { 1535 bool b = true; 1536 if (b & f()) {} // warn 1537} 1538</pre></div></div></td> 1539<td class="aligned"></td></tr> 1540 1541 1542<tr><td><div class="namedescr expandable"><span class="name"> 1543different.LabelInsideSwitch</span><span class="lang"> 1544(C)</span><div class="descr"> 1545Possibly a misprint: label found inside a <code>switch()</code> 1546statement.</div></div></td> 1547<td><div class="exampleContainer expandable"> 1548<div class="example"><pre> 1549void test(int c) { 1550 switch(c){ 1551 case 1: 1552 c += 1; break; 1553 defalt: // warn (did you mean 'default'?) 1554 c -= 1; break; 1555 } 1556} 1557</pre></div></div></td> 1558<td class="aligned"></td></tr> 1559 1560 1561<tr><td><div class="namedescr expandable"><span class="name"> 1562different.IdenticalCondIfIf</span><span class="lang"> 1563(C)</span><div class="descr"> 1564The conditions of two subsequent <code>if</code> statements are 1565identical.</div></div></td> 1566<td><div class="exampleContainer expandable"> 1567<div class="example"><pre> 1568int test(int c) { 1569 if (c > 5) 1570 c += 1; 1571 if (c > 5) // warn 1572 c -= 1; 1573 return c; 1574} 1575</pre></div></div></td> 1576<td class="aligned"></td></tr> 1577 1578 1579<tr><td><div class="namedescr expandable"><span class="name"> 1580different.LogicalOpUselessArg</span><span class="lang"> 1581(C)</span><div class="descr"> 1582The second operand of a <code>&&</code> operator has no impact on 1583expression result.</div></div></td> 1584<td><div class="exampleContainer expandable"> 1585<div class="example"><pre> 1586void test(unsigned a) { 1587 if (a<7 && a<10) {}; // warn 1588} 1589</pre></div></div></td> 1590<td class="aligned"></td></tr> 1591 1592 1593<tr><td><div class="namedescr expandable"><span class="name"> 1594different.SameResLogicalExpr</span><span class="lang"> 1595(C)</span><div class="descr"> 1596An expression is always evaluated to true/false.</div></div></td> 1597<td><div class="exampleContainer expandable"> 1598<div class="example"><pre> 1599void test() { 1600 int i = 0; 1601 if (i != 0) {}; // warn 1602} 1603</pre></div> 1604<div class="example"><pre> 1605void test(int i) { 1606 if (i == 0 && i == 1) {}; // warn 1607} 1608</pre></div> 1609<div class="example"><pre> 1610void test(int i) { 1611 if (i < 0 || i >= 0) {}; // warn 1612} 1613</pre></div></div></td> 1614<td class="aligned"></td></tr> 1615 1616 1617<tr><td><div class="namedescr expandable"><span class="name"> 1618different.OpPrecedenceAssignCmp</span><span class="lang"> 1619(C, C++)</span><div class="descr"> 1620Comparison operation has higher precedence then assignment. Boolean value is 1621assigned to a variable of other type. Parenthesis may bee required around an 1622assignment.</div></div></td> 1623<td><div class="exampleContainer expandable"> 1624<div class="example"><pre> 1625int f(); 1626 1627void test(int x, int y) { 1628 bool b; 1629 if((b = x != y)) {} // ok 1630 if((x = f() != y)) {} // warn 1631} 1632</pre></div></div></td> 1633<td class="aligned"></td></tr> 1634 1635 1636<tr><td><div class="namedescr expandable"><span class="name"> 1637different.OpPrecedenceIifShift</span><span class="lang"> 1638(C, C++)</span><div class="descr"> 1639<code>?:</code> has lower precedence then <code><<</code>. 1640<p>Source: Stephen C. Dewhurst "C++ Gotchas: Avoiding Common Problems in Coding 1641and Design", advise 15.</p></div></div></td> 1642<td><div class="exampleContainer expandable"> 1643<div class="example"><pre> 1644#include <iostream> 1645 1646void test(int a) { 1647 std::cout << a ? "a" : "b"; // warn 1648} 1649</pre></div> 1650<div class="example"><pre> 1651void test(int a) { 1652 a << a > 7 ? 1 : 2; // warn 1653} 1654</pre></div></div></td> 1655<td class="aligned"></td></tr> 1656 1657 1658<tr><td><div class="namedescr expandable"><span class="name"> 1659different.ObjectUnused</span><span class="lang"> 1660(C++)</span><div class="descr"> 1661The object was created but is not being used.</div></div></td> 1662<td><div class="exampleContainer expandable"> 1663<div class="example"><pre> 1664struct S { 1665 int x, y; 1666 S(int xx, int yy) : x(xx), y(yy) {} 1667 S(int xx) { 1668 S(xx, 0); // warn 1669 } 1670}; 1671</pre></div> 1672<div class="example"><pre> 1673#include <exception> 1674 1675void test() { 1676 std::exception(); 1677 // warn (did you mean 'throw std::exception()'?) 1678} 1679</pre></div></div></td> 1680<td class="aligned"></td></tr> 1681 1682 1683<tr><td><div class="namedescr expandable"><span class="name"> 1684different.StaticArrayPtrCompare</span><span class="lang"> 1685(C)</span><div class="descr"> 1686Pointer to static array is being compared to NULL. May the subscripting is 1687missing.</div></div></td> 1688<td><div class="exampleContainer expandable"> 1689<div class="example"><pre> 1690void test() { 1691 int a[1][1]; 1692 if (a[0] == 0) {}; // warn 1693} 1694</pre></div></div></td> 1695<td class="aligned"></td></tr> 1696 1697 1698<tr><td><div class="namedescr expandable"><span class="name"> 1699different.ConversionToBool</span><span class="lang"> 1700(C, C++)</span><div class="descr"> 1701Odd implicit conversion to boolean. 1702<br>Note: possibly merge with <span class="name"> 1703alpha.core.BoolAssignment</span>.</div></div></td> 1704<td><div class="exampleContainer expandable"> 1705<div class="example"><pre> 1706bool test() { 1707 return 1.; // warn 1708} 1709</pre></div> 1710<div class="example"><pre> 1711bool test() { 1712 return ""; // warn 1713} 1714</pre></div></div></td> 1715<td class="aligned"></td></tr> 1716 1717 1718<tr><td><div class="namedescr expandable"><span class="name"> 1719different.ArrayBound</span><span class="lang"> 1720(C++)</span><div class="descr"> 1721Out-of-bound dynamic array access. 1722<br>Note: possibly an enhancement to <span class="name"> 1723alpha.security.ArrayBoundV2</span>.</div></div></td> 1724<td><div class="exampleContainer expandable"> 1725<div class="example"><pre> 1726void test() { 1727 int *p = new int[1]; 1728 int i = 1; 1729 if(p[i]) {}; // warn 1730 delete[] p; 1731} 1732</pre></div></div></td> 1733<td class="aligned"></td></tr> 1734 1735 1736<tr><td><div class="namedescr expandable"><span class="name"> 1737different.StrcpyInputSize</span><span class="lang"> 1738(C)</span><div class="descr"> 1739Buffer copy without checking the size of input. 1740<br>Note: possibly an enhancement to <span class="name"> 1741alpha.unix.cstring.OutOfBounds</span>.</div></div></td> 1742<td><div class="exampleContainer expandable"> 1743<div class="example"><pre> 1744void test(char* string) { 1745 char buf[24]; 1746 strcpy(buf, string); // warn 1747} 1748</pre></div></div></td> 1749<td class="aligned"></td></tr> 1750 1751 1752<tr><td><div class="namedescr expandable"><span class="name"> 1753different.IntegerOverflow</span><span class="lang"> 1754(C)</span><div class="descr"> 1755Integer overflow. 1756<br>Note: partially handled by Clang core 1757(search for 'overflow in expression' warning in Clang tests). 1758<p>Source: <a href="http://cwe.mitre.org/data/definitions/190.html"> 1759CWE-190</a>.</p></div></div></td> 1760<td><div class="exampleContainer expandable"> 1761<div class="example"><pre> 1762#include <limits.h> 1763 1764int f(int x); 1765 1766void test() { 1767 f(INT_MAX + 1); // warn 1768} 1769</pre></div> 1770<div class="example"><pre> 1771#include <limits.h> 1772 1773int test() { 1774 int x = INT_MAX / 2 + 1; 1775 return x * 2; // warn 1776} 1777</pre></div></div></td> 1778<td class="aligned"></td></tr> 1779 1780 1781<tr><td><div class="namedescr expandable"><span class="name"> 1782different.SignExtension</span><span class="lang"> 1783(C)</span><div class="descr"> 1784Unexpected sign extension might take place. 1785<p>Source: <a href="http://cwe.mitre.org/data/definitions/194.html"> 1786CWE-194</a>.</p></div></div></td> 1787<td><div class="exampleContainer expandable"> 1788<div class="example"><pre> 1789unsigned long long test(long long sll) { 1790 unsigned long long ull = sll; // warn 1791 return ull; 1792} 1793</pre></div> 1794<div class="example"><pre> 1795void f(unsigned int i); 1796 1797void test(int si) { 1798 f(si); // warn 1799} 1800</pre></div> 1801<div class="example"><pre> 1802unsigned int test(int i) { 1803 return i; 1804} 1805</pre></div></div></td> 1806<td class="aligned"></td></tr> 1807 1808 1809<tr><td><div class="namedescr expandable"><span class="name"> 1810different.NumericTruncation</span><span class="lang"> 1811(C)</span><div class="descr"> 1812Numeric truncation might take place. 1813<p>Source: <a href="http://cwe.mitre.org/data/definitions/197.html"> 1814CWE-197</a>.</p></div></div></td> 1815<td><div class="exampleContainer expandable"> 1816<div class="example"><pre> 1817unsigned long test(unsigned long long ull) { 1818 unsigned long ul = ull; // warn 1819 return ul; 1820} 1821</pre></div> 1822<div class="example"><pre> 1823void f(int i); 1824 1825void test(long long sll) { 1826 f(sll); // warn 1827} 1828</pre></div> 1829<div class="example"><pre> 1830int f(); 1831 1832short test(long long sll) { 1833 short ss = f(); 1834 return ss; 1835} 1836</pre></div></div></td> 1837<td class="aligned"></td></tr> 1838 1839 1840<tr><td><div class="namedescr expandable"><span class="name"> 1841different.MissingCopyCtorAssignOp</span><span class="lang"> 1842(C++)</span><div class="descr"> 1843A class has dynamically allocated data members but do not define a copy 1844constructor/assignment operator. 1845<p>Source: Scott Meyers "Effective C++", item 11: Prevent exceptions from 1846leaving destructors.</p></div></div></td> 1847<td><div class="exampleContainer expandable"> 1848<div class="example"><pre> 1849class C { 1850 int *p; // warn 1851public: 1852 C() { p = new int; } 1853 ~C() { delete p; } 1854}; 1855</pre></div></div></td> 1856<td class="aligned"></td></tr> 1857 1858</table> 1859 1860<!-- ============================ WinAPI =================================== --> 1861<h3>WinAPI</h3> 1862<table class="checkers"> 1863<col class="namedescr"><col class="example"><col class="progress"> 1864<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 1865 1866<tr><td><div class="namedescr expandable"><span class="name"> 1867WinAPI.CreateProcess</span><span class="lang"> 1868(C)</span><div class="descr"> 1869<code>CreateProcess()</code>: if the first parameter <code><i> 1870lpApplicationName</i></code> is NULL then the executable name must be in the 1871white space-delimited string pointed to by <code><i>lpCommandLine</code></i>. 1872If the executable or path name has a space in it, there is a risk that a 1873different executable could be run because of the way the function parses 1874spaces. 1875<p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx"> 1876MSDN: CreateProcess function, Security Remarks</a>.</p></div></div></td> 1877<td><div class="exampleContainer expandable"> 1878<div class="example"><pre> 1879#include <windows.h> 1880 1881void test() { 1882 STARTUPINFO si; 1883 PROCESS_INFORMATION pi; 1884 CreateProcess(NULL, TEXT("C:\\Program Files\\App -L -S"), 1885 NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi); 1886 // warn 1887} 1888</pre></div></div></td> 1889<td class="aligned"></td></tr> 1890 1891 1892<tr><td><div class="namedescr expandable"><span class="name"> 1893WinAPI.LoadLibrary</span><span class="lang"> 1894(C)</span><div class="descr"> 1895The <code>SearchPath()</code> function is used to retrieve a path to a DLL for 1896a subsequent <code>LoadLibrary()</code> call. 1897<p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684175%28v=vs.85%29.aspx"> 1898MSDN: LoadLibrary function, Security Remarks</a>.</p></div></div></td> 1899<td><div class="exampleContainer expandable"> 1900<div class="example"><pre> 1901#include <windows.h> 1902 1903HINSTANCE test() { 1904 char filePath[100]; 1905 SearchPath(NULL, "file.dll", NULL, 100, filePath, NULL); 1906 return LoadLibrary(filePath); // warn 1907} 1908</pre></div></div></td> 1909<td class="aligned"></td></tr> 1910 1911 1912<tr><td><div class="namedescr expandable"><span class="name"> 1913WinAPI.WideCharToMultiByte</span><span class="lang"> 1914(C)</span><div class="descr"> 1915Buffer overrun while calling <code>WideCharToMultiByte()</code>. The size of 1916the input buffer equals the number of characters in the Unicode string, while 1917the size of the output buffer equals the number of bytes. 1918<p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/dd374130%28v=vs.85%29.aspx"> 1919MSDN: WideCharToMultiByte function</a>.</p></div></div></td> 1920<td><div class="exampleContainer expandable"> 1921<div class="example"><pre> 1922#include <windows.h> 1923 1924void test() { 1925 wchar_t ws[] = L"abc"; 1926 char s[3]; 1927 WideCharToMultiByte(CP_UTF8, 0, ws, -1, s, 1928 3, NULL, NULL); // warn 1929} 1930</pre></div></div></td> 1931<td class="aligned"></td></tr> 1932 1933 1934</table> 1935 1936<!-- =========================== optimization ============================== --> 1937<h3>optimization</h3> 1938<table class="checkers"> 1939<col class="namedescr"><col class="example"><col class="progress"> 1940<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 1941 1942<tr><td><div class="namedescr expandable"><span class="name"> 1943optimization.PassConstObjByValue</span><span class="lang"> 1944(C, C++)</span><div class="descr"> 1945Optimization: It is more effective to pass constant parameter by reference to 1946avoid unnecessary object copying.</div></div></td> 1947<td><div class="exampleContainer expandable"> 1948<div class="example"><pre> 1949struct A {}; 1950 1951void f(const struct A a); // warn 1952</pre></div></div></td> 1953<td class="aligned"></td></tr> 1954 1955 1956<tr><td><div class="namedescr expandable"><span class="name"> 1957optimization.PostfixIncIter</span><span class="lang"> 1958(C++)</span><div class="descr"> 1959Optimization: It is more effective to use prefix increment operator with 1960iterator. 1961<p>Source: Scott Meyers "More Effective C++", item 6: 1962Distinguish between prefix and postfix forms of increment and decrement 1963operators.</p></div></div></td> 1964<td><div class="exampleContainer expandable"> 1965<div class="example"><pre> 1966#include <vector> 1967 1968void test() { 1969 std::vector<int> v; 1970 std::vector<int>::const_iterator it; 1971 for(it = v.begin(); 1972 it != v.end(); it++) {}; // warn 1973} 1974</pre></div></div></td> 1975<td class="aligned"></td></tr> 1976 1977 1978<tr><td><div class="namedescr expandable"><span class="name"> 1979optimization.MultipleCallsStrlen</span><span class="lang"> 1980(C)</span><div class="descr"> 1981Optimization: multiple calls to <code>strlen()</code> for a string in an 1982expression. It is more effective to hold a value returned 1983from <code>strlen()</code> in a temporary variable.</div></div></td> 1984<td><div class="exampleContainer expandable"> 1985<div class="example"><pre> 1986#include <string.h> 1987 1988void test(const char* s) { 1989 if (strlen(s) > 0 && 1990 strlen(s) < 7) {}; // warn 1991} 1992</pre></div></div></td> 1993<td class="aligned"></td></tr> 1994 1995 1996<tr><td><div class="namedescr expandable"><span class="name"> 1997optimization.StrLengthCalculation</span><span class="lang"> 1998(C++)</span><div class="descr"> 1999Optimization: it is more efficient to use <code>string::length()</code> to 2000calculate the length of an <code>std::string</code>.</div></div></td> 2001<td><div class="exampleContainer expandable"> 2002<div class="example"><pre> 2003#include <string> 2004#include <string.h> 2005 2006void test() { 2007 std::string s; 2008 if (strlen(s.c_str()) != 0) {}; // warn 2009} 2010</pre></div></div></td> 2011<td class="aligned"></td></tr> 2012 2013 2014<tr><td><div class="namedescr expandable"><span class="name"> 2015optimization.EmptyContainerDetect</span><span class="lang"> 2016(C++)</span><div class="descr"> 2017Optimization: It is more efficient to use containers <code>empty()</code> 2018method to identify an empty container.</div></div></td> 2019<td><div class="exampleContainer expandable"> 2020<div class="example"><pre> 2021#include <list> 2022 2023void test() { 2024 std::list<int> l; 2025 if (l.size() != 0) {}; // warn 2026} 2027</pre></div></div></td> 2028<td class="aligned"></td></tr> 2029 2030 2031</table> 2032 2033<br> 2034</div> <!-- page --> 2035</div> <!-- content --> 2036</body> 2037</html> 2038