1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 2 "http://www.w3.org/TR/html4/strict.dtd"> 3 <html> 4 <head> 5 <title>List of potential checkers</title> 6 <link type="text/css" rel="stylesheet" href="content.css"> 7 <link type="text/css" rel="stylesheet" href="menu.css"> 8 <script type="text/javascript" src="scripts/expandcollapse.js"></script> 9 <script type="text/javascript" src="scripts/menu.js"></script> 10 </head> 11 <body onload="initExpandCollapse()"> 12 13 <div id="page"> 14 15 <!-- menu --> 16 <!--#include virtual="menu.html.incl"--> 17 <!-- page content --> 18 <div id="content"> 19 <h1>List of potential checkers</h1> 20 21 <p>This page contains a list of potential checkers to implement in the static analyzer. If you are interested in contributing to the analyzer's development, this is a good resource to help you get started. The specific names of the checkers are subject to review, and are provided here as suggestions.</p> 22 23 <!-- ========================= allocation/deallocation ======================= --> 24 <h3>memory</h3> 25 <table class="checkers"> 26 <col class="namedescr"><col class="example"><col class="progress"> 27 <thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 28 29 <tr><td><div class="namedescr expandable"><span class="name"> 30 memory.LeakEvalOrder</span><span class="lang"> 31 (C, C++)</span><div class="descr"> 32 Potential memory leaks caused by an undefined argument evaluation order. 33 <p>Source: <a href="http://www.boost.org/doc/libs/1_49_0/libs/smart_ptr/shared_ptr.htm#BestPractices"> 34 boost docs: shared_ptr</a>.</p></div></div></td> 35 <td><div class="exampleContainer expandable"> 36 <div class="example"><pre> 37 void f(int, int); 38 int g(void *); 39 int h() __attribute__((noreturn)); 40 41 void test() { 42 // It is possible that 'malloc(1)' is called first, 43 // then 'h()', that is (or calls) noreturn and eventually 44 // 'g()' is never called. 45 f(g(malloc(1)), h()); // warn: 'g()' may never be called. 46 } 47 </pre></div> 48 <div class="example"><pre> 49 void f(int, int); 50 int g(int *); 51 int h() { throw 1; }; 52 53 void test() { 54 // It is possible that 'new int' is called first, 55 // then 'h()', that throws an exception and eventually 56 // 'g()' is never called. 57 f(g(new int), h()); // warn: 'g()' may never be called. 58 } 59 </pre></div></div></td> 60 <td class="aligned"></td></tr> 61 62 63 <tr><td><div class="namedescr expandable"><span class="name"> 64 memory.DstBufferTooSmall</span><span class="lang"> 65 (C, C++)</span><div class="descr"> 66 Destination buffer passed to memory function is too small. 67 <br>Note: <span class="name">security.insecureAPI.strcpy</span> currently warns 68 on usage of <code>strcpy</code> and suggests to replace it. 69 <br>Note: <span class="name">alpha.unix.CStringChecker</span> contains some similar checks. 70 <p>Source: <a href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>.</p></div></div></td> 71 <td><div class="exampleContainer expandable"> 72 <div class="example"><pre> 73 void test() { 74 const char* s1 = "abc"; 75 char *s2 = new char; 76 strcpy(s2, s1); // warn 77 } 78 </pre></div> 79 <div class="example"><pre> 80 void test() { 81 int* p1 = new int[3]; 82 int* p2 = new int; 83 memcpy(p2, p1, 3); // warn 84 } 85 </pre></div></div></td> 86 <td class="aligned"></td></tr> 87 88 89 <tr><td><div class="namedescr expandable"><span class="name"> 90 memory.NegativeArraySize</span><span class="lang"> 91 (C, C++)</span><div class="descr"> 92 'n' is used to specify the buffer size may be negative. 93 <br>Note: possibly an enhancement to <span class="name"> 94 alpha.security.MallocOverflow</span>. 95 <p>Source: <a href="http://cwe.mitre.org/data/definitions/20.html">CWE-20, 96 Example 2</a>.</p></div></div></td> 97 <td><div class="exampleContainer expandable"> 98 <div class="example"><pre> 99 void test() { 100 int *p; 101 int n1 = -1; 102 p = new int[n1]; // warn 103 } 104 </pre></div></div></td> 105 <td class="aligned"></td></tr> 106 107 </table> 108 109 <!-- ======================= constructors/destructors ====================== --> 110 <h3>constructors/destructors</h3> 111 <table class="checkers"> 112 <col class="namedescr"><col class="example"><col class="progress"> 113 <thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 114 115 <tr><td><div class="namedescr expandable"><span class="name"> 116 ctordtor.ExptInsideDtor</span><span class="lang"> 117 (C++)</span><div class="descr"> 118 It is dangerous to let an exception leave a destructor. 119 Using <code>try..catch</code> solves the problem. 120 <p>Source: Scott Meyers "More Effective C++", item 11: Prevent exceptions from 121 leaving destructors.</p></div></div></td> 122 <td><div class="exampleContainer expandable"> 123 <div class="example"><pre> 124 class A { 125 A() {} 126 ~A() { throw 1; } // warn 127 }; 128 </pre></div> 129 <div class="example"><pre> 130 void f() throw(int); 131 132 class A { 133 A() {} 134 ~A() { f(); } // warn 135 }; 136 </pre></div></div></td> 137 <td class="aligned"></td></tr> 138 139 140 <tr><td><div class="namedescr expandable"><span class="name"> 141 ctordtor.PlacementSelfCopy</span><span class="lang"> 142 (C++11)</span><div class="descr"> 143 For a placement copy or move, it is almost certainly an error if the 144 constructed object is also the object being copied from.</div></div></td> 145 <td><div class="exampleContainer expandable"> 146 <div class="example"><pre> 147 class A {}; 148 149 void test(A *dst, A *src) { 150 ::new (dst) A(*dst); // warn (should be 'src') 151 } 152 </pre></div></div></td> 153 <td class="aligned"><!--rdar://problem/13688366--></td></tr> 154 155 </table> 156 157 <!-- =============================== va_list =============================== --> 158 <h3>va_list</h3> 159 <table class="checkers"> 160 <col class="namedescr"><col class="example"><col class="progress"> 161 <thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 162 163 <tr><td><div class="namedescr expandable"><span class="name"> 164 valist.Uninitialized</span><span class="lang"> 165 (C)</span><div class="descr"> 166 Calls to the <code>va_arg</code>, <code>va_copy</code>, or 167 <code>va_end</code> macro must happen after calling <code>va_start</code> and 168 before calling <code>va_end</code>.</div></div></td> 169 <td><div class="exampleContainer expandable"> 170 <div class="example"><pre> 171 #include <stdarg.h> 172 173 void test(int x, ...) { 174 va_list args; 175 int y = va_arg(args, int); // warn 176 } 177 </pre></div> 178 <div class="example"><pre> 179 #include <stdarg.h> 180 181 void test(int x, ...) { 182 va_list args; 183 va_start(args, x); 184 va_end(args); 185 int z = va_arg(args, int); // warn 186 } 187 </pre></div></div></td> 188 <td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16812"> 189 PR16811</a></td></tr> 190 191 <tr><td><div class="namedescr expandable"><span class="name"> 192 valist.Unterminated</span><span class="lang"> 193 (C)</span><div class="descr"> 194 Every <code>va_start</code> must be matched by a <code>va_end</code>. A va_list 195 can only be ended once. 196 197 <i>This should be folded into the generalized "ownership checker" 198 described on the <a href="open_projects.html"> 199 Open Projects</a> page.</i></div></div></td> 200 <td><div class="exampleContainer expandable"> 201 <div class="example"><pre> 202 #include <stdarg.h> 203 204 void test(int x, ...) { 205 va_list args; 206 va_start(args, x); 207 int y = x + va_arg(args, int); 208 } // warn: missing va_end 209 </pre></div></div></td> 210 <td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16812"> 211 PR16812</a></td></tr> 212 213 </table> 214 215 <!-- ============================== exceptions ============================= --> 216 <h3>exceptions</h3> 217 <table class="checkers"> 218 <col class="namedescr"><col class="example"><col class="progress"> 219 <thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 220 221 <tr><td><div class="namedescr expandable"><span class="name"> 222 exceptions.ThrowSpecButNotThrow</span><span class="lang"> 223 (C++)</span><div class="descr"> 224 Function declaration has a <code>throw(<i>type</i>)</code> specifier but the 225 function do not throw exceptions.</div></div></td> 226 <td><div class="exampleContainer expandable"> 227 <div class="example"><pre> 228 void test() throw(int) { 229 } // warn 230 </pre></div></div></td> 231 <td class="aligned"></td></tr> 232 233 234 <tr><td><div class="namedescr expandable"><span class="name"> 235 exceptions.NoThrowSpecButThrows</span><span class="lang"> 236 (C++)</span><div class="descr"> 237 An exception is throw from a function having a <code>throw()</code> 238 specifier.</div></div></td> 239 <td><div class="exampleContainer expandable"> 240 <div class="example"><pre> 241 void test() throw() { 242 throw(1); // warn 243 } 244 </pre></div></div></td> 245 <td class="aligned"></td></tr> 246 247 248 <tr><td><div class="namedescr expandable"><span class="name"> 249 exceptions.ThrownTypeDiffersSpec</span><span class="lang"> 250 (C++)</span><div class="descr"> 251 The type of a thrown exception differs from those specified in 252 a <code>throw(<i>type</i>)</code> specifier.</div></div></td> 253 <td><div class="exampleContainer expandable"> 254 <div class="example"><pre> 255 struct S{}; 256 257 void test() throw(int) { 258 S s; 259 throw (s); // warn 260 } 261 </pre></div></div></td> 262 <td class="aligned"></td></tr> 263 264 </table> 265 266 <!-- ========================= smart pointers ============================== --> 267 <h3>smart pointers</h3> 268 <table class="checkers"> 269 <col class="namedescr"><col class="example"><col class="progress"> 270 <thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 271 272 <tr><td><div class="namedescr expandable"><span class="name"> 273 smartptr.SmartPtrInit</span><span class="lang"> 274 (C++)</span><div class="descr"> 275 C++03: <code>auto_ptr</code> should store a pointer to an object obtained via 276 new as allocated memory will be cleaned using <code>delete</code>.<br> 277 C++11: one should use <code>unique_ptr<<i>type</i>[]></code> to keep a 278 pointer to memory allocated by <code>new[]</code>.<br> 279 C++11: to keep a pointer to memory allocated by <code>new[]</code> in 280 a <code>shared_ptr</code> one should use a custom deleter that calls <code> 281 delete[].</code>. 282 <p>Source: C++03 20.4.5p1; C++11 <code>auto_ptr</code> is deprecated (D.10).</p></div></div></td> 283 <td><div class="exampleContainer expandable"> 284 <div class="example"><pre> 285 #include <stdlib.h> 286 #include <memory> 287 288 void test() { 289 std::auto_ptr<int> p1(new int); // Ok 290 std::auto_ptr<int> p2(new int[3]); // warn 291 } 292 </pre></div> 293 <div class="example"><pre> 294 #include <stdlib.h> 295 #include <memory> 296 297 void test() { 298 std::auto_ptr<int> p((int *)malloc(sizeof(int))); // warn 299 } 300 </pre></div></div></td> 301 <td class="aligned"></td></tr> 302 303 </table> 304 305 <!-- ============================== dead code ============================== --> 306 <h3>dead code</h3> 307 <table class="checkers"> 308 <col class="namedescr"><col class="example"><col class="progress"> 309 <thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 310 311 <tr><td><div class="namedescr expandable"><span class="name"> 312 deadcode.UnmodifiedVariable</span><span class="lang"> 313 (C, C++)</span><div class="descr"> 314 A variable is never modified but was not declared const and is not a 315 reference.<br><br><i>(opt-in checker)</i></div></div></td> 316 <td><div class="exampleContainer expandable"> 317 <div class="example"><pre> 318 extern int computeDelta(); 319 320 int test(bool cond) { 321 int i = 0; 322 if (cond) { 323 const int delta = computeDelta(); 324 // warn: forgot to modify 'i' 325 } 326 return i; 327 } 328 </pre></div></div></td> 329 <td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16890">PR16890</a></td></tr> 330 331 <tr><td><div class="namedescr expandable"><span class="name"> 332 deadcode.IdempotentOperations</span><span class="lang"> 333 (C)</span><div class="descr"> 334 Warn about idempotent operations.</div></div></td> 335 <td><div class="exampleContainer expandable"> 336 <div class="example"><pre> 337 void test() { 338 int x = 7; 339 x = x; // warn: value is always the same 340 } 341 </pre></div> 342 <div class="example"><pre> 343 void test() { 344 int x = 7; 345 x /= x; // warn: value is always 1 346 } 347 </pre></div> 348 <div class="example"><pre> 349 void test() { 350 int x = 7, one = 1; 351 x *= one; // warn: right op is always 1 352 } 353 </pre></div> 354 <div class="example"><pre> 355 void test() { 356 int x = 7, zero = 0; 357 x = x - zero; 358 // warn: the right operand to '-' is always 0 359 } 360 </pre></div></div></td> 361 <td class="aligned">removed from alpha.deadcode.* at r198476</td></tr> 362 363 </table> 364 365 <!-- ================================ POSIX ================================ --> 366 <h3>POSIX</h3> 367 <table class="checkers"> 368 <col class="namedescr"><col class="example"><col class="progress"> 369 <thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 370 371 <tr><td><div class="namedescr expandable"><span class="name"> 372 posix.Errno</span><span class="lang"> 373 (C)</span><div class="descr"> 374 Record that <code>errno</code> is non-zero when certain functions 375 fail.</div></div></td> 376 <td><div class="exampleContainer expandable"> 377 <div class="example"><pre> 378 #include <stdlib.h> 379 380 int readWrapper(int fd, int *count) { 381 int lcount = read(fd, globalBuf, sizeof(globalBuf)); 382 if (lcount < 0) 383 return errno; 384 *count = lcount; 385 return 0; 386 } 387 388 void use(int fd) { 389 int count; 390 if (!readWrapper(fd, &count)) 391 print("%d", count); // should not warn 392 } 393 </pre></div></div></td> 394 <td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=18701">PR18701</a></td></tr> 395 396 </table> 397 398 <!-- ========================= undefined behavior ========================== --> 399 <h3>undefined behavior</h3> 400 <table class="checkers"> 401 <col class="namedescr"><col class="example"><col class="progress"> 402 <thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 403 404 <tr><td><div class="namedescr expandable"><span class="name"> 405 undefbehavior.ExitInDtor</span><span class="lang"> 406 (C++)</span><div class="descr"> 407 Undefined behavior: <code>std::exit()</code> is called to end the program during 408 the destruction of an object with static storage duration. 409 <p>Source: C++11 3.6.1p4.</p></div></div></td> 410 <td><div class="exampleContainer expandable"> 411 <div class="example"><pre> 412 #include <cstdlib> 413 414 class A { 415 public: 416 ~A() { 417 std::exit(1); // warn 418 } 419 }; 420 </pre></div></div></td> 421 <td class="aligned"></td></tr> 422 423 424 <tr><td><div class="namedescr expandable"><span class="name"> 425 undefbehavior.LocalStaticDestroyed</span><span class="lang"> 426 (C++)</span><div class="descr"> 427 Undefined behavior: function containing a definition of static local object is 428 called during the destruction of an object with static storage duration so that 429 flow of control passes through the definition of the previously destroyed 430 static local object. 431 <p>Source: C++11 3.6.3p2.</p></div></div></td> 432 <td><div class="exampleContainer expandable"> 433 <div class="example"><pre> 434 void f(); 435 436 class A { 437 public: 438 ~A() { 439 f(); // warn 440 } 441 }; 442 443 class B {}; 444 445 A a; 446 447 void f() { 448 static B b; 449 } 450 </pre></div></div></td> 451 <td class="aligned"></td></tr> 452 453 454 <tr><td><div class="namedescr expandable"><span class="name"> 455 undefbehavior.ZeroAllocDereference</span><span class="lang"> 456 (C, C++)</span><div class="descr"> 457 The effect of dereferencing a pointer returned as a request for zero size is 458 undefined.<br> 459 Note: possibly an enhancement to <span class="name"> 460 unix.Malloc</span>. 461 <p>Source: C++03 3.7.3.1p2; C++11 3.7.4.1p2.</p></div></div></td> 462 <td><div class="exampleContainer expandable"> 463 <div class="example"><pre> 464 int *p = malloc(0); 465 *p = 1; // warn 466 </pre></div> 467 <div class="example"><pre> 468 int *p = new int{}; 469 int i = *p; // warn 470 </pre></div></div></td> 471 <td class="aligned"></td></tr> 472 473 474 <tr><td><div class="namedescr expandable"><span class="name"> 475 undefbehavior.DeadReferenced</span><span class="lang"> 476 (C++)</span><div class="descr"> 477 Undefined behavior: the following usage of the pointer to the object whose 478 lifetime has ended can result in undefined behavior:<br> 479 The object will be or was of a class type with a non-trivial destructor and 480 <ul><li>the pointer is used as the operand of a delete-expression</li></ul> 481 The object will be or was of a non-POD class type (C++11: any class type) and 482 <ul><li>the pointer is used to access a non-static data member or call a 483 non-static member function of the object</li> 484 <li>the pointer is implicitly converted to a pointer to a base class 485 type</li> 486 <li>the pointer is used as the operand of a <code>static_cast</code> (except 487 when the conversion is to <code>void*</code>, or to <code>void*</code> and 488 subsequently to <code>char*</code>, or <code>unsigned char*</code>)</li> 489 <li>the pointer is used as the operand of a <code>dynamic_cast</code></li></ul> 490 <p>Source: C++03 3.8p5, p7; C++11 3.8p5, p7.</p></div></div></td> 491 <td><div class="exampleContainer expandable"> 492 <div class="example"><pre> 493 #include <new> 494 495 class A { 496 public: 497 ~A(); 498 }; 499 500 class B : public A {}; 501 502 void test() { 503 A *a = new A; 504 new(a) B; 505 delete a; // warn 506 } 507 </pre></div> 508 <div class="example"><pre> 509 #include <new> 510 511 class A { 512 public: 513 ~A(); 514 }; 515 516 class B {}; 517 518 void test() { 519 A *a = new A; 520 new(a) B; 521 a->~A(); 522 } 523 </pre></div> 524 <div class="example"><pre> 525 #include <new> 526 527 class A { 528 public: 529 ~A(); 530 }; 531 532 class B : public A {}; 533 534 class C {}; 535 536 void f(A*); 537 538 void test() { 539 B *b = new B; 540 new(b) C; 541 f(b); // warn 542 } 543 </pre></div> 544 <div class="example"><pre> 545 #include <new> 546 547 class A { 548 public: 549 ~A(); 550 }; 551 552 class B : public A {}; 553 554 class C {}; 555 556 A* test() { 557 B *b = new B; 558 new(b) C; 559 return static_cast<A*>(b); // warn 560 } 561 </pre></div> 562 <div class="example"><pre> 563 #include <new> 564 565 class A { 566 public: 567 ~A(); 568 }; 569 570 class B : public A {}; 571 572 class C {}; 573 574 A* test() { 575 B *b = new B; 576 new(b) C; 577 return dynamic_cast<A*>(b); // warn 578 } 579 </pre></div></div></td> 580 <td class="aligned"></td></tr> 581 582 583 <tr><td><div class="namedescr expandable"><span class="name"> 584 undefbehavior.ObjLocChanges</span><span class="lang"> 585 (C++)</span><div class="descr"> 586 Undefined behavior: the program must ensure that an object occupies the same 587 storage location when the implicit or explicit destructor call takes place. 588 <p>Source: C++11 3.8p8.</p></div></div></td> 589 <td><div class="exampleContainer expandable"> 590 <div class="example"><pre> 591 #include <new> 592 593 class A {}; 594 595 class B { 596 public: 597 ~B(); 598 }; 599 600 void test() { 601 B b; 602 new (&b) A; 603 } // warn 604 </pre></div> 605 <div class="example"><pre> 606 #include <new> 607 608 class A {}; 609 610 class B { 611 public: 612 ~B(); 613 }; 614 615 void test() { 616 B *b = new B; 617 new (b) A; 618 delete b; // warn 619 } 620 </pre></div></div></td> 621 <td class="aligned"></td></tr> 622 623 624 <tr><td><div class="namedescr expandable"><span class="name"> 625 undefbehavior.ExprEvalOrderUndef</span><span class="lang"> 626 (C, C++03)</span><div class="descr"> 627 Undefined behavior: a scalar object shall have its stored value modified at 628 most once by the evaluation of an expression.<br> 629 Note: most cases are currently handled by the Clang core (search for 'multiple 630 unsequenced modifications' warning in Clang tests). 631 <p>Source: C++03 5p4.</p></div></div></td> 632 <td><div class="exampleContainer expandable"> 633 <div class="example"><pre> 634 int test () { 635 int i = 0; 636 i = ++i + 1; // warn 637 return i; 638 } 639 </pre></div></div></td> 640 <td class="aligned"></td></tr> 641 642 643 <tr><td><div class="namedescr expandable"><span class="name"> 644 undefbehavior.StaticInitReentered</span><span class="lang"> 645 (C++)</span><div class="descr"> 646 Undefined behavior: static declaration is re-entered while the object is being 647 initialized. 648 <p>Source: C++11 6.7p4.</p></div></div></td> 649 <td><div class="exampleContainer expandable"> 650 <div class="example"><pre> 651 int test(int i) { 652 static int s = test(2 * i); // warn 653 return i + 1; 654 } 655 </pre></div></div></td> 656 <td class="aligned"></td></tr> 657 658 659 <tr><td><div class="namedescr expandable"><span class="name"> 660 undefbehavior.ConstModified</span><span class="lang"> 661 (C, C++)</span><div class="descr"> 662 Undefined behavior: const object is being modified. 663 <p>Source: C++03 7.1.5.1p4, C++11 7.1.6.1p4.</p></div></div></td> 664 <td><div class="exampleContainer expandable"> 665 <div class="example"><pre> 666 void test() { 667 const int *cp = new const int (0); 668 int *p = const_cast<int *>(cp); 669 *p = 1; // warn 670 delete p; 671 } 672 </pre></div> 673 <div class="example"><pre> 674 class C { 675 public : 676 int i; 677 C(); 678 }; 679 680 void test() { 681 const C cb; 682 683 C* cp = const_cast<C *>(&cb); 684 cp->i = 1; // warn 685 } 686 </pre></div></div></td> 687 <td class="aligned"></td></tr> 688 689 690 <tr><td><div class="namedescr expandable"><span class="name"> 691 undefbehavior.DeadDestructed</span><span class="lang"> 692 (C++)</span><div class="descr"> 693 Undefined behavior: the destructor is invoked for an object whose lifetime 694 has ended. 695 <p>Source: C++11 12.4p14.</p></div></div></td> 696 <td><div class="exampleContainer expandable"> 697 <div class="example"><pre> 698 class A { 699 public: 700 void f(); 701 A(); 702 ~A(); 703 }; 704 705 void test() { 706 A a; 707 a.~A(); 708 } // warn 709 </pre></div></div></td> 710 <td class="aligned"></td></tr> 711 712 713 <tr><td><div class="namedescr expandable"><span class="name"> 714 undefbehavior.MethodCallBeforeBaseInit</span><span class="lang"> 715 (C++)</span><div class="descr"> 716 Undefined behavior: calls member function but base not yet initialized. 717 <p>Source: C++03 12.6.2p8; C++11 12.6.2p13.</p></div></div></td> 718 <td><div class="exampleContainer expandable"> 719 <div class="example"><pre> 720 class A { 721 public : 722 A(int); 723 }; 724 725 class B : public A { 726 public : 727 int f(); 728 B() : A(f()) {} // warn 729 }; 730 </pre></div></div></td> 731 <td class="aligned"></td></tr> 732 733 734 <tr><td><div class="namedescr expandable"><span class="name"> 735 undefbehavior.MemberOrBaseRefBeforeCtor</span><span class="lang"> 736 (C++)</span><div class="descr"> 737 C++ Undefined behavior: non-static member or base class of non-POD class type 738 is referred before constructor begins execution.<br> 739 C++11 Undefined behavior: non-static member or base class of a class with a 740 non-trivial constructor is referred before constructor begins execution. 741 <p>Source: C++03 12.7p1; C++11 12.7p1.</p></div></div></td> 742 <td><div class="exampleContainer expandable"> 743 <div class="example"><pre> 744 struct non_POD { 745 int i; 746 non_POD(); 747 }; 748 749 extern non_POD non_pod; 750 751 int *p = &non_pod.i; // warn 752 </pre></div> 753 <div class="example"><pre> 754 struct POD { 755 int i; 756 }; 757 758 struct non_POD : public POD { 759 POD pod; 760 }; 761 762 extern non_POD non_pod; 763 764 int *p = &non_pod.pod.i; // warn 765 </pre></div> 766 <div class="example"><pre> 767 struct POD { 768 int i; 769 }; 770 771 struct non_POD : public POD {}; 772 773 extern non_POD non_pod; 774 775 POD *p = &non_pod; // warn 776 </pre></div> 777 <div class="example"><pre> 778 struct non_POD { 779 int i; 780 non_POD(); 781 }; 782 783 struct S { 784 int *k; 785 non_POD non_pod; 786 S() : k(&non_pod.i) {} // warn 787 }; 788 </pre></div></div></td> 789 <td class="aligned"></td></tr> 790 791 792 <tr><td><div class="namedescr expandable"><span class="name"> 793 undefbehavior.MemberRefAfterDtor</span><span class="lang"> 794 (C++)</span><div class="descr"> 795 C++03: Undefined behavior: non-static member of non-POD class type is referred 796 after destructor ends execution.<br> 797 C++11: Undefined behavior: non-static member of a class with a non-trivial 798 destructor is referred after destructor ends execution. 799 <p>Source: C++03 12.7p1; C++11 12.7p1.</p></div></div></td> 800 <td><div class="exampleContainer expandable"> 801 <div class="example"><pre> 802 class C { 803 public: 804 C(); 805 void f(); 806 }; 807 808 void test() { 809 C *c = new C(); 810 c->~C(); 811 c->f(); // warn 812 } 813 </pre></div></div></td> 814 <td class="aligned"></td></tr> 815 816 817 <tr><td><div class="namedescr expandable"><span class="name"> 818 undefbehavior.CtorForeignCall</span><span class="lang"> 819 (C++)</span><div class="descr"> 820 Undefined behavior: call to virtual function of an object under construction 821 whose type is neither the constructors own class or one of its bases. 822 <p>Source: C++11 12.7p4.</p></div></div></td> 823 <td><div class="exampleContainer expandable"> 824 <div class="example"><pre> 825 class A { 826 public: 827 virtual void f() {}; 828 }; 829 830 class B { 831 public: 832 B(A* a) { a->f(); } // warn 833 }; 834 835 class C : public A, B { 836 public: 837 C() : B((A*)this) {} 838 }; 839 </pre></div></div></td> 840 <td class="aligned"></td></tr> 841 842 843 <tr><td><div class="namedescr expandable"><span class="name"> 844 undefbehavior.CtorForeignTypeid</span><span class="lang"> 845 (C++)</span><div class="descr"> 846 Undefined behavior: the operand of <code>typeid</code> is an object under 847 construction whose type is neither the constructors own class or one of its 848 bases. 849 <p>Source: C++11 12.7p5.</p></div></div></td> 850 <td><div class="exampleContainer expandable"> 851 <div class="example"><pre> 852 #include <typeinfo> 853 854 class A {}; 855 856 class B { 857 public: 858 B(A* a) { 859 (void)typeid(*a); // warn 860 } 861 }; 862 863 class C : public A, B { 864 public: 865 C() : B((A*)this) {} 866 }; 867 </pre></div></div></td> 868 <td class="aligned"></td></tr> 869 870 871 <tr><td><div class="namedescr expandable"><span class="name"> 872 undefbehavior.CtorForeignCast</span><span class="lang"> 873 (C++)</span><div class="descr"> 874 Undefined behavior: the operand of <code>dynamic_cast</code> is an object under 875 construction whose type is neither the constructors own class or one of its 876 bases. 877 <p>Source: C++11 12.7p6.</p></div></div></td> 878 <td><div class="exampleContainer expandable"> 879 <div class="example"><pre> 880 #include <typeinfo> 881 882 class A { 883 public: 884 virtual void f() {}; 885 }; 886 887 class B { 888 public: 889 B(A* a) { 890 (void)dynamic_cast<B*>(a); //warn 891 } 892 }; 893 894 class C : public A, B { 895 public: 896 C() : B((A*)this) {} 897 }; 898 </pre></div></div></td> 899 <td class="aligned"></td></tr> 900 901 902 <tr><td><div class="namedescr expandable"><span class="name"> 903 undefbehavior.MemberOrBaseRefInCatch</span><span class="lang"> 904 (C++)</span><div class="descr"> 905 Undefined behavior: referring to any non-static member or base class of an 906 object in the handler for a function-try-block of a constructor or destructor 907 for that object results in undefined behavior. 908 <p>Source: C++11 15.3p10.</p></div></div></td> 909 <td><div class="exampleContainer expandable"> 910 <div class="example"><pre> 911 void f() { throw 1; } 912 913 class C { 914 int i; 915 public : 916 C() 917 try { 918 f(); 919 } 920 catch (...) { 921 i=2; // warn 922 } 923 }; 924 </pre></div> 925 <div class="example"><pre> 926 void f() { throw 1; } 927 928 class Base { 929 public: 930 int i; 931 }; 932 933 class C: public Base { 934 public : 935 ~C() try { 936 f(); 937 } 938 catch (...) { 939 i=2; // warn 940 } 941 }; 942 </pre></div></div></td> 943 <td class="aligned"></td></tr> 944 945 946 <tr><td><div class="namedescr expandable"><span class="name"> 947 undefbehavior.ReturnAtCatchEnd</span><span class="lang"> 948 (C++)</span><div class="descr"> 949 Undefined behavior: a function returns when control reaches the end of a 950 handler. This results in undefined behavior in a value-returning function. 951 <p>Source: C++11 15.3p10.</p></div></div></td> 952 <td><div class="exampleContainer expandable"> 953 <div class="example"><pre> 954 void f() { throw 1; } 955 956 int test() try { 957 f(); 958 return 1; 959 } 960 catch(int) { 961 } // warn 962 </pre></div></div></td> 963 <td class="aligned"></td></tr> 964 965 966 <tr><td><div class="namedescr expandable"><span class="name"> 967 undefbehavior.AutoptrsOwnSameObj</span><span class="lang"> 968 (C++03)</span><div class="descr"> 969 Undefined behavior: if more than one <code>auto_ptr</code> owns the same object 970 at the same time the behavior of the program is undefined. 971 <p>Source: C++03 20.4.5p3; C++11 <code>auto_ptr</code> is deprecated 972 (D.10).</p></div></div></td> 973 <td><div class="exampleContainer expandable"> 974 <div class="example"><pre> 975 #include <memory> 976 977 void test() { 978 int *data = new int; 979 std::auto_ptr<int> p(data); 980 std::auto_ptr<int> q(data); // warn 981 } 982 </pre></div></div></td> 983 <td class="aligned"></td></tr> 984 985 986 <tr><td><div class="namedescr expandable"><span class="name"> 987 undefbehavior.BasicStringOutOfBound</span><span class="lang"> 988 (C++03)</span><div class="descr"> 989 Undefined behavior: out-of-bound <code>basic_string</code> access/modification. 990 <br>Note: possibly an enhancement to <span class="name"> 991 alpha.security.ArrayBoundV2</span>. 992 <p>Source: C++03 21.3.4p1; C++11 behavior is defined 993 (21.4.5p2).</p></div></div></td> 994 <td><div class="exampleContainer expandable"> 995 <div class="example"><pre> 996 #include <string> 997 998 void test() { 999 std::basic_string<char> s; 1000 char c = s[10]; // warn 1001 } 1002 </pre></div> 1003 <div class="example"><pre> 1004 #include <string> 1005 1006 void test() { 1007 std::basic_string<char> s; 1008 s[10] = 0; // warn 1009 } 1010 </pre></div></div></td> 1011 <td class="aligned"></td></tr> 1012 1013 1014 <tr><td><div class="namedescr expandable"><span class="name"> 1015 undefbehavior.EosDereference</span><span class="lang"> 1016 (C++)</span><div class="descr"> 1017 Undefined behavior: the result of <code>operator*()</code> on an end of a 1018 stream is undefined. 1019 <p>Source: C++03 24.5.3p2; C++11 24.6.3p2.</p></div></div></td> 1020 <td><div class="exampleContainer expandable"> 1021 <div class="example"><pre> 1022 #include <vector> 1023 1024 int test() { 1025 std::vector<int> v; 1026 return *v.end(); // warn 1027 } 1028 </pre></div></div></td> 1029 <td class="aligned"></td></tr> 1030 1031 1032 <tr><td><div class="namedescr expandable"><span class="name"> 1033 undefbehavior.QsortNonPODNonTrivial</span><span class="lang"> 1034 (C++)</span><div class="descr"> 1035 C++03: Undefined behavior: the objects in the array passed to qsort are of 1036 non-POD type.<br> 1037 C++11: Undefined behavior: the objects in the array passed to qsort are of 1038 non-trivial type. 1039 <p>Source: C++03 25.4p4; C++11 25.5p4.</p></div></div></td> 1040 <td><div class="exampleContainer expandable"> 1041 <div class="example"><pre> 1042 // C++03 1043 #include <cstdlib> 1044 1045 1046 struct non_POD { 1047 non_POD(); 1048 }; 1049 1050 non_POD values[] = { non_POD(), non_POD() }; 1051 1052 int compare(const void *a, const void *b); 1053 1054 void test() { 1055 qsort(values, 2, sizeof(non_POD), compare); // warn 1056 } 1057 </pre></div> 1058 <div class="example"><pre> 1059 // C++11 1060 #include <cstdlib> 1061 1062 struct S {}; 1063 1064 struct trivial_non_POD : public S { 1065 int i; 1066 }; 1067 1068 struct non_trivial { 1069 int i; 1070 non_trivial(); 1071 }; 1072 1073 trivial_non_POD tnp[2]; 1074 non_trivial nt[2]; 1075 1076 int compare1(const void *a, const void *b); 1077 1078 int compare2(const void *a, const void *b); 1079 1080 void test() { 1081 qsort(tnp, 2, sizeof(trivial_non_POD), compare1); // ok 1082 qsort(nt, 2, sizeof(non_trivial), compare2); // warn 1083 } 1084 </pre></div></div></td> 1085 <td class="aligned"></td></tr> 1086 1087 1088 <tr><td><div class="namedescr expandable"><span class="name"> 1089 undefbehavior.ThrowWhileCopy</span><span class="lang"> 1090 (C++)</span><div class="descr"> 1091 Undefined behavior: copy constructor/assignment operator can throw an exception. 1092 The effects are undefined if an exception is thrown.</div></div></td> 1093 <td><div class="exampleContainer expandable"> 1094 <div class="example"><pre> 1095 class C { 1096 public: 1097 int i, j; 1098 C (const C &c) { 1099 i = c.i; 1100 throw 1; // warn 1101 j = c.j; 1102 }; 1103 }; 1104 </pre></div> 1105 <div class="example"><pre> 1106 class C { 1107 public: 1108 int i, j; 1109 C &operator=(const C &c) { 1110 i = c.i; 1111 throw 1; // warn 1112 j = c.j; 1113 }; 1114 }; 1115 </pre></div></div></td> 1116 <td class="aligned"></td></tr> 1117 1118 1119 <tr><td><div class="namedescr expandable"><span class="name"> 1120 undefbehavior.ValarrayArgBound</span><span class="lang"> 1121 (C++)</span><div class="descr"> 1122 Undefined behavior: the value of the <code><i>n</i></code> argument passed 1123 to <code>valarray</code> constructor is greater than the number of values 1124 pointed to by the first argument (source). 1125 <p>Source: C++03 26.3.2.1p4; C++11 26.6.2.2p4.</p></div></div></td> 1126 <td><div class="exampleContainer expandable"> 1127 <div class="example"><pre> 1128 #include <valarray> 1129 1130 struct S { 1131 int i; 1132 S(int ii) : i(ii) {}; 1133 }; 1134 1135 void test(void) { 1136 S s[] = { S(1), S(2) }; 1137 std::valarray<S> v(s,3); // warn 1138 } 1139 </pre></div></div></td> 1140 <td class="aligned"></td></tr> 1141 1142 1143 <tr><td><div class="namedescr expandable"><span class="name"> 1144 undefbehavior.ValarrayLengthDiffer</span><span class="lang"> 1145 (C++)</span><div class="descr"> 1146 Undefined behavior: <code>valarray</code> operands are of different length. 1147 <p>Source: C++03 26.3.2.2p1, 26.3.2.6p3, 26.3.3.1p3, 26.3.3.2p3; 1148 C++11 defined (26.6.2.3p1), 26.6.2.7p3, 26.6.3.1p3, 1149 26.6.3.2p3.</p></div></div></td> 1150 <td><div class="exampleContainer expandable"> 1151 <div class="example"><pre> 1152 // C++03 1153 #include <valarray> 1154 1155 void test(void) { 1156 std::valarray<int> a(0, 1), b(0, 2); 1157 a = b; // warn 1158 b.resize(1); 1159 a = b; // ok 1160 } 1161 </pre></div> 1162 <div class="example"><pre> 1163 // C++03, C++11 1164 #include <valarray> 1165 1166 void test(void) { 1167 std::valarray<int> a(0, 1), b(0, 2); 1168 a *= b; // warn 1169 } 1170 </pre></div> 1171 <div class="example"><pre> 1172 // C++03, C++11 1173 #include <valarray> 1174 1175 void test(void) { 1176 std::valarray<int> a(0, 1), b(0, 2); 1177 a = a + b; // warn 1178 } 1179 </pre></div> 1180 <div class="example"><pre> 1181 // C++03, C++11 1182 #include <valarray> 1183 1184 void test(void) { 1185 std::valarray<int> a(0, 1), b(0, 2); 1186 std::valarray<bool> c(false, 1); 1187 c = a == b; // warn 1188 } 1189 </pre></div></div></td> 1190 <td class="aligned"></td></tr> 1191 1192 1193 <tr><td><div class="namedescr expandable"><span class="name"> 1194 undefbehavior.ValarrayZeroLength</span><span class="lang"> 1195 (C++)</span><div class="descr"> 1196 Undefined behavior: calling <code>sum()</code>/<code>min()</code>/<code> 1197 max()</code> methods of a zero length <code>valarray<code> the behavior is 1198 undefined. 1199 <p>Source: C++03 26.3.2.7p2, p3, p4; C++11 26.6.2.8p5, p6, 1200 p7.</p></div></div></td> 1201 <td><div class="exampleContainer expandable"> 1202 <div class="example"><pre> 1203 #include <valarray> 1204 1205 void test(void) { 1206 std::valarray<int> v(0, 0); 1207 v.sum(); // warn 1208 } 1209 </pre></div></div></td> 1210 <td class="aligned"></td></tr> 1211 1212 1213 <tr><td><div class="namedescr expandable"><span class="name"> 1214 undefbehavior.ValarrayBadIndirection</span><span class="lang"> 1215 (C++)</span><div class="descr"> 1216 Undefined behavior: element is specified more than once in an indirection. 1217 <p>Source: C++03 26.3.9.2p2, 26.3.9.3p2; C++11 26.6.9.2p2, 1218 26.6.9.3p2.</p></div></div></td> 1219 <td><div class="exampleContainer expandable"> 1220 <div class="example"><pre> 1221 #include <valarray> 1222 1223 void test() { 1224 // '1' is specified more then once 1225 size_t addr[] = {0, 1, 1}; 1226 std::valarray<size_t>indirect(addr, 3); 1227 std::valarray<int> a(0, 5), b(1, 3); 1228 a[indirect] = b; //warn 1229 } 1230 </pre></div> 1231 <div class="example"><pre> 1232 #include <valarray> 1233 1234 void test() { 1235 // '1' is specified more then once 1236 size_t addr[] = {0, 1, 1}; 1237 std::valarray<size_t>indirect(addr, 3); 1238 std::valarray<int> a(0, 5), b(1, 3); 1239 a[indirect] *= b; //warn 1240 } 1241 </pre></div></div></td> 1242 <td class="aligned"></td></tr> 1243 1244 1245 <tr><td><div class="namedescr expandable"><span class="name"> 1246 undefbehavior.IosBaseDestroyedBeforeInit</span><span class="lang"> 1247 (C++)</span><div class="descr"> 1248 Undefined behavior: <code>ios_base</code> object is destroyed before 1249 initialization have taken place. <code>basic_ios::init</code> should be call to 1250 initialize <code>ios_base</code> members. 1251 <p>Source: C++03 27.4.2.7p1, 27.4.4.1p2; C++11 27.5.3.7p1, 1252 27.5.5.2p2.</p></div></div></td> 1253 <td><div class="exampleContainer expandable"> 1254 <div class="example"><pre> 1255 #include <ios> 1256 1257 using namespace std; 1258 template <class T, class Traits = std::char_traits<T> > 1259 class my_stream1 : public std::basic_ios<T, Traits> { 1260 }; 1261 1262 template <class T, class Traits = std::char_traits<T> > 1263 class my_stream2 : public std::basic_ios<T, Traits> { 1264 class my_streambuf 1265 : public std::basic_streambuf<T, Traits> { 1266 }; 1267 public: 1268 my_stream2() { 1269 this->init(new my_streambuf); 1270 } 1271 }; 1272 1273 void test() { 1274 my_stream1<char> *p1 = new my_stream1<char>; 1275 my_stream2<char> *p2 = new my_stream2<char>; 1276 delete p1; // warn 1277 delete p2; // ok 1278 } 1279 </pre></div></div></td> 1280 <td class="aligned"></td></tr> 1281 1282 1283 <tr><td><div class="namedescr expandable"><span class="name"> 1284 undefbehavior.IosBaseUsedBeforeInit</span><span class="lang"> 1285 (C++11)</span><div class="descr"> 1286 Undefined behavior: <code>ios_base</code> object is used before initialization 1287 have taken place. <code>basic_ios::init</code> should be call to 1288 initialize <code>ios_base</code> members. 1289 <p>Source: C++11 27.5.3.7p1, 27.5.5.2p2.</p></div></div></td> 1290 <td><div class="exampleContainer expandable"> 1291 <div class="example"><pre> 1292 #include <ios> 1293 1294 using namespace std; 1295 template <class T, class Traits = std::char_traits<T> > 1296 class my_stream1 : public std::basic_ios<T, Traits> { 1297 }; 1298 1299 template <class T, class Traits = std::char_traits<T> > 1300 class my_stream2 : public std::basic_ios<T, Traits> { 1301 class my_streambuf 1302 : public std::basic_streambuf<T, Traits> { 1303 }; 1304 public: 1305 my_stream2() { 1306 this->init(new my_streambuf); 1307 } 1308 }; 1309 1310 void test() { 1311 my_stream1<char> *p1 = new my_stream1<char>; 1312 my_stream2<char> *p2 = new my_stream2<char>; 1313 p1->narrow('a', 'b'); // warn 1314 p2->narrow('a', 'b'); // ok 1315 } 1316 </pre></div></div></td> 1317 <td class="aligned"></td></tr> 1318 1319 1320 <tr><td><div class="namedescr expandable"><span class="name"> 1321 undefbehavior.MinusOnePosType</span><span class="lang"> 1322 (C++)</span><div class="descr"> 1323 Undefined behavior: passing -1 to any <code>streambuf</code>/<code> 1324 istream</code>/<code>ostream</code> member that accepts a value of 1325 type <code>traits::pos_type</code> result in undefined behavior. 1326 <p>Source: C++03 27.4.3.2p3; C++11 27.5.4.2p3.</p></div></div></td> 1327 <td><div class="exampleContainer expandable"> 1328 <div class="example"><pre> 1329 #include <fstream> 1330 1331 class my_streambuf : public std::streambuf { 1332 void f() { 1333 seekpos(-1); // warn 1334 } 1335 }; 1336 </pre></div> 1337 <div class="example"><pre> 1338 #include <fstream> 1339 1340 void test() { 1341 std::filebuf fb; 1342 std::istream in(&fb); 1343 std::filebuf::off_type pos(-1); 1344 in.seekg(pos); // warn 1345 } 1346 </pre></div></div></td> 1347 <td class="aligned"></td></tr> 1348 1349 </table> 1350 1351 <!-- ============================ different ================================ --> 1352 <h3>different</h3> 1353 <table class="checkers"> 1354 <col class="namedescr"><col class="example"><col class="progress"> 1355 <thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr> 1356 </thead> 1357 1358 <tr><td><div class="namedescr expandable"><span class="name"> 1359 different.SuccessiveAssign</span><span class="lang"> 1360 (C)</span><div class="descr"> 1361 Successive assign to a variable.</div></div></td> 1362 <td><div class="exampleContainer expandable"> 1363 <div class="example"><pre> 1364 int test() { 1365 int i; 1366 i=1; 1367 i=2; // warn 1368 return i; 1369 } 1370 </pre></div></div></td> 1371 <td class="aligned"></td></tr> 1372 1373 1374 <tr><td><div class="namedescr expandable"><span class="name"> 1375 different.NullDerefStmtOrder</span><span class="lang"> 1376 (C)</span><div class="descr"> 1377 Dereferencing of the null pointer might take place. Checking the pointer for 1378 null should be performed first. 1379 <br>Note: possibly an enhancement to <span class="name"> 1380 core.NullDereference</span>.</div></div></td> 1381 <td><div class="exampleContainer expandable"> 1382 <div class="example"><pre> 1383 struct S { 1384 int x; 1385 }; 1386 1387 struct S* f(); 1388 1389 void test() { 1390 struct S *p1 = f(); 1391 int x1 = p1->x; // warn 1392 if (p1) {}; 1393 1394 struct S *p2 = f(); 1395 int x2 = p2->x; // ok 1396 } 1397 </pre></div></div></td> 1398 <td class="aligned"></td></tr> 1399 1400 1401 <tr><td><div class="namedescr expandable"><span class="name"> 1402 different.NullDerefCondOrder</span><span class="lang"> 1403 (C)</span><div class="descr"> 1404 Dereferencing of the null pointer might take place. Checking the pointer for 1405 null should be performed first. 1406 <br>Note: possibly an enhancement to <span class="name"> 1407 core.NullDereference</span>.</div></div></td> 1408 <td><div class="exampleContainer expandable"> 1409 <div class="example"><pre> 1410 struct S {int i;}; 1411 1412 struct S* f(); 1413 1414 void test() { 1415 struct S *p = f(); 1416 if (p->i && p) {}; // warn 1417 } 1418 </pre></div></div></td> 1419 <td class="aligned"></td></tr> 1420 1421 1422 <tr><td><div class="namedescr expandable"><span class="name"> 1423 different.MultipleAccessors</span><span class="lang"> 1424 (C++)</span><div class="descr"> 1425 Identical accessor bodies. Possibly a misprint.</div></div></td> 1426 <td><div class="exampleContainer expandable"> 1427 <div class="example"><pre> 1428 class A { 1429 int i; 1430 int j; 1431 public: 1432 int getI() { return i; } 1433 int getJ() { return i; } // warn 1434 }; 1435 </pre></div> 1436 <div class="example"><pre> 1437 class A { 1438 int i; 1439 int j; 1440 public: 1441 void setI(int& ii) { i = ii; } 1442 void setJ(int& jj) { i = jj; } // warn 1443 }; 1444 </pre></div></div></td> 1445 <td class="aligned"></td></tr> 1446 1447 1448 <tr><td><div class="namedescr expandable"><span class="name"> 1449 different.AccessorsForPublic</span><span class="lang"> 1450 (C++)</span><div class="descr"> 1451 Accessors exist for a public class field. Should this field really be 1452 public?</div></div></td> 1453 <td><div class="exampleContainer expandable"> 1454 <div class="example"><pre> 1455 class A { 1456 public: 1457 int i; // warn 1458 int getI() { return i; } 1459 void setI(int& ii) { i = ii; } 1460 }; 1461 </pre></div></div></td> 1462 <td class="aligned"></td></tr> 1463 1464 1465 <tr><td><div class="namedescr expandable"><span class="name"> 1466 different.LibFuncResultUnised</span><span class="lang"> 1467 (C, C++)</span><div class="descr"> 1468 Calling a function ignoring its return value is of no use (create the list of 1469 known system/library/API functions falling into this category).</div></div></td> 1470 <td><div class="exampleContainer expandable"> 1471 <div class="example"><pre> 1472 #include <vector> 1473 1474 void test() { 1475 std::vector<int> v; 1476 v.empty(); // warn 1477 } 1478 </pre></div></div></td> 1479 <td class="aligned"></td></tr> 1480 1481 1482 <tr><td><div class="namedescr expandable"><span class="name"> 1483 different.WrongVarForStmt</span><span class="lang"> 1484 (C, C++)</span><div class="descr"> 1485 Wrong variable is possibly used in the loop/cond-expression of 1486 the <code>for</code> statement. Did you mean 1487 'proper_variable_name'?</div></div></td> 1488 <td><div class="exampleContainer expandable"> 1489 <div class="example"><pre> 1490 void test() { 1491 int i = 0; 1492 int j = 0; 1493 for (i = 0; i < 3; j += 1); // warn 1494 } 1495 </pre></div> 1496 <div class="example"><pre> 1497 void test() { 1498 int i = 0; 1499 int j = 0; 1500 for (int j = 0; i < 3; ++j); // warn 1501 } 1502 </pre></div></div></td> 1503 <td class="aligned"></td></tr> 1504 1505 1506 <tr><td><div class="namedescr expandable"><span class="name"> 1507 different.FloatingCompare</span><span class="lang"> 1508 (C)</span><div class="descr"> 1509 Comparing floating point numbers may be not precise.</div></div></td> 1510 <td><div class="exampleContainer expandable"> 1511 <div class="example"><pre> 1512 #include <math.h> 1513 1514 double test() { 1515 double b = sin(M_PI / 6.0); 1516 if (b == 0.5) // warn 1517 b = 0; 1518 return b; 1519 } 1520 </pre></div></div></td> 1521 <td class="aligned"></td></tr> 1522 1523 1524 <tr><td><div class="namedescr expandable"><span class="name"> 1525 different.BitwiseOpBoolArg</span><span class="lang"> 1526 (C, C++)</span><div class="descr"> 1527 Boolean value met at the left/right part of the bitwise <code>&</code> 1528 or <code>|</code> operator. 1529 Did you mean <code>&&</code> (<code>||</code>) ?</div></div></td> 1530 <td><div class="exampleContainer expandable"> 1531 <div class="example"><pre> 1532 int f(); 1533 1534 void test() { 1535 bool b = true; 1536 if (b & f()) {} // warn 1537 } 1538 </pre></div></div></td> 1539 <td class="aligned"></td></tr> 1540 1541 1542 <tr><td><div class="namedescr expandable"><span class="name"> 1543 different.LabelInsideSwitch</span><span class="lang"> 1544 (C)</span><div class="descr"> 1545 Possibly a misprint: label found inside a <code>switch()</code> 1546 statement.</div></div></td> 1547 <td><div class="exampleContainer expandable"> 1548 <div class="example"><pre> 1549 void test(int c) { 1550 switch(c){ 1551 case 1: 1552 c += 1; break; 1553 defalt: // warn (did you mean 'default'?) 1554 c -= 1; break; 1555 } 1556 } 1557 </pre></div></div></td> 1558 <td class="aligned"></td></tr> 1559 1560 1561 <tr><td><div class="namedescr expandable"><span class="name"> 1562 different.IdenticalCondIfIf</span><span class="lang"> 1563 (C)</span><div class="descr"> 1564 The conditions of two subsequent <code>if</code> statements are 1565 identical.</div></div></td> 1566 <td><div class="exampleContainer expandable"> 1567 <div class="example"><pre> 1568 int test(int c) { 1569 if (c > 5) 1570 c += 1; 1571 if (c > 5) // warn 1572 c -= 1; 1573 return c; 1574 } 1575 </pre></div></div></td> 1576 <td class="aligned"></td></tr> 1577 1578 1579 <tr><td><div class="namedescr expandable"><span class="name"> 1580 different.LogicalOpUselessArg</span><span class="lang"> 1581 (C)</span><div class="descr"> 1582 The second operand of a <code>&&</code> operator has no impact on 1583 expression result.</div></div></td> 1584 <td><div class="exampleContainer expandable"> 1585 <div class="example"><pre> 1586 void test(unsigned a) { 1587 if (a<7 && a<10) {}; // warn 1588 } 1589 </pre></div></div></td> 1590 <td class="aligned"></td></tr> 1591 1592 1593 <tr><td><div class="namedescr expandable"><span class="name"> 1594 different.SameResLogicalExpr</span><span class="lang"> 1595 (C)</span><div class="descr"> 1596 An expression is always evaluated to true/false.</div></div></td> 1597 <td><div class="exampleContainer expandable"> 1598 <div class="example"><pre> 1599 void test() { 1600 int i = 0; 1601 if (i != 0) {}; // warn 1602 } 1603 </pre></div> 1604 <div class="example"><pre> 1605 void test(int i) { 1606 if (i == 0 && i == 1) {}; // warn 1607 } 1608 </pre></div> 1609 <div class="example"><pre> 1610 void test(int i) { 1611 if (i < 0 || i >= 0) {}; // warn 1612 } 1613 </pre></div></div></td> 1614 <td class="aligned"></td></tr> 1615 1616 1617 <tr><td><div class="namedescr expandable"><span class="name"> 1618 different.OpPrecedenceAssignCmp</span><span class="lang"> 1619 (C, C++)</span><div class="descr"> 1620 Comparison operation has higher precedence then assignment. Boolean value is 1621 assigned to a variable of other type. Parenthesis may bee required around an 1622 assignment.</div></div></td> 1623 <td><div class="exampleContainer expandable"> 1624 <div class="example"><pre> 1625 int f(); 1626 1627 void test(int x, int y) { 1628 bool b; 1629 if((b = x != y)) {} // ok 1630 if((x = f() != y)) {} // warn 1631 } 1632 </pre></div></div></td> 1633 <td class="aligned"></td></tr> 1634 1635 1636 <tr><td><div class="namedescr expandable"><span class="name"> 1637 different.OpPrecedenceIifShift</span><span class="lang"> 1638 (C, C++)</span><div class="descr"> 1639 <code>?:</code> has lower precedence then <code><<</code>. 1640 <p>Source: Stephen C. Dewhurst "C++ Gotchas: Avoiding Common Problems in Coding 1641 and Design", advise 15.</p></div></div></td> 1642 <td><div class="exampleContainer expandable"> 1643 <div class="example"><pre> 1644 #include <iostream> 1645 1646 void test(int a) { 1647 std::cout << a ? "a" : "b"; // warn 1648 } 1649 </pre></div> 1650 <div class="example"><pre> 1651 void test(int a) { 1652 a << a > 7 ? 1 : 2; // warn 1653 } 1654 </pre></div></div></td> 1655 <td class="aligned"></td></tr> 1656 1657 1658 <tr><td><div class="namedescr expandable"><span class="name"> 1659 different.ObjectUnused</span><span class="lang"> 1660 (C++)</span><div class="descr"> 1661 The object was created but is not being used.</div></div></td> 1662 <td><div class="exampleContainer expandable"> 1663 <div class="example"><pre> 1664 struct S { 1665 int x, y; 1666 S(int xx, int yy) : x(xx), y(yy) {} 1667 S(int xx) { 1668 S(xx, 0); // warn 1669 } 1670 }; 1671 </pre></div> 1672 <div class="example"><pre> 1673 #include <exception> 1674 1675 void test() { 1676 std::exception(); 1677 // warn (did you mean 'throw std::exception()'?) 1678 } 1679 </pre></div></div></td> 1680 <td class="aligned"></td></tr> 1681 1682 1683 <tr><td><div class="namedescr expandable"><span class="name"> 1684 different.StaticArrayPtrCompare</span><span class="lang"> 1685 (C)</span><div class="descr"> 1686 Pointer to static array is being compared to NULL. May the subscripting is 1687 missing.</div></div></td> 1688 <td><div class="exampleContainer expandable"> 1689 <div class="example"><pre> 1690 void test() { 1691 int a[1][1]; 1692 if (a[0] == 0) {}; // warn 1693 } 1694 </pre></div></div></td> 1695 <td class="aligned"></td></tr> 1696 1697 1698 <tr><td><div class="namedescr expandable"><span class="name"> 1699 different.ConversionToBool</span><span class="lang"> 1700 (C, C++)</span><div class="descr"> 1701 Odd implicit conversion to boolean. 1702 <br>Note: possibly merge with <span class="name"> 1703 alpha.core.BoolAssignment</span>.</div></div></td> 1704 <td><div class="exampleContainer expandable"> 1705 <div class="example"><pre> 1706 bool test() { 1707 return 1.; // warn 1708 } 1709 </pre></div> 1710 <div class="example"><pre> 1711 bool test() { 1712 return ""; // warn 1713 } 1714 </pre></div></div></td> 1715 <td class="aligned"></td></tr> 1716 1717 1718 <tr><td><div class="namedescr expandable"><span class="name"> 1719 different.ArrayBound</span><span class="lang"> 1720 (C++)</span><div class="descr"> 1721 Out-of-bound dynamic array access. 1722 <br>Note: possibly an enhancement to <span class="name"> 1723 alpha.security.ArrayBoundV2</span>.</div></div></td> 1724 <td><div class="exampleContainer expandable"> 1725 <div class="example"><pre> 1726 void test() { 1727 int *p = new int[1]; 1728 int i = 1; 1729 if(p[i]) {}; // warn 1730 delete[] p; 1731 } 1732 </pre></div></div></td> 1733 <td class="aligned"></td></tr> 1734 1735 1736 <tr><td><div class="namedescr expandable"><span class="name"> 1737 different.StrcpyInputSize</span><span class="lang"> 1738 (C)</span><div class="descr"> 1739 Buffer copy without checking the size of input. 1740 <br>Note: possibly an enhancement to <span class="name"> 1741 alpha.unix.cstring.OutOfBounds</span>.</div></div></td> 1742 <td><div class="exampleContainer expandable"> 1743 <div class="example"><pre> 1744 void test(char* string) { 1745 char buf[24]; 1746 strcpy(buf, string); // warn 1747 } 1748 </pre></div></div></td> 1749 <td class="aligned"></td></tr> 1750 1751 1752 <tr><td><div class="namedescr expandable"><span class="name"> 1753 different.IntegerOverflow</span><span class="lang"> 1754 (C)</span><div class="descr"> 1755 Integer overflow. 1756 <br>Note: partially handled by Clang core 1757 (search for 'overflow in expression' warning in Clang tests). 1758 <p>Source: <a href="http://cwe.mitre.org/data/definitions/190.html"> 1759 CWE-190</a>.</p></div></div></td> 1760 <td><div class="exampleContainer expandable"> 1761 <div class="example"><pre> 1762 #include <limits.h> 1763 1764 int f(int x); 1765 1766 void test() { 1767 f(INT_MAX + 1); // warn 1768 } 1769 </pre></div> 1770 <div class="example"><pre> 1771 #include <limits.h> 1772 1773 int test() { 1774 int x = INT_MAX / 2 + 1; 1775 return x * 2; // warn 1776 } 1777 </pre></div></div></td> 1778 <td class="aligned"></td></tr> 1779 1780 1781 <tr><td><div class="namedescr expandable"><span class="name"> 1782 different.SignExtension</span><span class="lang"> 1783 (C)</span><div class="descr"> 1784 Unexpected sign extension might take place. 1785 <p>Source: <a href="http://cwe.mitre.org/data/definitions/194.html"> 1786 CWE-194</a>.</p></div></div></td> 1787 <td><div class="exampleContainer expandable"> 1788 <div class="example"><pre> 1789 unsigned long long test(long long sll) { 1790 unsigned long long ull = sll; // warn 1791 return ull; 1792 } 1793 </pre></div> 1794 <div class="example"><pre> 1795 void f(unsigned int i); 1796 1797 void test(int si) { 1798 f(si); // warn 1799 } 1800 </pre></div> 1801 <div class="example"><pre> 1802 unsigned int test(int i) { 1803 return i; 1804 } 1805 </pre></div></div></td> 1806 <td class="aligned"></td></tr> 1807 1808 1809 <tr><td><div class="namedescr expandable"><span class="name"> 1810 different.NumericTruncation</span><span class="lang"> 1811 (C)</span><div class="descr"> 1812 Numeric truncation might take place. 1813 <p>Source: <a href="http://cwe.mitre.org/data/definitions/197.html"> 1814 CWE-197</a>.</p></div></div></td> 1815 <td><div class="exampleContainer expandable"> 1816 <div class="example"><pre> 1817 unsigned long test(unsigned long long ull) { 1818 unsigned long ul = ull; // warn 1819 return ul; 1820 } 1821 </pre></div> 1822 <div class="example"><pre> 1823 void f(int i); 1824 1825 void test(long long sll) { 1826 f(sll); // warn 1827 } 1828 </pre></div> 1829 <div class="example"><pre> 1830 int f(); 1831 1832 short test(long long sll) { 1833 short ss = f(); 1834 return ss; 1835 } 1836 </pre></div></div></td> 1837 <td class="aligned"></td></tr> 1838 1839 1840 <tr><td><div class="namedescr expandable"><span class="name"> 1841 different.MissingCopyCtorAssignOp</span><span class="lang"> 1842 (C++)</span><div class="descr"> 1843 A class has dynamically allocated data members but do not define a copy 1844 constructor/assignment operator. 1845 <p>Source: Scott Meyers "Effective C++", item 11: Prevent exceptions from 1846 leaving destructors.</p></div></div></td> 1847 <td><div class="exampleContainer expandable"> 1848 <div class="example"><pre> 1849 class C { 1850 int *p; // warn 1851 public: 1852 C() { p = new int; } 1853 ~C() { delete p; } 1854 }; 1855 </pre></div></div></td> 1856 <td class="aligned"></td></tr> 1857 1858 </table> 1859 1860 <!-- ============================ WinAPI =================================== --> 1861 <h3>WinAPI</h3> 1862 <table class="checkers"> 1863 <col class="namedescr"><col class="example"><col class="progress"> 1864 <thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 1865 1866 <tr><td><div class="namedescr expandable"><span class="name"> 1867 WinAPI.CreateProcess</span><span class="lang"> 1868 (C)</span><div class="descr"> 1869 <code>CreateProcess()</code>: if the first parameter <code><i> 1870 lpApplicationName</i></code> is NULL then the executable name must be in the 1871 white space-delimited string pointed to by <code><i>lpCommandLine</code></i>. 1872 If the executable or path name has a space in it, there is a risk that a 1873 different executable could be run because of the way the function parses 1874 spaces. 1875 <p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx"> 1876 MSDN: CreateProcess function, Security Remarks</a>.</p></div></div></td> 1877 <td><div class="exampleContainer expandable"> 1878 <div class="example"><pre> 1879 #include <windows.h> 1880 1881 void test() { 1882 STARTUPINFO si; 1883 PROCESS_INFORMATION pi; 1884 CreateProcess(NULL, TEXT("C:\\Program Files\\App -L -S"), 1885 NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi); 1886 // warn 1887 } 1888 </pre></div></div></td> 1889 <td class="aligned"></td></tr> 1890 1891 1892 <tr><td><div class="namedescr expandable"><span class="name"> 1893 WinAPI.LoadLibrary</span><span class="lang"> 1894 (C)</span><div class="descr"> 1895 The <code>SearchPath()</code> function is used to retrieve a path to a DLL for 1896 a subsequent <code>LoadLibrary()</code> call. 1897 <p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684175%28v=vs.85%29.aspx"> 1898 MSDN: LoadLibrary function, Security Remarks</a>.</p></div></div></td> 1899 <td><div class="exampleContainer expandable"> 1900 <div class="example"><pre> 1901 #include <windows.h> 1902 1903 HINSTANCE test() { 1904 char filePath[100]; 1905 SearchPath(NULL, "file.dll", NULL, 100, filePath, NULL); 1906 return LoadLibrary(filePath); // warn 1907 } 1908 </pre></div></div></td> 1909 <td class="aligned"></td></tr> 1910 1911 1912 <tr><td><div class="namedescr expandable"><span class="name"> 1913 WinAPI.WideCharToMultiByte</span><span class="lang"> 1914 (C)</span><div class="descr"> 1915 Buffer overrun while calling <code>WideCharToMultiByte()</code>. The size of 1916 the input buffer equals the number of characters in the Unicode string, while 1917 the size of the output buffer equals the number of bytes. 1918 <p>Source: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/dd374130%28v=vs.85%29.aspx"> 1919 MSDN: WideCharToMultiByte function</a>.</p></div></div></td> 1920 <td><div class="exampleContainer expandable"> 1921 <div class="example"><pre> 1922 #include <windows.h> 1923 1924 void test() { 1925 wchar_t ws[] = L"abc"; 1926 char s[3]; 1927 WideCharToMultiByte(CP_UTF8, 0, ws, -1, s, 1928 3, NULL, NULL); // warn 1929 } 1930 </pre></div></div></td> 1931 <td class="aligned"></td></tr> 1932 1933 1934 </table> 1935 1936 <!-- =========================== optimization ============================== --> 1937 <h3>optimization</h3> 1938 <table class="checkers"> 1939 <col class="namedescr"><col class="example"><col class="progress"> 1940 <thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead> 1941 1942 <tr><td><div class="namedescr expandable"><span class="name"> 1943 optimization.PassConstObjByValue</span><span class="lang"> 1944 (C, C++)</span><div class="descr"> 1945 Optimization: It is more effective to pass constant parameter by reference to 1946 avoid unnecessary object copying.</div></div></td> 1947 <td><div class="exampleContainer expandable"> 1948 <div class="example"><pre> 1949 struct A {}; 1950 1951 void f(const struct A a); // warn 1952 </pre></div></div></td> 1953 <td class="aligned"></td></tr> 1954 1955 1956 <tr><td><div class="namedescr expandable"><span class="name"> 1957 optimization.PostfixIncIter</span><span class="lang"> 1958 (C++)</span><div class="descr"> 1959 Optimization: It is more effective to use prefix increment operator with 1960 iterator. 1961 <p>Source: Scott Meyers "More Effective C++", item 6: 1962 Distinguish between prefix and postfix forms of increment and decrement 1963 operators.</p></div></div></td> 1964 <td><div class="exampleContainer expandable"> 1965 <div class="example"><pre> 1966 #include <vector> 1967 1968 void test() { 1969 std::vector<int> v; 1970 std::vector<int>::const_iterator it; 1971 for(it = v.begin(); 1972 it != v.end(); it++) {}; // warn 1973 } 1974 </pre></div></div></td> 1975 <td class="aligned"></td></tr> 1976 1977 1978 <tr><td><div class="namedescr expandable"><span class="name"> 1979 optimization.MultipleCallsStrlen</span><span class="lang"> 1980 (C)</span><div class="descr"> 1981 Optimization: multiple calls to <code>strlen()</code> for a string in an 1982 expression. It is more effective to hold a value returned 1983 from <code>strlen()</code> in a temporary variable.</div></div></td> 1984 <td><div class="exampleContainer expandable"> 1985 <div class="example"><pre> 1986 #include <string.h> 1987 1988 void test(const char* s) { 1989 if (strlen(s) > 0 && 1990 strlen(s) < 7) {}; // warn 1991 } 1992 </pre></div></div></td> 1993 <td class="aligned"></td></tr> 1994 1995 1996 <tr><td><div class="namedescr expandable"><span class="name"> 1997 optimization.StrLengthCalculation</span><span class="lang"> 1998 (C++)</span><div class="descr"> 1999 Optimization: it is more efficient to use <code>string::length()</code> to 2000 calculate the length of an <code>std::string</code>.</div></div></td> 2001 <td><div class="exampleContainer expandable"> 2002 <div class="example"><pre> 2003 #include <string> 2004 #include <string.h> 2005 2006 void test() { 2007 std::string s; 2008 if (strlen(s.c_str()) != 0) {}; // warn 2009 } 2010 </pre></div></div></td> 2011 <td class="aligned"></td></tr> 2012 2013 2014 <tr><td><div class="namedescr expandable"><span class="name"> 2015 optimization.EmptyContainerDetect</span><span class="lang"> 2016 (C++)</span><div class="descr"> 2017 Optimization: It is more efficient to use containers <code>empty()</code> 2018 method to identify an empty container.</div></div></td> 2019 <td><div class="exampleContainer expandable"> 2020 <div class="example"><pre> 2021 #include <list> 2022 2023 void test() { 2024 std::list<int> l; 2025 if (l.size() != 0) {}; // warn 2026 } 2027 </pre></div></div></td> 2028 <td class="aligned"></td></tr> 2029 2030 2031 </table> 2032 2033 <br> 2034 </div> <!-- page --> 2035 </div> <!-- content --> 2036 </body> 2037 </html> 2038
