| blob | cff0284777bc78a33058092cde0e96040000cc1b |
3 <html>
4 <head>
12 </style>
13 </head>
17 <!--#include virtual="menu.html.incl"-->
22 Default Checkers</a>. These are checkers with known issues or limitations that
23 keep them from being on by default. They are likely to have false positives.
24 Bug reports are welcome but will likely not be investigated for some time.
25 Patches welcome!
26 <ul>
37 </ul>
39 <!-- ============================= clone alpha ============================= -->
46 <tbody>
50 Reports similar pieces of code.</div></div></a></td>
53 void log();
55 int max(int a, int b) { // warn
56 log();
57 if (a > b)
58 return a;
59 return b;
60 }
62 int maxClone(int x, int y) { // similar code here
63 log();
64 if (x > y)
65 return x;
66 return y;
67 }
68 </pre></div></div></td></tr>
69 </tbody></table>
71 <!-- ============================= core alpha ============================= -->
77 <tbody>
84 void test() {
85 BOOL b = -1; // warn
86 }
87 </pre></div></div></td></tr>
90 <tr><td><a id="alpha.core.CallAndMessageUnInitRefArg"><div class="namedescr expandable"><span class="name">
93 Check for uninitialized arguments in function calls and Objective-C
94 message expressions.</div></div></a></td>
97 void test(void) {
98 int t;
99 int &p = t;
100 int &s = p;
101 int &q = s;
102 foo(q); // warn
103 }
106 void test(void) {
107 int x;
108 foo(&x); // warn
109 }
110 </pre></div></div></td></tr>
116 Check when casting a malloc'ed type T, whether the size is a multiple of the
119 checks enabled).</div></div></a></td>
122 void test() {
123 int *x = (int *)malloc(11); // warn
124 }
125 </pre></div></div></td></tr>
131 Check for cast from non-struct pointer to struct pointer.</div></div></a></td>
134 // C
135 struct s {};
137 void test(int *p) {
138 struct s *ps = (struct s *) p; // warn
139 }
142 // C++
143 class c {};
145 void test(int *p) {
146 c *pc = (c *) p; // warn
147 }
148 </pre></div></div></td></tr>
154 Loss of sign or precision in implicit conversions</div></div></a></td>
157 void test(unsigned U, signed S) {
159 if (U < S) {
160 }
161 }
162 if (S < -10) {
163 if (U < S) { // warn (loss of sign)
164 }
165 }
166 }
169 void test() {
171 short X = A; // warn (loss of precision)
172 }
173 </pre></div></div></td></tr>
176 <tr><td><a id="alpha.core.DynamicTypeChecker"><div class="namedescr expandable"><span class="name">
179 Check for cases where the dynamic and the static type of an
180 object are unrelated.</div></div></a></td>
183 id date = [NSDate date];
185 // Warning: Object has a dynamic type 'NSDate *' which is
186 // incompatible with static type 'NSNumber *'"
187 NSNumber *number = date;
188 [number doubleValue];
189 </pre></div></div></td></tr>
195 Check for assignment of a fixed address to a pointer.</div></div></a></td>
198 void test() {
199 int *p;
200 p = (int *) 0x10000; // warn
201 }
202 </pre></div></div></td></tr>
208 Warn about suspicious uses of identical expressions.</div></div></a></td>
211 // C
212 void test() {
213 int a = 5;
214 int b = a | 4 | a; // warn: identical expr on both sides
215 }
218 // C++
219 bool f(void);
221 void test(bool b) {
222 int i = 10;
223 if (f()) { // warn: true and false branches are identical
224 do {
225 i--;
226 } while (f());
227 } else {
228 do {
229 i--;
230 } while (f());
231 }
232 }
233 </pre></div></div></td></tr>
239 Check for pointer arithmetic on locations other than array
240 elements.</div></div></a></td>
243 void test() {
244 int x;
245 int *p;
246 p = &x + 1; // warn
247 }
248 </pre></div></div></td></tr>
254 Check for pointer subtractions on two pointers pointing to different memory
255 chunks.</div></div></a></td>
258 void test() {
259 int x, y;
260 int d = &y - &x; // warn
261 }
262 </pre></div></div></td></tr>
268 Warn about unintended use of <code>sizeof()</code> on pointer
269 expressions.</div></div></a></td>
272 struct s {};
274 int test(struct s *p) {
275 return sizeof(p);
276 // warn: sizeof(ptr) can produce an unexpected result
277 }
278 </pre></div></div></td></tr>
281 <tr><td><a id="alpha.core.StackAddressAsyncEscape"><div class="namedescr expandable"><span class="name">
284 Check that addresses to stack memory do not escape the function that involves
285 <code>dispatch_after</code> or <code>dispatch_async</code>. This checker is
286 a part of core.StackAddressEscape, but is
287 <a href=https://reviews.llvm.org/D41042>temporarily disabled</a> until some
288 false positives are fixed.</div></div></a></td>
291 dispatch_block_t test_block_inside_block_async_leak() {
292 int x = 123;
293 void (^inner)(void) = ^void(void) {
294 int y = x;
295 ++y;
296 };
297 void (^outer)(void) = ^void(void) {
298 int z = x;
299 ++z;
300 inner();
301 };
302 return outer; // warn: address of stack-allocated block is captured by a
303 // returned block
304 }
305 </pre></div></div></td></tr>
308 <tr><td><a id="alpha.core.TestAfterDivZero"><div class="namedescr expandable"><span class="name">
311 Check for division by variable that is later compared against 0.
312 Either the comparison is useless or there is division by zero.
313 </div></div></a></td>
316 void test(int x) {
317 var = 77 / x;
318 if (x == 0) { } // warn
319 }
320 </pre></div></div></td></tr>
323 </tbody></table>
325 <!-- =========================== cplusplus alpha =========================== -->
329 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
330 <tbody>
333 <tr><td><a id="alpha.cplusplus.ArrayDelete"><div class="namedescr expandable"><span class="name">
336 Reports destructions of arrays of polymorphic objects that are destructed as
337 their base class
338 </div></div></a></td>
341 Base *create() {
342 Base *x = new Derived[10]; // note: Casting from 'Derived' to 'Base' here
343 return x;
344 }
346 void sink(Base *x) {
347 delete[] x; // warn: Deleting an array of 'Derived' objects as their base class 'Base' undefined
348 }
350 </pre></div></div></td></tr>
353 <tr><td><a id="alpha.cplusplus.DeleteWithNonVirtualDtor"><div class="namedescr expandable"><span class="name">
356 Reports destructions of polymorphic objects with a non-virtual destructor in
357 their base class
358 </div></div></a></td>
361 NonVirtual *create() {
362 NonVirtual *x = new NVDerived(); // note: Casting from 'NVDerived' to
363 // 'NonVirtual' here
364 return x;
365 }
367 void sink(NonVirtual *x) {
368 delete x; // warn: destruction of a polymorphic object with no virtual
369 // destructor
370 }
371 </pre></div></div></td></tr>
373 <tr><td><a id="alpha.cplusplus.EnumCastOutOfRange"><div class="namedescr expandable"><span class="name">
376 Check for integer to enumeration casts that could result in undefined values.
377 </div></div></a></td>
380 enum TestEnum {
381 A = 0
382 };
384 void foo() {
385 TestEnum t = static_cast<TestEnum>(-1);
386 // warn: the value provided to the cast expression is not in
387 the valid range of values for the enum
388 }
389 </pre></div></div></td></tr>
392 <tr><td><a id="alpha.cplusplus.InvalidatedIterator"><div class="namedescr expandable"><span class="name">
395 Check for use of invalidated iterators.
396 </div></div></a></td>
399 void bad_copy_assign_operator_list1(std::list<int> &L1,
400 const std::list<int> &L2) {
401 auto i0 = L1.cbegin();
402 L1 = L2;
403 *i0; // warn: invalidated iterator accessed
404 }
405 </pre></div></div></td></tr>
408 <tr><td><a id="alpha.cplusplus.IteratorRange"><div class="namedescr expandable"><span class="name">
411 Check for iterators used outside their valid ranges.
412 </div></div></a></td>
415 void simple_bad_end(const std::vector<int> &v) {
416 auto i = v.end();
417 *i; // warn: iterator accessed outside of its range
418 }
419 </pre></div></div></td></tr>
422 <tr><td><a id="alpha.cplusplus.MismatchedIterator"><div class="namedescr expandable"><span class="name">
425 Check for use of iterators of different containers where iterators of the same
426 container are expected.
427 </div></div></a></td>
430 void bad_insert3(std::vector<int> &v1, std::vector<int> &v2) {
431 v2.insert(v1.cbegin(), v2.cbegin(), v2.cend()); // warn: container accessed
432 // using foreign
433 // iterator argument
434 v1.insert(v1.cbegin(), v1.cbegin(), v2.cend()); // warn: iterators of
435 // different containers
436 // used where the same
437 // container is
438 // expected
439 v1.insert(v1.cbegin(), v2.cbegin(), v1.cend()); // warn: iterators of
440 // different containers
441 // used where the same
442 // container is
443 // expected
444 }
445 </pre></div></div></td></tr>
451 Method calls on a moved-from object and copying a moved-from object will be
452 reported.
453 </div></div></a></td>
456 struct A {
457 void foo() {}
458 };
460 void f() {
461 A a;
462 A b = std::move(a); // note: 'a' became 'moved-from' here
463 a.foo(); // warn: method call on a 'moved-from' object 'a'
464 }
465 </pre></div></div></td></tr>
468 </tbody></table>
471 <!-- =========================== dead code alpha =========================== -->
475 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
477 <tbody>
478 <tr><td><a id="alpha.deadcode.UnreachableCode"><div class="namedescr expandable"><span class="name">
481 Check unreachable code.</div></div></a></td>
484 // C
485 int test() {
486 int x = 1;
487 while(x);
488 return x; // warn
489 }
492 // C++
493 void test() {
494 int a = 2;
496 while (a > 1)
497 a--;
499 if (a > 1)
500 a++; // warn
501 }
504 // Objective-C
505 void test(id x) {
506 return;
507 [x retain]; // warn
508 }
509 </pre></div></div></td></tr>
510 </tbody></table>
512 <!-- =========================== llvm alpha =========================== -->
516 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
518 <tbody>
522 Check code for LLVM codebase conventions:
523 <ul>
524 <li>A <code>StringRef</code> should not be bound to a temporary std::string
525 whose lifetime is shorter than the <code>StringRef</code>'s.</li>
526 <li>Clang AST nodes should not have fields that can allocate memory.</li>
527 </ul>
528 </div></div></a></td>
531 <!-- TODO: Add examples, as currently it's hard to get this checker working. -->
532 </pre></div></div></td></tr>
534 </tbody></table>
537 <!-- ============================== OS X alpha ============================== -->
541 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
543 <tbody>
544 <tr><td><a id="alpha.osx.cocoa.DirectIvarAssignment"><div class="namedescr expandable"><span class="name">
547 Check that Objective C properties follow the following rule: the property
548 should be set with the setter, not though a direct assignment.</div></div></a></td>
551 @interface MyClass : NSObject {}
552 @property (readonly) id A;
553 - (void) foo;
554 @end
556 @implementation MyClass
557 - (void) foo {
558 _A = 0; // warn
559 }
560 @end
561 </pre></div></div></td></tr>
564 <tr><td><a id="alpha.osx.cocoa.DirectIvarAssignmentForAnnotatedFunctions"><div class="namedescr expandable"><span class="name">
567 Check for direct assignments to instance variables in the methods annotated
568 with <code>objc_no_direct_instance_variable_assignment</code>.</div></div></a></td>
571 @interface MyClass : NSObject {}
572 @property (readonly) id A;
573 - (void) fAnnotated __attribute__((
575 - (void) fNotAnnotated;
576 @end
578 @implementation MyClass
579 - (void) fAnnotated {
580 _A = 0; // warn
581 }
582 - (void) fNotAnnotated {
583 _A = 0; // no warn
584 }
585 @end
586 </pre></div></div></td></tr>
589 <tr><td><a id="alpha.osx.cocoa.InstanceVariableInvalidation"><div class="namedescr expandable"><span class="name">
592 Check that the invalidatable instance variables are invalidated in the methods
593 annotated with <code>objc_instance_variable_invalidator</code>.</div></div></a></td>
596 @protocol Invalidation <NSObject>
597 - (void) invalidate
599 @end
601 @interface InvalidationImpObj : NSObject <Invalidation>
602 @end
604 @interface SubclassInvalidationImpObj : InvalidationImpObj {
605 InvalidationImpObj *var;
606 }
607 - (void)invalidate;
608 @end
610 @implementation SubclassInvalidationImpObj
611 - (void) invalidate {}
612 @end
613 // warn: var needs to be invalidated or set to nil
614 </pre></div></div></td></tr>
617 <tr><td><a id="alpha.osx.cocoa.MissingInvalidationMethod"><div class="namedescr expandable"><span class="name">
620 Check that the invalidation methods are present in classes that contain
621 invalidatable instance variables.</div></div></a></td>
624 @protocol Invalidation <NSObject>
625 - (void)invalidate
627 @end
629 @interface NeedInvalidation : NSObject <Invalidation>
630 @end
632 @interface MissingInvalidationMethodDecl : NSObject {
633 NeedInvalidation *Var; // warn
634 }
635 @end
637 @implementation MissingInvalidationMethodDecl
638 @end
639 </pre></div></div></td></tr>
642 <tr><td><a id="alpha.osx.cocoa.localizability.PluralMisuseChecker"><div class="namedescr expandable"><span class="name">
645 Warns against using one vs. many plural pattern in code
646 when generating localized strings.
647 </div></div></a></td>
650 NSString *reminderText =
652 if (reminderCount == 1) {
653 // Warning: Plural cases are not supported across all languages.
654 // Use a .stringsdict file instead
655 reminderText =
657 } else if (reminderCount >= 2) {
658 // Warning: Plural cases are not supported across all languages.
659 // Use a .stringsdict file instead
660 reminderText =
661 [NSString stringWithFormat:
663 reminderCount];
664 }
665 </pre></div></div></td></tr>
667 </tbody></table>
669 <!-- =========================== security alpha =========================== -->
673 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
675 <tbody>
679 Warn about buffer overflows (older checker).</div></div></a></td>
682 void test() {
684 char c = s[1]; // warn
685 }
688 struct seven_words {
689 int c[7];
690 };
692 void test() {
693 struct seven_words a, *p;
694 p = &a;
695 p[0] = a;
696 p[1] = a;
697 p[2] = a; // warn
698 }
701 // note: requires unix.Malloc or
702 // alpha.unix.MallocWithAnnotations checks enabled.
703 void test() {
704 int *p = malloc(12);
705 p[3] = 4; // warn
706 }
709 void test() {
710 char a[2];
711 int *b = (int*)a;
712 b[1] = 3; // warn
713 }
714 </pre></div></div></td></tr>
717 <tr><td><a id="alpha.security.ArrayBoundV2"><div class="namedescr expandable"><span class="name">
720 Warn about buffer overflows (newer checker).</div></div></a></td>
723 void test() {
725 char c = s[1]; // warn
726 }
729 void test() {
730 int buf[100];
731 int *p = buf;
732 p = p + 99;
733 p[1] = 1; // warn
734 }
737 // note: compiler has internal check for this.
738 // Use -Wno-array-bounds to suppress compiler warning.
739 void test() {
740 int buf[100][100];
741 buf[0][-1] = 1; // warn
742 }
745 // note: requires alpha.security.taint check turned on.
746 void test() {
748 int x = getchar();
749 char c = s[x]; // warn: index is tainted
750 }
751 </pre></div></div></td></tr>
754 <tr><td><a id="alpha.security.MallocOverflow"><div class="namedescr expandable"><span class="name">
757 Check for overflows in the arguments to <code>malloc()</code>.</div></div></a></td>
760 void test(int n) {
761 void *p = malloc(n * sizeof(int)); // warn
762 }
763 </pre></div></div></td></tr>
766 <tr><td><a id="alpha.security.MmapWriteExec"><div class="namedescr expandable"><span class="name">
769 Warn on <code>mmap()<code> calls that are both writable and executable.
770 </div></div></a></td>
773 void test(int n) {
774 void *c = mmap(NULL, 32, PROT_READ | PROT_WRITE | PROT_EXEC,
775 MAP_PRIVATE | MAP_ANON, -1, 0);
776 // warn: Both PROT_WRITE and PROT_EXEC flags are set. This can lead to
777 // exploitable memory regions, which could be overwritten with malicious
778 // code
779 }
780 </pre></div></div></td></tr>
783 <tr><td><a id="alpha.security.ReturnPtrRange"><div class="namedescr expandable"><span class="name">
786 Check for an out-of-bound pointer being returned to callers.</div></div></a></td>
789 static int A[10];
791 int *test() {
792 int *p = A + 10;
793 return p; // warn
794 }
797 int test(void) {
798 int x;
799 return x; // warn: undefined or garbage returned
800 }
801 </pre></div></div></td></tr>
804 <tr><td><a id="alpha.security.taint.TaintPropagation"><div class="namedescr expandable"><span class="name">
807 Generate taint information used by other checkers.</div></div></a></td>
810 void test() {
811 char x = getchar(); // 'x' marked as tainted
812 system(&x); // warn: untrusted data is passed to a system call
813 }
816 // note: compiler internally checks if the second param to
817 // sprintf is a string literal or not.
818 // Use -Wno-format-security to suppress compiler warning.
819 void test() {
820 char s[10], buf[10];
823 sprintf(buf, s); // warn: untrusted data as a format string
824 }
827 void test() {
828 size_t ts;
830 int *p = (int *)malloc(ts * sizeof(int));
831 // warn: untrusted data as buffer size
832 }
833 </pre></div></div></td></tr>
835 </tbody></table>
837 <!-- ============================= unix alpha ============================= -->
841 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
842 <tbody>
845 <tr><td><a id="alpha.unix.BlockInCriticalSection"><div class="namedescr expandable"><span class="name">
848 Check for calls to blocking functions inside a critical section. Applies to:
849 <div class=functions>
850 lock<br>
851 unlock<br>
852 sleep<br>
853 getc<br>
854 fgets<br>
855 read<br>
856 revc<br>
857 pthread_mutex_lock<br>
858 pthread_mutex_unlock<br>
859 mtx_lock<br>
860 mtx_timedlock<br>
861 mtx_trylock<br>
862 mtx_unlock<br>
863 lock_guard<br>
864 unique_lock</div>
865 </div></div></a></td>
868 void test() {
869 std::mutex m;
870 m.lock();
871 sleep(3); // warn: a blocking function sleep is called inside a critical
872 // section
873 m.unlock();
874 }
875 </pre></div></div></td></tr>
881 Check improper use of <code>chroot</code>.</div></div></a></td>
884 void f();
886 void test() {
889 }
890 </pre></div></div></td></tr>
896 Simple lock -> unlock checker; applies to:<div class=functions>
897 pthread_mutex_lock<br>
898 pthread_rwlock_rdlock<br>
899 pthread_rwlock_wrlock<br>
900 lck_mtx_lock<br>
901 lck_rw_lock_exclusive<br>
902 lck_rw_lock_shared<br>
903 pthread_mutex_trylock<br>
904 pthread_rwlock_tryrdlock<br>
905 pthread_rwlock_tryrwlock<br>
906 lck_mtx_try_lock<br>
907 lck_rw_try_lock_exclusive<br>
908 lck_rw_try_lock_shared<br>
909 pthread_mutex_unlock<br>
910 pthread_rwlock_unlock<br>
911 lck_mtx_unlock<br>
912 lck_rw_done</div></div></div></a></td>
915 pthread_mutex_t mtx;
917 void test() {
918 pthread_mutex_lock(&mtx);
919 pthread_mutex_lock(&mtx);
920 // warn: this lock has already been acquired
921 }
924 lck_mtx_t lck1, lck2;
926 void test() {
927 lck_mtx_lock(&lck1);
928 lck_mtx_lock(&lck2);
929 lck_mtx_unlock(&lck1);
930 // warn: this was not the most recently acquired lock
931 }
934 lck_mtx_t lck1, lck2;
936 void test() {
937 if (lck_mtx_try_lock(&lck1) == 0)
938 return;
940 lck_mtx_lock(&lck2);
941 lck_mtx_unlock(&lck1);
942 // warn: this was not the most recently acquired lock
943 }
944 </pre></div></div></td></tr>
950 Check for misuses of stream APIs:<div class=functions>
951 fopen<br>
952 fclose</div>(demo checker, the subject of the demo
956 2012 LLVM Developers' Meeting).</a></div></div></a></td>
959 void test() {
961 } // warn: opened file is never closed
964 void test() {
967 if (F)
968 fclose(F);
970 fclose(F); // warn: closing a previously closed file stream
971 }
972 </pre></div></div></td></tr>
978 Check stream handling functions:<div class=functions>fopen<br>
979 tmpfile<br>
980 fclose<br>
981 fread<br>
982 fwrite<br>
983 fseek<br>
984 ftell<br>
985 rewind<br>
986 fgetpos<br>
987 fsetpos<br>
988 clearerr<br>
989 feof<br>
990 ferror<br>
991 fileno</div></div></div></a></td>
994 void test() {
996 } // warn: opened file is never closed
999 void test() {
1001 fseek(p, 1, SEEK_SET); // warn: stream pointer might be NULL
1002 fclose(p);
1003 }
1006 void test() {
1009 if (p)
1010 fseek(p, 1, 3);
1011 // warn: third arg should be SEEK_SET, SEEK_END, or SEEK_CUR
1013 fclose(p);
1014 }
1017 void test() {
1019 fclose(p);
1020 fclose(p); // warn: already closed
1021 }
1024 void test() {
1025 FILE *p = tmpfile();
1026 ftell(p); // warn: stream pointer might be NULL
1027 fclose(p);
1028 }
1029 </pre></div></div></td></tr>
1032 <tr><td><a id="alpha.unix.cstring.BufferOverlap"><div class="namedescr expandable"><span class="name">
1035 Checks for overlap in two buffer arguments; applies to:<div class=functions>
1036 memcpy<br>
1037 mempcpy</div></div></div></a></td>
1040 void test() {
1041 int a[4] = {0};
1042 memcpy(a + 2, a + 1, 8); // warn
1043 }
1044 </pre></div></div></td></tr>
1047 <tr><td><a id="alpha.unix.cstring.NotNullTerminated"><div class="namedescr expandable"><span class="name">
1050 Check for arguments which are not null-terminated strings; applies
1051 to:<div class=functions>
1052 strlen<br>
1053 strnlen<br>
1054 strcpy<br>
1055 strncpy<br>
1056 strcat<br>
1057 strncat</div></div></div></td>
1060 void test() {
1061 int y = strlen((char *)&test); // warn
1062 }
1063 </pre></div></div></a></td></tr>
1066 <tr><td><a id="alpha.unix.cstring.OutOfBounds"><div class="namedescr expandable"><span class="name">
1069 Check for out-of-bounds access in string functions; applies
1070 to:<div class=functions>
1071 strncopy<br>
1072 strncat</div></div></div></a></td>
1075 void test(char *y) {
1076 char x[4];
1077 if (strlen(y) == 4)
1078 strncpy(x, y, 5); // warn
1079 }
1080 </pre></div></div></td></tr>
1082 </tbody></table>
1084 <!-- =========================== nondeterminism alpha =========================== -->
1088 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
1090 <tbody>
1091 <tr><td><a id="alpha.nondeterminism.PointerIteration"><div class="namedescr expandable"><span class="name">
1094 Check for non-determinism caused by iterating unordered containers of pointers.</div></div></a></td>
1097 // C++
1098 void test() {
1099 int a = 1, b = 2;
1100 std::unordered_set<int *> UnorderedPtrSet = {&a, &b};
1102 for (auto i : UnorderedPtrSet) // warn
1103 f(i);
1104 }
1105 </pre></div></div></td></tr>
1106 <tr><td><a id="alpha.nondeterminism.PointerSorting"><div class="namedescr expandable"><span class="name">
1109 Check for non-determinism caused by sorting of pointers.</div></div></a></td>
1112 // C++
1113 void test() {
1114 int a = 1, b = 2;
1115 std::vector<int *> V = {&a, &b};
1116 std::sort(V.begin(), V.end()); // warn
1117 }
1118 </pre></div></div></td></tr>
1119 </tbody></table>
1121 </div> <!-- page -->
1122 </div> <!-- content -->
1123 </body>
1124 </html>