| blob | 181ce1b9de591b3d0133ef8fe10bd6d45524fd0f |
3 <html>
4 <head>
12 </style>
13 </head>
17 <!--#include virtual="menu.html.incl"-->
22 Default Checkers</a>. These are checkers with known issues or limitations that
23 keep them from being on by default. They are likely to have false positives.
24 Bug reports are welcome but will likely not be investigated for some time.
25 Patches welcome!
26 <ul>
37 </ul>
39 <!-- ============================= clone alpha ============================= -->
46 <tbody>
50 Reports similar pieces of code.</div></div></a></td>
53 void log();
55 int max(int a, int b) { // warn
56 log();
57 if (a > b)
58 return a;
59 return b;
60 }
62 int maxClone(int x, int y) { // similar code here
63 log();
64 if (x > y)
65 return x;
66 return y;
67 }
68 </pre></div></div></td></tr>
69 </tbody></table>
71 <!-- ============================= core alpha ============================= -->
77 <tbody>
84 void test() {
85 BOOL b = -1; // warn
86 }
87 </pre></div></div></td></tr>
90 <tr><td><a id="alpha.core.CallAndMessageUnInitRefArg"><div class="namedescr expandable"><span class="name">
93 Check for uninitialized arguments in function calls and Objective-C
94 message expressions.</div></div></a></td>
97 void test(void) {
98 int t;
99 int &p = t;
100 int &s = p;
101 int &q = s;
102 foo(q); // warn
103 }
106 void test(void) {
107 int x;
108 foo(&x); // warn
109 }
110 </pre></div></div></td></tr>
116 Check when casting a malloc'ed type T, whether the size is a multiple of the
119 checks enabled).</div></div></a></td>
122 void test() {
123 int *x = (int *)malloc(11); // warn
124 }
125 </pre></div></div></td></tr>
131 Check for cast from non-struct pointer to struct pointer.</div></div></a></td>
134 // C
135 struct s {};
137 void test(int *p) {
138 struct s *ps = (struct s *) p; // warn
139 }
142 // C++
143 class c {};
145 void test(int *p) {
146 c *pc = (c *) p; // warn
147 }
148 </pre></div></div></td></tr>
154 Loss of sign or precision in implicit conversions</div></div></a></td>
157 void test(unsigned U, signed S) {
159 if (U < S) {
160 }
161 }
162 if (S < -10) {
163 if (U < S) { // warn (loss of sign)
164 }
165 }
166 }
169 void test() {
171 short X = A; // warn (loss of precision)
172 }
173 </pre></div></div></td></tr>
176 <tr><td><a id="alpha.core.DynamicTypeChecker"><div class="namedescr expandable"><span class="name">
179 Check for cases where the dynamic and the static type of an
180 object are unrelated.</div></div></a></td>
183 id date = [NSDate date];
185 // Warning: Object has a dynamic type 'NSDate *' which is
186 // incompatible with static type 'NSNumber *'"
187 NSNumber *number = date;
188 [number doubleValue];
189 </pre></div></div></td></tr>
195 Check for assignment of a fixed address to a pointer.</div></div></a></td>
198 void test() {
199 int *p;
200 p = (int *) 0x10000; // warn
201 }
202 </pre></div></div></td></tr>
208 Warn about suspicious uses of identical expressions.</div></div></a></td>
211 // C
212 void test() {
213 int a = 5;
214 int b = a | 4 | a; // warn: identical expr on both sides
215 }
218 // C++
219 bool f(void);
221 void test(bool b) {
222 int i = 10;
223 if (f()) { // warn: true and false branches are identical
224 do {
225 i--;
226 } while (f());
227 } else {
228 do {
229 i--;
230 } while (f());
231 }
232 }
233 </pre></div></div></td></tr>
239 Check for pointer arithmetic on locations other than array
240 elements.</div></div></a></td>
243 void test() {
244 int x;
245 int *p;
246 p = &x + 1; // warn
247 }
248 </pre></div></div></td></tr>
254 Check for pointer subtractions on two pointers pointing to different memory
255 chunks.</div></div></a></td>
258 void test() {
259 int x, y;
260 int d = &y - &x; // warn
261 }
262 </pre></div></div></td></tr>
268 Warn about unintended use of <code>sizeof()</code> on pointer
269 expressions.</div></div></a></td>
272 struct s {};
274 int test(struct s *p) {
275 return sizeof(p);
276 // warn: sizeof(ptr) can produce an unexpected result
277 }
278 </pre></div></div></td></tr>
281 <tr><td><a id="alpha.core.StackAddressAsyncEscape"><div class="namedescr expandable"><span class="name">
284 Check that addresses to stack memory do not escape the function that involves
285 <code>dispatch_after</code> or <code>dispatch_async</code>. This checker is
286 a part of core.StackAddressEscape, but is
287 <a href=https://reviews.llvm.org/D41042>temporarily disabled</a> until some
288 false positives are fixed.</div></div></a></td>
291 dispatch_block_t test_block_inside_block_async_leak() {
292 int x = 123;
293 void (^inner)(void) = ^void(void) {
294 int y = x;
295 ++y;
296 };
297 void (^outer)(void) = ^void(void) {
298 int z = x;
299 ++z;
300 inner();
301 };
302 return outer; // warn: address of stack-allocated block is captured by a
303 // returned block
304 }
305 </pre></div></div></td></tr>
308 <tr><td><a id="alpha.core.TestAfterDivZero"><div class="namedescr expandable"><span class="name">
311 Check for division by variable that is later compared against 0.
312 Either the comparison is useless or there is division by zero.
313 </div></div></a></td>
316 void test(int x) {
317 var = 77 / x;
318 if (x == 0) { } // warn
319 }
320 </pre></div></div></td></tr>
323 </tbody></table>
325 <!-- =========================== cplusplus alpha =========================== -->
329 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
330 <tbody>
333 <tr><td><a id="alpha.cplusplus.DeleteWithNonVirtualDtor"><div class="namedescr expandable"><span class="name">
336 Reports destructions of polymorphic objects with a non-virtual destructor in
337 their base class
338 </div></div></a></td>
341 NonVirtual *create() {
342 NonVirtual *x = new NVDerived(); // note: conversion from derived to base
343 // happened here
344 return x;
345 }
347 void sink(NonVirtual *x) {
348 delete x; // warn: destruction of a polymorphic object with no virtual
349 // destructor
350 }
351 </pre></div></div></td></tr>
353 <tr><td><a id="alpha.cplusplus.EnumCastOutOfRange"><div class="namedescr expandable"><span class="name">
356 Check for integer to enumeration casts that could result in undefined values.
357 </div></div></a></td>
360 enum TestEnum {
361 A = 0
362 };
364 void foo() {
365 TestEnum t = static_cast<TestEnum>(-1);
366 // warn: the value provided to the cast expression is not in
367 the valid range of values for the enum
368 }
369 </pre></div></div></td></tr>
372 <tr><td><a id="alpha.cplusplus.InvalidatedIterator"><div class="namedescr expandable"><span class="name">
375 Check for use of invalidated iterators.
376 </div></div></a></td>
379 void bad_copy_assign_operator_list1(std::list<int> &L1,
380 const std::list<int> &L2) {
381 auto i0 = L1.cbegin();
382 L1 = L2;
383 *i0; // warn: invalidated iterator accessed
384 }
385 </pre></div></div></td></tr>
388 <tr><td><a id="alpha.cplusplus.IteratorRange"><div class="namedescr expandable"><span class="name">
391 Check for iterators used outside their valid ranges.
392 </div></div></a></td>
395 void simple_bad_end(const std::vector<int> &v) {
396 auto i = v.end();
397 *i; // warn: iterator accessed outside of its range
398 }
399 </pre></div></div></td></tr>
402 <tr><td><a id="alpha.cplusplus.MismatchedIterator"><div class="namedescr expandable"><span class="name">
405 Check for use of iterators of different containers where iterators of the same
406 container are expected.
407 </div></div></a></td>
410 void bad_insert3(std::vector<int> &v1, std::vector<int> &v2) {
411 v2.insert(v1.cbegin(), v2.cbegin(), v2.cend()); // warn: container accessed
412 // using foreign
413 // iterator argument
414 v1.insert(v1.cbegin(), v1.cbegin(), v2.cend()); // warn: iterators of
415 // different containers
416 // used where the same
417 // container is
418 // expected
419 v1.insert(v1.cbegin(), v2.cbegin(), v1.cend()); // warn: iterators of
420 // different containers
421 // used where the same
422 // container is
423 // expected
424 }
425 </pre></div></div></td></tr>
431 Method calls on a moved-from object and copying a moved-from object will be
432 reported.
433 </div></div></a></td>
436 struct A {
437 void foo() {}
438 };
440 void f() {
441 A a;
442 A b = std::move(a); // note: 'a' became 'moved-from' here
443 a.foo(); // warn: method call on a 'moved-from' object 'a'
444 }
445 </pre></div></div></td></tr>
448 </tbody></table>
451 <!-- =========================== dead code alpha =========================== -->
455 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
457 <tbody>
458 <tr><td><a id="alpha.deadcode.UnreachableCode"><div class="namedescr expandable"><span class="name">
461 Check unreachable code.</div></div></a></td>
464 // C
465 int test() {
466 int x = 1;
467 while(x);
468 return x; // warn
469 }
472 // C++
473 void test() {
474 int a = 2;
476 while (a > 1)
477 a--;
479 if (a > 1)
480 a++; // warn
481 }
484 // Objective-C
485 void test(id x) {
486 return;
487 [x retain]; // warn
488 }
489 </pre></div></div></td></tr>
490 </tbody></table>
492 <!-- =========================== llvm alpha =========================== -->
496 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
498 <tbody>
502 Check code for LLVM codebase conventions:
503 <ul>
504 <li>A <code>StringRef</code> should not be bound to a temporary std::string
505 whose lifetime is shorter than the <code>StringRef</code>'s.</li>
506 <li>Clang AST nodes should not have fields that can allocate memory.</li>
507 </ul>
508 </div></div></a></td>
511 <!-- TODO: Add examples, as currently it's hard to get this checker working. -->
512 </pre></div></div></td></tr>
514 </tbody></table>
517 <!-- ============================== OS X alpha ============================== -->
521 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
523 <tbody>
524 <tr><td><a id="alpha.osx.cocoa.DirectIvarAssignment"><div class="namedescr expandable"><span class="name">
527 Check that Objective C properties follow the following rule: the property
528 should be set with the setter, not though a direct assignment.</div></div></a></td>
531 @interface MyClass : NSObject {}
532 @property (readonly) id A;
533 - (void) foo;
534 @end
536 @implementation MyClass
537 - (void) foo {
538 _A = 0; // warn
539 }
540 @end
541 </pre></div></div></td></tr>
544 <tr><td><a id="alpha.osx.cocoa.DirectIvarAssignmentForAnnotatedFunctions"><div class="namedescr expandable"><span class="name">
547 Check for direct assignments to instance variables in the methods annotated
548 with <code>objc_no_direct_instance_variable_assignment</code>.</div></div></a></td>
551 @interface MyClass : NSObject {}
552 @property (readonly) id A;
553 - (void) fAnnotated __attribute__((
555 - (void) fNotAnnotated;
556 @end
558 @implementation MyClass
559 - (void) fAnnotated {
560 _A = 0; // warn
561 }
562 - (void) fNotAnnotated {
563 _A = 0; // no warn
564 }
565 @end
566 </pre></div></div></td></tr>
569 <tr><td><a id="alpha.osx.cocoa.InstanceVariableInvalidation"><div class="namedescr expandable"><span class="name">
572 Check that the invalidatable instance variables are invalidated in the methods
573 annotated with <code>objc_instance_variable_invalidator</code>.</div></div></a></td>
576 @protocol Invalidation <NSObject>
577 - (void) invalidate
579 @end
581 @interface InvalidationImpObj : NSObject <Invalidation>
582 @end
584 @interface SubclassInvalidationImpObj : InvalidationImpObj {
585 InvalidationImpObj *var;
586 }
587 - (void)invalidate;
588 @end
590 @implementation SubclassInvalidationImpObj
591 - (void) invalidate {}
592 @end
593 // warn: var needs to be invalidated or set to nil
594 </pre></div></div></td></tr>
597 <tr><td><a id="alpha.osx.cocoa.MissingInvalidationMethod"><div class="namedescr expandable"><span class="name">
600 Check that the invalidation methods are present in classes that contain
601 invalidatable instance variables.</div></div></a></td>
604 @protocol Invalidation <NSObject>
605 - (void)invalidate
607 @end
609 @interface NeedInvalidation : NSObject <Invalidation>
610 @end
612 @interface MissingInvalidationMethodDecl : NSObject {
613 NeedInvalidation *Var; // warn
614 }
615 @end
617 @implementation MissingInvalidationMethodDecl
618 @end
619 </pre></div></div></td></tr>
622 <tr><td><a id="alpha.osx.cocoa.localizability.PluralMisuseChecker"><div class="namedescr expandable"><span class="name">
625 Warns against using one vs. many plural pattern in code
626 when generating localized strings.
627 </div></div></a></td>
630 NSString *reminderText =
632 if (reminderCount == 1) {
633 // Warning: Plural cases are not supported across all languages.
634 // Use a .stringsdict file instead
635 reminderText =
637 } else if (reminderCount >= 2) {
638 // Warning: Plural cases are not supported across all languages.
639 // Use a .stringsdict file instead
640 reminderText =
641 [NSString stringWithFormat:
643 reminderCount];
644 }
645 </pre></div></div></td></tr>
647 </tbody></table>
649 <!-- =========================== security alpha =========================== -->
653 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
655 <tbody>
659 Warn about buffer overflows (older checker).</div></div></a></td>
662 void test() {
664 char c = s[1]; // warn
665 }
668 struct seven_words {
669 int c[7];
670 };
672 void test() {
673 struct seven_words a, *p;
674 p = &a;
675 p[0] = a;
676 p[1] = a;
677 p[2] = a; // warn
678 }
681 // note: requires unix.Malloc or
682 // alpha.unix.MallocWithAnnotations checks enabled.
683 void test() {
684 int *p = malloc(12);
685 p[3] = 4; // warn
686 }
689 void test() {
690 char a[2];
691 int *b = (int*)a;
692 b[1] = 3; // warn
693 }
694 </pre></div></div></td></tr>
697 <tr><td><a id="alpha.security.ArrayBoundV2"><div class="namedescr expandable"><span class="name">
700 Warn about buffer overflows (newer checker).</div></div></a></td>
703 void test() {
705 char c = s[1]; // warn
706 }
709 void test() {
710 int buf[100];
711 int *p = buf;
712 p = p + 99;
713 p[1] = 1; // warn
714 }
717 // note: compiler has internal check for this.
718 // Use -Wno-array-bounds to suppress compiler warning.
719 void test() {
720 int buf[100][100];
721 buf[0][-1] = 1; // warn
722 }
725 // note: requires alpha.security.taint check turned on.
726 void test() {
728 int x = getchar();
729 char c = s[x]; // warn: index is tainted
730 }
731 </pre></div></div></td></tr>
734 <tr><td><a id="alpha.security.MallocOverflow"><div class="namedescr expandable"><span class="name">
737 Check for overflows in the arguments to <code>malloc()</code>.</div></div></a></td>
740 void test(int n) {
741 void *p = malloc(n * sizeof(int)); // warn
742 }
743 </pre></div></div></td></tr>
746 <tr><td><a id="alpha.security.MmapWriteExec"><div class="namedescr expandable"><span class="name">
749 Warn on <code>mmap()<code> calls that are both writable and executable.
750 </div></div></a></td>
753 void test(int n) {
754 void *c = mmap(NULL, 32, PROT_READ | PROT_WRITE | PROT_EXEC,
755 MAP_PRIVATE | MAP_ANON, -1, 0);
756 // warn: Both PROT_WRITE and PROT_EXEC flags are set. This can lead to
757 // exploitable memory regions, which could be overwritten with malicious
758 // code
759 }
760 </pre></div></div></td></tr>
763 <tr><td><a id="alpha.security.ReturnPtrRange"><div class="namedescr expandable"><span class="name">
766 Check for an out-of-bound pointer being returned to callers.</div></div></a></td>
769 static int A[10];
771 int *test() {
772 int *p = A + 10;
773 return p; // warn
774 }
777 int test(void) {
778 int x;
779 return x; // warn: undefined or garbage returned
780 }
781 </pre></div></div></td></tr>
784 <tr><td><a id="alpha.security.taint.TaintPropagation"><div class="namedescr expandable"><span class="name">
787 Generate taint information used by other checkers.</div></div></a></td>
790 void test() {
791 char x = getchar(); // 'x' marked as tainted
792 system(&x); // warn: untrusted data is passed to a system call
793 }
796 // note: compiler internally checks if the second param to
797 // sprintf is a string literal or not.
798 // Use -Wno-format-security to suppress compiler warning.
799 void test() {
800 char s[10], buf[10];
803 sprintf(buf, s); // warn: untrusted data as a format string
804 }
807 void test() {
808 size_t ts;
810 int *p = (int *)malloc(ts * sizeof(int));
811 // warn: untrusted data as buffer size
812 }
813 </pre></div></div></td></tr>
815 </tbody></table>
817 <!-- ============================= unix alpha ============================= -->
821 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
822 <tbody>
825 <tr><td><a id="alpha.unix.BlockInCriticalSection"><div class="namedescr expandable"><span class="name">
828 Check for calls to blocking functions inside a critical section. Applies to:
829 <div class=functions>
830 lock<br>
831 unlock<br>
832 sleep<br>
833 getc<br>
834 fgets<br>
835 read<br>
836 revc<br>
837 pthread_mutex_lock<br>
838 pthread_mutex_unlock<br>
839 mtx_lock<br>
840 mtx_timedlock<br>
841 mtx_trylock<br>
842 mtx_unlock<br>
843 lock_guard<br>
844 unique_lock</div>
845 </div></div></a></td>
848 void test() {
849 std::mutex m;
850 m.lock();
851 sleep(3); // warn: a blocking function sleep is called inside a critical
852 // section
853 m.unlock();
854 }
855 </pre></div></div></td></tr>
861 Check improper use of <code>chroot</code>.</div></div></a></td>
864 void f();
866 void test() {
869 }
870 </pre></div></div></td></tr>
876 Simple lock -> unlock checker; applies to:<div class=functions>
877 pthread_mutex_lock<br>
878 pthread_rwlock_rdlock<br>
879 pthread_rwlock_wrlock<br>
880 lck_mtx_lock<br>
881 lck_rw_lock_exclusive<br>
882 lck_rw_lock_shared<br>
883 pthread_mutex_trylock<br>
884 pthread_rwlock_tryrdlock<br>
885 pthread_rwlock_tryrwlock<br>
886 lck_mtx_try_lock<br>
887 lck_rw_try_lock_exclusive<br>
888 lck_rw_try_lock_shared<br>
889 pthread_mutex_unlock<br>
890 pthread_rwlock_unlock<br>
891 lck_mtx_unlock<br>
892 lck_rw_done</div></div></div></a></td>
895 pthread_mutex_t mtx;
897 void test() {
898 pthread_mutex_lock(&mtx);
899 pthread_mutex_lock(&mtx);
900 // warn: this lock has already been acquired
901 }
904 lck_mtx_t lck1, lck2;
906 void test() {
907 lck_mtx_lock(&lck1);
908 lck_mtx_lock(&lck2);
909 lck_mtx_unlock(&lck1);
910 // warn: this was not the most recently acquired lock
911 }
914 lck_mtx_t lck1, lck2;
916 void test() {
917 if (lck_mtx_try_lock(&lck1) == 0)
918 return;
920 lck_mtx_lock(&lck2);
921 lck_mtx_unlock(&lck1);
922 // warn: this was not the most recently acquired lock
923 }
924 </pre></div></div></td></tr>
930 Check for misuses of stream APIs:<div class=functions>
931 fopen<br>
932 fclose</div>(demo checker, the subject of the demo
936 2012 LLVM Developers' Meeting).</a></div></div></a></td>
939 void test() {
941 } // warn: opened file is never closed
944 void test() {
947 if (F)
948 fclose(F);
950 fclose(F); // warn: closing a previously closed file stream
951 }
952 </pre></div></div></td></tr>
958 Check stream handling functions:<div class=functions>fopen<br>
959 tmpfile<br>
960 fclose<br>
961 fread<br>
962 fwrite<br>
963 fseek<br>
964 ftell<br>
965 rewind<br>
966 fgetpos<br>
967 fsetpos<br>
968 clearerr<br>
969 feof<br>
970 ferror<br>
971 fileno</div></div></div></a></td>
974 void test() {
976 } // warn: opened file is never closed
979 void test() {
981 fseek(p, 1, SEEK_SET); // warn: stream pointer might be NULL
982 fclose(p);
983 }
986 void test() {
989 if (p)
990 fseek(p, 1, 3);
991 // warn: third arg should be SEEK_SET, SEEK_END, or SEEK_CUR
993 fclose(p);
994 }
997 void test() {
999 fclose(p);
1000 fclose(p); // warn: already closed
1001 }
1004 void test() {
1005 FILE *p = tmpfile();
1006 ftell(p); // warn: stream pointer might be NULL
1007 fclose(p);
1008 }
1009 </pre></div></div></td></tr>
1012 <tr><td><a id="alpha.unix.cstring.BufferOverlap"><div class="namedescr expandable"><span class="name">
1015 Checks for overlap in two buffer arguments; applies to:<div class=functions>
1016 memcpy<br>
1017 mempcpy</div></div></div></a></td>
1020 void test() {
1021 int a[4] = {0};
1022 memcpy(a + 2, a + 1, 8); // warn
1023 }
1024 </pre></div></div></td></tr>
1027 <tr><td><a id="alpha.unix.cstring.NotNullTerminated"><div class="namedescr expandable"><span class="name">
1030 Check for arguments which are not null-terminated strings; applies
1031 to:<div class=functions>
1032 strlen<br>
1033 strnlen<br>
1034 strcpy<br>
1035 strncpy<br>
1036 strcat<br>
1037 strncat</div></div></div></td>
1040 void test() {
1041 int y = strlen((char *)&test); // warn
1042 }
1043 </pre></div></div></a></td></tr>
1046 <tr><td><a id="alpha.unix.cstring.OutOfBounds"><div class="namedescr expandable"><span class="name">
1049 Check for out-of-bounds access in string functions; applies
1050 to:<div class=functions>
1051 strncopy<br>
1052 strncat</div></div></div></a></td>
1055 void test(char *y) {
1056 char x[4];
1057 if (strlen(y) == 4)
1058 strncpy(x, y, 5); // warn
1059 }
1060 </pre></div></div></td></tr>
1062 </tbody></table>
1064 <!-- =========================== nondeterminism alpha =========================== -->
1068 <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
1070 <tbody>
1071 <tr><td><a id="alpha.nondeterminism.PointerIteration"><div class="namedescr expandable"><span class="name">
1074 Check for non-determinism caused by iterating unordered containers of pointers.</div></div></a></td>
1077 // C++
1078 void test() {
1079 int a = 1, b = 2;
1080 std::unordered_set<int *> UnorderedPtrSet = {&a, &b};
1082 for (auto i : UnorderedPtrSet) // warn
1083 f(i);
1084 }
1085 </pre></div></div></td></tr>
1086 <tr><td><a id="alpha.nondeterminism.PointerSorting"><div class="namedescr expandable"><span class="name">
1089 Check for non-determinism caused by sorting of pointers.</div></div></a></td>
1092 // C++
1093 void test() {
1094 int a = 1, b = 2;
1095 std::vector<int *> V = {&a, &b};
1096 std::sort(V.begin(), V.end()); // warn
1097 }
1098 </pre></div></div></td></tr>
1099 </tbody></table>
1101 </div> <!-- page -->
1102 </div> <!-- content -->
1103 </body>
1104 </html>