| blob | 501a2b306dfaddf399739d580096ff06940be109 |
3 <html>
4 <head>
12 </style>
13 </head>
17 <!--#include virtual="menu.html.incl"-->
21 The analyzer performs checks that are categorized into families or "checkers". The
22 default set of checkers covers a variety of checks targeted at finding security
23 and API usage bugs, dead code, and other logic errors. See the
26 Experimental (Alpha) Checkers</a>.
29 <ul>
30 <li><a href="http://www.mobileorchard.com/bug-finding-with-clang-5-resources-to-get-you-started/">Bug Finding With Clang: 5 Resources To Get You Started</a></li>
31 <li><a href="https://fruitstandsoftware.mrrooni.com/blog/blog/2008/08/04/finding-memory-leaks-with-the-llvmclang-static-analyzer/">Finding Memory Leaks With The LLVM/Clang Static Analyzer</a></li>
32 <li><a href="https://weblog.rogueamoeba.com/2008/07/14/the-clang-static-analyzer/">Under the Microscope - The Clang Static Analyzer</a></li>
33 <li><a href="https://www.mikeash.com/pyblog/friday-qa-2009-03-06-using-the-clang-static-analyzer.html">Mike Ash - Using the Clang Static Analyzer</a></li>
34 </ul>
37 <ul>
38 <li><a href="#core_checkers">Core Checkers</a> model core language features and perform general-purpose checks such as division by zero, null pointer dereference, usage of uninitialized values, etc.</li>
43 <li><a href="#osx_checkers">OS X Checkers</a> perform Objective-C-specific checks and check the use of Apple's SDKs (OS X and iOS)</li>
44 <li><a href="#security_checkers">Security Checkers</a> check for insecure API usage and perform checks based on the CERT Secure Coding Standards</li>
46 </ul>
48 <!-- =========================== core =========================== -->
54 <tbody>
58 Check for logical errors for function calls and Objective-C message expressions
59 (e.g., uninitialized arguments, null function pointers).</div></div></a></td>
62 // C
63 struct S {
64 int x;
65 };
67 void f(struct S s);
69 void test() {
70 struct S s;
71 f(s); // warn: passed-by-value arg contain uninitialized data
72 }
73 </pre></div>
75 // C
76 void test() {
77 void (*foo)(void);
78 foo(); // warn: function pointer is uninitialized
79 }
80 </pre></div>
82 // C
83 void test() {
84 void (*foo)(void);
85 foo = 0;
86 foo(); // warn: function pointer is null
87 }
88 </pre></div>
90 // C++
91 class C {
92 public:
93 void f();
94 };
96 void test() {
97 C *pc;
98 pc->f(); // warn: object pointer is uninitialized
99 }
100 </pre></div>
102 // C++
103 class C {
104 public:
105 void f();
106 };
108 void test() {
109 C *pc = 0;
110 pc->f(); // warn: object pointer is null
111 }
112 </pre></div>
114 // Objective-C
115 @interface MyClass : NSObject
116 @property (readwrite,assign) id x;
117 - (long double)longDoubleM;
118 @end
120 void test() {
121 MyClass *obj1;
122 long double ld1 = [obj1 longDoubleM];
123 // warn: receiver is uninitialized
124 }
125 </pre></div>
127 // Objective-C
128 @interface MyClass : NSObject
129 @property (readwrite,assign) id x;
130 - (long double)longDoubleM;
131 @end
133 void test() {
134 MyClass *obj1;
135 id i = obj1.x; // warn: uninitialized object pointer
136 }
137 </pre></div>
139 // Objective-C
140 @interface Subscriptable : NSObject
141 - (id)objectAtIndexedSubscript:(unsigned int)index;
142 @end
144 @interface MyClass : Subscriptable
145 @property (readwrite,assign) id x;
146 - (long double)longDoubleM;
147 @end
149 void test() {
150 MyClass *obj1;
151 id i = obj1[0]; // warn: uninitialized object pointer
152 }
153 </pre></div></div></td></tr>
162 void test(int z) {
163 if (z == 0)
164 int x = 1 / z; // warn
165 }
166 </pre></div>
168 void test() {
169 int x = 1;
170 int y = x % 0; // warn
171 }
172 </pre></div></div></td></tr>
178 Check for null pointers passed as arguments to a function whose arguments are
182 int f(int *p) __attribute__((nonnull));
184 void test(int *p) {
185 if (!p)
186 f(p); // warn
187 }
188 </pre></div></div></td></tr>
194 Check for dereferences of null pointers.</div></div></a></td>
197 // C
198 void test(int *p) {
199 if (p)
200 return;
202 int x = p[0]; // warn
203 }
204 </pre></div>
206 // C
207 void test(int *p) {
208 if (!p)
209 *p = 0; // warn
210 }
211 </pre></div>
213 // C++
214 class C {
215 public:
216 int x;
217 };
219 void test() {
220 C *pc = 0;
221 int k = pc->x; // warn
222 }
223 </pre></div>
225 // Objective-C
226 @interface MyClass {
227 @public
228 int x;
229 }
230 @end
232 void test() {
233 MyClass *obj = 0;
235 }
236 </pre></div></div></td></tr>
242 Check that addresses of stack memory do not escape the function.</div></div></a></td>
245 char const *p;
247 void test() {
248 char const str[] = "string";
249 p = str; // warn
250 }
251 </pre></div>
253 void* test() {
254 return __builtin_alloca(12); // warn
255 }
256 </pre></div>
258 void test() {
259 static int *x;
260 int y;
261 x = &y; // warn
262 }
263 </pre></div></div></td></tr>
266 <tr><td><a id="core.UndefinedBinaryOperatorResult"><div class="namedescr expandable"><span class="name">
269 Check for undefined results of binary operators.</div></div></a></td>
272 void test() {
273 int x;
274 int y = x + 1; // warn: left operand is garbage
275 }
276 </pre></div></div></td></tr>
282 Check for declarations of VLA of undefined or zero size.</div></div></a></td>
285 void test() {
286 int x;
287 int vla1[x]; // warn: garbage as size
288 }
289 </pre></div>
291 void test() {
292 int x = 0;
293 int vla2[x]; // warn: zero size
294 }
295 </pre></div></div></td></tr>
298 <tr><td><a id="core.uninitialized.ArraySubscript"><div class="namedescr expandable"><span class="name">
301 Check for uninitialized values used as array subscripts.</div></div></a></td>
304 void test() {
305 int i, a[10];
306 int x = a[i]; // warn: array subscript is undefined
307 }
308 </pre></div></div></td></tr>
314 Check for assigning uninitialized values.</div></div></a></td>
317 void test() {
318 int x;
319 x |= 1; // warn: left expression is uninitialized
320 }
321 </pre></div></div></td></tr>
327 Check for uninitialized values used as branch conditions.</div></div></a></td>
330 void test() {
331 int x;
332 if (x) // warn
333 return;
334 }
335 </pre></div></div></td></tr>
338 <tr><td><a id="core.uninitialized.CapturedBlockVariable"><div class="namedescr expandable"><span class="name">
341 Check for blocks that capture uninitialized values.</div></div></a></td>
344 void test() {
345 int x;
346 ^{ int y = x; }(); // warn
347 }
348 </pre></div></div></td></tr>
351 <tr><td><a id="core.uninitialized.UndefReturn"><div class="namedescr expandable"><span class="name">
354 Check for uninitialized values being returned to the caller.</div></div></a></td>
357 int test() {
358 int x;
359 return x; // warn
360 }
361 </pre></div></div></td></tr>
363 </tbody></table>
365 <!-- =========================== C++ =========================== -->
371 <tbody>
375 Check for double-free, use-after-free and offset problems involving C++ <code>
379 void f(int *p);
381 void testUseMiddleArgAfterDelete(int *p) {
382 delete p;
383 f(p); // warn: use after free
384 }
385 </pre></div>
387 class SomeClass {
388 public:
389 void f();
390 };
392 void test() {
393 SomeClass *c = new SomeClass;
394 delete c;
395 c->f(); // warn: use after free
396 }
397 </pre></div>
399 void test() {
400 int *p = (int *)__builtin_alloca(sizeof(int));
401 delete p; // warn: deleting memory allocated by alloca
402 }
403 </pre></div>
405 void test() {
406 int *p = new int;
407 delete p;
408 delete p; // warn: attempt to free released
409 }
410 </pre></div>
412 void test() {
413 int i;
414 delete &i; // warn: delete address of local
415 }
416 </pre></div>
418 void test() {
419 int *p = new int[1];
420 delete[] (++p);
421 // warn: argument to 'delete[]' is offset by 4 bytes
422 // from the start of memory allocated by 'new[]'
423 }
424 </pre></div></div></td></tr>
433 void test() {
434 int *p = new int;
435 } // warn
436 </pre></div></div></td></tr>
438 </tbody></table>
440 <!-- =========================== dead code =========================== -->
446 <tbody>
450 Check for values stored to variables that are never read afterwards.</div></div></a></td>
453 void test() {
454 int x;
455 x = 1; // warn
456 }
457 </pre></div></div></td></tr>
459 </tbody></table>
461 <!-- =========================== nullability =========================== -->
467 <tbody>
468 <tr><td><a id="nullability.NullPassedToNonnull"><div class="namedescr expandable"><span class="name">
471 Warns when a null pointer is passed to a pointer which has a
472 _Nonnull type.</div></div></a></td>
475 if (name != nil)
476 return;
477 // Warning: nil passed to a callee that requires a non-null 1st parameter
478 NSString *greeting = [@"Hello " stringByAppendingString:name];
479 </pre></div></div></td></tr>
482 <tr><td><a id="nullability.NullReturnedFromNonnull"><div class="namedescr expandable"><span class="name">
485 Warns when a null pointer is returned from a function that has
486 _Nonnull return type.</div></div></a></td>
489 - (nonnull id)firstChild {
490 id result = nil;
492 result = _children[0];
494 // Warning: nil returned from a method that is expected
495 // to return a non-null value
496 return result;
497 }
498 </pre></div></div></td></tr>
501 <tr><td><a id="nullability.NullableDereferenced"><div class="namedescr expandable"><span class="name">
504 Warns when a nullable pointer is dereferenced.</div></div></a></td>
507 struct LinkedList {
508 int data;
509 struct LinkedList *next;
510 };
512 struct LinkedList * _Nullable getNext(struct LinkedList *l);
514 void updateNextData(struct LinkedList *list, int newData) {
515 struct LinkedList *next = getNext(list);
516 // Warning: Nullable pointer is dereferenced
518 }
519 </pre></div></div></td></tr>
522 <tr><td><a id="nullability.NullablePassedToNonnull"><div class="namedescr expandable"><span class="name">
525 Warns when a nullable pointer is passed to a pointer which has a _Nonnull type.</div></div></a></td>
528 typedef struct Dummy { int val; } Dummy;
529 Dummy *_Nullable returnsNullable();
530 void takesNonnull(Dummy *_Nonnull);
532 void test() {
533 Dummy *p = returnsNullable();
534 takesNonnull(p); // warn
535 }
536 </pre></div></div></td></tr>
538 </tbody></table>
540 <!-- =========================== optin =========================== -->
546 <tr><td><a id="cplusplus.UninitializedObject"><div class="namedescr expandable"><span class="name">
549 This checker reports uninitialized fields in objects created after a constructor
550 call. It doesn't only find direct uninitialized fields, but rather makes a deep
551 inspection of the object, analyzing all of it's fields subfields. <br>
552 The checker regards inherited fields as direct fields, so one will recieve
553 warnings for uninitialized inherited data members as well. <br>
554 <br>
555 It has several options:
556 <ul>
557 <li>
558 "<code>Pedantic</code>" (boolean). If its not set or is set to false, the
559 checker won't emit warnings for objects that don't have at least one
560 initialized field. This may be set with <br>
562 </li>
563 <li>
564 "<code>NotesAsWarnings</code>" (boolean). If set to true, the checker will
565 emit a warning for each uninitalized field, as opposed to emitting one
566 warning per constructor call, and listing the uninitialized fields that
567 belongs to it in notes. Defaults to false. <br>
569 </li>
570 <li>
571 "<code>CheckPointeeInitialization</code>" (boolean). If set to false, the
572 checker will not analyze the pointee of pointer/reference fields, and will
573 only check whether the object itself is initialized. Defaults to false. <br>
575 </li>
576 <li>
577 "<code>IgnoreRecordsWithField</code>" (string). If supplied, the checker
578 will not analyze structures that have a field with a name or type name that
581 <code>-analyzer-config cplusplus.UninitializedObject:IgnoreRecordsWithField="[Tt]ag|[Kk]ind"</code>.
582 </li>
583 </ul></div></div></a></td>
586 // With Pedantic and CheckPointeeInitialization set to true
588 struct A {
589 struct B {
590 int x; // note: uninitialized field 'this->b.x'
592 int y; // note: uninitialized field 'this->b.y'
594 };
595 int *iptr; // note: uninitialized pointer 'this->iptr'
596 B b;
597 B *bptr;
598 char *cptr; // note: uninitialized pointee 'this->cptr'
600 A (B *bptr, char *cptr) : bptr(bptr), cptr(cptr) {}
601 };
603 void f() {
604 A::B b;
605 char c;
606 A a(&b, &c); // warning: 6 uninitialized fields
607 // after the constructor call
608 }
611 // With Pedantic set to false and
612 // CheckPointeeInitialization set to true
613 // (every field is uninitialized)
615 struct A {
616 struct B {
617 int x;
618 int y;
619 };
620 int *iptr;
621 B b;
622 B *bptr;
623 char *cptr;
625 A (B *bptr, char *cptr) : bptr(bptr), cptr(cptr) {}
626 };
628 void f() {
629 A::B b;
630 char c;
631 A a(&b, &c); // no warning
632 }
635 // With Pedantic and CheckPointeeInitialization set to false
636 // (pointees are regarded as initialized)
638 struct A {
639 struct B {
640 int x; // note: uninitialized field 'this->b.x'
641 int y; // note: uninitialized field 'this->b.y'
642 };
643 int *iptr; // note: uninitialized pointer 'this->iptr'
644 B b;
645 B *bptr;
646 char *cptr;
648 A (B *bptr, char *cptr) : bptr(bptr), cptr(cptr) {}
649 };
651 void f() {
652 A::B b;
653 char c;
654 A a(&b, &c); // warning: 3 uninitialized fields
655 // after the constructor call
656 }
657 </pre></div></div></td></tr>
660 <tbody>
661 <tr><td><a id="optin.cplusplus.VirtualCall"><div class="namedescr expandable"><span class="name">
664 Check virtual member function calls during construction or
665 destruction.</div></div></a></td>
668 class A {
669 public:
670 A() {
671 f(); // warn
672 }
673 virtual void f();
674 };
677 class A {
678 public:
679 ~A() {
680 this->f(); // warn
681 }
682 virtual void f();
683 };
684 </pre></div></div></td></tr>
690 Checks MPI code</div></div></a></td>
693 void test() {
694 double buf = 0;
695 MPI_Request sendReq1;
696 MPI_Ireduce(MPI_IN_PLACE, &buf, 1, MPI_DOUBLE, MPI_SUM,
697 0, MPI_COMM_WORLD, &sendReq1);
698 } // warn: request 'sendReq1' has no matching wait.
701 void test() {
702 double buf = 0;
703 MPI_Request sendReq;
707 MPI_Wait(&sendReq, MPI_STATUS_IGNORE);
708 }
711 void missingNonBlocking() {
712 int rank = 0;
713 MPI_Comm_rank(MPI_COMM_WORLD, &rank);
716 }
717 </pre></div></div></td></tr>
720 <tr><td><a id="optin.osx.cocoa.localizability.EmptyLocalizationContextChecker"><div class="namedescr expandable"><span class="name">
723 Check that NSLocalizedString macros include a comment for context.</div></div></a></td>
726 - (void)test {
727 NSString *string = NSLocalizedString(@"LocalizedString", nil); // warn
729 NSString *string3 = NSLocalizedStringWithDefaultValue(
731 }
732 </pre></div></div></td></tr>
735 <tr><td><a id="optin.osx.cocoa.localizability.NonLocalizedStringChecker"><div class="namedescr expandable"><span class="name">
738 Warns about uses of non-localized NSStrings passed to UI methods
739 expecting localized NSStrings</div></div></a></td>
742 NSString *alarmText =
744 if (!isEnabled) {
745 alarmText = @"Disabled";
746 }
747 UILabel *alarmStateLabel = [[UILabel alloc] init];
749 // Warning: User-facing text should use localized string macro
750 [alarmStateLabel setText:alarmText];
751 </pre></div></div></td></tr>
753 </tbody></table>
755 <!-- =========================== OS X =========================== -->
761 <tbody>
766 dispatch_once</div></div></div></a></td>
769 void test() {
770 dispatch_once_t pred = 0;
771 dispatch_once(&pred, ^(){}); // warn: dispatch_once uses local
772 }
773 </pre></div></div></td></tr>
776 <tr><td><a id="osx.NumberObjectConversion"><div class="namedescr expandable"><span class="name">
779 Check for erroneous conversions of objects representing numbers
780 into numbers</div></div></a></td>
783 NSNumber *photoCount = [albumDescriptor objectForKey:@"PhotoCount"];
784 // Warning: Comparing a pointer value of type 'NSNumber *'
785 // to a scalar integer value
787 [self displayPhotos];
788 }
789 </pre></div></div></td></tr>
796 SecKeychainItemCopyContent<br>
797 SecKeychainFindGenericPassword<br>
798 SecKeychainFindInternetPassword<br>
799 SecKeychainItemFreeContent<br>
800 SecKeychainItemCopyAttributesAndData<br>
801 SecKeychainItemFreeAttributesAndData</div></div></div></a></td>
804 void test() {
805 unsigned int *ptr = 0;
806 UInt32 length;
808 SecKeychainItemFreeContent(ptr, &length);
809 // warn: trying to free data which has not been allocated
810 }
811 </pre></div>
813 void test() {
814 unsigned int *ptr = 0;
815 UInt32 *length = 0;
816 void *outData;
818 OSStatus st =
819 SecKeychainItemCopyContent(2, ptr, ptr, length, outData);
820 // warn: data is not released
821 }
822 </pre></div>
824 void test() {
825 unsigned int *ptr = 0;
826 UInt32 *length = 0;
827 void *outData;
829 OSStatus st =
832 SecKeychainItemFreeContent(ptr, outData);
833 // warn: only call free if a non-NULL buffer was returned
834 }
835 </pre></div>
837 void test() {
838 unsigned int *ptr = 0;
839 UInt32 *length = 0;
840 void *outData;
842 OSStatus st =
846 // warn: release data before another call to the allocator
848 if (st == noErr)
849 SecKeychainItemFreeContent(ptr, outData);
850 }
851 </pre></div>
853 void test() {
854 SecKeychainItemRef itemRef = 0;
855 SecKeychainAttributeInfo *info = 0;
856 SecItemClass *itemClass = 0;
857 SecKeychainAttributeList *attrList = 0;
858 UInt32 *length = 0;
859 void *outData = 0;
861 OSStatus st =
862 SecKeychainItemCopyAttributesAndData(itemRef, info,
863 itemClass, &attrList,
864 length, &outData);
866 SecKeychainItemFreeContent(attrList, outData);
867 // warn: deallocator doesn't match the allocator
868 }
869 </pre></div></div></td></tr>
878 void test(id x) {
879 if (!x)
880 @synchronized(x) {} // warn: nil value used as mutex
881 }
882 </pre></div>
884 void test() {
885 id y;
886 @synchronized(y) {} // warn: uninitialized value used as mutex
887 }
888 </pre></div></div></td></tr>
898 @interface MyClass : NSObject
899 @end
901 void test(void) {
902 [MyClass release]; // warn
903 }
904 </pre></div></div></td></tr>
910 Warn about Objective-C classes that lack a correct implementation
912 </div></div></a></td>
915 @interface MyObject : NSObject {
916 id _myproperty;
917 }
918 @end
920 @implementation MyObject // warn: lacks 'dealloc'
921 @end
924 @interface MyObject : NSObject {}
925 @property(assign) id myproperty;
926 @end
928 @implementation MyObject // warn: does not send 'dealloc' to super
929 - (void)dealloc {
930 self.myproperty = 0;
931 }
932 @end
935 @interface MyObject : NSObject {
936 id _myproperty;
937 }
938 @property(retain) id myproperty;
939 @end
941 @implementation MyObject
942 @synthesize myproperty = _myproperty;
943 // warn: var was retained but wasn't released
944 - (void)dealloc {
945 [super dealloc];
946 }
947 @end
950 @interface MyObject : NSObject {
951 id _myproperty;
952 }
953 @property(assign) id myproperty;
954 @end
956 @implementation MyObject
957 @synthesize myproperty = _myproperty;
958 // warn: var wasn't retained but was released
959 - (void)dealloc {
960 [_myproperty release];
961 [super dealloc];
962 }
963 @end
964 </pre></div></div></td></tr>
967 <tr><td><a id="osx.cocoa.IncompatibleMethodTypes"><div class="namedescr expandable"><span class="name">
970 Check for an incompatible type signature when overriding an Objective-C method.</div></div></a></td>
973 @interface MyClass1 : NSObject
974 - (int)foo;
975 @end
977 @implementation MyClass1
978 - (int)foo { return 1; }
979 @end
981 @interface MyClass2 : MyClass1
982 - (float)foo;
983 @end
985 @implementation MyClass2
986 - (float)foo { return 1.0; } // warn
987 @end
988 </pre></div></div></td></tr>
991 <tr><td><a id="osx.cocoa.MissingSuperCall"><div class="namedescr expandable"><span class="name">
994 Warn about Objective-C methods that lack a necessary call to super. (Note: The
996 attribute. The checker exists to check methods in the Cocoa frameworks
997 that haven't yet adopted this attribute.)</div></div></a></td>
999 @interface Test : UIViewController
1000 @end
1001 @implementation test
1002 - (void)viewDidLoad {} // warn
1003 @end
1004 </pre></div></td></tr>
1007 <tr><td><a id="osx.cocoa.NSAutoreleasePool"><div class="namedescr expandable"><span class="name">
1010 Warn for suboptimal uses of NSAutoreleasePool in Objective-C
1014 void test() {
1015 NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
1016 [pool release]; // warn
1017 }
1018 </pre></div></div></td></tr>
1027 @interface A : NSObject
1028 - (void)foo:(NSError **)error;
1029 @end
1031 @implementation A
1032 - (void)foo:(NSError **)error {
1033 // warn: method accepting NSError** should have a non-void
1034 // return value
1035 }
1036 @end
1037 </pre></div>
1039 @interface A : NSObject
1040 - (BOOL)foo:(NSError **)error;
1041 @end
1043 @implementation A
1044 - (BOOL)foo:(NSError **)error {
1045 *error = 0; // warn: potential null dereference
1046 return 0;
1047 }
1048 @end
1049 </pre></div></div></td></tr>
1056 - caseInsensitiveCompare:<br>
1057 - compare:<br>
1058 - compare:options:<br>
1059 - compare:options:range:<br>
1060 - compare:options:range:locale:<br>
1061 - componentsSeparatedByCharactersInSet:<br>
1062 - initWithFormat:</div></div></div></a></td>
1065 NSComparisonResult test(NSString *s) {
1066 NSString *aString = nil;
1067 return [s caseInsensitiveCompare:aString];
1068 // warn: argument to 'NSString' method
1069 // 'caseInsensitiveCompare:' cannot be nil
1070 }
1071 </pre></div></div></td></tr>
1077 Check for type errors when using Objective-C generics</div></div></a></td>
1081 NSMutableArray *birthDates = names;
1083 // Warning: Conversion from value of type 'NSDate *'
1084 // to incompatible type 'NSString *'
1085 [birthDates addObject: [NSDate date]];
1086 </pre></div></div></td></tr>
1092 Check for leaks and violations of the Cocoa Memory Management rules.</div></div></a></td>
1095 void test() {
1096 NSString *s = [[NSString alloc] init]; // warn
1097 }
1098 </pre></div>
1100 CFStringRef test(char *bytes) {
1101 return CFStringCreateWithCStringNoCopy(
1103 }
1104 </pre></div></div></td></tr>
1111 method.</div></div></a></td>
1114 @interface MyObj : NSObject {
1115 id x;
1116 }
1117 - (id)init;
1118 @end
1120 @implementation MyObj
1121 - (id)init {
1122 [super init];
1123 x = 0; // warn: instance variable used while 'self' is not
1124 // initialized
1125 return 0;
1126 }
1127 @end
1128 </pre></div>
1130 @interface MyObj : NSObject
1131 - (id)init;
1132 @end
1134 @implementation MyObj
1135 - (id)init {
1136 [super init];
1137 return self; // warn: returning uninitialized 'self'
1138 }
1139 @end
1140 </pre></div></div></td></tr>
1146 Warn about improper use of '[super dealloc]' in Objective-C</div></div></a></td>
1149 @interface SuperDeallocThenReleaseIvarClass : NSObject {
1150 NSObject *_ivar;
1151 }
1152 @end
1154 @implementation SuperDeallocThenReleaseIvarClass
1155 - (void)dealloc {
1156 [super dealloc];
1157 [_ivar release]; // warn
1158 }
1159 @end
1160 </pre></div></div></td></tr>
1166 Warn about private ivars that are never used.</div></div></a></td>
1169 @interface MyObj : NSObject {
1170 @private
1171 id x; // warn
1172 }
1173 @end
1175 @implementation MyObj
1176 @end
1177 </pre></div></div></td></tr>
1180 <tr><td><a id="osx.cocoa.VariadicMethodTypes"><div class="namedescr expandable"><span class="name">
1183 Check for passing non-Objective-C types to variadic collection initialization
1184 methods that expect only Objective-C types.</div></div></a></td>
1187 void test() {
1189 // warn: argument should be an ObjC pointer type, not 'char *'
1190 }
1191 </pre></div></div></td></tr>
1194 <tr><td><a id="osx.coreFoundation.CFError"><div class="namedescr expandable"><span class="name">
1200 void test(CFErrorRef *error) {
1201 // warn: function accepting CFErrorRef* should have a
1202 // non-void return
1203 }
1204 </pre></div>
1206 int foo(CFErrorRef *error) {
1207 *error = 0; // warn: potential null dereference
1208 return 0;
1209 }
1210 </pre></div></div></td></tr>
1213 <tr><td><a id="osx.coreFoundation.CFNumber"><div class="namedescr expandable"><span class="name">
1219 CFNumberRef test(unsigned char x) {
1222 }
1223 </pre></div></div></td></tr>
1226 <tr><td><a id="osx.coreFoundation.CFRetainRelease"><div class="namedescr expandable"><span class="name">
1233 void test(CFTypeRef p) {
1234 if (!p)
1235 CFRetain(p); // warn
1236 }
1237 </pre></div>
1239 void test(int x, CFTypeRef p) {
1240 if (p)
1241 return;
1243 CFRelease(p); // warn
1244 }
1245 </pre></div></div></td></tr>
1248 <tr><td><a id="osx.coreFoundation.containers.OutOfBounds"><div class="namedescr expandable"><span class="name">
1254 void test() {
1256 CFArrayGetValueAtIndex(A, 0); // warn
1257 }
1258 </pre></div></div></td></tr>
1261 <tr><td><a id="osx.coreFoundation.containers.PointerSizedValues"><div class="namedescr expandable"><span class="name">
1265 created with non-pointer-size values.</div></div></a></td>
1268 void test() {
1269 int x[] = { 1 };
1271 &kCFTypeArrayCallBacks); // warn
1272 }
1273 </pre></div></div></td></tr>
1275 </tbody></table>
1277 <!-- =========================== security =========================== -->
1283 <tbody>
1284 <tr><td><a id="security.FloatLoopCounter"><div class="namedescr expandable"><span class="name">
1287 Warn on using a floating point value as a loop counter (CERT: FLP30-C,
1288 FLP30-CPP).</div></div></a></td>
1291 void test() {
1293 }
1294 </pre></div></div></td></tr>
1297 <tr><td><a id="security.insecureAPI.UncheckedReturn"><div class="namedescr expandable"><span class="name">
1301 setuid<br>
1302 setgid<br>
1303 seteuid<br>
1304 setegid<br>
1305 setreuid<br>
1306 setregid</div></div></div></a></td>
1309 void test() {
1310 setuid(1); // warn
1311 }
1312 </pre></div></div></td></tr>
1315 <tr><td><a id="security.insecureAPI.bcmp"><div class="namedescr expandable"><span class="name">
1321 void test() {
1322 bcmp(ptr0, ptr1, n); // warn
1323 }
1324 </pre></div></div></td></tr>
1326 <tr><td><a id="security.insecureAPI.bcopy"><div class="namedescr expandable"><span class="name">
1332 void test() {
1333 bcopy(src, dst, n); // warn
1334 }
1335 </pre></div></div></td></tr>
1337 <tr><td><a id="security.insecureAPI.bzero"><div class="namedescr expandable"><span class="name">
1343 void test() {
1344 bzero(ptr, n); // warn
1345 }
1346 </pre></div></div></td></tr>
1349 <tr><td><a id="security.insecureAPI.getpw"><div class="namedescr expandable"><span class="name">
1355 void test() {
1356 char buff[1024];
1357 getpw(2, buff); // warn
1358 }
1359 </pre></div></div></td></tr>
1362 <tr><td><a id="security.insecureAPI.gets"><div class="namedescr expandable"><span class="name">
1368 void test() {
1369 char buff[1024];
1370 gets(buff); // warn
1371 }
1372 </pre></div></div></td></tr>
1375 <tr><td><a id="security.insecureAPI.mkstemp"><div class="namedescr expandable"><span class="name">
1380 X's in the format string.</div></div></a></td>
1383 void test() {
1384 mkstemp("XX"); // warn
1385 }
1386 </pre></div></div></td></tr>
1389 <tr><td><a id="security.insecureAPI.mktemp"><div class="namedescr expandable"><span class="name">
1395 void test() {
1396 char *x = mktemp("/tmp/zxcv"); // warn: insecure, use mkstemp
1397 }
1398 </pre></div></div></td></tr>
1401 <tr><td><a id="security.insecureAPI.rand"><div class="namedescr expandable"><span class="name">
1406 drand48<br>
1407 erand48<br>
1408 jrand48<br>
1409 lcong48<br>
1410 lrand48<br>
1411 mrand48<br>
1412 nrand48<br>
1413 random<br>
1414 rand_r</div></div></div></a></td>
1417 void test() {
1418 random(); // warn
1419 }
1420 </pre></div></div></td></tr>
1423 <tr><td><a id="security.insecureAPI.strcpy"><div class="namedescr expandable"><span class="name">
1426 Warn on uses of the <code>strcpy</code> and <code>strcat</code> functions.</div></div></a></td>
1429 void test() {
1430 char x[4];
1431 char *y = "abcd";
1433 strcpy(x, y); // warn
1434 }
1435 </pre></div></div></td></tr>
1438 <tr><td><a id="security.insecureAPI.vfork"><div class="namedescr expandable"><span class="name">
1444 void test() {
1445 vfork(); // warn
1446 }
1447 </pre></div></div></td></tr>
1450 <tr><td><a id="security.insecureAPI.decodeValueOfObjCType"><div class="namedescr expandable"><span class="name">
1454 The safe alternative is <code>-[NSCoder decodeValueOfObjCType:at:size:]</code>.</div></div></a></td>
1457 void test(NSCoder *decoder) {
1458 // This would be a vulnerability on 64-bit platforms
1459 // but not on 32-bit platforms.
1460 NSUInteger x;
1461 [decoder decodeValueOfObjCType:"I" at:&x]; // warn
1462 }
1463 </pre></div></div></td></tr>
1465 </tbody></table>
1467 <!-- =========================== unix =========================== -->
1473 <tbody>
1478 open<br>
1479 pthread_once<br>
1480 calloc<br>
1481 malloc<br>
1482 realloc<br>
1483 alloca<br></a></td>
1486 // Currently the check is performed for apple targets only.
1487 void test(const char *path) {
1488 int fd = open(path, O_CREAT);
1489 // warn: call to 'open' requires a third argument when the
1490 // 'O_CREAT' flag is set
1491 }
1492 </pre></div>
1494 void f();
1496 void test() {
1498 pthread_once(&pred, f);
1499 // warn: call to 'pthread_once' uses the local variable
1500 }
1501 </pre></div>
1503 void test() {
1505 }
1506 </pre></div>
1508 void test() {
1510 }
1511 </pre></div>
1513 void test() {
1514 void *p = malloc(1);
1516 }
1517 </pre></div>
1519 void test() {
1521 }
1522 </pre></div>
1524 void test() {
1526 }
1527 </pre></div></div></td></tr>
1533 Check for memory leaks, double free, and use-after-free and offset problems
1537 void test() {
1538 int *p = malloc(1);
1539 free(p);
1540 free(p); // warn: attempt to free released memory
1541 }
1542 </pre></div>
1544 void test() {
1545 int *p = malloc(sizeof(int));
1546 free(p);
1547 *p = 1; // warn: use after free
1548 }
1549 </pre></div>
1551 void test() {
1552 int *p = malloc(1);
1553 if (p)
1554 return; // warn: memory is never released
1555 }
1556 </pre></div>
1558 void test() {
1559 int a[] = { 1 };
1560 free(a); // warn: argument is not allocated by malloc
1561 }
1562 </pre></div>
1564 void test() {
1565 int *p = malloc(sizeof(char));
1566 p = p - 1;
1567 free(p); // warn: argument to free() is offset by -4 bytes
1568 }
1569 </pre></div></div></td></tr>
1579 void test() {
1580 long *p = malloc(sizeof(short));
1581 // warn: result is converted to 'long *', which is
1582 // incompatible with operand type 'short'
1583 free(p);
1584 }
1585 </pre></div></div></td></tr>
1588 <tr><td><a id="unix.MismatchedDeallocator"><div class="namedescr expandable"><span class="name">
1591 Check for mismatched deallocators (e.g. passing a pointer allocating
1595 // C, C++
1596 void test() {
1597 int *p = (int *)malloc(sizeof(int));
1598 delete p; // warn
1599 }
1600 </pre></div>
1602 // C, C++
1603 void __attribute((ownership_returns(malloc))) *user_malloc(size_t);
1605 void test() {
1606 int *p = (int *)user_malloc(sizeof(int));
1607 delete p; // warn
1608 }
1609 </pre></div>
1611 // C, C++
1612 void test() {
1613 int *p = new int;
1614 free(p); // warn
1615 }
1616 </pre></div>
1618 // C, C++
1619 void test() {
1620 int *p = new int[1];
1621 realloc(p, sizeof(long)); // warn
1622 }
1623 </pre></div>
1625 // C, C++
1627 struct SimpleSmartPointer {
1628 T *ptr;
1630 explicit SimpleSmartPointer(T *p = 0) : ptr(p) {}
1631 ~SimpleSmartPointer() {
1632 delete ptr; // warn
1633 }
1634 };
1636 void test() {
1638 }
1639 </pre></div>
1641 // C++
1642 void test() {
1643 int *p = (int *)operator new(0);
1644 delete[] p; // warn
1645 }
1646 </pre></div>
1648 // Objective-C, C++
1649 void test(NSUInteger dataLength) {
1650 int *p = new int;
1651 NSData *d = [NSData dataWithBytesNoCopy:p
1652 length:sizeof(int) freeWhenDone:1];
1653 // warn +dataWithBytesNoCopy:length:freeWhenDone: cannot take
1654 // ownership of memory allocated by 'new'
1655 }
1656 </pre></div></div></td></tr>
1662 Check for proper usage of vfork</div></div></a></td>
1665 int test(int x) {
1666 pid_t pid = vfork(); // warn
1667 if (pid != 0)
1668 return 0;
1670 switch (x) {
1671 case 0:
1672 pid = 1;
1674 _exit(1);
1675 break;
1676 case 1:
1677 x = 0; // warn: this assignment is prohibited
1678 break;
1679 case 2:
1680 foo(); // warn: this function call is prohibited
1681 break;
1682 default:
1683 return 0; // warn: return is prohibited
1684 }
1686 while(1);
1687 }
1688 </pre></div></div></td></tr>
1697 </div></div></a></td>
1700 void test() {
1701 char dest[3];
1702 strncat(dest, "***", sizeof(dest));
1703 // warn: potential buffer overflow
1704 }
1705 </pre></div></div></td></tr>
1712 strlen<br>
1713 strnlen<br>
1714 strcpy<br>
1715 strncpy<br>
1716 strcat<br>
1717 strncat<br>
1718 strcmp<br>
1719 strncmp<br>
1720 strcasecmp<br>
1721 strncasecmp</div></div></div></a></td>
1723 int test() {
1724 return strlen(0); // warn
1725 }
1726 </pre></div></td></tr>
1728 </tbody></table>
1732 </body>
1733 </html>