Difference between revisions of "CDT/Archive/designs/StaticAnalysis/CheckerIdeas"

Revision as of 18:50, 31 May 2013

This page is collection of ideas for checker that can be implemented for C/C++ Static Analysis in CDT (Codan). Feel free to add your own ideas or links.

Checkers

Unused #include

#include <stdio.h>
int main() { return 1; }

Malloc called without sizeof consideration

 int * arr = (int *)malloc(20); // should be malloc(20*sizeof(int))

Assigned to itself

 x = x;

Result of comparison is constant

(x==x)
(!x && x)

Redundant comparison operations

(!(!x))
(x!=0 || 0!=x)

Comparison is used on "boolean" values

0<x<3
 !x>5

Consequent re-assignment without usage (sub-case of Value is never used after assignment)

x=1;
x=2;

Value is never used after assignment

int x;
x=23;
return;

Unused local variable

local variable is not used in function

Undeclared variable

This is compiler error - catch early and have a quick fix so Ctrl-1 work like in java, I so like java quick fixes and code generation!

{ x = 5; }

Quick fix

{ int x = 5; }

Buffer over flow

This code is unsafe

char x[10];
char y[15];
memcpy(x,y,20);

Also this code

char x[10];
x[11] = 'a';
b = x[11];

Invalid value assignment to enum

enum ee { a, b };
ee dd;
dd = 7;

Reduce scope

When a variable or a function has a greater scope than where it is used, that scope may be reduced.

For example: a variable with file scope that is only used in one function, can be declared static with function scope.

Or, a function that is only used in one file, may be declared with the static keyword, and its declaration removed from header files included by other files.

Variable with same name in higher scope

int a;
void foo( void )
{
 int a;
}

Missing "break" in "switch"

finding missing "break" when one "case" ends and another starts, or the "switch" ends. Unless /* no break */

switch {
case 1:
 // <- here (before next "case")
case 2:
 /* no break */ // <- This is OK
case 3:
 // <- here (end of "switch")
}

Missing "default" in "switch"

switch {
case 1: 
case 2:
case 3:
 // <- here (no default)
}

Condition always TRUE / FALSE

if( 1 > 2 ) // Always FALSE
if( 1 < 2 ) // Always TRUE

-> or .

Spotting erroneous use of -> where . was intended.

Spotting erroneous use of . where -> was intended.

Static callback functions

Functions whose pointer is passed around must be declared static.

Names differ within the first 32 characters

Flag the names which do not differ within the first 32/24/16 characters

myModulePrefix_HandleReceivedDoThisMessage(...)
myModulePrefix_HandleReceivedDoThatMessage(...)

Enforce use of types defined in a specific header file

types.h - specific header file

typedef char Int8;
typedef short Int16;
typedef long Int32;
typedef int Bool;

stuff.c

#include "types.h"
void f(void)
{
 Int8 x; /* Ok */
 char y; /* Flag: char should be substituted with Int8 */  
}

if (a) ... else if (a) pattern

if (count == 3) {}
else if (count == 8) {}
else if (count == 3) {} //second check

char array string checking for empty

const char *str = "Hello";
if (str != '\0'){} //Wrong
// if (*str != '\0') should be used

Wrong var incrementing/decrementing

for ( i = 0; i < 18; i++)
   for (j = 0; j < 4; i++){} //Possible that wrong var incremented.

Double used var for cycles

for (i = 0; i < 2; i++)
{
    //some code
    for(i = 0; i < num; i++) {}
}

Links

• http://www.aristeia.com/ddjpaper1.html
• http://www.misra.org.uk/Publications/tabid/57/Default.aspx#label-c2