Ted Kremenek | 591b907 | 2009-06-08 21:21:24 +0000 | [diff] [blame] | 1 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" |
| 2 | "http://www.w3.org/TR/html4/strict.dtd"> |
| 3 | <html> |
| 4 | <head> |
| 5 | <title>Available Checks</title> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 6 | <link type="text/css" rel="stylesheet" href="menu.css"> |
| 7 | <link type="text/css" rel="stylesheet" href="content.css"> |
Ted Kremenek | f4aed5f | 2010-02-12 21:05:44 +0000 | [diff] [blame] | 8 | <script type="text/javascript" src="scripts/menu.js"></script> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 9 | <style type="text/css"> |
| 10 | tr:first-child { width:20%; } |
| 11 | </style> |
Ted Kremenek | 591b907 | 2009-06-08 21:21:24 +0000 | [diff] [blame] | 12 | </head> |
| 13 | <body> |
| 14 | |
Ted Kremenek | 8bebc6e | 2010-02-09 23:05:59 +0000 | [diff] [blame] | 15 | <div id="page"> |
Ted Kremenek | 591b907 | 2009-06-08 21:21:24 +0000 | [diff] [blame] | 16 | <!--#include virtual="menu.html.incl"--> |
| 17 | |
| 18 | <div id="content"> |
| 19 | |
| 20 | <h1>Available Checks</h1> |
| 21 | |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 22 | <h3>The list of the checks the analyzer performs by default</h3> |
| 23 | <p> |
| 24 | <table border="0" cellpadding="3" cellspacing="3" width="100%"> |
| 25 | <!-- <tr> |
| 26 | <th><h4>Checker Name</h4></th> |
| 27 | <th><h4>Description</h4></th> |
| 28 | </tr>--> |
| 29 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 30 | <td><b>core.AdjustedReturnValue</b></td><td>Check to see if the return value of a function call is different than the caller expects (e.g., from calls through function pointers).</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 31 | </tr> |
| 32 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 33 | <td><b>core.AttributeNonNull</b></td><td>Check for null pointers passed as arguments to a function whose arguments are marked with the 'nonnull' attribute.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 34 | </tr> |
| 35 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 36 | <td><b>core.CallAndMessage</b></td><td>Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers).</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 37 | </tr> |
| 38 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 39 | <td><b>core.DivideZero</b></td><td>Check for division by zero.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 40 | </tr> |
| 41 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 42 | <td><b>core.NullDereference</b></td><td>Check for dereferences of null pointers.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 43 | </tr> |
| 44 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 45 | <td><b>core.StackAddressEscape</b></td><td>Check that addresses to stack memory do not escape the function.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 46 | </tr> |
| 47 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 48 | <td><b>core.UndefinedBinaryOperatorResult</b></td><td>Check for undefined results of binary operators.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 49 | </tr> |
| 50 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 51 | <td><b>core.VLASize</b></td><td>Check for declarations of VLA of undefined or zero size.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 52 | </tr> |
| 53 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 54 | <td><b>core.builtin.BuiltinFunctions</b></td><td>Evaluate compiler builtin functions (e.g., alloca()).</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 55 | </tr> |
| 56 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 57 | <td><b>core.builtin.NoReturnFunctions</b></td><td>Evaluate "panic" functions that are known to not return to the caller.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 58 | </tr> |
| 59 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 60 | <td><b>core.uninitialized.ArraySubscript</b></td><td>Check for uninitialized values used as array subscripts.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 61 | </tr> |
| 62 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 63 | <td><b>core.uninitialized.Assign</b></td><td>Check for assigning uninitialized values.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 64 | </tr> |
| 65 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 66 | <td><b>core.uninitialized.Branch</b></td><td>Check for uninitialized values used as branch conditions.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 67 | </tr> |
| 68 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 69 | <td><b>core.uninitialized.CapturedBlockVariable</b></td><td>Check for blocks that capture uninitialized values.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 70 | </tr> |
| 71 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 72 | <td><b>core.uninitialized.UndefReturn</b></td><td>Check for uninitialized values being returned to the caller.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 73 | </tr> |
| 74 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 75 | <td><b>deadcode.DeadStores</b></td><td>Check for values stored to variables that are never read afterwards.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 76 | </tr> |
Anna Zaks | 30a0908 | 2012-05-09 17:57:16 +0000 | [diff] [blame] | 77 | <!-- |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 78 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 79 | <td><b>deadcode.IdempotentOperations</b></td><td>Warn about idempotent operations.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 80 | </tr> |
Anna Zaks | 30a0908 | 2012-05-09 17:57:16 +0000 | [diff] [blame] | 81 | --> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 82 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 83 | <td><b>osx.API</b></td><td>Check for proper uses of various Mac OS X APIs.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 84 | </tr> |
| 85 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 86 | <td><b>osx.AtomicCAS</b></td><td>Evaluate calls to OSAtomic functions.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 87 | </tr> |
| 88 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 89 | <td><b>osx.SecKeychainAPI</b></td><td>Check for proper uses of Secure Keychain APIs.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 90 | </tr> |
| 91 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 92 | <td><b>osx.cocoa.AtSync</b></td><td>Check for null pointers used as mutexes for @synchronized.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 93 | </tr> |
| 94 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 95 | <td><b>osx.cocoa.ClassRelease</b></td><td>Check for sending 'retain', 'release', or 'autorelease' directly to a Class.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 96 | </tr> |
| 97 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 98 | <td><b>osx.cocoa.IncompatibleMethodTypes</b></td><td>Warn about Objective-C method signatures with type incompatibilities.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 99 | </tr> |
| 100 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 101 | <td><b>osx.cocoa.NSAutoreleasePool</b></td><td>Warn for suboptimal uses of NSAutoreleasePool in Objective-C GC mode.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 102 | </tr> |
| 103 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 104 | <td><b>osx.cocoa.NSError</b></td><td>Check usage of NSError** parameters.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 105 | </tr> |
| 106 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 107 | <td><b>osx.cocoa.NilArg</b></td><td>Check for prohibited nil arguments to ObjC method calls.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 108 | </tr> |
| 109 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 110 | <td><b>osx.cocoa.RetainCount</b></td><td>Check for leaks and improper reference count management.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 111 | </tr> |
| 112 | <tr> |
Anna Zaks | 30a0908 | 2012-05-09 17:57:16 +0000 | [diff] [blame] | 113 | <td><b>osx.cocoa.SelfInit</b></td><td>Check that 'self' is properly initialized inside an initializer method.</td> |
| 114 | </tr> |
| 115 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 116 | <td><b>osx.cocoa.UnusedIvars</b></td><td>Warn about private ivars that are never used.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 117 | </tr> |
| 118 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 119 | <td><b>osx.cocoa.VariadicMethodTypes</b></td><td>Check for passing non-Objective-C types to variadic methods that expect only Objective-C types.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 120 | </tr> |
| 121 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 122 | <td><b>osx.coreFoundation.CFError</b></td><td>Check usage of CFErrorRef* parameters.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 123 | </tr> |
| 124 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 125 | <td><b>osx.coreFoundation.CFNumber</b></td><td>Check for proper uses of CFNumberCreate.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 126 | </tr> |
| 127 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 128 | <td><b>osx.coreFoundation.CFRetainRelease</b></td><td>Check for null arguments to CFRetain/CFRelease.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 129 | </tr> |
Anna Zaks | 30a0908 | 2012-05-09 17:57:16 +0000 | [diff] [blame] | 130 | <td><b>osx.coreFoundation.containers.OutOfBounds</b></td><td>Checks for index out-of-bounds when using 'CFArray' API.</td> |
| 131 | </tr> |
| 132 | <tr> |
| 133 | <td><b>osx.coreFoundation.containers.PointerSizedValues</b></td><td>Warns if 'CFArray', 'CFDictionary', 'CFSet' are created with non-pointer-size values.</td> |
| 134 | </tr> |
| 135 | <tr> |
| 136 | <td><b>security.FloatLoopCounter</b></td><td>Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP).</td> |
| 137 | </tr> |
| 138 | <tr> |
| 139 | <td><b>security.insecureAPI.UncheckedReturn</b></td><td>Warn on uses of functions whose return values must be always checked.</td> |
| 140 | </tr> |
| 141 | <tr> |
| 142 | <td><b>security.insecureAPI.getpw</b></td><td>Warn on uses of the 'getpw' function.</td> |
| 143 | </tr> |
| 144 | <tr> |
| 145 | <td><b>security.insecureAPI.gets</b></td><td>Warn on uses of the 'gets' function.</td> |
| 146 | </tr> |
| 147 | <tr> |
| 148 | <td><b>security.insecureAPI.mkstemp</b></td><td>Warn when 'mkstemp' is passed fewer than 6 X's in the format string.</td> |
| 149 | </tr> |
| 150 | <tr> |
| 151 | <td><b>security.insecureAPI.mktemp</b></td><td>Warn on uses of the 'mktemp' function.</td> |
| 152 | </tr> |
| 153 | <tr> |
| 154 | <td><b>security.insecureAPI.rand</b></td><td>Warn on uses of the 'rand', 'random', and related functions.</td> |
| 155 | </tr> |
| 156 | <tr> |
| 157 | <td><b>security.insecureAPI.strcpy</b></td><td>Warn on uses of the 'strcpy' and 'strcat' functions.</td> |
| 158 | </tr> |
| 159 | <tr> |
| 160 | <td><b>security.insecureAPI.vfork</b></td><td>Warn on uses of the 'vfork' function.</td> |
| 161 | </tr> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 162 | <tr> |
Benjamin Kramer | 665a8dc | 2012-01-15 15:26:07 +0000 | [diff] [blame] | 163 | <td><b>unix.API</b></td><td>Check calls to various UNIX/Posix functions.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 164 | </tr> |
Anna Zaks | 30a0908 | 2012-05-09 17:57:16 +0000 | [diff] [blame] | 165 | <tr> |
| 166 | <td><b>unix.Malloc</b></td><td>Check for memory leaks, double free, and use-after-free problems.</td> |
| 167 | </tr> |
| 168 | <tr> |
| 169 | <td><b>unix.MallocSizeof</b></td><td>Check for dubious malloc arguments involving sizeof.</td> |
| 170 | </tr> |
| 171 | <tr> |
| 172 | <td><b>unix.cstring.BadSizeArg</b></td><td>Check the size argument passed into C string functions for common erroneous patterns.</td> |
| 173 | </tr> |
| 174 | <tr> |
| 175 | <td><b>unix.cstring.NullArg</b></td><td>Check for null pointers being passed as arguments to C string functions.</td> |
Anna Zaks | 0e5df1a | 2011-11-05 05:20:54 +0000 | [diff] [blame] | 176 | </table> |
| 177 | |
| 178 | <p>In addition to these the analyzer contains numerous experimental (beta) checkers.</p> |
| 179 | |
| 180 | <h3>Writeups with examples of some of the bugs that the analyzer finds</h3> |
Ted Kremenek | 591b907 | 2009-06-08 21:21:24 +0000 | [diff] [blame] | 181 | |
| 182 | <ul> |
| 183 | <li><a href="http://www.mobileorchard.com/bug-finding-with-clang-5-resources-to-get-you-started/">Bug Finding With Clang: 5 Resources To Get You Started</a></li> |
| 184 | <li><a href="http://fruitstandsoftware.com/blog/index.php/2008/08/finding-memory-leaks-with-the-llvmclang-static-analyzer/#comment-2">Finding Memory Leaks With The LLVM/Clang Static Analyzer</a></li> |
| 185 | <li><a href="http://www.therareair.com/howto-static-analyze-your-objective-c-code-using-the-clang-static-analyzer-tool-gallery/">HOWTO: Static Analyze Your Objective-C Code Using the Clang Static Analyzer Tool Gallery</a></li> |
| 186 | <li><a href="http://www.rogueamoeba.com/utm/2008/07/14/the-clang-static-analyzer/">Under the Microscope - The Clang Static Analyzer</a></li> |
| 187 | <li><a href="http://www.mikeash.com/?page=pyblog/friday-qa-2009-03-06-using-the-clang-static-analyzer.html">Mike Ash - Using the Clang Static Analyzer</a></li> |
| 188 | </ul> |
| 189 | |
| 190 | |
| 191 | </div> |
Ted Kremenek | 8bebc6e | 2010-02-09 23:05:59 +0000 | [diff] [blame] | 192 | </div> |
Ted Kremenek | 591b907 | 2009-06-08 21:21:24 +0000 | [diff] [blame] | 193 | </body> |
| 194 | </html> |
| 195 | |