head 1.1;
branch 1.1.1;
access;
symbols
netbsd-11-0-RC4:1.1.1.5
netbsd-11-0-RC3:1.1.1.5
netbsd-11-0-RC2:1.1.1.5
netbsd-11-0-RC1:1.1.1.5
perseant-exfatfs-base-20250801:1.1.1.5
netbsd-11:1.1.1.5.0.10
netbsd-11-base:1.1.1.5
netbsd-10-1-RELEASE:1.1.1.5
perseant-exfatfs-base-20240630:1.1.1.5
perseant-exfatfs:1.1.1.5.0.8
perseant-exfatfs-base:1.1.1.5
netbsd-8-3-RELEASE:1.1.1.2
netbsd-9-4-RELEASE:1.1.1.4
netbsd-10-0-RELEASE:1.1.1.5
netbsd-10-0-RC6:1.1.1.5
netbsd-10-0-RC5:1.1.1.5
netbsd-10-0-RC4:1.1.1.5
netbsd-10-0-RC3:1.1.1.5
netbsd-10-0-RC2:1.1.1.5
netbsd-10-0-RC1:1.1.1.5
netbsd-10:1.1.1.5.0.6
netbsd-10-base:1.1.1.5
netbsd-9-3-RELEASE:1.1.1.4
cjep_sun2x:1.1.1.5.0.4
cjep_sun2x-base:1.1.1.5
cjep_staticlib_x-base1:1.1.1.5
netbsd-9-2-RELEASE:1.1.1.4
cjep_staticlib_x:1.1.1.5.0.2
cjep_staticlib_x-base:1.1.1.5
netbsd-9-1-RELEASE:1.1.1.4
phil-wifi-20200421:1.1.1.5
phil-wifi-20200411:1.1.1.5
phil-wifi-20200406:1.1.1.5
netbsd-8-2-RELEASE:1.1.1.2
netbsd-9-0-RELEASE:1.1.1.4
netbsd-9-0-RC2:1.1.1.4
netbsd-9-0-RC1:1.1.1.4
netbsd-9:1.1.1.4.0.2
netbsd-9-base:1.1.1.4
phil-wifi-20190609:1.1.1.4
netbsd-8-1-RELEASE:1.1.1.2
netbsd-8-1-RC1:1.1.1.2
pgoyette-compat-merge-20190127:1.1.1.3.2.1
pgoyette-compat-20190127:1.1.1.4
pgoyette-compat-20190118:1.1.1.4
pgoyette-compat-1226:1.1.1.4
pgoyette-compat-1126:1.1.1.4
pgoyette-compat-1020:1.1.1.4
pgoyette-compat-0930:1.1.1.4
pgoyette-compat-0906:1.1.1.4
netbsd-7-2-RELEASE:1.1.1.1
pgoyette-compat-0728:1.1.1.4
clang-337282:1.1.1.4
netbsd-8-0-RELEASE:1.1.1.2
phil-wifi:1.1.1.3.0.4
phil-wifi-base:1.1.1.3
pgoyette-compat-0625:1.1.1.3
netbsd-8-0-RC2:1.1.1.2
pgoyette-compat-0521:1.1.1.3
pgoyette-compat-0502:1.1.1.3
pgoyette-compat-0422:1.1.1.3
netbsd-8-0-RC1:1.1.1.2
pgoyette-compat-0415:1.1.1.3
pgoyette-compat-0407:1.1.1.3
pgoyette-compat-0330:1.1.1.3
pgoyette-compat-0322:1.1.1.3
pgoyette-compat-0315:1.1.1.3
netbsd-7-1-2-RELEASE:1.1.1.1
pgoyette-compat:1.1.1.3.0.2
pgoyette-compat-base:1.1.1.3
netbsd-7-1-1-RELEASE:1.1.1.1
clang-319952:1.1.1.3
matt-nb8-mediatek:1.1.1.2.0.10
matt-nb8-mediatek-base:1.1.1.2
clang-309604:1.1.1.3
perseant-stdc-iso10646:1.1.1.2.0.8
perseant-stdc-iso10646-base:1.1.1.2
netbsd-8:1.1.1.2.0.6
netbsd-8-base:1.1.1.2
prg-localcount2-base3:1.1.1.2
prg-localcount2-base2:1.1.1.2
prg-localcount2-base1:1.1.1.2
prg-localcount2:1.1.1.2.0.4
prg-localcount2-base:1.1.1.2
pgoyette-localcount-20170426:1.1.1.2
bouyer-socketcan-base1:1.1.1.2
pgoyette-localcount-20170320:1.1.1.2
netbsd-7-1:1.1.1.1.0.14
netbsd-7-1-RELEASE:1.1.1.1
netbsd-7-1-RC2:1.1.1.1
clang-294123:1.1.1.2
netbsd-7-nhusb-base-20170116:1.1.1.1
bouyer-socketcan:1.1.1.2.0.2
bouyer-socketcan-base:1.1.1.2
clang-291444:1.1.1.2
pgoyette-localcount-20170107:1.1.1.1
netbsd-7-1-RC1:1.1.1.1
pgoyette-localcount-20161104:1.1.1.1
netbsd-7-0-2-RELEASE:1.1.1.1
localcount-20160914:1.1.1.1
netbsd-7-nhusb:1.1.1.1.0.12
netbsd-7-nhusb-base:1.1.1.1
clang-280599:1.1.1.1
pgoyette-localcount-20160806:1.1.1.1
pgoyette-localcount-20160726:1.1.1.1
pgoyette-localcount:1.1.1.1.0.10
pgoyette-localcount-base:1.1.1.1
netbsd-7-0-1-RELEASE:1.1.1.1
clang-261930:1.1.1.1
netbsd-7-0:1.1.1.1.0.8
netbsd-7-0-RELEASE:1.1.1.1
netbsd-7-0-RC3:1.1.1.1
netbsd-7-0-RC2:1.1.1.1
netbsd-7-0-RC1:1.1.1.1
clang-237755:1.1.1.1
clang-232565:1.1.1.1
clang-227398:1.1.1.1
tls-maxphys-base:1.1.1.1
tls-maxphys:1.1.1.1.0.6
netbsd-7:1.1.1.1.0.4
netbsd-7-base:1.1.1.1
clang-215315:1.1.1.1
tls-earlyentropy:1.1.1.1.0.2
tls-earlyentropy-base:1.1.1.1
clang-209886:1.1.1.1
LLVM:1.1.1;
locks; strict;
comment @# @;
1.1
date 2014.05.30.18.14.50; author joerg; state Exp;
branches
1.1.1.1;
next ;
commitid 8q0kdlBlCn09GACx;
1.1.1.1
date 2014.05.30.18.14.50; author joerg; state Exp;
branches
1.1.1.1.2.1
1.1.1.1.6.1
1.1.1.1.10.1;
next 1.1.1.2;
commitid 8q0kdlBlCn09GACx;
1.1.1.2
date 2017.01.11.10.33.02; author joerg; state Exp;
branches;
next 1.1.1.3;
commitid CNnUNfII1jgNmxBz;
1.1.1.3
date 2017.08.01.19.34.47; author joerg; state Exp;
branches
1.1.1.3.2.1
1.1.1.3.4.1;
next 1.1.1.4;
commitid pMuDy65V0VicSx1A;
1.1.1.4
date 2018.07.17.18.31.57; author joerg; state Exp;
branches;
next 1.1.1.5;
commitid wDzL46ALjrCZgwKA;
1.1.1.5
date 2019.11.13.22.23.15; author joerg; state dead;
branches;
next ;
commitid QD8YATxuNG34YJKB;
1.1.1.1.2.1
date 2014.05.30.18.14.50; author tls; state dead;
branches;
next 1.1.1.1.2.2;
commitid t01A1TLTYxkpGMLx;
1.1.1.1.2.2
date 2014.08.10.07.08.26; author tls; state Exp;
branches;
next ;
commitid t01A1TLTYxkpGMLx;
1.1.1.1.6.1
date 2014.05.30.18.14.50; author tls; state dead;
branches;
next 1.1.1.1.6.2;
commitid jTnpym9Qu0o4R1Nx;
1.1.1.1.6.2
date 2014.08.19.23.49.30; author tls; state Exp;
branches;
next ;
commitid jTnpym9Qu0o4R1Nx;
1.1.1.1.10.1
date 2017.03.20.06.53.41; author pgoyette; state Exp;
branches;
next ;
commitid jjw7cAwgyKq7RfKz;
1.1.1.3.2.1
date 2018.07.28.04.34.21; author pgoyette; state Exp;
branches;
next ;
commitid 1UP1xAIUxv1ZgRLA;
1.1.1.3.4.1
date 2019.06.10.21.46.49; author christos; state Exp;
branches;
next 1.1.1.3.4.2;
commitid jtc8rnCzWiEEHGqB;
1.1.1.3.4.2
date 2020.04.13.07.50.43; author martin; state dead;
branches;
next ;
commitid X01YhRUPVUDaec4C;
desc
@@
1.1
log
@Initial revision
@
text
@
Alpha Checks
Alpha Checkers
Experimental checkers in addition to the
Default Checkers. These are checkers with known issues or limitations that
keep them from being on by default. They are likely to have false positives.
Bug reports are welcome but will likely not be investigated for some time.
Patches welcome!
Warn about assigning non-{0,1} values to boolean variables.
void test() {
BOOL b = -1; // warn
}
alpha.core.CastSize
(C)
Check when casting a malloc'ed type T, whether the size is a multiple of the
size of T (Works only with unix.Malloc
or alpha.unix.MallocWithAnnotations
checks enabled).
Check for cast from non-struct pointer to struct pointer.
// C
struct s {};
void test(int *p) {
struct s *ps = (struct s *) p; // warn
}
// C++
class c {};
void test(int *p) {
c *pc = (c *) p; // warn
}
alpha.core.FixedAddr
(C)
Check for assignment of a fixed address to a pointer.
void test() {
int *p;
p = (int *) 0x10000; // warn
}
alpha.core.IdenticalExpr
(C, C++)
Warn about suspicious uses of identical expressions.
// C
void test() {
int a = 5;
int b = a | 4 | a; // warn: identical expr on both sides
}
// C++
bool f(void);
void test(bool b) {
int i = 10;
if (f()) { // warn: true and false branches are identical
do {
i--;
} while (f());
} else {
do {
i--;
} while (f());
}
}
alpha.core.PointerArithm
(C)
Check for pointer arithmetic on locations other than array
elements.
void test() {
int x;
int *p;
p = &x + 1; // warn
}
alpha.core.PointerSub
(C)
Check for pointer subtractions on two pointers pointing to different memory
chunks.
void test() {
int x, y;
int d = &y - &x; // warn
}
alpha.core.SizeofPtr
(C)
Warn about unintended use of sizeof() on pointer
expressions.
struct s {};
int test(struct s *p) {
return sizeof(p);
// warn: sizeof(ptr) can produce an unexpected result
}
C++ Alpha Checkers
Name, Description
Example
alpha.cplusplus.NewDeleteLeaks
(C++)
Check for memory leaks. Traces memory managed by new/
delete.
void test() {
int *p = new int;
} // warn
alpha.cplusplus.VirtualCall
(C++)
Check virtual member function calls during construction or
destruction.
class A {
public:
A() {
f(); // warn
}
virtual void f();
};
class A {
public:
~A() {
this->f(); // warn
}
virtual void f();
};
Dead Code Alpha Checkers
Name, Description
Example
alpha.deadcode.UnreachableCode
(C, C++, ObjC)
Check unreachable code.
// C
int test() {
int x = 1;
while(x);
return x; // warn
}
// C++
void test() {
int a = 2;
while (a > 1)
a--;
if (a > 1)
a++; // warn
}
Check for an out-of-bound pointer being returned to callers.
static int A[10];
int *test() {
int *p = A + 10;
return p; // warn
}
int test(void) {
int x;
return x; // warn: undefined or garbage returned
}
alpha.security.taint.TaintPropagation
(C)
Generate taint information used by other checkers.
void test() {
char x = getchar(); // 'x' marked as tainted
system(&x); // warn: untrusted data is passed to a system call
}
// note: compiler internally checks if the second param to
// sprintf is a string literal or not.
// Use -Wno-format-security to suppress compiler warning.
void test() {
char s[10], buf[10];
fscanf(stdin, "%s", s); // 's' marked as tainted
sprintf(buf, s); // warn: untrusted data as a format string
}
void test() {
size_t ts;
scanf("%zd", &ts); // 'ts' marked as tainted
int *p = (int *)malloc(ts * sizeof(int));
// warn: untrusted data as bufer size
}
Unix Alpha Checkers
Name, Description
Example
alpha.unix.Chroot
(C)
Check improper use of chroot.
void f();
void test() {
chroot("/usr/local");
f(); // warn: no call of chdir("/") immediately after chroot
}
alpha.unix.MallocWithAnnotations
(C)
Check for memory leaks, double free, and use-after-free problems. Assumes that
all user-defined functions which might free a pointer are
annotated.
pthread_mutex_t mtx;
void test() {
pthread_mutex_lock(&mtx);
pthread_mutex_lock(&mtx);
// warn: this lock has already been acquired
}
lck_mtx_t lck1, lck2;
void test() {
lck_mtx_lock(&lck1);
lck_mtx_lock(&lck2);
lck_mtx_unlock(&lck1);
// warn: this was not the most recently acquired lock
}
lck_mtx_t lck1, lck2;
void test() {
if (lck_mtx_try_lock(&lck1) == 0)
return;
lck_mtx_lock(&lck2);
lck_mtx_unlock(&lck1);
// warn: this was not the most recently acquired lock
}
void log();
int max(int a, int b) { // warn
log();
if (a > b)
return a;
return b;
}
int maxClone(int x, int y) { // similar code here
log();
if (x > y)
return x;
return y;
}
Check for uninitialized arguments in function calls and Objective-C
message expressions.
void test(void) {
int t;
int &p = t;
int &s = p;
int &q = s;
foo(q); // warn
}
void test(void) {
int x;
foo(&x); // warn
}
a93 41
alpha.core.Conversion
(C, C++, ObjC)
Loss of sign or precision in implicit conversions
void test(unsigned U, signed S) {
if (S > 10) {
if (U < S) {
}
}
if (S < -10) {
if (U < S) { // warn (loss of sign)
}
}
}
void test() {
long long A = 1LL << 60;
short X = A; // warn (loss of precision)
}
alpha.core.DynamicTypeChecker
(ObjC)
Check for cases where the dynamic and the static type of an
object are unrelated.
id date = [NSDate date];
// Warning: Object has a dynamic type 'NSDate *' which is
// incompatible with static type 'NSNumber *'"
NSNumber *number = date;
[number doubleValue];
a180 15
alpha.core.TestAfterDivZero
(C, C++, ObjC)
Check for division by variable that is later compared against 0.
Either the comparison is useless or there is division by zero.
void test(int x) {
var = 77 / x;
if (x == 0) { } // warn
}
Warns against using one vs. many plural pattern in code
when generating localized strings.
NSString *reminderText =
NSLocalizedString(@@"None", @@"Indicates no reminders");
if (reminderCount == 1) {
// Warning: Plural cases are not supported accross all languages.
// Use a .stringsdict file instead
reminderText =
NSLocalizedString(@@"1 Reminder", @@"Indicates single reminder");
} else if (reminderCount >= 2) {
// Warning: Plural cases are not supported accross all languages.
// Use a .stringsdict file instead
reminderText =
[NSString stringWithFormat:
NSLocalizedString(@@"%@@ Reminders", @@"Indicates multiple reminders"),
reminderCount];
}
d678 46
@
1.1.1.3.4.1
log
@Sync with HEAD
@
text
@d554 1
a554 1
// Warning: Plural cases are not supported across all languages.
d559 1
a559 1
// Warning: Plural cases are not supported across all languages.
d715 1
a715 1
// warn: untrusted data as buffer size
d803 1
a803 1
,Video)
@
1.1.1.3.4.2
log
@Mostly merge changes from HEAD upto 20200411
@
text
@@
1.1.1.3.2.1
log
@Sync with HEAD
@
text
@d554 1
a554 1
// Warning: Plural cases are not supported across all languages.
d559 1
a559 1
// Warning: Plural cases are not supported across all languages.
d715 1
a715 1
// warn: untrusted data as buffer size
d803 1
a803 1
,Video)
@
1.1.1.4
log
@Import clang r337282 from trunk
@
text
@d554 1
a554 1
// Warning: Plural cases are not supported across all languages.
d559 1
a559 1
// Warning: Plural cases are not supported across all languages.
d715 1
a715 1
// warn: untrusted data as buffer size
d803 1
a803 1
,Video)
@
1.1.1.5
log
@Mark old LLVM instance as dead.
@
text
@@
1.1.1.1.6.1
log
@file alpha_checks.html was added on branch tls-maxphys on 2014-08-19 23:49:30 +0000
@
text
@d1 848
@
1.1.1.1.6.2
log
@Rebase to HEAD as of a few days ago.
@
text
@a0 848
Alpha Checks
Alpha Checkers
Experimental checkers in addition to the
Default Checkers. These are checkers with known issues or limitations that
keep them from being on by default. They are likely to have false positives.
Bug reports are welcome but will likely not be investigated for some time.
Patches welcome!
Warn about assigning non-{0,1} values to boolean variables.
void test() {
BOOL b = -1; // warn
}
alpha.core.CastSize
(C)
Check when casting a malloc'ed type T, whether the size is a multiple of the
size of T (Works only with unix.Malloc
or alpha.unix.MallocWithAnnotations
checks enabled).
Check for cast from non-struct pointer to struct pointer.
// C
struct s {};
void test(int *p) {
struct s *ps = (struct s *) p; // warn
}
// C++
class c {};
void test(int *p) {
c *pc = (c *) p; // warn
}
alpha.core.FixedAddr
(C)
Check for assignment of a fixed address to a pointer.
void test() {
int *p;
p = (int *) 0x10000; // warn
}
alpha.core.IdenticalExpr
(C, C++)
Warn about suspicious uses of identical expressions.
// C
void test() {
int a = 5;
int b = a | 4 | a; // warn: identical expr on both sides
}
// C++
bool f(void);
void test(bool b) {
int i = 10;
if (f()) { // warn: true and false branches are identical
do {
i--;
} while (f());
} else {
do {
i--;
} while (f());
}
}
alpha.core.PointerArithm
(C)
Check for pointer arithmetic on locations other than array
elements.
void test() {
int x;
int *p;
p = &x + 1; // warn
}
alpha.core.PointerSub
(C)
Check for pointer subtractions on two pointers pointing to different memory
chunks.
void test() {
int x, y;
int d = &y - &x; // warn
}
alpha.core.SizeofPtr
(C)
Warn about unintended use of sizeof() on pointer
expressions.
struct s {};
int test(struct s *p) {
return sizeof(p);
// warn: sizeof(ptr) can produce an unexpected result
}
C++ Alpha Checkers
Name, Description
Example
alpha.cplusplus.NewDeleteLeaks
(C++)
Check for memory leaks. Traces memory managed by new/
delete.
void test() {
int *p = new int;
} // warn
alpha.cplusplus.VirtualCall
(C++)
Check virtual member function calls during construction or
destruction.
class A {
public:
A() {
f(); // warn
}
virtual void f();
};
class A {
public:
~A() {
this->f(); // warn
}
virtual void f();
};
Dead Code Alpha Checkers
Name, Description
Example
alpha.deadcode.UnreachableCode
(C, C++, ObjC)
Check unreachable code.
// C
int test() {
int x = 1;
while(x);
return x; // warn
}
// C++
void test() {
int a = 2;
while (a > 1)
a--;
if (a > 1)
a++; // warn
}
Check for an out-of-bound pointer being returned to callers.
static int A[10];
int *test() {
int *p = A + 10;
return p; // warn
}
int test(void) {
int x;
return x; // warn: undefined or garbage returned
}
alpha.security.taint.TaintPropagation
(C)
Generate taint information used by other checkers.
void test() {
char x = getchar(); // 'x' marked as tainted
system(&x); // warn: untrusted data is passed to a system call
}
// note: compiler internally checks if the second param to
// sprintf is a string literal or not.
// Use -Wno-format-security to suppress compiler warning.
void test() {
char s[10], buf[10];
fscanf(stdin, "%s", s); // 's' marked as tainted
sprintf(buf, s); // warn: untrusted data as a format string
}
void test() {
size_t ts;
scanf("%zd", &ts); // 'ts' marked as tainted
int *p = (int *)malloc(ts * sizeof(int));
// warn: untrusted data as bufer size
}
Unix Alpha Checkers
Name, Description
Example
alpha.unix.Chroot
(C)
Check improper use of chroot.
void f();
void test() {
chroot("/usr/local");
f(); // warn: no call of chdir("/") immediately after chroot
}
alpha.unix.MallocWithAnnotations
(C)
Check for memory leaks, double free, and use-after-free problems. Assumes that
all user-defined functions which might free a pointer are
annotated.
pthread_mutex_t mtx;
void test() {
pthread_mutex_lock(&mtx);
pthread_mutex_lock(&mtx);
// warn: this lock has already been acquired
}
lck_mtx_t lck1, lck2;
void test() {
lck_mtx_lock(&lck1);
lck_mtx_lock(&lck2);
lck_mtx_unlock(&lck1);
// warn: this was not the most recently acquired lock
}
lck_mtx_t lck1, lck2;
void test() {
if (lck_mtx_try_lock(&lck1) == 0)
return;
lck_mtx_lock(&lck2);
lck_mtx_unlock(&lck1);
// warn: this was not the most recently acquired lock
}
Checks for overlap in two buffer arguments; applies to:
memcpy
mempcpy
void test() {
int a[4] = {0};
memcpy(a + 2, a + 1, 8); // warn
}
alpha.unix.cstring.NotNullTerminated
(C)
Check for arguments which are not null-terminated strings; applies
to:
strlen
strnlen
strcpy
strncpy
strcat
strncat
void test() {
int y = strlen((char *)&test); // warn
}
alpha.unix.cstring.OutOfBounds
(C)
Check for out-of-bounds access in string functions; applies
to:
strncopy
strncat
void test(char *y) {
char x[4];
if (strlen(y) == 4)
strncpy(x, y, 5); // warn
}
@
1.1.1.1.2.1
log
@file alpha_checks.html was added on branch tls-earlyentropy on 2014-08-10 07:08:26 +0000
@
text
@d1 848
@
1.1.1.1.2.2
log
@Rebase.
@
text
@a0 848
Alpha Checks
Alpha Checkers
Experimental checkers in addition to the
Default Checkers. These are checkers with known issues or limitations that
keep them from being on by default. They are likely to have false positives.
Bug reports are welcome but will likely not be investigated for some time.
Patches welcome!
Warn about assigning non-{0,1} values to boolean variables.
void test() {
BOOL b = -1; // warn
}
alpha.core.CastSize
(C)
Check when casting a malloc'ed type T, whether the size is a multiple of the
size of T (Works only with unix.Malloc
or alpha.unix.MallocWithAnnotations
checks enabled).
Check for cast from non-struct pointer to struct pointer.
// C
struct s {};
void test(int *p) {
struct s *ps = (struct s *) p; // warn
}
// C++
class c {};
void test(int *p) {
c *pc = (c *) p; // warn
}
alpha.core.FixedAddr
(C)
Check for assignment of a fixed address to a pointer.
void test() {
int *p;
p = (int *) 0x10000; // warn
}
alpha.core.IdenticalExpr
(C, C++)
Warn about suspicious uses of identical expressions.
// C
void test() {
int a = 5;
int b = a | 4 | a; // warn: identical expr on both sides
}
// C++
bool f(void);
void test(bool b) {
int i = 10;
if (f()) { // warn: true and false branches are identical
do {
i--;
} while (f());
} else {
do {
i--;
} while (f());
}
}
alpha.core.PointerArithm
(C)
Check for pointer arithmetic on locations other than array
elements.
void test() {
int x;
int *p;
p = &x + 1; // warn
}
alpha.core.PointerSub
(C)
Check for pointer subtractions on two pointers pointing to different memory
chunks.
void test() {
int x, y;
int d = &y - &x; // warn
}
alpha.core.SizeofPtr
(C)
Warn about unintended use of sizeof() on pointer
expressions.
struct s {};
int test(struct s *p) {
return sizeof(p);
// warn: sizeof(ptr) can produce an unexpected result
}
C++ Alpha Checkers
Name, Description
Example
alpha.cplusplus.NewDeleteLeaks
(C++)
Check for memory leaks. Traces memory managed by new/
delete.
void test() {
int *p = new int;
} // warn
alpha.cplusplus.VirtualCall
(C++)
Check virtual member function calls during construction or
destruction.
class A {
public:
A() {
f(); // warn
}
virtual void f();
};
class A {
public:
~A() {
this->f(); // warn
}
virtual void f();
};
Dead Code Alpha Checkers
Name, Description
Example
alpha.deadcode.UnreachableCode
(C, C++, ObjC)
Check unreachable code.
// C
int test() {
int x = 1;
while(x);
return x; // warn
}
// C++
void test() {
int a = 2;
while (a > 1)
a--;
if (a > 1)
a++; // warn
}
Check for an out-of-bound pointer being returned to callers.
static int A[10];
int *test() {
int *p = A + 10;
return p; // warn
}
int test(void) {
int x;
return x; // warn: undefined or garbage returned
}
alpha.security.taint.TaintPropagation
(C)
Generate taint information used by other checkers.
void test() {
char x = getchar(); // 'x' marked as tainted
system(&x); // warn: untrusted data is passed to a system call
}
// note: compiler internally checks if the second param to
// sprintf is a string literal or not.
// Use -Wno-format-security to suppress compiler warning.
void test() {
char s[10], buf[10];
fscanf(stdin, "%s", s); // 's' marked as tainted
sprintf(buf, s); // warn: untrusted data as a format string
}
void test() {
size_t ts;
scanf("%zd", &ts); // 'ts' marked as tainted
int *p = (int *)malloc(ts * sizeof(int));
// warn: untrusted data as bufer size
}
Unix Alpha Checkers
Name, Description
Example
alpha.unix.Chroot
(C)
Check improper use of chroot.
void f();
void test() {
chroot("/usr/local");
f(); // warn: no call of chdir("/") immediately after chroot
}
alpha.unix.MallocWithAnnotations
(C)
Check for memory leaks, double free, and use-after-free problems. Assumes that
all user-defined functions which might free a pointer are
annotated.
pthread_mutex_t mtx;
void test() {
pthread_mutex_lock(&mtx);
pthread_mutex_lock(&mtx);
// warn: this lock has already been acquired
}
lck_mtx_t lck1, lck2;
void test() {
lck_mtx_lock(&lck1);
lck_mtx_lock(&lck2);
lck_mtx_unlock(&lck1);
// warn: this was not the most recently acquired lock
}
lck_mtx_t lck1, lck2;
void test() {
if (lck_mtx_try_lock(&lck1) == 0)
return;
lck_mtx_lock(&lck2);
lck_mtx_unlock(&lck1);
// warn: this was not the most recently acquired lock
}