Release Notes for Cppcheck 2.13

New checks:
- passedByValueCallback for functions which take a parameter by value but are used as callbacks (subset of passedByValue)
- returnImplicitInt for C functions without return type (previously reported as a debug message)
- iterateByValue for iterating by value in a range-based for loop when a const reference could be used

Changed interface:
- Final report of active checkers is reported as a normal information message instead.... read more

New checks:
- uselessOverride finds overriding functions that either duplicate code from or delegate back to the base class implementation
- knownPointerToBool finds pointer to bool conversions that are always true or false

Improved checking:
- truncLongCastAssignment and truncLongCastReturn check additional types, including float/double/long double
- duplInheritedMember also reports duplicated member functions
- constParameter/constVariable checks find more instances of pointers/references that can be const, e.g. when calling library functions... read more

New checks:

• pop_back on empty container is UB

Improved checking:

• Improve useStlAlgorithm check to handle many more conditions in the loop for any_of, all_of and none_of algorithms
• ValueFlow can evaluate the return value of functions even when conditionals are used
• ValueFlow will now forward the container sizes being returned from a function
• ValueFlow can infer possible values from possible symbolic values
• Improve valueflow after pushing to container ... read more

Cppcheck has been added in the Gartner "Application Security Testing" Peer Insights listing.

The Gartner Peer Insights lists various tools and show reviews. The reviews are verified by Gartner. A user that use the tool professionally can write a review.

Please help us getting reviews. If you work at a company that uses Cppcheck then please review us. Both open source Cppcheck and Cppcheck Premium users are welcome to review. The link below takes you to the review form:
https://gtnr.io/J81zesfzL

Analysis:
- Many improvements and fixes in checkers.
- Windows binaries currently default to the "win32A" and "win64" platform respectively. Starting with Cppcheck 2.13 they will default to 'native' instead. Please specify '--platform=win32A' or '--platform=win64' explicitly if you rely on this.
- New check: use memset/memcpy instead of loop

CLI:
- if the file provided via "--file-list" cannot be opened it will now error out
- add command-line option "--disable=<id>" to individually disable checks... read more</id>

Analysis

• restored check for negative allocation (new[]) and negative VLA sizes from cppcheck 1.87 (LCppC backport)
• replaced hardcoded check for pipe() buffer size by library configuration option (LCppC backport)
• on Windows the callstack is now being written to the output specific via "--exception-handling"
• make it possible to disable the various exception handling parts via the CMake options "NO_UNIX_SIGNAL_HANDLING", "NO_UNIX_BACKTRACE_SUPPORT" and "NO_WINDOWS_SEH"
• detect more redundant calls of std::string::c_str(), std::string::substr(), and unnecessary copies of containers
• Add a match function to addon similiar to Token::Match used internally by cppcheck:
  • | for either-or tokens(ie struct|class to match either struct or class)
  • !! to negate a token
  • It supports the %any%, %assign%, %comp%, %name%, %op%, %or%, %oror%, and %var% keywords
  • It supports (*), {*}, [*], and <*> to match links
  • @ can be added to bind the token to a name
  • ** can be used to match until a token
• Add math functions which can be used in library function definition. This enables evaluation of more math functions in ValueFlow
• Further improve lifetime analysis with this pointers
• Propagate condition values from outer function calls
• Add debug intrinsics debug_valueflow and debug_valuetype to show more detail including source backtraces... read more

• Lifetime analysis can now track lifetime across user-defined constructors when they are inline and using member initializer list.
• SymbolDatabase can now deduce iterator types from how they are specified in the library files.
• ValueFlow can evaluate class member functions that return known values.
• Improve duplicateValueTenary to not warn when used as an lvalue or when one branch has side effects
• Fix variableScope to not warn when variables are used in lambda functions
• Fix unassignedVariable warnings when using structured bindings
• Fix redundantInitialization warning when variable is used in a lambda
• Fix variableScope warnings when using if/while init-statement
• Improve lifetime analysis when returning variadic template expressions
• Detect more statements with constStatement
• Detect variableScope for more types
• Improvements to unreadVariable
• Detect more instances of C style casts
• Warn if the return value of new is discarded
• The pre-ValueFlow uninitialized checker now uses a different ID as legacyUninitvar
• Extended library format to exclude specific function argument values

Today, Cppcheck-2.7 is released

Add support for container views. The view attribute has been added to the <container> library tag to specify the class is a view. The lifetime analysis has been updated to use this new attribute to find dangling lifetime containers.

Various checker improvements.

Fixed false positives.

Today a tool with the name Cppcheck Premium is launched.

It integrates the open source Cppcheck tool and a premium addon into a package.

You will get:
* Open source Cppcheck command line tool.
* Analysis; Extra checking for memory errors, diagnoses one of the bugs reported in CVE-2019-15048.
* Security: Binaries and installer are signed using an organization certificate. (This removes the "Unknown Publisher" warning).
* Currently, Cppcheck Premium only includes a Windows installer. Feel free to contact us if you want Linux binaries.... read more

New checks in core cppcheck:
* missing return in function
* writing overlapping data, detect undefined behavior
* compared value is out of possible type range
* [perf] Copy elision optimization can't be applied for return std::move(local)
* file can not be opened for read and write access at the same time on different streams

Various improvements:
* Color output for diagnostics are added for unix-based platforms.
* Added symbolic analysis for ValueFlow. A simple delta is used to compute the difference between two unknown variable.
* Rules using the "define" tokenlist can also match #include as well.
* Library <function> tags can now use <container> tag, so free functions that accept containers such as std::size, std::empty, std::begin, std::end, etc. can specify the yields or action for the container.
* Library <smart-pointer> tag can specify a <unique> tag for smart pointers that have unique ownership. Cppcheck now warns about dangling references to smart pointers with unique ownership.
* Fixed problems when --cppcheck-build-dir is used, that should now work better. It is recommended to use --cppcheck-build-dir to speedup Cppcheck analysis.
* htmlreport can now output author information (using git blame)
* More warnings about variables that is not const but can be const... read more

A new Cppcheck release

Parser:
* various fixes
* checked that all features in c++11, c++14, c++17 are supported
* c++20 support is improved but not complete yet

Core:
* improved library files, better knowledge about APIs
* improved checks to detect more bugs
* fixed checks to avoid unwanted warnings

Changed output:
* try to use relative paths when using compile databases, if compile database is accessed with relative path
* updated XML; The file0 attribute is moved from <location> to <error>... read more</error></location>

There has been questions before about how well Cppcheck handles the latest C++ standard language features. And unfortunately I feel I could not answer that very well.

Lately I have been investigating C++20 (and below) support. Cppcheck-2.4.1 has pretty good support overall for C++17 (and lower) and it also handle a few C++20 features. We have improved the parser and I now feel that latest Cppcheck development build support all C++17 language features and a couple of additional C++20 features. The improved parser will be available in Cppcheck-2.5.... read more

We have made a fix release with this little fix:

The windows installer was fixed, there was a missing file for the Misra addon.

Fixed false negatives and false positives

New check; Detect one definition rule violations

Various improvements:
* MISRA improvements
* ImportProject fixes
* Various bug hunting improvements
* Fixes when importing AST from clang

Improved C++ parser
- types
- wrong operands in ast
- better simplification of templates
Improved clang import, various fixes.
Improved value flow analysis

Fixed false positives

Improved configuration in library files
- boost.cfg
- googletest.cfg
- qt.cfg
- windows.cfg
- wxwidgets.cfg

Added several Misra rules:
- 6.1
- 6.2
- 7.2
- 7.4
- 9.2
- 10.2
- 15.4

Added platforms:
- elbrus e1c+
- pic
- pic8
- mips

New checks:
* incorrect usage of mutexes and lock guards
* Dereference end iterator
* Iterating a known empty container
* outOfBounds check for iterators to containers

Removed 'operator=' check that ensures reference to self is returned. That is not about safety.

Improved parser
* various ast fixes

Clang parser
* The Clang import feature in Cppcheck should be considered to be experimental for now. There are problems.... read more

I have launched one more Kickstarter project. Its goal is to improve the Clang import feature in Cppcheck.

There are two tasks:
* Comparison of Clang/Cppcheck syntax tree. This will help us ensure that Cppcheck and Clang import work properly.
* The Cppcheck SymbolDatabase has a few fields for Variables that are not set properly by Clang import.

Link to project:
https://www.kickstarter.com/projects/3300446/cppcheck-clang-import

I launched a Kickstarter project today.

https://www.kickstarter.com/projects/3300446/cppcheck-variable-constraints

I will add configuration of variable constraints. With such configuration, Cppcheck will get both better precision and better soundness.

To start with I only plan to use the constraints in the bug hunting analysis. However in the long run, the constraints can be used in traditional analysis also.

This is a minor release.

We have tweaked build scripts.
* When you use USE_Z3=yes, we will handle new versions of z3 better. If you have an old z3 library and get compilation problems you will need to add a z3_version.h in externals.
* The cmake scripts was updated.

There was a couple of bug fixes.

New check:
* for "expression % 1" the result is always 0.

As of today:
* there has been 601,753 downloads on sourceforge; https://sourceforge.net/projects/cppcheck/files/cppcheck/stats/timeline?dates=2007-02-09+to+2020-05-25
* there has been 398,248 downloads from github; https://somsubhra.com/github-release-stats/?username=danmar&repository=cppcheck

The download count is now above 1 million!

Those statistics are not complete. But those are the known downloads. For instance we do not know how many have downloaded through apt-get or how many grabbed the source code directly from github and compiled that - the github download count is only for the windows installers.

Overview

The command line is not changed drastically. Your old cppcheck scripts should work as before.

Compiling: There is a new dependency Z3. When compiling with the Makefile it is highly recommended to use "USE_Z3=yes".

Improved clang-tidy integration

Several fixes to;

• improve parsing
• detect more bugs with existing checks
• fix false alarms

Clang import

Clang is a C/C++ compiler that has a very robust and well made parser.... read more

I launched a new Kickstarter project today.

https://www.kickstarter.com/projects/3300446/diagnose-buffer-overflow-cve

Thousands of software vulnerabilities are found in released software each year.

I will investigate the reported vulnerabilities and pick a buffer overflow that is not diagnosed by Cppcheck yet. Then I will fix Cppcheck so it detects such overflows.

This is a small step, but in the long run it should be possible to detect most buffer overflows by using Cppcheck.

I launched a new Kickstarter project today.

https://www.kickstarter.com/projects/3300446/add-all-missing-10x-misra-rules

If this is funded 4 MISRA rules will be added in the misra addon.

Cppcheck-1.90 has been released.

New check:
* alias to vector element invalid after vector is changed

Improved checking:
* improved value flow analysis for struct members
* improved value flow analysis for pointer alias

CERT:
* Added ENV33-C: Do not call system()

MISRA:
* Added rule 2.7
* Added rule 3.2
* Added rule 4.2
* Added rule 14.2
* Added rule 21.1
* Added rule 21.12

Addons:
* Add --recursive option. You can check dump files recursively.

I have launched one more Kickstarter project.

This project is about "Software verification". A new analysis mode that will be added in Cppcheck later.

It will make it possible to detect much more bugs.

Here is the link:
https://www.kickstarter.com/projects/3300446/software-verification-1