cppcheck / News: Recent posts

Release Notes for Cppcheck 2.17

New checks:
- staticFunction: detect functions that should have internal linkage since they
are not used outside of their translation unit (C code only).
- Check null pointer return from memory/resource allocation functions (nullPointerOutOfMemory,
nullPointerArithmeticOutOfMemory, nullPointerOutOfResources, ctunullpointerOutOfMemory,
ctunullpointerOutOfResources).... read more

The Cppcheck manual has been recommending that users that wants to run MISRA C provide a rule texts file.

You need to download and use the files provided by MISRA:
https://gitlab.com/MISRA/MISRA-C/MISRA-C-2012/tools

See chapter 3.2.2 here: https://misra.org.uk/terms-of-sale/

You shall have no right to copy, adapt, reverse engineer, decompile, disassemble or modify the Documents or any of them in whole or in part.... read more

Release Notes for Cppcheck 2.16.0

Improved checking:
- constVariable; checking multidimensional arrays
- constVariablePointer; nested array access
- deallocuse

Changed interface:
- SARIF output. Use --output-format=sarif to activate this.
- Add option --output-format=<format>. Allowed formats are sarif and xml.</format>

Deprecations:
- The previously deprecated support for Python 2.7 has been removed. please use Python 3 instead.
- The maximum value for --max-ctu-depth is currently capped at 10. This limitation will be removed in a future release.... read more

Release Notes for Cppcheck 2.15

New checks:

• suspiciousFloatingPointCast flags unnecessary floating point casts that cause loss of precision

GUI:

• Added misra/cert/autosar reports
• Fixed "Recheck"
• Add "inline suppressions" option in project file
• Make it possible to define extra defines when importing a project

Changed interface:

• Added command-line option --cpp-header-probe (and --no-cpp-header-probe) to probe headers and extension-less files for Emacs marker (see https://trac.cppcheck.net/ticket/10692 for more details)... read more

Fixes:

• Build: fix USE_MATCHCOMPILER CMake option validation, it works as it should again
• Improve Checking: implement evaluation order checker for c++11 and later
• GUI: Do not show messages during analysis that are inactivated in the toolbar
• Cppcheck Premium: update mapping of checkers in cppcheck
• Cppcheck Premium: GUI option to enable misra c++ 2023
• Cppcheck Premium: show misra c++ 2023 option in --help output

Release Notes for Cppcheck 2.14.0

Summary:
- Fixed 23 "crash" tickets
- Fixed 69 "false positive" tickets
- Fixed 36 "improve check" tickets

New checks:
- eraseIteratorOutOfBounds: warns when erase() is called on an iterator that is out of bounds
- returnByReference: warns when a large class member is returned by value from a getter function

GUI:
-Make it possible to suppress warnings in all files in a folder... read more

Release Notes for Cppcheck 2.13

New checks:
- passedByValueCallback for functions which take a parameter by value but are used as callbacks (subset of passedByValue)
- returnImplicitInt for C functions without return type (previously reported as a debug message)
- iterateByValue for iterating by value in a range-based for loop when a const reference could be used

Changed interface:
- Final report of active checkers is reported as a normal information message instead.... read more

New checks:
- uselessOverride finds overriding functions that either duplicate code from or delegate back to the base class implementation
- knownPointerToBool finds pointer to bool conversions that are always true or false

Improved checking:
- truncLongCastAssignment and truncLongCastReturn check additional types, including float/double/long double
- duplInheritedMember also reports duplicated member functions
- constParameter/constVariable checks find more instances of pointers/references that can be const, e.g. when calling library functions... read more

New checks:

• pop_back on empty container is UB

Improved checking:

• Improve useStlAlgorithm check to handle many more conditions in the loop for any_of, all_of and none_of algorithms
• ValueFlow can evaluate the return value of functions even when conditionals are used
• ValueFlow will now forward the container sizes being returned from a function
• ValueFlow can infer possible values from possible symbolic values
• Improve valueflow after pushing to container ... read more

Cppcheck has been added in the Gartner "Application Security Testing" Peer Insights listing.

The Gartner Peer Insights lists various tools and show reviews. The reviews are verified by Gartner. A user that use the tool professionally can write a review.

Please help us getting reviews. If you work at a company that uses Cppcheck then please review us. Both open source Cppcheck and Cppcheck Premium users are welcome to review. The link below takes you to the review form:
https://gtnr.io/J81zesfzL

Analysis:
- Many improvements and fixes in checkers.
- Windows binaries currently default to the "win32A" and "win64" platform respectively. Starting with Cppcheck 2.13 they will default to 'native' instead. Please specify '--platform=win32A' or '--platform=win64' explicitly if you rely on this.
- New check: use memset/memcpy instead of loop

CLI:
- if the file provided via "--file-list" cannot be opened it will now error out
- add command-line option "--disable=<id>" to individually disable checks... read more</id>

Analysis

• restored check for negative allocation (new[]) and negative VLA sizes from cppcheck 1.87 (LCppC backport)
• replaced hardcoded check for pipe() buffer size by library configuration option (LCppC backport)
• on Windows the callstack is now being written to the output specific via "--exception-handling"
• make it possible to disable the various exception handling parts via the CMake options "NO_UNIX_SIGNAL_HANDLING", "NO_UNIX_BACKTRACE_SUPPORT" and "NO_WINDOWS_SEH"
• detect more redundant calls of std::string::c_str(), std::string::substr(), and unnecessary copies of containers
• Add a match function to addon similiar to Token::Match used internally by cppcheck:
  • | for either-or tokens(ie struct|class to match either struct or class)
  • !! to negate a token
  • It supports the %any%, %assign%, %comp%, %name%, %op%, %or%, %oror%, and %var% keywords
  • It supports (*), {*}, [*], and <*> to match links
  • @ can be added to bind the token to a name
  • ** can be used to match until a token
• Add math functions which can be used in library function definition. This enables evaluation of more math functions in ValueFlow
• Further improve lifetime analysis with this pointers
• Propagate condition values from outer function calls
• Add debug intrinsics debug_valueflow and debug_valuetype to show more detail including source backtraces... read more

• Lifetime analysis can now track lifetime across user-defined constructors when they are inline and using member initializer list.
• SymbolDatabase can now deduce iterator types from how they are specified in the library files.
• ValueFlow can evaluate class member functions that return known values.
• Improve duplicateValueTenary to not warn when used as an lvalue or when one branch has side effects
• Fix variableScope to not warn when variables are used in lambda functions
• Fix unassignedVariable warnings when using structured bindings
• Fix redundantInitialization warning when variable is used in a lambda
• Fix variableScope warnings when using if/while init-statement
• Improve lifetime analysis when returning variadic template expressions
• Detect more statements with constStatement
• Detect variableScope for more types
• Improvements to unreadVariable
• Detect more instances of C style casts
• Warn if the return value of new is discarded
• The pre-ValueFlow uninitialized checker now uses a different ID as legacyUninitvar
• Extended library format to exclude specific function argument values

Today, Cppcheck-2.7 is released

Add support for container views. The view attribute has been added to the <container> library tag to specify the class is a view. The lifetime analysis has been updated to use this new attribute to find dangling lifetime containers.

Various checker improvements.

Fixed false positives.

Today a tool with the name Cppcheck Premium is launched.

It integrates the open source Cppcheck tool and a premium addon into a package.

You will get:
* Open source Cppcheck command line tool.
* Analysis; Extra checking for memory errors, diagnoses one of the bugs reported in CVE-2019-15048.
* Security: Binaries and installer are signed using an organization certificate. (This removes the "Unknown Publisher" warning).
* Currently, Cppcheck Premium only includes a Windows installer. Feel free to contact us if you want Linux binaries.... read more

New checks in core cppcheck:
* missing return in function
* writing overlapping data, detect undefined behavior
* compared value is out of possible type range
* [perf] Copy elision optimization can't be applied for return std::move(local)
* file can not be opened for read and write access at the same time on different streams

Various improvements:
* Color output for diagnostics are added for unix-based platforms.
* Added symbolic analysis for ValueFlow. A simple delta is used to compute the difference between two unknown variable.
* Rules using the "define" tokenlist can also match #include as well.
* Library <function> tags can now use <container> tag, so free functions that accept containers such as std::size, std::empty, std::begin, std::end, etc. can specify the yields or action for the container.
* Library <smart-pointer> tag can specify a <unique> tag for smart pointers that have unique ownership. Cppcheck now warns about dangling references to smart pointers with unique ownership.
* Fixed problems when --cppcheck-build-dir is used, that should now work better. It is recommended to use --cppcheck-build-dir to speedup Cppcheck analysis.
* htmlreport can now output author information (using git blame)
* More warnings about variables that is not const but can be const... read more

A new Cppcheck release

Parser:
* various fixes
* checked that all features in c++11, c++14, c++17 are supported
* c++20 support is improved but not complete yet

Core:
* improved library files, better knowledge about APIs
* improved checks to detect more bugs
* fixed checks to avoid unwanted warnings

Changed output:
* try to use relative paths when using compile databases, if compile database is accessed with relative path
* updated XML; The file0 attribute is moved from <location> to <error>... read more</error></location>

There has been questions before about how well Cppcheck handles the latest C++ standard language features. And unfortunately I feel I could not answer that very well.

Lately I have been investigating C++20 (and below) support. Cppcheck-2.4.1 has pretty good support overall for C++17 (and lower) and it also handle a few C++20 features. We have improved the parser and I now feel that latest Cppcheck development build support all C++17 language features and a couple of additional C++20 features. The improved parser will be available in Cppcheck-2.5.... read more

We have made a fix release with this little fix:

The windows installer was fixed, there was a missing file for the Misra addon.

Fixed false negatives and false positives

New check; Detect one definition rule violations

Various improvements:
* MISRA improvements
* ImportProject fixes
* Various bug hunting improvements
* Fixes when importing AST from clang

Improved C++ parser
- types
- wrong operands in ast
- better simplification of templates
Improved clang import, various fixes.
Improved value flow analysis

Fixed false positives

Improved configuration in library files
- boost.cfg
- googletest.cfg
- qt.cfg
- windows.cfg
- wxwidgets.cfg

Added several Misra rules:
- 6.1
- 6.2
- 7.2
- 7.4
- 9.2
- 10.2
- 15.4

Added platforms:
- elbrus e1c+
- pic
- pic8
- mips

New checks:
* incorrect usage of mutexes and lock guards
* Dereference end iterator
* Iterating a known empty container
* outOfBounds check for iterators to containers

Removed 'operator=' check that ensures reference to self is returned. That is not about safety.

Improved parser
* various ast fixes

Clang parser
* The Clang import feature in Cppcheck should be considered to be experimental for now. There are problems.... read more

I have launched one more Kickstarter project. Its goal is to improve the Clang import feature in Cppcheck.

There are two tasks:
* Comparison of Clang/Cppcheck syntax tree. This will help us ensure that Cppcheck and Clang import work properly.
* The Cppcheck SymbolDatabase has a few fields for Variables that are not set properly by Clang import.

Link to project:
https://www.kickstarter.com/projects/3300446/cppcheck-clang-import

I launched a Kickstarter project today.

https://www.kickstarter.com/projects/3300446/cppcheck-variable-constraints

I will add configuration of variable constraints. With such configuration, Cppcheck will get both better precision and better soundness.

To start with I only plan to use the constraints in the bug hunting analysis. However in the long run, the constraints can be used in traditional analysis also.

This is a minor release.

We have tweaked build scripts.
* When you use USE_Z3=yes, we will handle new versions of z3 better. If you have an old z3 library and get compilation problems you will need to add a z3_version.h in externals.
* The cmake scripts was updated.

There was a couple of bug fixes.

New check:
* for "expression % 1" the result is always 0.