cppcheck Wiki

# Checks #

A current list of all implemented of all checks can also be retrieved from the command line application:

# get list of checks
cppcheck --doc

# get list of error messages
cppcheck --errorlist

## 64-bit portability ##
Check if there is 64-bit portability issues:
- assign address to/from int/long
- casting address from/to integer when returning from function

## Assert ##
Warn if there are side effects in assert statements (since this cause different behaviour in debug/release builds).

## AssignIf ##
Match assignments and conditions:
- Mismatching assignment and comparison => comparison is always true/false
- Mismatching lhs and rhs in comparison => comparison is always true/false
- Detect matching 'if' and 'else if' conditions
- Mismatching bitand (a &= 0xf0; a &= 1; => a = 0)

## Auto Variables ##
A pointer to a variable is only valid as long as the variable is in scope.
Check:
- returning a pointer to auto or temporary variable
- assigning address of an variable to an effective parameter of a function
- returning reference to local/temporary variable
- returning address of function parameter
- suspicious assignment of pointer argument
- useless assignment of function argument pointer parameter

## Boolean ##
Boolean type checks
- using increment on boolean
- comparison of a boolean with a non-zero integer
- comparison of a boolean expression with an integer other than 0 or 1
- comparison of a function returning boolean value using relational operator
- comparison of a boolean value with boolean value using relational operator
- using bool in bitwise expression
- pointer addition in condition (either dereference is forgot or pointer overflow is required to make the condition false)
- Assigning bool value to pointer or float

## Boost usage ##
Check for invalid usage of Boost:
- container modification during BOOST_FOREACH

## Bounds checking ##
Out out of bounds checking:
- Array index out of bounds detection by value flow analysis
- Dangerous usage of strncat()
- char constant passed as size to function like memset()
- strncpy() leaving string unterminated
- Accessing array with negative index
- Unsafe usage of main(argv, argc) arguments
- Accessing array with index variable before checking its value
- Check for large enough arrays being passed to functions
- Allocating memory with a negative size

## Check function usage ##
Check function usage:
- return value of certain functions not used
- invalid input values for functions
- Warn if a function is called whose usage is discouraged
- memset() third argument is zero
- memset() with a value out of range as the 2nd parameter
- memset() with a float as the 2nd parameter

## Class ##
Check the code for each class.
- Missing constructors and copy constructors
- Constructors which should be explicit
- Are all variables initialized by the constructors?
- Are all variables assigned by 'operator='?
- Warn if memset, memcpy etc are used on a class
- Warn if memory for classes is allocated with malloc()
- If it's a base class, check that the destructor is virtual
- Are there unused private functions?
- 'operator=' should return reference to self
- 'operator=' should check for assignment to self
- Constness for member functions
- Order of initializations
- Suggest usage of initialization list
- Initialization of a member with itself
- Suspicious subtraction from 'this'
- Call of pure virtual function in constructor/destructor
- Duplicated inherited data members
- If 'copy constructor' defined, 'operator=' also should be defined and vice versa

## Condition ##
Match conditions with assignments and other conditions:
- Mismatching assignment and comparison => comparison is always true/false
- Mismatching lhs and rhs in comparison => comparison is always true/false
- Detect usage of | where & should be used
- Detect matching 'if' and 'else if' conditions
- Mismatching bitand (a &= 0xf0; a &= 1; => a = 0)
- Opposite inner condition is always false
- Identical condition after early exit is always false
- Condition that is always true/false
- Mutual exclusion over || always evaluating to true
- Comparisons of modulo results that are always true/false.
- Known variable values => condition is always true/false
- Invalid test for overflow (for example 'ptr+u < ptr'). Condition is always false unless there is overflow, and overflow is UB.

## Exception Safety ##
Checking exception safety
- Throwing exceptions in destructors
- Throwing exception during invalid state
- Throwing a copy of a caught exception instead of rethrowing the original exception
- Exception caught by value instead of by reference
- Throwing exception in noexcept, nothrow(), noexcept function
- Throwing exception in nothrow() function
- Throwing exception in __attribute__((nothrow)) or function
- Throwing exception in __declspec(nothrow) function
- Unhandled exception specification when calling function foo()

## IO using format string ##
Check format string input/output operations.
- Bad usage of the function 'sprintf' (overlapping data)
- Missing or wrong width specifiers in 'scanf' format string
- Use a file that has been closed
- File input/output without positioning results in undefined behaviour
- Read to a file that has only been opened for writing (or vice versa)
- Repositioning operation on a file opened in append mode
- Using fflush() on an input stream
- Invalid usage of output stream. For example: 'std::cout << std::cout;'
- Wrong number of arguments given to 'printf' or 'scanf;'

## Leaks (auto variables) ##
Detect when a auto variable is allocated but not deallocated or deallocated twice. deallocated.

## Memory leaks (address not taken) ##
Not taking the address to allocated memory

## Memory leaks (class variables) ##
If the constructor allocate memory then the destructor must deallocate it.

## Memory leaks (function variables) ##
Is there any allocated memory when a function goes out of scope

## Memory leaks (struct members) ##
Don't forget to deallocate struct members

## Non reentrant functions ##
Warn if any of these non reentrant functions are used:
- crypt
- ctermid
- ecvt
- fcvt
- fgetgrent
- fgetpwent
- fgetspent
- gcvt
- getgrent
- getgrgid
- getgrnam
- gethostbyaddr
- gethostbyname
- gethostbyname2
- gethostent
- getlogin
- getnetbyaddr
- getnetbyname
- getnetgrent
- getprotobyname
- getpwent
- getpwnam
- getpwuid
- getrpcbyname
- getrpcbynumber
- getrpcent
- getservbyname
- getservbyport
- getservent
- getspent
- getspnam
- gmtime
- localtime
- readdir
- strtok
- tempnam
- ttyname

## Null pointer ##
Null pointers
- null pointer dereferencing
- undefined null pointer arithmetic
## Obsolete functions ##
Warn if any of these obsolete functions are used:
- asctime_r
- bcmp
- bcopy
- bsd_signal
- bzero
- ctime_r
- ecvt
- fcvt
- ftime
- gcvt
- getcontext
- gethostbyaddr
- gethostbyname
- getwd
- index
- makecontext
- pthread_attr_getstackaddr
- pthread_attr_setstackaddr
- rand_r
- rindex
- scalbln
- swapcontext
- tmpnam
- tmpnam_r
- ualarm
- usleep
- utime
- vfork
- wcswcs

## Other ##
Other checks
- Assigning bool value to pointer (converting bool value to address)
- division with zero
- scoped object destroyed immediately after construction
- assignment in an assert statement
- incorrect length arguments for 'substr' and 'strncmp'
- free() or delete of an invalid memory location
- double free() or double closedir()
- bitwise operation with negative right operand
- provide wrong dimensioned array to pipe() system command (--std=posix)
- cast the return values of getc(),fgetc() and getchar() to character and compare it to EOF
- race condition with non-interlocked access after InterlockedDecrement() call
- expression 'x = x++;' depends on order of evaluation of side effects invalid input values for functions
- either division by zero or useless condition
- access of moved or forwarded variable. memset() with a value out of range as the 2nd parameter
- redundant data copying for const variable
- subsequent assignment or copying to a variable or buffer
- passing memset() with a float as the 2nd parameter by value
- Passing NULL pointer to function with variable number of arguments leads to UB.
- Find dead code which is inaccessible due to the counter-conditions check in nested if statements
- C-style pointer cast in C++ code cpp file
- casting between incompatible pointer types
- [Incomplete statement](IncompleteStatement)
- [check redundant if
- [[CheckUnsignedDivision|unsigned division]]
- passing parameter by value
- [[IncompleteStatement|Incomplete statement]]
- [[charvar|check how signed char variables are used](CharVar) used]]
- variable scope can be limited
- condition that is always true/false
- unusual pointer arithmetic. For example: "abc" + 'd'
- redundant assignment, increment, or assignment in a switch statement
- redundant pre/post operation in a switch statement
- redundant bitwise operation in a switch statement
- redundant strcpy in a switch statement
- assignment of a variable to itself
- Suspicious case labels in switch()
- assignment of a variable to itself Suspicious equality comparisons
- mutual exclusion over || always evaluating to true
- Comparison of values leading always to true or false
- Clarify calculation with parentheses
- suspicious condition (assignment+comparison)
- suspicious condition (runtime comparison of '\0' string literals)
- suspicious condition (string literals as boolean)
- suspicious comparison of a string literal with a char* char- variable
- duplicate break statement
- unreachable code
- testing if unsigned variable is negative/positive negative
- testing is unsigned variable is positive
- Suspicious use of ; at the end of 'if/for/while' statement.
- Comparisons of modulo results that are always true/false.
- Array filled incompletely using memset/memcpy/memmove.
- redundant get and set function of user id (--std=posix).
- Passing NULL pointer to function with variable number of arguments leads to UB on some platforms.
- NaN (not a number) value used in arithmetic expression.
- comma in return statement (the comma can easily be misread as a semicolon).
- prefer erfc, expm1 or log1p to avoid loss of precision.
- identical code in both branches of if/else or ternary operator.
- redundant pointer operation on pointer like &*some_ptr.
- find unused 'goto' labels.
- function declaration and definition argument names different.
- function declaration and definition argument order different.

## STL usage ##
Check for invalid usage of STL:
- out of bounds errors
- misuse of iterators when iterating through a container
- mismatching containers in calls
- dereferencing an erased iterator
- for vectors: using iterator/pointer after push_back has been used
- optimisation: use empty() instead of size() to guarantee fast code
- suspicious condition when using find
- redundant condition
- common mistakes when using string::c_str()
- using auto pointer (auto_ptr)
- useless calls of string and STL functions
- dereferencing an invalid iterator
- reading from empty STL container

## Sizeof ##
sizeof() usage checks
- sizeof for array given as function argument
- sizeof for numeric given as function argument
- using sizeof(pointer) instead of the size of pointed data
- look for 'sizeof sizeof ..'
- look for calculations inside sizeof()
- look for suspicious calculations with sizeof()
- using 'sizeof(void)' which is undefined

## String ##
Detect misusage of C-style strings:
- overlapping buffers passed to sprintf as source and destination
- incorrect length arguments for 'substr' and 'strncmp'
- suspicious condition (runtime comparison of string literals)
- suspicious condition (string literals as boolean)
- suspicious comparison of a string literal with a char* variable
- suspicious comparison of '\0' with a char* variable

## Type ##
Type checks
- bitwise shift by too many bits (only enabled when --platform is used)
- signed integer overflow (only enabled when --platform is used)
- dangerous sign conversion, when signed value can be negative
- possible loss of information when assigning int result to long variable
- possible loss of information when returning int result as long return value
- float conversion overflow

## Uninitialized variables ##
Uninitialized variables
- using uninitialized local variables
- using allocated and data before it has been initialized
- using dead pointer

## Unused functions ##
Check for functions that are never called

## UnusedVar ##
UnusedVar checks
- unused variable
- allocated but unused variable
- unred variable
- unassigned variable
- unused struct member

## Using postfix operators ##
Warn if using postfix operators ++ or -- rather than prefix operator

## Vaarg ##
Check for misusage of variable argument lists:
- Wrong parameter passed to va_start()
- Reference passed to va_start()
- Missing va_end()
- Using va_list before it is opened
- Subsequent calls to va_start/va_copy()

Name