Release of cppcheck 2.6, a static code analyzer for C++ and C languages

Version 2.6 of cppcheck, a static code analyzer, has been released. It detects various classes of errors in C and C++ code, including code that uses non-standard syntax typical of embedded systems. A collection of plug-ins integrates cppcheck with various development, continuous integration and testing systems, and provides additional features such as checking compliance with a code style. Code can be parsed either with cppcheck's own parser or with an external parser from Clang. The project also includes the donate-cpu.py script, which lets users contribute local resources to the collaborative checking of Debian package code. The project's source code is distributed under the GPLv3 license.

Development of cppcheck focuses on identifying problems related to undefined behavior and the use of constructs that are dangerous from a security point of view, while minimizing false positives. Issues identified include: pointers to non-existent objects, division by zero, integer overflows, incorrect bit shift operations, incorrect conversions, memory handling issues, incorrect use of STL, null pointer dereferences, checks applied after the buffer has already been accessed, buffer overruns, and use of uninitialized variables.

In the new version:

  • The following checks have been added to the analyzer core:
    • a missing return statement in a function body;
    • writes of overlapping data, which are undefined behavior;
    • a compared value that lies outside the range representable by the type;
    • copy elision that cannot be applied because of return std::move(local);
    • a file opened for reading and for writing at the same time on different streams, which is not permitted;
  • on Unix platforms, diagnostic messages can now be displayed in different colors;
  • symbolic analysis has been added to ValueFlow; a simple delta is used when calculating the difference between two unknown variables;
  • rules that use the "define" token list can now also match #include;
  • library tag can now contain the tag , and, accordingly, free functions that accept containers, such as std::size, std::empty, std::begin and std::end, can specify yields or action for containers;
  • library tag can now contain the tag for smart pointers that have unique ownership. A warning is now issued about "dangling" references to such smart pointers;
  • fixed issues with handling --cppcheck-build-dir parameter;
  • htmlreport can now display information about the author (using git blame);
  • warnings about variables that are not const but could be have been extended;
  • accumulated errors and shortcomings of the analyzer have been fixed.
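
To make the new core checks concrete, the following added example (not taken from the cppcheck project or from the original article) shows constructs of the kind four of them target, each described in a comment above a corrected form. All function names are hypothetical, and the file-stream check is left out so that the example runs without touching the file system.

```cpp
// Added illustration: the flagged pattern is described in each comment,
// the compiled function below it is the corrected form.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Missing return: without the final "return 0;" control falls off the end
// of a non-void function for v == 0, which is undefined behavior.
int sign(int v) {
    if (v < 0) return -1;
    if (v > 0) return 1;
    return 0;
}

// Compared value outside the type's range: if v were an unsigned char,
// "v == 256" could never be true. A 16-bit type can represent the value.
bool is_sentinel(std::uint16_t v) {
    return v == 256;
}

// return std::move(local): the explicit move prevents copy elision.
// Returning the local by name lets the compiler elide or implicitly move.
std::vector<std::string> make_names() {
    std::vector<std::string> names{"alpha", "beta"};
    return names;  // not: return std::move(names);
}

// Overlapping write: memcpy(&s[1], &s[0], n) with overlapping source and
// destination is undefined behavior; memmove is defined for overlap.
std::string shift_right(std::string s) {
    if (s.size() > 1)
        std::memmove(&s[1], &s[0], s.size() - 1);
    return s;
}
```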

Additionally, the checks from MISRA C 2012 have been fully implemented, including Amendment 1 and Amendment 2, except rules 1.1, 1.2 and 17.3. Rules 1.1 and 1.2 must be checked by the compiler. Rule 17.3 can be checked by a compiler such as GCC.

Source: opennet.ru
