| core.DivideZero | Check for division by zero | void test(int z) { if (z == 0) int x = 1 / z; // warn } | Robustness |
| core.NonNullParamChecker | Check for null pointers passed as arguments to a function whose arguments are references or marked with the ‘nonnull’ attribute | int f(int *p) __attribute__((nonnull)); void test(int *p) { if (!p) f(p); // warn } | Robustness |
| core.NullDereference | Check for dereferences of null pointers | void test(int *p) { if (p) return; int x = p[0]; // warn } | Robustness |
| core.StackAddressEscape | Check that addresses to stack memory do not escape the function | char const *p; void test() { char const str[] = “string”; p = str; // warn } | Robustness |
| core.uninitialized.ArraySubscript | Check for uninitialized values used as array subscripts | void test() { int i, a[10]; int x = a[i]; // warn: array subscript is undefined } | Robustness |
| cplusplus.NewDelete | Check for double-free and use-after-free problems. Traces memory managed by new/delete. | void f(int *p); void testUseMiddleArgAfterDelete(int *p) { delete p; f(p); // warn: use after free } | Robustness |
| cplusplus.NewDeleteLeaks | Check for memory leaks. Traces memory managed by new/delete. | void test() { int *p = new int; } // warn | Resource Utilization |
| cplusplus.SelfAssignment | Checks C++ copy and move assignment operators for self assignment | | Resource Utilization |
| optin.cplusplus.VirtualCall | Check virtual function calls during construction or destruction | | Robustness |
| osx.coreFoundation.CFRetainRelease | Check for null arguments to CFRetain/CFRelease/CFMakeCollectable | void test(CFTypeRef p) { if (!p) CFRetain(p); // warn } | Robustness |
| osx.coreFoundation.containers.OutOfBounds | Checks for index out-of-bounds when using ‘CFArray’ API | void test() { CFArrayRef A = CFArrayCreate(0, 0, 0, &kCFTypeArrayCallBacks); CFArrayGetValueAtIndex(A, 0); // warn } | Robustness |
| osx.coreFoundation.containers.PointerSizedValues | Warns if ‘CFArray’, ‘CFDictionary’, ‘CFSet’ are created with non-pointer-size values | void test() { int x[] = { 1 }; CFArrayRef A = CFArrayCreate(0, (const void **)x, 1, &kCFTypeArrayCallBacks); // warn } | Robustness |
| osx.NumberObjectConversion | Check for erroneous conversions of objects representing numbers into numbers | NSNumber *photoCount = [albumDescriptor objectForKey:@”PhotoCount”]; // Warning: Comparing a pointer value of type ‘NSNumber *’ // to a scalar integer value if (photoCount > 0) { [self displayPhotos]; } | Robustness |
| security.FloatLoopCounter | Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP) | void test() { for (float x = 0.1f; x <= 1.0f; x += 0.1f) {} // warn } | Robustness |
| security.insecureAPI.UncheckedReturn | Warn on uses of functions whose return values must be always checked | void test() { setuid(1); // warn } | Maintainability |
| unix.Malloc | Check for memory leaks, double free, and use-after-free problems. Traces memory managed by malloc()/free(). | void test() { int *p = malloc(1); free(p); free(p); // warn: attempt to free released memory } | Robustness |
| unix.MismatchedDeallocator | Check for mismatched deallocators. | // C, C++ void test() { int *p = (int *)malloc(sizeof(int)); delete p; // warn } | Robustness |
| alpha.valist.Uninitialized | Experimental: Check for usages of uninitialized (or already released) va_lists. | | Robustness |
| alpha.valist.Unterminated | Experimental: Check for va_lists which are not released by a va_end call. | | Robustness |
