| arrayIndexOutOfBounds | Array ‘array[2]’ index array[1][1] out of bounds. | Robustness |
| assignBoolToPointer | Boolean value assigned to pointer. | Robustness |
| autoVariables | Dangerous assignment – the function parameter is assigned the address of a local auto-variable. Local auto-variables are reserved from the stack which is freed when the function ends. So the pointer to a local variable is invalid after the function ends. | Robustness |
| autovarInvalidDeallocation | The deallocation of an auto-variable results in undefined behaviour. You should only free memory that has been allocated dynamically. | Robustness |
| boostForeachError | BOOST_FOREACH caches the end() iterator. It’s undefined behavior if you modify the container inside. | Robustness |
| bufferAccessOutOfBounds | Buffer is accessed out of bounds: buffer | Resource Utilization |
| coutCerrMisusage | Invalid usage of output stream: ‘<< std::cout'. | Robustness |
| deadpointer | Dead pointer usage. Pointer ‘pointer’ is dead if it has been assigned ‘&x’ at line 0. | Robustness |
| deallocDealloc | Deallocating a deallocated pointer: varname | Robustness |
| deallocret | Returning/dereferencing ‘p’ after it is deallocated / released | Robustness |
| deallocuse | Dereferencing ‘varname’ after it is deallocated / released | Robustness |
| doubleFree | Memory pointed to by ‘varname’ is freed twice. | Resource Utilization |
| eraseDereference | The iterator ‘iter’ is invalid before being assigned. Dereferencing or comparing it with another iterator is invalid operation. | Robustness |
| floatConversionOverflow | Undefined behaviour: float (1e+100) conversion overflow. | Resource Utilization |
| insecureCmdLineArgs | Buffer overrun possible for long command line arguments. | Resource Utilization |
| integerOverflow | Signed integer overflow for expression ”. | Resource Utilization |
| invalidFunctionArg | Invalid func_name() argument nr 1 | Understandability |
| invalidFunctionArgBool | Invalid func_name() argument nr 1. A non-boolean value is required. | Understandability |
| invalidIterator1 | Invalid iterator: iterator | Understandability |
| invalidIterator2 | After push_back|push_front|insert() the iterator ‘iterator’ may be invalid. | Understandability |
| invalidPointer | Invalid pointer ‘pointer’ after push_back(). | Understandability |
| invalidScanfFormatWidth | Width 5 given in format string (no. 10) is larger than destination buffer ‘[0]’ use %-1s to prevent overflowing it. | Resource Utilization |
| IOWithoutPositioning | Read and write operations without a call to a positioning function (fseek fsetpos or rewind) or fflush in between result in undefined behaviour. | Resource Utilization |
| iterators | Same iterator is used with different containers ‘container1’ and ‘container2’. | Resource Utilization |
| leakNoVarFunctionCall | Allocation with funcName funcName doesn’t release it. | Resource Utilization |
| leakReturnValNotUsed | Return value of allocation function ‘funcName’ is not stored. | Maintainability |
| mallocOnClassError | Memory for class instance allocated with malloc() but class a std::string. This is unsafe since no constructor is called and class members remain uninitialized. Consider using ‘new’ instead. | Resource Utilization |
| memleak | Memory leak: varname | Resource Utilization |
| memleakOnRealloc | Common realloc mistake: ‘varname’ nulled but not freed upon failure | Resource Utilization |
| memsetClass | Using ‘memfunc’ on class that contains a classname is unsafe because constructor destructor and copy operator calls are omitted. These are necessary for this non-POD type to ensure that a valid object is created. | Resource Utilization |
| memsetClassReference | Using ‘memfunc’ on class that contains a reference. | Resource Utilization |
| mismatchAllocDealloc | Mismatching allocation and deallocation: varname | Resource Utilization |
| mismatchingContainers | Iterators of different containers are used together. | Robustness |
| mismatchSize | The allocated size sz is not a multiple of the underlying type’s size. | Resource Utilization |
| negativeArraySize | Declaration of array ” with negative size is undefined behaviour | Maintainability |
| negativeIndex | Array index -1 is out of bounds. | Maintainability |
| negativeMemoryAllocationSize | Memory allocation size is negative.Negative allocation size has no specified behaviour. | Resource Utilization |
| nullPointer | Null pointer dereference | Robustness |
| nullPointerArithmetic | Overflow in pointer arithmetic NULL pointer is subtracted. | Robustness |
| operatorEqMissingReturnStatement | No ‘return’ statement in non-void function causes undefined behavior. | Robustness |
| outOfBounds | index is out of bounds: Supplied size 2 is larger than actual size 1. | Robustness |
| pointerArithBool | Converting pointer arithmetic result to bool. The boolean result is always true unless there is pointer arithmetic overflow and overflow is undefined behaviour. Probably a dereference is forgotten. | Maintainability |
| preprocessorErrorDirective | #error message | Understandability |
| raceAfterInterlockedDecrement | Race condition: non-interlocked access after InterlockedDecrement(). Use InterlockedDecrement() return value instead. | Robustness |
| readWriteOnlyFile | Read operation on a file that was opened only for writing. | Maintainability |
| resourceLeak | Resource leak: varname | Resource Utilization |
| returnAddressOfAutoVariable | Address of an auto-variable returned. | Robustness |
| returnAddressOfFunctionParameter | Address of the function parameter ‘parameter’ becomes invalid after the function exits because function parameters are stored on the stack which is freed when the function exits. Thus the returned value is invalid. | Robustness |
| returnLocalVariable | Pointer to local array variable returned. | Robustness |
| returnReference | Reference to auto variable returned. | Robustness |
| returnTempReference | Reference to temporary returned. | Robustness |
| selfInitialization | Member variable ‘var’ is initialized by itself. | Robustness |
| shiftNegative | Shifting by a negative value is undefined behaviour | Robustness |
| shiftTooManyBits | Shifting 32-bit value by 64 bits is undefined behaviour | Robustness |
| shiftTooManyBitsSigned | Shifting signed 32-bit value by 31 bits is undefined behaviour | Robustness |
| sprintfOverlappingData | The variable ‘varname’ is used both as a parameter and as destination in s[n]printf(). The origin and destination buffers overlap. Quote from glibc (C-library) documentation (http://www.gnu.org/software/libc/manual/html_mono/libc.html#Formatted-Output-Functions): If copying takes place between objects that overlap as a result of a call to sprintf() or snprintf() the results are undefined.”” | Robustness |
| stlBoundaries | Iterator compared with operator<. This is dangerous since the order of items in the container is not guaranteed. One should use operator!= instead to compare iterators. | Robustness |
| stlcstr | Dangerous usage of c_str(). The c_str() return value is only valid until its string is deleted. | Robustness |
| stlOutOfBounds | When i==foo.size() foo[i] is out of bounds. | Robustness |
| stringLiteralWrite | Modifying string literal directly or indirectly is undefined behaviour. | Robustness |
| strPlusChar | Unusual pointer arithmetic. A value of type ‘char’ is added to a string literal. | Robustness |
| throwInNoexceptFunction | Exception thrown in function declared not to throw exceptions. | Understandability |
| uninitdata | Memory is allocated but not initialized: varname | Resource Utilization |
| uninitstring | Dangerous usage of ‘varname’ (strncpy doesn’t always null-terminate it). | Robustness |
| uninitStructMember | Uninitialized struct member: a.b | Robustness |
| uninitvar | Uninitialized variable: varname | Robustness |
| unknownEvaluationOrder | Expression ‘x = x++;’ depends on order of evaluation of side effects | Robustness |
| useAutoPointerArray | Object pointed by an ‘auto_ptr’ is destroyed using operator ‘delete’. This means that you should only use ‘auto_ptr’ for pointers obtained with operator ‘new’. This excludes arrays which are allocated by operator ‘new[]’ and must be deallocated by operator ‘delete[]’. | Robustness |
| useAutoPointerContainer | An element of container must be able to be copied but ‘auto_ptr’ does not fulfill this requirement. You should consider to use ‘shared_ptr’ or ‘unique_ptr’. It is suitable for use in containers because they no longer copy their values they move them. | Robustness |
| useAutoPointerMalloc | Object pointed by an ‘auto_ptr’ is destroyed using operator ‘delete’. You should not use ‘auto_ptr’ for pointers obtained with function ‘malloc’. This means that you should only use ‘auto_ptr’ for pointers obtained with operator ‘new’. This excludes use C library allocation functions (for example ‘malloc’) which must be deallocated by the appropriate C library function. | Robustness |
| useClosedFile | Used file that is not opened. | Robustness |
| va_end_missing | va_list ‘vl’ was opened but not closed by va_end(). | Resource Utilization |
| va_list_usedBeforeStarted | va_list ‘vl’ used before va_start() was called. | Maintainability |
| va_start_referencePassed | Using reference ‘arg1’ as parameter for va_start() results in undefined behaviour. | Robustness |
| va_start_subsequentCalls | va_start() or va_copy() called subsequently on ‘vl’ without va_end() in between. | Maintainability |
| virtualDestructor | Class ‘Base’ which is inherited by class ‘Derived’ does not have a virtual destructor. If you destroy instances of the derived class by deleting a pointer that points to the base class only the destructor of the base class is executed. Thus dynamic memory that is managed by the derived class could leak. This can be avoided by adding a virtual destructor to the base class. | Resource Utilization |
| writeReadOnlyFile | Write operation on a file that was opened only for reading. | Robustness |
| wrongPipeParameterSize | The pipe()/pipe2() system command takes an argument which is an array of exactly two integers.12The variable ‘varname’ is an array of size dimension which does not match. | Maintainability |
| wrongPrintfScanfArgNum | printf format string requires 3 parameters but only 2 are given. | Maintainability |
| zerodiv | Division by zero. | Robustness |
