| accessForwarded | Access of forwarded variable v. | Robustness |
| accessMoved | Access of moved variable v. | Robustness |
| argumentSize | The array ‘array’ is too small the function ‘function’ expects a bigger one. | Maintainability |
| arrayIndexOutOfBoundsCond | Array ‘x[10]’ accessed at index 20 which is out of bounds. Otherwise condition ‘y==20’ is redundant. | Robustness |
| assertWithSideEffect | Non-pure function: ‘function’ is called inside assert statement. Assert statements are removed from release builds so the code inside assert statement is not executed. If the code is needed also in release builds this is a bug. | Robustness |
| assignmentInAssert | Variable ‘var’ is modified insert assert statement. Assert statements are removed from release builds so the code inside assert statement is not executed. If the code is needed also in release builds this is a bug. | Robustness |
| badBitmaskCheck | Result of operator ‘|’ is always true if one operand is non-zero. Did you intend to use ‘&’? | Accuracy |
| bufferNotZeroTerminated | The buffer ‘buffer’ is not null-terminated after the call to strncpy(). This will cause bugs later in the code if the code assumes the buffer is null-terminated. | Robustness |
| charBitOp | When using ‘char’ variables in bit operations sign extension can generate unexpected results. For example:12 char c = 0x80;12 int i = 0 | c;12 if (i & 0x8000)12 printf(not expected”) | Robustness |
| charLiteralWithCharPtrCompare | Char literal compared with pointer ‘foo’. Did you intend to dereference it? | Accuracy |
| checkCastIntToCharAndBack | When saving func_name() return value in char variable there is loss of precision. When func_name() returns EOF this value is truncated. Comparing the char variable with EOF can have unexpected results. For instance a loop while (EOF != (c = func_name()) | Robustness |
| clarifyStatement | A statement like ‘*A++;’ might not do what you intended. Postfix ‘operator++’ is executed before ‘operator*’. Thus the dereference is meaningless. Did you intend to write ‘(*A)++;’? | Robustness |
| compareBoolExpressionWithInt | Comparison of a boolean expression with an integer other than 0 or 1. | Accuracy |
| comparisonFunctionIsAlwaysTrueOrFalse | The function isless is designed to compare two variables. Calling this function with one variable (varName) for both parameters leads to a statement which is always false. | Accuracy |
| constStatement | Redundant code: Found a statement that begins with type constant. | Maintainability |
| copyCtorAndEqOperator | The class ‘class’ has ‘operator=’ but lack of ‘copy constructor’. | Maintainability |
| derefInvalidIterator | Make sure to check that the iterator is valid before dereferencing it – not after. | Maintainability |
| divideSizeof | Division of result of sizeof() on pointer type. sizeof() returns the size of the pointer not the size of the memory area it points to. | Robustness |
| duplInheritedMember | The class ‘class’ defines member variable with name ‘variable’ also defined in its parent class ‘class’. | Understandability |
| exceptDeallocThrow | Exception thrown in invalid state ‘p’ points at deallocated memory. | Robustness |
| exceptThrowInDestructor | The class Class is not safe because its destructor throws an exception. If Class is used and an exception is thrown that is caught in an outer scope the program will terminate. | Robustness |
| funcArgOrderDifferent | Function ‘function’ argument order different: declaration ” definition ” | Accuracy |
| ignoredReturnValue | Return value of function malloc() is not used. | Maintainability |
| incompleteArrayFill | The array ‘buffer’ is filled incompletely. The function ‘memset()’ needs the size given in bytes but an element of the given array is larger than one byte. Did you forget to multiply the size with ‘sizeof(*buffer)’? | Resource Utilization |
| incorrectLogicOperator | Logical disjunction always evaluates to true: foo > 3 && foo < 4. Are these conditions necessary? Did you intend to use && instead? Are the numbers correct? Are you comparing the correct variables? | Understandability |
| incorrectStringBooleanError | Conversion of string literal Hello World” to bool always evaluates to true.” | Understandability |
| incorrectStringCompare | String literal Hello World” doesn’t match length argument for substr().” | Understandability |
| invalidLengthModifierError | ‘I’ in format string (no. 1) is a length modifier and cannot be used without a conversion specifier. | Understandability |
| invalidPrintfArgType_float | %f in format string (no. 1) requires ‘double’ but the argument type is Unknown. | Maintainability |
| invalidPrintfArgType_int | %X in format string (no. 1) requires ‘unsigned int’ but the argument type is Unknown. | Maintainability |
| invalidPrintfArgType_n | %n in format string (no. 1) requires ‘int *’ but the argument type is Unknown. | Maintainability |
| invalidPrintfArgType_p | %p in format string (no. 1) requires an address but the argument type is Unknown. | Maintainability |
| invalidPrintfArgType_s | %s in format string (no. 1) requires ‘char *’ but the argument type is Unknown. | Maintainability |
| invalidPrintfArgType_sint | %i in format string (no. 1) requires ‘int’ but the argument type is Unknown. | Maintainability |
| invalidPrintfArgType_uint | %u in format string (no. 1) requires ‘unsigned int’ but the argument type is Unknown. | Maintainability |
| invalidscanf | scanf() without field width limits can crash with huge input data. Add a field width specifier to fix this problem.1212Sample program that can crash:1212#include 12int main()12{12 char c[5];12 scanf(%s” c) | Robustness |
| invalidScanfArgType_float | %f in format string (no. 1) requires ‘float *’ but the argument type is Unknown. | Maintainability |
| invalidScanfArgType_int | %d in format string (no. 1) requires ‘int *’ but the argument type is Unknown. | Maintainability |
| invalidScanfArgType_s | %s in format string (no. 1) requires a ‘char *’ but the argument type is Unknown. | Maintainability |
| invalidTestForOverflow | Invalid test for overflow ‘x + u < x'. Condition is always false unless there is overflow and overflow is UB. | Accuracy |
| leakUnsafeArgAlloc | Unsafe allocation. If funcName() throws memory could be leaked. Use make_shared() instead. | Resource Utilization |
| literalWithCharPtrCompare | String literal compared with variable ‘foo’. Did you intend to use strcmp() instead? | Robustness |
| mallocOnClassWarning | Memory for class instance allocated with malloc() but class provides constructors. This is unsafe since no constructor is called and class members remain uninitialized. Consider using ‘new’ instead. | Resource Utilization |
| memsetValueOutOfRange | The 2nd memset() argument ‘varname’ doesn’t fit into an ‘unsigned char’. The 2nd parameter is passed as an ‘int’ but the function fills the block of memory using the ‘unsigned char’ conversion of this value. | Resource Utilization |
| memsetZeroBytes | memset() called to fill 0 bytes. The second and third arguments might be inverted. The function memset ( void * ptr int value size_t num ) sets the first num bytes of the block of memory pointed by ptr to the specified value. | Resource Utilization |
| moduloAlwaysTrueFalse | Comparison of modulo result is predetermined because it is always less than 1. | Understandability |
| multiplySizeof | Multiplying sizeof() with sizeof() indicates a logic error. | Understandability |
| nullPointerDefaultArg | Possible null pointer dereference if the default parameter value is used: pointer | Robustness |
| nullPointerRedundantCheck | Either the condition is redundant or there is possible null pointer dereference: pointer. | Robustness |
| operatorEqToSelf | operator=’ should check for assignment to self to ensure that each block of dynamically allocated memory is owned and managed by only one instance of the class. | Robustness |
| operatorEqVarError | Member variable ‘classname::’ is not assigned a value in ‘classname::operator=’. | Robustness |
| oppositeInnerCondition | Opposite conditions in nested ‘if’ blocks lead to a dead code block. | Maintainability |
| pointerSize | Size of pointer ‘varname’ used instead of size of its data. This is likely to lead to a buffer overflow. You probably intend to write ‘sizeof(*varname)’. | Robustness |
| possibleBufferAccessOutOfBounds | Possible buffer overflow if strlen(source) is larger than or equal to sizeof(destination). The source buffer is larger than the destination buffer so there is the potential for overflowing the destination buffer. | Robustness |
| publicAllocationError | Possible leak in public function. The pointer ‘varname’ is not deallocated before it is allocated. | Resource Utilization |
| redundantAssignInSwitch | Variable ‘var’ is reassigned a value before the old one has been used. ‘break;’ missing? | Maintainability |
| redundantCopyInSwitch | Buffer ‘var’ is being written before its old content has been used. ‘break;’ missing? | Maintainability |
| seekOnAppendedFile | Repositioning operation performed on a file opened in append mode has no effect. | Maintainability |
| selfAssignment | Redundant assignment of ‘varname’ to itself. | Maintainability |
| signConversion | Suspicious code: sign conversion of var in calculation even though var can have a negative value | Accuracy |
| signedCharArrayIndex | Signed ‘char’ type used as array index. If the value can be greater than 127 there will be a buffer underflow because of sign extension. | Robustness |
| sizeArgumentAsChar | The size argument is given as a char constant. | Maintainability |
| sizeofCalculation | Found calculation inside sizeof(). | Understandability |
| sizeofDivisionMemfunc | Division by result of sizeof(). memset() expects a size in bytes did you intend to multiply instead? | Accuracy |
| sizeofsizeof | Calling sizeof for ‘sizeof looks like a suspicious code and most likely there should be just one ‘sizeof’. The current code is equivalent to ‘sizeof(size_t)’ | Maintainability |
| sizeofwithnumericparameter | It is unusual to use a constant value with sizeof. For example ‘sizeof(10)’ returns 4 (in 32-bit systems) or 8 (in 64-bit systems) instead of 10. ‘sizeof(‘A’)’ and ‘sizeof(char)’ can return different results. | Robustness |
| sizeofwithsilentarraypointer | Using ‘sizeof’ for array given as function argument returns the size of a pointer. It does not return the size of the whole array in bytes as might be expected. For example this code:12 int f(char a[100]) {12 return sizeof(a);12 }12returns 4 (in 32-bit systems) or 8 (in 64-bit systems) instead of 100 (the size of the array in bytes). | Accuracy |
| staticStringCompare | The compared strings ‘str1’ and ‘str2’ are always unequal. Therefore the comparison is unnecessary and looks suspicious. | Understandability |
| stlIfFind | Suspicious condition. The result of find() is an iterator but it is not properly checked. | Robustness |
| StlMissingComparison | The iterator incrementing is suspicious – it is incremented at line and then at line . The loop might unintentionally skip an element in the container. There is no comparison between these increments to prevent that the iterator is incremented beyond the end. | Robustness |
| stringCompare | The compared strings ‘varname1’ and ‘varname2’ are identical. This could be a logic bug. | Maintainability |
| strncatUsage | At most strncat appends the 3rd parameter’s amount of characters and adds a terminating null byte.12The safe way to use strncat is to subtract one from the remaining space in the buffer and use it as 3rd parameter.Source: http://www.cplusplus.com/reference/cstring/strncat/12Source: http://www.opensource.apple.com/source/Libc/Libc-167/gen.subproj/i386.subproj/strncat.c | Robustness |
| suspiciousCase | Using an operator like ‘||’ in a case label is suspicious. Did you intend to use a bitwise operator multiple case labels or if/else instead? | Accuracy |
| suspiciousEqualityComparison | Found suspicious equality comparison. Did you intend to assign a value instead? | Accuracy |
| suspiciousSemicolon | Suspicious use of ; at the end of ” statement. | Accuracy |
| terminateStrncpy | If the source string’s size fits or exceeds the given size strncpy() does not add a zero at the end of the buffer. This causes bugs later in the code if the code assumes buffer is null-terminated. | Robustness |
| thisSubtraction | Suspicious pointer subtraction. Did you intend to write ‘->’? | Accuracy |
| uninitMemberVar | Member variable ‘classname::varname’ is not initialized in the constructor. | Robustness |
| unusedLabelSwitch | Label ” is not used. Should this be a ‘case’ of the enclosing switch()? | Understandability |
| useAutoPointerCopy | std::auto_ptr’ has semantics of strict ownership meaning that the ‘auto_ptr’ instance is the sole entity responsible for the object’s lifetime. If an ‘auto_ptr’ is copied the source looses the reference. | Robustness |
| uselessAssignmentPtrArg | Assignment of function parameter has no effect outside the function. Did you forget dereferencing it? | Accuracy |
| uselessCallsCompare | std::string::find()’ returns zero when given itself as parameter (str.find(str)). As it is currently the code is inefficient. It is possible either the string searched (‘str’) or searched for (‘str’) is wrong. | Efficiency |
| uselessCallsEmpty | Ineffective call of function ’empty()’. Did you intend to call ‘clear()’ instead? | Resource Utilization |
| uselessCallsRemove | The return value of std::remove() is ignored. This function returns an iterator to the end of the range containing those elements that should be kept. Elements past new end remain valid but with unspecified values. Use the erase method of the container to delete them. | Resource Utilization |
| va_start_wrongParameter | ‘arg1’ given to va_start() is not last named argument of the function. Did you intend to pass ‘arg2’? | Accuracy |
| wrongmathcall | Passing value ‘#’ to #() leads to implementation-defined result. | Understandability |
| wrongPrintfScanfParameterPositionError | printf: referencing parameter 2 while 1 arguments given | Understandability |
| zerodivcond | Either the condition is redundant or there is division by zero at line 0. | Robustness |
