alpha.clone.CloneCheckerExperimental: Reports similar pieces of code.void log(); int max(int a, int b) { // warn log(); if (a > b) return a; return b; } int maxClone(int x, int y) { // similar code here log(); if (x > y) return x; return y; }Maintainability
alpha.core.CallAndMessageUnInitRefArgExperimental: Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers, and pointer to undefined variables)void test(void) { int t; int &p = t; int &s = p; int &q = s; foo(q); // warn }Accuracy
alpha.core.CastSizeExperimental: Check when casting a malloc’ed type T, whether the size is a multiple of the size of Tvoid test() { int *x = (int *)malloc(11); // warn }Accuracy
alpha.core.CastToStructExperimental: Check for cast from non-struct pointer to struct pointerstruct s {}; void test(int *p) { struct s *ps = (struct s *) p; // warn }Accuracy
alpha.core.ConversionExperimental: Loss of sign/precision in implicit conversionsvoid test(unsigned U, signed S) { if (S > 10) { if (U < S) { } } if (S < -10) { if (U < S) { // warn (loss of sign) } } }Accuracy
alpha.core.FixedAddrExperimental: Check for assignment of a fixed address to a pointervoid test() { int *p; p = (int *) 0x10000; // warn }Maintainability
alpha.core.IdenticalExprExperimental: Warn about unintended use of identical expressions in operators// C void test() { int a = 5; int b = a | 4 | a; // warn: identical expr on both sides }Accuracy
alpha.core.PointerArithmExperimental: Check for pointer arithmetic on locations other than array elementsvoid test() { int x; int *p; p = &x + 1; // warn }Maintainability
alpha.core.PointerSubExperimental: Check for pointer subtractions on two pointers pointing to different memory chunksvoid test() { int x, y; int d = &y – &x; // warn }Accuracy
alpha.core.SizeofPtrExperimental: Warn about unintended use of sizeof() on pointer expressionsstruct s {}; int test(struct s *p) { return sizeof(p); // warn: sizeof(ptr) can produce an unexpected result }Accuracy
alpha.core.TestAfterDivZeroExperimental: Check for division by variable that is later compared against 0. Either the comparison is useless or there is division by zero.void test(int x) { var = 77 / x; if (x == 0) { } // warn }Robustness
alpha.cplusplus.IteratorPastEndExperimental: Check iterators used past endclass A { public: A() { f(); // warn } virtual void f(); }Robustness
alpha.deadcode.UnreachableCodeExperimental: Check unreachable codeint test() { int x = 1; while(x); return x; // warn }Maintainability Warn about buffer overflows (older checker)void test() { char *s = “”; char c = s[1]; // warn }Robustness Warn about buffer overflowsvoid test() { int buf[100]; int *p = buf; p = p + 99; p[1] = 1; // warn }Robustness Check for overflows in the arguments to malloc()void test(int n) { void *p = malloc(n * sizeof(int)); // warn }Robustness Check for an out-of-bound pointer being returned to callersstatic int A[10]; int *test() { int *p = A + 10; return p; // warn }Robustness Generate taint information used by other checkersvoid test() { char x = getchar(); // ‘x’ marked as tainted system(&x); // warn: untrusted data is passed to a system call }Robustness
alpha.unix.BlockInCriticalSectionExperimental: Check for calls to blocking functions inside a critical sectionRobustness
alpha.unix.ChrootExperimental: Check improper use of chrootvoid f(); void test() { chroot(“/usr/local”); f(); // warn: no call of chdir(“/”) immediately after chroot }Robustness
alpha.unix.cstring.BufferOverlapExperimental: Checks for overlap in two buffer argumentsvoid test() { int a[4] = {0}; memcpy(a + 2, a + 1, 8); // warn }Maintainability
alpha.unix.cstring.NotNullTerminatedExperimental: Check for arguments which are not null-terminating stringsvoid test() { int y = strlen((char *)&test); // warn }Accuracy
alpha.unix.cstring.OutOfBoundsExperimental: Check for out-of-bounds access in string functionsvoid test(char *y) { char x[4]; if (strlen(y) == 4) strncpy(x, y, 5); // warn }Robustness
alpha.unix.PthreadLockExperimental: Simple lock -> unlock checkerpthread_mutex_t mtx; void test() { pthread_mutex_lock(&mtx); pthread_mutex_lock(&mtx); // warn: this lock has already been acquired }Robustness
alpha.unix.SimpleStreamExperimental: Check for misuses of stream APIsvoid test() { FILE *F = fopen(“myfile.txt”, “w”); } // warn: opened file is never closedResource Utilization
alpha.unix.StreamExperimental: Check stream handling functionsvoid test() { FILE *p = fopen(“foo”, “r”); } // warn: opened file is never closedResource Utilization
core.CallAndMessageCheck for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers)struct S { int x; }; void f(struct S s); void test() { struct S s; f(s); // warn: passed-by-value arg contain uninitialized data }Accuracy
core.UndefinedBinaryOperatorResultCheck for undefined results of binary operatorsvoid test() { int x; int y = x + 1; // warn: left operand is garbage }Accuracy
core.uninitialized.AssignCheck for assigning uninitialized valuesvoid test() { int x; x |= 1; // warn: left expression is unitialized }Accuracy
core.uninitialized.BranchCheck for uninitialized values used as branch conditionsvoid test() { int x; if (x) // warn return; }Accuracy
core.uninitialized.CapturedBlockVariableCheck for blocks that capture uninitialized valuesvoid test() { int x; ^{ int y = x; }(); // warn }Accuracy
core.uninitialized.UndefReturnCheck for uninitialized values being returned to the callerint test() { int x; return x; // warn }Accuracy
core.VLASizeCheck for declarations of variable length arrays of undefined or zero sizevoid test() { int x; int vla1[x]; // warn: garbage as size }Accuracy
osx.coreFoundation.CFErrorCheck usage of CFErrorRef* parametersvoid test(CFErrorRef *error) { // warn: function accepting CFErrorRef* should have a // non-void return }Understandability
osx.coreFoundation.CFNumberCheck for proper uses of CFNumber APIsCFNumberRef test(unsigned char x) { return CFNumberCreate(0, kCFNumberSInt16Type, &x); // warn: 8 bit integer is used to initialize a 16 bit integer }Understandability
osx.SecKeychainAPICheck for proper uses of Secure Keychain APIsvoid test() { unsigned int *ptr = 0; UInt32 length; SecKeychainItemFreeContent(ptr, &length); // warn: trying to free data which has not been allocated }Robustness
security.insecureAPI.getpwWarn on uses of the ‘getpw’ functionvoid test() { char buff[1024]; getpw(2, buff); // warn }Maintainability
security.insecureAPI.getsWarn on uses of the ‘gets’ functionvoid test() { char buff[1024]; gets(buff); // warn }Maintainability
security.insecureAPI.mkstempWarn when ‘mkstemp’ is passed fewer than 6 X’s in the format stringvoid test() { mkstemp(“XX”); // warn }Maintainability
security.insecureAPI.mktempWarn on uses of the ‘mktemp’ functionvoid test() { char *x = mktemp(“/tmp/zxcv”); // warn: insecure, use mkstemp }Maintainability
security.insecureAPI.randWarn on uses of the ‘rand’, ‘random’, and related functionsvoid test() { random(); // warn }Maintainability
security.insecureAPI.strcpyWarn on uses of the ‘strcpy’ and ‘strcat’ functions – can lead to buffer overflow.void test() { char x[4]; char *y = “abcd”; strcpy(x, y); // warn }Robustness
security.insecureAPI.vforkWarn on uses of the ‘vfork’ functionvoid test() { vfork(); // warn }Maintainability
unix.APICheck calls to various UNIX/Posix functions// Currently the check is performed for apple targets only. void test(const char *path) { int fd = open(path, O_CREAT); // warn: call to ‘open’ requires a third argument when the // ‘O_CREAT’ flag is set }Maintainability
unix.cstring.BadSizeArgCheck the size argument passed into C string functions for common erroneous patternsvoid test() { char dest[3]; strncat(dest, “***”, sizeof(dest)); // warn: potential buffer overflow }Robustness
unix.cstring.NullArgCheck for null pointers being passed as arguments to C string functionsint test() { return strlen(0); // warn }Robustness
unix.MallocSizeofCheck for dubious malloc arguments involving sizeofvoid test() { long *p = malloc(sizeof(short)); // warn: result is converted to ‘long *’, which is // incompatible with operand type ‘short’ free(p); }Accuracy
unix.VforkCheck for proper usage of vforkint test(int x) { pid_t pid = vfork(); // warn if (pid != 0) return 0; switch (x) { case 0: pid = 1; execl(“”, “”, 0); _exit(1); break; case 1: x = 0; // warn: this assignment is prohibited break; case 2: foo(); // warn: this function call is prohibited break; default: return 0; // warn: return is prohibited } while(1); }Maintainability
Returning Local AddressFunction should not return address of local variable because once function exits, all local variables are destroyed. This will affect robustness of code. The solution would be to dynamically allocate memory to a variable to hold the address and pass it to the function as a parameterint* foo(int a,int b)
int sum = a + b;

return ∑ /* Non-complaint */

int* foo(int a, int b, int* sum)
*sum = a + b;
return sum; /* Complaint */