Static analysis of C/C++ code

Overview

Cppcheck

GitHub Actions Linux Build Status Windows Build Status OSS-Fuzz Coverity Scan Build Status License
Github Action Status Linux Build Status Windows Build Status OSS-Fuzz Coverity Scan Build Status License

About the name

The original name of this program was "C++check", but it was later changed to "Cppcheck".

Despite the name, Cppcheck is designed for both C and C++.

Manual

A manual is available online.

Donate CPU

Cppcheck is a hobby project with limited resources. You can help us by donating CPU (1 core or as many as you like). It is simple:

  1. Download (and extract) Cppcheck source code.
  2. Run script: python cppcheck/tools/donate-cpu.py.

The script will analyse debian source code and upload the results to a cppcheck server. We need these results both to improve Cppcheck and to detect regressions.

You can stop the script whenever you like with Ctrl C.

Compiling

Any C++11 compiler should work. For compilers with partial C++11 support it may work. If your compiler has the C++11 features that are available in Visual Studio 2013 / GCC 4.6 then it will work.

To build the GUI, you need Qt.

When building the command line tool, PCRE is optional. It is used if you build with rules.

There are multiple compilation choices:

  • qmake - cross platform build tool
  • cmake - cross platform build tool
  • Windows: Visual Studio (VS 2013 and above)
  • Windows: Qt Creator + mingw
  • gnu make
  • g++ 4.6 (or later)
  • clang++

cmake

Example, compiling Cppcheck with cmake:

mkdir build
cd build
cmake ..
cmake --build .

If you want to compile the GUI you can use the flag. -DBUILD_GUI=ON

For rules support (requires pcre) use the flag. -DHAVE_RULES=ON

For release builds it is recommended that you use: -DUSE_MATCHCOMPILER=ON

Using cmake you can generate project files for Visual Studio,XCode,etc.

qmake

You can use the gui/gui.pro file to build the GUI.

cd gui
qmake
make

Visual Studio

Use the cppcheck.sln file. The file is configured for Visual Studio 2019, but the platform toolset can be changed easily to older or newer versions. The solution contains platform targets for both x86 and x64.

To compile with rules, select "Release-PCRE" or "Debug-PCRE" configuration. pcre.lib (pcre64.lib for x64 builds) and pcre.h are expected to be in /externals then. A current version of PCRE for Visual Studio can be obtained using vcpkg.

Visual Studio (from command line)

If you do not wish to use the Visual Studio IDE, you can compile cppcheck from the command line the following command.

msbuild cppcheck.sln

VS Code (on Windows)

Install MSYS2 to get GNU toolchain with g++ and gdb (https://www.msys2.org/). Create a settings.json file in the .vscode folder with the following content (adjust path as necessary):

{
    "terminal.integrated.shell.windows": "C:\\msys64\\usr\\bin\\bash.exe",
    "terminal.integrated.shellArgs.windows": [
        "--login",
    ],
    "terminal.integrated.env.windows": {
        "CHERE_INVOKING": "1",
        "MSYSTEM": "MINGW64",
    }
}

Run "make" in the terminal to build cppcheck.

For debugging create a launch.json file in the .vscode folder with the following content, which covers configuration for debugging cppcheck and misra.py:

{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "cppcheck",
            "type": "cppdbg",
            "request": "launch",
            "program": "${workspaceFolder}/cppcheck.exe",
            "args": [
                "--dump",
                "${workspaceFolder}/addons/test/misra/misra-test.c"
            ],
            "stopAtEntry": false,
            "cwd": "${workspaceFolder}",
            "environment": [],
            "externalConsole": true,
            "MIMode": "gdb",
            "miDebuggerPath": "C:/msys64/mingw64/bin/gdb.exe",
            "setupCommands": [
                {
                    "description": "Enable pretty-printing for gdb",
                    "text": "-enable-pretty-printing",
                    "ignoreFailures": true
                }
            ]
        },
        {
            "name": "misra.py",
            "type": "python",
            "request": "launch",
            "program": "${workspaceFolder}/addons/misra.py",
            "console": "integratedTerminal",
            "args": [
                "${workspaceFolder}/addons/test/misra/misra-test.c.dump"
            ]
        }
    ]
}

Qt Creator + MinGW

The PCRE dll is needed to build the CLI. It can be downloaded here: http://software-download.name/pcre-library-windows/

GNU make

Simple, unoptimized build (no dependencies):

make

The recommended release build is:

make MATCHCOMPILER=yes FILESDIR=/usr/share/cppcheck HAVE_RULES=yes CXXFLAGS="-O2 -DNDEBUG -Wall -Wno-sign-compare -Wno-unused-function"

Flags:

  1. MATCHCOMPILER=yes Python is used to optimise cppcheck. The Token::Match patterns are converted into C++ code at compile time.

  2. FILESDIR=/usr/share/cppcheck Specify folder where cppcheck files are installed (addons, cfg, platform)

  3. HAVE_RULES=yes Enable rules (PCRE is required if this is used)

  4. CXXFLAGS="-O2 -DNDEBUG -Wall -Wno-sign-compare -Wno-unused-function" Enables most compiler optimizations, disables cppcheck-internal debugging code and enables basic compiler warnings.

g++ (for experts)

If you just want to build Cppcheck without dependencies then you can use this command:

g++ -o cppcheck -std=c++11 -Iexternals -Iexternals/simplecpp -Iexternals/tinyxml2 -Iexternals/picojson -Ilib cli/*.cpp lib/*.cpp externals/simplecpp/simplecpp.cpp externals/tinyxml2/*.cpp

If you want to use --rule and --rule-file then dependencies are needed:

g++ -o cppcheck -std=c++11 -lpcre -DHAVE_RULES -Ilib -Iexternals -Iexternals/simplecpp -Iexternals/tinyxml2 cli/*.cpp lib/*.cpp externals/simplecpp/simplecpp.cpp externals/tinyxml2/*.cpp

MinGW

mingw32-make LDFLAGS=-lshlwapi

Other Compiler/IDE

  1. Create an empty project file / makefile.
  2. Add all cpp files in the cppcheck cli and lib folders to the project file / makefile.
  3. Add all cpp files in the externals folders to the project file / makefile.
  4. Compile.

Cross compiling Win32 (CLI) version of Cppcheck in Linux

sudo apt-get install mingw32
make CXX=i586-mingw32msvc-g++ LDFLAGS="-lshlwapi" RDYNAMIC=""
mv cppcheck cppcheck.exe

Packages

You can install Cppcheck with yum/apt/brew/etc.

The official rpms are built with these files: https://src.fedoraproject.org/rpms/cppcheck/tree/master

Webpage

https://cppcheck.sourceforge.io/

Comments
  • Addition of a document type definition for library configurations

    Addition of a document type definition for library configurations

    A document type definition can help to work with corresponding files because it describes the involved data structures to some degree. Such a DTD can be added so that further improvements will become easier for the safe data exchange around library configurations for static source code analysis.

    A DTD format was standardised as a basis for XML documents. Some technical challenges and limitations were noticed so that another standard like W3C XML Schema evolved. Such a XML schema definition can also be added so that corresponding file handling might become more consistent.

    • Would you like to try this approach out?
    • How are the chances to integrate this update suggestion into your source code repository?
    opened by elfring 79
  • Add a dynamic rule enable/disable system

    Add a dynamic rule enable/disable system

    First, each rule now has a "state" attribute:

    enabled => rule is enabled ... disabled => rule is disabled. ...

    Second, each rule has a list of IDs of rules to disable and a list of rules to enable if fired:

    ... thatrule thisrule disabled thisrule ... thatrule ...

    Initially, the first and third rule are enabled. When the first rule gets fired, then the third rule becomes disabled and the second rule becomes enabled.

    Note that the behavior of this system is undefined when the rule to be enabled or disabled should fire on the same source fragment which fired the controlling rule.

    opened by bufferoverflow 37
  • Check that virtual function non-narrow access modifier in derived class

    Check that virtual function non-narrow access modifier in derived class

    That's kind a weird style when derived class has a private method which is public in parent. You can't invoke it directly but could cast it to parent and invoke.

    merge-after-next-release 
    opened by ntfshard 35
  • Initial QT support

    Initial QT support

    Hi guys,

    We've been using cppcheck for our QT project but we kept getting false-positives from some of the functions that were exposed to QT so I've done a small patch that'll scan the code for Q_PROPERTY variables and also tokenize the QML (essentially javascript) sudo-code for calls that reference the C/C++ code.

    //commit ---------------------------------------------------------------------------------------------

    • Will check for Q_PROPERTY fields and remove them from the unused function list
    • Will parse the .qml files (if they're in the source list of files to check) and remove references to C/C++ functions which would have otherwise been unused.

    Use --enable=all or --enable=qt etc to enable the functionality and add the *.qml (i.e. src/assets) path to the command line interface invocation.

    opened by sam-truscott 31
  • Bug #2524: Addition of CMake build files

    Bug #2524: Addition of CMake build files

    This is my third proposal for the building of the Cppcheck software with the tool "CMake" in this year. I hope that the chances will increase for integration of the suggested adjustments into your source repository.

    Would you like to accept this retry?

    opened by elfring 30
  • donate-cpu-server.py: added stale report / cleanups

    donate-cpu-server.py: added stale report / cleanups

    I recognized several entries in the crash report which were outdated and when trying to run them locally it turned out the archive was no longer available. There's probably even more cases which might lead to the results not being updated, but there's currently no way to find this packages so I added a stale report which will show the results which are older than 30 days.

    I also added the date and time to the crash report so it is easier to see which of the results are recent.

    opened by firewave 27
  • Add cpack packaging capability

    Add cpack packaging capability

    Linux distributions frequently lag behind actual releases. This offers users the opportunity to create their own packages easily.

    Example usage:

    $ mkdir build && cd build
    $ cmake -DCPACK_GENERATOR=RPM ..
    $ make package
    

    Note that the version info is automatically computed from the output of git describe --tags.

    opened by cleeland 26
  • Project configuration with CMake

    Project configuration with CMake

    Hi!

    I would like to help to the project with this small contribution. I added a new way to configure, compile and install the project using CMake. I think that for people familiar with this tool, the configuration, build and installation of the project is more intuitive. I didn't touch none of the previous configurations, and all of them can live together.

    Right now, I only tested that on Ubuntu 14.04 but It should be generic for any Linux distribution. If you decide to accept the contribution I can also deal with the Windows building (probably some minor changes should be made for that purpose).

    I have also some other ideas easy to implement with CMake that could be interesting for the project.

    opened by piponazo 26
  • Fix issue 8413: Condition is always false 'i=expr; if (i != expr) {}'

    Fix issue 8413: Condition is always false 'i=expr; if (i != expr) {}'

    When comparing same expression, this will follow variables if the variable hasn't been modified:

    void f() { const int i = sizeof(int);  if ( i != sizeof (int)){}}
    
    opened by pfultz2 24
  • Extend command line to support --xml-results=<file> option

    Extend command line to support --xml-results= option

    For integration with cmake and jenkins for a large-scale codebase, we'd like the XML results to be written to a specific file, rather than going to standard error.

    opened by nigels-com 24
  • Check for functions calls in sizeof calculations

    Check for functions calls in sizeof calculations

    A common mistake that I have found in our codebase is calling a function to get an integer or enum that represents the type such as:

    int numBytes = numElements * sizeof(x.GetType());
    

    This extends cppcheck for sizeof calculation to check for function calls as well.

    opened by pfultz2 23
  • compilerDefinitions.cmake: specify proper define for

    compilerDefinitions.cmake: specify proper define for "safe libc++"

    I followed the documentation from https://libcxx.llvm.org/DesignDocs/DebugMode.html#using-the-debug-mode which refers to LIBCXX_ENABLE_DEBUG_MODE. But that is a CMake define you are supposed to pass when building libc++. Also the debug mode needs the library to be built with it which is not something we do. So as suggested we should enable the assertions via _LIBCPP_ENABLE_ASSERTIONS=1 instead - see https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode.

    opened by firewave 0
  • MISRA: Speed up analysis of .ctu_info files

    MISRA: Speed up analysis of .ctu_info files

    When a .ctu-info file contains many macro definitions, the MISRA checks can take a long time (hours).

    In our case, we are using libdivide which includes tens of thousands of machine generated macros.

    The slow down is a result of the duplicate checks for MisraTypedefInfo, MisraTagNameand MisraMacro values, implemented as nested loops in analyse_ctu_info.

    This PR replaces the nested loops with a temporary dictionary, keyed on the item name.

    opened by adbancroft 2
  • generate `*.vcxproj` file lists with `dmake`

    generate `*.vcxproj` file lists with `dmake`

    cli.vcxproj and testrunner.vcxproj are changed completely since the newlines were wrong (CR instead of CRLF). We need a proper .gitattributes file which enforces those. To view those changes you need to enable the Hide whitespace option in the diff viewer (accessible via the "gear" icon).

    The added Label attribute is allowed - it is simply not used by Visual Studio in those files. It does allow use to define marker and the file lists in question so we can rewrite them.

    I have no added writing of the *.vcxproj.filters yet but that is simply for grouping in the IDE and has no effect on the builds. Will add that in a later PR.

    opened by firewave 3
  • Add SARIF output support.

    Add SARIF output support.

    This has been on my TODO list for a while! I've been wanting to integrate CppCheck's results into GitHub since Code Scanning came out. To do that, however, the tool needs to spit out SARIF.

    To test it out, run cppcheck --sarif --quiet foo.c

    Now, this is only an initial stab, and it's probably a bit ugly. I'm not quite done just yet (hence why it's a draft PR). For one, it's not truly outputting the correct line/column numbers. So, if you have any suggestions or comments, please let me know.

    Also, I initially tried to work SARIF output into the original design by adding a ErrorMessage::toSARIF method (ala ErrorMessage::toXML), but I quickly realized that this wouldn't work very well, since the SARIF document has to be "constructed", not "streamed" the way the XML document is. Which meant that I had to rework the way that findings ("errors") were collected and aggregated, since the SARIF document kinda needs to see everything all at once.

    opened by mario-campos 5
Releases(2.9)
  • 2.9(Aug 28, 2022)

    Analysis

    • restored check for negative allocation (new[]) and negative VLA sizes from cppcheck 1.87 (LCppC backport)
    • replaced hardcoded check for pipe() buffer size by library configuration option (LCppC backport)
    • on Windows the callstack is now being written to the output specific via "--exception-handling"
    • make it possible to disable the various exception handling parts via the CMake options "NO_UNIX_SIGNAL_HANDLING", "NO_UNIX_BACKTRACE_SUPPORT" and "NO_WINDOWS_SEH"
    • detect more redundant calls of std::string::c_str(), std::string::substr(), and unnecessary copies of containers
    • Add a match function to addon similiar to Token::Match used internally by cppcheck:
      • | for either-or tokens(ie struct|class to match either struct or class)
      • !! to negate a token
      • It supports the %any%, %assign%, %comp%, %name%, %op%, %or%, %oror%, and %var% keywords
      • It supports (*), {*}, [*], and <*> to match links
      • @ can be added to bind the token to a name
      • ** can be used to match until a token
    • Add math functions which can be used in library function definition. This enables evaluation of more math functions in ValueFlow
    • Further improve lifetime analysis with this pointers
    • Propagate condition values from outer function calls
    • Add debug intrinsics debug_valueflow and debug_valuetype to show more detail including source backtraces

    Cppcheck Premium

    GUI: Additional options to configure the Autosar, Cert C and Misra C++ coding standards Command line: A --premium option that is used to provide premium options

    Source code(tar.gz)
    Source code(zip)
    cppcheck-2.9-x64-Setup.msi(16.75 MB)
  • 2.8(May 21, 2022)

    • Lifetime analysis can now track lifetime across user-defined constructors when they are inline and using member initializer list.
    • SymbolDatabase can now deduce iterator types from how they are specified in the library files.
    • ValueFlow can evaluate class member functions that return known values.
    • Improve duplicateValueTenary to not warn when used as an lvalue or when one branch has side effects
    • Fix variableScope to not warn when variables are used in lambda functions
    • Fix unassignedVariable warnings when using structured bindings
    • Fix redundantInitialization warning when variable is used in a lambda
    • Fix variableScope warnings when using if/while init-statement
    • Improve lifetime analysis when returning variadic template expressions
    • Detect more statements with constStatement
    • Detect variableScope for more types
    • Improvements to unreadVariable
    • Detect more instances of C style casts
    • Warn if the return value of new is discarded
    • The pre-ValueFlow uninitialized checker now uses a different ID as legacyUninitvar
    • Extended library format to exclude specific function argument values
    Source code(tar.gz)
    Source code(zip)
    cppcheck-2.8-x64-Setup.msi(16.48 MB)
  • 2.7(Feb 5, 2022)

    Add support for container views. The view attribute has been added to the <container> library tag to specify the class is a view. The lifetime analysis has been updated to use this new attribute to find dangling lifetime containers.

    Various checker improvements.

    Fixed false positives.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-2.7-x64-Setup.msi(21.55 MB)
  • 2.6(Oct 2, 2021)

    New checks in core cppcheck:

    • missing return in function
    • writing overlapping data, detect undefined behavior
    • compared value is out of possible type range
    • [perf] Copy elision optimization can't be applied for return std::move(local)
    • file can not be opened for read and write access at the same time on different streams

    Various improvements:

    • Color output for diagnostics are added for unix-based platforms.
    • Added symbolic analysis for ValueFlow. A simple delta is used to compute the difference between two unknown variable.
    • Rules using the "define" tokenlist can also match #include as well.
    • Library <function> tags can now use <container> tag, so free functions that accept containers such as std::size, std::empty, std::begin, std::end, etc. can specify the yields or action for the container.
    • Library <smart-pointer> tag can specify a <unique> tag for smart pointers that have unique ownership. Cppcheck now warns about dangling references to smart pointers with unique ownership.
    • Fixed problems when --cppcheck-build-dir is used, that should now work better. It is recommended to use --cppcheck-build-dir to speedup Cppcheck analysis.
    • htmlreport can now output author information (using git blame)
    • More warnings about variables that is not const but can be const

    Misra C 2012 compliance has been "completed" All Misra C 2012 rules have been implemented except 1.1 , 1.2 and 17.3. Including the rules in amendment 1 and amendment 2. The rules 1.1 and 1.2 must be checked with a compiler. The rule 17.3 can be checked by a compiler, for instance GCC.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-2.6-x64-Setup.msi(20.83 MB)
  • 2.5(Jul 4, 2021)

    Parser:

    • various fixes
    • checked that all features in c++11, c++14, c++17 are supported
    • c++20 support is improved but not complete yet

    Core:

    • improved library files, better knowledge about APIs
    • improved checks to detect more bugs
    • fixed checks to avoid unwanted warnings

    Changed output:

    • try to use relative paths when using compile databases, if compile database is accessed with relative path
    • updated XML; The file0 attribute is moved from to

    Misra:

    • fixed crashes and false positives

    New checks:

    • suspicious container/iterator assignment in condition
    • rethrow without current handled exception
    Source code(tar.gz)
    Source code(zip)
    cppcheck-2.5-x64-Setup.msi(20.63 MB)
  • 2.4.1(Mar 23, 2021)

  • 2.4(Mar 21, 2021)

  • 2.3(Dec 5, 2020)

    Improved C++ parser:

    • types
    • wrong operands in ast
    • better simplification of templates

    Improved clang import, various fixes. Improved value flow analysis

    Fixed false positives

    Improved configuration in library files

    • boost.cfg
    • googletest.cfg
    • qt.cfg
    • windows.cfg
    • wxwidgets.cfg

    Added several Misra rules:

    • 6.1
    • 6.2
    • 7.2
    • 7.4
    • 9.2
    • 10.2
    • 15.4

    Added platforms:

    • elbrus e1c+
    • pic
    • pic8
    • mips
    Source code(tar.gz)
    Source code(zip)
    cppcheck-2.3-x64-Setup.msi(20.68 MB)
  • 2.2(Oct 3, 2020)

    New checks:

    • incorrect usage of mutexes and lock guards
    • Dereference end iterator
    • Iterating a known empty container
    • outOfBounds check for iterators to containers

    Removed 'operator=' check that ensures reference to self is returned. That is not about safety.

    Improved parser

    • various ast fixes

    Clang parser

    • The Clang import feature in Cppcheck should be considered to be experimental for now. There are problems.

    Improved bug hunting

    • variable constraints
    • handling of multidimension arrays
    • function calls, execute functions that are in same TU
    • improved handling of containers
    • several improvements for uninitialized variables check
    • improved analysis of for loops
    • added a hash value for warnings that can be used for suppressions

    Improved data flow

    • one more heuristic for ternary operators
    • improved data flow for containers

    CLI:

    • Fixed some addon execution problems when there are spaces etc

    GUI:

    • Fix handling of tags
    • Exclude files

    cppcheck-htmlreport:

    • several result files can be combined into 1 output

    Suppressions:

    • comments can be added at end of suppression in suppressions file
    Source code(tar.gz)
    Source code(zip)
    cppcheck-2.2-x64-Setup.msi(20.59 MB)
  • 2.1(Jun 13, 2020)

    This is a minor release.

    We have tweaked build scripts.

    • When you use USE_Z3=yes, we will handle new versions of z3 better. If you have an old z3 library and get compilation problems you will need to add a z3_version.h in externals.
    • The cmake scripts was updated.

    There was a couple of bug fixes.

    New check:

    • for "expression % 1" the result is always 0.
    Source code(tar.gz)
    Source code(zip)
    cppcheck-2.1-x64-Setup.msi(19.21 MB)
  • 2.0(May 10, 2020)

    Overview

    The command line is not changed drastically. Your old cppcheck scripts should work as before.

    Compiling: There is a new dependency Z3. When compiling with the Makefile it is highly recommended to use "USE_Z3=yes".

    Improved clang-tidy integration

    Several fixes to;

    • improve parsing
    • detect more bugs with existing checks
    • fix false alarms

    Clang import

    Clang is a C/C++ compiler that has a very robust and well made parser.

    Cppcheck will always use its internal parser by default. However there is now an option to use the Clang parser instead.

    It is recommended that you use the default internal Cppcheck parser unless you notice that it fails to parse your code properly (syntax errors, strange false alarms).

    Bug hunting

    There is a new "soundy" analysis in Cppcheck that should detect most bugs. You should expect false alarms, however the false alarms will not be overwhelming.

    This new "soundy" analysis is not intended to replace normal Cppcheck analysis. There are use cases where false alarms can not be tolerated.

    We have added 1 checker and that checks for division by zero:

    • It detects all "integer division by zero" bugs in the Juliet test suite.
    • It detects all "division by zero" bugs in the ITC test suite.
    • There was 28 division by zero CVEs published in 2019 for C/C++ open source projects, and we could quickly see that 21 of the bugs are found by Cppcheck. There is no CVE bug that we know Cppcheck fails to diagnose. But there are 7 CVEs that would require additional investigation to establish if it is really detected or not.

    You can read more about this analysis in the "Bug hunting" chapter in the manual.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-2.0-x64-Setup.msi(15.57 MB)
  • 1.90(Dec 21, 2019)

    New check:

    • alias to vector element invalid after vector is changed

    Improved checking:

    • improved value flow analysis for struct members
    • improved value flow analysis for pointer alias

    CERT:

    • Added ENV33-C: Do not call system()

    MISRA:

    • Added rule 2.7
    • Added rule 3.2
    • Added rule 4.2
    • Added rule 14.2
    • Added rule 21.1
    • Added rule 21.12
    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.90-x64-Setup.msi(10.82 MB)
  • 1.89(Sep 1, 2019)

    Command line:

    • The default warning message format was changed. The new format is similar to GCC. If you want to get warnings in the old format, add --template=cppcheck1 to the command line.

    Compiling:

    • From now on, use FILESDIR instead of CFGDIR to specify the path for Cppcheck data files. The readme.txt describes the available flags.

    Improved checking:

    • improved value flow analysis for pointer aliases
    • improved checking for uninitialized variables/structs
    • better checking of smart pointers
    • better checking of global variables
    • Added Cppcheck annotations cppcheck_low(VALUE) and cppcheck_high(VALUE)
    • shadow variables; warn when argument is shadowed
    • warn if local reference variable can be const

    CERT:

    • Added API01-C: Avoid laying out strings in memory directly before sensitive data
    • Added MSC24-C: Do not use deprecated or obsolescent functions
    • Added STR11-C: Do not specify the bound of a character array initialized with a string literal

    MISRA:

    • Added rule 17.2
    • Added rule 18.4
    • Added rule 18.7

    GUI:

    • Minor tweaks
    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.89-x64-Setup.msi(10.90 MB)
    cppcheck-1.89-x86-Setup.msi(9.11 MB)
  • 1.88(Jun 29, 2019)

    New checks:

    • Comparing pointers that point to different objects
    • Address of local variable 'x' is accessed at non-zero index
    • STL usage: unnecessary search before insertion
    • Duplicate expression for condition and assignment: if (x==3) x=3;

    Added --library configuration files for:

    • cppunit
    • libcerror
    • nspr
    • opengl
    • sqlite3

    Better handling of C++14 and C++17

    Command line:

    • New command line option --addon used to run addons directly from Cppcheck.
    • Some advanced options are only available in GUI:
      • remove unused declarations in header files to speedup analysis
      • remove unused templates to speedup analysis
      • when checking visual studio project, only check 1 configuration
      • max whole-program-analysis call stack depth To get these features in command line tool, create a GUI project file and import that on command line using --project.

    GUI:

    • started implementing theme support

    Makefile: Please use MATCHCOMPILER=yes instead of SRCDIR=build when compiling to enable the match compiler.

    Cert:

    • add check exp15-c
    • add check str03-c
    • add check str05-c
    • add check str07-c

    Misra:

    • Add check 17.7
    • Add check 20.7
    • Add check 20.10
    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.88-x64-Setup.msi(10.57 MB)
    cppcheck-1.88-x86-Setup.msi(9.06 MB)
  • 1.87(Feb 9, 2019)

    Command line interface:

    • --project can now import Cppcheck GUI projects.

    New checks:

    • Condition is always true when array address is compared with 0.
    • function argument expression calculation has known result (#8830)

    Improvements:

    • Better lifetime checking (using pointer/reference that points at deleted object)
    • Improved whole program analysis
    • Better handling of language extension [email protected]
    • Many improvements in parser to handle templates, type aliases, etc better

    Configuration:

    • new configuration for boost
    • much better wxwidgets configuration

    Addons:

    • New addon for checking naming conventions. Naming conventions are configured in json file.

    Performance: According to [email protected] Cppcheck-1.87 is in average 10% faster than Cppcheck-1.86.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.87-x64-Setup.msi(10.41 MB)
    cppcheck-1.87-x86-Setup.msi(8.90 MB)
  • 1.86(Dec 8, 2018)

    General:

    • Many fixes in the template simplifier
    • Several fixes in the abstract syntax tree.

    Checking improvements:

    • New check: passing address of char to function that expects a strz
    • New check: shadow variables
    • Improved lifetime checking
    • Improved STL iterators checking
    • Improved data flow analysis

    New libraries:

    • zlib
    • googletest

    Addons:

    • misra.py: Fixes for suppressions and exclusions
    • namingng.py: New addon to check naming conventions. Rules are specified in json file.
    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.86-x64-Setup.msi(10.35 MB)
    cppcheck-1.86-x86-Setup.msi(8.84 MB)
  • 1.85(Oct 14, 2018)

    General:

    • We are modernizing the Cppcheck code. Support for MSVC 2010 and GCC 4.4 is dropped. You now need a compiler that is at least as good as MSVC 2013 or GCC 4.6.
    • According to "[email protected]" (http://cppcheck.osuosl.org:8000)
      • There are fewer crashes.
      • Cppcheck-1.85 is ~25% slower than Cppcheck-1.84

    Checking improvements:

    • New check: Suggest STL algorithms instead of hard-coded for loops
    • New check: Warn about ineffective algorithms (same iterator passed)
    • New check: Mismatching iterators used together in operators
    • Container (STL/Qt/WxWidgets/etc) access out of bounds
    • Improved the checkers that warns about same/opposite expressions, track variable values better.
      • logical conjunctions
      • identical/opposite inner expressions
      • same expressions around operator
      • etc
    • Variable scope: warn about references also

    Graphical user interface:

    • You can specify undefines in the project file dialog
    • Fixed configuration of suppressions
    • Windows: Fixed issue of wrong/no theme being applied to UI elements

    Misra:

    • support per file excludes from cppcheck
    • support per file suppressions from cppcheck
    • summary will now summarize results for all files again
    • a few false positives were fixed
    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.85-x64-Setup.msi(10.33 MB)
    cppcheck-1.85-x86-Setup.msi(8.81 MB)
  • 1.84(Jun 12, 2018)

    New checks:

    • Same rhs expression used in consecutive assignments
    • Added more misra checkers
    • Function overrides base class function but is not marked with the override keyword

    Improved checks:

    • Identical inner condition
    • Opposite expressions
    • Call to virtual function in constructor or destructor
    • Variable not initialized by private constructor
    • A class that has dynamic allocation needs copy constructor, assignment operator and destructor

    Misc:

    • Various performance optimisations
    • Better support for C++17
    • --template=gcc format has been updated to match gcc output better.
    • We added a --template-location that can be used to format multiline messages.
    • Update --template so the piece of code with the warning can be shown
    • Symbol-based suppressions
    • XML based suppressions format

    Addons:

    • cert.py: Attempting to cast away const
    • misc.py: String concatenation in array initialization
    • misc.py: Passing struct to ellipsis function
    • misc.py: Function overrides base class function but is not marked with the virtual keyword

    Compiling: We dropped support for some old compilers. From now on you need gcc 4.6 or later / visual studio 2013 or later / other compiler with c++11 support.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.84-x64-Setup.msi(10.15 MB)
    cppcheck-1.84-x86-Setup.msi(8.63 MB)
  • 1.83(Apr 2, 2018)

  • 1.82(Jan 14, 2018)

    Bug fixes:

    • Better handling of namespaces
    • Fixed false positives
    • Fixed parsing of compile databases
    • Fixed parsing of visual studio projects

    Enhancements

    • New check; Detect mistakes when there are multiple strcmp() in condition Example:

      if (strcmp(password,"A")==0 || strcmp(password,"B")==0 || strcmp(password,"C"))
      

      There is a missing '==0', and therefore this condition is always true except when password is "C".

    • New check; pointer calculation result can't be NULL unless there is overflow Example:

      someType **list_p = ...;
      if ((list_p + 1) == NULL)
      

      The result for '(list_p + 1)' can't be NULL unless there is overflow (UB).

    • New check; public interface of classes should be safe - detect possible division by zero Example:

      class Fred {
      public:
      void setValue(int mul, int div) {
        value = mul / div; // <- unsafe
      }
      ...
      

      This check does not consider how Fred::setValue() is really called. If you agree that the public interface of classes should always be safe; it should be allowed to call all public methods with arbitrary arguments, then this checker will be useful.

    • Fixed a few false negatives

    • More information in the cfg files

    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.82-x64-Setup.msi(9.84 MB)
    cppcheck-1.82-x86-Setup.msi(8.18 MB)
  • 1.81(Oct 7, 2017)

    CPPCHECK:

    • New warning: Check if condition after an early return is overlapping and therefore always false.
    • Improved knowledge about C/C++ standard, windows, posix, wxwidgets, gnu
    • Better handling of Visual Studio projects

    GUI:

    • Compile: Qt5 is now needed to build the GUI
    • Compile: New qmake flag HAVE_QCHART
    • Project: You can now run cppcheck-addons
    • Project: We have integrated clang-tidy
    • Results view: Reload last results (if cppcheck build dir is used) when GUI is started
    • Results view: Tag the warnings with custom keywords (bug/todo/not important/etc..)
    • Results view: Shows when warning first appeared (since date)
    • Results view: Suppress warnings through right-click menu
    • Statistics: Added charts (shown if Qt charts module is enabled during build)
    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.81-x64-Setup.msi(9.77 MB)
    cppcheck-1.81-x86-Setup.msi(8.17 MB)
    cppcheck-1.81.tar.bz2(1.44 MB)
    cppcheck-1.81.tar.gz(1.81 MB)
    cppcheck-1.81.zip(2.01 MB)
  • 1.80(Jul 29, 2017)

    Checking improvements:

    • Added platform for Atmel AVR 8 bit microcontrollers (avr8)
    • Better 'callstacks' in cppcheck messages
    • Improved gnu.cfg, posix.cfg, wxwidgets.cfg and std.cfg, added motif.cfg
    • Various improvements to AST, ValueFlow analysis and template parsing

    Command line changes:

    • Deprecated command line argument --append has been removed
    • New command line argument --plist-output to create .plist files
    • New command line argument --output-file to print output to file directly
    • Check OpenCL files (.cl)

    GUI:

    • Support export of statistics to PDF
    • Several small usability improvements

    Additionally, lots of false positives and bugs have been fixed and several existing checks have been improved.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.80-x64-Setup.msi(9.62 MB)
    cppcheck-1.80-x86-Setup.msi(7.97 MB)
  • 1.79(May 13, 2017)

    General changes:

    • C++ code in C files is rejected now (use --language=c++ to enforce checking the code as C++)
    • Write function access type to XML dump

    Checking improvements:

    • Improved configuration extraction in preprocessor
    • Improved accuracy of AST
    • Improved template parsing
    • Improved support for (STL) containers in SymbolDatabase
    • Improved support for C++11's 'auto' type
    • Experimental support for uninitialized variables in ValueFlow analysis
    • Added qt.cfg and sfml.cfg, improved several existing .cfg files

    GUI:

    • Use CFGDIR macro

    Windows installer:

    • We have dropped support for Windows XP in the precompiled binary. It was too much work to maintain the toolset.

    Additionally, lots of false positives and bugs have been fixed and several existing checks have been improved.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.79-x64-Setup.msi(9.50 MB)
    cppcheck-1.79-x86-Setup.msi(7.66 MB)
  • 1.78(Apr 1, 2017)

    General changes:

    • Reduced memory usage by up to 10% by reducing size of token list

    New checks:

    • Mismatching argument names between function declaration and definition
    • Detect classes which have a copy constructor but no copy operator and vice versa

    Checking improvements:

    • Improved matching of overloaded functions
    • Improved ValueType analysis, especially related to allocations with "new" and C++11's "auto"
    • Improved support for C++11 brace initialization
    • Improved ValueFlow analysis
    • Improved template parsing
    • Improved detection of memory leaks
    • Improved nullpointer checking when nullptr and NULL are used
    • Detect array out of bounds across compilation units
    • Extended windows.cfg, posix.cfg and std.cfg

    Additionally, lots of false positives and bugs have been fixed and several existing checks have been improved.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.78-x64-Setup.msi(9.41 MB)
    cppcheck-1.78-x86-Setup.msi(7.64 MB)
  • 1.77(Dec 31, 2016)

    General changes:

    • Added flag --cppcheck-build-dir to allow incremental analysis and inter-file checking
    • Improved --project support for Visual Studio solutions

    Removed checks:

    New checks:

    • Detect pointer overflow
    • Detect usage of variable after std::move or std::forward

    Checking improvements:

    • Warn about number and char literals in boolean expressions
    • Improved checking for variables modified but not used again
    • Libraries: Added support to specify
    • Improved ValueFlow, especially related to function return values and casts
    • Improved simplification of Null values to allow more accurate checking
    • Several improvements to windows.cfg, posix.cfg, gnu.cfg and std.cfg
    • Reimplemented check for using iterators of mismatching containers

    GUI:

    • Support build directory as in CLI

    Additionally, lots of false positives and bugs have been fixed and several existing checks have been improved.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.77-x64-Setup.msi(9.39 MB)
    cppcheck-1.77-x86-Setup.msi(7.63 MB)
  • 1.76.1(Oct 12, 2016)

  • 1.76(Oct 8, 2016)

    General changes:

    • Completed CWE mapping
    • Support opening project files of external build systems, including CMake and Visual Studio (CLI: --project)
    • XML format version 1 is deprecated and will be removed in 1.81

    Removed checks:

    New checks:

    Checking improvements:

    • Improved checking for conditions that are always true/false
    • Improved format string checking: Support more functions, support %h and %hh
    • Improved std.cfg, windows.cfg and qt.cfg; added wxwidgets.cfg
    • Improved ValueFlow analysis
    • Improved SymbolDatabase accuracy
    • Improved Preprocessor (simplecpp)
    • Support base class methods in Library

    GUI:

    • Support opening project files from GUI
    • Added .desktop file

    Additionally, lots of false positives and bugs have been fixed and several existing checks have been improved.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.76-x64-Setup.msi(9.30 MB)
    cppcheck-1.76-x86-Setup.msi(7.60 MB)
  • 1.75(Aug 6, 2016)

    General changes:

    • Replaced internal preprocessor by the brand-new preprocessor 'simplecpp'
    • Improved Windows installer: Install a copy of the license instead of asking to accept it
    • The Windows x64 binaries are now compiled with profile guided optimization, resulting in a speedup of 11%
    • Improved manual, especially the chapter about Libraries
    • Improved CWE mapping
    • --append is deprecated and will be removed in 1.80

    New checks:

    • Detect passed by value for non-const variables and print message only if type size justifies optimization

    Checking improvements:

    • Implemented support for trailing return types (C++11)
    • Improved support for digit separators (C++14)
    • Improved support for enum types in buffer overflow checking
    • Better handling of volatile variables when checking for redundant assignments
    • Properly support integer suffixes i64 and ui64
    • Support function arguments with default value in Libraries
    • Always set file0 attribute of error messages to identify the source file cppcheck was checking

    Additionally, lots of false positives and bugs have been fixed and several existing checks have been improved.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.75-x64-Setup.msi(9.23 MB)
    cppcheck-1.75-x86-Setup.msi(7.56 MB)
  • 1.74(Jun 5, 2016)

    General changes:

    • Improved CWE mapping of messages
    • Git pre-commit hook checks only added or modified files

    Checking improvements:

    • Replaced simplification of enums by keeping and parsing them in the SymbolDatabase
    • Added support to Library for specifying the parameter used by allocating/deallocating functions
    • Improved support for integers defined in Libraries
    • Improved accuracy of ValueType analysis
    • Improved accuracy of VarID assignment, especially when dealing with structs and unions
    • Improved performance of VarID assignment, checking for struct member usage, buffer overrun checking and several simplifications
    • Added support for lots functions to windows.cfg and posix.cfg
    • Better support for operator overloads
    • Detect buffer overflows when %c is used with a width
    • Improved checking for sizeof() taken of wrong type
    • Support char literals when checking for conditions being always true or false
    • Reimplemented check for usage of boolean results used in bitwise operations based on ValueType
    • Improved checking for c_str() usage

    Additionally, lots of false positives and bugs have been fixed and several existing checks have been improved.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.74-x64-Setup.msi(9.35 MB)
    cppcheck-1.74-x86-Setup.msi(7.69 MB)
  • 1.73(Apr 8, 2016)

    General changes:

    • CWE mapping of messages
    • Translated manual to Japanese language

    Removed checks:

    • Checks for variables hiding enums or typedefs have been removed

    New checks:

    Checking improvements:

    • Improved ValueType a lot, use it in more checks
    • Improved VarId support for template constructors, namespaces and references as class members
    • Improved libraries, especially gnu.cfg, posix.cfg and windows.cfg
    • Improved simplification of enums and templates
    • Better distinguishing between possible and known null pointer dereferenciations
    • Assume integers to be signed by default
    • better support for __cplusplus macro in preprocessor
    • Preprocessor directives for addons
    • New tools: times-vs.py, reduce.py

    GUI:

    • Detect Geany and QtCreator
    • Make statistics dialog shown when checking is finished optional

    Additionally, lots of false positives and bugs have been fixed and several existing checks have been improved.

    Source code(tar.gz)
    Source code(zip)
    cppcheck-1.73-x64-Setup.msi(8.45 MB)
    cppcheck-1.73-x86-Setup.msi(7.69 MB)
Owner
Daniel Marjamäki
Lives in Sweden with wife and son. Works full time as C++ developer at Edgeware (TV streaming). Works on open source software in spare time.
Daniel Marjamäki
Pharos Static Binary Analysis Framework

Automated static analysis tools for binary programs

Software Engineering Institute 1.3k Dec 18, 2022
ELF static analysis and injection framework that parse, manipulate and camouflage ELF files.

elfspirit elfspirit is a useful program that parse, manipulate and camouflage ELF files. It provides a variety of functions, including adding or delet

null 21 Dec 21, 2022
A static analysis tool that helps security researchers scan a list of Windows kernel drivers for common vulnerability patterns in drivers (CVE makers!)

Driver Analyzer A static analysis tool that helps security researchers scan a list of Windows kernel drivers for common vulnerability patterns in driv

BehroozAbbassi 44 Sep 3, 2022
Static code checker for C++

cpplint - static code checker for C++ Cpplint is a command-line tool to check C/C++ files for style issues following Google's C++ style guide. Cpplint

null 1.2k Jan 7, 2023
Qt-oriented static code analyzer based on the Clang framework

WARNING: master is the development branch. Please use the v1.10 branch. clazy v1.11 clazy is a compiler plugin which allows clang to understand Qt sem

KDE GitHub Mirror 555 Jan 8, 2023
A static analyzer for Java, C, C++, and Objective-C

Infer Infer is a static analysis tool for Java, C++, Objective-C, and C. Infer is written in OCaml. Installation Read our Getting Started page for det

Facebook 13.8k Jan 4, 2023
Static analyzer for C/C++ based on the theory of Abstract Interpretation.

IKOS IKOS (Inference Kernel for Open Static Analyzers) is a static analyzer for C/C++ based on the theory of Abstract Interpretation. Introduction IKO

NASA - Software V&V 1.8k Jan 4, 2023
Static analyzer for C/C++ based on the theory of Abstract Interpretation.

IKOS IKOS (Inference Kernel for Open Static Analyzers) is a static analyzer for C/C++ based on the theory of Abstract Interpretation. Introduction IKO

NASA - Software V&V 1.8k Dec 28, 2022
Analysis of Argon and Xenon Collision data to test Bardeen-Cooper-Schrieffer Approximation

Univeristy of North Carolina Wilmington Analysis of Argon and Xenon Collision data to test Bardeen-Cooper-Schrieffer Approximation. Argon Data Tree Fi

William Jarratt 0 Aug 25, 2022
Clang build analysis tool using -ftime-trace

Clang Build Analyzer Clang C/C++ build analysis tool when using Clang 9+ -ftime-trace. The -ftime-trace compiler flag (see blog post or Clang 9 releas

Aras Pranckevičius 716 Dec 25, 2022
将 C/C++ 代码转换成流程图 / Turn your C/C++ code into flowchart

将 C/C++ 代码转换成流程图 / Turn your C/C++ code into flowchart

mgt 428 Jan 1, 2023
CITL's static analysis engine for native code artifacts

citl-static-analyzer Fast binary hardening analysis tooling. Building on Linux The build process varies by Linux distribution, owing to differences be

Cyber Independent Testing Lab 18 Aug 30, 2022
Static analysis of C/C++ code

Cppcheck GitHub Actions Linux Build Status Windows Build Status OSS-Fuzz Coverity Scan Build Status License About the name The original name of this p

Daniel Marjamäki 4.5k Dec 30, 2022
Pharos Static Binary Analysis Framework

Automated static analysis tools for binary programs

Software Engineering Institute 1.3k Dec 18, 2022
ELF static analysis and injection framework that parse, manipulate and camouflage ELF files.

elfspirit elfspirit is a useful program that parse, manipulate and camouflage ELF files. It provides a variety of functions, including adding or delet

null 21 Dec 21, 2022
A static analysis tool that helps security researchers scan a list of Windows kernel drivers for common vulnerability patterns in drivers (CVE makers!)

Driver Analyzer A static analysis tool that helps security researchers scan a list of Windows kernel drivers for common vulnerability patterns in driv

BehroozAbbassi 44 Sep 3, 2022
Cmake check - Static analysis for CMake files.

cmake_check Cmake_check is a linter for the CMake language. It takes a set of user-defined rules and reports violations for CMakeLists.txt files and C

Dael 21 Dec 10, 2022
Static analysis of structures is a fundamental step for determining the stability of structures

StAnD: A Dataset of Linear Static Analysis Problems [Abstract] [Paper] Static analysis of structures is a fundamental step for determining the stabili

Zuru Tech 3 Jan 4, 2023
Terrain Analysis Using Digital Elevation Models (TauDEM) software for hydrologic terrain analysis and channel network extraction.

TauDEM (Terrain Analysis Using Digital Elevation Models) is a suite of Digital Elevation Model (DEM) tools for the extraction and analysis of hydrolog

David Tarboton 191 Dec 28, 2022