<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
          "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
  <title>Available Checks</title>
  <link type="text/css" rel="stylesheet" href="menu.css">
  <link type="text/css" rel="stylesheet" href="content.css">
  <script type="text/javascript" src="scripts/menu.js"></script>
  <style type="text/css">
    tr:first-child { width:20%; }
  </style>
</head>
<body>

<div id="page">
<!--#include virtual="menu.html.incl"-->

<div id="content">

<h1>Available Checks</h1>

<h3>The list of the checks the analyzer performs by default</h3>
<p>
<table border="0" cellpadding="3" cellspacing="3" width="100%">
<!-- <tr>
<th><h4>Checker Name</h4></th>
<th><h4>Description</h4></th>
</tr>-->
<tr>
<td><b>core.AdjustedReturnValue</b></td><td>Check to see if the return value of a function call is different than the caller expects (e.g., from calls through function pointers).</td>
</tr>
<tr>
<td><b>core.CallAndMessage</b></td><td>Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers).</td>
</tr>
<tr>
<td><b>core.DivideZero</b></td><td>Check for division by zero.</td>
</tr>
<tr>
<td><b>core.NonNullParamChecker</b></td><td>Check for null pointers passed as arguments to a function whose arguments are known to be non-null.</td>
</tr>
<tr>
<td><b>core.NullDereference</b></td><td>Check for dereferences of null pointers.</td>
</tr>
<tr>
<td><b>core.StackAddressEscape</b></td><td>Check that addresses to stack memory do not escape the function.</td>
</tr>
<tr>
<td><b>core.UndefinedBinaryOperatorResult</b></td><td>Check for undefined results of binary operators.</td>
</tr>
<tr>
<td><b>core.VLASize</b></td><td>Check for declarations of VLA of undefined or zero size.</td>
</tr>
<tr>
<td><b>core.builtin.BuiltinFunctions</b></td><td>Evaluate compiler builtin functions (e.g., alloca()).</td>
</tr>
<tr>
<td><b>core.builtin.NoReturnFunctions</b></td><td>Evaluate "panic" functions that are known to not return to the caller.</td>
</tr>
<tr>
<td><b>core.uninitialized.ArraySubscript</b></td><td>Check for uninitialized values used as array subscripts.</td>
</tr>
<tr>
<td><b>core.uninitialized.Assign</b></td><td>Check for assigning uninitialized values.</td>
</tr>
<tr>
<td><b>core.uninitialized.Branch</b></td><td>Check for uninitialized values used as branch conditions.</td>
</tr>
<tr>
<td><b>core.uninitialized.CapturedBlockVariable</b></td><td>Check for blocks that capture uninitialized values.</td>
</tr>
<tr>
<td><b>core.uninitialized.UndefReturn</b></td><td>Check for uninitialized values being returned to the caller.</td>
</tr>
<tr>
<td><b>cplusplus.NewDelete</b></td><td>Check for double-free and use-after-free problems involving C++ <code>delete</code>.</td>
</tr>
<tr>
<td><b>deadcode.DeadStores</b></td><td>Check for values stored to variables that are never read afterwards.</td>
</tr>
<!--
<tr>
<td><b>deadcode.IdempotentOperations</b></td><td>Warn about idempotent operations.</td>
</tr>
-->
<tr>
<td><b>osx.API</b></td><td>Check for proper uses of various Apple APIs.</td>
</tr>
<tr>
<td><b>osx.SecKeychainAPI</b></td><td>Check for proper uses of Secure Keychain APIs.</td>
</tr>
<tr>
<td><b>osx.cocoa.AtSync</b></td><td>Check for nil pointers used as mutexes for @synchronized.</td>
</tr>
<tr>
<td><b>osx.cocoa.ClassRelease</b></td><td>Check for sending 'retain', 'release', or 'autorelease' directly to a Class.</td>
</tr>
<tr>
<td><b>osx.cocoa.IncompatibleMethodTypes</b></td><td>Warn about Objective-C method signatures with type incompatibilities.</td>
</tr>
<tr>
<td><b>osx.cocoa.NSAutoreleasePool</b></td><td>Warn for suboptimal uses of NSAutoreleasePool in Objective-C GC mode.</td>
</tr>
<tr>
<td><b>osx.cocoa.NSError</b></td><td>Check usage of NSError** parameters.</td>
</tr>
<tr>
<td><b>osx.cocoa.NilArg</b></td><td>Check for prohibited nil arguments to ObjC method calls.</td>
</tr>
<tr>
<td><b>osx.cocoa.RetainCount</b></td><td>Check for leaks and improper reference count management.</td>
</tr>
<tr>
<td><b>osx.cocoa.SelfInit</b></td><td>Check that 'self' is properly initialized inside an initializer method.</td>
</tr>
<tr>
<td><b>osx.cocoa.UnusedIvars</b></td><td>Warn about private ivars that are never used.</td>
</tr>
<tr>
<td><b>osx.cocoa.VariadicMethodTypes</b></td><td>Check for passing non-Objective-C types to variadic methods that expect only Objective-C types.</td>
</tr>
<tr>
<td><b>osx.coreFoundation.CFError</b></td><td>Check usage of CFErrorRef* parameters.</td>
</tr>
<tr>
<td><b>osx.coreFoundation.CFNumber</b></td><td>Check for proper uses of CFNumberCreate.</td>
</tr>
<tr>
<td><b>osx.coreFoundation.CFRetainRelease</b></td><td>Check for null arguments to CFRetain/CFRelease/CFMakeCollectable.</td>
</tr>
<tr>
<td><b>osx.coreFoundation.containers.OutOfBounds</b></td><td>Checks for index out-of-bounds when using 'CFArray' API.</td>
</tr>
<tr>
<td><b>osx.coreFoundation.containers.PointerSizedValues</b></td><td>Warns if 'CFArray', 'CFDictionary', 'CFSet' are created with non-pointer-size values.</td>
</tr>
<tr>
<td><b>security.FloatLoopCounter</b></td><td>Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP).</td>
</tr>
<tr>
<td><b>security.insecureAPI.UncheckedReturn</b></td><td>Warn on uses of functions whose return values must always be checked.</td>
</tr>
<tr>
<td><b>security.insecureAPI.getpw</b></td><td>Warn on uses of the 'getpw' function.</td>
</tr>
<tr>
<td><b>security.insecureAPI.gets</b></td><td>Warn on uses of the 'gets' function.</td>
</tr>
<tr>
<td><b>security.insecureAPI.mkstemp</b></td><td>Warn when 'mkstemp' is passed fewer than 6 X's in the format string.</td>
</tr>
<tr>
<td><b>security.insecureAPI.mktemp</b></td><td>Warn on uses of the 'mktemp' function.</td>
</tr>
<tr>
<td><b>security.insecureAPI.rand</b></td><td>Warn on uses of the 'rand', 'random', and related functions.</td>
</tr>
<tr>
<td><b>security.insecureAPI.strcpy</b></td><td>Warn on uses of the 'strcpy' and 'strcat' functions.</td>
</tr>
<tr>
<td><b>security.insecureAPI.vfork</b></td><td>Warn on uses of the 'vfork' function.</td>
</tr>
<tr>
<td><b>unix.API</b></td><td>Check calls to various UNIX/POSIX functions.</td>
</tr>
<tr>
<td><b>unix.Malloc</b></td><td>Check for memory leaks, double free, and use-after-free problems involving <code>malloc</code>.</td>
</tr>
<tr>
<td><b>unix.MallocSizeof</b></td><td>Check for dubious malloc arguments involving sizeof.</td>
</tr>
<tr>
<td><b>unix.MismatchedDeallocator</b></td><td>Check for mismatched deallocators (e.g., passing a pointer allocated with <code>new</code> to <code>free()</code>).</td>
</tr>
<tr>
<td><b>unix.cstring.BadSizeArg</b></td><td>Check the size argument passed into C string functions for common erroneous patterns.</td>
</tr>
<tr>
<td><b>unix.cstring.NullArg</b></td><td>Check for null pointers being passed as arguments to C string functions.</td>
</tr>
</table>

<p>In addition to these, the analyzer contains numerous experimental (alpha) checkers.</p>

<h3>Writeups with examples of some of the bugs that the analyzer finds</h3>

<ul>
<li><a href="http://www.mobileorchard.com/bug-finding-with-clang-5-resources-to-get-you-started/">Bug Finding With Clang: 5 Resources To Get You Started</a></li>
<li><a href="http://fruitstandsoftware.com/blog/index.php/2008/08/finding-memory-leaks-with-the-llvmclang-static-analyzer/#comment-2">Finding Memory Leaks With The LLVM/Clang Static Analyzer</a></li>
<li><a href="http://www.rogueamoeba.com/utm/2008/07/14/the-clang-static-analyzer/">Under the Microscope - The Clang Static Analyzer</a></li>
<li><a href="http://www.mikeash.com/?page=pyblog/friday-qa-2009-03-06-using-the-clang-static-analyzer.html">Mike Ash - Using the Clang Static Analyzer</a></li>
</ul>


</div>
</div>
</body>
</html>