| Checker | Guideline |
|---|---|
| | DCL31-C. Declare identifiers before using them |
| | DCL37-C. Do not declare or define a reserved identifier |
| | EXP32-C. Do not access a volatile object through a nonvolatile reference |
| | EXP44-C. Do not rely on side effects in operands to sizeof, _Alignof, or _Generic |
| | INT36-C. Converting a pointer to integer or integer to pointer |
| | FLP30-C. Do not use floating-point variables as loop counters |
| | ARR37-C. Do not add or subtract an integer to a pointer to a non-array object |
| | ARR38-C. Guarantee that library functions do not form invalid pointers |
| | MEM30-C. Do not access freed memory |
| | MEM31-C. Free dynamically allocated memory when no longer needed |
| | FIO30-C. Exclude user input from format strings |
| | FIO34-C. Distinguish between characters read from a file and EOF or WEOF |
| | FIO42-C. Close files when they are no longer needed |
| | FIO46-C. Do not access a closed file |
| | ENV31-C. Do not rely on an environment pointer following an operation that may invalidate it |
| | ENV33-C. Do not call system() |
| | ENV34-C. Do not store pointers returned by certain functions |
| | MSC30-C. Do not use the rand() function for generating pseudorandom numbers |
| | POS30-C. Use the readlink() function properly |
| | POS34-C. Do not call putenv() with a pointer to an automatic variable as the argument |
| | ARR02-C. Explicitly specify array bounds, even if implicitly defined by an initializer |
| | DCL00-C. Const-qualify immutable objects |
| | DCL01-C. Do not reuse variable names in subscopes |
| | DCL02-C. Use visually distinct identifiers |
| | DCL05-C. Use typedefs of non-pointer types only |
| | ENV02-C. Beware of multiple environment variables with the same effective name |
| | EXP05-C. Do not cast away a const qualification |
| | EXP12-C. Do not ignore values returned by functions |
| | EXP14-C. Beware of integer promotion when performing bitwise operations on integer types smaller than int |
| | FIO08-C. Take care when calling remove() on an open file |
| | FIO11-C. Take care when specifying the mode parameter of fopen() |
| | FIO22-C. Close files before spawning processes |
| | INT09-C. Ensure enumeration constants map to unique values |
| | INT12-C. Do not make assumptions about the type of a plain int bit-field when used in an expression |
| | MEM01-C. Store a new value in pointers immediately after free() |
| | MEM07-C. Ensure that the arguments to calloc(), when multiplied, do not wrap |
| | MSC17-C. Finish every set of statements associated with a case label with a break statement |
| | MSC21-C. Use robust loop termination conditions |
| | STR04-C. Use plain char for characters in the basic character set |
| | STR05-C. Use pointers to const when referring to string literals |
| | STR06-C. Do not assume that strtok() leaves the parse string unchanged |
| | STR11-C. Do not specify the bound of a character array initialized with a string literal |
| Automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well | EXP33-C. Do not read uninitialized memory |
| A module written in Compass/ROSE can detect violations of this rule | CON33-C. Avoid race conditions when using library functions |
| Can catch violations of this rule by scanning the printf() and scanf() family of functions. For each such function, any variable that corresponds to a %d qualifier (or any qualifier besides %j) and that is not one of the built-in types (char, short, int, long, long long) indicates a violation of this rule. To catch violations, ROSE would also have to recognize derived types in expressions, such as size_t | INT15-C. Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types |
| Can detect all of these | MEM33-C. Allocate and copy structures containing a flexible array member dynamically |
| Can detect common violations of this rule. However, it cannot handle cases in which the value returned by fgetpos() is copied between several variables before being passed to fsetpos() | FIO44-C. Only use values for fsetpos() that are returned from fgetpos() |
| Can detect simple violations of this recommendation. In particular, it warns when two calls to ungetc() on the same stream are not interspersed with a file-positioning or file-read function. It cannot handle cases where ungetc() is called from inside a loop | FIO13-C. Never push back anything other than one read character |
| Can detect simple violations of this rule | STR30-C. Do not attempt to modify string literals |
| Can detect simple violations of this rule | FIO38-C. Do not copy a FILE object |
| Can detect simple violations of this rule | FIO39-C. Do not alternately input and output from a stream without an intervening flush or positioning call |
| Can detect simple violations of this rule. It needs to examine each expression and make sure that no variable is modified twice in the expression. It also must check that no variable is modified once, then read elsewhere, with the single exception that a variable may appear on both the left and right of an assignment operator | EXP30-C. Do not depend on the order of evaluation for side effects |
| Can detect some violations of this recommendation when checking EXP36-C. Do not cast pointers into more strictly aligned pointer types | MEM02-C. Immediately cast the result of a memory allocation function call into a pointer to the allocated type |
| Can detect some violations of this recommendation. In particular, it flags switch statements that do not have a default clause. ROSE should detect "fake switches" as well (that is, a chain of if statements each checking the value of the same variable). These if statements should always end in an else clause, or they should mathematically cover every possibility. For instance, consider the following: `if (x > 0) { /* ... */ } else if (x < 0) { /* ... */ } else if (x == 0) { /* ... */ }` | MSC01-C. Strive for logical completeness |
| Can detect some violations of this recommendation. In particular, it warns when chown(), stat(), or chmod() are called on an open file | FIO01-C. Be careful using functions that use file names for identification |
| Can detect some violations of this rule | STR32-C. Do not pass a non-null-terminated character sequence to a library function that expects a string |
| Can detect some violations of this rule | MEM34-C. Only free memory allocated dynamically |
| Can detect some violations of this rule. In particular, it ensures that all operations involving division or modulo are preceded by a check ensuring that the second operand is nonzero | INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors |
| Can detect some violations of this rule but cannot flag violations involving universal names | DCL23-C. Guarantee that mutually visible identifiers are unique |
| Can detect some violations of this rule. However, it can only detect violations involving abort() because assert() is implemented as a macro | ERR06-C. Understand the termination behavior of assert() and abort() |
| Can detect some violations of this rule. However, it does not flag implicit casts, only explicit ones | FLP34-C. Ensure that floating-point conversions are within range of the new type |
| Can detect some violations of this rule. In particular, it ensures that all calls to open() supply exactly two arguments if the second argument does not involve O_CREAT, and exactly three arguments if the second argument does involve O_CREAT | EXP37-C. Call functions with the correct number and type of arguments |
| Can detect some violations of this rule. In particular, it ensures that calls to open() that are preceded by a call to lstat() are also followed by a call to fstat() | POS35-C. Avoid race conditions while checking for the existence of a symbolic link |
| Can detect some violations of this rule. In particular, it warns if the last element of a struct is an array with a small index (0 or 1) | DCL38-C. Use the correct syntax when declaring a flexible array member |
| Can detect some violations of this rule. In particular, it warns when calls to setgid() are immediately preceded by a call to setuid() | POS36-C. Observe correct revocation order while relinquishing privileges |
| Can detect some violations of this rule. In particular, it warns when the argument to malloc() is a variable that has not been compared against 0 or that is known at compile time to be 0 | MEM04-C. Beware of zero-length allocations |
| Can detect violations of the recommendation but cannot distinguish between incomplete array declarations and pointer declarations | ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array |
| Can detect violations of the rule by using the same method as STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator | ENV01-C. Do not make assumptions about the size of an environment variable |
| Can detect violations of the rule for single-file programs | SIG30-C. Call only asynchronous-safe functions within signal handlers |
| Can detect violations of the rule. However, it is unable to handle cases involving strcpy_s() or manual string copies such as the one in the first example | STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator |
| Can detect violations of this recommendation | MSC05-C. Do not manipulate time_t typed values directly |
| Can detect violations of this recommendation by flagging invocations of the following functions: atoi(); scanf(), fscanf(), sscanf(); others? | ERR34-C. Detect errors when converting a string to a number |
| Can detect violations of this recommendation when checking for violations of EXP12-C. Do not ignore values returned by functions and EXP34-C. Do not dereference null pointers | ERR33-C. Detect and handle standard library errors |
| Can detect violations of this recommendation when checking for violations of EXP12-C. Do not ignore values returned by functions and EXP34-C. Do not dereference null pointers | POS54-C. Detect and handle POSIX library errors |
| Can detect violations of this recommendation while checking for violations of recommendation DCL00-C. Const-qualify immutable objects | DCL13-C. Declare function parameters that are pointers to values not changed by the function as const |
| Can detect violations of this recommendation. However, it can detect only those violations where both bitwise and arithmetic operators are used in the same expression | INT14-C. Avoid performing bitwise and arithmetic operations on the same data |
| Can detect violations of this recommendation. In particular, it catches comparisons and operations where one operand is of type size_t or rsize_t and the other is not | INT01-C. Use rsize_t or size_t for all integer values representing the size of an object |
| Can detect violations of this recommendation. In particular, it checks to see if the arguments to an equality operator are of a floating-point type | FLP02-C. Avoid using floating-point numbers when precise computation is needed |
| Can detect violations of this recommendation. In particular, it flags any instance of a variable of type char (without a signed or unsigned qualifier) that appears in an arithmetic expression | INT07-C. Use only explicitly signed or unsigned char type for numeric values |
| Can detect violations of this recommendation. In particular, it looks for the size argument of malloc(), calloc(), or realloc() and flags when it does not find a sizeof operator in the argument expression. It does not flag if the return value is assigned to a char *; in this case a string is being allocated, and sizeof is unnecessary because sizeof(char) == 1 | EXP09-C. Use sizeof to determine the size of a type or variable |
| Can detect violations of this recommendation. In particular, it notes uses of the scanf() family of functions where the type specifier is a floating-point or integer type | INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs |
| Can detect violations of this recommendation. Specifically, it reports violations if (1) a pointer to one object is type cast to a pointer to a different object, and (2) the pointed-to object of the (type cast) pointer is then modified arithmetically | EXP11-C. Do not make assumptions regarding the layout of structures with bit-fields |
| Can detect violations of this recommendation. Specifically, ROSE reports use of tmpnam(), tmpnam_s(), tmpfile(), and mktemp() | FIO21-C. Do not create temporary files in shared directories |
| Can detect violations of this rule by ensuring that operations are checked for overflow before being performed. (Be mindful of exception INT30-EX2, because it excuses many operations from requiring validation, including all the operations that would validate a potentially dangerous operation. For instance, adding two unsigned ints together requires validation involving subtracting one of the numbers from UINT_MAX, which itself requires no validation because it cannot wrap.) | INT30-C. Ensure that unsigned integer operations do not wrap |
| Can detect violations of this rule for single-file programs | SIG31-C. Do not access shared objects in signal handlers |
| Can detect violations of this rule when checking for violations of INT07-C. Use only explicitly signed or unsigned char type for numeric values | |