<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Available Checks</title>
<link type="text/css" rel="stylesheet" href="menu.css">
<link type="text/css" rel="stylesheet" href="content.css">
<script type="text/javascript" src="scripts/menu.js"></script>
<style type="text/css">
tr:first-child { width:20%; }
</style>
</head>
<body>
<div id="page">
<!--#include virtual="menu.html.incl"-->
<div id="content">
<h1>Available Checks</h1>
<h3>The list of the checks the analyzer performs by default</h3>
<p>
<table border="0" cellpadding="3" cellspacing="3" width="100%">
<!-- <tr>
<th><h4>Checker Name</h4></th>
<th><h4>Description</h4></th>
</tr>-->
<tr>
<td><b>core.AdjustedReturnValue</b></td><td>Check to see if the return value of a function call is different than the caller expects (e.g., from calls through function pointers).</td>
</tr>
<tr>
<td><b>core.AttributeNonNull</b></td><td>Check for null pointers passed as arguments to a function whose arguments are marked with the 'nonnull' attribute.</td>
</tr>
<tr>
<td><b>core.CallAndMessage</b></td><td>Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers).</td>
</tr>
<tr>
<td><b>core.DivideZero</b></td><td>Check for division by zero.</td>
</tr>
<tr>
<td><b>core.NullDereference</b></td><td>Check for dereferences of null pointers.</td>
</tr>
<tr>
<td><b>core.StackAddressEscape</b></td><td>Check that addresses to stack memory do not escape the function.</td>
</tr>
<tr>
<td><b>core.UndefinedBinaryOperatorResult</b></td><td>Check for undefined results of binary operators.</td>
</tr>
<tr>
<td><b>core.VLASize</b></td><td>Check for declarations of VLA of undefined or zero size.</td>
</tr>
<tr>
<td><b>core.builtin.BuiltinFunctions</b></td><td>Evaluate compiler builtin functions (e.g., alloca()).</td>
</tr>
<tr>
<td><b>core.builtin.NoReturnFunctions</b></td><td>Evaluate "panic" functions that are known to not return to the caller.</td>
</tr>
<tr>
<td><b>core.uninitialized.ArraySubscript</b></td><td>Check for uninitialized values used as array subscripts.</td>
</tr>
<tr>
<td><b>core.uninitialized.Assign</b></td><td>Check for assigning uninitialized values.</td>
</tr>
<tr>
<td><b>core.uninitialized.Branch</b></td><td>Check for uninitialized values used as branch conditions.</td>
</tr>
<tr>
<td><b>core.uninitialized.CapturedBlockVariable</b></td><td>Check for blocks that capture uninitialized values.</td>
</tr>
<tr>
<td><b>core.uninitialized.UndefReturn</b></td><td>Check for uninitialized values being returned to the caller.</td>
</tr>
<tr>
<td><b>deadcode.DeadStores</b></td><td>Check for values stored to variables that are never read afterwards.</td>
</tr>
<!--
<tr>
<td><b>deadcode.IdempotentOperations</b></td><td>Warn about idempotent operations.</td>
</tr>
-->
<tr>
<td><b>osx.API</b></td><td>Check for proper uses of various Mac OS X APIs.</td>
</tr>
<tr>
<td><b>osx.AtomicCAS</b></td><td>Evaluate calls to OSAtomic functions.</td>
</tr>
<tr>
<td><b>osx.SecKeychainAPI</b></td><td>Check for proper uses of Secure Keychain APIs.</td>
</tr>
<tr>
<td><b>osx.cocoa.AtSync</b></td><td>Check for null pointers used as mutexes for @synchronized.</td>
</tr>
<tr>
<td><b>osx.cocoa.ClassRelease</b></td><td>Check for sending 'retain', 'release', or 'autorelease' directly to a Class.</td>
</tr>
<tr>
<td><b>osx.cocoa.IncompatibleMethodTypes</b></td><td>Warn about Objective-C method signatures with type incompatibilities.</td>
</tr>
<tr>
<td><b>osx.cocoa.NSAutoreleasePool</b></td><td>Warn for suboptimal uses of NSAutoreleasePool in Objective-C GC mode.</td>
</tr>
<tr>
<td><b>osx.cocoa.NSError</b></td><td>Check usage of NSError** parameters.</td>
</tr>
<tr>
<td><b>osx.cocoa.NilArg</b></td><td>Check for prohibited nil arguments to ObjC method calls.</td>
</tr>
<tr>
<td><b>osx.cocoa.RetainCount</b></td><td>Check for leaks and improper reference count management.</td>
</tr>
<tr>
<td><b>osx.cocoa.SelfInit</b></td><td>Check that 'self' is properly initialized inside an initializer method.</td>
</tr>
<tr>
<td><b>osx.cocoa.UnusedIvars</b></td><td>Warn about private ivars that are never used.</td>
</tr>
<tr>
<td><b>osx.cocoa.VariadicMethodTypes</b></td><td>Check for passing non-Objective-C types to variadic methods that expect only Objective-C types.</td>
</tr>
<tr>
<td><b>osx.coreFoundation.CFError</b></td><td>Check usage of CFErrorRef* parameters.</td>
</tr>
<tr>
<td><b>osx.coreFoundation.CFNumber</b></td><td>Check for proper uses of CFNumberCreate.</td>
</tr>
<tr>
<td><b>osx.coreFoundation.CFRetainRelease</b></td><td>Check for null arguments to CFRetain/CFRelease/CFMakeCollectable.</td>
</tr>
<tr>
<td><b>osx.coreFoundation.containers.OutOfBounds</b></td><td>Checks for index out-of-bounds when using 'CFArray' API.</td>
</tr>
<tr>
<td><b>osx.coreFoundation.containers.PointerSizedValues</b></td><td>Warns if 'CFArray', 'CFDictionary', 'CFSet' are created with non-pointer-size values.</td>
</tr>
<tr>
<td><b>security.FloatLoopCounter</b></td><td>Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP).</td>
</tr>
<tr>
<td><b>security.insecureAPI.UncheckedReturn</b></td><td>Warn on uses of functions whose return values must be always checked.</td>
</tr>
<tr>
<td><b>security.insecureAPI.getpw</b></td><td>Warn on uses of the 'getpw' function.</td>
</tr>
<tr>
<td><b>security.insecureAPI.gets</b></td><td>Warn on uses of the 'gets' function.</td>
</tr>
<tr>
<td><b>security.insecureAPI.mkstemp</b></td><td>Warn when 'mkstemp' is passed fewer than 6 X's in the format string.</td>
</tr>
<tr>
<td><b>security.insecureAPI.mktemp</b></td><td>Warn on uses of the 'mktemp' function.</td>
</tr>
<tr>
<td><b>security.insecureAPI.rand</b></td><td>Warn on uses of the 'rand', 'random', and related functions.</td>
</tr>
<tr>
<td><b>security.insecureAPI.strcpy</b></td><td>Warn on uses of the 'strcpy' and 'strcat' functions.</td>
</tr>
<tr>
<td><b>security.insecureAPI.vfork</b></td><td>Warn on uses of the 'vfork' function.</td>
</tr>
<tr>
<td><b>unix.API</b></td><td>Check calls to various UNIX/Posix functions.</td>
</tr>
<tr>
<td><b>unix.Malloc</b></td><td>Check for memory leaks, double free, and use-after-free problems.</td>
</tr>
<tr>
<td><b>unix.MallocSizeof</b></td><td>Check for dubious malloc arguments involving sizeof.</td>
</tr>
<tr>
<td><b>unix.cstring.BadSizeArg</b></td><td>Check the size argument passed into C string functions for common erroneous patterns.</td>
</tr>
<tr>
<td><b>unix.cstring.NullArg</b></td><td>Check for null pointers being passed as arguments to C string functions.</td>
</table>
<p>In addition to these the analyzer contains numerous experimental (alpha) checkers.</p>
<h3>Writeups with examples of some of the bugs that the analyzer finds</h3>
<ul>
<li><a href="http://www.mobileorchard.com/bug-finding-with-clang-5-resources-to-get-you-started/">Bug Finding With Clang: 5 Resources To Get You Started</a></li>
<li><a href="http://fruitstandsoftware.com/blog/index.php/2008/08/finding-memory-leaks-with-the-llvmclang-static-analyzer/#comment-2">Finding Memory Leaks With The LLVM/Clang Static Analyzer</a></li>
<li><a href="http://www.rogueamoeba.com/utm/2008/07/14/the-clang-static-analyzer/">Under the Microscope - The Clang Static Analyzer</a></li>
<li><a href="http://www.mikeash.com/?page=pyblog/friday-qa-2009-03-06-using-the-clang-static-analyzer.html">Mike Ash - Using the Clang Static Analyzer</a></li>
</ul>
</div>
</div>
</body>
</html>