Astrée is a static analysis tool for C source code whose main focus is on detecting run-time errors or proving their absence. This includes, for example, every use of the language that has undefined behavior according to the C99, C11, C17 and C18 standards.
Since 2020 the run-time error analysis can also be applied to C++ code, as well as to mixed C and C++ code. All modern variants of the C++ language are supported, including C++17.
In addition, Astrée's advanced analysis engine can be used to check source code for a wide range of security-relevant properties. This includes conformance with standards such as CWE, SEI CERT and MISRA.
This page gives an overview of which criteria, rules and recommendations of these standards Astrée checks.
Annex J of ISO/IEC 9899:1999 (E), ISO/IEC 9899:2011 and ISO/IEC 9899:2018 lists the behaviors that the respective standard considers unspecified, undefined or implementation-defined. Its three sections cover hundreds of scenarios.
How Astrée covers each of these scenarios is described in a 30-page PDF document, which you can find in the tool under "Help" → "Compliance matrices" or obtain free of charge on request from info@absint.com.
The following table lists all CWE rules supported as of Astrée version 24.04. This includes rules with CWE-CCR coverage "Exact", "CWE-more-abstract", "CWE-more-specific" and "CWE-partial". Further details can be found in the Astrée "Help" menu or requested from info@absint.com.
Astrée analyses are sound, i.e. every rule that is violated is also reported as violated.
15 | External control of system or configuration setting | ✓ |
73 | External control of file system or path | ✓ |
77 | Improper neutralization of special elements used in a command (command injection) | ✓ |
78 | Improper neutralization of special elements used in an OS command (OS-command injection) | ✓ |
79 | Improper neutralization of input during Web page generation (cross-site scripting) | ✓ |
88 | Argument injection or modification | ✓ |
89 | Improper neutralization of special elements used in an SQL command (SQL injection) | ✓ |
90 | Improper neutralization of special elements used in an LDAP command (LDAP injection) | ✓ |
91 | XML injection (aka blind XPath injection) | ✓ |
99 | Improper control of resource identifiers (resource injection) | ✓ |
117 | Improper output neutralization for logs | ✓ |
118 | Improper access of indexable resource | ✓ |
119 | Improper restriction of operations within the bounds of a memory buffer | ✓ |
120 | Buffer copy without checking size of input (‘classic buffer overflow’) | ✓ |
121 | Stack-based buffer overflow | ✓ |
122 | Heap-based buffer overflow | ✓ |
123 | Write-what-where condition | ✓ |
124 | Buffer underwrite | ✓ |
125 | Out-of-bounds read | ✓ |
126 | Buffer over-read | ✓ |
127 | Buffer under-read | ✓ |
128 | Wrap-around error | ✓ |
129 | Improper validation of array index | ✓ |
130 | Improper handling of length parameter inconsistency | ✓ |
131 | Incorrect calculation of buffer size | ✓ |
134 | Uncontrolled format string | ✓ |
135 | Incorrect calculation of multi-byte string length | ✓ |
170 | Improper null termination | ✓ |
188 | Reliance on data/memory layout | ✓ |
190 | Integer overflow or wraparound | ✓ |
191 | Integer underflow or wraparound | ✓ |
192 | Integer coercion error | ✓ |
193 | Off-by-one error | ✓ |
194 | Unexpected sign extension | ✓ |
195 | Signed to unsigned conversion error | ✓ |
196 | Unsigned to signed conversion error | ✓ |
197 | Numeric truncation error | ✓ |
240 | Improper handling of inconsistent structural elements | ✓ |
242 | Use of inherently dangerous function | ✓ |
244 | Improper clearing of heap memory before release (‘heap inspection’) | ✓ |
248 | Uncaught exception | ✓ |
252 | Unchecked return value | ✓ |
253 | Incorrect check of function return value | ✓ |
328 | Reversible one-way hash | ✓ |
362 | Concurrent execution using shared resource with improper synchronization (‘race condition’) | ✓ |
364 | Signal handler race condition | ✓ |
365 | Race condition in switch | ✓ |
366 | Race condition within a thread | ✓ |
367 | Time-of-check time-of-use (TOCTOU) race condition | ✓ |
369 | Divide by zero | ✓ |
398 | Indicator of poor code quality | ✓ |
401 | Improper release of memory before removing last reference (memory leak) | ✓ |
404 | Improper resource shutdown or release | ✓ |
411 | Resource locking problems | ✓ |
415 | Double free | ✓ |
416 | Use after free | ✓ |
456 | Missing initialization of a variable | ✓ |
457 | Use of uninitialized variable | ✓ |
460 | Improper cleanup on thrown exception | ✓ |
463 | Deletion of data structure sentinel | ✓ |
464 | Addition of data structure sentinel | ✓ |
466 | Return of pointer value outside of expected range | ✓ |
467 | Use of sizeof() on a pointer type | ✓ |
468 | Incorrect pointer scaling | ✓ |
471 | Modification of assumed-immutable data (MAID) | ✓ |
475 | Undefined behavior for input to API | ✓ |
476 | NULL pointer dereference | ✓ |
477 | Use of obsolete functions | ✓ |
478 | Missing default case in switch statement | ✓ |
479 | Signal handler use of a non-reentrant function | ✓ |
480 | Use of incorrect operator | ✓ |
481 | Assigning instead of comparing | ✓ |
482 | Comparing instead of assigning | ✓ |
497 | Exposure of system data to an unauthorized control sphere | ✓ |
543 | Use of singleton pattern without synchronization in a multi-threaded context | ✓ |
558 | Use of getlogin() in multithreaded application | ✓ |
561 | Dead code | ✓ |
562 | Return of stack variable address | ✓ |
563 | Assignment to variable without use (‘unused variable’) | ✓ |
567 | Unsynchronized access to shared data in a multithreaded context | ✓ |
573 | Improper following of specification by caller | ✓ |
587 | Assignment of a fixed address to a pointer | ✓ |
588 | Attempt to access child of a nonstructure pointer | ✓ |
606 | Unchecked input for loop condition | ✓ |
611 | Improper restriction of XML External Entity reference (XXE) | ✓ |
628 | Function call with incorrectly specified arguments | ✓ |
643 | Improper neutralization of data within XPath expressions (XPath injection) | ✓ |
662 | Improper synchronization | ✓ |
663 | Use of a non-reentrant function in a concurrent context | ✓ |
665 | Improper initialization | ✓ |
666 | Operation on resource in wrong phase of lifetime | ✓ |
667 | Improper locking | ✓ |
672 | Operation on a resource after expiration or release | ✓ |
676 | Use of potentially dangerous function | ✓ |
680 | Integer overflow to buffer overflow | ✓ |
681 | Incorrect conversion between numeric types | ✓ |
682 | Incorrect calculation | ✓ |
685 | Function call with incorrect number of arguments | ✓ |
686 | Function call with incorrect argument type | ✓ |
690 | Unchecked return value to NULL pointer dereference | ✓ |
704 | Incorrect type conversion or cast | ✓ |
754 | Improper check for unusual or exceptional conditions | ✓ |
759 | Use of a one-way hash without a salt | ✓ |
761 | Free of pointer not at start of buffer | ✓ |
762 | Mismatched memory management routines | ✓ |
763 | Release of invalid pointer or reference | ✓ |
764 | Multiple locks of a critical resource | ✓ |
765 | Multiple unlocks of a critical resource | ✓ |
767 | Access to critical private variable via public method | ✓ |
783 | Operator precedence logic error | ✓ |
785 | Use of path manipulation function without maximum-sized buffer | ✓ |
786 | Access of memory location before start of buffer | ✓ |
787 | Out-of-bounds write | ✓ |
789 | Uncontrolled memory allocation | ✓ |
805 | Buffer access with incorrect length value | ✓ |
806 | Buffer access using size of source buffer | ✓ |
807 | Reliance on untrusted inputs in a security decision | ✓ |
822 | Untrusted pointer dereference | ✓ |
823 | Use of out-of-range pointer offset | ✓ |
824 | Access of uninitialized pointer | ✓ |
825 | Expired pointer dereference | ✓ |
831 | Signal handler function associated with multiple signals | ✓ |
832 | Unlock of a resource that is not locked | ✓ |
833 | Deadlock | ✓ |
835 | Loop with unreachable exit condition (‘infinite loop’) | ✓ |
843 | Access of resource using incompatible type (‘type confusion’) | ✓ |
908 | Use of uninitialized resource | ✓ |
910 | Use of expired file descriptor | ✓ |
911 | Improper update of reference count | ✓ |
1325 | Improperly controlled sequential memory allocation | ✓ |
1335 | Incorrect bitwise shift of integer | ✓ |
1341 | Multiple releases of same resource or handle | ✓ |
The following tables list the SEI CERT rules and recommendations supported as of Astrée version 21.04. Greyed-out entries are only partially supported. Exclamation marks denote recommendations that, by definition, cannot be checked automatically by any tool. Further details are available on request from info@absint.com.
Rule 01: Preprocessor | ||
PRE30-C | Do not create a universal character name through concatenation | ✓ |
PRE32-C | Do not use preprocessor directives in invocations of function-like macros | ✓ |
Rule 02: Declarations and Initialization | ||
DCL30-C | Declare objects with appropriate storage durations | ✓ |
DCL31-C | Declare identifiers before using them | ✓ |
DCL36-C | Do not declare an identifier with conflicting linkage classifications | ✓ |
DCL37-C | Do not declare or define a reserved identifier | ✓ |
DCL38-C | Use the correct syntax when declaring a flexible array member | ✓ |
DCL40-C | Do not create incompatible declarations of the same function or object | ✓ |
DCL41-C | Do not declare variables inside a switch statement before the first case label | ✓ |
Rule 03: Expressions | ||
EXP30-C | Do not depend on the order of evaluation for side effects | ✓ |
EXP32-C | Do not access a volatile object through a nonvolatile reference | ✓ |
EXP33-C | Do not read uninitialized memory | ✓ |
EXP34-C | Do not dereference null pointers | ✓ |
EXP36-C | Do not cast pointers into more strictly aligned pointer types | ✓ |
EXP37-C | Call functions with the correct number and type of arguments | ✓ |
EXP40-C | Do not modify constant objects | ✓ |
EXP42-C | Do not compare padding data | ✓ |
EXP43-C | Avoid undefined behavior when using restrict-qualified pointers | ✓ |
EXP44-C | Do not rely on side effects in operands to sizeof, _Alignof, or _Generic | ✓ |
EXP45-C | Do not perform assignments in selection statements | ✓ |
EXP46-C | Do not use a bitwise operator with a Boolean-like operand | ✓ |
Rule 04: Integers | ||
INT30-C | Ensure that unsigned integer operations do not wrap | ✓ |
INT31-C | Ensure that integer conversions do not result in lost or misinterpreted data | ✓ |
INT32-C | Ensure that operations on signed integers do not result in overflow | ✓ |
INT33-C | Ensure that division and remainder operations do not result in divide-by-zero errors | ✓ |
INT34-C | Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand | ✓ |
INT35-C | Use correct integer precisions | ✓ |
INT36-C | Converting a pointer to integer or integer to pointer | ✓ |
Rule 05: Floating Point | ||
FLP30-C | Do not use floating-point variables as loop counters | ✓ |
FLP32-C | Prevent or detect domain and range errors in math functions | ✓ |
FLP34-C | Ensure that floating-point conversions are within range of the new type | ✓ |
FLP36-C | Preserve precision when converting integral values to floating-point type | ✓ |
FLP37-C | Do not use object representations to compare floating-point values | ✓ |
Rule 06: Arrays | ||
ARR30-C | Do not form or use out-of-bounds pointers or array subscripts | ✓ |
ARR36-C | Do not subtract or compare two pointers that do not refer to the same array | ✓ |
ARR37-C | Do not add or subtract an integer to a pointer to a non-array object | ✓ |
ARR38-C | Guarantee that library functions do not form invalid pointers | ✓ |
ARR39-C | Do not add or subtract a scaled integer to a pointer | ✓ |
Rule 07: Characters and Strings | ||
STR30-C | Do not attempt to modify string literals | ✓ |
STR31-C | Guarantee that storage for strings has sufficient space for character data and the null terminator | ✓ |
STR32-C | Do not pass a non-null-terminated character sequence to a library function that expects a string | ✓ |
STR37-C | Arguments to character-handling functions must be representable as an unsigned char | ✓ |
STR38-C | Do not confuse narrow and wide character strings and functions | ✓ |
Rule 08: Memory Management | ||
MEM30-C | Do not access freed memory | ✓ |
MEM31-C | Free dynamically allocated memory when no longer needed | ✓ |
MEM33-C | Allocate and copy structures containing a flexible array member dynamically | ✓ |
MEM34-C | Only free memory allocated dynamically | ✓ |
MEM35-C | Allocate sufficient memory for an object | ✓ |
MEM36-C | Do not modify the alignment of objects by calling realloc() | ✓ |
Rule 09: Input/Output | ||
FIO37-C | Do not assume that fgets() or fgetws() returns a nonempty string when successful | ✓ |
FIO38-C | Do not copy a FILE object | ✓ |
FIO39-C | Do not alternately input and output from a stream without an intervening flush or positioning call | ✓ |
FIO41-C | Do not call getc(), putc(), getwc() or putwc() with a stream argument that has side effects | ✓ |
FIO42-C | Close files when they are no longer needed | ✓ |
Rule 10: Environment | ||
ENV30-C | Do not modify the object referenced by the return value of certain functions | ✓ |
ENV33-C | Do not call system() | ✓ |
Rule 11: Signals | ||
SIG30-C | Call only asynchronous-safe functions within signal handlers | ✓ |
SIG31-C | Do not access shared objects in signal handlers | ✓ |
SIG34-C | Do not call signal() from within interruptible signal handlers | ✓ |
Rule 12: Error Handling | ||
ERR30-C | Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure | ✓ |
ERR33-C | Detect and handle standard library errors | ✓ |
Rule 14: Concurrency | ||
CON30-C | Clean up thread-specific storage | ✓ |
CON31-C | Do not destroy a mutex while it is locked | ✓ |
CON32-C | Prevent data races when accessing bit-fields from multiple threads | ✓ |
CON33-C | Avoid race conditions when using library functions | ✓ |
CON35-C | Avoid deadlock by locking in a predefined order | ✓ |
CON37-C | Do not call signal() in a multithreaded program | ✓ |
CON39-C | Do not join or detach a thread that was previously joined or detached | ✓ |
CON40-C | Do not refer to an atomic variable twice in an expression | ✓ |
Rule 48: Miscellaneous | ||
MSC30-C | Do not use the rand() function for generating pseudorandom numbers | ✓ |
MSC32-C | Properly seed pseudorandom number generators | ✓ |
MSC33-C | Do not pass invalid data to the asctime() function | ✓ |
MSC37-C | Ensure that control never reaches the end of a non-void function | ✓ |
MSC38-C | Do not treat a predefined identifier as an object if it might only be implemented as a macro | ✓ |
MSC40-C | Do not violate constraints | ✓ |
Recommendation 01: Preprocessor | ||
PRE00-C | Prefer inline or static functions to function-like macros | ✓ |
PRE01-C | Use parentheses within macros around parameter names | ✓ |
PRE05-C | Understand macro replacement when concatenating tokens or performing stringification | ! |
PRE06-C | Enclose header files in an inclusion guard | ✓ |
PRE07-C | Avoid using repeated question marks | ✓ |
Recommendation 02: Declarations and Initialization | ||
DCL00-C | Const-qualify immutable objects | ✓ |
DCL01-C | Do not reuse variable names in subscopes | ✓ |
DCL07-C | Include the appropriate type information in function declarators | ✓ |
DCL08-C | Properly encode relationships in constant definitions | ! |
DCL10-C | Maintain the contract between the writer and caller of variadic functions | ✓ |
DCL11-C | Understand the type issues associated with variadic functions | ! |
DCL13-C | Declare function parameters that are pointers to values not changed by the function as const | ✓ |
DCL15-C | Declare file-scope objects or functions that do not need external linkage as static | ✓ |
DCL16-C | Use L, not l, to indicate a long value | ✓ |
DCL17-C | Beware of miscompiled volatile-qualified variables | ! |
DCL18-C | Do not begin integer constants with 0 when specifying a decimal value | ✓ |
DCL19-C | Minimize the scope of variables and functions | ✓ |
DCL20-C | Explicitly specify void when a function accepts no arguments | ✓ |
DCL21-C | Understand the storage of compound literals | ! |
DCL22-C | Use volatile for data that cannot be cached | ! |
DCL23-C | Guarantee that mutually visible identifiers are unique | ✓ |
Recommendation 03: Expressions | ||
EXP02-C | Be aware of the short-circuit behavior of the logical AND and OR operators | ✓ |
EXP03-C | Do not assume the size of a structure is the sum of the sizes of its members | ✓ |
EXP08-C | Ensure pointer arithmetic is used correctly | ✓ |
EXP10-C | Do not depend on the order of evaluation of subexpressions or the order in which side effects take place | ✓ |
EXP12-C | Do not ignore values returned by functions | ✓ |
EXP19-C | Use braces for the body of an if, for, or while statement | ✓ |
EXP20-C | Perform explicit tests to determine success, true and false, and equality | ✓ |
Recommendation 04: Integers | ||
INT00-C | Understand the data model used by your implementation(s) | ! |
INT02-C | Understand integer conversion rules | ! |
INT07-C | Use only explicitly signed or unsigned char type for numeric values | ✓ |
INT08-C | Verify that all integer values are in range | ✓ |
INT09-C | Ensure enumeration constants map to unique values | ✓ |
INT12-C | Do not make assumptions about the type of a plain int bit-field when used in an expression | ✓ |
INT13-C | Use bitwise operators only on unsigned operands | ✓ |
INT18-C | Evaluate integer expressions in a larger size before comparing or assigning to that size | ✓ |
Recommendation 05: Floating Point | ||
FLP00-C | Understand the limitations of floating-point numbers | ! |
FLP01-C | Take care in rearranging floating-point expressions | ! |
FLP02-C | Avoid using floating-point numbers when precise computation is needed | ✓ |
FLP03-C | Detect and handle floating-point errors | ✓ |
FLP04-C | Check floating-point inputs for exceptional values | ✓ |
FLP06-C | Convert integers to floating point for floating-point operations | ✓ |
Recommendation 06: Arrays | ||
ARR00-C | Understand how arrays work | ! |
ARR02-C | Explicitly specify array bounds, even if implicitly defined by an initializer | ✓ |
Recommendation 07: Characters and Strings | ||
STR00-C | Represent characters using an appropriate type | ✓ |
STR04-C | Use plain char for characters in the basic character set | ✓ |
STR09-C | Don’t assume numeric values for expressions with type plain character | ✓ |
STR11-C | Do not specify the bound of a character array initialized with a string literal | ✓ |
Recommendation 08: Memory Management | ||
MEM01-C | Store a new value in pointers immediately after free() | ✓ |
MEM04-C | Beware of zero-length allocations | ✓ |
MEM07-C | Ensure that the arguments to calloc(), when multiplied, do not wrap | ✓ |
Recommendation 09: Input/Output | ||
FIO14-C | Understand the difference between text mode and binary mode with file streams | ! |
Recommendation 11: Signals | ||
SIG01-C | Understand implementation-specific details regarding signal handler persistence | ! |
Recommendation 12: Error Handling | ||
ERR06-C | Understand the termination behavior of assert() and abort() | ! |
Recommendation 14: Concurrency | ||
CON00-C | Avoid race conditions with multiple threads | ✓ |
CON01-C | Acquire and release synchronization primitives in the same module, at the same level of abstraction | ✓ |
CON03-C | Ensure visibility when accessing shared variables | ✓ |
CON06-C | Ensure that every mutex outlives the data it protects | ✓ |
Recommendation 15: Concurrency (POSIX) | ||
CON00-C | Avoid race conditions with multiple threads | ✓ |
Recommendation 48: Miscellaneous | ||
MSC01-C | Strive for logical completeness | ✓ |
MSC04-C | Use comments consistently and in a readable fashion | ✓ |
MSC07-C | Detect and remove dead code | ✓ |
MSC12-C | Detect and remove code that has no effect or is never executed | ✓ |
MSC13-C | Detect and remove unused values | ✓ |
MSC15-C | Do not depend on undefined behavior | ✓ |
MSC17-C | Finish every set of statements associated with a case label with a break statement | ✓ |
MSC20-C | Do not use a switch statement to transfer control into a complex block | ✓ |
MSC23-C | Beware of vendor-specific library and language differences | ✓ |
MSC24-C | Do not use deprecated or obsolescent functions | ✓ |
Recommendation 51: Microsoft Windows | ||
WIN03-C | Understand HANDLE inheritance | ! |
Declarations and initialization | ||
DCL.30 | Declare objects with appropriate storage durations | ✓ |
DCL.40 | Do not create incompatible declarations of the same function or object | ✓ |
DCL.50 | Do not define a C-style variadic function | ✓ |
DCL.51 | Do not declare or define a reserved identifier | ✓ |
DCL.54 | Overload allocation and deallocation functions as a pair in the same scope | ✓ |
DCL.57 | Do not let exceptions escape from destructors or deallocation functions | ✓ |
DCL.59 | Do not define an unnamed namespace in a header file | ✓ |
DCL.60 | Obey the one-definition rule | ✓ |
Expressions | ||
EXP.52 | Do not rely on side effects in unevaluated operands | ✓ |
EXP.53 | Do not read uninitialized memory | ✓ |
EXP.54 | Do not access an object outside of its lifetime | ✓ |
EXP.55 | Do not access a cv-qualified object through a cv-unqualified type | ✓ |
EXP.57 | Do not cast or delete pointers to incomplete classes | ✓ |
EXP.61 | A lambda object must not outlive any of its reference captured objects | ✓ |
EXP.62 | Do not access the bits of an object representation that are not part of the object’s value representation | ✓ |
Arrays | ||
ARR.30 | Do not form or use out-of-bounds pointers or array subscripts | ✓ |
Containers | ||
CTR.50 | Guarantee that container indices and iterators are within the valid range | ✓ |
CTR.51 | Use valid references, pointers, and iterators to reference elements of a container | ✓ |
CTR.52 | Guarantee that library functions do not overflow | ✓ |
CTR.53 | Use valid iterator ranges | ✓ |
CTR.54 | Do not subtract iterators that do not refer to the same container | ✓ |
Characters and strings | ||
STR.51 | Do not attempt to create a std::string from a null pointer | ✓ |
STR.53 | Range check element access | ✓ |
Memory management | ||
MEM.50 | Do not access freed memory | ✓ |
MEM.51 | Properly deallocate dynamically allocated resources | ✓ |
MEM.56 | Do not store an already-owned pointer value in an unrelated smart pointer | ✓ |
Environment | ||
ENV.33 | Do not call system() | ✓ |
Exceptions and error handling | ||
ERR.33 | Detect and handle standard library errors | ✓ |
ERR.50 | Do not abruptly terminate the program | ✓ |
ERR.51 | Handle all exceptions | ✓ |
ERR.52 | Do not use setjmp() or longjmp() | ✓ |
ERR.53 | Do not reference base classes or class data members in a constructor or destructor function-try-block handler | ✓ |
ERR.54 | Catch handlers should order their parameter types from most derived to least derived | ✓ |
ERR.55 | Honor exception specifications | ✓ |
ERR.58 | Handle all exceptions thrown before main() begins executing | ✓ |
ERR.61 | Catch exceptions by lvalue reference | ✓ |
Object oriented programming | ||
OOP.50 | Do not invoke virtual functions from constructors or destructors | ✓ |
OOP.52 | Do not delete a polymorphic object without a virtual destructor | ✓ |
OOP.53 | Write constructor member initializers in the canonical order | ✓ |
OOP.54 | Gracefully handle self-copy assignment | ✓ |
OOP.55 | Do not use pointer-to-member operators to access nonexistent members | ✓ |
OOP.57 | Prefer special member functions and overloaded operators to C Standard Library functions | ✓ |
Concurrency | ||
CON.37 | Do not call signal() in a multithreaded program | ✓ |
CON.52 | Prevent data races when accessing bit-fields from multiple threads | ✓ |
Miscellaneous | ||
MSC.30 | Do not use the rand() function for generating pseudorandom numbers | ✓ |
MSC.32 | Properly seed pseudorandom number generators | ✓ |
MSC.37 | Ensure that control never reaches the end of a non-void function | ✓ |
MSC.50 | Do not use std::rand() for generating pseudorandom numbers | ✓ |
MSC.51 | Ensure your random number generator is properly seeded | ✓ |
MSC.52 | Value-returning functions must return a value from all exit paths | ✓ |
MSC.53 | Do not return from a function declared [[noreturn]] | ✓ |
Astrée supports:
The checks are finely configurable. Each rule, and even individual aspects of certain rules, can be enabled individually.
The current release checks more than 900 rules in total across the five rule sets. A seventy-page PDF description of how Astrée handles each individual rule is available free of charge on request. Contact info@absint.com for a copy.
Below is only a quick overview of the supported rule categories.
MISRA C:2004 | ||
1 | Environment | ✓ |
2 | Language extensions | ✓ |
3 | Documentation | ✓ |
4 | Character sets | ✓ |
5 | Identifiers | ✓ |
6 | Types | ✓ |
7 | Constants | ✓ |
8 | Declarations and definitions | ✓ |
9 | Initialization | ✓ |
10 | Arithmetic type conversions | ✓ |
11 | Pointer type conversions | ✓ |
12 | Expressions | ✓ |
13 | Control statement expressions | ✓ |
14 | Control flow | ✓ |
15 | Switch statements | ✓ |
16 | Functions | ✓ |
17 | Pointers and arrays | ✓ |
18 | Structures and unions | ✓ |
19 | Preprocessing directives | ✓ |
20 | Standard libraries | ✓ |
21 | Run-time failures | ✓ |
MISRA C:2012 | ||
D | Directives | ✓ |
1 | A standard C environment | ✓ |
2 | Unused code | ✓ |
3 | Comments | ✓ |
4 | Character sets and lexical convention | ✓ |
5 | Identifiers | ✓ |
6 | Types | ✓ |
7 | Literals and constants | ✓ |
8 | Declarations and definitions | ✓ |
9 | Initialization | ✓ |
10 | The essential type model | ✓ |
11 | Pointer type conversions | ✓ |
12 | Expressions | ✓ |
13 | Side effects | ✓ |
14 | Control statement expressions | ✓ |
15 | Control flow | ✓ |
16 | Switch statements | ✓ |
17 | Functions | ✓ |
18 | Pointers and arrays | ✓ |
19 | Overlapping storage | ✓ |
20 | Preprocessing directives | ✓ |
21 | Standard libraries | ✓ |
22 | Resources | ✓ |
MISRA C:2012 Amendment 1 | ||
All 15 rules | ✓ | |
MISRA C:2012 Amendment 2 | ||
All 4 rules | ✓ | |
MISRA C:2012 Amendment 3 | ||
28 of 29 rules | ✓ | |
MISRA C++:2008 | ||
0 | Language-independent issues | ✓ |
1 | General | ✓ |
2 | Lexical conventions | ✓ |
3 | Basic concepts | ✓ |
4 | Standard conversions | ✓ |
5 | Expressions | ✓ |
6 | Statements | ✓ |
7 | Declarations | ✓ |
8 | Declarators | ✓ |
9 | Classes | ✓ |
10 | Derived classes | ✓ |
11 | Member access control | ✓ |
12 | Special member functions | ✓ |
14 | Templates | ✓ |
15 | Exception handling | ✓ |
16 | Preprocessing directives | ✓ |
17 | Library introduction | ✓ |
18 | Language support library | ✓ |
19 | Diagnostics library | ✓ |
27 | Input/output library | ✓ |
MISRA C++:2023 | ||
0 | Language-independent issues | ✓ |
4 | General principles | ✓ |
5 | Lexical conventions | ✓ |
6 | Basic concepts | ✓ |
7 | Standard conversions | ✓ |
8 | Expressions | ✓ |
9 | Statements | ✓ |
10 | Declarations | ✓ |
11 | Declarators | ✓ |
12 | Classes | ✓ |
13 | Derived classes | ✓ |
14 | Member access control | ✓ |
15 | Special member functions | ✓ |
16 | Overloading | ✓ |
17 | Templates | ✓ |
18 | Exception handling | ✓ |
19 | Preprocessing directives | ✓ |
21 | Language support library | ✓ |
22 | Diagnostics library | ✓ |
23 | General utilities library | ✓ |
24 | Strings library | ✓ |
25 | Localization library | ✓ |
26 | Containers library | ✓ |
28 | Algorithms library | ✓ |
30 | Input/output library | ✓ |
The following table lists the rules of the ISO/IEC TS 17961:2013 standard supported as of Astrée version 21.04. Greyed-out entries are only partially supported. Further details are available on request from info@absint.com.
accfree | Accessing freed memory | ✓ |
accsig | Accessing shared objects in signal handlers | ✓ |
addrescape | Escaping of the address of an automatic object | ✓ |
alignconv | Converting pointer values to more strictly aligned pointer types | ✓ |
argcomp | Calling functions with incorrect arguments | ✓ |
asyncsig | Calling functions in the C Standard Library other than abort, _Exit, and signal from within a signal handler | ✓ |
boolasgn | No assignment in conditional expressions | ✓ |
chrsgnext | Passing arguments to character-handling functions that are not representable as unsigned char | ✓ |
dblfree | Freeing memory multiple times | ✓ |
diverr | Integer division errors | ✓ |
filecpy | Copying a FILE object | ✓ |
funcdecl | Declaring the same function or object in incompatible ways | ✓ |
insufmem | Allocating insufficient memory | ✓ |
intoflow | Overflowing signed integers | ✓ |
intptrconv | Converting a pointer to integer or integer to pointer | ✓ |
inverrno | Incorrectly setting and using errno | ✓ |
invfmtstr | Using invalid format strings | ✓ |
invptr | Forming or using out-of-bounds pointers or array subscripts | ✓ |
ioileave | Interleaving stream inputs and outputs without a flush or positioning call | ✓ |
liberr | Failing to detect and handle standard library errors | ✓ |
libmod | Modifying the string returned by getenv, localeconv, setlocale, and strerror | ✓ |
libptr | Forming invalid pointers by library function | ✓ |
libuse | Using an object overwritten by getenv, localeconv, setlocale, and strerror | ✓ |
nonnullcs | Passing a non-null-terminated character sequence to a library function that expects a string | ✓ |
nullref | Dereferencing an out-of-domain pointer | ✓ |
padcomp | Comparison of padding data | ✓ |
ptrcomp | Accessing an object through a pointer to an incompatible type | ✓ |
ptrobj | Subtracting or comparing two pointers that do not refer to the same array | ✓ |
resident | Using identifiers that are reserved for the implementation | ✓ |
restrict | Passing pointers into the same object as arguments to different restrict-qualified parameters | ✓ |
sigcall | Calling signal from interruptible signal handlers | ✓ |
sizeofptr | Taking the size of a pointer to determine the size of the pointed-to type | ✓ |
strmod | Modifying string literals | ✓ |
swtchdflt | Use of an implied default in a switch statement | ✓ |
syscall | Calling system | ✓ |
taintformatio | Using a tainted value to write to an object using a formatted input or output function | ✓ |
taintnoproto | Using a tainted value as an argument to an unprototyped function pointer | ✓ |
taintsink | Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink | ✓ |
taintstrcpy | Tainted strings are passed to a string copying function | ✓ |
uninitref | Referencing uninitialized memory | ✓ |
usrfmt | Including tainted or out-of-domain input in a format string | ✓ |
xfilepos | Using a value for fsetpos other than a value returned from fgetpos | ✓ |
xfree | Reallocating or freeing memory that was not dynamically allocated | ✓ |
The current release covers more than 300 AUTOSAR rules in total. A detailed PDF description of how Astrée handles each individual rule is available free of charge on request. Contact info@absint.com for a copy.
Below is only a quick overview of the supported rule categories.
0 | Language independent issues | ✓ |
1 | General | ✓ |
2 | Lexical conventions | ✓ |
3 | Basic concepts | ✓ |
4 | Standard conversions | ✓ |
5 | Expressions | ✓ |
6 | Statements | ✓ |
7 | Declarations | ✓ |
8 | Declarators | ✓ |
9 | Classes | ✓ |
10 | Derived classes | ✓ |
11 | Member access control | ✓ |
12 | Special member functions | ✓ |
13 | Overloading | ✓ |
14 | Templates | ✓ |
15 | Exception handling | ✓ |
16 | Preprocessing directives | ✓ |
17 | Library introduction | ✓ |
18 | Language support library | ✓ |
19 | Diagnostics library | ✓ |
27 | Input/output library | ✓ |