Astrée and RuleChecker release 23.04

  • Added support for C++20.
  • Added support for MISRA C:2012 Amendment 3.
  • Updated the Clang/LLVM frontend to version 15.

New DAX version 1.15

  • Removed the top-level DAX tag <files/>. Files that do not require preprocessing must now be specified in preprocessor configurations with the additional tag <use-internal-preprocessor>no</use-internal-preprocessor>.
  • The tag <use-internal-preprocessor/> is no longer allowed directly inside of the <preprocess/> tag. It can now only be specified inside of individual preprocessor configurations, i.e. within <config/> tags.
  • Changed the specification of the comment mode. It is now specified in the new top-level tag <comment-mode>AAL|patterns</comment-mode>.
  • The attribute use-relative-paths=yes|no for items in the top-level tag <files/> is now deprecated.

Improved precision

  • Improved precision when casts from integers to floats are used in comparisons.
  • Improved precision of the congruence intervals domain.
  • Improved precision when checking for run-time errors in conditions, to prevent false alarms reported in previous releases.
  • Improved the precision of modulo with powers of two.
  • Improved precision when copying shared variables that are possibly zero-initialized.
  • More precise handling of bitwise & in conditions.
  • Improved the precision of __ASTREE_modify on arrays when the array index is an enumerator.
  • Improved the precision on non-linear expressions when sub-expressions can be handled by octagons.

Improved comments

  • Removed restrictions on the use of different mechanisms for commenting alarms.
    • The comment mode setting in the Info view of the GUI and the corresponding DAX tag no longer restricts which comment mechanism (AAL or Patterns) is available. Instead, it only specifies the preferred comment mechanism when commenting alarms in the Findings view.
    • The “comment alarm(s)…” dialog accessible via the context menu in the Findings view now allows selecting a particular comment mechanism, overriding the default specified by the comment mode when appropriate. This allows mixing AAL and Pattern comments in the same analysis project.
    • AAL comments are now enforced for alarms about rule violations when Pattern comments are not appropriate for technical reasons.
  • Overhauled the comment patterns feature. Comment patterns are now:
    • available for commenting alarms in the analysis config file
    • more strictly avoided for commenting rule violations
    • applicable to control_flow_anomaly alarms about non-returning functions

New options

  • no-partition-functions specifies a list of functions that are excluded from automatic partitioning.
  • warn-on-unsigned-integer-lshift-range for controlling warnings about overflows in unsigned left shifts.
  • precise-multiple-return-function applies automatic state-machine partitioning to functions with multiple returns. The option is only available in astree-cxx mode to enable a more precise analysis of such functions when using the clang-based C/C++ frontend.
  • New options for bounded analysis:
    • analysis-timeout specifies a timeout after which the analyzer starts a soft shutdown, collecting partial, unsound results.
    • shutdown-timeout allows specifying an additional timeout for the soft shutdown initiated by the option analysis-timeout.
  • Removed the option warn-on-integer-lshift-range. Existing analysis projects that enabled this option must now enable the two options warn-on-unsigned-integer-lshift-range and warn-on-signed-integer-lshift-range.

Improved directives

  • Improved the __ASTREE_partition_ranges directive to generate more appropriate partitions for small integer intervals.
  • Partitioning directives no longer cut the undefined cases when evaluating expressions with undefined behaviors. As a visible consequence, alarms may shift from partitioning directives to other statements of the program.
  • The directive __ASTREE_octagon_pack can now also be used in global scope, i.e. outside of function bodies.
  • Within functions, the directive __ASTREE_octagon_pack now also accepts variables of pointer type, used as arrays, and simple C expressions appearing as array indices in directive access paths. For example:
    void f(int x, int *arr, int n) {
      __ASTREE_octagon_pack((x, arr[0:n - 1]));
      ..
    }
  • The __ASTREE_modify and __ASTREE_initialize directives no longer accept arguments of the form ptr[] where ptr is a pointer. Such arguments should be replaced by ptr[lb..ub] where lb and ub are appropriate bounds for accessing ptr.
  • The __ASTREE_known_range directive now supports slice syntax when used with arrays and pointers, e.g. arr[0:2] or ptr[3:5].
  • Fixed an issue that could cause __ASTREE_octagon_pack and __ASTREE_boolean_pack to choose a variable from an out-of-scope function when addressing it using the var@function_name syntax.
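The following file is an added example (not code from the release notes or from AbsInt) showing the two new __ASTREE_octagon_pack forms described above, a pack at global scope and a pack over a pointer parameter addressed with the new arr[lb:ub] slice syntax, in a translation unit that still builds with an ordinary C compiler. It assumes that Astrée predefines the macro __ASTREE__; when that macro is absent, the directive is replaced by a harmless, repeatable struct declaration so that the trailing semicolon remains legal at file scope. The function and variable names are this example's own.

```c
/* Added example, not code from the Astrée release notes: 23.04
 * __ASTREE_octagon_pack usage at global scope and with the arr[lb:ub]
 * slice syntax on a pointer parameter, kept compilable without Astrée.
 * Assumption: Astrée predefines __ASTREE__; outside Astrée the directive
 * becomes a repeatable struct forward declaration (legal at file and
 * block scope), which is why the trailing ';' does not break the build. */
#include <stddef.h>

#ifndef __ASTREE__
#define __ASTREE_octagon_pack(pack) struct astree_directive_ignored
#endif

static int g_lo = 0;
static int g_hi = 100;

/* New in 23.04: an octagon pack at global scope, relating two globals. */
__ASTREE_octagon_pack((g_lo, g_hi));

/* Constructed sample input for the stand-alone run. */
static const int sample_data[5] = { -5, 10, 50, 200, 7 };

/* Sums arr[0..n-1] after clamping each element into [g_lo, g_hi].
 * The pack groups the loop counter, the bound n and the slice arr[0:n - 1]
 * so the octagon domain can track relations among them. The bound is a
 * variable, which the older [lb..ub] syntax would not allow. */
long clamped_sum(const int *arr, int n)
{
    int i = 0;
    __ASTREE_octagon_pack((i, n, arr[0:n - 1]));
    long sum = 0;
    if (arr == NULL) {
        return 0;                      /* nothing to read: empty sum */
    }
    for (i = 0; i < n; i++) {
        int v = arr[i];
        if (v < g_lo) v = g_lo;        /* clamp below */
        if (v > g_hi) v = g_hi;        /* clamp above */
        sum += v;
    }
    return sum;
}

/* Convenience entry point for the stand-alone run: clamps the sample
 * (-5 -> 0, 200 -> 100) and sums it. */
long example_sum(void)
{
    return clamped_sum(sample_data, 5);
}
```

When the same file is fed to Astrée (with __ASTREE__ defined), the #ifndef block is skipped and the directives are seen by the frontend; any other compiler only sees the struct declaration.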

Improved alarms

  • Alarms about invalid_pointer_arithmetics in array and field accesses now cut NULL and INVALID pointer values to prevent them from causing subsequent alarms.
  • Alarms about unbounded loops now only highlight the keyword of the loop instead of the complete loop.
  • Removed false alarms for shift_argument when the ABI value bits_of_byte is set to 16 bits.
  • Removed false alarms about field_overflow_upon_dereference for bit-fields.

Other improvements

  • Optimized analyzer for better performance on large, asynchronous code.
  • Uninstallation on Windows can now be made silent by providing the option /VERYSILENT to the installer.
  • Providing an analysis option that is not supported by the configured analysis mode (astree, astree-cxx, rulechecker) now triggers an error message.
  • It is now possible to start program slicing from declarations with an initializer that contains a function call.
  • Overhauled the implementation of the automatic partitioning heuristics. In rare cases the new behavior may differ from the old one, causing changes in precision and performance of affected analyses.
  • Improved the separate function heuristics.
  • Improved the display of context information (e.g. in alarm messages) for partitions produced by the __ASTREE_partition_expr directive.
  • The analyzer now distinguishes more clearly between arithmetic overflows with predictable result (on unsigned integers) and arithmetic overflows with unpredictable result (on signed integers). To this end, it now reports the latter as class A alarms using the new alarm key arithmetic_overflow_unpredictable.
  • Non-returning separately analyzed functions are now only reported at the call sites of such functions. The additional, redundant alarms at the function definitions, reported by previous versions, are now omitted.
  • The analyzer now distinguishes more clearly between arithmetic overflows on floats with predictable result (±∞ when keep-float-specials=yes) and with unpredictable result (floating-point exception raised when keep-float-specials=no). To this end, it now reports the latter as class A alarms using the new alarm key arithmetic_overflow_unpredictable.
  • Added new syntax [<lb>:<ub>] for specifying array slices in Astrée directives. In contrast to the [<lb>..<ub>] syntax for array slices, the new syntax works not only with plain constants for lb and ub, but also with arbitrary constant expressions or even variables, if supported by the directive.
  • Analyses on asynchronous code now report all processes that are created during the analysis, including additional information such as priorities and locks. The new information appears in the Output view and in the text report file in the new section “List of processes”.
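The distinction drawn above between predictable (unsigned, modular) and unpredictable (signed, undefined-behaviour) integer overflows, and between float overflows that yield ±∞ and those that raise an exception, is illustrated by the following added example. It is not code from the release notes or from AbsInt; all helper names are this example's own. It shows the wrap-around an analyzer may accept, the guard that excludes a signed overflow before the addition takes place, and a float multiplication that is checked against FLT_MAX before narrowing rather than relying on either infinity or a floating-point exception.

```c
/* Added example, not code from the Astrée release notes: predictable vs.
 * unpredictable arithmetic overflow, with the guards that keep the
 * unpredictable cases from happening. Helper names are this example's own. */
#include <stdint.h>
#include <float.h>

/* Unsigned wrap-around is defined by the C standard: the result is the
 * mathematical sum reduced modulo 2^32, so the outcome is predictable. */
uint32_t wrap_add_u32(uint32_t a, uint32_t b)
{
    return a + b;
}

/* Signed overflow is undefined behaviour (unpredictable result), so it is
 * excluded before the addition is evaluated. Returns 1 and stores the sum,
 * or 0 if a + b would leave [INT32_MIN, INT32_MAX]. */
int checked_add_i32(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b)) {
        return 0;                      /* would overflow: refuse */
    }
    *out = a + b;
    return 1;
}

/* Float overflow: a float*float product is exact in double (48 significand
 * bits fit in 53), so it can be compared against FLT_MAX before narrowing.
 * The negated comparison also rejects NaN, whose comparisons are all false.
 * Returns 1 and stores the product, or 0 if it does not fit a float. */
int checked_mul_f32(float a, float b, float *out)
{
    double p = (double)a * (double)b;
    if (!(p <= (double)FLT_MAX && p >= -(double)FLT_MAX)) {
        return 0;                      /* out of float range or NaN */
    }
    *out = (float)p;
    return 1;
}
```

A caller that only ever reaches the arithmetic through checked_add_i32 and checked_mul_f32 leaves no unpredictable overflow for the analyzer to report; the unsigned wrap in wrap_add_u32 remains a predictable overflow and is a separate review question of whether the wrap is intended.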

Integration with TargetLink

  • Added support for TargetLink 2022-B.
  • When looking for the <model>_pcf.c file required for the analysis, the toolbox now takes into account the output folder configuration.

Integration with KEIL μVision

  • The toolbox no longer generates deprecated <coverage-ignore> DAX elements.

  • Rule-checking related sections in the log output and text report have been renamed to better reflect their contents.
  • The new diagnostic rule B.1.7 (legacy-alarm-annotation) informs about suppress or comment directives that, for reasons of backwards compatibility, are applied to alarms with new alarm keys introduced in later releases.
  • New scope option for rule check configurations that controls whether a configuration applies to all the contents of the selected files or only to code that appears inside or outside of designated code blocks, respectively. The new RuleChecker option designated-block-comment specifies the comment pattern that identifies designated code blocks.
  • Improved the reporting of active rule checks in the text report and the Output view. They now contain only one section that lists all active rule checks.
  • Improved performance of application-wide code metrics calculation.

Rule sets and checks for C

  • Added support for MISRA C:2012 Amendment 3.
  • Improved coverage of rule CERT.PRE.6. The rule is now fully checked.
  • Replaced the check object-definition-without-extern by the new check global-object-declaration in rule X.F.30.

Rule sets and checks for C++

  • Messages about rule violations now report the C++ template instantiation(s) in which the corresponding checks are violated.
  • New checks:
    • dynamic_cast_in_constructor (M2008.12.1.1, AUTOSAR.12.1.1M)
    • typeid_in_constructor (M2008.12.1.1, AUTOSAR.12.1.1M)
    • cast-pointer-to-intptr and cast-pointer-void-to-intptr, split off from the checks cast-pointer-to-integer, cast-pointer-void-to-integer and associated with the same rules (M2008.5.2.9, AUTOSAR.5.2.9M)
    • include-guard-pragma-once (CERT.PRE.6, M2008.16.2.3, AUTOSAR.16.2.3M, M202x-DRAFT.000207), split from the check include-guard-missing to warn about usage of #pragma once as include guard. To allow the usage of #pragma once for certain rules, you can now deselect the new check.
  • Split the check macro-function-like (AUTOSAR.16.0.1A, CERT.PRE.0, M.19.7, M2008.16.0.4, M2008.16.2.1, M2012.D.4.9) into the two checks macro-function-like and macro-function-like-strict. This enables configuring whether function-like macros with __LINE__, __FILE__, __func__, or the operators # or ## shall be regarded as rule violations or not.

Rule sets and checks specific to Astrée

  • New diagnostic check unknown-component (A.5.7) that warns about unknown component names used in the option component-pairs-under-observation.
  • If the memory block specified by an __ASTREE_absolute_address directive does not fit into the addressable memory, the directive is now ignored and a violation of the check invalid-directive is reported.

Enhancements, clarifications, refinements, and fixes

Both C and C++

  • Fixed errors that could occur during rule checking due to unresolved environment variables in the preprocessor configuration.
  • Removed false negatives for the check function_name_usage (M2008.8.4.4, AUTOSAR.8.4.4M) when function identifiers are not subject to pointer decay.
  • Removed false positives for the check parameter-name-match (AUTOSAR.8.4.2M, M.16.4, M2008.8.4.2, M2012.8.3, M202x-DRAFT.000149). The check no longer reports unnamed parameters as a conflict.
  • Declarations in files excluded from rule checks are no longer considered for the check parameter-name-match (AUTOSAR.8.4.2M, M.16.4, M2008.8.4.2, M2012.8.3, M202x-DRAFT.000149).
  • The new check precedence-pp warns about missing parentheses in expressions evaluated by the preprocessor. This removes false negatives for the rules AUTOSAR.5.0.2M, M.12.1, M2008.5.0.2, and M2012.12.1.
  • Rule violations are now consistently reported only in files that use the language(s) addressed by the corresponding rule set.
  • Extended the check parameter-name-match (AUTOSAR.8.4.2M, M.16.4, M2008.8.4.2, M2012.8.3, M202x-DRAFT.000149) to remove false negatives regarding different parameter names in different translation units when at least one translation unit is C++.

C code

  • Removed false positives for the check parameter-missing-const (CERT.DCL.0, CERT.DCL.13, M.16.7, M2012.8.13). It no longer warns about parameters passed to __astree_bzero, __astree_memcpy, or __ASTREE_trash.
  • Removed false positives for the check uninitialized-local-read (CERT.EXP.33, CWE.456, CWE.457, CWE.665, CWE.824, CWE.908, ISO17961.uninitref, M.9.1, M2012.9.1) when taking the address of an array that is part of a struct.
  • Removed false negatives for the following checks, which did not warn about conversions applied to arrays converted to pointer (cf. C11 §6.3.2.1):
    • incompatible-object-pointer-conversion (A.1.11, CERT.MSC.40, M.1.1, M2012.D.2.1, M2012.1.1)
    • pointer-qualifier-cast-const (CERT.EXP.5, CERT.EXP.40, M.11.5, M2012.11.8)
    • pointer-qualifier-cast-volatile (M.11.5, M2012.11.8)
  • Removed false positives for the check return-reference-local (CERT.DCL.30, CERT.ARR.30, ISO17961.addrescape, M.17.6, M2012.18.6), which erroneously warned about values taken from objects of struct types, if a preceding assignment to another field of that struct stored a pointer to a local variable.
  • Removed false positives for the check evaluation-order (A.4.1, CERT.EXP.10, CERT.EXP.30, M.12.2, M2012.1.3, M2012.13.2) that could occur when implicitly taking the address of an array.
  • The check pointer-cast-alignment no longer warns about null pointer constants.
  • Removed false positives for the check return-implicit (CERT.MSC.37, M.16.8, M2012.17.4, X.F.41). It no longer warns about asm functions.
  • Refined the rule check return-value-type (X.F.39) to ignore conversions that only affect type qualifiers.
  • Improved the rule check multiple-instructions-per-line (X.F.1). It now ignores statements stemming from macro invocations.
  • Removed an issue that caused the analyzer to report an “Out of memory” error during rule checks.
  • Updated the coverage information for rule M2012.D.4.7, which is checked only partially even when Astrée is used.
  • Violations of the check parameter-name-match (M.16.4, M2012.8.3) are now reported at the parameter declaration and not the function name.
  • Removed false negatives for the check function-pointer-cast (M2012.11.1) which did not warn about casts changing qualifiers in parameter types.
  • Removed false negatives for the checks type-compatibility-link and type-compatibility (A.1.1, CERT.DCL.40, CERT.MSC.40, ISO17961.funcdecl, M.1.1, M.8.4, M2012.D.2.1, M2012.1.1) which in some cases did not report declarations with different use of volatile qualifiers in typedefs.
  • Violations of the checks include-characters, include-characters-backslash, and include-characters-sline (M.19.2, M2012.20.2) are no longer reported for code that is excluded by preprocessor directives (e.g. using #if 0 ... #endif).

C++ code

  • Fixed false negatives for the checks octal_escape_sequence (M2008.2.13.2, AUTOSAR.2.13.2M), float_suffix (M2008.2.13.4, AUTOSAR.2.13.4M), long_suffix (M2008.2.13.4, AUTOSAR.2.13.4M), digit_separator_placement (AUTOSAR.13.6.1A), and hexadecimal_lower_case_digit (AUTOSAR.2.13.5A) for literals used within macro expansions.
  • Fixed the detection of subexpressions and expression statements in the presence of temporaries. This removes:
    • false positives for the checks conditional_as_sub_expression (AUTOSAR.5.16.1A) and unary_assign_separation (AUTOSAR.5.2.10M, M2008.5.2.10)
    • false negatives for the checks constructor_call_statement (AUTOSAR.6.2.2A), function_return_unused (AUTOSAR.0.1.2A, M2008.0.1.7), and error_information_unused (AUTOSAR.0.3.2M, CERT-CPP.ERR.33C, M2008.0.3.2).
  • Fixed identification of forwarding references in the presence of parameter packs. This removes false positives and false negatives for the checks forward-parameter (AUTOSAR.8.4.6A), move-forwarding-reference (AUTOSAR.18.9.2A), forward-rvalue-reference (AUTOSAR.18.9.2A), and consume-parameter (AUTOSAR.8.4.5A).
  • Extended the calculation of metrics to more template functions. This removes false negatives for all threshold checks (ruleset T).
  • The check expensive-to-copy (AUTOSAR.8.4.7A) no longer warns about parameters of non-copy-constructible types.
  • The check array-argument-to-pointer-decay (AUTOSAR.5.2.12M, M2008.5.2.12) now also warns about non-identifier expressions of array type that are subject to pointer decay.
  • Adjusted the check precedence (M2008.5.0.2, AUTOSAR.5.0.2M) to follow the more precise descriptions used in M202x-DRAFT and M2012. In particular, expressions with different operators but of the same precedence no longer require explicit parentheses, e.g. a + b - c no longer violates this check.
  • The checks member-function-missing-const and member-function-missing-static (M2008.9.3.3, AUTOSAR.9.3.3M) no longer report violations for templated methods when the body uses dependent calls that cannot be resolved without instantiation. This removes false positives for these checks. For instantiations of templated methods, all violations are reported as before.
  • Removed false positives for the check functional-cast (M2008.5.2.4, M202x-DRAFT.000089) when the type is a deduced template specialization and the expression thus constitutes an object construction and not a functional cast.
  • Rule violations that concern explicit function template instantiations are now reported at the declaration of the corresponding template.
  • Removed false negatives for the check unused-local-variable (M2008.0.1.3, AUTOSAR.0.1.3M, M202x-DRAFT.000003) when C++17 structured bindings are used.
  • Removed false alarms for the check unused-local-variable (M2008.0.1.3, AUTOSAR.0.1.3M, M202x-DRAFT.000003) within the scope of not instantiated templates.
  • The check enum-usage-overloaded-operator no longer reports enum usage in operator() and operator,. This removes false positives with respect to a revised interpretation of AUTOSAR.4.5.1A.
  • The check enum-usage no longer reports enum usage in the operators ?: and ,. This removes false positives with respect to a revised interpretation of M2008.4.5.2 and AUTOSAR.4.5.1A.
  • Removed false positives for the check member-function-missing-static (M2008.9.3.3, AUTOSAR.9.3.3M) with virtual functions.
  • Removed false positives for the check undefined-extern (AUTOSAR.3.2.2M, AUTOSAR.3.2.4M, CERT-CPP.DCL.60, M2008.3.2.2, M2008.3.2.4) with constexpr static data members.
  • The base classes list of class and variable template specializations/instantiations is no longer ignored. This removes false negatives and false positives for all C++ checks.
  • Removed false positives for the check c-style-cast (AUTOSAR.5.2.2A, M2008.5.2.4). It no longer reports the use of non-type template arguments as cast.
  • Removed false positives for the check check_precedence (AUTOSAR.5.0.2M, M2008.5.0.2).
  • Removed false positives for the check logop-postfix-operand (M2008.5.2.1).

Server and server controller

  • Improved responsiveness of the server when importing large AAF files or creating revisions of large analysis projects.
  • Fixed an issue that caused the analysis server to crash when
    • trying to import an AAF file from a later release
    • connecting a client to a project with an unsupported analysis version using the command line option --id <analysis-id>
  • Fixed an issue that could trigger a “Cannot commit analysis state” error on analysis start after restarting a server with a different system user or after switching from a user-space server to a service without changing the data directory.
  • The server log file now uses the JSON line format.
  • Improved stability of the analysis server.
  • Improved performance of the network communication between server and client.
  • Fixed the encoding used for the XML output of the server-controller command-line interface.

Client GUI, batch mode, and report files

  • Files that do not require preprocessing are now specified in the Preprocessor view. The new flag “Use the built-in preprocessor” specifies for each preprocessor configuration whether or not the listed files require preprocessing by the internal preprocessor.
  • Removed the preprocessor option “Remove analysis files before importing preprocessed files” from the client GUI.
  • The tag <function> of the XML report file has been extended by the new optional attribute “tu=pX” to indicate that a function has internal linkage and is the instance in the translation unit represented by preprocessed file pX.
  • Importing options from a DAX file into an existing project now also overwrites options that are set to non-default values in the project (e.g. with their default value specified in the imported DAX file).
  • Improved error reporting on DAX import.
  • Improved the identifier search for identifiers in macro expansions, so that all such identifiers are now found at the locations at which they appear literally in the code.
  • The project monitor has been reworked to display additional information, e.g. used and available server memory and disk space.
  • Tooltips in editor windows now stay longer before disappearing.
  • Errors that occur during JSON compilation database import in batch mode are now reported via stderr.
  • The copy action in the annotations view now also copies the alarm location comments of AAL comment directives, if available.
  • The Global data flow view has been extended to show the kind of data race that a variable is involved in:
    • no (not involved in a data race)
    • rw (involved only in read-write data races)
    • ww (involved only in write-write data races)
    • rw+ww (involved in both read-write and write-write data races).
  • The tag <variable/> in XML report files has been extended by the new attributes has_read_write_datarace and has_write_write_datarace that indicate whether a variable is involved in a read-write or write-write data race.
  • Fixed an issue that on Windows prevented the context menu for alarm comments in the editor views from being displayed.
  • In the Control flow and Global Data flow views, the core a process runs on is now also displayed for non-AUTOSAR projects.
  • Changed order of the columns Application and Core in custom reports with data flow and/or control flow information.
  • Fixed location information for additional lines (as reported for some findings) in the XML report.
  • The new batch mode option --preprocess-only allows running only the preprocessing without running the subsequent analysis. The option is useful in conjunction with --export for creating AAF files in batch mode. These AAF files then contain the analysis setup plus all preprocessed and original source files. The actual analysis can be performed later, possibly on different machines, by importing the AAFs and triggering the analysis.
  • The Global Data Flow view now also displays the phase in which a variable is read or written by a process.

Frontends and preprocessor

  • Removed errors about missing source files caused by source directives mixed with nested comments and parentheses within the same comment.
  • Improved compatibility of the preprocessor with ClearCase drives.
  • The C frontend now supports the GCC builtin type __builtin_va_list and the following GCC builtin functions:
    • __builtin_va_arg
    • __builtin_va_copy
    • __builtin_va_end
    • __builtin_va_start
  • Fixed an issue that could cause the C++ frontend to crash when encountering recursively inheriting templates.
  • Fixed a corner case regarding the “Patterns to ignore” feature that could cause a function filter to remove code blocks following a #define directive in which the filter matched.
  • The C frontend now rejects initializing a struct/union/array by a scalar without braces.
  • The C frontend now by default uses internal linkage for functions with the asm specifier (asm macros).
  • The JSON compilation database importer now recognizes the compile option -include <file> and maps it to an auto-include in the generated preprocessor configuration.
  • Improved handling of _Atomic and _Thread_local in the C frontend.
  • The C frontend now supports the following GCC builtin functions:
    • __atomic_compare_exchange_n
    • __atomic_exchange_n
    • __atomic_fetch_add
    • __atomic_fetch_and
    • __atomic_fetch_or
    • __atomic_fetch_sub
    • __atomic_fetch_xor
    • __atomic_load_n
    • __atomic_store_n
  • Fixed the parsing of the __ASTREE_comment directive in the C++ analysis mode to remove parse errors such as
    frontend_clang: arguments to ASTREE directive cannot be parsed

Stub libraries, ABIs, OS and compiler configurations

  • Removed legacy stub code for the AUTOSAR modules NvM and Dem. Stubbing these modules is no longer necessary.
  • Fixed converting constructor of std::deque::const_iterator from std::deque::iterator in the more abstract STL stubs to remove false alarms about definite runtime errors.
  • Updated and improved the ARINC-653 OS stubs.
  • Rule violations in the generated part of the OSEK stubs are now automatically suppressed. Astrée directives that are generated into these files no longer appear in the list of “Further directives” in the reports.
  • Fixed type-generic macros in the tgmath.h header of the C stub library.
  • Invocations of the error() function in the OSEK/AUTOSAR stubs are now reported as definite run-time errors, stopping the analysis for the corresponding contexts. This generally results in more efficient and precise analyses. The old behavior, i.e. continuing with the analysis without reporting an error, can be restored by defining the preprocessor macro KEEP_OSEKSTUB_ERRORS in the preprocessor settings for the OSEK/AUTOSAR stubs.

Qualification Support Kits

  • MISRA C++:2008 is now completely covered by the RuleChecker QSK.
  • The driver program to run QSK packages has been renamed to qualify.

New test cases in the Astrée QSK

  • qk_alarm_arithmetic_overflow_unpredictable
  • qk_check_bad_macro_use
  • qk_check_function_prototype
  • qk_check_legacy_alarm_annotation
  • qk_check_local_object_name_max_length
  • qk_check_global_object_name_max_length
  • qk_check_realloc_zero
  • qk_check_static_function_declaration
  • qk_check_static_object_declaration
  • qk_check_static_object_name_max_length
  • qk_check_stdbool_redefine
  • qk_check_storage_class_placement
  • qk_check_unknown_component
  • qk_commandline_preprocess_only
  • qk_filter_expressions_alternatives
  • qk_option_analysis_timeout
  • qk_option_no_partition_functions
  • qk_option_shutdown_timeout
  • qk_option_warn_on_unsigned_integer_lshift_ranges
  • qk_rule_a_5_7
  • qk_rule_b_1_7
  • qk_rule_s_obj_0_3

The test cases qk_filter_expressions_directives, qk_filter_pragma_asm, qk_option_warn_on_integer_lshift_ranges, and qk_option_remove_analysis_files have been removed from the Astrée QSK.

Two test cases have been renamed:

  • qk_filter_expressions_alternatives_special_characters → qk_filter_expressions_special_characters
  • qk_filter_expressions_dot_star → qk_filter_expressions_dot_repetitions

Astrée QSK test cases extended to C++

  • qk_option_analysis_entry
  • qk_option_c_version
  • qk_option_code_lines
  • qk_option_continue_on_definite_rte
  • qk_option_cut_arithmetic_operations_on_null
  • qk_option_cut_integer_division_by_zero
  • qk_option_cxx_version
  • qk_option_generate_undeclared_absolute_addresses
  • qk_option_inline_semantics
  • qk_option_keep_float_specials
  • qk_option_metrics
  • qk_option_skip_analysis
  • qk_check_stdlib_limits
  • qk_option_equality

New test cases in the RuleChecker QSK

  • qk_check_alignas_zero
  • qk_check_alignment_specification_mismatch
  • qk_check_alignment_specification_mismatch_link
  • qk_check_bad_function_use
  • qk_check_bad_macro_use
  • qk_check_bad_pragma_use
  • qk_check_bad_type_use
  • qk_check_cast_pointer_to_intptr
  • qk_check_cast_pointer_void_to_intptr
  • qk_check_class_inconsistent_definitions
  • qk_check_dynamic_cast_in_constructor
  • qk_check_exception_specification_mismatch_link
  • qk_check_generic_association_qualified_type
  • qk_check_generic_association_type
  • qk_check_generic_function_namespace
  • qk_check_generic_operator_namespace
  • qk_check_generic_selection_default_position
  • qk_check_generic_selection_essential_type_mismatch
  • qk_check_generic_selection_ignores_parameters
  • qk_check_generic_selection_outside_macro
  • qk_check_generic_selection_pointer_conversion
  • qk_check_generic_selection_without_non_default
  • qk_check_hexadecimal_lower_case_digit
  • qk_check_inappropriate_float
  • qk_check_inappropriate_type_tgmath
  • qk_check_include_guard_pragma_once
  • qk_check_inconsistent_alignment_specification
  • qk_check_inconsistent_alignment_specification_link
  • qk_check_invalid_noreturn
  • qk_check_logop_postfix_operand
  • qk_check_macro_function_like_strict
  • qk_check_missing_noreturn
  • qk_check_multiple_alignas
  • qk_check_noreturn_void
  • qk_check_precedence_pp
  • qk_check_qualified_function_type
  • qk_check_realloc_zero
  • qk_check_register
  • qk_check_return_reference_parameter_const
  • qk_check_stdbool_redefine
  • qk_check_stdint_constant_macro_argument
  • qk_check_stdlib_use_alloc_strict
  • qk_check_storage_class_placement
  • qk_check_temporary_array_to_pointer_conversion
  • qk_check_tgmath_argument_type_compatible
  • qk_check_typeid_in_constructor
  • qk_check_undefined_extern_pure_virtual
  • qk_check_unhandled_throw_noexcept
  • qk_check_union_bitfield_member
  • qk_commandline_preprocess_only
  • qk_dax_rulechecks_scope
  • qk_externaldeclaration_one_function
  • qk_externaldeclaration_typedef
  • qk_filter_expressions_alternatives
  • qk_filter_expressions_begin_and_end_of_line
  • qk_filter_expressions_char_set
  • qk_filter_expressions_dot_repetitions
  • qk_filter_expressions_naming
  • qk_filter_expressions_special_characters
  • qk_filter_expressions_word_boundaries
  • qk_option_designated_block_comment
  • qk_filter_ignore
  • qk_filter_more_functions
  • qk_filter_one_function
  • qk_filter_replacement
  • qk_rule_autosar_0_1_1a
  • qk_rule_autosar_0_1_2m
  • qk_rule_autosar_0_1_3m
  • qk_rule_autosar_0_1_9m
  • qk_rule_autosar_0_3_2m
  • qk_rule_autosar_0_4_4a
  • qk_rule_autosar_14_5_3a
  • qk_rule_autosar_15_4_2a
  • qk_rule_autosar_15_5_3a
  • qk_rule_autosar_16_0_2m
  • qk_rule_autosar_16_1_1m
  • qk_rule_autosar_16_1_2m
  • qk_rule_autosar_16_2_1a
  • qk_rule_autosar_17_0_1a
  • qk_rule_autosar_18_0_2a
  • qk_rule_autosar_18_0_3m
  • qk_rule_autosar_18_2_1m
  • qk_rule_autosar_18_5_10a
  • qk_rule_autosar_18_5_1a
  • qk_rule_autosar_18_5_6a
  • qk_rule_autosar_2_10_1a
  • qk_rule_autosar_2_10_1m
  • qk_rule_autosar_2_13_2m
  • qk_rule_autosar_2_13_3m
  • qk_rule_autosar_2_13_4m
  • qk_rule_autosar_2_13_5a
  • qk_rule_autosar_2_5_1a
  • qk_rule_autosar_3_2_1m
  • qk_rule_autosar_3_2_2m
  • qk_rule_autosar_3_2_4m
  • qk_rule_autosar_3_3_2m
  • qk_rule_autosar_3_8_1a
  • qk_rule_autosar_3_9_1a
  • qk_rule_autosar_5_0_10m
  • qk_rule_autosar_5_0_2m
  • qk_rule_autosar_5_0_3a
  • qk_rule_autosar_5_2_10m
  • qk_rule_autosar_5_2_3a
  • qk_rule_autosar_5_2_6m
  • qk_rule_autosar_5_2_8m
  • qk_rule_autosar_5_3_2a
  • qk_rule_autosar_5_3_2m
  • qk_rule_autosar_5_6_1a
  • qk_rule_autosar_5_8_1m
  • qk_rule_autosar_6_4_3m
  • qk_rule_autosar_6_4_5m
  • qk_rule_autosar_6_5_2a
  • qk_rule_autosar_6_6_1m
  • qk_rule_autosar_7_1_4a
  • qk_rule_autosar_7_4_1m
  • qk_rule_autosar_7_5_1a
  • qk_rule_autosar_7_5_1m
  • qk_rule_autosar_7_6_1a
  • qk_rule_autosar_8_4_4m
  • qk_rule_autosar_8_5_2m
  • qk_rule_autosar_9_6_4m
  • qk_rule_cert_cpp_arr_30c
  • qk_rule_cert_cpp_dcl_30c
  • qk_rule_cert_cpp_dcl_40c
  • qk_rule_cert_cpp_dcl_51
  • qk_rule_cert_cpp_dcl_60
  • qk_rule_cert_cpp_env_33c
  • qk_rule_cert_cpp_err_33c
  • qk_rule_cert_cpp_err_50
  • qk_rule_cert_cpp_err_51
  • qk_rule_cert_cpp_err_55
  • qk_rule_cert_cpp_exp_34c
  • qk_rule_cert_cpp_exp_54
  • qk_rule_cert_cpp_exp_55
  • qk_rule_cert_cpp_int_33c
  • qk_rule_cert_cpp_mem_30c
  • qk_rule_cert_cpp_mem_31c
  • qk_rule_cert_cpp_mem_50
  • qk_rule_cert_cpp_mem_51
  • qk_rule_cert_cpp_mem_54
  • qk_rule_cert_cpp_msc_53
  • qk_rule_cert_cpp_oop_57
  • qk_rule_m_1_2
  • qk_rule_m2008_0_1_2
  • qk_rule_m2008_0_1_3
  • qk_rule_m2008_0_1_6
  • qk_rule_m2008_0_1_9
  • qk_rule_m2008_0_3_2
  • qk_rule_m2008_14_5_1
  • qk_rule_m2008_15_4_1
  • qk_rule_m2008_15_5_3
  • qk_rule_m2008_16_0_2
  • qk_rule_m2008_16_0_3
  • qk_rule_m2008_16_1_1
  • qk_rule_m2008_16_1_2
  • qk_rule_m2008_16_2_4
  • qk_rule_m2008_17_0_1
  • qk_rule_m2008_18_0_2
  • qk_rule_m2008_18_0_3
  • qk_rule_m2008_18_2_1
  • qk_rule_m2008_18_4_1
  • qk_rule_m2008_2_10_1
  • qk_rule_m2008_2_10_2
  • qk_rule_m2008_2_10_3
  • qk_rule_m2008_2_13_2
  • qk_rule_m2008_2_13_3
  • qk_rule_m2008_2_13_4
  • qk_rule_m2008_2_3_1
  • qk_rule_m2008_3_2_1
  • qk_rule_m2008_3_2_2
  • qk_rule_m2008_3_2_4
  • qk_rule_m2008_3_3_2
  • qk_rule_m2008_3_9_2
  • qk_rule_m2008_5_0_10
  • qk_rule_m2008_5_0_19
  • qk_rule_m2008_5_0_2
  • qk_rule_m2008_5_2_10
  • qk_rule_m2008_5_2_5
  • qk_rule_m2008_5_2_6
  • qk_rule_m2008_5_2_8
  • qk_rule_m2008_5_3_2
  • qk_rule_m2008_5_8_1
  • qk_rule_m2008_6_4_3
  • qk_rule_m2008_6_4_5
  • qk_rule_m2008_6_4_8
  • qk_rule_m2008_6_5_1
  • qk_rule_m2008_6_6_1
  • qk_rule_m2008_6_6_4
  • qk_rule_m2008_7_4_1
  • qk_rule_m2008_7_5_1
  • qk_rule_m2008_7_5_3
  • qk_rule_m2008_8_4_4
  • qk_rule_m2008_8_5_2
  • qk_rule_m2008_9_6_4
  • qk_rule_m2012a3_10_1
  • qk_rule_m2012a3_1_4
  • qk_rule_m2012a3_1_5
  • qk_rule_m2012a3_17_10
  • qk_rule_m2012a3_17_11
  • qk_rule_m2012a3_17_12
  • qk_rule_m2012a3_17_13
  • qk_rule_m2012a3_17_9
  • qk_rule_m2012a3_18_9
  • qk_rule_m2012a3_21_11
  • qk_rule_m2012a3_21_12
  • qk_rule_m2012a3_21_22
  • qk_rule_m2012a3_21_23
  • qk_rule_m2012a3_21_24
  • qk_rule_m2012a3_23_1
  • qk_rule_m2012a3_23_2
  • qk_rule_m2012a3_23_3
  • qk_rule_m2012a3_23_4
  • qk_rule_m2012a3_23_5
  • qk_rule_m2012a3_23_6
  • qk_rule_m2012a3_23_8
  • qk_rule_m2012a3_6_3
  • qk_rule_m2012a3_7_5
  • qk_rule_m2012a3_8_15
  • qk_rule_m2012a3_8_16
  • qk_rule_m2012a3_8_17

The test cases qk_aal_comment_pattern_basic and qk_option_remove_analysis_files have been removed from the RuleChecker QSK.

The test case include-guard-missing has been extended to C.

RuleChecker QSK test cases extended to C++

  • qk_check_bitfield_signed_size
  • qk_check_bitop_recast
  • qk_check_boolean_invariant_expression
  • qk_check_defined_generation
  • qk_check_defined_usage
  • qk_check_definition_duplicate
  • qk_check_error_information_unused
  • qk_check_function_name_usage
  • qk_check_function_pointer_cast
  • qk_check_goto_nesting
  • qk_check_identifier_hidden
  • qk_check_identifier_unique_typedef
  • qk_check_include_characters
  • qk_check_include_characters_sline
  • qk_check_initializer_complete_strict
  • qk_check_initializer_shape
  • qk_check_keyword_override
  • qk_check_long_suffix
  • qk_check_macro_argument_hash
  • qk_check_octal_escape_sequence
  • qk_check_offsetof
  • qk_check_pointer_qualifier_cast_const
  • qk_check_precedence
  • qk_check_precedence_pp
  • qk_check_reserved_identifier
  • qk_check_return_reference_local
  • qk_check_shift_width_constant
  • qk_check_static_function_declaration
  • qk_check_stdlib_limits
  • qk_check_stdlib_use_alloc
  • qk_check_stdlib_use_ato
  • qk_check_stdlib_use_getenv
  • qk_check_stdlib_use
  • qk_check_switch_clause_break_continue
  • qk_check_switch_clause_break_return
  • qk_check_trigraph
  • qk_check_unary_assign_separation
  • qk_check_undefined_extern
  • qk_check_underlying_minus
  • qk_check_undocumented_asm
  • qk_check_unused_label

Known issues

ID | Short summary for 23.04 | Status in 23.10 | Status in 24.10
2304-00298 | If a process may run in several phases, the analysis may fail to consider some possible values. | persists | fixed
2304-01422 | __ASTREE_partition_ranges may fail to cover all possible floating point values when used with several intervals whose integer bounds relate in a specific way. | persists | fixed
2304-05631 | Intermediate values written by non-realtime processes may not be considered by realtime processes with the same priority. | fixed | fixed
2304-11071 | C++ analysis may silently stop contexts in which the evaluation of __ASTREE_partition_expr fails. | fixed | fixed
2304-11615 | Upon activating the Interpolation domain, conversion-overflow alarms may be missing. | persists | fixed
2304-17206 | Under specific circumstances, a comparison between pointers converted to integers may be unsound. | persists | fixed
2304-21244 | With a specific combination of option settings, the Equality domain may miss some of the possible values. | persists | fixed
2304-21667 | In two specific scenarios, the Interpolation domain may remove actually possible values and justified alarms about overflows. | persists | fixed
2304-27280 | Analysis of C++ code may fail to alarm about invalid pointer subtraction under specific circumstances. | persists | fixed
2304-31291 | With the option cut-write-to-const=yes, the effect of __ASTREE_modify on constant bytes is not propagated in certain scenarios. | fixed | fixed
2304-32124 | The option exclude-signed-in-unsigned-overflows may hide conversion-overflow alarms for expressions that contain casts from signed to unsigned and then to enum. | persists | fixed
2304-37864 | The Gauge domain may miss some of the incoming values for a variable assigned in a loop. | persists | fixed
2304-41330 | With anonymous structs or unions, alignment and size of types may be wrong for C code (C++ not affected). | fixed | fixed
2304-42241 | Effects of other processes may not be fully considered when a separately-analyzed function enters a critical section but does not leave it. | fixed | fixed
2304-47889 | When using the Octagon domain, the analysis may fail to take some possible rounding errors into account. | fixed | fixed
2304-51344 | When the alignment of the underlying type of a bitfield is different from the size of that type, the analysis may compute a wrong layout under specific circumstances. | persists | fixed
2304-54870 | For variables with absolute addresses, misaligned dereferences may not be reported under certain circumstances. | persists | fixed
2304-58263 | The Octagon domain computes wrong bounds for divisions in which the dividend is an integer > 9007199254740992 (2^53). | persists | fixed
2304-61346 | Analysis uses C99 scoping of iteration and selection statements when the language version is set to C90. | persists | fixed
2304-65218 | Tainting is not propagated through certain expressions and statements. | persists | fixed
2304-69013 | Under specific circumstances, the C frontend may assume wrong types in parameter type lists. | persists | fixed
2304-71355 | With the non-default ABI setting enum_preferred_sign=unsigned, enumerators get the wrong type. | fixed | fixed
2304-75228 | Writing to an array element using a tainted index does not taint the written array elements. | persists | fixed
2304-79444 | Global assertion failures on smashed integer arrays may lead to missing values. | fixed | fixed
2304-81360 | Initializers for volatile array elements or volatile struct and union members may be ignored in certain cases. | persists | fixed
2304-85245 | Five additional scenarios for known issue 2304-55218 when the option track-taint-hues is combined with certain directives. | persists | fixed
2304-91367 | Invalid pointer comparison alarms may be missing when comparing two null pointers in arithmetic expressions. | persists | fixed
2304-95261 | Taints may not be propagated between asynchronous processes when using memcpy or copy assignment. | persists | fixed

If you cannot upgrade to a more recent release for any reason, please write to support@absint.com with any issue IDs of interest to receive further details, code examples, tell-tale symptoms, and known workarounds.