RuleChecker release 18.04

C++ support

RuleChecker can now analyze C++ code. This release introduces support for a majority of MISRA C++:2008 rules.

Floating licenses

RuleChecker and Astrée now support floating licenses in addition to node-locked licenses. Any existing node-locked license can be upgraded to floating if desired. Contact support@absint.com with any questions.

Support for macOS

On request and for an additional fee, RuleChecker is now also available for macOS High Sierra 10.13 or newer.

Improved configuration

  • The ABI now allows the following types to be configured:

    • size_t
    • ptrdiff_t
    • wchar_t
    • wint_t
    • char16_t
    • char32_t
    • intptr_t
    • intmax_t
    • sig_atomic_t
  • New ABI option max_atomic_width for specifying the maximum width of lock-free atomic operations supported by the target.
  • Paths in RuleChecker configurations containing “..” are now normalized in batch mode execution as well. This does away with error messages of the form
    Unknown file in RuleChecker configuration: /a/path/with/../in/it.c
  • The configuration-specific base directory is now also applied to automatic includes.

Extended Qualification Support Kits

  • 28 new test cases for RuleChecker.
  • Seven new test cases for Astrée.

Improved reporting

  • The Output view and text report files now contain more detailed version and configuration information for the built-in preprocessor.
  • In both the Output view and text report, the analysis summary is now printed at the very end of the log, after postprocessing and printing of memory statistics.
  • Rule violations detected during runtime error analysis are now printed with full context information.
  • The analyzer no longer emits type C alarms about statically evaluable expressions when no runtime error analysis is performed.

Portable version

For all operating systems, the portable version now comes as a ZIP file. The top-level directory within is named after the ZIP file itself, including the build number, with the .app suffix added on macOS. This prevents different builds from overwriting each other upon unzip.

Under Linux, the ZIP file also contains the install script, should you later decide to install the software rather than running it from the unzipped directory.

Other improvements

  • Type abbreviations for array types are now supported.
  • Syntactically invalid conditions in an inactive #if directive no longer trigger error messages.
  • Rule checks are now also applied to size expressions of array declarators and to case labels.
  • Parser filters are no longer applied to #include directives when rule checking.
  • The check struct-type-incomplete now also reports non-compliant anonymous struct types, and no longer issues alarms for opaque pointers to structs/unions:
    struct ST *p; // Compliant even if no definition for ST is given
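The opaque-pointer pattern that struct-type-incomplete now accepts is worth seeing in full, since it is the standard way to hide a structure's layout behind an API. The following is an added example, not code from the RuleChecker documentation; the counter API and its -1 error code are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>

/*
 * Opaque handle. Callers only ever see this forward declaration, so every
 * 'struct counter *' they hold is a pointer to an incomplete type. The
 * struct-type-incomplete check now treats such declarations as compliant,
 * just like the 'struct ST *p;' case above.
 */
struct counter;

struct counter *counter_create(int start);
int counter_next(struct counter *c);
int counter_value(const struct counter *c);
void counter_destroy(struct counter *c);

/*
 * In a real project this definition lives in the implementation file and is
 * never exposed in the header; it is shown here only so the example is
 * self-contained. The (hypothetical) 'steps' field is private state that
 * callers cannot reach or corrupt except through the API.
 */
struct counter {
    int value;
    int steps;
};

struct counter *counter_create(int start)
{
    struct counter *c = malloc(sizeof *c);
    if (c == NULL) {
        return NULL;            /* propagate allocation failure, do not hide it */
    }
    c->value = start;
    c->steps = 0;
    return c;
}

/* Advances the counter; -1 is the hypothetical error code for a NULL handle. */
int counter_next(struct counter *c)
{
    if (c == NULL) {
        return -1;
    }
    c->steps++;
    return ++c->value;
}

/* Reads the current value without exposing the layout; -1 for a NULL handle. */
int counter_value(const struct counter *c)
{
    return (c == NULL) ? -1 : c->value;
}

void counter_destroy(struct counter *c)
{
    free(c);                    /* free(NULL) is defined to be a no-op */
}

/* Exercises the API end to end; returns the final value or -1 on failure. */
int counter_roundtrip(int start, int steps)
{
    struct counter *c = counter_create(start);
    int result;
    int i;
    if (c == NULL) {
        return -1;
    }
    for (i = 0; i < steps; i++) {
        (void)counter_next(c);
    }
    result = counter_value(c);
    counter_destroy(c);
    return result;
}
```

Because the only way to obtain a `struct counter *` is `counter_create`, and the only way to touch its fields is through the API, the incomplete type in the header is not a missing definition but a deliberate boundary; that is why the check no longer reports it.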

Bug fixes

  • Fixed false alarms for the check function-pointer-integer-cast when analyzing expressions involving null pointer constants.
  • Fixed an issue that could cause macro definitions for specific configurations to be applied to all files during rule checking.
  • Fixed missing RuleChecker alarms about potential side effects for calls to functions without definition when using the option auto-generate-stubs=no.

MISRA C++:2008

This is the first stable release of RuleChecker to support checking C++ code for compliance with MISRA C++:2008 rules.

MISRA-C:2004 and MISRA-C:2012

  • Improved precision of the side-effect analysis in the presence of array look-ups. This removes false alarms for the checks multiple-volatile-accesses and logop-side-effect, and the respective rules M.12.2, M2012.13.2, and M.12.4.
  • The default parameter of rule M.3.4 has changed such that it now rejects all uses of #pragma.
  • The rule arguments for M.19.2 and M2012.20.2 have been removed, as the distinction they supplied is no longer necessary. The relevant check include-characters has been split into the two checks include-characters and include-characters-backslash.
  • The check for rule M.5.1 is now also applied to macros.
  • Violations of the check non-standard-keyword are now also reported for the keywords typeof, __asm, __asm__, and __alignof__. This affects rules M2012.1.2 and M.1.1.
  • The checks statement-sideeffect and expression-statement-dead now warn about statements containing the ?: operator if at least one branch has no side effect. This affects rules M.14.2 and M2012.2.2.
  • Removed false alarms for rule M.19.5 by restricting the check define-in-block to function bodies.
  • The check type-compatibility (rule M.8.4) now uses the unqualified types of function parameters when checking for type compatibility.
  • In rare circumstances, RuleChecker considered a call to a function without definition a persistent side effect with respect to rule M2012.13.5. This has been fixed.
  • The check identifier-hidden now warns about hidden tags. This affects rule M.5.2.
  • The following checks have been extended to preprocessing directives:
    • octal-constant (M.7.1, M2012.7.1)
    • octal-escape-sequence (M.7.1)
    • other-escape-sequence (M.4.1)
  • The checks for M.12.11 and M2012.12.4 now also cover integer constant expressions where permitted by the standard (e.g. in switch cases, array designators, and enumeration constants).
  • The check bitop-type now also checks the sign of the right-hand side of shift operators (<<, >>, <<=, >>=). Furthermore, it now considers signed integer constants of positive value as underlying signed and reports rule violations in such cases. This affects rule M.12.7.
  • Removed false alarms for M.1.1, M.11.5, M2012.1.1, and M2012.11.8 when casting or assigning a string literal to a pointer to non-const char.
  • RuleChecker now warns about violations of rules M.1.1, M.11.5, M2012.1.1, and M2012.11.8 when accessing a struct or union member where the base object is qualified but the accessed member is not. Example:
    const struct { int non_const_qualified_member; } const_qualified_structure;
    
    // assignment-to-non-modifiable-lvalue
    const_qualified_structure.non_const_qualified_member = 0;
    
    // pointer-qualifier-cast
    (int *) &const_qualified_structure.non_const_qualified_member;
  • The check identifier-unique-typedef (rules M.5.3, M.5.6, M.5.7, and M2012.5.6) now reports the locations of both the typedef and the conflicting occurrence.
  • Fixed false alarm for check identifier-unique-tag in case of forward-declared structs. This affects rules M.5.4, M.5.6, M.5.7, and M2012.5.7.
  • Fixed the handling of type qualifiers for arrays. This affects the checks type-compatibility (rule M.8.4) and parameter-missing-const (rules M.16.7 and M2012.8.13).
  • The check reserved-identifier now warns about any identifier starting with an underscore, including identifiers of the standard library. This affects rules M.20.1, M2008.17.0.1, and M2012.21.1.
  • The check integral-type-name in rules M.6.3 and M2012.D.4.6 no longer warns about the use of _Bool, _Complex, and _Imaginary. The only check to warn about these type names is now integral-type-name-extended in rule X.A.5.6.
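The bitop-type change above (checking the sign of the right-hand side of shift operators, rule M.12.7) targets a real hazard: a negative or too-large shift count is undefined behaviour in C, and a signed count is exactly the operand shape in which that can happen silently. The following added example, not from the RuleChecker documentation, shows the operand discipline the check expects: an unsigned value and a count that is range-checked before it reaches <<. The function names and the -1 error value are hypothetical.

```c
#include <stdint.h>

/* Number of value bits in uint32_t; a shift count must be strictly smaller. */
#define U32_WIDTH 32u

/*
 * Non-compliant shape that bitop-type now reports (shown for reference only):
 *
 *     int shift(int value, int count) { return value << count; }
 *
 * Both operands are signed, and nothing prevents count from being -1 or 40.
 */

/*
 * Compliant shape: unsigned left operand, count validated before use.
 * Returns the shifted value (0 .. UINT32_MAX) on success or -1 when the count
 * is negative or not smaller than the operand width; both of those are
 * undefined behaviour for the raw << operator, so they are rejected up front.
 */
long long shl_u32_checked(uint32_t value, int count)
{
    if (count < 0 || (unsigned int)count >= U32_WIDTH) {
        return -1;
    }
    return (long long)(uint32_t)(value << (unsigned int)count);
}

/*
 * Stricter variant that also refuses shifts which would discard set bits.
 * For an unsigned operand this truncation is well-defined modular arithmetic,
 * so the analyzer does not flag it; whether it is a defect depends on what the
 * caller intends (for example when the result sizes a buffer).
 */
long long shl_u32_lossless(uint32_t value, int count)
{
    if (count < 0 || (unsigned int)count >= U32_WIDTH) {
        return -1;
    }
    /* Bits that would leave the top of the word are exactly value >> (32 - count). */
    if (count != 0 && (value >> (U32_WIDTH - (unsigned int)count)) != 0) {
        return -1;
    }
    return (long long)(uint32_t)(value << (unsigned int)count);
}
```

The cast of the count to unsigned happens only after the sign check, so the comparison against the width can never be fooled by a negative value wrapping to a huge one.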

MITRE CWE

  • Added support for rule CWE.476 and rule CWE.561.
  • Extended support for CWE.125, CWE.126, CWE.127, CWE.190, CWE.191, and CWE.823.

SEI CERT Secure C

  • Improved precision of the side-effect analysis in the presence of array look-ups. This removes false alarms for the checks multiple-volatile-accesses and logop-side-effect, and the respective rules CERT.EXP.2, CERT.EXP.10, and CERT.EXP.30.
  • The checks statement-sideeffect and expression-statement-dead now warn about statements containing the ?: operator if at least one branch has no side effect. This affects rule CERT.MSC.12.
  • The check reserved-identifier now warns about any identifier starting with an underscore, including identifiers of the standard library. This affects rule CERT.DCL.37.
  • The check bitop-type now considers signed integer constants of positive value as underlying signed and reports rule violations in such cases. This affects rule CERT.INT.13.
  • The check type-compatibility for rule CERT.DCL.40 now uses the unqualified types of function parameters when checking for type compatibility.
  • The check octal-constant for rule CERT.DCL.18 has been extended to preprocessing directives.

ISO/IEC TS 17961:2013

The check reserved-identifier now warns about any identifier starting with an underscore, including identifiers of the standard library. This affects rule ISO.17961.44.

Diagnostics

  • New rules:
    • A.1.7 warns about modifications of non-modifiable l-values.
    • A.1.8 together with the check initializer-excess warns about braced initializer lists exceeding the size of the object initialized.
    • A.1.9 together with the check redeclaration warns about re-declarations of an identifier without linkage in the same scope.
    • A.2.10 warns about binary constants such as 0b0101 (GCC extension).
    • A.5.1 warns when an invalid directive is dropped or when a directive contains an interval that exceeds the range of values of the respective type.
  • Violations of the check non-standard-keyword are now also reported for the keywords typeof, __asm, __asm__, and __alignof__. This affects rule A.2.7.
  • Fixed the handling of type qualifiers for arrays. This affects the check type-compatibility (rule A.1.1).
  • RuleChecker now warns about violations of rule A.1.7 when accessing a struct or union member where the base object is qualified but the accessed member is not. Example:

    const struct { int non_const_qualified_member; } const_qualified_structure;
    
    // assignment-to-non-modifiable-lvalue
    const_qualified_structure.non_const_qualified_member = 0;
    
    // pointer-qualifier-cast
    (int *) &const_qualified_structure.non_const_qualified_member;
  • The check type-compatibility (rule A.1.1) now uses the unqualified types of function parameters when checking for type compatibility.

Style and naming rules

  • New naming rules S.TYP.2.1-3 for checking the naming of typedefs for union types.
  • The S.1.x naming rules have been replaced. Old analysis configurations that enable these rules are automatically converted as follows:
    • S.1.1 → S.MCR.0.1
    • S.1.2 → S.OBJ.0.1
    • S.1.3 → S.TYP.0.1
    • S.1.4 → S.FCT.0.1
    • S.1.5 → S.ENM.0.1

Customer-specific rules

  • Added exceptions for rule X.B.5.1: the constants 0 and 1, and enumeration constant definitions.
  • Rule X.B.5.4 has been changed to use the check precedence, which checks that expressions are parenthesized according to MISRA-C:2012 rule 12.1.
  • Fixed false alarm for rule X.B.3.5 (check identifier-unique-tag) in case of forward-declared structs.
  • The check identifier-unique-typedef (rule X.B.3.5) now reports the locations of both the typedef and the conflicting occurrence.
  • The check identifier-hidden now warns about hidden tags. This affects rule X.A.5.14.
  • The checks octal-constant, octal-escape-sequence, simple-escape-sequence, and other-escape-sequence for rule X.A.3.8 have been extended to preprocessing directives.