Zurzeit ist diese Übersicht nur in Englisch verfügbar.
SEI CERT C/C++ Coding Standards
Below is the list of SEI CERT C rules and recommendations supported as of RuleChecker 21.04, followed by the list of supported SEI CERT C++ rules and recommendations.
Light-colored items are supported either partially or only when using RuleChecker in conjunction with Astrée. Exclamation marks denote recommendations that, by definition, cannot be checked for automatically by any tool.
Further details on individual rules are available via RuleChecker’s “Help” menu or by contacting info@absint.com.
SEI CERT C Coding Standard
| Preprocessor | ||
| PRE.0 | Prefer inline or static functions to function-like macros | ✓ |
| PRE.1 | Use parentheses within macros around parameter names | ✓ |
| PRE.5 | Understand macro replacement when concatenating tokens or performing stringification |
! |
| PRE.6 | Enclose header files in an inclusion guard | ✓ |
| PRE.7 | Avoid using repeated question marks | ✓ |
| PRE.9 | Do not replace secure functions with deprecated or obsolescent functions | ✓ |
| PRE.11 | Do not conclude macro definitions with a semicolon | ✓ |
| PRE.12 | Do not define unsafe macros | ✓ |
| PRE.30 | Do not create a universal character name through concatenation | ✓ |
| PRE.32 | Do not use preprocessor directives in invocations of function-like macros | ✓ |
| Declarations and initialization | ||
| DCL.0 | Const-qualify immutable objects | ✓ |
| DCL.1 | Do not reuse variable names in subscopes | ✓ |
| DCL.5 | Use typedefs of non-pointer types only | ✓ |
| DCL.7 | Include the appropriate type information in function declarators | ✓ |
| DCL.8 | Properly encode relationships in constant definitions | ! |
| DCL.10 | Maintain the contract between the writer and caller of variadic functions | ✓ |
| DCL.11 | Understand the type issues associated with variadic functions | ! |
| DCL.13 | Declare function parameters that are pointers to values not changed by the function as const |
✓ |
| DCL.15 | Declare file-scope objects or functions that do not need external linkage as static | ✓ |
| DCL.16 | Use L, not l, to indicate a long value |
✓ |
| DCL.17 | Beware of miscompiled volatile-qualified variables | ! |
| DCL.18 | Do not begin integer constants with 0 when specifying a decimal value |
✓ |
| DCL.19 | Minimize the scope of variables and functions | ✓ |
| DCL.20 | Explicitly specify void when a function accepts no arguments |
✓ |
| DCL.21 | Understand the storage of compound literals | ! |
| DCL.22 | Use volatile for data that cannot be cached | ! |
| DCL.23 | Guarantee that mutually visible identifiers are unique | ✓ |
| DCL.30 | Declare objects with appropriate storage durations | ✓ |
| DCL.31 | Declare identifiers before using them | ✓ |
| DCL.36 | Do not declare an identifier with conflicting linkage classifications | ✓ |
| DCL.37 | Do not declare or define a reserved identifier | ✓ |
| DCL.38 | Use the correct syntax when declaring a flexible array member | ✓ |
| DCL.40 | Do not create incompatible declarations of the same function or object | ✓ |
| DCL.41 | Do not declare variables inside a switch statement before the first case label |
✓ |
| Expressions | ||
| EXP.2 | Be aware of the short-circuit behavior of the logical AND and OR operators | ✓ |
| EXP.3 | Do not assume the size of a structure is the sum of the sizes of its members | ✓ |
| EXP.5 | Do not cast away a const qualification | ✓ |
| EXP.8 | Ensure pointer arithmetic is used correctly | ✓ |
| EXP.9 | Use sizeof to determine the size of a type or variable |
✓ |
| EXP.10 | Do not depend on the order of evaluation of subexpressions or the order in which side effects take place |
✓ |
| EXP.11 | Do not make assumptions regarding the layout of structures with bit-fields | ✓ |
| EXP.12 | Do not ignore values returned by functions | ✓ |
| EXP.13 | Treat relational and equality operators as if they were non-associative | ✓ |
| EXP.15 | Do not place a semicolon on the same line as an if, for, or while statement |
✓ |
| EXP.16 | Do not compare function pointers to constant values | ✓ |
| EXP.19 | Use braces for the body of an if, for, or while statement |
✓ |
| EXP.20 | Perform explicit tests to determine success, true and false, and equality | ✓ |
| EXP.30 | Do not depend on the order of evaluation for side effects | ✓ |
| EXP.32 | Do not access a volatile object through a nonvolatile reference | ✓ |
| EXP.33 | Do not read uninitialized memory | ✓ |
| EXP.34 | Do not dereference null pointers | ✓ |
| EXP.36 | Do not cast pointers into more strictly aligned pointer types | ✓ |
| EXP.37 | Call functions with the correct number and type of arguments | ✓ |
| EXP.40 | Do not modify constant objects | ✓ |
| EXP.42 | Do not compare padding data | ✓ |
| EXP.43 | Avoid undefined behavior when using restrict-qualified pointers | ✓ |
| EXP.44 | Do not rely on side effects in operands to sizeof, _Alignof, or _Generic |
✓ |
| EXP.45 | Do not perform assignments in selection statements | ✓ |
| EXP.46 | Do not use a bitwise operator with a Boolean-like operand | ✓ |
| Integers | ||
| INT.0 | Understand the data model used by your implementation(s) | ! |
| INT.2 | Understand integer conversion rules | ! |
| INT.7 | Use only explicitly signed or unsigned char type for numeric values | ✓ |
| INT.8 | Verify that all integer values are in range | ✓ |
| INT.9 | Ensure enumeration constants map to unique values | ✓ |
| INT.12 | Do not make assumptions about the type of a plain int bit-field when used in an expression |
✓ |
| INT.13 | Use bitwise operators only on unsigned operands | ✓ |
| INT.16 | Do not make assumptions about representation of signed integers | ✓ |
| INT.18 | Evaluate integer expressions in a larger size before comparing or assigning to that size |
✓ |
| INT.30 | Ensure that unsigned integer operations do not wrap | ✓ |
| INT.31 | Ensure that integer conversions do not result in lost or misinterpreted data | ✓ |
| INT.32 | Ensure that operations on signed integers do not result in overflow | ✓ |
| INT.33 | Ensure that division and remainder operations do not result in divide-by-zero errors | ✓ |
| INT.34 | Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand |
✓ |
| INT.35 | Use correct integer precisions | ✓ |
| INT.36 | Converting a pointer to integer or integer to pointer | ✓ |
| Floating point | ||
| FLP.0 | Understand the limitations of floating-point numbers | ! |
| FLP.1 | Take care in rearranging floating-point expressions | ! |
| FLP.2 | Avoid using floating-point numbers when precise computation is needed | ✓ |
| FLP.3 | Detect and handle floating-point errors | ✓ |
| FLP.4 | Check floating-point inputs for exceptional values | ✓ |
| FLP.6 | Convert integers to floating point for floating-point operations | ✓ |
| FLP.30 | Do not use floating-point variables as loop counters | ✓ |
| FLP.32 | Prevent or detect domain and range errors in math functions | ✓ |
| FLP.34 | Ensure that floating-point conversions are within range of the new type | ✓ |
| FLP.36 | Preserve precision when converting integral values to floating-point type | ✓ |
| FLP.37 | Do not use object representations to compare floating-point values | ✓ |
| Arrays | ||
| ARR.0 | Understand how arrays work | ! |
| ARR.1 | Do not apply the sizeof operator to a pointer when taking the size of an array | ✓ |
| ARR.2 | Explicitly specify array bounds, even if implicitly defined by an initializer | ✓ |
| ARR.30 | Do not form or use out-of-bounds pointers or array subscripts | ✓ |
| ARR.36 | Do not subtract or compare two pointers that do not refer to the same array | ✓ |
| ARR.37 | Do not add or subtract an integer to a pointer to a non-array object | ✓ |
| ARR.38 | Guarantee that library functions do not form invalid pointers | ✓ |
| ARR.39 | Do not add or subtract a scaled integer to a pointer | ✓ |
| Characters and strings | ||
| STR.0 | Represent characters using an appropriate type | ✓ |
| STR.4 | Use plain char for characters in the basic character set | ✓ |
| STR.5 | Use pointers to const when referring to string literals | ✓ |
| STR.9 | Don’t assume numeric values for expressions with type plain character | ✓ |
| STR.10 | Do not concatenate different types of string literals | ✓ |
| STR.11 | Do not specify the bound of a character array initialized with a string literal | ✓ |
| STR.30 | Do not attempt to modify string literals | ✓ |
| STR.31 | Guarantee that storage for strings has sufficient space for character data and the null terminator |
✓ |
| STR.32 | Do not pass a non-null-terminated character sequence to a library function that expects a string |
✓ |
| STR.34 | Cast characters to unsigned char before converting to larger integer sizes | ✓ |
| STR.37 | Arguments to character-handling functions must be representable as an unsigned char | ✓ |
| STR.38 | Do not confuse narrow and wide character strings and functions | ✓ |
| Memory management | ||
| MEM.1 | Store a new value in pointers immediately after free() |
✓ |
| MEM.2 | Immediately cast the result of a memory-allocation function call into a pointer to the allocated type | ✓ |
| MEM.4 | Beware of zero-length allocations | ✓ |
| MEM.7 | Ensure that the arguments to calloc(), when multiplied, do not wrap |
✓ |
| MEM.30 | Do not access freed memory | ✓ |
| MEM.31 | Free dynamically allocated memory when no longer needed | ✓ |
| MEM.33 | Allocate and copy structures containing a flexible array member dynamically | ✓ |
| MEM.34 | Only free memory allocated dynamically | ✓ |
| MEM.35 | Allocate sufficient memory for an object | ✓ |
| MEM.36 | Do not modify the alignment of objects by calling realloc() |
✓ |
| Input/output | ||
| FIO.14 | Understand the difference between text mode and binary mode with file streams | ! |
| FIO.37 | Do not assume that fgets() or fgetws()returns a nonempty string when successful |
✓ |
| FIO.38 | Do not copy a FILE object | ✓ |
| FIO.39 | Do not alternately input and output from a stream without an intervening flush or positioning call | ✓ |
| FIO.41 | Do not call getc(), putc(),
getwc() or putwc()
with a stream argument that has side effects |
✓ |
| FIO.42 | Close files when they are no longer needed | ✓ |
| Environment | ||
| ENV.30 | Do not modify the object referenced by the return value of certain functions | ✓ |
| ENV.33 | Do not call system() |
✓ |
| Signals | ||
| SIG.1 | Understand implementation-specific details regarding signal handler persistence | ! |
| SIG.30 | Call only asynchronous-safe functions within signal handlers | ✓ |
| SIG.31 | Do not access shared objects in signal handlers | ✓ |
| SIG.34 | Do not call signal() from within interruptible signal handlers |
✓ |
| Error handling | ||
| ERR.6 | Understand the termination behavior of assert() and abort() |
! |
| ERR.30 | Set errno to zero before calling a library function known to set errno,
and check errno only after the function returns a value indicating failure |
✓ |
| ERR.33 | Detect and handle standard library errors | ✓ |
| Application Programming Interfaces (API) | ||
| API.8 | Avoid parameter names in a function prototype | ✓ |
| Concurrency | ||
| CON.0 | Avoid race conditions with multiple threads | ✓ |
| CON.1 | Acquire and release synchronization primitives in the same module, at the same level of abstraction |
✓ |
| CON.3 | Ensure visibility when accessing shared variables | ✓ |
| CON.6 | Ensure that every mutex outlives the data it protects | ✓ |
| CON.30 | Clean up thread-specific storage | ✓ |
| CON.31 | Do not destroy a mutex while it is locked | ✓ |
| CON.32 | Prevent data races when accessing bit-fields from multiple threads | ✓ |
| CON.33 | Avoid race conditions when using library functions | ✓ |
| CON.35 | Avoid deadlock by locking in a predefined order | ✓ |
| CON.37 | Do not call signal() in a multithreaded program |
✓ |
| CON.39 | Do not join or detach a thread that was previously joined or detached | ✓ |
| CON.40 | Do not refer to an atomic variable twice in an expression | ✓ |
| Miscellaneous | ||
| MSC.1 | Strive for logical completeness | ✓ |
| MSC.4 | Use comments consistently and in a readable fashion | ✓ |
| MSC.7 | Detect and remove dead code | ✓ |
| MSC.12 | Detect and remove code that has no effect or is never executed | ✓ |
| MSC.13 | Detect and remove unused values | ✓ |
| MSC.15 | Do not depend on undefined behavior | ✓ |
| MSC.17 | Finish every set of statements associated with a case labelwith a break statement |
✓ |
| MSC.20 | Do not use a switch statement to transfer control into a complex block |
✓ |
| MSC.21 | Use robust loop termination conditions | ✓ |
| MSC.23 | Beware of vendor-specific library and language differences | ✓ |
| MSC.24 | Do not use deprecated or obsolescent functions | ✓ |
| MSC.30 | Do not use the rand() function for generating pseudorandom numbers |
✓ |
| MSC.32 | Properly seed pseudorandom number generators | ✓ |
| MSC.33 | Do not pass invalid data to the asctime()function |
✓ |
| MSC.37 | Ensure that control never reaches the end of a non-void function | ✓ |
| MSC.40 | Do not violate constraints | ✓ |
| Microsoft Windows | ||
| WIN03 | Understand HANDLE inheritance | ! |
SEI CERT C++ Coding Standard
| Declarations and initialization | ||
| DCL.30 | Declare objects with appropriate storage durations | ✓ |
| DCL.40 | Do not create incompatible declarations of the same function or object | ✓ |
| DCL.50 | Do not define a C-style variadic function | ✓ |
| DCL.51 | Do not declare or define a reserved identifier | ✓ |
| DCL.54 | Overload allocation and deallocation functions as a pair in the same scope | ✓ |
| DCL.57 | Do not let exceptions escape from descructors or deallocation functions | ✓ |
| DCL.59 | Do not define an unnamed namespace in a header file | ✓ |
| DCL.60 | Obey the one-definition rule | ✓ |
| Expressions | ||
| EXP.52 | Do not rely on side effects in unevaluated operands | ✓ |
| EXP.53 | Do not read uninitialized memory | ✓ |
| EXP.54 | Do not access an object outside of its lifetime | ✓ |
| EXP.55 | Do not access a cv-qualified object through a cv-unqualified type | ✓ |
| EXP.57 | Do not cast or delete pointers to incomplete classes | ✓ |
| EXP.61 | A lambda object must not outlive any of its reference captured objects | ✓ |
| EXP.62 | Do not access the bits of an object representation that are not part of the object’s value representation | ✓ |
| Arrays | ||
| ARR.30 | Do not form or use out-of-bounds pointers or array subscripts | ✓ |
| Containers | ||
| CTR.50 | Guarantee that container indices and iterators are within the valid range | ✓ |
| CTR.51 | Use valid references, pointers, and iterators to reference elements of a container | ✓ |
| CTR.52 | Guarantee that library functions do not overflow | ✓ |
| CTR.53 | Use valid iterator ranges | ✓ |
| CTR.54 | Do not subtract iterators that do not refer to the same container | ✓ |
| Characters and strings | ||
| STR.51 | Do not attempt to create a std::string from a null pointer | ✓ |
| STR.53 | Range check element access | ✓ |
| Memory management | ||
| MEM.50 | Do not access freed memory | ✓ |
| MEM.51 | Properly deallocate dynamically allocated resources | ✓ |
| MEM.56 | Do not store an already-owned pointer value in an unrelated smart pointer | ✓ |
| Environment | ||
| ENV.33 | Do not call system() | ✓ |
| Exceptions and error handling | ||
| ERR.33 | Detect and handle standard library errors | ✓ |
| ERR.50 | Do not abruptly terminate the program | ✓ |
| ERR.51 | Handle all exceptions | ✓ |
| ERR.52 | Do not use setjmp() or longjmp() | ✓ |
| ERR.53 | Do not reference base classes or class data members in a constructor or destructor function-try-block handler | ✓ |
| ERR.54 | Catch handlers should order their parameter types from most derived to least derived | ✓ |
| ERR.55 | Honor exception specifications | ✓ |
| ERR.58 | Handle all exceptions thrown before main() begins executing | ✓ |
| ERR.61 | Catch exceptions by lvalue reference | ✓ |
| Object oriented programming | ||
| OOP.50 | Do not invoke virtual functions from constructors or destructors | ✓ |
| OOP.52 | Do not delete a polymorphic object without a virtual destructor | ✓ |
| OOP.53 | Write constructor member initializers in the canonical order | ✓ |
| OOP.54 | Gracefully handle self-copy assignment | ✓ |
| OOP.55 | Do not use pointer-to-member operators to access nonexistent members | ✓ |
| OOP.57 | Prefer special member functions and overloaded operators to C Standard Library functions | ✓ |
| Concurrency | ||
| CON.37 | Do not call signal() in a multithreaded program | ✓ |
| CON.52 | Prevent data races when accessing bit-fields from multiple threads | ✓ |
| Miscellaneous | ||
| MSC.30 | Do not use the rand() function for generating pseudorandom numbers | ✓ |
| MSC.32 | Properly seed pseudorandom number generators | ✓ |
| MSC.37 | Ensure that control never reaches the end of a non-void function | ✓ |
| MSC.50 | Do not use std::rand() for generating pseudorandom numbers | ✓ |
| MSC.51 | Ensure your random number generator is properly seeded | ✓ |
| MSC.52 | Value-returning functions must return a value from all exit paths | ✓ |
| MSC.53 | Do not return from a function declared [[noreturn]] | ✓ |
MISRA
RuleChecker supports MISRA-C:2004, MISRA-C:2012 (including Amendments 1 and 2), and MISRA-C++:2008. It is highly configurable, allowing you to check for individual rules and even specific aspects of certain rules.
Between the three rule sets and the amendments, a total of 502 rules are checked. A 30-page PDF description of how RuleChecker handles each rule is available on request. Contact info@absint.com for your free copy.
Below is only a quick overview of all the supported rule categories.
| MISRA-C:2004 | ||
| 1 | Environment | ✓ |
| 2 | Language extensions | ✓ |
| 3 | Documentation | ✓ |
| 4 | Character sets | ✓ |
| 5 | Identifiers | ✓ |
| 6 | Types | ✓ |
| 7 | Constants | ✓ |
| 8 | Declarations and definitions | ✓ |
| 9 | Initialization | ✓ |
| 10 | Arithmetic type conversions | ✓ |
| 11 | Pointer type conversions | ✓ |
| 12 | Expressions | ✓ |
| 13 | Control statement expressions | ✓ |
| 14 | Control flow | ✓ |
| 15 | Switch statements | ✓ |
| 16 | Functions | ✓ |
| 17 | Pointers and arrays | ✓ |
| 18 | Structures and unions | ✓ |
| 19 | Preprocessing directives | ✓ |
| 20 | Standard libraries | ✓ |
| 21 | Run-time failures | ✓ |
| MISRA-C:2012 | ||
| D | Directives | ✓ |
| 1 | A standard C environment | ✓ |
| 2 | Unused code | ✓ |
| 3 | Comments | ✓ |
| 4 | Character sets and lexical convention | ✓ |
| 5 | Identifiers | ✓ |
| 6 | Types | ✓ |
| 7 | Literals and constants | ✓ |
| 8 | Declarations and definitions | ✓ |
| 9 | Initialization | ✓ |
| 10 | The essential type model | ✓ |
| 11 | Pointer type conversions | ✓ |
| 12 | Expressions | ✓ |
| 13 | Side effects | ✓ |
| 14 | Control statement expressions | ✓ |
| 15 | Control flow | ✓ |
| 16 | Switch statements | ✓ |
| 17 | Functions | ✓ |
| 18 | Pointers and arrays | ✓ |
| 19 | Overlapping storage | ✓ |
| 20 | Preprocessing directives | ✓ |
| 21 | Standard libraries | ✓ |
| 22 | Resources | ✓ |
| MISRA-C:2012 Amendment 1 | ||
| 12 | Expressions | ✓ |
| 21 | Standard libraries | ✓ |
| MISRA-C:2012 Amendment 2 | ||
| 1 | A standard C environment | ✓ |
| 21 | Standard libraries | ✓ |
| MISRA-C++:2008 | ||
| 0 | Language-independent issues | ✓ |
| 1 | General | ✓ |
| 2 | Lexical conventions | ✓ |
| 3 | Basic concepts | ✓ |
| 4 | Standard conversions | ✓ |
| 5 | Expressions | ✓ |
| 6 | Statements | ✓ |
| 7 | Declarations | ✓ |
| 8 | Declarators | ✓ |
| 9 | Classes | ✓ |
| 10 | Derived classes | ✓ |
| 11 | Member access control | ✓ |
| 12 | Special member functions | ✓ |
| 14 | Templates | ✓ |
| 15 | Exception handling | ✓ |
| 16 | Preprocessing directives | ✓ |
| 17 | Library introduction | ✓ |
| 18 | Language support library | ✓ |
| 19 | Diagnostics library | ✓ |
| 27 | Input/output library | ✓ |
Common Weakness Enumeration (CWE)
Below is the list of supported CWE rules as of RuleChecker 21.04. This includes items with the CWE CCR accuracies Exact, CWE-more-abstract, CWE-more-specific, and CWE-partial.
| 118 | Improper access of indexable resource | ✓ |
| 123 | Write-what-where condition | ✓ |
| 124 | Buffer underwrite | ✓ |
| 125 | Out-of-bounds read | ✓ |
| 126 | Buffer over-read | ✓ |
| 127 | Buffer under-read | ✓ |
| 129 | Improper validation of array index | ✓ |
| 415 | Double free | ✓ |
| 456 | Missing initialization of a variable | ✓ |
| 457 | Use of uninitialized variable | ✓ |
| 467 | Use of sizeof() on a pointer type |
✓ |
| 468 | Incorrect pointer scaling | ✓ |
| 478 | Missing default case in switch statement |
✓ |
| 481 | Assigning instead of comparing | ✓ |
| 558 | Use of getlogin() in multithreaded application |
✓ |
| 561 | Dead code | ✓ |
| 665 | Improper initialization | ✓ |
| 676 | Use of potentially dangerous function | ✓ |
| 685 | Function call with incorrect number of arguments | ✓ |
| 686 | Function call with incorrect argument type | ✓ |
| 761 | Free of pointer not at start of buffer | ✓ |
| 823 | Use of out-of-range pointer offset | ✓ |
| 824 | Access of uninitialized pointer | ✓ |
| 908 | Use of uninitialized resource | ✓ |
| The following rules are additionally supported when using RuleChecker in conjunction with Astrée. For further details, see RuleChecker’s “Help” menu or contact info@absint.com. | ||
| 15 | External control of system or configuration setting | ✓ |
| 73 | External control of file system or path | ✓ |
| 77 | Improper neutralization of special elements used in a command (command injection) | ✓ |
| 78 | Improper neutralization of special elements used in an OS command (OS-command injection) | ✓ |
| 79 | Improper neutralization of input during Web page generation (cross-site scripting) | ✓ |
| 88 | Argument injection or modification | ✓ |
| 89 | Improper neutralization of special elements used in an SQL command (SQL injection) | ✓ |
| 90 | Improper neutralization of special elements used in an LDAP command (LDAP injection) | ✓ |
| 91 | XML injection (aka blind XPath injection) | ✓ |
| 99 | Improper control of resource identifiers (resource injection) | ✓ |
| 117 | Improper output neutralization for logs | ✓ |
| 119 | Improper restriction of operations within the bounds of a memory buffer | ✓ |
| 120 | Buffer copy without checking size of input (‘classic buffer overflow‘) | ✓ |
| 121 | Stack-based buffer overflow | ✓ |
| 122 | Heap-based buffer overflow | ✓ |
| 128 | Wrap-around error | ✓ |
| 130 | Improper handling of length parameter inconsistency | ✓ |
| 131 | Incorrect calculation of buffer size | ✓ |
| 170 | Improper null termination | ✓ |
| 188 | Reliance on data/memory layout | ✓ |
| 190 | Integer overflow or wraparound | ✓ |
| 191 | Integer underflow or wraparound | ✓ |
| 193 | Off-by-one error | ✓ |
| 194 | Unexpected sign extension | ✓ |
| 195 | Signed to unsigned conversion error | ✓ |
| 196 | Unsigned to signed conversion error | ✓ |
| 197 | Numeric truncation error | ✓ |
| 240 | Improper handling of inconsistent structural elements | ✓ |
| 242 | Use of inherently dangerous function | ✓ |
| 252 | Unchecked return value | ✓ |
| 253 | Incorrect check of function return value | ✓ |
| 362 | Concurrent execution using shared resource with improper synchronization (‘race condition’) |
✓ |
| 364 | Signal handler race condition | ✓ |
| 365 | Race condition in switch | ✓ |
| 366 | Race condition within a thread | ✓ |
| 367 | Time-of-check time-of-use (TOCTOU) race condition | ✓ |
| 369 | Divde by zero | ✓ |
| 398 | Indicator of poor code quality | ✓ |
| 404 | Improper resource shutdown or release | ✓ |
| 411 | Resource locking problems | ✓ |
| 415 | Double free | ✓ |
| 416 | Use after free | ✓ |
| 466 | Return of pointer value outside of expected range | ✓ |
| 471 | Modification of assumed-immutable data (MAID) | ✓ |
| 475 | Undefined behavior for input to API | ✓ |
| 476 | NULL pointer dereference | ✓ |
| 567 | Unsynchronized access to shared data in a multithreaded context | ✓ |
| 573 | Improper following of specification by caller | ✓ |
| 587 | Assignment of a fixed address to a pointer | ✓ |
| 588 | Attempt to access child of a nonstructure pointer | ✓ |
| 628 | Function call with incorrectly specified arguments | ✓ |
| 662 | Improper synchronization | ✓ |
| 667 | Improper locking | ✓ |
| 672 | Operation on a resource after expiration or release | ✓ |
| 680 | Integer overflow to buffer overflow | ✓ |
| 681 | Incorrect conversion between numeric types | ✓ |
| 682 | Incorrect calculation | ✓ |
| 690 | Unchecked return value to NULL pointer dereference | ✓ |
| 754 | Improper check for unusual or exceptional conditions | ✓ |
| 763 | Release of invalid pointer or reference | ✓ |
| 764 | Multiple locks of a critical resource | ✓ |
| 765 | Multiple unlocks of a critical resource | ✓ |
| 785 | Use of path manipulation function without maximum-sized buffer | ✓ |
| 786 | Access of memory location before start of buffer | ✓ |
| 787 | Out-of-bounds write | ✓ |
| 805 | Buffer access with incorrect length value | ✓ |
| 806 | Buffer access using size of source buffer | ✓ |
| 825 | Expired pointer dereference | ✓ |
| 832 | Unlock of a resource that is not locked | ✓ |
| 835 | Loop with unreachable exit condition (‘infinite loop’) | ✓ |
ISO/IEC
Below is the list of ISO/IEC rules and diagnostics supported as of RuleChecker 21.04. Further details on individual rules are available via RuleChecker’s “Help” menu or by contacting info@absint.com.
ISO/IEC TS 17961:2013 C Secure Coding Rules
| accfree | Accessing freed memory | ✓ |
| accsig | Accessing shared objects in signal handlers | ✓ |
| addrescape | Escaping of the address of an automatic object | ✓ |
| alignconv | Converting pointer values to more strictly aligned pointer types | ✓ |
| argcomp | Calling functions with incorrect arguments | ✓ |
| asyncsig | Calling functions in the C Standard Library other than
abort, _Exit, and signal from within a signal handler |
✓ |
| boolasgn | No assignment in conditional expressions. | ✓ |
| chrsgnext | Passing arguments to character-handling functions that are not representable as unsigned char. | ✓ |
| dblfree | Freeing memory multiple times | ✓ |
| diverr | Integer division errors | ✓ |
| filecpy | Copying a FILE object | ✓ |
| funcdecl | Declaring the same function or object in incompatible ways | ✓ |
| insufmem | Allocating insufficient memory | ✓ |
| intoflow | Overflowing signed integers | ✓ |
| intptrconv | Converting a pointer to integer or integer to pointer | ✓ |
| inverrno | Incorrectly setting and using errno | ✓ |
| invfmtstr | Using invalid format strings | ✓ |
| invptr | Forming or using out-of-bounds pointers or array subscripts | ✓ |
| ioileave | Interleaving stream inputs and outputs without a flush or positioning call | ✓ |
| liberr | Failing to detect and handle standard library errors | ✓ |
| libmod | Modifying the string returned by
getenv, localeconv, setlocale, and strerror |
✓ |
| libptr | Forming invalid pointers by library function | ✓ |
| libuse | Using an object overwritten by getenv, localeconv, setlocale, and strerror |
✓ |
| nonnullcs | Passing a non-null-terminated character sequence to a library function that expects a string | ✓ |
| nullref | Dereferencing an out-of-domain pointer | ✓ |
| padcomp | Comparison of padding data | ✓ |
| ptrcomp | Accessing an object through a pointer to an incompatible type | ✓ |
| ptrobj | Subtracting or comparing two pointers that do not refer to the same array | ✓ |
| resident | Using identifiers that are reserved for the implementation | ✓ |
| restrict | Passing pointers into the same object as arguments to different restrict-qualified parameters | ✓ |
| sigcall | Calling signal from interruptible signal handlers | ✓ |
| sizeofptr | Taking the size of a pointer to determine the size of the pointed-to type | ✓ |
| strmod | Modifying string literals | ✓ |
| swtchdflt | Use of an implied default in a switch statement | ✓ |
| syscall | Calling system | ✓ |
| taintformatio | Using a tainted value to write to an object using a formatted input or output function | ✓ |
| taintnoproto | Using a tainted value as an argument to an unprototyped function pointer | ✓ |
| taintsink | Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink | ✓ |
| taintstrcpy | Tainted strings are passed to a string copying function | ✓ |
| uninitref | Referencing uninitialized memory | ✓ |
| usrfmt | Including tainted or out-of-domain input in a format string | ✓ |
| xfilepos | Using a value for fsetpos other than a value returned from fgetpos |
✓ |
| xfree | Reallocating or freeing memory that was not dynamically allocated | ✓ |
ISO/IEC 9899:1999 diagnostics
| Constraint violations | ||
| 6.2.7p2 | Two declarations that declare the same entity must be of compatible type | ✓ |
| 6.2.7p2 | At least one type specifier shall be given in a declaration | ✓ |
| 6.5.2.2p2 | The number of arguments shall agree with the number of parameters | ✓ |
| 6.5.4p3 | No implicit conversion shall be performed between pointer types and integer types | ✓ |
| 6.7.5.2p1 | If the size expression of an array declarator is constant, it shall have a value greater than zero | ✓ |
| 6.7.10p2 | The constant expression of a static assert shall compare unequal to zero | ✓ |
| Language extensions | ||
| 4p5 | Assembler code shall be avoided | ✓ |
| 4p5 | Data placement at an absolute location shall be avoided | ✓ |
| 4p5 | Enums shall not be forward-declared, i.e. used as complete type before being defined | ✓ |
| 4p5 | Lvalue casts shall be avoided | ✓ |
| 4p5 | Non-standard keywords shall not be used | ✓ |
| 4p5 | Pointer attributes shall be avoided | ✓ |
| 4p5 | GCC’s statement expressions shall not be used | ✓ |
| 6.5.1p2 | Implicit function declaration shall not be used | ✓ |
| 6.6p10 | Only integer constant expressions stricly conforming to the C standard shall be used | ✓ |
| Implementation-defined behavior | ||
| 6.3.2.3p5+6 | No cast shall be performed between pointer types and integer types | ✓ |
| 6.4.4.4p10 | The value of an integer character constant containing more than one character is implementation-defined | ✓ |
| Unspecified behavior | ||
| 6.5 | The result of the evaluation of an expression shall not depend on the order of evaluation of subexpressions | ✓ |
| 6.7.8 | The result of the evaluation of an initializer list expression shall not depend on the order of evaluation of elements and subexpressions | ✓ |
AUTOSAR C++14
As of release 21.04, RuleChecker supports a total of 296 AUTOSAR C++14 coding rules. A detailed 30-page PDF description of how each rule is handled is available on request. Contact info@absint.com for your free copy.
Below is just a quick overview of the currently supported rule categories.
| 0 | Language independent issues | ✓ |
| 1 | General | ✓ |
| 2 | Lexical conventions | ✓ |
| 3 | Basic concepts | ✓ |
| 4 | Standard conversions | ✓ |
| 5 | Expressions | ✓ |
| 6 | Statements | ✓ |
| 7 | Declarations | ✓ |
| 8 | Declarators | ✓ |
| 9 | Classes | ✓ |
| 10 | Derived classes | ✓ |
| 11 | Member access control | ✓ |
| 12 | Special member functions | ✓ |
| 13 | Overloading | ✓ |
| 14 | Templates | ✓ |
| 15 | Exception handling | ✓ |
| 16 | Preprocessing directives | ✓ |
| 17 | Library instruction | ✓ |
| 18 | Language support library | ✓ |
| 19 | Diagnostics library | ✓ |
| 27 | Input/output library | ✓ |
Metrics
RuleChecker automatically compiles various code metrics. For each metric, you can optionally specify thresholds to check your code against, essentially creating additional rules of your own.
| Comment density | ✓ |
| Cyclomatic complexity | ✓ |
| Number of return statements | ✓ |
| Number of goto statements | ✓ |
| Number of instructions per function | ✓ |
| Number of parameters | ✓ |
| Number of maintainable code lines | ✓ |
| Maximum nesting of control structures | ✓ |
| Maximum number of execution paths | ✓ |
| Number of called functions | ✓ |
| Number of calling functions | ✓ |
| Number of recursive paths | ✓ |
| Language scope | ✓ |
| Comment density (HIS) | ✓ |
Other rules
Customer-specific rules
We have experience with extending RuleChecker for various customers with their very own in-house rule sets. Please contact info@absint.com with any questions.
Style rules
These optional rules cover the naming of all C identifiers. For each kind of identifier, you can specify a maximum and minimum length, and check the spelling using regular expressions.
| Function naming | |
| All functions | ✓ |
| Global functions | ✓ |
| Static functions | ✓ |
| Parameters | ✓ |
| Macro naming | |
| All macros | ✓ |
| Function-like macros | ✓ |
| Object-like macros | ✓ |
| Member naming | |
| All members | ✓ |
| Struct members | ✓ |
| Union members | ✓ |
| Bitfields | ✓ |
| Object naming | |
| All objects | ✓ |
| Global objects | ✓ |
| Static objects | ✓ |
| Local objects | ✓ |
| Tag naming | |
| All tags | ✓ |
| Enumeration tags | ✓ |
| Struct tags | ✓ |
| Union tags | ✓ |
| Type naming | |
| All types | ✓ |
| Struct types | ✓ |
| Enumeration naming | |
| Enumeration constants | ✓ |