Defect detection by the advanced static analysis engine of CodeSonar

CodeSonar acts similar to a compiler which does a build of your code using your existing build environment. Instead of creating object code, the tool constructs an abstract model of your entire program. Afterwards, the symbolic execution engine of CodeSonar explores program paths, reasoning about program variables and their relation. Advanced dataflow analysis prunes infeasible program paths from the exploration.

If the path exploration notices an anomaly, a warning will be generated. Because of the large number of combinations of circumstances CodeSonar employs a variety of strategies to ensure scalability. For example, procedure summaries are refined and compacted during the analysis as well as paths are explored in an order that minimizes paging.

Over 100 different types of problems can be found by the advanced static analysis of CodeSonar. In addition to this out-of-the-box checkers, the tool offers several mechanisms provided for defining own checkers.
Further information is available from create customised code checkers in CodeSonar.

The "Out-of-the-box" defect checks for C/C++ code includes:

• Buffer Overrun
  A read or write to data after the end of a buffer. > example
• Dangerous Function Cast
  A function pointer is cast to another function pointer having an incompatible signature or return type.
• Data Race Condition
  Shared data accessed in an unsafe manner.
• Deadlock
  Two or more threads prevent each other from making progress.
• Delete Object Created by malloc
  An attempt to release memory obtained with malloc using delete.
• Delete Object Created by new
  An attempt to release memory obtained with new using delete.
• Divide By Zero
  An attempt to perform integer division where the denominator is 0.
• Double Close
  An attempt to close a file descriptor or file pointer twice.
• Double Free
  Two calls to free on the same object.
• Double Lock
  An attempt to lock a mutex twice.
• Double Unlock
  An attempt to unlock a mutex twice.
• Format String
  A function that should have a format string passed in a particular argument position has been passed a string that either is not a format string or is from an untrusted source. (Potential security vulnerability.)
• Free Non-Heap Variable
  An attempt to free an object which was not allocated on the heap, such as a stack-allocated variable.
• Free Null Pointer
  An attempt to free a null pointer.
• Free Object Created by new
  An attempt to release memory obtained with new using free.
• Ignored Return Value
  The value returned by some function has not been used.
• Leak
  Dynamically allocated storage has not been freed. > example
• Misuse of Libraries
  Misuse of standard library functions.
• Misuse of Memory Allocation
  Incorrect use of memory allocators.
• Misuse of Memory Copying
  Incorrect use of copying functions.
• Missing Return Statement
  At least one path through a non-void return-type function does not contain a return statement.
• Null Pointer Dereference
  An attempt to dereference a pointer to the address 0. > example
• Null Test After Dereference
  A pointer is NULL-checked when it has already been dereferenced.
• Process Starvation
  A thread of execution may not run.
• Redundant Condition
  Some condition is either always or never satisfied.
• Return Pointer To Freed
  A procedure returns a pointer to memory that has already been freed.
• Return Pointer To Local
  A procedure returns a pointer to one of its local variables.
• TOCTTOU Vulnerability
  A time-of-check-to-time-of-use race condition that can create a security vulnerability.
• Try-lock that will never succeed
  An attempt to lock a mutex that cannot possibly succeed.
• Type Overrun
  An overrun of a boundary within an aggregate type.
• Type Underrun
  An underrun of a boundary within an aggregate type.
• Uninitialized Variable
  An attempt to use the value of a variable that has not been initialized.
• Unreachable Code
  Some of the code in a function is unreachable from the function entry point under any circumstances.
• Unused Value
  variable is assigned a value, but that value is never subsequently used on any execution path.
• Use After Free
  A dereference of a pointer to a freed object.
• Useless Assignment
  Some assignment always assigns the value that the variable being modified already has.
• User-Defined Bug Classes
  Checks for arbitrary bug classes can be implemented through the CodeSonar extension functions.
• Varargs Function Cast
  A varargs function pointer is cast to another function pointer having different parameters or return type.