This rule finds branching statements with conditions that always evaluate to the same value. -More likely than not these conditions indicate a defect in the branching condition or are an artifact left behind after debugging.
+This query finds branching statements with conditions that always evaluate to the same value. +It is likely that these conditions indicate an error in the branching condition. +Alternatively, the conditions may have been left behind after debugging.
Check the branch condition for defects, and verify that it isn't a remnant from debugging.
- +Check the branch condition for logic errors. Check whether it is still required.
This example shows two branch conditions that always evaluate to the same value. +The two conditions and their associated branches should be deleted. +This will simplify the code and make it easier to maintain.
+This rule finds functions that are non-public, non-virtual and are never called. Dead functions are often deprecated pieces of code, and should be removed -as they may increase object code size, decrease code comprehensibility, and create the possibility of misuse.
+This query highlights functions that are non-public, non-virtual, and are never called. +Dead functions are often deprecated pieces of code, and should be removed. +If left in the code base they increase object code size, decrease code comprehensibility, and create the possibility of misuse.
-public and protected functions are not considered by the check, as they could be part of the program's
-API and could be used by external programs.
+public and protected functions are ignored by this query.
+This type of function may be part of the program's API and could be used by external programs.
Consider removing the function.
- +Verify that the function is genuinely unused and consider removing it.
The example below includes a function f that is no longer used and should be deleted.
This rule finds calls to functions that use a global variable which happen before the variable was initialized. +
This rule finds calls to functions that use a global variable before the variable has been initialized. Not all compilers generate code that zero-out memory, especially when optimizations are enabled or the compiler is not compliant with the latest language standards. Accessing uninitialized memory will lead to undefined results.
Initialize the global variable. If no constant can be used for initialization, ensure that all accesses to the variable occur after the initialization code is executed.
-callCtr is wrongly used before it has been initialized.
+This rule finds pointer dereferences that do not check the pointer for nullness, while the same pointer is checked for nullness in other -places in the code. It is most likely that the nullness check was omitted, and that a NULL pointer dereference can occur. -Dereferencing a null pointer and attempting to modify its contents can lead to anything from a segfault to corrupting -important system data (i.e. the interrupt table in some architectures). +
This query finds pointer dereferences that do not first check the pointer for nullness, +even though the same pointer is checked for nullness in other +parts of the code. It is likely that the nullness check was accidentally omitted, and that a null pointer dereference can occur. +Dereferencing a null pointer and attempting to modify its contents can lead to anything from a segmentation fault to corrupting +important system data (including the interrupt table in some architectures).
Make the nullness check on the pointer consistent across all dereferences.
+Use a nullness check consistently in all cases where a pointer is dereferenced.
-This rule finds malloc that use a strlen for the size but to not take the
-zero terminator into consideration, and strcat/strncat calls that are done on buffers that do
-not have the sufficient size to contain the new string.
+This query finds calls to:
malloc that use a strlen for the buffer size and do not take the
+zero terminator into consideration.strcat or strncat that use buffers that are too small to contain the new string.-The indicated expression will cause a buffer overflow due to a buffer that is of insufficient size to contain -the data being copied. Buffer overflows can result to anything from a segfault to a security vulnerability (particularly +The highlighted expression will cause a buffer overflow because the buffer is too small to contain +the data being copied. Buffer overflows can result to anything from a segmentation fault to a security vulnerability (particularly if the array is on stack-allocated memory).
@@ -24,18 +27,23 @@ if the array is on stack-allocated memory).Increase the size of the buffer being allocated.
- -This example includes thre annotated calls that copy a string into a buffer.
+The first call to malloc creates a buffer that's the
+same size as the string, leaving no space for the zero terminator
+and causing an overflow. The second call to strcat appends an additional string to the same buffer
+causing a second overflow.
The bounded copy functions memcpy, memmove, strncpy, strncat accept a size argument. You should call these functions with a size argument that is derived from the size of the destination buffer. Using a size argument that is derived from the source buffer may cause a buffer overflow. Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.
The bounded copy functions memcpy, memmove, strncpy, strncat accept a size argument.
+You should call these functions with a size argument that is derived from the size of the destination buffer.
+Using a size argument that is derived from the source buffer may cause a buffer overflow.
+Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.
Check the highlighted function calls carefully, and ensure that the size parameter is derived from the size of the destination buffer, +
Check the highlighted function calls carefully. +Ensure that the size parameter is derived from the size of the destination buffer, and not the source buffer.
+The code below shows an example where strncpy is called incorrectly, without checking the size of the destination buffer.
+In the second example the call has been updated to include the size of the destination buffer.