@@ -961,180 +961,3 @@ Example usage:
961961 ./cppcheck gui/test.cpp --xml 2> err.xml
962962 htmlreport/cppcheck-htmlreport --file=err.xml --report-dir=test1 --source-dir=.
963963
964- # Bug hunting
965-
966- If you want to detect most bugs and can accept false alarms, then Cppcheck has analysis for that.
967-
968- This analysis is soundy; it should diagnose most bugs reported in CVEs and from dynamic analysis.
969-
970- You have to expect false alarms. However Cppcheck tries to limit false alarms.
971- The purpose of the data flow analysis is to limit false alarms.
972-
973- Some possible use cases;
974-
975- - you are writing new code and want to ensure it is safe.
976- - you are reviewing code and want to get hints about possible UB.
977- - you need extra help troubleshooting a weird bug.
978- - you want to check if a release candidate is safe.
979-
980- The intention is that this will be used primarily in the GUI.
981-
982- ## Activate this analysis
983-
984- On the command line you can use ` --bug-hunting ` . In the GUI go to the project dialog.
985- In the ` Analysis ` tab there is a check box for ` Bug hunting ` .
986-
987- ## Contracts
988-
989- To handle false alarms and improve the analysis you are encouraged to use contracts.
990-
991- To provide contracts, you can either annotate your code or configure the contracts in the GUI.
992-
993- There exists various annotations for C and C++ code. gcc has attributes, there
994- are SAL annotations, and then there are standard C++ annotations. It is our
995- goal to handle various types of annotations, if you can reuse those annotations
996- in Cppcheck analysis that will be an extra benefit.
997-
998- ### Function contracts
999-
1000- Here is an example code:
1001-
1002- int foo(int x)
1003- {
1004- return 100 / x;
1005- }
1006-
1007- The bug hunting analysis will warn about a division by zero. Right now, it
1008- can't be proven that x can't be 0 here. A function contract can be used to
1009- tell Cppcheck what input "foo(x)" expects.
1010-
1011- #### Annotation
1012-
1013- You can use "C++ function contracts" syntax both in C and C++.
1014-
1015- For C++ code you can write:
1016-
1017- int foo(int x)
1018- [[expects: x > 0]]
1019- {
1020- return 100 / x; // No division by zero
1021- }
1022-
1023- void bar()
1024- {
1025- foo(-10); // Warning: Contract is violated!
1026- }
1027-
1028- For C code you can write (works in C++ too):
1029-
1030- #ifdef __cppcheck__
1031- #define Expects(EXPR) [[expects: EXPR]]
1032- #else
1033- #define Expects(EXPR)
1034- #endif
1035-
1036- int foo(int x)
1037- Expects(x > 0)
1038- {
1039- return 100 / x;
1040- }
1041-
1042- void bar()
1043- {
1044- foo(-10); // Warning: Contract is violated!
1045- }
1046-
1047-
1048- #### Configuration in gui
1049-
1050- You can configure contracts in the GUI.
1051-
1052- Example code:
1053-
1054- int foo(int x)
1055- {
1056- return 100 / x;
1057- }
1058-
1059- If you run bug hunting analysis on this code, then because Cppcheck can't prove
1060- that x can't be 0, you will get a warning about division by zero.
1061-
1062- Either:
1063-
1064- - Right click on that warning and select "Edit contract..".
1065- - Open the "Functions" tab at the bottom and lookup the "foo(x)" function. Then
1066- double click on that.
1067-
1068- A dialog box is shown where you can configure the contract for function "foo(x)".
1069- A textbox allows you to edit the "Expects" expression.
1070-
1071- Enter the expression "x > 0" in the dialog box and click OK.
1072-
1073- Now if you run analysis the division by zero warning will be gone. As for
1074- annotations, if the contract is violated somewhere then you will get a warning.
1075-
1076-
1077-
1078- ### Variable contracts
1079-
1080- Here is an example code:
1081-
1082- int x;
1083-
1084- int foo()
1085- {
1086- return 100 / x;
1087- }
1088-
1089- The bug hunting analysis will warn about a division by zero. It can't be proven
1090- that x can't be 0.
1091-
1092- A variable contract specify the allowed values for a variable. Cppcheck use variable
1093- contracts both when a variable is read and written:
1094- - When a variable is read, Cppcheck will assume that the contract is met. This
1095- means you can avoid false positives for impossible variable values.
1096- - When a variable is written, Cppcheck will ensure that its contract is not
1097- violated. If it can't be determined that the contract is met you will get a
1098- warning.
1099-
1100- #### Annotation
1101-
1102- You can use Cppcheck attributes ` __cppcheck_low__(value) ` and
1103- ` __cppcheck_high__(value) ` to configure min and max values for variables
1104- and types.
1105-
1106- Example code:
1107-
1108- __cppcheck_low__(1) int x;
1109-
1110- int foo()
1111- {
1112- return 100 / x; // No division by zero
1113- }
1114-
1115- Tip: You can create an integer type with a limited value range. For instance
1116- here is an unsigned integer type that can only have the values 0-100:
1117-
1118- typedef __cppcheck_high__(100) unsigned int percent_t;
1119- percent_t x;
1120- x = 110; // <- Cppcheck will warn about this assignment
1121-
1122-
1123- #### GUI
1124-
1125- To configure variable contracts in the GUI, open the "Variables" tab at the
1126- bottom.
1127-
1128- Lookup the variable you want to configure and double click on that.
1129-
1130- A dialog box is shown for the variable, where you can configure the min and
1131- max values.
1132-
1133-
1134- ## Incomplete analysis
1135-
1136- The data flow analysis can analyze simple functions completely but complex functions are not analyzed completely (yet).
1137- The data flow analysis will be continuously improved in the future but it will never be perfect.
1138-
1139- It is likely that you will get false alarms caused by incomplete data flow analysis. Unfortunately it is unlikely that
1140- such false alarms can be fixed by contracts.
0 commit comments