Writing Cppcheck rules - Part 2
Daniel Marjamäki
Cppcheck
2010
Introduction
In this article I will discuss the data representation that Cppcheck
uses.
The data representation that Cppcheck uses is specifically designed
for static analysis. It is not intended to be generic and useful for other
tasks.
See the data
There are two ways to look at the data representation at
runtime.
Using --rule=.+ is one way. All tokens are written on a single line:
int a ; int b ;
Using --debug is another way. The tokens are line separated in the
same way as the original code:
1: int a@1 ;
2: int b@2 ;
In the --debug output, "@1" and "@2" are shown. These are the
variable ids (Cppcheck gives each variable a unique id). You can ignore
these if you only plan to write rules with regular expressions; variable
ids can't be used in regular expressions.
Simplifications
This is not intended to be a complete reference for all
simplifications. It is mostly intended to show that the data is simplified
in many ways.
The intention with the simplifications is to remove all information
that the rules don't use.
Preprocessing (Preprocessor)
The Cppcheck data is preprocessed. There are no comments, #define,
#include, etc.
#define SIZE 123
char a[SIZE];
Debug output:
1:
2: char a@1 [ 123 ] ;
typedef (Tokenizer::simplifyTypedef)
The typedefs are simplified.
typedef char s8;
s8 x;
Debug output:
1: ;
2: char x@1 ;
Calculations (Tokenizer::simplifyCalculations)
Calculations are simplified.
int a[10 + 4];
Debug output:
1: int a@1 [ 14 ] ;
Variables
Variable declarations (Tokenizer::simplifyVarDecl)
Variable declarations are simplified. Only one variable can be
declared at a time. The initialization is also broken out into a
separate statement.
int *a=0, b=2;
Debug output:
1: int * a@1 ; a@1 = 0 ; int b@2 ; b@2 = 2 ;
Known variable values
(Tokenizer::simplifyKnownVariables)
Known variable values are simplified.
void f()
{
int x = 0;
x++;
array[x + 2] = 0;
}
Debug output:
1: void f ( )
2: {
3: ; ;
4: ;
5: array [ 3 ] = 0 ;
6: }
The variable x is removed because it is not used after the
simplification. It is therefore redundant.
The "known values" don't have to be numeric. Variable aliases,
pointer aliases, strings, etc. should be handled too.
Example code:
void f()
{
char *a = strdup("hello");
char *b = a;
free(b);
}
Debug output:
1: void f ( )
2: {
3: char * a@1 ; a@1 = strdup ( "hello" ) ;
4: ; ;
5: free ( a@1 ) ;
6: }
if/for/while
Braces in if/for/while-body
(Tokenizer::simplifyIfAddBraces)
There are always braces in if/for/while bodies.
if (x)
f1();
Debug output:
1: if ( x ) {
2: f1 ( ) ; }
No else if
The simplified data representation doesn't have "else
if".
void f(int x)
{
if (x == 1)
f1();
else if (x == 2)
f2();
}
Debug output:
1: void f ( int x@1 )
2: {
3: if ( x@1 == 1 ) {
4: f1 ( ) ; }
5: else { if ( x@1 == 2 ) {
6: f2 ( ) ; } }
7: }
Condition is always true / false
Conditions that are always true / false are simplified.
void f()
{
if (true) {
f1();
}
}
Debug output:
1: void f ( )
2: {
3: {
4: f1 ( ) ;
5: }
6: }
Another example:
void f()
{
if (false) {
f1();
}
}
The debug output:
1: void f ( )
2: {
3:
4:
5:
6: }
Assignments (Tokenizer::simplifyIfAssign)
Assignments within conditions are broken out from the
condition.
void f()
{
int x;
if ((x = f1()) == 12) {
f2();
}
}
The "x = f1()" is broken out. Debug output:
1: void f ( )
2: {
3: int x@1 ;
4: x@1 = f1 ( ) ; if ( x@1 == 12 ) {
5: f2 ( ) ;
6: }
7: }
Replacing the "if" with "while" in the above example:
void f()
{
int x;
while ((x = f1()) == 12) {
f2();
}
}
The "x = f1()" is broken out twice. Debug output:
1: void f ( )
2: {
3: int x@1 ;
4: x@1 = f1 ( ) ; while ( x@1 == 12 ) {
5: f2 ( ) ; x@1 = f1 ( ) ;
5:
6: }
7: }
An interesting thing here is that "f2 ( ) ;" is written on line
5, but the "x@1 = f1 ( ) ;" after it is written on line 4 (it is a copy
of the assignment that was broken out of the condition on that line).
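As an added example (not from the article or from the Cppcheck project): a small Python harness that applies --rule style regular expressions to one-line token streams of the kind --rule=.+ prints, showing that patterns written against the original C source never fire while patterns written against the simplified form do. The token strings are constructed by hand from the debug outputs shown in this article, not captured from a cppcheck run.

```python
import re

# One-line token streams in the form Cppcheck's --rule=.+ prints them
# (constructed by hand from the simplifications the article documents,
# not captured from a cppcheck run; --rule output carries no @varids).
SIMPLIFIED = {
    "calc":     "int a [ 14 ] ;",
    "vardecl":  "int * a ; a = 0 ; int b ; b = 2 ;",
    "braces":   "if ( x ) { f1 ( ) ; }",
    "elseif":   "void f ( int x ) { if ( x == 1 ) { f1 ( ) ; } "
                "else { if ( x == 2 ) { f2 ( ) ; } } }",
    "ifassign": "void f ( ) { int x ; x = f1 ( ) ; if ( x == 12 ) { f2 ( ) ; } }",
}

def rule_matches(pattern, tokens):
    """Return every substring of the token stream that a --rule style
    regular expression matches. Cppcheck runs the pattern over the whole
    string, so search semantics (not full-match) are used here as well."""
    return [m.group(0) for m in re.finditer(pattern, tokens)]

# Pairs of (pattern written against the original C source, pattern written
# against the simplified stream) for each simplification shown above.
RULES = {
    "calc":     (r"\[ \d+ \+ \d+ \]",            r"\[ \d+ \]"),
    "vardecl":  (r"int \* \w+ = 0 ,",            r"\* \w+ ; \w+ = 0 ;"),
    # "if without braces" can never fire: braces are always added.
    "braces":   (r"if \( [^()]* \) [^{]",        r"if \( [^()]* \) \{"),
    "elseif":   (r"else if \(",                  r"else \{ if \("),
    # The assignment is broken out in front of the if, so the
    # source-form pattern has nothing to match.
    "ifassign": (r"if \( \( \w+ = \w+ \( \) \)", r"\w+ = \w+ \( \) ; if \("),
}

def evaluate_rules():
    """For every example return (source-form hits, simplified-form hits)."""
    return {name: (rule_matches(naive, SIMPLIFIED[name]),
                   rule_matches(simp, SIMPLIFIED[name]))
            for name, (naive, simp) in RULES.items()}

if __name__ == "__main__":
    for name, (naive, simp) in evaluate_rules().items():
        print(f"{name:9} source-form rule: {naive or 'no match'}")
        print(f"{'':9} simplified rule:  {simp}")
```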