SonarCfamily For C/C++ Now Plays With The Big Kids

by Massimo Paladin

    Version 4.6 of our SonarCfamily for C/C++ has just been released with a shiny new Buffer Overflow detection mechanism. To get an idea of what bugs we can now spot and why you should read this post, I'll start with a bug found in the Linux kernel:

    We started developing SonarCfamily 4 years ago. It has been tough, and we faced many challenges, but we are finally seeing the result of the huge effort we have invested in it. In the last 12 months, thanks to previous work on accurate semantic analysis and analyzer configuration (thanks to build-wrapper), we were able to start working on a new advanced data flow engine, and deliver many cool rules:

    • S3519 - Memory access should be explicitly bounded to prevent buffer overflows
    • S2259 - Null pointers should not be dereferenced
    • S2583 - Conditions should not unconditionally evaluate to "TRUE" or to "FALSE"
    • S3518 - Zero should not be a possible denominator
    • S836 - Variables should be initialized before use
    • S2095 - Resources should be closed
    • S3588 - Closed resources should not be accessed
    • S3584 - Dynamically allocated memory should be released
    • S3520 - Memory locations should not be released more than once
    • S3590 - Stack allocated memory should not be freed
    • S1232 - Appropriate memory de-allocation should be used
    • S2637 - "nonnull" pointers should not be set to null
    • S3807 - Parameters should match function definition

    Here are a few examples of issues found with these rules in real projects:

    Data flow analysis is by definition an approximation, and our data flow engine is constantly evolving. In that evolution we follow simple principles to develop the most helpful engine: keep the signal-to-noise ratio as high as possible, do not compromise performance, listen to users' feedback, and react quickly. We've already made good progress, but we have great plans for the future to help you discover the trickiest and nastiest bugs.

    But data flow was not the only thing we worked on in the last 12 months. We had 10 (!!!) releases with many other features delivered:

    • Support for SonarLint for Eclipse; you can now get real-time feedback while you code
    • ~130 new rules
    • Intel compiler support on Linux and OS X
    • WindRiver GCC compiler support
    • and more...

    As you can see, we now have one of the very best static code analyzers on the market for C and C++. It can be viewed and tested online on sonarqube.com, which offers analysis of open source projects for free. Just get started, no matter what OS and compiler you are using.

    For more information about the product, you can visit the product page.