
cppcheck / News: Recent posts

Kickstarter project - Improve Clang import

I have launched one more Kickstarter project. Its goal is to improve the Clang import feature in Cppcheck.

There are two tasks:

  • Comparison of Clang/Cppcheck syntax tree. This will help us ensure that Cppcheck and Clang import work properly.
  • The Cppcheck SymbolDatabase has a few fields for Variables that are not set properly by Clang import.

Link to project:
https://www.kickstarter.com/projects/3300446/cppcheck-clang-import

Posted by Daniel Marjamäki 2020-09-27

Kickstarter project - Variable constraints

I launched a Kickstarter project today.

https://www.kickstarter.com/projects/3300446/cppcheck-variable-constraints

I will add configuration of variable constraints. With such configuration, Cppcheck will get both better precision and better soundness.

To start with, I only plan to use the constraints in the bug hunting analysis. However, in the long run, the constraints can be used in traditional analysis also.

Posted by Daniel Marjamäki 2020-07-15

Cppcheck-2.1

This is a minor release.

We have tweaked build scripts.

  • When you use USE_Z3=yes, we will handle new versions of z3 better. If you have an old z3 library and get compilation problems you will need to add a z3_version.h in externals.
  • The cmake scripts were updated.

There were a couple of bug fixes.

New check:

  • for "expression % 1" the result is always 0.

Posted by Daniel Marjamäki 2020-06-13

A million downloads

As of today:

The download count is now above 1 million!

Those statistics are not complete. But those are the known downloads. For instance, we do not know how many have downloaded through apt-get or how many grabbed the source code directly from GitHub and compiled that - the GitHub download count is only for the Windows installers.

Posted by Daniel Marjamäki 2020-05-20

Cppcheck-2.0

Overview

The command line is not changed drastically. Your old cppcheck scripts should work as before.

Compiling: There is a new dependency Z3. When compiling with the Makefile it is highly recommended to use "USE_Z3=yes".

Improved clang-tidy integration

Several fixes to:

  • improve parsing
  • detect more bugs with existing checks
  • fix false alarms

Clang import

Clang is a C/C++ compiler that has a very robust and well made parser.... read more

Posted by Daniel Marjamäki 2020-05-10

Kickstarter project - diagnose more buffer overflows

I launched a new Kickstarter project today.

https://www.kickstarter.com/projects/3300446/diagnose-buffer-overflow-cve

Thousands of software vulnerabilities are found in released software each year.

I will investigate the reported vulnerabilities and pick a buffer overflow that is not diagnosed by Cppcheck yet. Then I will fix Cppcheck so it detects such overflows.

This is a small step, but in the long run it should be possible to detect most buffer overflows by using Cppcheck.

Posted by Daniel Marjamäki 2020-05-06

Kickstarter project - Add all missing MISRA C 2012 rules for essential types

I launched a new Kickstarter project today.

https://www.kickstarter.com/projects/3300446/add-all-missing-10x-misra-rules

If this is funded, 4 MISRA rules will be added to the misra addon.

Posted by Daniel Marjamäki 2020-01-08

Cppcheck-1.90

Cppcheck-1.90 has been released.

New check:

  • alias to vector element invalid after vector is changed

Improved checking:

  • improved value flow analysis for struct members
  • improved value flow analysis for pointer alias

CERT:

  • Added ENV33-C: Do not call system()

MISRA:

  • Added rule 2.7
  • Added rule 3.2
  • Added rule 4.2
  • Added rule 14.2
  • Added rule 21.1
  • Added rule 21.12

Addons:

  • Add --recursive option. You can check dump files recursively.

Posted by Daniel Marjamäki 2019-12-21 Labels: 1.90

Kickstarter: Software verification 1

I have launched one more Kickstarter project.

This project is about "Software verification", a new analysis mode that will be added in Cppcheck later.

It will make it possible to detect many more bugs.

Here is the link:
https://www.kickstarter.com/projects/3300446/software-verification-1

Posted by Daniel Marjamäki 2019-11-09

Kickstarter: Improve Misra checking 2

Together with Georgy Komarov, I started a new Kickstarter project. We want to implement two additional MISRA C 2012 rules:

  • Do not define or undefine reserved identifiers or macro names
  • Do not use exception handling features of <fenv.h>

The MISRA addon is still very much incomplete. To make the rule coverage acceptable we need to get funding.

The project is available here: https://www.kickstarter.com/projects/3300446/improve-misra-checking-2

Posted by Daniel Marjamäki 2019-09-19

Cppcheck-1.89

Cppcheck-1.89 has been released

Command line:

  • The default warning message format was changed. The new format is similar to GCC. If you want to get warnings in the old format, add --template=cppcheck1 to the command line.

Compiling:

  • From now on, use FILESDIR instead of CFGDIR to specify the path for Cppcheck data files. The readme.txt describes the available flags.

Improved checking:

  • improved value flow analysis for pointer aliases
  • improved checking for uninitialized variables/structs
  • better checking of smart pointers
  • better checking of global variables
  • Added Cppcheck annotations cppcheck_low(VALUE) and cppcheck_high(VALUE)
  • shadow variables; warn when argument is shadowed
  • warn if local reference variable can be const... read more

Posted by Daniel Marjamäki 2019-09-01 Labels: 1.89

Blog: Safe interfaces

For information, I wrote a blog post about "safe checks"
https://danielmarjamaki.blogspot.com/2019/07/static-analysis-safe-interfaces-my-plan.html

This is new checking that is added to Cppcheck. I believe it will help you detect more bugs that are out of reach for other tools.

Posted by Daniel Marjamäki 2019-07-27

crowdfunding: detect more uninitialized variable usage

Today I started a new Kickstarter crowdfunding project with the goal to detect more uninitialized variable usage in your code:
https://www.kickstarter.com/projects/3300446/cppcheck-5259

We have a few tickets that I believe are "low hanging fruit" - they would be relatively quick to fix and would increase bug detection. It is a shame that these tickets are unfixed for years. We need funding to get more speed. Ticket 5259 is one "low hanging fruit" ticket.... read more

Posted by Daniel Marjamäki 2019-07-27

Cppcheck-1.88

Cppcheck-1.88 has been released.

New checks:

  • Comparing pointers that point to different objects
  • Address of local variable 'x' is accessed at non-zero index
  • STL usage: unnecessary search before insertion
  • Duplicate expression for condition and assignment: if (x==3) x=3;

Added --library configuration files for:

  • cppunit
  • libcerror
  • nspr
  • opengl
  • sqlite3

Better handling of C++14 and C++17... read more

Posted by Daniel Marjamäki 2019-06-29 Labels: 1.88

crowdfunding: detect more uninitialized variable usage

A new crowdfunding project has been created that has the goal to detect more uninitialized variable usage in your code.
https://www.indiegogo.com/projects/cppcheck-detect-more-uninitalized-variable-usage/x/21980698#/

Posted by Daniel Marjamäki 2019-06-20

misra: kickstarter project

A kickstarter project has been created to add a check to our MISRA addon.

https://www.kickstarter.com/projects/3300446/improve-misra-checking

The MISRA addon does not get enough attention at the moment. This kickstarter project can change that.

Posted by Daniel Marjamäki 2019-05-07

Cppcheck-1.86

Cppcheck-1.86 has been released

General:

  • Many fixes in the template simplifier
  • Several fixes in the abstract syntax tree.

Checking improvements:

  • New check: passing address of char to function that expects a strz
  • New check: shadow variables
  • Improved lifetime checking
  • Improved STL iterators checking
  • Improved data flow analysis

New libraries:

  • zlib
  • googletest

Addons:

  • misra.py: Fixes for suppressions and exclusions
  • namingng.py: New addon to check naming conventions. Rules are specified in json file.

Posted by Daniel Marjamäki 2018-12-08 Labels: 1.86

Cppcheck-1.85

Cppcheck-1.85 has been released.

General:

  • We are modernizing the Cppcheck code. Support for MSVC 2010 and GCC 4.4 is dropped. You now need a compiler that is at least as good as MSVC 2013 or GCC 4.6.
  • According to "daca@home" (http://cppcheck.osuosl.org:8000)
    • There are fewer crashes.
    • Cppcheck-1.85 is ~25% slower than Cppcheck-1.84

Checking improvements:

  • New check: Suggest STL algorithms instead of hard-coded for loops
  • New check: Warn about ineffective algorithms (same iterator passed)
  • New check: Mismatching iterators used together in operators
  • Container (STL/Qt/WxWidgets/etc) access out of bounds
  • Improved the checkers that warn about same/opposite expressions, track variable values better.
    • logical conjunctions
    • identical/opposite inner expressions
    • same expressions around operator
    • etc
  • Variable scope: warn about references also

Graphical user interface:... read more

Posted by Daniel Marjamäki 2018-10-14

Cppcheck-1.83

Cppcheck-1.83 has been released

The biggest news is that Cppcheck now has "MISRA C 2012" compliance checks

Command line:

  • fixes in parser
  • Improved loading of platform files.

GUI:

  • few minor improvements in user interface
  • Code preview
  • Added MISRA addon integration
  • Platform can be selected in project settings
  • Fixed issue when loading xml results file

Addons:

  • We are now officially releasing our MISRA addon. So far it supports MISRA C 2012.

Posted by Daniel Marjamäki 2018-04-02

Cppcheck-1.82

We have released Cppcheck-1.82. The release notes are:

Bug fixes:

  • Better handling of namespaces
  • Fixed false positives
  • Fixed parsing of compile databases
  • Fixed parsing of visual studio projects

Enhancements:

  • New check: Detect mistakes when there are multiple strcmp() in condition
    Example:
       if (strcmp(password,"A")==0 || strcmp(password,"B")==0 || strcmp(password,"C"))

There is a missing '==0', and therefore this condition is always true except when password is "C".... read more

Posted by Daniel Marjamäki 2018-01-14

Cppcheck-1.81

Cppcheck-1.81 has been released

CPPCHECK:

  • New warning: Check if condition after an early return is overlapping and therefore always false.
  • Improved knowledge about C/C++ standard, windows, posix, wxwidgets, gnu
  • Better handling of Visual Studio projects

GUI:

  • Compile: Qt5 is now needed to build the GUI
  • Compile: New qmake flag HAVE_QCHART
  • Project: You can now run cppcheck-addons
  • Project: We have integrated clang-tidy
  • Results view: Reload last results (if cppcheck build dir is used) when GUI is started
  • Results view: Tag the warnings with custom keywords (bug/todo/not important/etc..)
  • Results view: Shows when warning first appeared (since date)
  • Results view: Suppress warnings through right-click menu
  • Statistics: Added charts (shown if Qt charts module is enabled during build)

Posted by Daniel Marjamäki 2017-10-07

Cppcheck 1.80

Cppcheck 1.80 has been released

Checking improvements:

  • Added platform for Atmel AVR 8 bit microcontrollers (avr8)
  • Better 'callstacks' in cppcheck messages
  • Improved gnu.cfg, posix.cfg, wxwidgets.cfg and std.cfg, added motif.cfg
  • Various improvements to AST, ValueFlow analysis and template parsing

Command line changes:

  • Deprecated command line argument --append has been removed
  • New command line argument --plist-output to create .plist files
  • New command line argument --output-file to print output to file directly
  • Check OpenCL files (.cl)... read more

Posted by Daniel Marjamäki 2017-07-29

Cppcheck 1.79

Cppcheck-1.79 has been released

General changes:

  • C++ code in C files is rejected now (use --language=c++ to enforce checking the code as C++)
  • Write function access type to XML dump

Checking improvements:

  • Improved configuration extraction in preprocessor
  • Improved accuracy of AST
  • Improved template parsing
  • Improved support for (STL) containers in SymbolDatabase
  • Improved support for C++11's 'auto' type
  • Experimental support for uninitialized variables in ValueFlow analysis
  • Added qt.cfg and sfml.cfg, improved several existing .cfg files... read more

Posted by Daniel Marjamäki 2017-05-13

10 year anniversary

The Cppcheck project was registered on Sourceforge on 2007-05-08.

I originally thought that it would only be a small utility to catch some bugs in my code. I planned that the development would take ~2 weeks, because after that I expected that I would lose interest and do something else. Therefore the original design was very Keep-It-Simple.

I planned that I would lose interest, but that has not happened yet. Therefore I have continued working on Cppcheck and gradually added more and more features.... read more

Posted by Daniel Marjamäki 2017-05-09

Cppcheck 1.78

Cppcheck-1.78 has been released.

General changes:

  • Reduced memory usage by up to 10% by reducing size of token list

New checks:

  • Mismatching argument names between function declaration and definition
  • Detect classes which have a copy constructor but no copy operator and vice versa

Checking improvements:

  • Improved matching of overloaded functions
  • Improved ValueType analysis, especially related to allocations with "new" and C++11's "auto"
  • Improved support for C++11 brace initialization
  • Improved ValueFlow analysis
  • Improved template parsing
  • Improved detection of memory leaks
  • Improved nullpointer checking when nullptr and NULL are used
  • Detect array out of bounds across compilation units
  • Extended windows.cfg, posix.cfg and std.cfg... read more

Posted by Daniel Marjamäki 2017-04-01