Cppcheck-2.14.0

Release Notes for Cppcheck 2.14.0

Summary:

• Fixed 23 "crash" tickets
• Fixed 69 "false positive" tickets
• Fixed 36 "improve check" tickets

New checks:

• eraseIteratorOutOfBounds: warns when erase() is called on an iterator that is out of bounds
• returnByReference: warns when a large class member is returned by value from a getter function

GUI:
-Make it possible to suppress warnings in all files in a folder

Changed interface:

• Fixed crash with '--rule-file=' if some data was missing.
• '--rule-file' will now bail out if a rule could not be added or a file contains unexpected data.
• Add option '--check-version', you can use it to pin the cppcheck version in a script.
• Added '--template=simple'. It is expands to '{file}:{line}:{column}: {severity}:{inconclusive:inconclusive:} {message} [{id}]' without any additional location details.
• Removed deprecated platform type 'Unspecified'. Please use 'unspecified' instead.
• Add --file-filter=- option that reads file filters from stdin. Added for a plugin.

Other:

• Added CMake option 'EXTERNALS_AS_SYSTEM' to treat external includes as 'SYSTEM' ones.
• The minimum required compiler versions have been bumped to GCC 5.1 / Clang 3.5 / Visual Studio 2015
• The minimum required CMake version has been bumped to 3.5
• Using Visual Studio with CMake now checks if the CMake version is at least 3.13. This was always required but was not checked explicitly.
• Removed deprecated 'Makefile' option 'SRCDIR'.
• Added CMake option 'DISALLOW_THREAD_EXECUTOR' to control the inclusion of the executor which performs the analysis within a thread of the main process.
• Removed CMake option 'USE_THREADS' in favor of 'DISALLOW_THREAD_EXECUTOR'.
• misra-config will not be treated as a critical error anymore

Safety critical:

• #12440 : Misra violations found but cppcheck exited with 0 even after specifying exit code

Cppcheck-2.13.0

Release Notes for Cppcheck 2.13

New checks:

• passedByValueCallback for functions which take a parameter by value but are used as callbacks (subset of passedByValue)
• returnImplicitInt for C functions without return type (previously reported as a debug message)
• iterateByValue for iterating by value in a range-based for loop when a const reference could be used

Changed interface:

• Final report of active checkers is reported as a normal information message instead.

Deprecations:

• "--showtime=top5" has been deprecated and will be removed in Cppcheck 2.14. Please use --showtime=top5_file or --showtime=top5_summary instead.
• Building with Qt5 has been deprecated (it went EOL in May 2023) and will be removed in a future version - please use Qt6 instead.

Other:

• Windows builds now default to the native platform instead of win32A or win64. Please specify it explicitly if you depend on it.
• The undocumented and deprecated command-line options --template <template> and --template-format <template> has been removed. Please use --template= and --template-format= instead.
• "--showtime=summary" will now show a single summary at the end instead of showing it after each file when using the thread execution (default on Windows)
• added "--showtime=none" to disable any previously specified showtime report. "--showtime=" without parameter is no longer valid.
• Multiple "--project" options are now prohibited. These would have overlapped each other and lead to unexpected behavior. Please use separate runs with a single "--project" option instead.
• "--project" can also no longer be used in conjunction with additional source files.
• If a addon cannot be found it will bail out immediately instead of continously writing errors and failing the analysis at the end.
• clang-tidy was not invoked when the process-based executor (only available on Linux / default) was used.
• Added CMake option "BUILD_MANPAGE" which adds the "man" target which will build the manpage. This requires xsltproc and the docbook XSLs to be installed.
• Added some library configurations to the official Windows installer.
• Removed some unused Qt DLLs from the official Windows installer.
• Improved inline suppressions:
  • You can suppress warnings in a block of code using "-begin" and "-end".
  • You can suppress warnings in current file using "-file".
  • You can suppress all warnings where macro is used using "-macro"
• Cppcheck will now error out when an option, which requires code which is not compiled in, is being specified. In the past it might have silently ignored it or reported it as unknown.
• Several macros defined by "limits.h"/"climits" will now be generated from the used platform condiguration and passed to the analysis.
• fixed CMake build with UBSAN and GCC
• Files will now be processed in the order as specified via the command-line.
• Added command-line options "--fsigned-char" and "--funsigned-char" to control the signess of the "char" type. This overrides previously specified "--platform" options and is overrides by following ones.
• An error is now reported when the "cppcheck.cfg" is invalid. The CLI version will also exit with a failure in that case.
• Fixed loading of addons from "cppcheck.cfg" in the GUI application.
• Markup files will now be processed after the regular source files when using multiple threads/processes (some issues remain - see Trac #12167 for details).
• Added file name to ValueFlow "--debug" output.
• Fixed build when using "clang-cl" in CMake.

Safety critical:

• #10866 unsafe handling of unconditional #error
• #12071 unsafe suppressions of critical errors
• #12079 missing "misra-config" warning, calling unknown function in condition

Cppcheck-2.12.1

Bug fix:

• Fix problem to import GUI project (#5456 ).

Cppcheck-2.12.0

New checks:

• uselessOverride finds overriding functions that either duplicate code from or delegate back to the base class implementation
• knownPointerToBool finds pointer to bool conversions that are always true or false

Improved checking:

• truncLongCastAssignment and truncLongCastReturn check additional types, including float/double/long double
• duplInheritedMember also reports duplicated member functions
• constParameter*/constVariable* checks find more instances of pointers/references that can be const, e.g. when calling library functions

GUI:

• Show in statistics which checkers have been activated in latest analysis
• Make it more visible if there has been critical errors that caused checkers to be skipped

Changed interface:

• Write how many checkers was activated after a run
• Added --checkers-report that can be used to generate a report in a file that shows what checkers was activated and disabled

Deprecations:

• The qmake build system has been deprecated and will be removed in a future version.
• Command-line option '--template ' is deprecated and will be removed in 2.13 - please use '--template=' instead.
• Command-line option '--template-location ' is deprecated and will be removed in 2.13 - please use '--template-location=' instead.

  Other:

  • "USE_QT6=On" will no longer fallback to Qt5 when Qt6 is not found.
  • When the execution of an addon fails with an exitcode it will now result in an 'internalError' instead of being silently ignored.
  • "Win32" configurations have been removed from the bundled Visual Studio solution and projects. You might still be able to build 32-bit binaries using CMake but that is untested and unmaintained.

Cppcheck-2.11

New checks:

• pop_back on empty container is UB

Improved checking:

• Improve useStlAlgorithm check to handle many more conditions in the loop for any_of, all_of and none_of algorithms
• ValueFlow can evaluate the return value of functions even when conditionals are used
• ValueFlow will now forward the container sizes being returned from a function
• ValueFlow can infer possible values from possible symbolic values
• Improve valueflow after pushing to container

GUI:

• The platform type 'Unspecified' within .cppcheck projects has been deprecated and will be removed in Cppcheck 2.14. Please use 'unspecified' instead.
• Do not replace relative paths with absolute paths in suppressions in the project file dialog

Interface:

• The new option --check-level= has been added that controls how much checking is made by Cppcheck. The default checking level is "normal". If you feel that you can wait longer on results you can use --check-level=exhaustive.
• It is no longer necessary to run "--check-config" to get detailed "missingInclude" and "missingIncludeSystem" messages. They will always be issued in the regular analysis if "missingInclude" is enabled.
• "missingInclude" and "missingIncludeSystem" are reported with "-j" is > 1 and processes are used in the backend (default in non-Windows binaries)
• "missingInclude" and "missingIncludeSystem" will now cause the "--error-exitcode" to be applied
• "--enable=information" will no longer implicitly enable "missingInclude" starting with 2.16. Please enable it explicitly if you require it.
• The constParameter and constVariable checks have been split into 3 different IDs based on if the variable is a pointer, a reference, or local. The different IDs will allow users to suppress different const warning based on variable type.
  • constParameter
  • constParameterReference
  • constParameterPointer
  • constVariable
  • constVariableReference
  • constVariablePointer
• More command-line parameters will now check if the given integer argument is actually valid. Several other internal string-to-integer conversions will now be error checked.
• scanning projects (with -j1) will now defer the analysis of markup files until the whole code was processed

Cppcheck-2.10

Analysis:

• Many improvements and fixes in checkers.
• Windows binaries currently default to the "win32A" and "win64" platform respectively. Starting with Cppcheck 2.13 they will default to 'native' instead. Please specify '--platform=win32A' or '--platform=win64' explicitly if you rely on this.
• New check: use memset/memcpy instead of loop

CLI:

• if the file provided via "--file-list" cannot be opened it will now error out
• add command-line option "--disable=" to individually disable checks

GUI:

• Detect when installed version is old. There is setting in Edit/Preferences to turn this on.
• Fix path issue with backslashes
• Cleanup *.ctu-info files after analysis

Build:

• the deprecated Makefile option SRCDIR is no longer accepted
• added CMake option BUILD_CORE_DLL to build lib as cppcheck-core.dll with Visual Studio

Cppcheck-2.9

Analysis

• restored check for negative allocation (new[]) and negative VLA sizes from cppcheck 1.87 (LCppC backport)
• replaced hardcoded check for pipe() buffer size by library configuration option (LCppC backport)
• on Windows the callstack is now being written to the output specific via "--exception-handling"
• make it possible to disable the various exception handling parts via the CMake options "NO_UNIX_SIGNAL_HANDLING", "NO_UNIX_BACKTRACE_SUPPORT" and "NO_WINDOWS_SEH"
• detect more redundant calls of std::string::c_str(), std::string::substr(), and unnecessary copies of containers
• Add a match function to addon similiar to Token::Match used internally by cppcheck:
  • | for either-or tokens(ie struct|class to match either struct or class)
  • !! to negate a token
  • It supports the %any%, %assign%, %comp%, %name%, %op%, %or%, %oror%, and %var% keywords
  • It supports (*), {*}, [*], and <*> to match links
  • @ can be added to bind the token to a name
  • ** can be used to match until a token
• Add math functions which can be used in library function definition. This enables evaluation of more math functions in ValueFlow
• Further improve lifetime analysis with this pointers
• Propagate condition values from outer function calls
• Add debug intrinsics debug_valueflow and debug_valuetype to show more detail including source backtraces

Cppcheck Premium

GUI: Additional options to configure the Autosar, Cert C and Misra C++ coding standards
Command line: A --premium option that is used to provide premium options

Cppcheck-2.8

• Lifetime analysis can now track lifetime across user-defined constructors when they are inline and using member initializer list.
• SymbolDatabase can now deduce iterator types from how they are specified in the library files.
• ValueFlow can evaluate class member functions that return known values.
• Improve duplicateValueTenary to not warn when used as an lvalue or when one branch has side effects
• Fix variableScope to not warn when variables are used in lambda functions
• Fix unassignedVariable warnings when using structured bindings
• Fix redundantInitialization warning when variable is used in a lambda
• Fix variableScope warnings when using if/while init-statement
• Improve lifetime analysis when returning variadic template expressions
• Detect more statements with constStatement
• Detect variableScope for more types
• Improvements to unreadVariable
• Detect more instances of C style casts
• Warn if the return value of new is discarded
• The pre-ValueFlow uninitialized checker now uses a different ID as legacyUninitvar
• Extended library format to exclude specific function argument values

Cppcheck-2.7

Add support for container views. The view attribute has been added to the <container> library tag to specify the class is a view. The lifetime analysis has been updated to use this new attribute to find dangling lifetime containers.

Various checker improvements.

Fixed false positives.

Cppcheck-2.6

New checks in core cppcheck:

• missing return in function
• writing overlapping data, detect undefined behavior
• compared value is out of possible type range
• [perf] Copy elision optimization can't be applied for return std::move(local)
• file can not be opened for read and write access at the same time on different streams

Various improvements:

• Color output for diagnostics are added for unix-based platforms.
• Added symbolic analysis for ValueFlow. A simple delta is used to compute the difference between two unknown variable.
• Rules using the "define" tokenlist can also match #include as well.
• Library <function> tags can now use <container> tag, so free functions that accept containers such as std::size, std::empty, std::begin, std::end, etc. can specify the yields or action for the container.
• Library <smart-pointer> tag can specify a <unique> tag for smart pointers that have unique ownership. Cppcheck now warns about dangling references to smart pointers with unique ownership.
• Fixed problems when --cppcheck-build-dir is used, that should now work better. It is recommended to use --cppcheck-build-dir to speedup Cppcheck analysis.
• htmlreport can now output author information (using git blame)
• More warnings about variables that is not const but can be const

Misra C 2012 compliance has been "completed"
All Misra C 2012 rules have been implemented except 1.1 , 1.2 and 17.3. Including the rules in amendment 1 and amendment 2.
The rules 1.1 and 1.2 must be checked with a compiler.
The rule 17.3 can be checked by a compiler, for instance GCC.