C/C++代码缺陷静态检查工具cppcheck

UUUUTaossienUUUU

已于 2023-02-15 22:09:19 修改

阅读量1.8k

点赞数

分类专栏： C/C++ 文章标签： c++ c语言静态检查工具 cppcheck

于 2023-02-15 14:52:31 首次发布

本文链接：https://blog.csdn.net/UUUUTaossienUUUU/article/details/129043176

版权

C/C++ 专栏收录该内容

28 篇文章 0 订阅

订阅专栏

cppcheck介绍和安装

CppCheck是一个C/C++代码缺陷静态检查工具。静态代码检查是检查代码是否安全和健壮，是否有隐藏问题。
CppCheck只检查编译器检查不出来的bug，不检查语法错误。

CentOS在线安装命令：
yum install cppcheck

C/C++常见内存问题

（1）heap use after free 堆内存释放后继续使用

（2）stack use after return 栈内存函数返回后继续使用

（3）stack use after scope 栈内存在作用域范围外继续使用

（4）heap buffer overflow 堆内存溢出

（5）stack buffer overflow 栈内存溢出

（6）global buffer overflow 全局内存溢出

（7）allocation size too big 堆内存分配较大

（8）memory leaks 内存泄露

（9）double free 堆内存重复释放

（10）initialization order bugs 初始化命令错误

cppcheck检查内存问题

（1）heap use after free 堆内存释放后继续使用

#include <stdio.h>
int main (int argc, char* argv []) {
    int* array = new int[100];
    delete [] array;
    int num = array[0];
    return 0;
}

cppcheck main.cpp

Checking main.cpp ...
main.cpp:5:15: error: Dereferencing 'array' after it is deallocated / released [deallocuse]
    int num = array[0];
              ^
main.cpp:4:15: error: Memory is allocated but not initialized: array [uninitdata]
    delete [] array;
              ^

（2）stack use after return 栈内存函数返回后继续使用

#include <stdio.h>
int* p = NULL;
void fun() {
    int a[10];
    p = a; // 或者 p = &a[0];
}
int main() {
    fun();
    int num = p[0];
    return 0;
}

cppcheck main.cpp

Checking main.cpp ...
main.cpp:5:5: error: Non-local variable 'p' will use pointer to local variable 'a'. [danglingLifetime]
    p = a; // 或者 p = &a[0];
    ^
main.cpp:5:9: note: Array decayed to pointer here.
    p = a; // 或者 p = &a[0];
        ^
main.cpp:4:9: note: Variable created here.
    int a[10];
        ^
main.cpp:5:5: note: Non-local variable 'p' will use pointer to local variable 'a'.
    p = a; // 或者 p = &a[0];
    ^

（3）stack use after scope 栈内存在作用域范围外继续使用

#include <stdio.h>
int* p = NULL;
int main(int argc, char* argv[]) {
    {
        int a[10];
        p = &a[0];
    }
    p[0] = 1000;
    return 0;
}

cppcheck main.cpp

Checking main.cpp ...
main.cpp:6:9: error: Non-local variable 'p' will use pointer to local variable 'a'. [danglingLifetime]
        p = &a[0];
        ^
main.cpp:6:13: note: Address of variable taken here.
        p = &a[0];
            ^
main.cpp:5:13: note: Variable created here.
        int a[10];
            ^
main.cpp:6:9: note: Non-local variable 'p' will use pointer to local variable 'a'.
        p = &a[0];
        ^
main.cpp:8:5: error: Using pointer to local variable 'a' that is out of scope. [invalidLifetime]
    p[0] = 1000;
    ^
main.cpp:6:13: note: Address of variable taken here.
        p = &a[0];
            ^
main.cpp:5:13: note: Variable created here.
        int a[10];
            ^
main.cpp:8:5: note: Using pointer to local variable 'a' that is out of scope.
    p[0] = 1000;
    ^

（4）heap buffer overflow 堆内存溢出

#include <stdio.h>
int main (int argc, char** argv) {
    int* array = new int[100];
    int res = array[100];
    delete [] array;
    return 0;
}

cppcheck main.cpp

Checking main.cpp ...
main.cpp:4:15: error: Memory is allocated but not initialized: array [uninitdata]
    int res = array[100];
              ^

（5）stack buffer overflow 栈内存溢出

#include <stdio.h>
int main(int argc, char* argv[]) {
    int a[2] = {100,200};
    int b = a[2];
    return 0;
}

cppcheck main.cpp

Checking main.cpp ...
main.cpp:4:14: error: Array 'a[2]' accessed at index 2, which is out of bounds. [arrayIndexOutOfBounds]
    int b = a[2];
             ^

（6）global buffer overflow 全局内存溢出

#include <stdio.h>
int array[100];
int main(int argc, char* argv[]) {
    int num = array[100];
    return 0;
}

cppcheck main.cpp

Checking main.cpp ...
main.cpp:4:20: error: Array 'array[100]' accessed at index 100, which is out of bounds. [arrayIndexOutOfBounds]
    int num = array[100];
                   ^

（7）allocation size too big 堆内存分配较大

#include <stdio.h>
#include <stdlib.h>
int main(int argc, char* argv[]) {
    int x = 1000;
    int y = 1000;
    int* p = (int*)malloc(x * y * x * y);
    free(p);
    return 0;
}

cppcheck main.cpp

Checking main.cpp ...
main.cpp:7:37: error: Signed integer overflow for expression 'x*y*x*y'. [integerOverflow]
    int* p = (int*)malloc(x * y * x * y);
                                    ^
main.cpp:5:13: note: Assignment 'x=1000', assigned value is 1000
    int x = 1000;
            ^
main.cpp:7:37: note: Integer overflow
    int* p = (int*)malloc(x * y * x * y);
                                    ^

（8）memory leaks 内存泄露

#include <stdlib.h>
int main(int argc, char *argv[]) {
    int* ptr = (int*)malloc(10 * sizeof(int));
    int num = ptr[0];
    return 0;
}

cppcheck main.cpp

Checking main.cpp ...
main.cpp:5:5: error: Memory leak: ptr [memleak]
    return 0;
    ^
main.cpp:4:15: error: Memory is allocated but not initialized: ptr [uninitdata]
    int num = ptr[0];
              ^

（9）double free 堆内存重复释放

#include <stdio.h>
int main(int argc, char* argv[]) {
    int* p = new int[10];
    delete [] p;
    delete [] p;
    return 0;
}

cppcheck main.cpp

Checking main.cpp ...
main.cpp:5:15: error: Memory pointed to by 'p' is freed twice. [doubleFree]
    delete [] p;
              ^
main.cpp:4:5: note: Memory pointed to by 'p' is freed twice.
    delete [] p;
    ^
main.cpp:5:15: note: Memory pointed to by 'p' is freed twice.
    delete [] p;
              ^
main.cpp:4:15: error: Memory is allocated but not initialized: p [uninitdata]
    delete [] p;
              ^