
Defect detection with the advanced CodeSonar® analysis engine
Like a compiler, CodeSonar® builds the code in your build environment. Instead of producing object code, however, CodeSonar first emits an abstract model of your entire program. The tool's symbolic execution engine then explores the program paths and the relationships between variables, while a powerful data-flow analysis excludes infeasible paths from the analysis. If an anomaly is encountered while a path is being explored, a corresponding warning is generated. Because a very large number of state combinations has to be checked, CodeSonar uses several strategies to keep the analysis scalable: for example, summaries are refined and condensed during the analysis, and paths are analysed in a specific order.
CodeSonar's analysis engine finds more than one hundred different defect types, which are checked with "out-of-the-box" checkers.
In addition to these out-of-the-box checkers, CodeSonar offers several ways to create your own checkers.
Further information on this can be found under Create Customised Code Checkers in CodeSonar.
When analysing C and C++ code, the out-of-the-box checkers detect, among others, the following problems:
"Out-of-the-box" Defect Checks for C/C++ Code Include:
- Data Race Condition: Shared data accessed in an unsafe manner.
- Deadlock: Two or more threads prevent each other from making progress.
- Process Starvation
- Buffer Overrun: A read or write to data after the end of a buffer. -> Example
- Leak: Dynamically allocated storage has not been freed. -> Example
- Null Pointer Dereference: An attempt to dereference a pointer to the address 0. -> Example
- Type Overrun: An overrun of a boundary within an aggregate type.
- Type Underrun: An underrun of a boundary within an aggregate type.
- Divide By Zero: An attempt to perform integer division where the denominator is 0.
- Double Free: Two calls to free on the same object.
- Use After Free: A dereference of a pointer to a freed object.
- Free Non-Heap Variable: An attempt to free an object which was not allocated on the heap, such as a stack-allocated variable.
- Uninitialized Variable: An attempt to use the value of a variable that has not been initialized.
- Dangerous Function Cast: A function pointer is cast to another function pointer having an incompatible signature or return type.
- Delete[] Object Created by malloc: An attempt to release memory obtained with malloc using delete[].
- Delete[] Object Created by new: An attempt to release memory obtained with new using delete[].
- Delete Object Created by malloc: An attempt to release memory obtained with malloc using delete.
- Delete Object Created by new[]: An attempt to release memory obtained with new[] using delete.
- Free Object Created by new[]: An attempt to release memory obtained with new[] using free.
- Free Object Created by new: An attempt to release memory obtained with new using free.
- Missing Return Statement: At least one path through a non-void return-type function does not contain a return statement.
- Redundant Condition: Some condition is either always or never satisfied.
- Return Pointer To Local: A procedure returns a pointer to one of its local variables.
- Return Pointer To Freed: A procedure returns a pointer to memory that has already been freed.
- Unused Value: A variable is assigned a value, but that value is never subsequently used on any execution path.
- Useless Assignment: Some assignment always assigns the value that the variable being modified already has.
- Varargs Function Cast: A varargs function pointer is cast to another function pointer having different parameters or return type.
- Ignored Return Value: The value returned by some function has not been used.
- Free Null Pointer: An attempt to free a null pointer.
- Unreachable Code: Some of the code in a function is unreachable from the function entry point under any circumstances.
- Null Test After Dereference: A pointer is NULL-checked when it has already been dereferenced.
- Format String: A function that should have a format string passed in a particular argument position has been passed a string that either is not a format string or is from an untrusted source. (Potential security vulnerability.)
- Double Close: An attempt to close a file descriptor or file pointer twice.
- TOCTTOU Vulnerability: A time-of-check-to-time-of-use race condition that can create a security vulnerability.
- Double Lock: An attempt to lock a mutex twice.
- Double Unlock: An attempt to unlock a mutex twice.
- Try-lock that will never succeed: An attempt to lock a mutex that cannot possibly succeed.
- Misuse of Memory Allocation: Incorrect use of memory allocators.
- Misuse of Memory Copying: Incorrect use of copying functions.
- Misuse of Libraries: Misuse of standard library functions.
- User-Defined Bug Classes: Checks for arbitrary bug classes can be implemented through the CodeSonar extension functions.
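As an added illustration (constructed for this page, not CodeSonar's or GrammaTech's own example code), four of the listed defect classes written the way a path-sensitive checker would flag them, each beside the form that resolves the warning: Buffer Overrun, Leak, Null Pointer Dereference and Null Test After Dereference. The buffer size `NAME_LEN` and the function names are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
#define NAME_LEN 16   /* constructed fixed-size name buffer */

/* Buffer Overrun: strcpy() cannot know how large dst is. */
void copy_name_overrun(char *dst, const char *src) {
    strcpy(dst, src);                 /* writes past dst for a long src */
}
/* Fixed: refuse input that does not fit, so dst stays in bounds. */
int copy_name(char *dst, const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) return -1;     /* would overrun NAME_LEN bytes */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Leak: the early return for over-long input abandons buf. */
int digit_count_leaky(const char *s) {
    char *buf = malloc(NAME_LEN);
    if (buf == NULL) return -1;
    if (strlen(s) >= NAME_LEN) return -1;  /* buf is never freed here */
    strcpy(buf, s);
    int n = 0;
    for (const char *p = buf; *p; p++) n += (*p >= '0' && *p <= '9');
    free(buf);
    return n;
}
/* Fixed: every path after malloc() reaches the single free(). */
int digit_count(const char *s) {
    char *buf = malloc(NAME_LEN);
    if (buf == NULL) return -1;
    int n = -1;                       /* -1 reports rejected input */
    if (copy_name(buf, s) == 0) {
        n = 0;
        for (const char *p = buf; *p; p++) n += (*p >= '0' && *p <= '9');
    }
    free(buf);
    return n;
}

/* Null Pointer Dereference and Null Test After Dereference: strlen(name)
 * runs before the NULL check, so the check can no longer protect it. */
int name_ok_unchecked(const char *name) {
    size_t n = strlen(name);
    if (name == NULL) return 0;       /* flagged: tested after the use */
    return n < NAME_LEN;
}
/* Fixed: test first, dereference only afterwards. */
int name_ok(const char *name) {
    return name != NULL && strlen(name) < NAME_LEN;
}
```

The unchecked variants are kept only to show the pattern each checker reports; the checked variants are the ones a caller should use.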