| CodeSonar® 9.0p0 Hot Tips | CONFIDENTIAL | CodeSecure Inc |
Official release date: June 15, 2020.
| Warning Classes | Several changes: |
|---|---|
| Default Presets | You can now specify default presets to be used for all CodeSonar analyses. |
| Other Preset Changes | There is a new CodeSonar preset: intel. Three existing presets have been modified: all_warningclasses, thorough, and security. |
| Configuration Tool | New option 'Modify analysis settings' allows you to select certain default presets. |
| Configuration Parameters | There are new parameters, and factory settings for some existing parameters have changed. |
| Compiler Models | Many compiler models have bug fixes and improvements. |
| Library Models | There are many improvements to CodeSonar's shipped library models, resulting in improved checking for a number of warning classes. |
| Front End Improvements | Many front end crashes and parse errors have been fixed. |
| NetBSD Support | The supported NetBSD version is now 8.0. Version 6 is no longer supported. |
| Third Party Upgrades | A number of third party packages shipped with CodeSonar have been upgraded, in particular Curl and OpenSSL. See the Notices page for information, including version numbers, about all third party components. |
| Build/Analysis Options | New option -no-default-presets specifies that the build/analysis should be run without default presets (if any). |
| C# Build Options | Most build options now have one dash. |
| Extended Documentation for Third Party Static Analyzer Result Integration | The manual has been updated to describe: |
| Analysis Improvements | False positive rates for a number of warning classes have been reduced, especially the taint+dp warning classes. Checking for the set of warning classes enabled by the various MISRA-specific presets will now scale to much larger codebases without running out of memory. |
| Extension API | A number of Extension API functions/macros that involve int values now have size_t equivalents. |
| HTML5 Visualization Tool | The HTML5 Visualization Tool display panel has two new pieces of functionality: |
| API Changes | There are two new API methods. |
| AST Changes | There are a small number of changes to the set of unnormalized C/C++ AST classes, and a larger number of changes to the normalized C/C++ AST classes. |
| Safari Note | The Safari browser no longer supports the keygen tag, so the Generate and Save Certificate functionality is no longer available on the User Certificates page when it is viewed in Safari. Instead, Safari users can generate new user certificates for certificate-based user authentication using the procedure for Manually Generating and Uploading User Certificates. |
| Product Compatibility Notes | CodeSonar is not compatible with Avast Antivirus. |
Several changes.
There are nine new warning classes.
| New Warning Class | Mnemonic | Notes |
|---|---|---|
| Assembly Pragma | LANG.ASM.PRAGMA | Supports MisraC++2008:7-4-2. |
| Confusing Operator Overload | LANG.OPS.OVERLOADS | Supports MisraC++2008:5-2-11 and MisraC++2008:5-3-3. |
| Ellipsis | LANG.STRUCT.ELLIPSIS | Supports MisraC++2008:8-4-1. |
| Essential Type Diagnostic | DIAG.MISRA.ETYPE | Identifies the essential type category of every expression in the analyzed code. |
| Floating Point Equality | LANG.ARITH.FPEQUAL | Supports MisraC++2008:6-2-2 and Misra2004:13.3. |
| Pointed-to Type Could Be const | LANG.TYPE.CBCONST | Supports MisraC++2008:7-1-2, Misra2012:8.13, and Misra2004:16.7. |
| Using Declaration in Header File | LANG.STRUCT.USING.HDECL | Supports MisraC++2008:7-3-6. |
| Using Directive | LANG.STRUCT.USING.DIRECTIVE | Supports MisraC++2008:7-3-4. |
| Using Directive in Header File | LANG.STRUCT.USING.HDIR | Supports MisraC++2008:7-3-4 and MisraC++2008:7-3-6. |
You can now specify default presets to be used for all CodeSonar analyses.
Files with the extension .conf located in directory $CSONAR/codesonar/default_presets/ are automatically processed immediately after template.conf, as if you had specified them using -conf-file. The files are processed in lexicographical order of filename (as determined by strcmp).
Use the -no-default-presets command line option to run the build or analysis without invoking default presets.
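
Because the order is plain strcmp, it is byte-wise: `10-site.conf` sorts before `2-team.conf`, and uppercase names sort before lowercase ones. The C program below is an added example, not CodeSonar code; the file names are constructed, and the case-sensitive `.conf` match and the `preset_order` helper are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if name ends in ".conf" (case-sensitive matching is an assumption). */
static int has_conf_ext(const char *name)
{
    size_t n = strlen(name);
    return n > 5 && strcmp(name + n - 5, ".conf") == 0;
}

/* qsort comparator: plain strcmp on the file names, as the text describes. */
static int by_strcmp(const void *a, const void *b)
{
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Copy the .conf entries of names[0..n) into out[] in processing order.
 * Returns the number of entries written; out needs room for n pointers. */
size_t preset_order(const char *const *names, size_t n, const char **out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (has_conf_ext(names[i]))
            out[k++] = names[i];
    qsort(out, k, sizeof out[0], by_strcmp);
    return k;
}

/* Constructed listing of a default_presets/ directory (not real file names). */
static const char *const SAMPLE[] = {
    "2-team.conf", "10-site.conf", "Zebra.conf",
    "audit.conf", "notes.txt", "audit.conf.bak",
};
enum { SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0] };

int main(void)
{
    const char *order[SAMPLE_N];
    size_t k = preset_order(SAMPLE, SAMPLE_N, order);
    for (size_t i = 0; i < k; i++)
        printf("%zu: %s\n", i + 1, order[i]);
    return 0;
}
```

Zero-padded numeric prefixes (`02-`, `10-`) keep the processing order the same as the intended numeric order.
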
There is one new CodeSonar preset: intel.
There are also changes to three CodeSonar presets.
| Modified Preset | Changes |
|---|---|
| all_warningclasses | No longer enables warning classes with mnemonics of the form DIAG.*. These classes are for analysis diagnostics, rather than for warning about issues in your code. |
| thorough | Modified to reduce false positives. |
| security | Extended to be more useful for security audits. |
Most build options now use one dash. The double dash is deprecated. The following options now use a single dash:
There are new parameters, and some existing parameters have been modified.
| New Parameter | Purpose |
|---|---|
| ESSENTIAL_TYPE_DIAGNOSTIC_ENABLED | Specifies whether or not to report Essential Type Diagnostic warnings (warnings of this class are reported for all expressions). |
| IMPLICIT_INITIALIZER_ELT_LIMIT | Specifies an upper bound on the number of implicitly-zero-initialized array elements from a curly-brace initializer CodeSonar will explicitly track, on each end of the implicitly-initialized segment of the array. |
| MISRA_SHIFT_AMOUNT_EXCEEDS_BIT_WIDTH | Specifies whether Shift Amount Exceeds Bit Width checks should follow MISRA rules (as opposed to the C standards) for determining whether an arithmetic-shift operation exceeds the number of bits occupied by the left-hand operand of the operation. |
| TRANSACTION_BUFFER_SIZE_LIMIT | Specifies the maximum amount of memory (in megabytes) to allocate in the analysis master for a pending transaction. |
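
The distinction behind MISRA_SHIFT_AMOUNT_EXCEEDS_BIT_WIDTH, as an added example (not CodeSonar code or its checker logic): MISRA C:2012 Rule 12.2 bounds the shift amount by the width of the left operand's essential type, while the C standard bounds it by the width of the operand after integer promotion. The macro and function names are illustrative, and the macros apply to objects, not to integer constants.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Width in bits of the operand's own (essential) type: the Rule 12.2 limit. */
#define ESSENTIAL_BITS(x) (sizeof(x) * CHAR_BIT)
/* Width in bits after integer promotion (unary + promotes): the C limit. */
#define PROMOTED_BITS(x)  (sizeof(+(x)) * CHAR_BIT)

/* 1 if shifting a left operand that is width bits wide by amt is out of range. */
static int exceeds(size_t width, unsigned amt)
{
    return amt >= width;
}

struct verdict { int misra; int c_std; };

/* uint8_t left operand: promoted to int before the shift is performed. */
struct verdict check_u8(uint8_t v, unsigned amt)
{
    struct verdict r = { exceeds(ESSENTIAL_BITS(v), amt),
                         exceeds(PROMOTED_BITS(v), amt) };
    return r;
}

/* uint32_t left operand: where int is 32 bits there is no wider promoted
 * type, so both rules give the same answer. */
struct verdict check_u32(uint32_t v, unsigned amt)
{
    struct verdict r = { exceeds(ESSENTIAL_BITS(v), amt),
                         exceeds(PROMOTED_BITS(v), amt) };
    return r;
}

int main(void)
{
    struct verdict r = check_u8(0x81u, 9u);
    printf("uint8_t << 9: MISRA %s, C standard %s\n",
           r.misra ? "flags" : "accepts", r.c_std ? "flags" : "accepts");
    return 0;
}
```
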
| Modified Parameter | Change |
|---|---|
| IGNORED_COMPILATIONS | Now also applies to Java analyses. |
| RETURN_CHECKER_BUILT_IN_CHECKED_FUNCS | ^getchar$ removed from factory settings. |
| RETURN_CHECKER_BUILT_IN_CHECKED_PURE_FUNCS | ^posix_memalign$ added to factory settings. |
| RETURN_CHECKER_IGNORED_FUNCS | ^getchar$ added to factory settings. |
| PREPROCESS_IF_FAIL | Factory setting now Yes (previously No). |
Many compiler models have bug fixes and improvements. In particular:
Existing COMPILER_MODELS mappings to iar will continue to be handled—specifically, they will be passed in the first instance to the iccgeneric model, which will redirect to a more specific model if it is able to determine one from the native compiler basename—but we recommend updating any such rules to use a more specific model if one is suitable.
There are two new API methods/functions.
| C++ API | Python API | C API | Notes |
|---|---|---|---|
| procedure::basename() | procedure.basename() | cs_pdg_basename(), cs_pdg_basename_string() | Get the basename of a procedure: for use in constructing cross-referencing queries and examining query results. |
| point::is_implicit_actual_in() | point.is_implicit_actual_in() | cs_pdg_vertex_is_implicit_actual_in | An implicit actual-in can occur in C++ code where the callee returns a non-trivial C++ object. |
There are a small number of changes to the set of unnormalized C/C++ AST classes, and a larger number of changes to the normalized C/C++ AST classes.
We provide the canonical class name along with the names used in the various API implementations to help you locate any uses of these classes in your custom checks.
| Deleted Class | C++ (ast_class attribute) | Python (ast_class attribute) | C (enum symbol) |
|---|---|---|---|
| c:array-ref-all | ast_class::NC_ARRAYREFALL | ast_class.NC_ARRAYREFALL | csac_nc_arrayrefall |
| c:args | ast_class::NC_ARGS | ast_class.NC_ARGS | csac_nc_args |
| c:compound | ast_class::NC_ABSTRACT_COMPOUND | ast_class.NC_ABSTRACT_COMPOUND | csac_nc_abstract_compound |
| c:fullcall | ast_class::NC_FULLCALL | ast_class.NC_FULLCALL | csac_nc_fullcall |
| c:imaginary-value | ast_class::NC_IMAGINARY_VALUE | ast_class.NC_IMAGINARY_VALUE | csac_nc_imaginary_value |
| c:incdec | ast_class::NC_ABSTRACT_INCDEC | ast_class.NC_ABSTRACT_INCDEC | csac_nc_abstract_incdec |
| c:index-range | ast_class::NC_INDEX_RANGE | ast_class.NC_INDEX_RANGE | csac_nc_index_range |
| c:indices-list | ast_class::NC_INDICES_LIST | ast_class.NC_INDICES_LIST | csac_nc_indices_list |
| c:noexcept-expr | ast_class::NC_NOEXCEPTEXPR | ast_class.NC_NOEXCEPTEXPR | csac_nc_noexceptexpr |
| c:or | ast_class::NC_OREXPR | ast_class.NC_OREXPR | csac_nc_orexpr |
| c:or-assign | ast_class::NC_ORASSIGN | ast_class.NC_ORASSIGN | csac_nc_orassign |
| c:return-void-stmt | ast_class::NC_RETURN_VOID_STMT | ast_class.NC_RETURN_VOID_STMT | csac_nc_return_void_stmt |
| c:return-with-value-stmt | ast_class::NC_RETURN_WITH_VALUE_STMT | ast_class.NC_RETURN_WITH_VALUE_STMT | csac_nc_return_with_value_stmt |
| c:v++ | ast_class::NC_POSTINCEXPR | ast_class.NC_POSTINCEXPR | csac_nc_postincexpr |
| c:v-- | ast_class::NC_POSTDECEXPR | ast_class.NC_POSTDECEXPR | csac_nc_postdecexpr |
| c:++v | ast_class::NC_PREINCEXPR | ast_class.NC_PREINCEXPR | csac_nc_preincexpr |
| c:--v | ast_class::NC_PREDECEXPR | ast_class.NC_PREDECEXPR | csac_nc_predecexpr |
| c:x= | ast_class::NC_ABSTRACT_X_EQUALS | ast_class.NC_ABSTRACT_X_EQUALS | csac_nc_abstract_x_equals |
| c:*= | ast_class::NC_MULASSIGN | ast_class.NC_MULASSIGN | csac_nc_mulassign |
| c:/= | ast_class::NC_DIVASSIGN | ast_class.NC_DIVASSIGN | csac_nc_divassign |
| c:%= | ast_class::NC_MODASSIGN | ast_class.NC_MODASSIGN | csac_nc_modassign |
| c:+= | ast_class::NC_ADDASSIGN | ast_class.NC_ADDASSIGN | csac_nc_addassign |
| c:-= | ast_class::NC_SUBASSIGN | ast_class.NC_SUBASSIGN | csac_nc_subassign |
| c:<<= | ast_class::NC_LEFTASSIGN | ast_class.NC_LEFTASSIGN | csac_nc_leftassign |
| c:>>= | ast_class::NC_RIGHTASSIGN | ast_class.NC_RIGHTASSIGN | csac_nc_rightassign |
| c:&= | ast_class::NC_ANDASSIGN | ast_class.NC_ANDASSIGN | csac_nc_andassign |
| c:^= | ast_class::NC_XORASSIGN | ast_class.NC_XORASSIGN | csac_nc_xorassign |
| c:#= | ast_class::NC_BLOCKASSIGN | ast_class.NC_BLOCKASSIGN | csac_nc_blockassign |
| c:?: | ast_class::NC_IFTHENELSEEXPR | ast_class.NC_IFTHENELSEEXPR | csac_nc_ifthenelseexpr |
| c:&& | ast_class::NC_ANDEXPR | ast_class.NC_ANDEXPR | csac_nc_andexpr |
| c:! | ast_class::NC_NOTEXPR | ast_class.NC_NOTEXPR | csac_nc_notexpr |
| c:-> | ast_class::NC_POINTERREF | ast_class.NC_POINTERREF | csac_nc_pointerref |
| Modified Class | Changes |
|---|---|
| c:cast | parent class is now c:rvalue (previously c:lvalue) |
| c:complex | new child :element-type |
| c:complex-conj | parent class is now c:arithmetic (previously c:rvalue) |
| c:exprs | parent class is now c:rvalue (previously c:lvalue); no longer has :indices-list attribute |
| c:float | parent class is now c:abstract-float (previously c:abstract-type) |
| c:imaginary | parent class is now c:abstract-float (previously c:abstract-type) |
| c:label | parent class is now c:lvalue (previously c:rvalue) |
| c:routine | parent class is now c:lvalue (previously c:rvalue) |
| Modified Class | Changes |
|---|---|
| cc:scope | new child :using-directives |
A number of Extension API functions/macros that involve int values now have size_t equivalents.
| New size_t function/macro | Existing int equivalent |
|---|---|
| size_t csonar_taint_mux_size(size_t taintval, size_t nontaintval) | int csonar_taint_mux(int taintval, int nontaintval) |
| size_t csonar_taint_size_source_<NAME_OF_KIND>(void) | int csonar_taint_source_<NAME_OF_KIND>(void) |
| size_t cs_untrusted_size(void) | int cs_untrusted_value(void) |
| size_t csonar_bounded_size(size_t val, size_t lb, size_t ub) | int csonar_bounded_value(int val, int lb, int ub) |
| NUMBER | NAME | NOTES |
|---|---|---|
| 14185 | CodeSonar cored: Out Of Memory in CodeSonar MISRA project | fixed |
| 14288 | False Positive leak and double free warnings from std::list::erase | fixed |
| 16593 | Feature Request: Configuration How To | New manual pages explaining the following presets: stable_results, fast, and security. |
| 17779 | MISRA FN (Rule 12.2): "Shift Amount Exceeds Bit Width" | New configuration parameter MISRA_SHIFT_AMOUNT_EXCEEDS_BIT_WIDTH added. |
| 19269 | Use of '==' in our _atomic_compare_exchange and others | fixed |
| 19978 | False Positive: Front end drops curly brace array initializer | fixed |
| 20685 | Scope Could Be File static / Local static, and C++ variables | fixed |
| 21067 | Feature Request: Make it possible to not do a clean analysis after doing a Visual Studio build without CodeSonar | fixed; while using the Microsoft Visual Studio plugin for CodeSonar, you can choose to activate CodeSonar without cleaning. |
| 21161 | __STATIC_INLINE in armcc compiler conf | fixed |
| 21168 | targ_size_t_max on Windows | fixed |
| 21181 | Microsoft Visual Studio 2017 variadic templates not turned on? | fixed |
| 21218 | Enable binary numbers and non-standard anonymous unions in cl2000 | Updated the Ti CodeComposer compiler models: cl6x, armcl, cl2000, cl430. |
| 21403 | gcc compiler model does not preserve order of arguments | fixed |
| 24055 | Compiler-specific configuration setting causing parse errors | fixed |
| 24568 | Document streaming replication hub backup technique | Full instructions are provided in Task: Back Up and Restore a Hub Database. |
| 26562 | MISRA False Positive: Warning report does not include procedure name | fixed |
| 27611 | Number of warnings shown on a file line | fixed |
| 27865 | ParseIssueFetcher warning priority clause does not include warning filter, dropping results | fixed |
| 27969 | Commented-Out Code warning appears to only honor C-style multi-line comments | Separate but contiguous comments are now treated as a single comment in the Commented-out Code check; in particular, C++-style multiple line comments are treated as a single comment rather than multiple one line comments. |
| 28185 | IAR compiler parse error "incomplete type is not allowed" | fixed; the IAR compiler models now specify front end option --cs_flexible_array_members when the -e flag is used. |
| 28304 | Designated initializers, C++20 feature, parse errors in IAR compiler, | fixed |
| 28544 | Windows 10 Uninstall CodeSonar still in Apps & Features list | fixed |
| 28957 | Parse Errors: use of digraphs in the preprocessor is not properly supported | fixed |
| 29092 | NPD reported during analysis | fixed |
| 29331 | cs-metascan warning because cs-metascan.text.64.conf does not exist | fixed |
| 29363 | Exception Type:BadSummaryReML/MalformedXml, Exception Value: not well-formed (invalid token) - msg_metric_warning procedure attr not XML escaped | fixed |
| 29364 | Feature Request: Improvements to memcpy handling | fixed |
| 29455 | Working with Freescale hc12 compiler using the -ViewHidden flag to suppress the GUI doesn't work any more as expected. | fixed |
| 29544 | False Positive for Unchecked Parameter Dereference in C++ code | fixed |
| 30061 | Issues for the armcc compiler | fixed |
| 32293 | [EDGcpfe/22715] Limited length for include paths on windows | fixed |
| 32303 | [EDGcpfe/22673] Crash in Microsoft Visual Studio 2019 with analyzing C++ using cl with /clr option | fixed |
| 32734 | cl compiler model incompatible with some headers in VS 2019 | fixed |