Subject: CVS commit: pkgsrc/devel/cppcheck
From: Thomas Klausner
Date: 2020-06-29 15:06:51
Message id: 20200629130651.7A1A0FB28@cvs.NetBSD.org
Log Message:
cppcheck: update to 2.1.
2.1
This is a minor release.
We have tweaked build scripts.
* When you use USE_Z3=yes, we will handle new versions of z3 better.
If you have an old z3 library and get compilation problems you will
need to add a z3_version.h in externals.
* The cmake scripts were updated.
There were a couple of bug fixes.
New check:
* for "expression % 1" the result is always 0.
2.0
Overview
The command line is not changed drastically. Your old cppcheck
scripts should work as before.
Compiling: There is a new dependency Z3. When compiling with the
Makefile it is highly recommended to use "USE_Z3=yes".
Improved clang-tidy integration
Several fixes to:
* improve parsing
* detect more bugs with existing checks
* fix false alarms
Clang import
Clang is a C/C++ compiler that has a very robust and well made
parser.
Cppcheck will always use its internal parser by default. However
there is now an option to use the Clang parser instead.
It is recommended that you use the default internal Cppcheck parser
unless you notice that it fails to parse your code properly (syntax
errors, strange false alarms).
Bug hunting
There is a new "soundy" analysis in Cppcheck that should detect
most bugs. You should expect false alarms, however the false alarms
will not be overwhelming.
This new "soundy" analysis is not intended to replace normal Cppcheck
analysis. There are use cases where false alarms can not be tolerated.
We have added 1 checker and that checks for division by zero:
* It detects all "integer division by zero" bugs in the Juliet
test suite.
* It detects all "division by zero" bugs in the ITC test suite.
There were 28 division by zero CVEs published in 2019 for C/C++
open source projects, and we could quickly see that 21 of the
bugs are found by Cppcheck. There is no CVE bug that we know
Cppcheck fails to diagnose. But there are 7 CVEs that would
require additional investigation to establish if it is really
detected or not.
You can read more about this analysis in the "Bug hunting" chapter
in the manual.