How It Works

Like a compiler, CodeSonar does a build of your code, but instead of creating object code it creates an abstract representation of the program. After the individual files are built, a synthesis phase combines the results into a whole-program model. The model is symbolically executed and the analysis keeps track of variables and how they are related. Warnings are generated when anomalies are encountered. CodeSonar does not need test cases and works with the existing build system.

CodeSonar Product Data Sheet

A detailed technical description of how CodeSonar works can be found here.

Representative List of CodeSonar Checks

Buffer Overrun: A read or write to data after the end of a buffer.
Buffer Underrun: A read or write to data before the beginning of a buffer.
Type Overrun: An overrun of a boundary within an aggregate type.
Type Underrun: An underrun of a boundary within an aggregate type.
Null Pointer Dereference: An attempt to dereference a pointer to the address 0.
Divide By Zero: An attempt to perform integer division where the denominator is 0.
Double Free: Two calls to free on the same object.
Use After Free: A dereference of a pointer to a freed object.
Free Non-Heap Variable: An attempt to free an object which was not allocated on the heap, such as a stack-allocated variable.
Uninitialized Variable: An attempt to use the value of a variable that has not been initialized.
Leak: Dynamically allocated storage has not been freed.
Dangerous Function Cast: A function pointer is cast to another function pointer having an incompatible signature or return type.
Delete[] Object Created by malloc: An attempt to release memory obtained with malloc using delete[]
Delete[] Object Created by new: An attempt to release memory obtained with new using delete[]
Delete Object Created by malloc: An attempt to release memory obtained with malloc using delete
Delete Object Created by new[]: An attempt to release memory obtained with new[] using delete
Free Object Created by new[]: An attempt to release memory obtained with new[] using free
Free Object Created by new: An attempt to release memory obtained with new using free
Missing Return Statement: At least one path through a non-void return-type function does not contain a return statement.
Redundant Condition: Some condition is either always or never satisfied.
Return Pointer To Local: A procedure returns a pointer to one of its local variables.
Return Pointer To Freed: A procedure returns a pointer to memory that has already been freed.
Unused Value: A variable is assigned a value, but that value is never subsequently used on any execution path.
Useless Assignment: Some assignment always assigns the value that the variable being modified already has.
Varargs Function Cast: A varargs function pointer is cast to another function pointer having different parameters or return type.
Ignored Return Value: The value returned by some function has not been used.
Free Null Pointer: An attempt to free a null pointer.
Unreachable Code: Some of the code in a function is unreachable from the function entry point under any circumstances.
Null Test After Dereference: A pointer is NULL-checked when it has already been dereferenced.
Format String: A function that should have a format string passed in a particular argument position has been passed a string that either is not a format string or is from an untrusted source. (Potential security vulnerability.)
Double Close: An attempt to close a file descriptor or file pointer twice.
TOCTTOU Vulnerability: A time-of-check-to-time-of-use race condition that can create a security vulnerability.
Double Lock: An attempt to lock a mutex twice.
Double Unlock: An attempt to unlock a mutex twice.
Try-lock that will never succeed: An attempt to lock a mutex that cannot possibly succeed.
Misuse of Memory Allocation: Incorrect use of memory allocators.
Misuse of Memory Copying: Incorrect use of copying functions.
Misuse of Libraries: Misuse of standard library functions.
User-Defined Bug Classes: Checks for arbitrary bug classes can be implemented through the CodeSonar extension functions.