Cppcheck-2.8

• Lifetime analysis can now track lifetime across user-defined constructors when they are inline and using member initializer list.
• SymbolDatabase can now deduce iterator types from how they are specified in the library files.
• ValueFlow can evaluate class member functions that return known values.
• Improve duplicateValueTenary to not warn when used as an lvalue or when one branch has side effects
• Fix variableScope to not warn when variables are used in lambda functions
• Fix unassignedVariable warnings when using structured bindings
• Fix redundantInitialization warning when variable is used in a lambda
• Fix variableScope warnings when using if/while init-statement
• Improve lifetime analysis when returning variadic template expressions
• Detect more statements with constStatement
• Detect variableScope for more types
• Improvements to unreadVariable
• Detect more instances of C style casts
• Warn if the return value of new is discarded
• The pre-ValueFlow uninitialized checker now uses a different ID as legacyUninitvar
• Extended library format to exclude specific function argument values

Cppcheck-2.7

Add support for container views. The view attribute has been added to the <container> library tag to specify the class is a view. The lifetime analysis has been updated to use this new attribute to find dangling lifetime containers.

Various checker improvements.

Fixed false positives.

Cppcheck-2.6

New checks in core cppcheck:

• missing return in function
• writing overlapping data, detect undefined behavior
• compared value is out of possible type range
• [perf] Copy elision optimization can't be applied for return std::move(local)
• file can not be opened for read and write access at the same time on different streams

Various improvements:

• Color output for diagnostics are added for unix-based platforms.
• Added symbolic analysis for ValueFlow. A simple delta is used to compute the difference between two unknown variable.
• Rules using the "define" tokenlist can also match #include as well.
• Library <function> tags can now use <container> tag, so free functions that accept containers such as std::size, std::empty, std::begin, std::end, etc. can specify the yields or action for the container.
• Library <smart-pointer> tag can specify a <unique> tag for smart pointers that have unique ownership. Cppcheck now warns about dangling references to smart pointers with unique ownership.
• Fixed problems when --cppcheck-build-dir is used, that should now work better. It is recommended to use --cppcheck-build-dir to speedup Cppcheck analysis.
• htmlreport can now output author information (using git blame)
• More warnings about variables that is not const but can be const

Misra C 2012 compliance has been "completed"
All Misra C 2012 rules have been implemented except 1.1 , 1.2 and 17.3. Including the rules in amendment 1 and amendment 2.
The rules 1.1 and 1.2 must be checked with a compiler.
The rule 17.3 can be checked by a compiler, for instance GCC.

Cppcheck-2.5

Parser:

• various fixes
• checked that all features in c++11, c++14, c++17 are supported
• c++20 support is improved but not complete yet

Core:

• improved library files, better knowledge about APIs
• improved checks to detect more bugs
• fixed checks to avoid unwanted warnings

Changed output:

• try to use relative paths when using compile databases, if compile database is accessed with relative path
• updated XML; The file0 attribute is moved from to

Misra:

• fixed crashes and false positives

New checks:

• suspicious container/iterator assignment in condition
• rethrow without current handled exception

Cppcheck-2.4.1

Fixed windows installer, a file needed by the Misra addon was missing.

Cppcheck-2.4

Fixed false negatives and false positives

New check; Detect one definition rule violations

Various improvements:

• MISRA improvements
• ImportProject fixes
• Various bug hunting improvements
• Fixes when importing AST from clang

Cppcheck-2.3

Improved C++ parser:

• types
• wrong operands in ast
• better simplification of templates

Improved clang import, various fixes.
Improved value flow analysis

Fixed false positives

Improved configuration in library files

• boost.cfg
• googletest.cfg
• qt.cfg
• windows.cfg
• wxwidgets.cfg

Added several Misra rules:

• 6.1
• 6.2
• 7.2
• 7.4
• 9.2
• 10.2
• 15.4

Added platforms:

• elbrus e1c+
• pic
• pic8
• mips

Cppcheck-2.2

New checks:

• incorrect usage of mutexes and lock guards
• Dereference end iterator
• Iterating a known empty container
• outOfBounds check for iterators to containers

Removed 'operator=' check that ensures reference to self is returned. That is not about safety.

Improved parser

• various ast fixes

Clang parser

• The Clang import feature in Cppcheck should be considered to be experimental for now. There are problems.

Improved bug hunting

• variable constraints
• handling of multidimension arrays
• function calls, execute functions that are in same TU
• improved handling of containers
• several improvements for uninitialized variables check
• improved analysis of for loops
• added a hash value for warnings that can be used for suppressions

Improved data flow

• one more heuristic for ternary operators
• improved data flow for containers

CLI:

• Fixed some addon execution problems when there are spaces etc

GUI:

• Fix handling of tags
• Exclude files

cppcheck-htmlreport:

• several result files can be combined into 1 output

Suppressions:

• comments can be added at end of suppression in suppressions file

Cppcheck-2.1

This is a minor release.

We have tweaked build scripts.

• When you use USE_Z3=yes, we will handle new versions of z3 better. If you have an old z3 library and get compilation problems you will need to add a z3_version.h in externals.
• The cmake scripts was updated.

There was a couple of bug fixes.

New check:

• for "expression % 1" the result is always 0.

Cppcheck-2.0

Overview

The command line is not changed drastically. Your old cppcheck scripts should work as before.

Compiling: There is a new dependency Z3. When compiling with the Makefile it is highly recommended to use "USE_Z3=yes".

Improved clang-tidy integration

Several fixes to;

• improve parsing
• detect more bugs with existing checks
• fix false alarms

Clang import

Clang is a C/C++ compiler that has a very robust and well made parser.

Cppcheck will always use its internal parser by default. However there is now an option to use the Clang parser instead.

It is recommended that you use the default internal Cppcheck parser unless you notice that it fails to parse your code properly (syntax errors, strange false alarms).

Bug hunting

There is a new "soundy" analysis in Cppcheck that should detect most bugs. You should expect false alarms, however the false alarms will not be overwhelming.

This new "soundy" analysis is not intended to replace normal Cppcheck analysis. There are use cases where false alarms can not be tolerated.

We have added 1 checker and that checks for division by zero:

• It detects all "integer division by zero" bugs in the Juliet test suite.
• It detects all "division by zero" bugs in the ITC test suite.
• There was 28 division by zero CVEs published in 2019 for C/C++ open source projects, and we could quickly see that 21 of the bugs are found by Cppcheck. There is no CVE bug that we know Cppcheck fails to diagnose. But there are 7 CVEs that would require additional investigation to establish if it is really detected or not.

You can read more about this analysis in the "Bug hunting" chapter in the manual.