extraclangtools - Man Page

Name

extraclangtools ā€” Extra Clang Tools Documentation

Welcome to the clang-tools-extra project which contains extra tools built using Clang's tooling APIs.

Extra Clang Tools 19.1.4 Release Notes

Written by the LLVM Team

Introduction

This document contains the release notes for the Extra Clang Tools, part of the Clang release 19.1.4. Here we describe the status of the Extra Clang Tools in some detail, including major improvements from the previous release and new feature work. All LLVM releases may be downloaded from the LLVM releases web site.

For more information about Clang or LLVM, including information about the latest release, please see the Clang Web Site or the LLVM Web Site.

Note that if you are reading this file from a Git checkout or the main Clang web page, this document applies to the next release, not the current one. To see the release notes for a specific release, please see the releases page.

What's New in Extra Clang Tools 19.1.4?

Some of the major new features and improvements to Extra Clang Tools are listed here. Generic improvements to Extra Clang Tools as a whole or to its underlying infrastructure are described first, followed by tool-specific sections.

Major New Features

...

Improvements to clangd

  • Introduced exmperimental support for C++20 Modules. The experimental support can be enabled by -experimental-modules-support option. It is in an early development stage and may not perform efficiently in real-world scenarios.

Inlay hints

Diagnostics

Semantic Highlighting

  • Improved semantic token coverage in some edge cases, e.g. IndirectFieldDecl

Compile flags

Hover

Code completion

  • --function-arg-placeholders=0 is now respected for variable template argument lists

    as well

  • Macro proposals now use the completion item kind Constant (for object-like macros) or Function (for function-style macros) even for proposals coming from the index

Code actions

  • The "extract variable" tweak is no longer offered for the initializer expression of a declaration
  • The tweak for turning unscoped into scoped enums now removes redundant prefixes from the enum values.
  • Support "move function body out-of-line" in non-header files as well

Signature help

  • Signature help now shows function argument names for calls through pointers to functions in struct fields

Cross-references

  • Improve go-to-definition for some concept references

Document outline

  • Improved precision of document outline information for symbols whose definitions involve macro expansions

Clang-tidy integration

  • The quick fix for clang-tidy's readability-identifier-naming diagnostic is now hooked to invoke textDocument/rename, renaming the identifier across the whole project rather than just the translation unit of the diagnostic
  • misc-const-correctness can now be enabled with FastCheckFilter: None (previously clangd would force it off unconditionally due to its run time)

Objective-C

  • Added support for renaming Objective-C methods

Miscellaneous

  • Worked around a clang-format bug that caused memory exhaustion when opening some large .h files due to the formatter's language guessing heuristic (#GH85703)
  • Various other stability improvements, e.g. crash fixes
  • Added a boolean option AnalyzeAngledIncludes to Includes config section, which allows to enable unused includes detection for all angled ("system") headers. At this moment umbrella headers are not supported, so enabling this option may result in false-positives.

Improvements to clang-doc

Improvements to clang-query

  • Added the file command to dynamically load a list of commands and matchers from an external file, allowing the cost of reading the compilation database and building the AST to be imposed just once for faster prototyping.
  • Removed support for enable output srcloc. Fixes #GH82591

Improvements to clang-rename

The improvements are...

Improvements to clang-tidy

  • Improved run-clang-tidy.py script. Added argument -source-filter to filter source files from the compilation database, via a RegEx. In a similar fashion to what -header-filter does for header files. Added progress indicator with a number of processed files and the runtime of each invocation after completion.
  • Improved check_clang_tidy.py script. Added argument -export-fixes to aid in clang-tidy and test development.
  • Fixed bug where big values for unsigned check options overflowed into negative values when being printed with --dump-config.
  • Fixed --verify-config option not properly parsing checks when using the literal operator in the .clang-tidy config.
  • Added argument --exclude-header-filter and config option ExcludeHeaderFilterRegex to exclude headers from analysis via a RegEx.
  • Added argument --allow-no-checks to suppress "no checks enabled" error when disabling all of the checks by --checks='-*'.

New checks

  • New boost-use-ranges check.

    Detects calls to standard library iterator algorithms that could be replaced with a Boost ranges version instead.

  • New bugprone-crtp-constructor-accessibility check.

    Detects error-prone Curiously Recurring Template Pattern usage, when the CRTP can be constructed outside itself and the derived class.

  • New bugprone-pointer-arithmetic-on-polymorphic-object check.

    Finds pointer arithmetic performed on classes that contain a virtual function.

  • New bugprone-return-const-ref-from-parameter check.

    Detects return statements that return a constant reference parameter as constant reference. This may cause use-after-free errors if the caller uses xvalues as arguments.

  • New bugprone-suspicious-stringview-data-usage check.

    Identifies suspicious usages of std::string_view::data() that could lead to reading out-of-bounds data due to inadequate or incorrect string null termination.

  • New misc-use-internal-linkage check.

    Detects variables and functions that can be marked as static or moved into an anonymous namespace to enforce internal linkage.

  • New modernize-min-max-use-initializer-list check.

    Replaces nested std::min and std::max calls with an initializer list where applicable.

  • New modernize-use-designated-initializers check.

    Finds initializer lists for aggregate types that could be written as designated initializers instead.

  • New modernize-use-ranges check.

    Detects calls to standard library iterator algorithms that could be replaced with a ranges version instead.

  • New modernize-use-std-format check.

    Converts calls to absl::StrFormat, or other functions via configuration options, to C++20's std::format, or another function via a configuration option, modifying the format string appropriately and removing now-unnecessary calls to std::string::c_str() and std::string::data().

  • New readability-enum-initial-value check.

    Enforces consistent style for enumerators' initialization, covering three styles: none, first only, or all initialized explicitly.

  • New readability-math-missing-parentheses check.

    Check for missing parentheses in mathematical expressions that involve operators of different priorities.

  • New readability-use-std-min-max check.

    Replaces certain conditional statements with equivalent calls to std::min or std::max.

New check aliases

  • New alias cert-ctr56-cpp to bugprone-pointer-arithmetic-on-polymorphic-object was added.
  • New alias cert-int09-c to readability-enum-initial-value was added.

Changes in existing checks

  • Improved bugprone-assert-side-effect check by detecting side effect from calling a method with non-const reference parameters.
  • Improved bugprone-assignment-in-if-condition check by ignoring assignments in the C++20 requires clause.
  • Improved bugprone-casting-through-void check by ignoring casts where source is already a void` pointer, making middle void pointer casts bug-free.
  • Improved bugprone-exception-escape Ā check to correctly detect exception handler of type CV void * as catching all Ā CV compatible pointer types.
  • Improved bugprone-forwarding-reference-overload check to ignore deleted constructors which won't hide other overloads.
  • Improved bugprone-implicit-widening-of-multiplication-result check by adding an option to ignore constant expressions of signed integer types that fit in the source expression type.
  • Improved bugprone-inc-dec-in-conditions check to ignore code within unevaluated contexts, such as decltype.
  • Improved bugprone-lambda-function-name check by ignoring __func__ macro in lambda captures, initializers of default parameters and nested function declarations.
  • Improved bugprone-multi-level-implicit-pointer-conversion check by ignoring implicit pointer conversions that are part of a cast expression.
  • Improved bugprone-non-zero-enum-to-bool-conversion check by eliminating false positives resulting from direct usage of bitwise operators within parentheses.
  • Improved bugprone-optional-value-conversion check by eliminating false positives resulting from use of optionals in unevaluated context.
  • Improved bugprone-sizeof-expression check by clarifying the diagnostics, eliminating some false positives and adding a new (off-by-default) option WarnOnSizeOfPointer that reports all sizeof(pointer) expressions (except for a few that are idiomatic).
  • Improved bugprone-suspicious-include check by replacing the local options HeaderFileExtensions and ImplementationFileExtensions by the global options of the same name.
  • Improved bugprone-too-small-loop-variable check by incorporating better support for const loop boundaries.
  • Improved bugprone-unused-local-non-trivial-variable check by ignoring local variable with [maybe_unused] attribute.
  • Improved bugprone-unused-return-value check by updating the parameter CheckedFunctions to support regexp, avoiding false positive for function with the same prefix as the default argument, e.g. std::unique_ptr and std::unique, avoiding false positive for assignment operator overloading.
  • Improved bugprone-use-after-move check to also handle calls to std::forward. Fixed sequencing of designated initializers. Fixed sequencing of callees: In C++17 and later, the callee of a function is guaranteed to be sequenced before the arguments, so don't warn if the use happens in the callee and the move happens in one of the arguments.
  • Improved cppcoreguidelines-avoid-non-const-global-variables check with a new option AllowInternalLinkage to disable the warning for variables with internal linkage.
  • Improved cppcoreguidelines-macro-usage check by ignoring macro with hash preprocessing token.
  • Improved cppcoreguidelines-missing-std-forward check by no longer giving false positives for deleted functions, by fixing false negatives when only a few parameters are forwarded and by ignoring parameters without a name (unused arguments).
  • Improved cppcoreguidelines-owning-memory check to properly handle return type in lambdas and in nested functions.
  • Improved cppcoreguidelines-prefer-member-initializer check by removing enforcement of rule C.48, which was deprecated since clang-tidy 17. This rule is now covered by cppcoreguidelines-use-default-member-init. Fixed incorrect hints when using list-initialization.
  • Improved cppcoreguidelines-special-member-functions check with a new option AllowImplicitlyDeletedCopyOrMove, which removes the requirement for explicit copy or move special member functions when they are already implicitly deleted.
  • Improved google-build-namespaces check by replacing the local option HeaderFileExtensions by the global option of the same name.
  • Improved google-explicit-constructor check to better handle C++20 explicit(bool).
  • Improved google-global-names-in-headers check by replacing the local option HeaderFileExtensions by the global option of the same name.
  • Improved google-runtime-int check performance through optimizations.
  • Improved hicpp-signed-bitwise check by ignoring false positives involving positive integer literals behind implicit casts when IgnorePositiveIntegerLiterals is enabled.
  • Improved hicpp-ignored-remove-result check by ignoring other functions with same prefixes as the target specific functions.
  • Improved linuxkernel-must-check-errs check documentation to consistently use the check's proper name.
  • Improved llvm-header-guard check by replacing the local option HeaderFileExtensions by the global option of the same name.
  • Improved misc-const-correctness check by avoiding infinite recursion for recursive functions with forwarding reference parameters and reference variables which refer to themselves. Also adapted the check to work with function-try-blocks.
  • Improved misc-definitions-in-headers check by replacing the local option HeaderFileExtensions by the global option of the same name. Additionally, the option UseHeaderFileExtensions is removed, so that the check uses the HeaderFileExtensions option unconditionally.
  • Improved misc-header-include-cycle check by avoiding crash for self include cycles.
  • Improved misc-unused-using-decls check by replacing the local option HeaderFileExtensions by the global option of the same name.
  • Improved misc-use-anonymous-namespace check by replacing the local option HeaderFileExtensions by the global option of the same name.
  • Improved modernize-avoid-c-arrays check by introducing the new AllowStringArrays option, enabling the exclusion of array types with deduced length initialized from string literals.
  • Improved modernize-loop-convert check by ensuring that fix-its don't remove parentheses used in sizeof calls when they have array index accesses as arguments.
  • Improved modernize-use-constraints check by fixing a crash that occurred in some scenarios and excluding system headers from analysis.
  • Improved modernize-use-nullptr check to include support for C23, which also has introduced the nullptr keyword.
  • Improved modernize-use-override check to also remove any trailing whitespace when deleting the virtual keyword.
  • Improved modernize-use-starts-ends-with check to also handle calls to compare method.
  • Improved modernize-use-std-print check to not crash if the format string parameter of the function to be replaced is not of the expected type.
  • Improved modernize-use-using check by adding support for detection of typedefs declared on function level.
  • Improved performance-inefficient-vector-operation fixing false negatives caused by different variable definition type and variable initial value type in loop initialization expression.
  • Improved performance-move-const-arg check by ignoring std::move() calls when their target is used as an rvalue.
  • Improved performance-unnecessary-copy-initialization check by detecting more cases of constant access. In particular, pointers can be analyzed, so the check now handles the common patterns const auto e = (*vector_ptr)[i] and const auto e = vector_ptr->at(i);. Calls to mutable function where there exists a const overload are also handled. Fix crash in the case of a non-member operator call.
  • Improved performance-unnecessary-value-param check detecting more cases for template functions including lambdas with auto. E.g., std::sort(a.begin(), a.end(), [](auto x, auto y) { return a > b; }); will be detected for expensive to copy types. Fixed false positives for dependent call expressions.
  • Improved readability-avoid-return-with-void-value check by adding fix-its.
  • Improved readability-const-return-type check to eliminate false positives when returning types with const not at the top level.
  • Improved readability-container-size-empty check to prevent false positives when utilizing size or length methods that accept parameter. Fixed crash when facing template user defined literals.
  • Improved readability-duplicate-include check by excluding include directives that form the filename using macro.
  • Improved readability-else-after-return check to ignore if consteval statements, for which the else branch must not be removed.
  • Improved readability-identifier-naming check in GetConfigPerFile mode by resolving symbolic links to header files. Fixed handling of Hungarian Prefix when configured to LowerCase. Added support for renaming designated initializers. Added support for renaming macro arguments. Fixed renaming conflicts arising from out-of-line member function template definitions.
  • Improved readability-implicit-bool-conversion check to provide valid fix suggestions for static_cast without a preceding space and fixed problem with duplicate parentheses in double implicit casts. Corrected the fix suggestions for C23 and later by using C-style casts instead of static_cast. Fixed false positives in C++20 spaceship operator by ignoring casts in implicit and defaulted functions.
  • Improved readability-non-const-parameter check to not crash when redeclaration have fewer parameters than expected.
  • Improved readability-redundant-inline-specifier check to properly emit warnings for static data member with an in-class initializer.
  • Improved readability-redundant-member-init check to avoid false-positives when type of the member does not match the type of the initializer.
  • Improved readability-static-accessed-through-instance check to support calls to overloaded operators as base expression and provide fixes to expressions with side-effects.
  • Improved readability-simplify-boolean-expr check to avoid to emit warning for macro when IgnoreMacro option is enabled and improve messages when auto-fix does not work.
  • Improved readability-static-definition-in-anonymous-namespace check by resolving fix-it overlaps in template code by disregarding implicit instances.
  • Improved readability-string-compare check to also detect usages of std::string_view::compare. Added a StringLikeClasses option to detect usages of compare method in custom string-like classes.

Removed checks

  • Removed cert-dcl21-cpp, which was deprecated since clang-tidy 17, since the rule DCL21-CPP has been removed from the CERT guidelines.

Miscellaneous

  • Fixed incorrect formatting in clang-apply-replacements when no --format option is specified. Now clang-apply-replacements applies formatting only with the option.

Improvements to include-fixer

The improvements are...

Improvements to clang-include-fixer

The improvements are...

Improvements to modularize

The improvements are...

Improvements to pp-trace

Clang-tidy Visual Studio plugin

Clang-Tidy

Contents

  • Clang-Tidy

    • Using clang-tidy
    • Suppressing Undesired Diagnostics

See also:

Clang-Tidy Checks

abseil-cleanup-ctad

Suggests switching the initialization pattern of absl::Cleanup instances from the factory function to class template argument deduction (CTAD), in C++17 and higher.

auto c1 = absl::MakeCleanup([] {});

const auto c2 = absl::MakeCleanup(std::function<void()>([] {}));

becomes

absl::Cleanup c1 = [] {};

const absl::Cleanup c2 = std::function<void()>([] {});

abseil-duration-addition

Check for cases where addition should be performed in the absl::Time domain. When adding two values, and one is known to be an absl::Time, we can infer that the other should be interpreted as an absl::Duration of a similar scale, and make that inference explicit.

Examples:

// Original - Addition in the integer domain
int x;
absl::Time t;
int result = absl::ToUnixSeconds(t) + x;

// Suggestion - Addition in the absl::Time domain
int result = absl::ToUnixSeconds(t + absl::Seconds(x));

abseil-duration-comparison

Checks for comparisons which should be in the absl::Duration domain instead of the floating point or integer domains.

N.B.: In cases where a Duration was being converted to an integer and then compared against a floating-point value, truncation during the Duration conversion might yield a different result. In practice this is very rare, and still indicates a bug which should be fixed.

Examples:

// Original - Comparison in the floating point domain
double x;
absl::Duration d;
if (x < absl::ToDoubleSeconds(d)) ...

// Suggested - Compare in the absl::Duration domain instead
if (absl::Seconds(x) < d) ...


// Original - Comparison in the integer domain
int x;
absl::Duration d;
if (x < absl::ToInt64Microseconds(d)) ...

// Suggested - Compare in the absl::Duration domain instead
if (absl::Microseconds(x) < d) ...

abseil-duration-conversion-cast

Checks for casts of absl::Duration conversion functions, and recommends the right conversion function instead.

Examples:

// Original - Cast from a double to an integer
absl::Duration d;
int i = static_cast<int>(absl::ToDoubleSeconds(d));

// Suggested - Use the integer conversion function directly.
int i = absl::ToInt64Seconds(d);


// Original - Cast from a double to an integer
absl::Duration d;
double x = static_cast<double>(absl::ToInt64Seconds(d));

// Suggested - Use the integer conversion function directly.
double x = absl::ToDoubleSeconds(d);

Note: In the second example, the suggested fix could yield a different result, as the conversion to integer could truncate. In practice, this is very rare, and you should use absl::Trunc to perform this operation explicitly instead.

abseil-duration-division

absl::Duration arithmetic works like it does with integers. That means that division of two absl::Duration objects returns an int64 with any fractional component truncated toward 0. See this link for more information on arithmetic with absl::Duration.

For example:

absl::Duration d = absl::Seconds(3.5);
int64 sec1 = d / absl::Seconds(1);     // Truncates toward 0.
int64 sec2 = absl::ToInt64Seconds(d);  // Equivalent to division.
assert(sec1 == 3 && sec2 == 3);

double dsec = d / absl::Seconds(1);  // WRONG: Still truncates toward 0.
assert(dsec == 3.0);

If you want floating-point division, you should use either the absl::FDivDuration() function, or one of the unit conversion functions such as absl::ToDoubleSeconds(). For example:

absl::Duration d = absl::Seconds(3.5);
double dsec1 = absl::FDivDuration(d, absl::Seconds(1));  // GOOD: No truncation.
double dsec2 = absl::ToDoubleSeconds(d);                 // GOOD: No truncation.
assert(dsec1 == 3.5 && dsec2 == 3.5);

This check looks for uses of absl::Duration division that is done in a floating-point context, and recommends the use of a function that returns a floating-point value.

abseil-duration-factory-float

Checks for cases where the floating-point overloads of various absl::Duration factory functions are called when the more-efficient integer versions could be used instead.

This check will not suggest fixes for literals which contain fractional floating point values or non-literals. It will suggest removing superfluous casts.

Examples:

// Original - Providing a floating-point literal.
absl::Duration d = absl::Seconds(10.0);

// Suggested - Use an integer instead.
absl::Duration d = absl::Seconds(10);


// Original - Explicitly casting to a floating-point type.
absl::Duration d = absl::Seconds(static_cast<double>(10));

// Suggested - Remove the explicit cast
absl::Duration d = absl::Seconds(10);

abseil-duration-factory-scale

Checks for cases where arguments to absl::Duration factory functions are scaled internally and could be changed to a different factory function. This check also looks for arguments with a zero value and suggests using absl::ZeroDuration() instead.

Examples:

// Original - Internal multiplication.
int x;
absl::Duration d = absl::Seconds(60 * x);

// Suggested - Use absl::Minutes instead.
absl::Duration d = absl::Minutes(x);


// Original - Internal division.
int y;
absl::Duration d = absl::Milliseconds(y / 1000.);

// Suggested - Use absl:::Seconds instead.
absl::Duration d = absl::Seconds(y);


// Original - Zero-value argument.
absl::Duration d = absl::Hours(0);

// Suggested = Use absl::ZeroDuration instead
absl::Duration d = absl::ZeroDuration();

abseil-duration-subtraction

Checks for cases where subtraction should be performed in the absl::Duration domain. When subtracting two values, and the first one is known to be a conversion from absl::Duration, we can infer that the second should also be interpreted as an absl::Duration, and make that inference explicit.

Examples:

// Original - Subtraction in the double domain
double x;
absl::Duration d;
double result = absl::ToDoubleSeconds(d) - x;

// Suggestion - Subtraction in the absl::Duration domain instead
double result = absl::ToDoubleSeconds(d - absl::Seconds(x));

// Original - Subtraction of two Durations in the double domain
absl::Duration d1, d2;
double result = absl::ToDoubleSeconds(d1) - absl::ToDoubleSeconds(d2);

// Suggestion - Subtraction in the absl::Duration domain instead
double result = absl::ToDoubleSeconds(d1 - d2);

Note: As with other clang-tidy checks, it is possible that multiple fixes may overlap (as in the case of nested expressions), so not all occurrences can be transformed in one run. In particular, this may occur for nested subtraction expressions. Running clang-tidy multiple times will find and fix these overlaps.

abseil-duration-unnecessary-conversion

Finds and fixes cases where absl::Duration values are being converted to numeric types and back again.

Floating-point examples:

// Original - Conversion to double and back again
absl::Duration d1;
absl::Duration d2 = absl::Seconds(absl::ToDoubleSeconds(d1));

// Suggestion - Remove unnecessary conversions
absl::Duration d2 = d1;

// Original - Division to convert to double and back again
absl::Duration d2 = absl::Seconds(absl::FDivDuration(d1, absl::Seconds(1)));

// Suggestion - Remove division and conversion
absl::Duration d2 = d1;

Integer examples:

// Original - Conversion to integer and back again
absl::Duration d1;
absl::Duration d2 = absl::Hours(absl::ToInt64Hours(d1));

// Suggestion - Remove unnecessary conversions
absl::Duration d2 = d1;

// Original - Integer division followed by conversion
absl::Duration d2 = absl::Seconds(d1 / absl::Seconds(1));

// Suggestion - Remove division and conversion
absl::Duration d2 = d1;

Unwrapping scalar operations:

// Original - Multiplication by a scalar
absl::Duration d1;
absl::Duration d2 = absl::Seconds(absl::ToInt64Seconds(d1) * 2);

// Suggestion - Remove unnecessary conversion
absl::Duration d2 = d1 * 2;

Note: Converting to an integer and back to an absl::Duration might be a truncating operation if the value is not aligned to the scale of conversion. In the rare case where this is the intended result, callers should use absl::Trunc to truncate explicitly.

abseil-faster-strsplit-delimiter

Finds instances of absl::StrSplit() or absl::MaxSplits() where the delimiter is a single character string literal and replaces with a character. The check will offer a suggestion to change the string literal into a character. It will also catch code using absl::ByAnyChar() for just a single character and will transform that into a single character as well.

These changes will give the same result, but using characters rather than single character string literals is more efficient and readable.

Examples:

// Original - the argument is a string literal.
for (auto piece : absl::StrSplit(str, "B")) {

// Suggested - the argument is a character, which causes the more efficient
// overload of absl::StrSplit() to be used.
for (auto piece : absl::StrSplit(str, 'B')) {


// Original - the argument is a string literal inside absl::ByAnyChar call.
for (auto piece : absl::StrSplit(str, absl::ByAnyChar("B"))) {

// Suggested - the argument is a character, which causes the more efficient
// overload of absl::StrSplit() to be used and we do not need absl::ByAnyChar
// anymore.
for (auto piece : absl::StrSplit(str, 'B')) {


// Original - the argument is a string literal inside absl::MaxSplits call.
for (auto piece : absl::StrSplit(str, absl::MaxSplits("B", 1))) {

// Suggested - the argument is a character, which causes the more efficient
// overload of absl::StrSplit() to be used.
for (auto piece : absl::StrSplit(str, absl::MaxSplits('B', 1))) {

abseil-no-internal-dependencies

Warns if code using Abseil depends on internal details. If something is in a namespace that includes the word "internal", code is not allowed to depend upon it because it's an implementation detail. They cannot friend it, include it, you mention it or refer to it in any way. Doing so violates Abseil's compatibility guidelines and may result in breakage. See https://abseil.io/about/compatibility for more information.

The following cases will result in warnings:

absl::strings_internal::foo();
// warning triggered on this line
class foo {
  friend struct absl::container_internal::faa;
  // warning triggered on this line
};
absl::memory_internal::MakeUniqueResult();
// warning triggered on this line

abseil-no-namespace

Ensures code does not open namespace absl as that violates Abseil's compatibility guidelines. Code should not open namespace absl as that conflicts with Abseil's compatibility guidelines and may result in breakage.

Any code that uses:

namespace absl {
 ...
}

will be prompted with a warning.

See the full Abseil compatibility guidelines for more information.

abseil-redundant-strcat-calls

Suggests removal of unnecessary calls to absl::StrCat when the result is being passed to another call to absl::StrCat or absl::StrAppend.

The extra calls cause unnecessary temporary strings to be constructed. Removing them makes the code smaller and faster.

Examples:

std::string s = absl::StrCat("A", absl::StrCat("B", absl::StrCat("C", "D")));
//before

std::string s = absl::StrCat("A", "B", "C", "D");
//after

absl::StrAppend(&s, absl::StrCat("E", "F", "G"));
//before

absl::StrAppend(&s, "E", "F", "G");
//after

abseil-str-cat-append

Flags uses of absl::StrCat() to append to a std::string. Suggests absl::StrAppend() should be used instead.

The extra calls cause unnecessary temporary strings to be constructed. Removing them makes the code smaller and faster.

a = absl::StrCat(a, b); // Use absl::StrAppend(&a, b) instead.

Does not diagnose cases where absl::StrCat() is used as a template argument for a functor.

abseil-string-find-startswith

Checks whether a std::string::find() or std::string::rfind() (and corresponding std::string_view methods) result is compared with 0, and suggests replacing with absl::StartsWith(). This is both a readability and performance issue.

starts_with was added as a built-in function on those types in C++20. If available, prefer enabling modernize-use-starts-ends-with instead of this check.

string s = "...";
if (s.find("Hello World") == 0) { /* do something */ }
if (s.rfind("Hello World", 0) == 0) { /* do something */ }

becomes

string s = "...";
if (absl::StartsWith(s, "Hello World")) { /* do something */ }
if (absl::StartsWith(s, "Hello World")) { /* do something */ }

Options

StringLikeClasses

Semicolon-separated list of names of string-like classes. By default both std::basic_string and std::basic_string_view are considered. The list of methods to be considered is fixed.

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

AbseilStringsMatchHeader

The location of Abseil's strings/match.h. Defaults to absl/strings/match.h.

abseil-string-find-str-contains

Finds s.find(...) == string::npos comparisons (for various string-like types) and suggests replacing with absl::StrContains().

This improves readability and reduces the likelihood of accidentally mixing find() and npos from different string-like types.

By default, "string-like types" includes ::std::basic_string, ::std::basic_string_view, and ::absl::string_view. See the StringLikeClasses option to change this.

std::string s = "...";
if (s.find("Hello World") == std::string::npos) { /* do something */ }

absl::string_view a = "...";
if (absl::string_view::npos != a.find("Hello World")) { /* do something */ }

becomes

std::string s = "...";
if (!absl::StrContains(s, "Hello World")) { /* do something */ }

absl::string_view a = "...";
if (absl::StrContains(a, "Hello World")) { /* do something */ }

Options

StringLikeClasses

Semicolon-separated list of names of string-like classes. By default includes ::std::basic_string, ::std::basic_string_view, and ::absl::string_view.

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

AbseilStringsMatchHeader

The location of Abseil's strings/match.h. Defaults to absl/strings/match.h.

abseil-time-comparison

Prefer comparisons in the absl::Time domain instead of the integer domain.

N.B.: In cases where an absl::Time is being converted to an integer, alignment may occur. If the comparison depends on this alignment, doing the comparison in the absl::Time domain may yield a different result. In practice this is very rare, and still indicates a bug which should be fixed.

Examples:

// Original - Comparison in the integer domain
int x;
absl::Time t;
if (x < absl::ToUnixSeconds(t)) ...

// Suggested - Compare in the absl::Time domain instead
if (absl::FromUnixSeconds(x) < t) ...

abseil-time-subtraction

Finds and fixes absl::Time subtraction expressions to do subtraction in the Time domain instead of the numeric domain.

There are two cases of Time subtraction in which deduce additional type information:

  • When the result is an absl::Duration and the first argument is an absl::Time.
  • When the second argument is a absl::Time.

In the first case, we must know the result of the operation, since without that the second operand could be either an absl::Time or an absl::Duration. In the second case, the first operand must be an absl::Time, because subtracting an absl::Time from an absl::Duration is not defined.

Examples:

int x;
absl::Time t;

// Original - absl::Duration result and first operand is an absl::Time.
absl::Duration d = absl::Seconds(absl::ToUnixSeconds(t) - x);

// Suggestion - Perform subtraction in the Time domain instead.
absl::Duration d = t - absl::FromUnixSeconds(x);


// Original - Second operand is an absl::Time.
int i = x - absl::ToUnixSeconds(t);

// Suggestion - Perform subtraction in the Time domain instead.
int i = absl::ToInt64Seconds(absl::FromUnixSeconds(x) - t);

abseil-upgrade-duration-conversions

Finds calls to absl::Duration arithmetic operators and factories whose argument needs an explicit cast to continue compiling after upcoming API changes.

The operators *=, /=, *, and / for absl::Duration currently accept an argument of class type that is convertible to an arithmetic type. Such a call currently converts the value to an int64_t, even in a case such as std::atomic<float> that would result in lossy conversion.

Additionally, the absl::Duration factory functions (absl::Hours, absl::Minutes, etc) currently accept an int64_t or a floating-point type. Similar to the arithmetic operators, calls with an argument of class type that is convertible to an arithmetic type go through the int64_t path.

These operators and factories will be changed to only accept arithmetic types to prevent unintended behavior. After these changes are released, passing an argument of class type will no longer compile, even if the type is implicitly convertible to an arithmetic type.

Here are example fixes created by this check:

std::atomic<int> a;
absl::Duration d = absl::Milliseconds(a);
d *= a;

becomes

std::atomic<int> a;
absl::Duration d = absl::Milliseconds(static_cast<int64_t>(a));
d *= static_cast<int64_t>(a);

Note that this check always adds a cast to int64_t in order to preserve the current behavior of user code. It is possible that this uncovers unintended behavior due to types implicitly convertible to a floating-point type.

altera-id-dependent-backward-branch

Finds ID-dependent variables and fields that are used within loops. This causes branches to occur inside the loops, and thus leads to performance degradation.

// The following code will produce a warning because this ID-dependent
// variable is used in a loop condition statement.
int ThreadID = get_local_id(0);

// The following loop will produce a warning because the loop condition
// statement depends on an ID-dependent variable.
for (int i = 0; i < ThreadID; ++i) {
  std::cout << i << std::endl;
}

// The following loop will not produce a warning, because the ID-dependent
// variable is not used in the loop condition statement.
for (int i = 0; i < 100; ++i) {
  std::cout << ThreadID << std::endl;
}

Based on the Altera SDK for OpenCL: Best Practices Guide.

altera-kernel-name-restriction

Finds kernel files and include directives whose filename is kernel.cl, Verilog.cl, or VHDL.cl. The check is case insensitive.

Such kernel file names cause the offline compiler to generate intermediate design files that have the same names as certain internal files, which leads to a compilation error.

Based on the Guidelines for Naming the Kernel section in the Intel FPGA SDK for OpenCL Pro Edition: Programming Guide.

altera-single-work-item-barrier

Finds OpenCL kernel functions that call a barrier function but do not call an ID function (get_local_id, get_local_id, get_group_id, or get_local_linear_id).

These kernels may be viable single work-item kernels, but will be forced to execute as NDRange kernels if using a newer version of the Altera Offline Compiler (>= v17.01).

If using an older version of the Altera Offline Compiler, these kernel functions will be treated as single work-item kernels, which could be inefficient or lead to errors if NDRange semantics were intended.

Based on the Altera SDK for OpenCL: Best Practices Guide.

Examples:

// error: function calls barrier but does not call an ID function.
void __kernel barrier_no_id(__global int * foo, int size) {
  for (int i = 0; i < 100; i++) {
    foo[i] += 5;
  }
  barrier(CLK_GLOBAL_MEM_FENCE);
}

// ok: function calls barrier and an ID function.
void __kernel barrier_with_id(__global int * foo, int size) {
  for (int i = 0; i < 100; i++) {
    int tid = get_global_id(0);
    foo[tid] += 5;
  }
  barrier(CLK_GLOBAL_MEM_FENCE);
}

// ok with AOC Version 17.01: the reqd_work_group_size turns this into
// an NDRange.
__attribute__((reqd_work_group_size(2,2,2)))
void __kernel barrier_with_id(__global int * foo, int size) {
  for (int i = 0; i < 100; i++) {
    foo[tid] += 5;
  }
  barrier(CLK_GLOBAL_MEM_FENCE);
}

Options

AOCVersion

Defines the version of the Altera Offline Compiler. Defaults to 1600 (corresponding to version 16.00).

altera-struct-pack-align

Finds structs that are inefficiently packed or aligned, and recommends packing and/or aligning of said structs as needed.

Structs that are not packed take up more space than they should, and accessing structs that are not well aligned is inefficient.

Fix-its are provided to fix both of these issues by inserting and/or amending relevant struct attributes.

Based on the Altera SDK for OpenCL: Best Practices Guide.

// The following struct is originally aligned to 4 bytes, and thus takes up
// 12 bytes of memory instead of 10. Packing the struct will make it use
// only 10 bytes of memory, and aligning it to 16 bytes will make it
// efficient to access.
struct example {
  char a;    // 1 byte
  double b;  // 8 bytes
  char c;    // 1 byte
};

// The following struct is arranged in such a way that packing is not needed.
// However, it is aligned to 4 bytes instead of 8, and thus needs to be
// explicitly aligned.
struct implicitly_packed_example {
  char a;  // 1 byte
  char b;  // 1 byte
  char c;  // 1 byte
  char d;  // 1 byte
  int e;   // 4 bytes
};

// The following struct is explicitly aligned and packed.
struct good_example {
  char a;    // 1 byte
  double b;  // 8 bytes
  char c;    // 1 byte
} __attribute__((packed)) __attribute__((aligned(16));

// Explicitly aligning a struct to the wrong value will result in a warning.
// The following example should be aligned to 16 bytes, not 32.
struct badly_aligned_example {
  char a;    // 1 byte
  double b;  // 8 bytes
  char c;    // 1 byte
} __attribute__((packed)) __attribute__((aligned(32)));

altera-unroll-loops

Finds inner loops that have not been unrolled, as well as fully unrolled loops with unknown loop bounds or a large number of iterations.

Unrolling inner loops could improve the performance of OpenCL kernels. However, if they have unknown loop bounds or a large number of iterations, they cannot be fully unrolled, and should be partially unrolled.

Notes:

  • This check is unable to determine the number of iterations in a while or do..while loop; hence if such a loop is fully unrolled, a note is emitted advising the user to partially unroll instead.
  • In for loops, our check only works with simple arithmetic increments ( +, -, *, /). For all other increments, partial unrolling is advised.
  • Depending on the exit condition, the calculations for determining if the number of iterations is large may be off by 1. This should not be an issue since the cut-off is generally arbitrary.

Based on the Altera SDK for OpenCL: Best Practices Guide.

for (int i = 0; i < 10; i++) {  // ok: outer loops should not be unrolled
   int j = 0;
   do {  // warning: this inner do..while loop should be unrolled
      j++;
   } while (j < 15);

   int k = 0;
   #pragma unroll
   while (k < 20) {  // ok: this inner loop is already unrolled
      k++;
   }
}

int A[1000];
#pragma unroll
// warning: this loop is large and should be partially unrolled
for (int a : A) {
   printf("%d", a);
}

#pragma unroll 5
// ok: this loop is large, but is partially unrolled
for (int a : A) {
   printf("%d", a);
}

#pragma unroll
// warning: this loop is large and should be partially unrolled
for (int i = 0; i < 1000; ++i) {
   printf("%d", i);
}

#pragma unroll 5
// ok: this loop is large, but is partially unrolled
for (int i = 0; i < 1000; ++i) {
   printf("%d", i);
}

#pragma unroll
// warning: << operator not supported, recommend partial unrolling
for (int i = 0; i < 1000; i<<1) {
   printf("%d", i);
}

std::vector<int> someVector (100, 0);
int i = 0;
#pragma unroll
// note: loop may be large, recommend partial unrolling
while (i < someVector.size()) {
   someVector[i]++;
}

#pragma unroll
// note: loop may be large, recommend partial unrolling
while (true) {
   printf("In loop");
}

#pragma unroll 5
// ok: loop may be large, but is partially unrolled
while (i < someVector.size()) {
   someVector[i]++;
}

Options

MaxLoopIterations

Defines the maximum number of loop iterations that a fully unrolled loop can have. By default, it is set to 100.

In practice, this refers to the integer value of the upper bound within the loop statement's condition expression.

android-cloexec-accept

The usage of accept() is not recommended, it's better to use accept4(). Without this flag, an opened sensitive file descriptor would remain open across a fork+exec to a lower-privileged SELinux domain.

Examples:

accept(sockfd, addr, addrlen);

// becomes

accept4(sockfd, addr, addrlen, SOCK_CLOEXEC);

android-cloexec-accept4

accept4() should include SOCK_CLOEXEC in its type argument to avoid the file descriptor leakage. Without this flag, an opened sensitive file would remain open across a fork+exec to a lower-privileged SELinux domain.

Examples:

accept4(sockfd, addr, addrlen, SOCK_NONBLOCK);

// becomes

accept4(sockfd, addr, addrlen, SOCK_NONBLOCK | SOCK_CLOEXEC);

android-cloexec-creat

The usage of creat() is not recommended, it's better to use open().

Examples:

int fd = creat(path, mode);

// becomes

int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, mode);

android-cloexec-dup

The usage of dup() is not recommended, it's better to use fcntl(), which can set the close-on-exec flag. Otherwise, an opened sensitive file would remain open across a fork+exec to a lower-privileged SELinux domain.

Examples:

int fd = dup(oldfd);

// becomes

int fd = fcntl(oldfd, F_DUPFD_CLOEXEC);

android-cloexec-epoll-create

The usage of epoll_create() is not recommended, it's better to use epoll_create1(), which allows close-on-exec.

Examples:

epoll_create(size);

// becomes

epoll_create1(EPOLL_CLOEXEC);

android-cloexec-epoll-create1

epoll_create1() should include EPOLL_CLOEXEC in its type argument to avoid the file descriptor leakage. Without this flag, an opened sensitive file would remain open across a fork+exec to a lower-privileged SELinux domain.

Examples:

epoll_create1(0);

// becomes

epoll_create1(EPOLL_CLOEXEC);

android-cloexec-fopen

fopen() should include e in their mode string; so re would be valid. This is equivalent to having set FD_CLOEXEC on that descriptor.

Examples:

fopen("fn", "r");

// becomes

fopen("fn", "re");

android-cloexec-inotify-init

The usage of inotify_init() is not recommended, it's better to use inotify_init1().

Examples:

inotify_init();

// becomes

inotify_init1(IN_CLOEXEC);

android-cloexec-inotify-init1

inotify_init1() should include IN_CLOEXEC in its type argument to avoid the file descriptor leakage. Without this flag, an opened sensitive file would remain open across a fork+exec to a lower-privileged SELinux domain.

Examples:

inotify_init1(IN_NONBLOCK);

// becomes

inotify_init1(IN_NONBLOCK | IN_CLOEXEC);

android-cloexec-memfd-create

memfd_create() should include MFD_CLOEXEC in its type argument to avoid the file descriptor leakage. Without this flag, an opened sensitive file would remain open across a fork+exec to a lower-privileged SELinux domain.

Examples:

memfd_create(name, MFD_ALLOW_SEALING);

// becomes

memfd_create(name, MFD_ALLOW_SEALING | MFD_CLOEXEC);

android-cloexec-open

A common source of security bugs is code that opens a file without using the O_CLOEXEC flag. Without that flag, an opened sensitive file would remain open across a fork+exec to a lower-privileged SELinux domain, leaking that sensitive data. Open-like functions including open(), openat(), and open64() should include O_CLOEXEC in their flags argument.

Examples:

open("filename", O_RDWR);
open64("filename", O_RDWR);
openat(0, "filename", O_RDWR);

// becomes

open("filename", O_RDWR | O_CLOEXEC);
open64("filename", O_RDWR | O_CLOEXEC);
openat(0, "filename", O_RDWR | O_CLOEXEC);

android-cloexec-pipe

This check detects usage of pipe(). Using pipe() is not recommended, pipe2() is the suggested replacement. The check also adds the O_CLOEXEC flag that marks the file descriptor to be closed in child processes. Without this flag a sensitive file descriptor can be leaked to a child process, potentially into a lower-privileged SELinux domain.

Examples:

pipe(pipefd);

Suggested replacement:

pipe2(pipefd, O_CLOEXEC);

android-cloexec-pipe2

This check ensures that pipe2() is called with the O_CLOEXEC flag. The check also adds the O_CLOEXEC flag that marks the file descriptor to be closed in child processes. Without this flag a sensitive file descriptor can be leaked to a child process, potentially into a lower-privileged SELinux domain.

Examples:

pipe2(pipefd, O_NONBLOCK);

Suggested replacement:

pipe2(pipefd, O_NONBLOCK | O_CLOEXEC);

android-cloexec-socket

socket() should include SOCK_CLOEXEC in its type argument to avoid the file descriptor leakage. Without this flag, an opened sensitive file would remain open across a fork+exec to a lower-privileged SELinux domain.

Examples:

socket(domain, type, SOCK_STREAM);

// becomes

socket(domain, type, SOCK_STREAM | SOCK_CLOEXEC);

android-comparison-in-temp-failure-retry

Diagnoses comparisons that appear to be incorrectly placed in the argument to the TEMP_FAILURE_RETRY macro. Having such a use is incorrect in the vast majority of cases, and will often silently defeat the purpose of the TEMP_FAILURE_RETRY macro.

For context, TEMP_FAILURE_RETRY is a convenience macro provided by both glibc and Bionic. Its purpose is to repeatedly run a syscall until it either succeeds, or fails for reasons other than being interrupted.

Example buggy usage looks like:

char cs[1];
while (TEMP_FAILURE_RETRY(read(STDIN_FILENO, cs, sizeof(cs)) != 0)) {
  // Do something with cs.
}

Because TEMP_FAILURE_RETRY will check for whether the result of the comparison is -1, and retry if so.

If you encounter this, the fix is simple: lift the comparison out of the TEMP_FAILURE_RETRY argument, like so:

char cs[1];
while (TEMP_FAILURE_RETRY(read(STDIN_FILENO, cs, sizeof(cs))) != 0) {
  // Do something with cs.
}

Options

RetryMacros

A comma-separated list of the names of retry macros to be checked.

boost-use-ranges

Detects calls to standard library iterator algorithms that could be replaced with a Boost ranges version instead.

Example

auto Iter1 = std::find(Items.begin(), Items.end(), 0);
auto AreSame = std::equal(Items1.cbegin(), Items1.cend(), std::begin(Items2),
                          std::end(Items2));

Transforms to:

auto Iter1 = boost::range::find(Items, 0);
auto AreSame = boost::range::equal(Items1, Items2);

Supported algorithms

Calls to the following std library algorithms are checked:

std::accumulate, std::adjacent_difference, std::adjacent_find, std::all_of, std::any_of, std::binary_search, std::copy_backward, std::copy_if, std::copy, std::count_if, std::count, std::equal_range, std::equal, std::fill, std::find_end, std::find_first_of, std::find_if_not, std::find_if, std::find, std::for_each, std::generate, std::includes, std::iota, std::is_partitioned, std::is_permutation, std::is_sorted_until, std::is_sorted, std::lexicographical_compare, std::lower_bound, std::make_heap, std::max_element, std::merge, std::min_element, std::mismatch, std::next_permutation, std::none_of, std::parital_sum, std::partial_sort_copy, std::partition_copy, std::partition_point, std::partition, std::pop_heap, std::prev_permutation, std::push_heap, std::random_shuffle, std::reduce, std::remove_copy_if, std::remove_copy, std::remove_if, std::remove, std::replace_copy_if, std::replace_copy, std::replace_if, std::replace, std::reverse_copy, std::reverse, std::search, std::set_difference, std::set_intersection, std::set_symmetric_difference, std::set_union, std::sort_heap, std::sort, std::stable_partition, std::stable_sort, std::transform, std::unique_copy, std::unique, std::upper_bound.

The check will also look for the following functions from the boost::algorithm namespace:

all_of_equal, any_of_equal, any_of, apply_permutation, apply_reverse_permutation, clamp_range, copy_if_until, copy_if_while, copy_if, copy_until, copy_while, find_backward, find_if_backward, find_if_not_backward, find_if_not, find_not_backward, hex_lower, hex, iota, all_of, is_decreasing, is_increasing, is_palindrome, is_partitioned_until, is_partitioned, is_permutation, is_sorted_until, is_sorted, is_strictly_decreasing, is_strictly_increasing, none_of_equal, none_of, one_of_equal, one_of, partition_copy, partition_point, reduce, unhex.

Reverse Iteration

If calls are made using reverse iterators on containers, The code will be fixed using the boost::adaptors::reverse adaptor.

auto AreSame = std::equal(Items1.rbegin(), Items1.rend(),
                          std::crbegin(Items2), std::crend(Items2));

Transforms to:

auto AreSame = boost::range::equal(boost::adaptors::reverse(Items1),
                                   boost::adaptors::reverse(Items2));

Options

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

IncludeBoostSystem

If true (default value) the boost headers are included as system headers with angle brackets (#include <boost.hpp>), otherwise quotes are used (#include "boost.hpp").

UseReversePipe

When true (default false), fixes which involve reverse ranges will use the pipe adaptor syntax instead of the function syntax.

std::find(Items.rbegin(), Items.rend(), 0);

Transforms to:

boost::range::find(Items | boost::adaptors::reversed, 0);

boost-use-to-string

This check finds conversion from integer type like int to std::string or std::wstring using boost::lexical_cast, and replace it with calls to std::to_string and std::to_wstring.

It doesn't replace conversion from floating points despite the to_string overloads, because it would change the behavior.

auto str = boost::lexical_cast<std::string>(42);
auto wstr = boost::lexical_cast<std::wstring>(2137LL);

// Will be changed to
auto str = std::to_string(42);
auto wstr = std::to_wstring(2137LL);

bugprone-argument-comment

Checks that argument comments match parameter names.

The check understands argument comments in the form /*parameter_name=*/ that are placed right before the argument.

void f(bool foo);

...

f(/*bar=*/true);
// warning: argument name 'bar' in comment does not match parameter name 'foo'

The check tries to detect typos and suggest automated fixes for them.

Options

StrictMode

When false (default value), the check will ignore leading and trailing underscores and case when comparing names -- otherwise they are taken into account.

IgnoreSingleArgument

When true, the check will ignore the single argument.

CommentBoolLiterals

When true, the check will add argument comments in the format /*ParameterName=*/ right before the boolean literal argument.

Before:

void foo(bool TurnKey, bool PressButton);

foo(true, false);

After:

void foo(bool TurnKey, bool PressButton);

foo(/*TurnKey=*/true, /*PressButton=*/false);
CommentIntegerLiterals

When true, the check will add argument comments in the format /*ParameterName=*/ right before the integer literal argument.

Before:

void foo(int MeaningOfLife);

foo(42);

After:

void foo(int MeaningOfLife);

foo(/*MeaningOfLife=*/42);
CommentFloatLiterals

When true, the check will add argument comments in the format /*ParameterName=*/ right before the float/double literal argument.

Before:

void foo(float Pi);

foo(3.14159);

After:

void foo(float Pi);

foo(/*Pi=*/3.14159);
CommentStringLiterals

When true, the check will add argument comments in the format /*ParameterName=*/ right before the string literal argument.

Before:

void foo(const char *String);
void foo(const wchar_t *WideString);

foo("Hello World");
foo(L"Hello World");

After:

void foo(const char *String);
void foo(const wchar_t *WideString);

foo(/*String=*/"Hello World");
foo(/*WideString=*/L"Hello World");
CommentCharacterLiterals

When true, the check will add argument comments in the format /*ParameterName=*/ right before the character literal argument.

Before:

void foo(char *Character);

foo('A');

After:

void foo(char *Character);

foo(/*Character=*/'A');
CommentUserDefinedLiterals

When true, the check will add argument comments in the format /*ParameterName=*/ right before the user defined literal argument.

Before:

void foo(double Distance);

double operator"" _km(long double);

foo(402.0_km);

After:

void foo(double Distance);

double operator"" _km(long double);

foo(/*Distance=*/402.0_km);
CommentNullPtrs

When true, the check will add argument comments in the format /*ParameterName=*/ right before the nullptr literal argument.

Before:

void foo(A* Value);

foo(nullptr);

After:

void foo(A* Value);

foo(/*Value=*/nullptr);

bugprone-assert-side-effect

Finds assert() with side effect.

The condition of assert() is evaluated only in debug builds so a condition with side effect can cause different behavior in debug / release builds.

Options

AssertMacros

A comma-separated list of the names of assert macros to be checked.

CheckFunctionCalls

Whether to treat non-const member and non-member functions as they produce side effects. Disabled by default because it can increase the number of false positive warnings.

IgnoredFunctions

A semicolon-separated list of the names of functions or methods to be considered as not having side-effects. Regular expressions are accepted, e.g. [Rr]ef(erence)?$ matches every type with suffix Ref, ref, Reference and reference. The default is empty. If a name in the list contains the sequence :: it is matched against the qualified typename (i.e. namespace::Type, otherwise it is matched against only the type name (i.e. Type).

bugprone-assignment-in-if-condition

Finds assignments within conditions of if statements. Such assignments are bug-prone because they may have been intended as equality tests.

This check finds all assignments within if conditions, including ones that are not flagged by -Wparentheses due to an extra set of parentheses, and including assignments that call an overloaded operator=(). The identified assignments violate BARR group "Rule 8.2.c".

int f = 3;
if(f = 4) { // This is identified by both `Wparentheses` and this check - should it have been: `if (f == 4)` ?
  f = f + 1;
}

if((f == 5) || (f = 6)) { // the assignment here `(f = 6)` is identified by this check, but not by `-Wparentheses`. Should it have been `(f == 6)` ?
  f = f + 2;
}

bugprone-bad-signal-to-kill-thread

Finds pthread_kill function calls when a thread is terminated by raising SIGTERM signal and the signal kills the entire process, not just the individual thread. Use any signal except SIGTERM.

pthread_kill(thread, SIGTERM);

This check corresponds to the CERT C Coding Standard rule POS44-C. Do not use signals to terminate threads.

cert-pos44-c redirects here as an alias of this check.

bugprone-bool-pointer-implicit-conversion

Checks for conditions based on implicit conversion from a bool pointer to bool.

Example:

bool *p;
if (p) {
  // Never used in a pointer-specific way.
}

bugprone-branch-clone

Checks for repeated branches in if/else if/else chains, consecutive repeated branches in switch statements and identical true and false branches in conditional operators.

if (test_value(x)) {
  y++;
  do_something(x, y);
} else {
  y++;
  do_something(x, y);
}

In this simple example (which could arise e.g. as a copy-paste error) the then and else branches are identical and the code is equivalent the following shorter and cleaner code:

test_value(x); // can be omitted unless it has side effects
y++;
do_something(x, y);

If this is the intended behavior, then there is no reason to use a conditional statement; otherwise the issue can be solved by fixing the branch that is handled incorrectly.

The check also detects repeated branches in longer if/else if/else chains where it would be even harder to notice the problem.

In switch statements the check only reports repeated branches when they are consecutive, because it is relatively common that the case: labels have some natural ordering and rearranging them would decrease the readability of the code. For example:

switch (ch) {
case 'a':
  return 10;
case 'A':
  return 10;
case 'b':
  return 11;
case 'B':
  return 11;
default:
  return 10;
}

Here the check reports that the 'a' and 'A' branches are identical (and that the 'b' and 'B' branches are also identical), but does not report that the default: branch is also identical to the first two branches. If this is indeed the correct behavior, then it could be implemented as:

switch (ch) {
case 'a':
case 'A':
  return 10;
case 'b':
case 'B':
  return 11;
default:
  return 10;
}

Here the check does not warn for the repeated return 10;, which is good if we want to preserve that 'a' is before 'b' and default: is the last branch.

Switch cases marked with the [[fallthrough]] attribute are ignored.

Finally, the check also examines conditional operators and reports code like:

return test_value(x) ? x : x;

Unlike if statements, the check does not detect chains of conditional operators.

Note: This check also reports situations where branches become identical only after preprocessing.

bugprone-casting-through-void

Detects unsafe or redundant two-step casting operations involving void*.

Two-step type conversions via void* are discouraged for several reasons.

  • They obscure code and impede its understandability, complicating maintenance.
  • These conversions bypass valuable compiler support, erasing warnings related to pointer alignment. It may violate strict aliasing rule and leading to undefined behavior.
  • In scenarios involving multiple inheritance, ambiguity and unexpected outcomes can arise due to the loss of type information, posing runtime issues.

In summary, avoiding two-step type conversions through void* ensures clearer code, maintains essential compiler warnings, and prevents ambiguity and potential runtime errors, particularly in complex inheritance scenarios.

Examples:

using IntegerPointer = int *;
double *ptr;

static_cast<IntegerPointer>(static_cast<void *>(ptr)); // WRONG
reinterpret_cast<IntegerPointer>(reinterpret_cast<void *>(ptr)); // WRONG
(IntegerPointer)(void *)ptr; // WRONG
IntegerPointer(static_cast<void *>(ptr)); // WRONG

bugprone-chained-comparison

Check detects chained comparison operators that can lead to unintended behavior or logical errors.

Chained comparisons are expressions that use multiple comparison operators to compare three or more values. For example, the expression a < b < c compares the values of a, b, and c. However, this expression does not evaluate as (a < b) && (b < c), which is probably what the developer intended. Instead, it evaluates as (a < b) < c, which may produce unintended results, especially when the types of a, b, and c are different.

To avoid such errors, the check will issue a warning when a chained comparison operator is detected, suggesting to use parentheses to specify the order of evaluation or to use a logical operator to separate comparison expressions.

Consider the following examples:

int a = 2, b = 6, c = 4;
if (a < b < c) {
    // This block will be executed
}

In this example, the developer intended to check if a is less than b and b is less than c. However, the expression a < b < c is equivalent to (a < b) < c. Since a < b is true, the expression (a < b) < c is evaluated as 1 < c, which is equivalent to true < c and is invalid in this case as b < c is false.

Even that above issue could be detected as comparison of int to bool, there is more dangerous example:

bool a = false, b = false, c = true;
if (a == b == c) {
    // This block will be executed
}

In this example, the developer intended to check if a, b, and c are all equal. However, the expression a == b == c is evaluated as (a == b) == c. Since a == b is true, the expression (a == b) == c is evaluated as true == c, which is equivalent to true == true. This comparison yields true, even though a and b are false, and are not equal to c.

To avoid this issue, the developer can use a logical operator to separate the comparison expressions, like this:

if (a == b && b == c) {
    // This block will not be executed
}

Alternatively, use of parentheses in the comparison expressions can make the developer's intention more explicit and help avoid misunderstanding.

if ((a == b) == c) {
    // This block will be executed
}

bugprone-compare-pointer-to-member-virtual-function

Detects unspecified behavior about equality comparison between pointer to member virtual function and anything other than null-pointer-constant.

struct A {
  void f1();
  void f2();
  virtual void f3();
  virtual void f4();

  void g1(int);
};

void fn() {
  bool r1 = (&A::f1 == &A::f2);  // ok
  bool r2 = (&A::f1 == &A::f3);  // bugprone
  bool r3 = (&A::f1 != &A::f3);  // bugprone
  bool r4 = (&A::f3 == nullptr); // ok
  bool r5 = (&A::f3 == &A::f4);  // bugprone

  void (A::*v1)() = &A::f3;
  bool r6 = (v1 == &A::f1); // bugprone
  bool r6 = (v1 == nullptr); // ok

  void (A::*v2)() = &A::f2;
  bool r7 = (v2 == &A::f1); // false positive, but potential risk if assigning other value to v2.

  void (A::*v3)(int) = &A::g1;
  bool r8 = (v3 == &A::g1); // ok, no virtual function match void(A::*)(int) signature.
}

Provide warnings on equality comparisons involve pointers to member virtual function or variables which is potential pointer to member virtual function and any entity other than a null-pointer constant.

In certain compilers, virtual function addresses are not conventional pointers but instead consist of offsets and indexes within a virtual function table (vtable). Consequently, these pointers may vary between base and derived classes, leading to unpredictable behavior when compared directly. This issue becomes particularly challenging when dealing with pointers to pure virtual functions, as they may not even have a valid address, further complicating comparisons.

Instead, it is recommended to utilize the typeid operator or other appropriate mechanisms for comparing objects to ensure robust and predictable behavior in your codebase. By heeding this detection and adopting a more reliable comparison method, you can mitigate potential issues related to unspecified behavior, especially when dealing with pointers to member virtual functions or pure virtual functions, thereby improving the overall stability and maintainability of your code. In scenarios involving pointers to member virtual functions, it's only advisable to employ nullptr for comparisons.

Limitations

Does not analyze values stored in a variable. For variable, only analyze all virtual methods in the same class or struct and diagnose when assigning a pointer to member virtual function to this variable is possible.

bugprone-copy-constructor-init

Finds copy constructors where the constructor doesn't call the copy constructor of the base class.

class Copyable {
public:
  Copyable() = default;
  Copyable(const Copyable &) = default;

  int memberToBeCopied = 0;
};

class X2 : public Copyable {
  X2(const X2 &other) {} // Copyable(other) is missing
};

Also finds copy constructors where the constructor of the base class don't have parameter.

class X3 : public Copyable {
  X3(const X3 &other) : Copyable() {} // other is missing
};

Failure to properly initialize base class sub-objects during copy construction can result in undefined behavior, crashes, data corruption, or other unexpected outcomes. The check ensures that the copy constructor of a derived class properly calls the copy constructor of the base class, helping to prevent bugs and improve code quality.

Limitations:

  • It won't generate warnings for empty classes, as there are no class members (including base class sub-objects) to worry about.
  • It won't generate warnings for base classes that have copy constructor private or deleted.
  • It won't generate warnings for base classes that are initialized using other non-default constructor, as this could be intentional.

The check also suggests a fix-its in some cases.

bugprone-crtp-constructor-accessibility

Detects error-prone Curiously Recurring Template Pattern usage, when the CRTP can be constructed outside itself and the derived class.

The CRTP is an idiom, in which a class derives from a template class, where itself is the template argument. It should be ensured that if a class is intended to be a base class in this idiom, it can only be instantiated if the derived class is it's template argument.

Example:

template <typename T> class CRTP {
private:
  CRTP() = default;
  friend T;
};

class Derived : CRTP<Derived> {};

Below can be seen some common mistakes that will allow the breaking of the idiom.

If the constructor of a class intended to be used in a CRTP is public, then it allows users to construct that class on its own.

Example:

template <typename T> class CRTP {
public:
  CRTP() = default;
};

class Good : CRTP<Good> {};
Good GoodInstance;

CRTP<int> BadInstance;

If the constructor is protected, the possibility of an accidental instantiation is prevented, however it can fade an error, when a different class is used as the template parameter instead of the derived one.

Example:

template <typename T> class CRTP {
protected:
  CRTP() = default;
};

class Good : CRTP<Good> {};
Good GoodInstance;

class Bad : CRTP<Good> {};
Bad BadInstance;

To ensure that no accidental instantiation happens, the best practice is to make the constructor private and declare the derived class as friend. Note that as a tradeoff, this also gives the derived class access to every other private members of the CRTP.

Example:

template <typename T> class CRTP {
  CRTP() = default;
  friend T;
};

class Good : CRTP<Good> {};
Good GoodInstance;

class Bad : CRTP<Good> {};
Bad CompileTimeError;

CRTP<int> AlsoCompileTimeError;

Limitations:

  • The check is not supported below C++11
  • The check does not handle when the derived class is passed as a variadic template argument
  • Accessible functions that can construct the CRTP, like factory functions are not checked

The check also suggests a fix-its in some cases.

bugprone-dangling-handle

Detect dangling references in value handles like std::string_view. These dangling references can be a result of constructing handles from temporary values, where the temporary is destroyed soon after the handle is created.

Examples:

string_view View = string();  // View will dangle.
string A;
View = A + "A";  // still dangle.

vector<string_view> V;
V.push_back(string());  // V[0] is dangling.
V.resize(3, string());  // V[1] and V[2] will also dangle.

string_view f() {
  // All these return values will dangle.
  return string();
  string S;
  return S;
  char Array[10]{};
  return Array;
}

Options

HandleClasses

A semicolon-separated list of class names that should be treated as handles. By default only std::basic_string_view and std::experimental::basic_string_view are considered.

bugprone-dynamic-static-initializers

Finds instances of static variables that are dynamically initialized in header files.

This can pose problems in certain multithreaded contexts. For example, when disabling compiler generated synchronization instructions for static variables initialized at runtime (e.g. by -fno-threadsafe-statics), even if a particular project takes the necessary precautions to prevent race conditions during initialization by providing their own synchronization, header files included from other projects may not. Therefore, such a check is helpful for ensuring that disabling compiler generated synchronization for static variable initialization will not cause problems.

Consider the following code:

int foo() {
  static int k = bar();
  return k;
}

When synchronization of static initialization is disabled, if two threads both call foo for the first time, there is the possibility that k will be double initialized, creating a race condition.

bugprone-easily-swappable-parameters

Finds function definitions where parameters of convertible types follow each other directly, making call sites prone to calling the function with swapped (or badly ordered) arguments.

void drawPoint(int X, int Y) { /* ... */ }
FILE *open(const char *Dir, const char *Name, Flags Mode) { /* ... */ }

A potential call like drawPoint(-2, 5) or openPath("a.txt", "tmp", Read) is perfectly legal from the language's perspective, but might not be what the developer of the function intended.

More elaborate and type-safe constructs, such as opaque typedefs or strong types should be used instead, to prevent a mistaken order of arguments.

struct Coord2D { int X; int Y; };
void drawPoint(const Coord2D Pos) { /* ... */ }

FILE *open(const Path &Dir, const Filename &Name, Flags Mode) { /* ... */ }

Due to the potentially elaborate refactoring and API-breaking that is necessary to strengthen the type safety of a project, no automatic fix-its are offered.

Options

Extension/relaxation options

Relaxation (or extension) options can be used to broaden the scope of the analysis and fine-tune the enabling of more mixes between types. Some mixes may depend on coding style or preference specific to a project, however, it should be noted that enabling all of these relaxations model the way of mixing at call sites the most. These options are expected to make the check report for more functions, and report longer mixable ranges.

QualifiersMix

Whether to consider parameters of some cvr-qualified T and a differently cvr-qualified T (i.e. T and const T, const T and volatile T, etc.) mixable between one another. If false, the check will consider differently qualified types unmixable. True turns the warnings on. Defaults to false.

The following example produces a diagnostic only if QualifiersMix is enabled:

void *memcpy(const void *Destination, void *Source, std::size_t N) { /* ... */ }
ModelImplicitConversions

Whether to consider parameters of type T and U mixable if there exists an implicit conversion from T to U and U to T. If false, the check will not consider implicitly convertible types for mixability. True turns warnings for implicit conversions on. Defaults to true.

The following examples produce a diagnostic only if ModelImplicitConversions is enabled:

void fun(int Int, double Double) { /* ... */ }
void compare(const char *CharBuf, std::string String) { /* ... */ }
NOTE:

Changing the qualifiers of an expression's type (e.g. from int to const int) is defined as an implicit conversion in the C++ Standard. However, the check separates this decision-making on the mixability of differently qualified types based on whether QualifiersMix was enabled.

For example, the following code snippet will only produce a diagnostic if both QualifiersMix and ModelImplicitConversions are enabled:

void fun2(int Int, const double Double) { /* ... */ }

Filtering options

Filtering options can be used to lessen the size of the diagnostics emitted by the checker, whether the aim is to ignore certain constructs or dampen the noisiness.

MinimumLength

The minimum length required from an adjacent parameter sequence to be diagnosed. Defaults to 2. Might be any positive integer greater or equal to 2. If 0 or 1 is given, the default value 2 will be used instead.

For example, if 3 is specified, the examples above will not be matched.

IgnoredParameterNames

The list of parameter names that should never be considered part of a swappable adjacent parameter sequence. The value is a ;-separated list of names. To ignore unnamed parameters, add "" to the list verbatim (not the empty string, but the two quotes, potentially escaped!). This option is case-sensitive!

By default, the following parameter names, and their Uppercase-initial variants are ignored: "" (unnamed parameters), iterator, begin, end, first, last, lhs, rhs.

IgnoredParameterTypeSuffixes

The list of parameter type name suffixes that should never be considered part of a swappable adjacent parameter sequence. Parameters which type, as written in the source code, end with an element of this option will be ignored. The value is a ;-separated list of names. This option is case-sensitive!

By default, the following, and their lowercase-initial variants are ignored: bool, It, Iterator, InputIt, ForwardIt, BidirIt, RandomIt, random_iterator, ReverseIt, reverse_iterator, reverse_const_iterator, RandomIt, random_iterator, ReverseIt, reverse_iterator, reverse_const_iterator, Const_Iterator, ConstIterator, const_reverse_iterator, ConstReverseIterator. In addition, _Bool (but not _bool) is also part of the default value.

SuppressParametersUsedTogether

Suppresses diagnostics about parameters that are used together or in a similar fashion inside the function's body. Defaults to true. Specifying false will turn off the heuristics.

Currently, the following heuristics are implemented which will suppress the warning about the parameter pair involved:

  • The parameters are used in the same expression, e.g. f(a, b) or a < b.
  • The parameters are further passed to the same function to the same parameter of that function, of the same overload. E.g. f(a, 1) and f(b, 2) to some f(T, int).

    NOTE:

    The check does not perform path-sensitive analysis, and as such, "same function" in this context means the same function declaration. If the same member function of a type on two distinct instances are called with the parameters, it will still be regarded as "same function".

  • The same member field is accessed, or member method is called of the two parameters, e.g. a.foo() and b.foo().
  • Separate return statements return either of the parameters on different code paths.
NamePrefixSuffixSilenceDissimilarityTreshold

The number of characters two parameter names might be different on either the head or the tail end with the rest of the name the same so that the warning about the two parameters are silenced. Defaults to 1. Might be any positive integer. If 0, the filtering heuristic based on the parameters' names is turned off.

This option can be used to silence warnings about parameters where the naming scheme indicates that the order of those parameters do not matter.

For example, the parameters LHS and RHS are 1-dissimilar suffixes of each other: L and R is the different character, while HS is the common suffix. Similarly, parameters text1, text2, text3 are 1-dissimilar prefixes of each other, with the numbers at the end being the dissimilar part. If the value is at least 1, such cases will not be reported.

Limitations

This check is designed to check function signatures!

The check does not investigate functions that are generated by the compiler in a context that is only determined from a call site. These cases include variadic functions, functions in C code that do not have an argument list, and C++ template instantiations. Most of these cases, which are otherwise swappable from a caller's standpoint, have no way of getting "fixed" at the definition point. In the case of C++ templates, only primary template definitions and explicit specializations are matched and analyzed.

None of the following cases produce a diagnostic:

int printf(const char *Format, ...) { /* ... */ }
int someOldCFunction() { /* ... */ }

template <typename T, typename U>
int add(T X, U Y) { return X + Y };

void theseAreNotWarnedAbout() {
    printf("%d %d\n", 1, 2);   // Two ints passed, they could be swapped.
    someOldCFunction(1, 2, 3); // Similarly, multiple ints passed.

    add(1, 2); // Instantiates 'add<int, int>', but that's not a user-defined function.
}

Due to the limitation above, parameters which type are further dependent upon template instantiations to prove that they mix with another parameter's is not diagnosed.

template <typename T>
struct Vector {
  typedef T element_type;
};

// Diagnosed: Explicit instantiation was done by the user, we can prove it
// is the same type.
void instantiated(int A, Vector<int>::element_type B) { /* ... */ }

// Diagnosed: The two parameter types are exactly the same.
template <typename T>
void exact(typename Vector<T>::element_type A,
           typename Vector<T>::element_type B) { /* ... */ }

// Skipped: The two parameters are both 'T' but we cannot prove this
// without actually instantiating.
template <typename T>
void falseNegative(T A, typename Vector<T>::element_type B) { /* ... */ }

In the context of implicit conversions (when ModelImplicitConversions is enabled), the modelling performed by the check warns if the parameters are swappable and the swapped order matches implicit conversions. It does not model whether there exists an unrelated third type from which both parameters can be given in a function call. This means that in the following example, even while strs() clearly carries the possibility to be called with swapped arguments (as long as the arguments are string literals), will not be warned about.

struct String {
    String(const char *Buf);
};

struct StringView {
    StringView(const char *Buf);
    operator const char *() const;
};

// Skipped: Directly swapping expressions of the two type cannot mix.
// (Note: StringView -> const char * -> String would be **two**
// user-defined conversions, which is disallowed by the language.)
void strs(String Str, StringView SV) { /* ... */ }

// Diagnosed: StringView implicitly converts to and from a buffer.
void cStr(StringView SV, const char *Buf() { /* ... */ }

bugprone-empty-catch

Detects and suggests addressing issues with empty catch statements.

try {
  // Some code that can throw an exception
} catch(const std::exception&) {
}

Having empty catch statements in a codebase can be a serious problem that developers should be aware of. Catch statements are used to handle exceptions that are thrown during program execution. When an exception is thrown, the program jumps to the nearest catch statement that matches the type of the exception.

Empty catch statements, also known as "swallowing" exceptions, catch the exception but do nothing with it. This means that the exception is not handled properly, and the program continues to run as if nothing happened. This can lead to several issues, such as:

  • Hidden Bugs: If an exception is caught and ignored, it can lead to hidden bugs that are difficult to diagnose and fix. The root cause of the problem may not be apparent, and the program may continue to behave in unexpected ways.
  • Security Issues: Ignoring exceptions can lead to security issues, such as buffer overflows or null pointer dereferences. Hackers can exploit these vulnerabilities to gain access to sensitive data or execute malicious code.
  • Poor Code Quality: Empty catch statements can indicate poor code quality and a lack of attention to detail. This can make the codebase difficult to maintain and update, leading to longer development cycles and increased costs.
  • Unreliable Code: Code that ignores exceptions is often unreliable and can lead to unpredictable behavior. This can cause frustration for users and erode trust in the software.

To avoid these issues, developers should always handle exceptions properly. This means either fixing the underlying issue that caused the exception or propagating the exception up the call stack to a higher-level handler. If an exception is not important, it should still be logged or reported in some way so that it can be tracked and addressed later.

If the exception is something that can be handled locally, then it should be handled within the catch block. This could involve logging the exception or taking other appropriate action to ensure that the exception is not ignored.

Here is an example:

try {
  // Some code that can throw an exception
} catch (const std::exception& ex) {
  // Properly handle the exception, e.g.:
  std::cerr << "Exception caught: " << ex.what() << std::endl;
}

If the exception cannot be handled locally and needs to be propagated up the call stack, it should be re-thrown or new exception should be thrown.

Here is an example:

try {
  // Some code that can throw an exception
} catch (const std::exception& ex) {
  // Re-throw the exception
  throw;
}

In some cases, catching the exception at this level may not be necessary, and it may be appropriate to let the exception propagate up the call stack. This can be done simply by not using try/catch block.

Here is an example:

void function() {
  // Some code that can throw an exception
}

void callerFunction() {
  try {
    function();
  } catch (const std::exception& ex) {
    // Handling exception on higher level
    std::cerr << "Exception caught: " << ex.what() << std::endl;
  }
}

Other potential solution to avoid empty catch statements is to modify the code to avoid throwing the exception in the first place. This can be achieved by using a different API, checking for error conditions beforehand, or handling errors in a different way that does not involve exceptions. By eliminating the need for try-catch blocks, the code becomes simpler and less error-prone.

Here is an example:

// Old code:
try {
  mapContainer["Key"].callFunction();
} catch(const std::out_of_range&) {
}

// New code
if (auto it = mapContainer.find("Key"); it != mapContainer.end()) {
  it->second.callFunction();
}

In conclusion, empty catch statements are a bad practice that can lead to hidden bugs, security issues, poor code quality, and unreliable code. By handling exceptions properly, developers can ensure that their code is robust, secure, and maintainable.

Options

IgnoreCatchWithKeywords

This option can be used to ignore specific catch statements containing certain keywords. If a catch statement body contains (case-insensitive) any of the keywords listed in this semicolon-separated option, then the catch will be ignored, and no warning will be raised. Default value: @TODO;@FIXME.

AllowEmptyCatchForExceptions

This option can be used to ignore empty catch statements for specific exception types. By default, the check will raise a warning if an empty catch statement is detected, regardless of the type of exception being caught. However, in certain situations, such as when a developer wants to intentionally ignore certain exceptions or handle them in a different way, it may be desirable to allow empty catch statements for specific exception types. To configure this option, a semicolon-separated list of exception type names should be provided. If an exception type name in the list is caught in an empty catch statement, no warning will be raised. Default value: empty string.

bugprone-exception-escape

Finds functions which may throw an exception directly or indirectly, but they should not. The functions which should not throw exceptions are the following:

  • Destructors
  • Move constructors
  • Move assignment operators
  • The main() functions
  • swap() functions
  • iter_swap() functions
  • iter_move() functions
  • Functions marked with throw() or noexcept
  • Other functions given as option

A destructor throwing an exception may result in undefined behavior, resource leaks or unexpected termination of the program. Throwing move constructor or move assignment also may result in undefined behavior or resource leak. The swap() operations expected to be non throwing most of the cases and they are always possible to implement in a non throwing way. Non throwing swap() operations are also used to create move operations. A throwing main() function also results in unexpected termination.

Functions declared explicitly with noexcept(false) or throw(exception) will be excluded from the analysis, as even though it is not recommended for functions like swap(), main(), move constructors, move assignment operators and destructors, it is a clear indication of the developer's intention and should be respected.

WARNING! This check may be expensive on large source files.

Options

FunctionsThatShouldNotThrow

Comma separated list containing function names which should not throw. An example value for this parameter can be WinMain which adds function WinMain() in the Windows API to the list of the functions which should not throw. Default value is an empty string.

IgnoredExceptions

Comma separated list containing type names which are not counted as thrown exceptions in the check. Default value is an empty string.

bugprone-fold-init-type

The check flags type mismatches in folds like std::accumulate that might result in loss of precision. std::accumulate folds an input range into an initial value using the type of the latter, with operator+ by default. This can cause loss of precision through:

  • Truncation: The following code uses a floating point range and an int initial value, so truncation will happen at every application of operator+ and the result will be 0, which might not be what the user expected.

    auto a = {0.5f, 0.5f, 0.5f, 0.5f};
    return std::accumulate(std::begin(a), std::end(a), 0);
  • Overflow: The following code also returns 0.

    auto a = {65536LL * 65536 * 65536};
    return std::accumulate(std::begin(a), std::end(a), 0);

bugprone-forward-declaration-namespace

Checks if an unused forward declaration is in a wrong namespace.

The check inspects all unused forward declarations and checks if there is any declaration/definition with the same name existing, which could indicate that the forward declaration is in a potentially wrong namespace.

namespace na { struct A; }
namespace nb { struct A {}; }
nb::A a;
// warning : no definition found for 'A', but a definition with the same name
// 'A' found in another namespace 'nb::'

This check can only generate warnings, but it can't suggest a fix at this point.

bugprone-forwarding-reference-overload

The check looks for perfect forwarding constructors that can hide copy or move constructors. If a non const lvalue reference is passed to the constructor, the forwarding reference parameter will be a better match than the const reference parameter of the copy constructor, so the perfect forwarding constructor will be called, which can be confusing. For detailed description of this issue see: Scott Meyers, Effective Modern C++, Item 26.

Consider the following example:

class Person {
public:
  // C1: perfect forwarding ctor
  template<typename T>
  explicit Person(T&& n) {}

  // C2: perfect forwarding ctor with parameter default value
  template<typename T>
  explicit Person(T&& n, int x = 1) {}

  // C3: perfect forwarding ctor guarded with enable_if
  template<typename T, typename X = enable_if_t<is_special<T>, void>>
  explicit Person(T&& n) {}

  // C4: variadic perfect forwarding ctor guarded with enable_if
  template<typename... A,
    enable_if_t<is_constructible_v<tuple<string, int>, A&&...>, int> = 0>
  explicit Person(A&&... a) {}

  // C5: perfect forwarding ctor guarded with requires expression
  template<typename T>
  requires requires { is_special<T>; }
  explicit Person(T&& n) {}

  // C6: perfect forwarding ctor guarded with concept requirement
  template<Special T>
  explicit Person(T&& n) {}

  // (possibly compiler generated) copy ctor
  Person(const Person& rhs);
};

The check warns for constructors C1 and C2, because those can hide copy and move constructors. We suppress warnings if the copy and the move constructors are both disabled (deleted or private), because there is nothing the perfect forwarding constructor could hide in this case. We also suppress warnings for constructors like C3-C6 that are guarded with an enable_if or a concept, assuming the programmer was aware of the possible hiding.

Background

For deciding whether a constructor is guarded with enable_if, we consider the types of the constructor parameters, the default values of template type parameters and the types of non-type template parameters with a default literal value. If any part of these types is std::enable_if or std::enable_if_t, we assume the constructor is guarded.

bugprone-implicit-widening-of-multiplication-result

The check diagnoses instances where a result of a multiplication is implicitly widened, and suggests (with fix-it) to either silence the code by making widening explicit, or to perform the multiplication in a wider type, to avoid the widening afterwards.

This is mainly useful when operating on very large buffers. For example, consider:

void zeroinit(char* base, unsigned width, unsigned height) {
  for(unsigned row = 0; row != height; ++row) {
    for(unsigned col = 0; col != width; ++col) {
      char* ptr = base + row * width + col;
      *ptr = 0;
    }
  }
}

This is fine in general, but if width * height overflows, you end up wrapping back to the beginning of base instead of processing the entire requested buffer.

Indeed, this only matters for pretty large buffers (4GB+), but that can happen very easily for example in image processing, where for that to happen you "only" need a ~269MPix image.

Options

UseCXXStaticCastsInCppSources

When suggesting fix-its for C++ code, should C++-style static_cast<>()'s be suggested, or C-style casts. Defaults to true.

UseCXXHeadersInCppSources

When suggesting to include the appropriate header in C++ code, should <cstddef> header be suggested, or <stddef.h>. Defaults to true.

IgnoreConstantIntExpr

If the multiplication operands are compile-time constants (like literals or are constexpr) and fit within the source expression type, do not emit a diagnostic or suggested fix. Ā Only considers expressions where the source expression is a signed integer type. Ā Defaults to false.

Examples:

long mul(int a, int b) {
  return a * b; // warning: performing an implicit widening conversion to type 'long' of a multiplication performed in type 'int'
}

char* ptr_add(char *base, int a, int b) {
  return base + a * b; // warning: result of multiplication in type 'int' is used as a pointer offset after an implicit widening conversion to type 'ssize_t'
}

char ptr_subscript(char *base, int a, int b) {
  return base[a * b]; // warning: result of multiplication in type 'int' is used as a pointer offset after an implicit widening conversion to type 'ssize_t'
}

bugprone-inaccurate-erase

Checks for inaccurate use of the erase() method.

Algorithms like remove() do not actually remove any element from the container but return an iterator to the first redundant element at the end of the container. These redundant elements must be removed using the erase() method. This check warns when not all of the elements will be removed due to using an inappropriate overload.

For example, the following code erases only one element:

std::vector<int> xs;
...
xs.erase(std::remove(xs.begin(), xs.end(), 10));

Call the two-argument overload of erase() to remove the subrange:

std::vector<int> xs;
...
xs.erase(std::remove(xs.begin(), xs.end(), 10), xs.end());

bugprone-inc-dec-in-conditions

Detects when a variable is both incremented/decremented and referenced inside a complex condition and suggests moving them outside to avoid ambiguity in the variable's value.

When a variable is modified and also used in a complex condition, it can lead to unexpected behavior. The side-effect of changing the variable's value within the condition can make the code difficult to reason about. Additionally, the developer's intended timing for the modification of the variable may not be clear, leading to misunderstandings and errors. This can be particularly problematic when the condition involves logical operators like && and ||, where the order of evaluation can further complicate the situation.

Consider the following example:

int i = 0;
// ...
if (i++ < 5 && i > 0) {
  // do something
}

In this example, the result of the expression may not be what the developer intended. The original intention of the developer could be to increment i after the entire condition is evaluated, but in reality, i will be incremented before i > 0 is executed. This can lead to unexpected behavior and bugs in the code. To fix this issue, the developer should separate the increment operation from the condition and perform it separately. For example, they can increment i in a separate statement before or after the condition is evaluated. This ensures that the value of i is predictable and consistent throughout the code.

int i = 0;
// ...
i++;
if (i <= 5 && i > 0) {
  // do something
}

Another common issue occurs when multiple increments or decrements are performed on the same variable inside a complex condition. For example:

int i = 4;
// ...
if (i++ < 5 || --i > 2) {
  // do something
}

There is a potential issue with this code due to the order of evaluation in C++. The || operator used in the condition statement guarantees that if the first operand evaluates to true, the second operand will not be evaluated. This means that if i were initially 4, the first operand i < 5 would evaluate to true and the second operand i > 2 would not be evaluated. As a result, the decrement operation --i would not be executed and i would hold value 5, which may not be the intended behavior for the developer.

To avoid this potential issue, the both increment and decrement operation on i should be moved outside the condition statement.

bugprone-incorrect-enable-if

Detects incorrect usages of std::enable_if that don't name the nested type type.

In C++11 introduced std::enable_if as a convenient way to leverage SFINAE. One form of using std::enable_if is to declare an unnamed template type parameter with a default type equal to typename std::enable_if<condition>::type. If the author forgets to name the nested type type, then the code will always consider the candidate template even if the condition is not met.

Below are some examples of code using std::enable_if correctly and incorrect examples that this check flags.

template <typename T, typename = typename std::enable_if<T::some_trait>::type>
void valid_usage() { ... }

template <typename T, typename = std::enable_if_t<T::some_trait>>
void valid_usage_with_trait_helpers() { ... }

// The below code is not a correct application of SFINAE. Even if
// T::some_trait is not true, the function will still be considered in the
// set of function candidates. It can either incorrectly select the function
// when it should not be a candidates, and/or lead to hard compile errors
// if the body of the template does not compile if the condition is not
// satisfied.
template <typename T, typename = std::enable_if<T::some_trait>>
void invalid_usage() { ... }

// The tool suggests the following replacement for 'invalid_usage':
template <typename T, typename = typename std::enable_if<T::some_trait>::type>
void fixed_invalid_usage() { ... }

C++14 introduced the trait helper std::enable_if_t which reduces the likelihood of this error. C++20 introduces constraints, which generally supersede the use of std::enable_if. See modernize-type-traits for another tool that will replace std::enable_if with std::enable_if_t, and see modernize-use-constraints for another tool that replaces std::enable_if with C++20 constraints. Consider these newer mechanisms where possible.

bugprone-incorrect-roundings

Checks the usage of patterns known to produce incorrect rounding. Programmers often use:

(int)(double_expression + 0.5)

to round the double expression to an integer. The problem with this:

  1. It is unnecessarily slow.
  2. It is incorrect. The number 0.499999975 (smallest representable float number below 0.5) rounds to 1.0. Even worse behavior for negative numbers where both -0.5f and -1.4f both round to 0.0.

bugprone-infinite-loop

Finds obvious infinite loops (loops where the condition variable is not changed at all).

Finding infinite loops is well-known to be impossible (halting problem). However, it is possible to detect some obvious infinite loops, for example, if the loop condition is not changed. This check detects such loops. A loop is considered infinite if it does not have any loop exit statement (break, continue, goto, return, throw or a call to a function called as [[noreturn]]) and all of the following conditions hold for every variable in the condition:

  • It is a local variable.
  • It has no reference or pointer aliases.
  • It is not a structure or class member.

Furthermore, the condition must not contain a function call to consider the loop infinite since functions may return different values for different calls.

For example, the following loop is considered infinite i is not changed in the body:

int i = 0, j = 0;
while (i < 10) {
  ++j;
}

bugprone-integer-division

Finds cases where integer division in a floating point context is likely to cause unintended loss of precision.

No reports are made if divisions are part of the following expressions:

  • operands of operators expecting integral or bool types,
  • call expressions of integral or bool types, and
  • explicit cast expressions to integral or bool types,

as these are interpreted as signs of deliberateness from the programmer.

Examples:

float floatFunc(float);
int intFunc(int);
double d;
int i = 42;

// Warn, floating-point values expected.
d = 32 * 8 / (2 + i);
d = 8 * floatFunc(1 + 7 / 2);
d = i / (1 << 4);

// OK, no integer division.
d = 32 * 8.0 / (2 + i);
d = 8 * floatFunc(1 + 7.0 / 2);
d = (double)i / (1 << 4);

// OK, there are signs of deliberateness.
d = 1 << (i / 2);
d = 9 + intFunc(6 * i / 32);
d = (int)(i / 32) - 8;

bugprone-lambda-function-name

Checks for attempts to get the name of a function from within a lambda expression. The name of a lambda is always something like operator(), which is almost never what was intended.

Example:

void FancyFunction() {
  [] { printf("Called from %s\n", __func__); }();
  [] { printf("Now called from %s\n", __FUNCTION__); }();
}

Output:

Called from operator()
Now called from operator()

Likely intended output:

Called from FancyFunction
Now called from FancyFunction

Options

IgnoreMacros

The value true specifies that attempting to get the name of a function from within a macro should not be diagnosed. The default value is false.

bugprone-macro-parentheses

Finds macros that can have unexpected behavior due to missing parentheses.

Macros are expanded by the preprocessor as-is. As a result, there can be unexpected behavior; operators may be evaluated in unexpected order and unary operators may become binary operators, etc.

When the replacement list has an expression, it is recommended to surround it with parentheses. This ensures that the macro result is evaluated completely before it is used.

It is also recommended to surround macro arguments in the replacement list with parentheses. This ensures that the argument value is calculated properly.

This check corresponds to the CERT C Coding Standard rule PRE20-C. Macro replacement lists should be parenthesized.

bugprone-macro-repeated-side-effects

Checks for repeated argument with side effects in macros.

bugprone-misplaced-operator-in-strlen-in-alloc

Finds cases where 1 is added to the string in the argument to strlen(), strnlen(), strnlen_s(), wcslen(), wcsnlen(), and wcsnlen_s() instead of the result and the value is used as an argument to a memory allocation function (malloc(), calloc(), realloc(), alloca()) or the new[] operator in C++. The check detects error cases even if one of these functions (except the new[] operator) is called by a constant function pointer. Cases where 1 is added both to the parameter and the result of the strlen()-like function are ignored, as are cases where the whole addition is surrounded by extra parentheses.

C example code:

void bad_malloc(char *str) {
  char *c = (char*) malloc(strlen(str + 1));
}

The suggested fix is to add 1 to the return value of strlen() and not to its argument. In the example above the fix would be

char *c = (char*) malloc(strlen(str) + 1);

C++ example code:

void bad_new(char *str) {
  char *c = new char[strlen(str + 1)];
}

As in the C code with the malloc() function, the suggested fix is to add 1 to the return value of strlen() and not to its argument. In the example above the fix would be

char *c = new char[strlen(str) + 1];

Example for silencing the diagnostic:

void bad_malloc(char *str) {
  char *c = (char*) malloc(strlen((str + 1)));
}

bugprone-misplaced-pointer-arithmetic-in-alloc

Finds cases where an integer expression is added to or subtracted from the result of a memory allocation function (malloc(), calloc(), realloc(), alloca()) instead of its argument. The check detects error cases even if one of these functions is called by a constant function pointer.

Example code:

void bad_malloc(int n) {
  char *p = (char*) malloc(n) + 10;
}

The suggested fix is to add the integer expression to the argument of malloc and not to its result. In the example above the fix would be

char *p = (char*) malloc(n + 10);

bugprone-misplaced-widening-cast

This check will warn when there is a cast of a calculation result to a bigger type. If the intention of the cast is to avoid loss of precision then the cast is misplaced, and there can be loss of precision. Otherwise the cast is ineffective.

Example code:

long f(int x) {
    return (long)(x * 1000);
}

The result x * 1000 is first calculated using int precision. If the result exceeds int precision there is loss of precision. Then the result is casted to long.

If there is no loss of precision then the cast can be removed or you can explicitly cast to int instead.

If you want to avoid loss of precision then put the cast in a proper location, for instance:

long f(int x) {
    return (long)x * 1000;
}

Implicit casts

Forgetting to place the cast at all is at least as dangerous and at least as common as misplacing it. If CheckImplicitCasts is enabled the check also detects these cases, for instance:

long f(int x) {
    return x * 1000;
}

Floating point

Currently warnings are only written for integer conversion. No warning is written for this code:

double f(float x) {
    return (double)(x * 10.0f);
}

Options

CheckImplicitCasts

If true, enables detection of implicit casts. Default is false.

bugprone-move-forwarding-reference

Warns if std::move is called on a forwarding reference, for example:

template <typename T>
void foo(T&& t) {
  bar(std::move(t));
}

Forwarding references should typically be passed to std::forward instead of std::move, and this is the fix that will be suggested.

(A forwarding reference is an rvalue reference of a type that is a deduced function template argument.)

In this example, the suggested fix would be

bar(std::forward<T>(t));

Background

Code like the example above is sometimes written with the expectation that T&& will always end up being an rvalue reference, no matter what type is deduced for T, and that it is therefore not possible to pass an lvalue to foo(). However, this is not true. Consider this example:

std::string s = "Hello, world";
foo(s);

This code compiles and, after the call to foo(), s is left in an indeterminate state because it has been moved from. This may be surprising to the caller of foo() because no std::move was used when calling foo().

The reason for this behavior lies in the special rule for template argument deduction on function templates like foo() -- i.e. on function templates that take an rvalue reference argument of a type that is a deduced function template argument. (See section [temp.deduct.call]/3 in the C++11 standard.)

If foo() is called on an lvalue (as in the example above), then T is deduced to be an lvalue reference. In the example, T is deduced to be std::string &. The type of the argument t therefore becomes std::string& &&; by the reference collapsing rules, this collapses to std::string&.

This means that the foo(s) call passes s as an lvalue reference, and foo() ends up moving s and thereby placing it into an indeterminate state.

bugprone-multi-level-implicit-pointer-conversion

Detects implicit conversions between pointers of different levels of indirection.

Conversions between pointer types of different levels of indirection can be dangerous and may lead to undefined behavior, particularly if the converted pointer is later cast to a type with a different level of indirection. For example, converting a pointer to a pointer to an int (int**) to a void* can result in the loss of information about the original level of indirection, which can cause problems when attempting to use the converted pointer. If the converted pointer is later cast to a type with a different level of indirection and dereferenced, it may lead to access violations, memory corruption, or other undefined behavior.

Consider the following example:

void foo(void* ptr);

int main() {
  int x = 42;
  int* ptr = &x;
  int** ptr_ptr = &ptr;
  foo(ptr_ptr); // warning will trigger here
  return 0;
}

In this example, foo() is called with ptr_ptr as its argument. However, ptr_ptr is a int** pointer, while foo() expects a void* pointer. This results in an implicit pointer level conversion, which could cause issues if foo() dereferences the pointer assuming it's a int* pointer.

Using an explicit cast is a recommended solution to prevent issues caused by implicit pointer level conversion, as it allows the developer to explicitly state their intention and show their reasoning for the type conversion. Additionally, it is recommended that developers thoroughly check and verify the safety of the conversion before using an explicit cast. This extra level of caution can help catch potential issues early on in the development process, improving the overall reliability and maintainability of the code.

bugprone-multiple-new-in-one-expression

Finds multiple new operator calls in a single expression, where the allocated memory by the first new may leak if the second allocation fails and throws exception.

C++ does often not specify the exact order of evaluation of the operands of an operator or arguments of a function. Therefore if a first allocation succeeds and a second fails, in an exception handler it is not possible to tell which allocation has failed and free the memory. Even if the order is fixed the result of a first new may be stored in a temporary location that is not reachable at the time when a second allocation fails. It is best to avoid any expression that contains more than one operator new call, if exception handling is used to check for allocation errors.

Different rules apply for are the short-circuit operators || and && and the , operator, where evaluation of one side must be completed before the other starts. Expressions of a list-initialization (initialization or construction using { and } characters) are evaluated in fixed order. Similarly, condition of a ? operator is evaluated before the branches are evaluated.

The check reports warning if two new calls appear in one expression at different sides of an operator, or if new calls appear in different arguments of a function call (that can be an object construction with () syntax). These new calls can be nested at any level. For any warning to be emitted the new calls should be in a code block where exception handling is used with catch for std::bad_alloc or std::exception. At ||, &&, ,, ? (condition and one branch) operators no warning is emitted. No warning is emitted if both of the memory allocations are not assigned to a variable or not passed directly to a function. The reason is that in this case the memory may be intentionally not freed or the allocated objects can be self-destructing objects.

Examples:

struct A {
  int Var;
};
struct B {
  B();
  B(A *);
  int Var;
};
struct C {
  int *X1;
  int *X2;
};

void f(A *, B *);
int f1(A *);
int f1(B *);
bool f2(A *);

void foo() {
  A *PtrA;
  B *PtrB;
  try {
    // Allocation of 'B'/'A' may fail after memory for 'A'/'B' was allocated.
    f(new A, new B); // warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception; order of these allocations is undefined

    // List (aggregate) initialization is used.
    C C1{new int, new int}; // no warning

    // Allocation of 'B'/'A' may fail after memory for 'A'/'B' was allocated but not yet passed to function 'f1'.
    int X = f1(new A) + f1(new B); // warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception; order of these allocations is undefined

    // Allocation of 'B' may fail after memory for 'A' was allocated.
    // From C++17 on memory for 'B' is allocated first but still may leak if allocation of 'A' fails.
    PtrB = new B(new A); // warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception

    // 'new A' and 'new B' may be performed in any order.
    // 'new B'/'new A' may fail after memory for 'A'/'B' was allocated but not assigned to 'PtrA'/'PtrB'.
    (PtrA = new A)->Var = (PtrB = new B)->Var; // warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception; order of these allocations is undefined

    // Evaluation of 'f2(new A)' must be finished before 'f1(new B)' starts.
    // If 'new B' fails the allocated memory for 'A' is supposedly handled correctly because function 'f2' could take the ownership.
    bool Z = f2(new A) || f1(new B); // no warning

    X = (f2(new A) ? f1(new A) : f1(new B)); // no warning

    // No warning if the result of both allocations is not passed to a function
    // or stored in a variable.
    (new A)->Var = (new B)->Var; // no warning

    // No warning if at least one non-throwing allocation is used.
    f(new(std::nothrow) A, new B); // no warning
  } catch(std::bad_alloc) {
  }

  // No warning if the allocation is outside a try block (or no catch handler exists for std::bad_alloc).
  // (The fact if exceptions can escape from 'foo' is not taken into account.)
  f(new A, new B); // no warning
}

bugprone-multiple-statement-macro

Detect multiple statement macros that are used in unbraced conditionals. Only the first statement of the macro will be inside the conditional and the other ones will be executed unconditionally.

Example:

#define INCREMENT_TWO(x, y) (x)++; (y)++
if (do_increment)
  INCREMENT_TWO(a, b);  // (b)++ will be executed unconditionally.

bugprone-narrowing-conversions

The bugprone-narrowing-conversions check is an alias, please see cppcoreguidelines-narrowing-conversions for more information.

bugprone-no-escape

Finds pointers with the noescape attribute that are captured by an asynchronously-executed block. The block arguments in dispatch_async() and dispatch_after() are guaranteed to escape, so it is an error if a pointer with the noescape attribute is captured by one of these blocks.

The following is an example of an invalid use of the noescape attribute.

void foo(__attribute__((noescape)) int *p) {
  dispatch_async(queue, ^{
    *p = 123;
  });
});

bugprone-non-zero-enum-to-bool-conversion

Detect implicit and explicit casts of enum type into bool where enum type doesn't have a zero-value enumerator. If the enum is used only to hold values equal to its enumerators, then conversion to bool will always result in true value. This can lead to unnecessary code that reduces readability and maintainability and can result in bugs.

May produce false positives if the enum is used to store other values (used as a bit-mask or zero-initialized on purpose). To deal with them, // NOLINT or casting first to the underlying type before casting to bool can be used.

It is important to note that this check will not generate warnings if the definition of the enumeration type is not available. Additionally, C++11 enumeration classes are supported by this check.

Overall, this check serves to improve code quality and readability by identifying and flagging instances where implicit or explicit casts from enumeration types to boolean could cause potential issues.

Example

enum EStatus {
  OK = 1,
  NOT_OK,
  UNKNOWN
};

void process(EStatus status) {
  if (!status) {
    // this true-branch won't be executed
    return;
  }
  // proceed with "valid data"
}

Options

EnumIgnoreList

Option is used to ignore certain enum types when checking for implicit/explicit casts to bool. It accepts a semicolon-separated list of (fully qualified) enum type names or regular expressions that match the enum type names. The default value is an empty string, which means no enums will be ignored.

bugprone-not-null-terminated-result

Finds function calls where it is possible to cause a not null-terminated result. Usually the proper length of a string is strlen(src) + 1 or equal length of this expression, because the null terminator needs an extra space. Without the null terminator it can result in undefined behavior when the string is read.

The following and their respective wchar_t based functions are checked:

memcpy, memcpy_s, memchr, memmove, memmove_s, strerror_s, strncmp, strxfrm

The following is a real-world example where the programmer forgot to increase the passed third argument, which is size_t length. That is why the length of the allocated memory is not enough to hold the null terminator.

static char *stringCpy(const std::string &str) {
  char *result = reinterpret_cast<char *>(malloc(str.size()));
  memcpy(result, str.data(), str.size());
  return result;
}

In addition to issuing warnings, fix-it rewrites all the necessary code. It also tries to adjust the capacity of the destination array:

static char *stringCpy(const std::string &str) {
  char *result = reinterpret_cast<char *>(malloc(str.size() + 1));
  strcpy(result, str.data());
  return result;
}

Note: It cannot guarantee to rewrite every of the path-sensitive memory allocations.

Transformation rules of 'memcpy()'

It is possible to rewrite the memcpy() and memcpy_s() calls as the following four functions: Ā strcpy(), strncpy(), strcpy_s(), strncpy_s(), where the latter two are the safer versions of the former two. It rewrites the wchar_t based memory handler functions respectively.

Rewrite based on the destination array

  • If copy to the destination array cannot overflow [1] the new function should be the older copy function (ending with cpy), because it is more efficient than the safe version.
  • If copy to the destination array can overflow [1] and WantToUseSafeFunctions is set to true and it is possible to obtain the capacity of the destination array then the new function could be the safe version (ending with cpy_s).
  • If the new function is could be safe version and C++ files are analyzed and the destination array is plain char/wchar_t without un/signed then the length of the destination array can be omitted.
  • If the new function is could be safe version and the destination array is un/signed it needs to be casted to plain char */wchar_t *.
[1] It is possible to overflow:
  • If the capacity of the destination array is unknown.
  • If the given length is equal to the destination array's capacity.

Rewrite based on the length of the source string

  • If the given length is strlen(source) or equal length of this expression then the new function should be the older copy function (ending with cpy), as it is more efficient than the safe version (ending with cpy_s).
  • Otherwise we assume that the programmer wanted to copy 'N' characters, so the new function is ncpy-like which copies 'N' characters.

Transformations with 'strlen()' or equal length of this expression

It transforms the wchar_t based memory and string handler functions respectively (where only strerror_s does not have wchar_t based alias).

Memory handler functions

memcpy Please visit the Transformation rules of 'memcpy()' section.

memchr Usually there is a C-style cast and it is needed to be removed, because the new function strchr's return type is correct. The given length is going to be removed.

memmove If safe functions are available the new function is memmove_s, which has a new second argument which is the length of the destination array, it is adjusted, and the length of the source string is incremented by one. If safe functions are not available the given length is incremented by one.

memmove_s The given length is incremented by one.

String handler functions

strerror_s The given length is incremented by one.

strncmp If the third argument is the first or the second argument's length + 1 it has to be truncated without the + 1 operation.

strxfrm The given length is incremented by one.

Options

WantToUseSafeFunctions

The value true specifies that the target environment is considered to implement '_s' suffixed memory and string handler functions which are safer than older versions (e.g. 'memcpy_s()'). The default value is true.

bugprone-optional-value-conversion

Detects potentially unintentional and redundant conversions where a value is extracted from an optional-like type and then used to create a new instance of the same optional-like type.

These conversions might be the result of developer oversight, leftovers from code refactoring, or other situations that could lead to unintended exceptions or cases where the resulting optional is always initialized, which might be unexpected behavior.

To illustrate, consider the following problematic code snippet:

#include <optional>

void print(std::optional<int>);

int main()
{
  std::optional<int> opt;
  // ...

  // Unintentional conversion from std::optional<int> to int and back to
  // std::optional<int>:
  print(opt.value());

  // ...
}

A better approach would be to directly pass opt to the print function without extracting its value:

#include <optional>

void print(std::optional<int>);

int main()
{
  std::optional<int> opt;
  // ...

  // Proposed code: Directly pass the std::optional<int> to the print
  // function.
  print(opt);

  // ...
}

By passing opt directly to the print function, unnecessary conversions are avoided, and potential unintended behavior or exceptions are minimized.

Value extraction using operator * is matched by default. The support for non-standard optional types such as boost::optional or absl::optional may be limited.

Options

OptionalTypes

Semicolon-separated list of (fully qualified) optional type names or regular expressions that match the optional types. Default value is ::std::optional;::absl::optional;::boost::optional.

ValueMethods

Semicolon-separated list of (fully qualified) method names or regular expressions that match the methods. Default value is ::value$;::get$.

bugprone-parent-virtual-call

Detects and fixes calls to grand-...parent virtual methods instead of calls to overridden parent's virtual methods.

struct A {
  int virtual foo() {...}
};

struct B: public A {
  int foo() override {...}
};

struct C: public B {
  int foo() override { A::foo(); }
//                     ^^^^^^^^
// warning: qualified name A::foo refers to a member overridden in subclass; did you mean 'B'?  [bugprone-parent-virtual-call]
};

bugprone-pointer-arithmetic-on-polymorphic-object

Finds pointer arithmetic performed on classes that contain a virtual function.

Pointer arithmetic on polymorphic objects where the pointer's static type is different from its dynamic type is undefined behavior, as the two types could have different sizes, and thus the vtable pointer could point to an invalid address.

Finding pointers where the static type contains a virtual member function is a good heuristic, as the pointer is likely to point to a different, derived object.

Example:

struct Base {
  virtual void ~Base();
};

struct Derived : public Base {};

void foo() {
  Base *b = new Derived[10];

  b += 1;
  // warning: pointer arithmetic on class that declares a virtual function can
  // result in undefined behavior if the dynamic type differs from the
  // pointer type

  delete[] static_cast<Derived*>(b);
}

Options

IgnoreInheritedVirtualFunctions

When true, objects that only inherit a virtual function are not checked. Classes that do not declare a new virtual function are excluded by default, as they make up the majority of false positives. Default: false.

void bar() {
  Base *b = new Base[10];
  b += 1; // warning, as Base declares a virtual destructor

  delete[] b;

  Derived *d = new Derived[10]; // Derived overrides the destructor, and
                                // declares no other virtual functions
  d += 1; // warning only if IgnoreVirtualDeclarationsOnly is set to false

  delete[] d;
}

References

This check corresponds to the SEI Cert rule CTR56-CPP. Do not use pointer arithmetic on polymorphic objects.

bugprone-posix-return

Checks if any calls to pthread_* or posix_* functions (except posix_openpt) expect negative return values. These functions return either 0 on success or an errno on failure, which is positive only.

Example buggy usage looks like:

if (posix_fadvise(...) < 0) {

This will never happen as the return value is always non-negative. A simple fix could be:

if (posix_fadvise(...) > 0) {

bugprone-redundant-branch-condition

Finds condition variables in nested if statements that were also checked in the outer if statement and were not changed.

Simple example:

bool onFire = isBurning();
if (onFire) {
  if (onFire)
    scream();
}

Here onFire is checked both in the outer if and the inner if statement without a possible change between the two checks. The check warns for this code and suggests removal of the second checking of variable onFire.

The checker also detects redundant condition checks if the condition variable is an operand of a logical "and" (&&) or a logical "or" (||) operator:

bool onFire = isBurning();
if (onFire) {
  if (onFire && peopleInTheBuilding > 0)
    scream();
}
bool onFire = isBurning();
if (onFire) {
  if (onFire || isCollapsing())
    scream();
}

In the first case (logical "and") the suggested fix is to remove the redundant condition variable and keep the other side of the &&. In the second case (logical "or") the whole if is removed similarly to the simple case on the top.

The condition of the outer if statement may also be a logical "and" (&&) expression:

bool onFire = isBurning();
if (onFire && fireFighters < 10) {
  if (someOtherCondition()) {
    if (onFire)
      scream();
  }
}

The error is also detected if both the outer statement is a logical "and" (&&) and the inner statement is a logical "and" (&&) or "or" (||). The inner if statement does not have to be a direct descendant of the outer one.

No error is detected if the condition variable may have been changed between the two checks:

bool onFire = isBurning();
if (onFire) {
  tryToExtinguish(onFire);
  if (onFire && peopleInTheBuilding > 0)
    scream();
}

Every possible change is considered, thus if the condition variable is not a local variable of the function, it is a volatile or it has an alias (pointer or reference) then no warning is issued.

Known limitations

The else branch is not checked currently for negated condition variable:

bool onFire = isBurning();
if (onFire) {
  scream();
} else {
  if (!onFire) {
    continueWork();
  }
}

The checker currently only detects redundant checking of single condition variables. More complex expressions are not checked:

if (peopleInTheBuilding == 1) {
  if (peopleInTheBuilding == 1) {
    doSomething();
  }
}

bugprone-reserved-identifier

cert-dcl37-c and cert-dcl51-cpp redirect here as an alias for this check.

Checks for usages of identifiers reserved for use by the implementation.

The C and C++ standards both reserve the following names for such use:

  • identifiers that begin with an underscore followed by an uppercase letter;
  • identifiers in the global namespace that begin with an underscore.

The C standard additionally reserves names beginning with a double underscore, while the C++ standard strengthens this to reserve names with a double underscore occurring anywhere.

Violating the naming rules above results in undefined behavior.

namespace NS {
  void __f(); // name is not allowed in user code
  using _Int = int; // same with this
  #define cool__macro // also this
}
int _g(); // disallowed in global namespace only

The check can also be inverted, i.e. it can be configured to flag any identifier that is _not_ a reserved identifier. This mode is for use by e.g. standard library implementors, to ensure they don't infringe on the user namespace.

This check does not (yet) check for other reserved names, e.g. macro names identical to language keywords, and names specifically reserved by language standards, e.g. C++ 'zombie names' and C future library directions.

This check corresponds to CERT C Coding Standard rule DCL37-C. Do not declare or define a reserved identifier as well as its C++ counterpart, DCL51-CPP. Do not declare or define a reserved identifier.

Options

Invert

If true, inverts the check, i.e. flags names that are not reserved. Default is false.

AllowedIdentifiers

Semicolon-separated list of regular expressions that the check ignores. Default is an empty list.

bugprone-return-const-ref-from-parameter

Detects return statements that return a constant reference parameter as constant reference. This may cause use-after-free errors if the caller uses xvalues as arguments.

In C++, constant reference parameters can accept xvalues which will be destructed after the call. When the function returns such a parameter also as constant reference, then the returned reference can be used after the object it refers to has been destroyed.

Example

struct S {
  int v;
  S(int);
  ~S();
};

const S &fn(const S &a) {
  return a;
}

const S& s = fn(S{1});
s.v; // use after free

bugprone-shared-ptr-array-mismatch

Finds initializations of C++ shared pointers to non-array type that are initialized with an array.

If a shared pointer std::shared_ptr<T> is initialized with a new-expression new T[] the memory is not deallocated correctly. The pointer uses plain delete in this case to deallocate the target memory. Instead a delete[] call is needed. A std::shared_ptr<T[]> calls the correct delete operator.

The check offers replacement of shared_ptr<T> to shared_ptr<T[]> if it is used at a single variable declaration (one variable in one statement).

Example:

std::shared_ptr<Foo> x(new Foo[10]); // -> std::shared_ptr<Foo[]> x(new Foo[10]);
//                     ^ warning: shared pointer to non-array is initialized with array [bugprone-shared-ptr-array-mismatch]
std::shared_ptr<Foo> x1(new Foo), x2(new Foo[10]); // no replacement
//                                   ^ warning: shared pointer to non-array is initialized with array [bugprone-shared-ptr-array-mismatch]

std::shared_ptr<Foo> x3(new Foo[10], [](const Foo *ptr) { delete[] ptr; }); // no warning

struct S {
  std::shared_ptr<Foo> x(new Foo[10]); // no replacement in this case
  //                     ^ warning: shared pointer to non-array is initialized with array [bugprone-shared-ptr-array-mismatch]
};

This check partially covers the CERT C++ Coding Standard rule MEM51-CPP. Properly deallocate dynamically allocated resources However, only the std::shared_ptr case is detected by this check.

bugprone-signal-handler

Finds specific constructs in signal handler functions that can cause undefined behavior. The rules for what is allowed differ between C++ language versions.

Checked signal handler rules for C:

  • Calls to non-asynchronous-safe functions are not allowed.

Checked signal handler rules for up to and including C++14:

  • Calls to non-asynchronous-safe functions are not allowed.
  • C++-specific code constructs are not allowed in signal handlers. In other words, only the common subset of C and C++ is allowed to be used.
  • Calls to functions with non-C linkage are not allowed (including the signal handler itself).

The check is disabled on C++17 and later.

Asynchronous-safety is determined by comparing the function's name against a set of known functions. In addition, the function must come from a system header include and in a global namespace. The (possible) arguments passed to the function are not checked. Any function that cannot be determined to be asynchronous-safe is assumed to be non-asynchronous-safe by the check, including user functions for which only the declaration is visible. Calls to user-defined functions with visible definitions are checked recursively.

This check implements the CERT C Coding Standard rule SIG30-C. Call only asynchronous-safe functions within signal handlers and the rule MSC54-CPP. A signal handler must be a plain old function. It has the alias names cert-sig30-c and cert-msc54-cpp.

Options

AsyncSafeFunctionSet

Selects which set of functions is considered as asynchronous-safe (and therefore allowed in signal handlers). It can be set to the following values:

minimal

Selects a minimal set that is defined in the CERT SIG30-C rule. and includes functions abort(), _Exit(), quick_exit() and signal().

POSIX

Selects a larger set of functions that is listed in POSIX.1-2017 (see this link for more information). The following functions are included: _Exit, _exit, abort, accept, access, aio_error, aio_return, aio_suspend, alarm, bind, cfgetispeed, cfgetospeed, cfsetispeed, cfsetospeed, chdir, chmod, chown, clock_gettime, close, connect, creat, dup, dup2, execl, execle, execv, execve, faccessat, fchdir, fchmod, fchmodat, fchown, fchownat, fcntl, fdatasync, fexecve, ffs, fork, fstat, fstatat, fsync, ftruncate, futimens, getegid, geteuid, getgid, getgroups, getpeername, getpgrp, getpid, getppid, getsockname, getsockopt, getuid, htonl, htons, kill, link, linkat, listen, longjmp, lseek, lstat, memccpy, memchr, memcmp, memcpy, memmove, memset, mkdir, mkdirat, mkfifo, mkfifoat, mknod, mknodat, ntohl, ntohs, open, openat, pause, pipe, poll, posix_trace_event, pselect, pthread_kill, pthread_self, pthread_sigmask, quick_exit, raise, read, readlink, readlinkat, recv, recvfrom, recvmsg, rename, renameat, rmdir, select, sem_post, send, sendmsg, sendto, setgid, setpgid, setsid, setsockopt, setuid, shutdown, sigaction, sigaddset, sigdelset, sigemptyset, sigfillset, sigismember, siglongjmp, signal, sigpause, sigpending, sigprocmask, sigqueue, sigset, sigsuspend, sleep, sockatmark, socket, socketpair, stat, stpcpy, stpncpy, strcat, strchr, strcmp, strcpy, strcspn, strlen, strncat, strncmp, strncpy, strnlen, strpbrk, strrchr, strspn, strstr, strtok_r, symlink, symlinkat, tcdrain, tcflow, tcflush, tcgetattr, tcgetpgrp, tcsendbreak, tcsetattr, tcsetpgrp, time, timer_getoverrun, timer_gettime, timer_settime, times, umask, uname, unlink, unlinkat, utime, utimensat, utimes, wait, waitpid, wcpcpy, wcpncpy, wcscat, wcschr, wcscmp, wcscpy, wcscspn, wcslen, wcsncat, wcsncmp, wcsncpy, wcsnlen, wcspbrk, wcsrchr, wcsspn, wcsstr, wcstok, wmemchr, wmemcmp, wmemcpy, wmemmove, wmemset, write

The function quick_exit is not included in the POSIX list but it is included here in the set of safe functions.

The default value is POSIX.

bugprone-signed-char-misuse

cert-str34-c redirects here as an alias for this check. For the CERT alias, the DiagnoseSignedUnsignedCharComparisons option is set to false.

Finds those signed char -> integer conversions which might indicate a programming error. The basic problem with the signed char, that it might store the non-ASCII characters as negative values. This behavior can cause a misunderstanding of the written code both when an explicit and when an implicit conversion happens.

When the code contains an explicit signed char -> integer conversion, the human programmer probably expects that the converted value matches with the character code (a value from [0..255]), however, the actual value is in [-128..127] interval. To avoid this kind of misinterpretation, the desired way of converting from a signed char to an integer value is converting to unsigned char first, which stores all the characters in the positive [0..255] interval which matches the known character codes.

In case of implicit conversion, the programmer might not actually be aware that a conversion happened and char value is used as an integer. There are some use cases when this unawareness might lead to a functionally imperfect code. For example, checking the equality of a signed char and an unsigned char variable is something we should avoid in C++ code. During this comparison, the two variables are converted to integers which have different value ranges. For signed char, the non-ASCII characters are stored as a value in [-128..-1] interval, while the same characters are stored in the [128..255] interval for an unsigned char.

It depends on the actual platform whether plain char is handled as signed char by default and so it is caught by this check or not. To change the default behavior you can use -funsigned-char and -fsigned-char compilation options.

Currently, this check warns in the following cases: - signed char is assigned to an integer variable - signed char and unsigned char are compared with equality/inequality operator - signed char is converted to an integer in the array subscript

See also: STR34-C. Cast characters to unsigned char before converting to larger integer sizes

A good example from the CERT description when a char variable is used to read from a file that might contain non-ASCII characters. The problem comes up when the code uses the -1 integer value as EOF, while the 255 character code is also stored as -1 in two's complement form of char type. See a simple example of this below. This code stops not only when it reaches the end of the file, but also when it gets a character with the 255 code.

#define EOF (-1)

int read(void) {
  char CChar;
  int IChar = EOF;

  if (readChar(CChar)) {
    IChar = CChar;
  }
  return IChar;
}

A proper way to fix the code above is converting the char variable to an unsigned char value first.

#define EOF (-1)

int read(void) {
  char CChar;
  int IChar = EOF;

  if (readChar(CChar)) {
    IChar = static_cast<unsigned char>(CChar);
  }
  return IChar;
}

Another use case is checking the equality of two char variables with different signedness. Inside the non-ASCII value range this comparison between a signed char and an unsigned char always returns false.

bool compare(signed char SChar, unsigned char USChar) {
  if (SChar == USChar)
    return true;
  return false;
}

The easiest way to fix this kind of comparison is casting one of the arguments, so both arguments will have the same type.

bool compare(signed char SChar, unsigned char USChar) {
  if (static_cast<unsigned char>(SChar) == USChar)
    return true;
  return false;
}
CharTypdefsToIgnore

A semicolon-separated list of typedef names. In this list, we can list typedefs for char or signed char, which will be ignored by the check. This is useful when a typedef introduces an integer alias like sal_Int8 or int8_t. In this case, human misinterpretation is not an issue.

DiagnoseSignedUnsignedCharComparisons

When true, the check will warn on signed char/unsigned char comparisons, otherwise these comparisons are ignored. By default, this option is set to true.

bugprone-sizeof-container

The check finds usages of sizeof on expressions of STL container types. Most likely the user wanted to use .size() instead.

All class/struct types declared in namespace std:: having a const size() method are considered containers, with the exception of std::bitset and std::array.

Examples:

std::string s;
int a = 47 + sizeof(s); // warning: sizeof() doesn't return the size of the container. Did you mean .size()?

int b = sizeof(std::string); // no warning, probably intended.

std::string array_of_strings[10];
int c = sizeof(array_of_strings) / sizeof(array_of_strings[0]); // no warning, definitely intended.

std::array<int, 3> std_array;
int d = sizeof(std_array); // no warning, probably intended.

bugprone-sizeof-expression

The check finds usages of sizeof expressions which are most likely errors.

The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type. Misuse of this operator may be leading to errors and possible software vulnerabilities.

Suspicious usage of 'sizeof(K)'

A common mistake is to query the sizeof of an integer literal. This is equivalent to query the size of its type (probably int). The intent of the programmer was probably to simply get the integer and not its size.

#define BUFLEN 42
char buf[BUFLEN];
memset(buf, 0, sizeof(BUFLEN));  // sizeof(42) ==> sizeof(int)

Suspicious usage of 'sizeof(expr)'

In cases, where there is an enum or integer to represent a type, a common mistake is to query the sizeof on the integer or enum that represents the type that should be used by sizeof. This results in the size of the integer and not of the type the integer represents:

enum data_type {
  FLOAT_TYPE,
  DOUBLE_TYPE
};

struct data {
  data_type type;
  void* buffer;
  data_type get_type() {
    return type;
  }
};

void f(data d, int numElements) {
  // should be sizeof(float) or sizeof(double), depending on d.get_type()
  int numBytes = numElements * sizeof(d.get_type());
  ...
}

Suspicious usage of 'sizeof(this)'

The this keyword is evaluated to a pointer to an object of a given type. The expression sizeof(this) is returning the size of a pointer. The programmer most likely wanted the size of the object and not the size of the pointer.

class Point {
  [...]
  size_t size() { return sizeof(this); }  // should probably be sizeof(*this)
  [...]
};

Suspicious usage of 'sizeof(char*)'

There is a subtle difference between declaring a string literal with char* A = "" and char A[] = "". The first case has the type char* instead of the aggregate type char[]. Using sizeof on an object declared with char* type is returning the size of a pointer instead of the number of characters (bytes) in the string literal.

const char* kMessage = "Hello World!";      // const char kMessage[] = "...";
void getMessage(char* buf) {
  memcpy(buf, kMessage, sizeof(kMessage));  // sizeof(char*)
}

Suspicious usage of 'sizeof(A*)'

A common mistake is to compute the size of a pointer instead of its pointee. These cases may occur because of explicit cast or implicit conversion.

int A[10];
memset(A, 0, sizeof(A + 0));

struct Point point;
memset(point, 0, sizeof(&point));

Suspicious usage of 'sizeof(...)/sizeof(...)'

Dividing sizeof expressions is typically used to retrieve the number of elements of an aggregate. This check warns on incompatible or suspicious cases.

In the following example, the entity has 10-bytes and is incompatible with the type int which has 4 bytes.

char buf[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };  // sizeof(buf) => 10
void getMessage(char* dst) {
  memcpy(dst, buf, sizeof(buf) / sizeof(int));  // sizeof(int) => 4  [incompatible sizes]
}

In the following example, the expression sizeof(Values) is returning the size of char*. One can easily be fooled by its declaration, but in parameter declaration the size '10' is ignored and the function is receiving a char*.

char OrderedValues[10] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
return CompareArray(char Values[10]) {
  return memcmp(OrderedValues, Values, sizeof(Values)) == 0;  // sizeof(Values) ==> sizeof(char*) [implicit cast to char*]
}

Suspicious 'sizeof' by 'sizeof' expression

Multiplying sizeof expressions typically makes no sense and is probably a logic error. In the following example, the programmer used * instead of /.

const char kMessage[] = "Hello World!";
void getMessage(char* buf) {
  memcpy(buf, kMessage, sizeof(kMessage) * sizeof(char));  //  sizeof(kMessage) / sizeof(char)
}

This check may trigger on code using the arraysize macro. The following code is working correctly but should be simplified by using only the sizeof operator.

extern Object objects[100];
void InitializeObjects() {
  memset(objects, 0, arraysize(objects) * sizeof(Object));  // sizeof(objects)
}

Suspicious usage of 'sizeof(sizeof(...))'

Getting the sizeof of a sizeof makes no sense and is typically an error hidden through macros.

#define INT_SZ sizeof(int)
int buf[] = { 42 };
void getInt(int* dst) {
  memcpy(dst, buf, sizeof(INT_SZ));  // sizeof(sizeof(int)) is suspicious.
}

Options

WarnOnSizeOfConstant

When true, the check will warn on an expression like sizeof(CONSTANT). Default is true.

WarnOnSizeOfIntegerExpression

When true, the check will warn on an expression like sizeof(expr) where the expression results in an integer. Default is false.

WarnOnSizeOfThis

When true, the check will warn on an expression like sizeof(this). Default is true.

WarnOnSizeOfCompareToConstant

When true, the check will warn on an expression like sizeof(expr) <= k for a suspicious constant k while k is 0 or greater than 0x8000. Default is true.

WarnOnSizeOfPointerToAggregate

When true, the check will warn when the argument of sizeof is either a pointer-to-aggregate type, an expression returning a pointer-to-aggregate value or an expression that returns a pointer from an array-to-pointer conversion (that may be implicit or explicit, for example array + 2 or (int *)array). Default is true.

WarnOnSizeOfPointer

When true, the check will report all expressions where the argument of sizeof is an expression that produces a pointer (except for a few idiomatic expressions that are probably intentional and correct). This detects occurrences of CWE 467. Default is false.

bugprone-spuriously-wake-up-functions

Finds cnd_wait, cnd_timedwait, wait, wait_for, or wait_until function calls when the function is not invoked from a loop that checks whether a condition predicate holds or the function has a condition parameter.

if (condition_predicate) {
    condition.wait(lk);
}
if (condition_predicate) {
    if (thrd_success != cnd_wait(&condition, &lock)) {
    }
}

This check corresponds to the CERT C++ Coding Standard rule CON54-CPP. Wrap functions that can spuriously wake up in a loop. and CERT C Coding Standard rule CON36-C. Wrap functions that can spuriously wake up in a loop.

bugprone-standalone-empty

Warns when empty() is used on a range and the result is ignored. Suggests clear() if it is an existing member function.

The empty() method on several common ranges returns a Boolean indicating whether or not the range is empty, but is often mistakenly interpreted as a way to clear the contents of a range. Some ranges offer a clear() method for this purpose. This check warns when a call to empty returns a result that is ignored, and suggests replacing it with a call to clear() if it is available as a member function of the range.

For example, the following code could be used to indicate whether a range is empty or not, but the result is ignored:

std::vector<int> v;
...
v.empty();

A call to clear() would appropriately clear the contents of the range:

std::vector<int> v;
...
v.clear();

Limitations:

  • Doesn't warn if empty() is defined and used with the ignore result in the class template definition (for example in the library implementation). These error cases can be caught with [[nodiscard]] attribute.

bugprone-string-constructor

Finds string constructors that are suspicious and probably errors.

A common mistake is to swap parameters to the 'fill' string-constructor.

Examples:

std::string str('x', 50); // should be str(50, 'x')

Calling the string-literal constructor with a length bigger than the literal is suspicious and adds extra random characters to the string.

Examples:

std::string("test", 200);   // Will include random characters after "test".
std::string_view("test", 200);

Creating an empty string from constructors with parameters is considered suspicious. The programmer should use the empty constructor instead.

Examples:

std::string("test", 0);   // Creation of an empty string.
std::string_view("test", 0);

Options

WarnOnLargeLength

When true, the check will warn on a string with a length greater than LargeLengthThreshold. Default is true.

LargeLengthThreshold

An integer specifying the large length threshold. Default is 0x800000.

StringNames

Default is ::std::basic_string;::std::basic_string_view.

Semicolon-delimited list of class names to apply this check to. By default ::std::basic_string applies to std::string and std::wstring. Set to e.g. ::std::basic_string;llvm::StringRef;QString to perform this check on custom classes.

bugprone-string-integer-assignment

The check finds assignments of an integer to std::basic_string<CharT> (std::string, std::wstring, etc.). The source of the problem is the following assignment operator of std::basic_string<CharT>:

basic_string& operator=( CharT ch );

Numeric types can be implicitly casted to character types.

std::string s;
int x = 5965;
s = 6;
s = x;

Use the appropriate conversion functions or character literals.

std::string s;
int x = 5965;
s = '6';
s = std::to_string(x);

In order to suppress false positives, use an explicit cast.

std::string s;
s = static_cast<char>(6);

bugprone-string-literal-with-embedded-nul

Finds occurrences of string literal with embedded NUL character and validates their usage.

Invalid escaping

Special characters can be escaped within a string literal by using their hexadecimal encoding like \x42. A common mistake is to escape them like this \0x42 where the \0 stands for the NUL character.

const char* Example[] = "Invalid character: \0x12 should be \x12";
const char* Bytes[] = "\x03\0x02\0x01\0x00\0xFF\0xFF\0xFF";

Truncated literal

String-like classes can manipulate strings with embedded NUL as they are keeping track of the bytes and the length. This is not the case for a char* (NUL-terminated) string.

A common mistake is to pass a string-literal with embedded NUL to a string constructor expecting a NUL-terminated string. The bytes after the first NUL character are truncated.

std::string str("abc\0def");  // "def" is truncated
str += "\0";                  // This statement is doing nothing
if (str == "\0abc") return;   // This expression is always true

bugprone-stringview-nullptr

Checks for various ways that the const CharT* constructor of std::basic_string_view can be passed a null argument and replaces them with the default constructor in most cases. For the comparison operators, braced initializer list does not compile so instead a call to .empty() or the empty string literal are used, where appropriate.

This prevents code from invoking behavior which is unconditionally undefined. The single-argument const CharT* constructor does not check for the null case before dereferencing its input. The standard is slated to add an explicitly-deleted overload to catch some of these cases: wg21.link/p2166

To catch the additional cases of NULL (which expands to __null) and 0, first run the modernize-use-nullptr check to convert the callers to nullptr.

std::string_view sv = nullptr;

sv = nullptr;

bool is_empty = sv == nullptr;
bool isnt_empty = sv != nullptr;

accepts_sv(nullptr);

accepts_sv({{}});  // A

accepts_sv({nullptr, 0});  // B

is translated into...

std::string_view sv = {};

sv = {};

bool is_empty = sv.empty();
bool isnt_empty = !sv.empty();

accepts_sv("");

accepts_sv("");  // A

accepts_sv({nullptr, 0});  // B
NOTE:

The source pattern with trailing comment "A" selects the (const CharT*) constructor overload and then value-initializes the pointer, causing a null dereference. It happens to not include the nullptr literal, but it is still within the scope of this ClangTidy check.

NOTE:

The source pattern with trailing comment "B" selects the (const CharT*, size_type) constructor which is perfectly valid, since the length argument is 0. It is not changed by this ClangTidy check.

bugprone-suspicious-enum-usage

The checker detects various cases when an enum is probably misused (as a bitmask ).

1.

When "ADD" or "bitwise OR" is used between two enum which come from different types and these types value ranges are not disjoint.

The following cases will be investigated only using StrictMode. We regard the enum as a (suspicious) bitmask if the three conditions below are true at the same time:

  • at most half of the elements of the enum are non pow-of-2 numbers (because of short enumerations)
  • there is another non pow-of-2 number than the enum constant representing all choices (the result "bitwise OR" operation of all enum elements)
  • enum type variable/enumconstant is used as an argument of a + or "bitwise OR " operator

So whenever the non pow-of-2 element is used as a bitmask element we diagnose a misuse and give a warning.

2.

Investigating the right hand side of += and |= operator.

3.

Check only the enum value side of a | and + operator if one of them is not enum val.

4.

Check both side of | or + operator where the enum values are from the same enum type.

Examples:

enum { A, B, C };
enum { D, E, F = 5 };
enum { G = 10, H = 11, I = 12 };

unsigned flag;
flag =
    A |
    H; // OK, disjoint value intervals in the enum types ->probably good use.
flag = B | F; // Warning, have common values so they are probably misused.

// Case 2:
enum Bitmask {
  A = 0,
  B = 1,
  C = 2,
  D = 4,
  E = 8,
  F = 16,
  G = 31 // OK, real bitmask.
};

enum Almostbitmask {
  AA = 0,
  BB = 1,
  CC = 2,
  DD = 4,
  EE = 8,
  FF = 16,
  GG // Problem, forgot to initialize.
};

unsigned flag = 0;
flag |= E; // OK.
flag |=
    EE; // Warning at the decl, and note that it was used here as a bitmask.

Options

StrictMode

Default value: 0. When non-null the suspicious bitmask usage will be investigated additionally to the different enum usage check.

bugprone-suspicious-include

The check detects various cases when an include refers to what appears to be an implementation file, which often leads to hard-to-track-down ODR violations.

Examples:

#include "Dinosaur.hpp"     // OK, .hpp files tend not to have definitions.
#include "Pterodactyl.h"    // OK, .h files tend not to have definitions.
#include "Velociraptor.cpp" // Warning, filename is suspicious.
#include_next <stdio.c>     // Warning, filename is suspicious.

bugprone-suspicious-memory-comparison

Finds potentially incorrect calls to memcmp() based on properties of the arguments. The following cases are covered:

Case 1: Non-standard-layout type

Comparing the object representations of non-standard-layout objects may not properly compare the value representations.

Case 2: Types with no unique object representation

Objects with the same value may not have the same object representation. This may be caused by padding or floating-point types.

See also: EXP42-C. Do not compare padding data and FLP37-C. Do not use object representations to compare floating-point values

This check is also related to and partially overlaps the CERT C++ Coding Standard rules OOP57-CPP. Prefer special member functions and overloaded operators to C Standard Library functions and EXP62-CPP. Do not access the bits of an object representation that are not part of the object's value representation

cert-exp42-c redirects here as an alias of this check.

bugprone-suspicious-memset-usage

This check finds memset() calls with potential mistakes in their arguments. Considering the function as void* memset(void* destination, int fill_value, size_t byte_count), the following cases are covered:

Case 1: Fill value is a character ``'0'``

Filling up a memory area with ASCII code 48 characters is not customary, possibly integer zeroes were intended instead. The check offers a replacement of '0' with 0. Memsetting character pointers with '0' is allowed.

Case 2: Fill value is truncated

Memset converts fill_value to unsigned char before using it. If fill_value is out of unsigned character range, it gets truncated and memory will not contain the desired pattern.

Case 3: Byte count is zero

Calling memset with a literal zero in its byte_count argument is likely to be unintended and swapped with fill_value. The check offers to swap these two arguments.

Corresponding cpplint.py check name: runtime/memset.

Examples:

void foo() {
  int i[5] = {1, 2, 3, 4, 5};
  int *ip = i;
  char c = '1';
  char *cp = &c;
  int v = 0;

  // Case 1
  memset(ip, '0', 1); // suspicious
  memset(cp, '0', 1); // OK

  // Case 2
  memset(ip, 0xabcd, 1); // fill value gets truncated
  memset(ip, 0x00, 1);   // OK

  // Case 3
  memset(ip, sizeof(int), v); // zero length, potentially swapped
  memset(ip, 0, 1);           // OK
}

bugprone-suspicious-missing-comma

String literals placed side-by-side are concatenated at translation phase 6 (after the preprocessor). This feature is used to represent long string literal on multiple lines.

For instance, the following declarations are equivalent:

const char* A[] = "This is a test";
const char* B[] = "This" " is a "    "test";

A common mistake done by programmers is to forget a comma between two string literals in an array initializer list.

const char* Test[] = {
  "line 1",
  "line 2"     // Missing comma!
  "line 3",
  "line 4",
  "line 5"
};

The array contains the string "line 2line3" at offset 1 (i.e. Test[1]). Clang won't generate warnings at compile time.

This check may warn incorrectly on cases like:

const char* SupportedFormat[] = {
  "Error %s",
  "Code " PRIu64,   // May warn here.
  "Warning %s",
};

Options

SizeThreshold

An unsigned integer specifying the minimum size of a string literal to be considered by the check. Default is 5U.

RatioThreshold

A string specifying the maximum threshold ratio [0, 1.0] of suspicious string literals to be considered. Default is ".2".

MaxConcatenatedTokens

An unsigned integer specifying the maximum number of concatenated tokens. Default is 5U.

bugprone-suspicious-realloc-usage

This check finds usages of realloc where the return value is assigned to the same expression as passed to the first argument: p = realloc(p, size); The problem with this construct is that if realloc fails it returns a null pointer but does not deallocate the original memory. If no other variable is pointing to it, the original memory block is not available any more for the program to use or free. In either case p = realloc(p, size); indicates bad coding style and can be replaced by q = realloc(p, size);.

The pointer expression (used at realloc) can be a variable or a field member of a data structure, but can not contain function calls or unresolved types.

In obvious cases when the pointer used at realloc is assigned to another variable before the realloc call, no warning is emitted. This happens only if a simple expression in form of q = p or void *q = p is found in the same function where p = realloc(p, ...) is found. The assignment has to be before the call to realloc (but otherwise at any place) in the same function. This suppression works only if p is a single variable.

Examples:

struct A {
  void *p;
};

A &getA();

void foo(void *p, A *a, int new_size) {
  p = realloc(p, new_size); // warning: 'p' may be set to null if 'realloc' fails, which may result in a leak of the original buffer
  a->p = realloc(a->p, new_size); // warning: 'a->p' may be set to null if 'realloc' fails, which may result in a leak of the original buffer
  getA().p = realloc(getA().p, new_size); // no warning
}

void foo1(void *p, int new_size) {
  void *p1 = p;
  p = realloc(p, new_size); // no warning
}

bugprone-suspicious-semicolon

Finds most instances of stray semicolons that unexpectedly alter the meaning of the code. More specifically, it looks for if, while, for and for-range statements whose body is a single semicolon, and then analyzes the context of the code (e.g. indentation) in an attempt to determine whether that is intentional.

if (x < y);
{
  x++;
}

Here the body of the if statement consists of only the semicolon at the end of the first line, and x will be incremented regardless of the condition.

while ((line = readLine(file)) != NULL);
  processLine(line);

As a result of this code, processLine() will only be called once, when the while loop with the empty body exits with line == NULL. The indentation of the code indicates the intention of the programmer.

if (x >= y);
x -= y;

While the indentation does not imply any nesting, there is simply no valid reason to have an if statement with an empty body (but it can make sense for a loop). So this check issues a warning for the code above.

To solve the issue remove the stray semicolon or in case the empty body is intentional, reflect this using code indentation or put the semicolon in a new line. For example:

while (readWhitespace());
  Token t = readNextToken();

Here the second line is indented in a way that suggests that it is meant to be the body of the while loop - whose body is in fact empty, because of the semicolon at the end of the first line.

Either remove the indentation from the second line:

while (readWhitespace());
Token t = readNextToken();

... or move the semicolon from the end of the first line to a new line:

while (readWhitespace())
  ;

  Token t = readNextToken();

In this case the check will assume that you know what you are doing, and will not raise a warning.

bugprone-suspicious-string-compare

Find suspicious usage of runtime string comparison functions. This check is valid in C and C++.

Checks for calls with implicit comparator and proposed to explicitly add it.

if (strcmp(...))       // Implicitly compare to zero
if (!strcmp(...))      // Won't warn
if (strcmp(...) != 0)  // Won't warn

Checks that compare function results (i.e., strcmp) are compared to valid constant. The resulting value is

<  0    when lower than,
>  0    when greater than,
== 0    when equals.

A common mistake is to compare the result to 1 or -1.

if (strcmp(...) == -1)  // Incorrect usage of the returned value.

Additionally, the check warns if the results value is implicitly cast to a suspicious non-integer type. It's happening when the returned value is used in a wrong context.

if (strcmp(...) < 0.)  // Incorrect usage of the returned value.

Options

WarnOnImplicitComparison

When true, the check will warn on implicit comparison. true by default.

WarnOnLogicalNotComparison

When true, the check will warn on logical not comparison. false by default.

StringCompareLikeFunctions

A string specifying the comma-separated names of the extra string comparison functions. Default is an empty string. The check will detect the following string comparison functions: __builtin_memcmp, __builtin_strcasecmp, __builtin_strcmp, __builtin_strncasecmp, __builtin_strncmp, _mbscmp, _mbscmp_l, _mbsicmp, _mbsicmp_l, _mbsnbcmp, _mbsnbcmp_l, _mbsnbicmp, _mbsnbicmp_l, _mbsncmp, _mbsncmp_l, _mbsnicmp, _mbsnicmp_l, _memicmp, _memicmp_l, _stricmp, _stricmp_l, _strnicmp, _strnicmp_l, _wcsicmp, _wcsicmp_l, _wcsnicmp, _wcsnicmp_l, lstrcmp, lstrcmpi, memcmp, memicmp, strcasecmp, strcmp, strcmpi, stricmp, strncasecmp, strncmp, strnicmp, wcscasecmp, wcscmp, wcsicmp, wcsncmp, wcsnicmp, wmemcmp.

bugprone-suspicious-stringview-data-usage

Identifies suspicious usages of std::string_view::data() that could lead to reading out-of-bounds data due to inadequate or incorrect string null termination.

It warns when the result of data() is passed to a constructor or function without also passing the corresponding result of size() or length() member function. Such usage can lead to unintended behavior, particularly when assuming the data pointed to by data() is null-terminated.

The absence of a c_str() method in std::string_view often leads developers to use data() as a substitute, especially when interfacing with C APIs that expect null-terminated strings. However, since data() does not guarantee null termination, this can result in unintended behavior if the API relies on proper null termination for correct string interpretation.

In today's programming landscape, this scenario can occur when implicitly converting an std::string_view to an std::string. Since the constructor in std::string designed for string-view-like objects is explicit, attempting to pass an std::string_view to a function expecting an std::string will result in a compilation error. As a workaround, developers may be tempted to utilize the .data() method to achieve compilation, introducing potential risks.

For instance:

void printString(const std::string& str) {
  std::cout << "String: " << str << std::endl;
}

void something(std::string_view sv) {
  printString(sv.data());
}

In this example, directly passing sv to the printString function would lead to a compilation error due to the explicit nature of the std::string constructor. Consequently, developers might opt for sv.data() to resolve the compilation error, albeit introducing potential hazards as discussed.

StringViewTypes

Option allows users to specify custom string view-like types for analysis. It accepts a semicolon-separated list of type names or regular expressions matching these types. Default value is: ::std::basic_string_view;::llvm::StringRef.

AllowedCallees

Specifies methods, functions, or classes where the result of .data() is passed to. Allows to exclude such calls from the analysis. Accepts a semicolon-separated list of names or regular expressions matching these entities. Default value is: empty string.

bugprone-swapped-arguments

Finds potentially swapped arguments by examining implicit conversions. It analyzes the types of the arguments being passed to a function and compares them to the expected types of the corresponding parameters. If there is a mismatch or an implicit conversion that indicates a potential swap, a warning is raised.

void printNumbers(int a, float b);

int main() {
  // Swapped arguments: float passed as int, int as float)
  printNumbers(10.0f, 5);
  return 0;
}

Covers a wide range of implicit conversions, including: - User-defined conversions - Conversions from floating-point types to boolean or integral types - Conversions from integral types to boolean or floating-point types - Conversions from boolean to integer types or floating-point types - Conversions from (member) pointers to boolean

It is important to note that for most argument swaps, the types need to match exactly. However, there are exceptions to this rule. Specifically, when the swapped argument is of integral type, an exact match is not always necessary. Implicit casts from other integral types are also accepted. Similarly, when dealing with floating-point arguments, implicit casts between different floating-point types are considered acceptable.

To avoid confusion, swaps where both swapped arguments are of integral types or both are of floating-point types do not trigger the warning. In such cases, it's assumed that the developer intentionally used different integral or floating-point types and does not raise a warning. This approach prevents false positives and provides flexibility in handling situations where varying integral or floating-point types are intentionally utilized.

bugprone-switch-missing-default-case

Ensures that switch statements without default cases are flagged, focuses only on covering cases with non-enums where the compiler may not issue warnings.

Switch statements without a default case can lead to unexpected behavior and incomplete handling of all possible cases. When a switch statement lacks a default case, if a value is encountered that does not match any of the specified cases, the program will continue execution without any defined behavior or handling.

This check helps identify switch statements that are missing a default case, allowing developers to ensure that all possible cases are handled properly. Adding a default case allows for graceful handling of unexpected or unmatched values, reducing the risk of program errors and unexpected behavior.

Example:

// Example 1:
// warning: switching on non-enum value without default case may not cover all cases
switch (i) {
case 0:
  break;
}

// Example 2:
enum E { eE1 };
E e = eE1;
switch (e) { // no-warning
case eE1:
  break;
}

// Example 3:
int i = 0;
switch (i) { // no-warning
case 0:
  break;
default:
  break;
}
NOTE:

Enum types are already covered by compiler warnings (comes under -Wswitch) when a switch statement does not handle all enum values. This check focuses on non-enum types where the compiler warnings may not be present.

SEE ALSO:

The CppCoreGuideline ES.79 provide guidelines on switch statements, including the recommendation to always provide a default case.

bugprone-terminating-continue

Detects do while loops with a condition always evaluating to false that have a continue statement, as this continue terminates the loop effectively.

void f() {
do {
  // some code
  continue; // terminating continue
  // some other code
} while(false);

bugprone-throw-keyword-missing

Warns about a potentially missing throw keyword. If a temporary object is created, but the object's type derives from (or is the same as) a class that has 'EXCEPTION', 'Exception' or 'exception' in its name, we can assume that the programmer's intention was to throw that object.

Example:

void f(int i) {
  if (i < 0) {
    // Exception is created but is not thrown.
    std::runtime_error("Unexpected argument");
  }
}

bugprone-too-small-loop-variable

Detects those for loops that have a loop variable with a "too small" type which means this type can't represent all values which are part of the iteration range.

int main() {
  long size = 294967296l;
  for (short i = 0; i < size; ++i) {}
}

This for loop is an infinite loop because the short type can't represent all values in the [0..size] interval.

In a real use case size means a container's size which depends on the user input.

int doSomething(const std::vector& items) {
  for (short i = 0; i < items.size(); ++i) {}
}

This algorithm works for a small amount of objects, but will lead to freeze for a larger user input.

It's recommended to enable the compiler warning -Wtautological-constant-out-of-range-compare as well, since check does not inspect compile-time constant loop boundaries to avoid overlaps with the warning.

MagnitudeBitsUpperLimit

Upper limit for the magnitude bits of the loop variable. If it's set the check filters out those catches in which the loop variable's type has more magnitude bits as the specified upper limit. The default value is 16. For example, if the user sets this option to 31 (bits), then a 32-bit unsigned int is ignored by the check, however a 32-bit int is not (A 32-bit signed int has 31 magnitude bits).

int main() {
  long size = 294967296l;
  for (unsigned i = 0; i < size; ++i) {} // no warning with MagnitudeBitsUpperLimit = 31 on a system where unsigned is 32-bit
  for (int i = 0; i < size; ++i) {} // warning with MagnitudeBitsUpperLimit = 31 on a system where int is 32-bit
}

bugprone-unchecked-optional-access

Note: This check uses a flow-sensitive static analysis to produce its results. Therefore, it may be more resource intensive (RAM, CPU) than the average clang-tidy check.

This check identifies unsafe accesses to values contained in std::optional<T>, absl::optional<T>, base::Optional<T>, or folly::Optional<T> objects. Below we will refer to all these types collectively as optional<T>.

An access to the value of an optional<T> occurs when one of its value, operator*, or operator-> member functions is invoked. Ā To align with common misconceptions, the check considers these member functions as equivalent, even though there are subtle differences related to exceptions versus undefined behavior. See Additional notes, below, for more information on this topic.

An access to the value of an optional<T> is considered safe if and only if code in the local scope (for example, a function body) ensures that the optional<T> has a value in all possible execution paths that can reach the access. That should happen either through an explicit check, using the optional<T>::has_value member function, or by constructing the optional<T> in a way that shows that it unambiguously holds a value (e.g using std::make_optional which always returns a populated std::optional<T>).

Below we list some examples, starting with unsafe optional access patterns, followed by safe access patterns.

Unsafe access patterns

Access the value without checking if it exists

The check flags accesses to the value that are not locally guarded by existence check:

void f(std::optional<int> opt) {
  use(*opt); // unsafe: it is unclear whether `opt` has a value.
}

Access the value in the wrong branch

The check is aware of the state of an optional object in different branches of the code. For example:

void f(std::optional<int> opt) {
  if (opt.has_value()) {
  } else {
    use(opt.value()); // unsafe: it is clear that `opt` does *not* have a value.
  }
}

Assume a function result to be stable

The check is aware that function results might not be stable. That is, consecutive calls to the same function might return different values. For example:

void f(Foo foo) {
  if (foo.opt().has_value()) {
    use(*foo.opt()); // unsafe: it is unclear whether `foo.opt()` has a value.
  }
}

Rely on invariants of uncommon APIs

The check is unaware of invariants of uncommon APIs. For example:

void f(Foo foo) {
  if (foo.HasProperty("bar")) {
    use(*foo.GetProperty("bar")); // unsafe: it is unclear whether `foo.GetProperty("bar")` has a value.
  }
}

Check if a value exists, then pass the optional to another function

The check relies on local reasoning. The check and value access must both happen in the same function. An access is considered unsafe even if the caller of the function performing the access ensures that the optional has a value. For example:

void g(std::optional<int> opt) {
  use(*opt); // unsafe: it is unclear whether `opt` has a value.
}

void f(std::optional<int> opt) {
  if (opt.has_value()) {
    g(opt);
  }
}

Safe access patterns

Check if a value exists, then access the value

The check recognizes all straightforward ways for checking if a value exists and accessing the value contained in an optional object. For example:

void f(std::optional<int> opt) {
  if (opt.has_value()) {
    use(*opt);
  }
}

Check if a value exists, then access the value from a copy

The criteria that the check uses is semantic, not syntactic. It recognizes when a copy of the optional object being accessed is known to have a value. For example:

void f(std::optional<int> opt1) {
  if (opt1.has_value()) {
    std::optional<int> opt2 = opt1;
    use(*opt2);
  }
}

Ensure that a value exists using common macros

The check is aware of common macros like CHECK and DCHECK. Those can be used to ensure that an optional object has a value. For example:

void f(std::optional<int> opt) {
  DCHECK(opt.has_value());
  use(*opt);
}

Ensure that a value exists, then access the value in a correlated branch

The check is aware of correlated branches in the code and can figure out when an optional object is ensured to have a value on all execution paths that lead to an access. For example:

void f(std::optional<int> opt) {
  bool safe = false;
  if (opt.has_value() && SomeOtherCondition()) {
    safe = true;
  }
  // ... more code...
  if (safe) {
    use(*opt);
  }
}

Stabilize function results

Since function results are not assumed to be stable across calls, it is best to store the result of the function call in a local variable and use that variable to access the value. For example:

void f(Foo foo) {
  if (const auto& foo_opt = foo.opt(); foo_opt.has_value()) {
    use(*foo_opt);
  }
}

Do not rely on uncommon-API invariants

When uncommon APIs guarantee that an optional has contents, do not rely on it -- instead, check explicitly that the optional object has a value. For example:

void f(Foo foo) {
  if (const auto& property = foo.GetProperty("bar")) {
    use(*property);
  }
}

instead of the HasProperty, GetProperty pairing we saw above.

Do not rely on caller-performed checks

If you know that all of a function's callers have checked that an optional argument has a value, either change the function to take the value directly or check the optional again in the local scope of the callee. For example:

void g(int val) {
  use(val);
}

void f(std::optional<int> opt) {
  if (opt.has_value()) {
    g(*opt);
  }
}

and

struct S {
  std::optional<int> opt;
  int x;
};

void g(const S &s) {
  if (s.opt.has_value() && s.x > 10) {
    use(*s.opt);
}

void f(S s) {
  if (s.opt.has_value()) {
    g(s);
  }
}

Additional notes

Aliases created via using declarations

The check is aware of aliases of optional types that are created via using declarations. For example:

using OptionalInt = std::optional<int>;

void f(OptionalInt opt) {
  use(opt.value()); // unsafe: it is unclear whether `opt` has a value.
}

Lambdas

The check does not currently report unsafe optional accesses in lambdas. A future version will expand the scope to lambdas, following the rules outlined above. It is best to follow the same principles when using optionals in lambdas.

Access with operator*() vs. value()

Given that value() has well-defined behavior (either throwing an exception or terminating the program), why treat it the same as operator*() which causes undefined behavior (UB)? That is, why is it considered unsafe to access an optional with value(), if it's not provably populated with a value? Ā For that matter, why is CHECK() followed by operator*() any better than value(), given that they are semantically equivalent (on configurations that disable exceptions)?

The answer is that we assume most users do not realize the difference between value() and operator*(). Shifting to operator*() and some form of explicit value-presence check or explicit program termination has two advantages:

  • Readability. The check, and any potential side effects like program shutdown, are very clear in the code. Separating access from checks can actually make the checks more obvious.
  • Performance. A single check can cover many or even all accesses within scope. This gives the user the best of both worlds -- the safety of a dynamic check, but without incurring redundant costs.

bugprone-undefined-memory-manipulation

Finds calls of memory manipulation functions memset(), memcpy() and memmove() on non-TriviallyCopyable objects resulting in undefined behavior.

Using memory manipulation functions on non-TriviallyCopyable objects can lead to a range of subtle and challenging issues in C++ code. The most immediate concern is the potential for undefined behavior, where the state of the object may become corrupted or invalid. This can manifest as crashes, data corruption, or unexpected behavior at runtime, making it challenging to identify and diagnose the root cause. Additionally, misuse of memory manipulation functions can bypass essential object-specific operations, such as constructors and destructors, leading to resource leaks or improper initialization.

For example, when using memcpy to copy std::string, pointer data is being copied, and it can result in a double free issue.

#include <cstring>
#include <string>

int main() {
    std::string source = "Hello";
    std::string destination;

    std::memcpy(&destination, &source, sizeof(std::string));

    // Undefined behavior may occur here, during std::string destructor call.
    return 0;
}

bugprone-undelegated-constructor

Finds creation of temporary objects in constructors that look like a function call to another constructor of the same class.

The user most likely meant to use a delegating constructor or base class initializer.

bugprone-unhandled-exception-at-new

Finds calls to new with missing exception handler for std::bad_alloc.

Calls to new may throw exceptions of type std::bad_alloc that should be handled. Alternatively, the nonthrowing form of new can be used. The check verifies that the exception is handled in the function that calls new.

If a nonthrowing version is used or the exception is allowed to propagate out of the function no warning is generated.

The exception handler is checked if it catches a std::bad_alloc or std::exception exception type, or all exceptions (catch-all). The check assumes that any user-defined operator new is either noexcept or may throw an exception of type std::bad_alloc (or one derived from it). Other exception class types are not taken into account.

int *f() noexcept {
  int *p = new int[1000]; // warning: missing exception handler for allocation failure at 'new'
  // ...
  return p;
}
int *f1() { // not 'noexcept'
  int *p = new int[1000]; // no warning: exception can be handled outside
                          // of this function
  // ...
  return p;
}

int *f2() noexcept {
  try {
    int *p = new int[1000]; // no warning: exception is handled
    // ...
    return p;
  } catch (std::bad_alloc &) {
    // ...
  }
  // ...
}

int *f3() noexcept {
  int *p = new (std::nothrow) int[1000]; // no warning: "nothrow" is used
  // ...
  return p;
}

bugprone-unhandled-self-assignment

cert-oop54-cpp redirects here as an alias for this check. For the CERT alias, the WarnOnlyIfThisHasSuspiciousField option is set to false.

Finds user-defined copy assignment operators which do not protect the code against self-assignment either by checking self-assignment explicitly or using the copy-and-swap or the copy-and-move method.

By default, this check searches only those classes which have any pointer or C array field to avoid false positives. In case of a pointer or a C array, it's likely that self-copy assignment breaks the object if the copy assignment operator was not written with care.

See also: OOP54-CPP. Gracefully handle self-copy assignment

A copy assignment operator must prevent that self-copy assignment ruins the object state. A typical use case is when the class has a pointer field and the copy assignment operator first releases the pointed object and then tries to assign it:

class T {
int* p;

public:
  T(const T &rhs) : p(rhs.p ? new int(*rhs.p) : nullptr) {}
  ~T() { delete p; }

  // ...

  T& operator=(const T &rhs) {
    delete p;
    p = new int(*rhs.p);
    return *this;
  }
};

There are two common C++ patterns to avoid this problem. The first is the self-assignment check:

class T {
int* p;

public:
  T(const T &rhs) : p(rhs.p ? new int(*rhs.p) : nullptr) {}
  ~T() { delete p; }

  // ...

  T& operator=(const T &rhs) {
    if(this == &rhs)
      return *this;

    delete p;
    p = new int(*rhs.p);
    return *this;
  }
};

The second one is the copy-and-swap method when we create a temporary copy (using the copy constructor) and then swap this temporary object with this:

class T {
int* p;

public:
  T(const T &rhs) : p(rhs.p ? new int(*rhs.p) : nullptr) {}
  ~T() { delete p; }

  // ...

  void swap(T &rhs) {
    using std::swap;
    swap(p, rhs.p);
  }

  T& operator=(const T &rhs) {
    T(rhs).swap(*this);
    return *this;
  }
};

There is a third pattern which is less common. Let's call it the copy-and-move method when we create a temporary copy (using the copy constructor) and then move this temporary object into this (needs a move assignment operator):

class T {
int* p;

public:
  T(const T &rhs) : p(rhs.p ? new int(*rhs.p) : nullptr) {}
  ~T() { delete p; }

  // ...

  T& operator=(const T &rhs) {
    T t = rhs;
    *this = std::move(t);
    return *this;
  }

  T& operator=(T &&rhs) {
    p = rhs.p;
    rhs.p = nullptr;
    return *this;
  }
};
WarnOnlyIfThisHasSuspiciousField

When true, the check will warn only if the container class of the copy assignment operator has any suspicious fields (pointer or C array). This option is set to true by default.

bugprone-unique-ptr-array-mismatch

Finds initializations of C++ unique pointers to non-array type that are initialized with an array.

If a pointer std::unique_ptr<T> is initialized with a new-expression new T[] the memory is not deallocated correctly. A plain delete is used in this case to deallocate the target memory. Instead a delete[] call is needed. A std::unique_ptr<T[]> uses the correct delete operator. The check does not emit warning if an unique_ptr with user-specified deleter type is used.

The check offers replacement of unique_ptr<T> to unique_ptr<T[]> if it is used at a single variable declaration (one variable in one statement).

Example:

std::unique_ptr<Foo> x(new Foo[10]); // -> std::unique_ptr<Foo[]> x(new Foo[10]);
//                     ^ warning: unique pointer to non-array is initialized with array
std::unique_ptr<Foo> x1(new Foo), x2(new Foo[10]); // no replacement
//                                   ^ warning: unique pointer to non-array is initialized with array

D d;
std::unique_ptr<Foo, D> x3(new Foo[10], d); // no warning (custom deleter used)

struct S {
  std::unique_ptr<Foo> x(new Foo[10]); // no replacement in this case
  //                     ^ warning: unique pointer to non-array is initialized with array
};

This check partially covers the CERT C++ Coding Standard rule MEM51-CPP. Properly deallocate dynamically allocated resources However, only the std::unique_ptr case is detected by this check.

bugprone-unsafe-functions

Checks for functions that have safer, more secure replacements available, or are considered deprecated due to design flaws. The check heavily relies on the functions from the Annex K. "Bounds-checking interfaces" of C11.

The check implements the following rules from the CERT C Coding Standard:

cert-msc24-c and cert-msc33-c redirect here as aliases of this check.

Unsafe functions

If Annex K. is available, a replacement from Annex K. is suggested for the following functions:

asctime, asctime_r, bsearch, ctime, fopen, fprintf, freopen, fscanf, fwprintf, fwscanf, getenv, gets, gmtime, localtime, mbsrtowcs, mbstowcs, memcpy, memmove, memset, printf, qsort, scanf, Ā snprintf, sprintf, Ā sscanf, strcat, strcpy, strerror, strlen, strncat, strncpy, strtok, swprintf, swscanf, vfprintf, vfscanf, vfwprintf, vfwscanf, vprintf, vscanf, vsnprintf, vsprintf, vsscanf, vswprintf, vswscanf, vwprintf, vwscanf, wcrtomb, wcscat, wcscpy, wcslen, wcsncat, wcsncpy, wcsrtombs, wcstok, wcstombs, wctomb, wmemcpy, wmemmove, wprintf, wscanf.

If Annex K. is not available, replacements are suggested only for the following functions from the previous list:

  • asctime, asctime_r, suggested replacement: strftime
  • gets, suggested replacement: fgets

The following functions are always checked, regardless of Annex K availability:

  • rewind, suggested replacement: fseek
  • setbuf, suggested replacement: setvbuf

If ReportMoreUnsafeFunctions is enabled, the following functions are also checked:

  • bcmp, suggested replacement: memcmp
  • bcopy, suggested replacement: memcpy_s if Annex K is available, or memcpy
  • bzero, suggested replacement: memset_s if Annex K is available, or memset
  • getpw, suggested replacement: getpwuid
  • vfork, suggested replacement: posix_spawn

Although mentioned in the associated CERT rules, the following functions are ignored by the check:

atof, atoi, atol, atoll, tmpfile.

The availability of Annex K is determined based on the following macros:

  • __STDC_LIB_EXT1__: feature macro, which indicates the presence of Annex K. "Bounds-checking interfaces" in the library implementation
  • __STDC_WANT_LIB_EXT1__: user-defined macro, which indicates that the user requests the functions from Annex K. to be defined.

Both macros have to be defined to suggest replacement functions from Annex K. __STDC_LIB_EXT1__ is defined by the library implementation, and __STDC_WANT_LIB_EXT1__ must be defined to 1 by the user before including any system headers.

Options

ReportMoreUnsafeFunctions

When true, additional functions from widely used APIs (such as POSIX) are added to the list of reported functions. See the main documentation of the check for the complete list as to what this option enables. Default is true.

Examples

#ifndef __STDC_LIB_EXT1__
#error "Annex K is not supported by the current standard library implementation."
#endif

#define __STDC_WANT_LIB_EXT1__ 1

#include <string.h> // Defines functions from Annex K.
#include <stdio.h>

enum { BUFSIZE = 32 };

void Unsafe(const char *Msg) {
  static const char Prefix[] = "Error: ";
  static const char Suffix[] = "\n";
  char Buf[BUFSIZE] = {0};

  strcpy(Buf, Prefix); // warning: function 'strcpy' is not bounds-checking; 'strcpy_s' should be used instead.
  strcat(Buf, Msg);    // warning: function 'strcat' is not bounds-checking; 'strcat_s' should be used instead.
  strcat(Buf, Suffix); // warning: function 'strcat' is not bounds-checking; 'strcat_s' should be used instead.
  if (fputs(buf, stderr) < 0) {
    // error handling
    return;
  }
}

void UsingSafeFunctions(const char *Msg) {
  static const char Prefix[] = "Error: ";
  static const char Suffix[] = "\n";
  char Buf[BUFSIZE] = {0};

  if (strcpy_s(Buf, BUFSIZE, Prefix) != 0) {
    // error handling
    return;
  }

  if (strcat_s(Buf, BUFSIZE, Msg) != 0) {
    // error handling
    return;
  }

  if (strcat_s(Buf, BUFSIZE, Suffix) != 0) {
    // error handling
    return;
  }

  if (fputs(Buf, stderr) < 0) {
    // error handling
    return;
  }
}

bugprone-unused-local-non-trivial-variable

Warns when a local non trivial variable is unused within a function. The following types of variables are excluded from this check:

  • trivial and trivially copyable
  • references and pointers
  • exception variables in catch clauses
  • static or thread local
  • structured bindings
  • variables with [[maybe_unused]] attribute

This check can be configured to warn on all non-trivial variables by setting IncludeTypes to .*, and excluding specific types using ExcludeTypes.

In the this example, my_lock would generate a warning that it is unused.

std::mutex my_lock;
// my_lock local variable is never used

In the next example, future2 would generate a warning that it is unused.

std::future<MyObject> future1;
std::future<MyObject> future2;
// ...
MyObject foo = future1.get();
// future2 is not used.

Options

IncludeTypes

Semicolon-separated list of regular expressions matching types of variables to check. By default the following types are checked:

  • ::std::.*mutex
  • ::std::future
  • ::std::basic_string
  • ::std::basic_regex
  • ::std::basic_istringstream
  • ::std::basic_stringstream
  • ::std::bitset
  • ::std::filesystem::path
ExcludeTypes

A semicolon-separated list of regular expressions matching types that are excluded from the IncludeTypes matches. By default it is an empty list.

bugprone-unused-raii

Finds temporaries that look like RAII objects.

The canonical example for this is a scoped lock.

{
  scoped_lock(&global_mutex);
  critical_section();
}

The destructor of the scoped_lock is called before the critical_section is entered, leaving it unprotected.

We apply a number of heuristics to reduce the false positive count of this check:

  • Ignore code expanded from macros. Testing frameworks make heavy use of this.
  • Ignore types with trivial destructors. They are very unlikely to be RAII objects and there's no difference when they are deleted.
  • Ignore objects at the end of a compound statement (doesn't change behavior).
  • Ignore objects returned from a call.

bugprone-unused-return-value

Warns on unused function return values. The checked functions can be configured.

Operator overloading with assignment semantics are ignored.

Options

CheckedFunctions

Semicolon-separated list of functions to check. This parameter supports regexp. The function is checked if the name and scope matches, with any arguments. By default the following functions are checked: ^::std::async$, ^::std::launder$, ^::std::remove$, ^::std::remove_if$, ^::std::unique$, ^::std::unique_ptr::release$, ^::std::basic_string::empty$, ^::std::vector::empty$, ^::std::back_inserter$, ^::std::distance$, ^::std::find$, ^::std::find_if$, ^::std::inserter$, ^::std::lower_bound$, ^::std::make_pair$, ^::std::map::count$, ^::std::map::find$, ^::std::map::lower_bound$, ^::std::multimap::equal_range$, ^::std::multimap::upper_bound$, ^::std::set::count$, ^::std::set::find$, ^::std::setfill$, ^::std::setprecision$, ^::std::setw$, ^::std::upper_bound$, ^::std::vector::at$, ^::bsearch$, ^::ferror$, ^::feof$, ^::isalnum$, ^::isalpha$, ^::isblank$, ^::iscntrl$, ^::isdigit$, ^::isgraph$, ^::islower$, ^::isprint$, ^::ispunct$, ^::isspace$, ^::isupper$, ^::iswalnum$, ^::iswprint$, ^::iswspace$, ^::isxdigit$, ^::memchr$, ^::memcmp$, ^::strcmp$, ^::strcoll$, ^::strncmp$, ^::strpbrk$, ^::strrchr$, ^::strspn$, ^::strstr$, ^::wcscmp$, ^::access$, ^::bind$, ^::connect$, ^::difftime$, ^::dlsym$, ^::fnmatch$, ^::getaddrinfo$, ^::getopt$, ^::htonl$, ^::htons$, ^::iconv_open$, ^::inet_addr$, isascii$, isatty$, ^::mmap$, ^::newlocale$, ^::openat$, ^::pathconf$, ^::pthread_equal$, ^::pthread_getspecific$, ^::pthread_mutex_trylock$, ^::readdir$, ^::readlink$, ^::recvmsg$, ^::regexec$, ^::scandir$, ^::semget$, ^::setjmp$, ^::shm_open$, ^::shmget$, ^::sigismember$, ^::strcasecmp$, ^::strsignal$, ^::ttyname$

  • std::async(). Not using the return value makes the call synchronous.
  • std::launder(). Not using the return value usually means that the function interface was misunderstood by the programmer. Only the returned pointer is "laundered", not the argument.
  • std::remove(), std::remove_if() and std::unique(). The returned iterator indicates the boundary between elements to keep and elements to be removed. Not using the return value means that the information about which elements to remove is lost.
  • std::unique_ptr::release(). Not using the return value can lead to resource leaks if the same pointer isn't stored anywhere else. Often, ignoring the release() return value indicates that the programmer confused the function with reset().
  • std::basic_string::empty() and std::vector::empty(). Not using the return value often indicates that the programmer confused the function with clear().
CheckedReturnTypes

Semicolon-separated list of function return types to check. By default the following function return types are checked: ^::std::error_code$, ^::std::error_condition$, ^::std::errc$, ^::std::expected$, ^::boost::system::error_code$

AllowCastToVoid

Controls whether casting return values to void is permitted. Default: false.

cert-err33-c is an alias of this check that checks a fixed and large set of standard library functions.

bugprone-use-after-move

Warns if an object is used after it has been moved, for example:

std::string str = "Hello, world!\n";
std::vector<std::string> messages;
messages.emplace_back(std::move(str));
std::cout << str;

The last line will trigger a warning that str is used after it has been moved.

The check does not trigger a warning if the object is reinitialized after the move and before the use. For example, no warning will be output for this code:

messages.emplace_back(std::move(str));
str = "Greetings, stranger!\n";
std::cout << str;

Subsections below explain more precisely what exactly the check considers to be a move, use, and reinitialization.

The check takes control flow into account. A warning is only emitted if the use can be reached from the move. This means that the following code does not produce a warning:

if (condition) {
  messages.emplace_back(std::move(str));
} else {
  std::cout << str;
}

On the other hand, the following code does produce a warning:

for (int i = 0; i < 10; ++i) {
  std::cout << str;
  messages.emplace_back(std::move(str));
}

(The use-after-move happens on the second iteration of the loop.)

In some cases, the check may not be able to detect that two branches are mutually exclusive. For example (assuming that i is an int):

if (i == 1) {
  messages.emplace_back(std::move(str));
}
if (i == 2) {
  std::cout << str;
}

In this case, the check will erroneously produce a warning, even though it is not possible for both the move and the use to be executed. More formally, the analysis is flow-sensitive but not path-sensitive.

Silencing erroneous warnings

An erroneous warning can be silenced by reinitializing the object after the move:

if (i == 1) {
  messages.emplace_back(std::move(str));
  str = "";
}
if (i == 2) {
  std::cout << str;
}

If you want to avoid the overhead of actually reinitializing the object, you can create a dummy function that causes the check to assume the object was reinitialized:

template <class T>
void IS_INITIALIZED(T&) {}

You can use this as follows:

if (i == 1) {
  messages.emplace_back(std::move(str));
}
if (i == 2) {
  IS_INITIALIZED(str);
  std::cout << str;
}

The check will not output a warning in this case because passing the object to a function as a non-const pointer or reference counts as a reinitialization (see section Reinitialization below).

Unsequenced moves, uses, and reinitializations

In many cases, C++ does not make any guarantees about the order in which sub-expressions of a statement are evaluated. This means that in code like the following, it is not guaranteed whether the use will happen before or after the move:

void f(int i, std::vector<int> v);
std::vector<int> v = { 1, 2, 3 };
f(v[1], std::move(v));

In this kind of situation, the check will note that the use and move are unsequenced.

The check will also take sequencing rules into account when reinitializations occur in the same statement as moves or uses. A reinitialization is only considered to reinitialize a variable if it is guaranteed to be evaluated after the move and before the use.

Move

The check currently only considers calls of std::move on local variables or function parameters. It does not check moves of member variables or global variables.

Any call of std::move on a variable is considered to cause a move of that variable, even if the result of std::move is not passed to an rvalue reference parameter.

This means that the check will flag a use-after-move even on a type that does not define a move constructor or move assignment operator. This is intentional. Developers may use std::move on such a type in the expectation that the type will add move semantics in the future. If such a std::move has the potential to cause a use-after-move, we want to warn about it even if the type does not implement move semantics yet.

Furthermore, if the result of std::move is passed to an rvalue reference parameter, this will always be considered to cause a move, even if the function that consumes this parameter does not move from it, or if it does so only conditionally. For example, in the following situation, the check will assume that a move always takes place:

std::vector<std::string> messages;
void f(std::string &&str) {
  // Only remember the message if it isn't empty.
  if (!str.empty()) {
    messages.emplace_back(std::move(str));
  }
}
std::string str = "";
f(std::move(str));

The check will assume that the last line causes a move, even though, in this particular case, it does not. Again, this is intentional.

There is one special case: A call to std::move inside a try_emplace call is conservatively assumed not to move. This is to avoid spurious warnings, as the check has no way to reason about the bool returned by try_emplace.

When analyzing the order in which moves, uses and reinitializations happen (see section Unsequenced moves, uses, and reinitializations), the move is assumed to occur in whichever function the result of the std::move is passed to.

The check also handles perfect-forwarding with std::forward so the following code will also trigger a use-after-move warning.

void consume(int);

void f(int&& i) {
  consume(std::forward<int>(i));
  consume(std::forward<int>(i)); // use-after-move
}

Use

Any occurrence of the moved variable that is not a reinitialization (see below) is considered to be a use.

An exception to this are objects of type std::unique_ptr, std::shared_ptr and std::weak_ptr, which have defined move behavior (objects of these classes are guaranteed to be empty after they have been moved from). Therefore, an object of these classes will only be considered to be used if it is dereferenced, i.e. if operator*, operator-> or operator[] (in the case of std::unique_ptr<T []>) is called on it.

If multiple uses occur after a move, only the first of these is flagged.

Reinitialization

The check considers a variable to be reinitialized in the following cases:

  • The variable occurs on the left-hand side of an assignment.
  • The variable is passed to a function as a non-const pointer or non-const lvalue reference. (It is assumed that the variable may be an out-parameter for the function.)
  • clear() or assign() is called on the variable and the variable is of one of the standard container types basic_string, vector, deque, forward_list, list, set, map, multiset, multimap, unordered_set, unordered_map, unordered_multiset, unordered_multimap.
  • reset() is called on the variable and the variable is of type std::unique_ptr, std::shared_ptr or std::weak_ptr.
  • A member function marked with the [[clang::reinitializes]] attribute is called on the variable.

If the variable in question is a struct and an individual member variable of that struct is written to, the check does not consider this to be a reinitialization -- even if, eventually, all member variables of the struct are written to. For example:

struct S {
  std::string str;
  int i;
};
S s = { "Hello, world!\n", 42 };
S s_other = std::move(s);
s.str = "Lorem ipsum";
s.i = 99;

The check will not consider s to be reinitialized after the last line; instead, the line that assigns to s.str will be flagged as a use-after-move. This is intentional as this pattern of reinitializing a struct is error-prone. For example, if an additional member variable is added to S, it is easy to forget to add the reinitialization for this additional member. Instead, it is safer to assign to the entire struct in one go, and this will also avoid the use-after-move warning.

bugprone-virtual-near-miss

Warn if a function is a near miss (i.e. the name is very similar and the function signature is the same) to a virtual function from a base class.

Example:

struct Base {
  virtual void func();
};

struct Derived : Base {
  virtual void funk();
  // warning: 'Derived::funk' has a similar name and the same signature as virtual method 'Base::func'; did you mean to override it?
};

cert-con36-c

The cert-con36-c check is an alias, please see bugprone-spuriously-wake-up-functions for more information.

cert-con54-cpp

The cert-con54-cpp check is an alias, please see bugprone-spuriously-wake-up-functions for more information.

cert-ctr56-cpp

The cert-ctr56-cpp check is an alias, please see bugprone-pointer-arithmetic-on-polymorphic-object for more information.

cert-dcl03-c

The cert-dcl03-c check is an alias, please see misc-static-assert for more information.

cert-dcl16-c

The cert-dcl16-c check is an alias, please see readability-uppercase-literal-suffix for more information.

cert-dcl37-c

The cert-dcl37-c check is an alias, please see bugprone-reserved-identifier for more information.

cert-dcl50-cpp

This check flags all function definitions (but not declarations) of C-style variadic functions.

This check corresponds to the CERT C++ Coding Standard rule DCL50-CPP. Do not define a C-style variadic function.

cert-dcl51-cpp

The cert-dcl51-cpp check is an alias, please see bugprone-reserved-identifier for more information.

cert-dcl54-cpp

The cert-dcl54-cpp check is an alias, please see misc-new-delete-overloads for more information.

cert-dcl58-cpp

Modification of the std or posix namespace can result in undefined behavior. This check warns for such modifications. The std (or posix) namespace is allowed to be extended with (class or function) template specializations that depend on an user-defined type (a type that is not defined in the standard system headers).

The check detects the following (user provided) declarations in namespace std or posix:

  • Anything that is not a template specialization.
  • Explicit specializations of any standard library function template or class template, if it does not have any user-defined type as template argument.
  • Explicit specializations of any member function of a standard library class template.
  • Explicit specializations of any member function template of a standard library class or class template.
  • Explicit or partial specialization of any member class template of a standard library class or class template.

Examples:

namespace std {
  int x; // warning: modification of 'std' namespace can result in undefined behavior [cert-dcl58-cpp]
}

namespace posix::a { // warning: modification of 'posix' namespace can result in undefined behavior
}

template <>
struct ::std::hash<long> { // warning: modification of 'std' namespace can result in undefined behavior
  unsigned long operator()(const long &K) const {
    return K;
  }
};

struct MyData { long data; };

template <>
struct ::std::hash<MyData> { // no warning: specialization with user-defined type
  unsigned long operator()(const MyData &K) const {
    return K.data;
  }
};

namespace std {
  template <>
  void swap<bool>(bool &a, bool &b); // warning: modification of 'std' namespace can result in undefined behavior

  template <>
  bool less<void>::operator()<MyData &&, MyData &&>(MyData &&, MyData &&) const { // warning: modification of 'std' namespace can result in undefined behavior
    return true;
  }
}

This check corresponds to the CERT C++ Coding Standard rule DCL58-CPP. Do not modify the standard namespaces.

cert-dcl59-cpp

The cert-dcl59-cpp check is an alias, please see google-build-namespaces for more information.

cert-env33-c

This check flags calls to system(), popen(), and _popen(), which execute a command processor. It does not flag calls to system() with a null pointer argument, as such a call checks for the presence of a command processor but does not actually attempt to execute a command.

This check corresponds to the CERT C Coding Standard rule ENV33-C. Do not call system().

cert-err09-cpp

The cert-err09-cpp check is an alias, please see misc-throw-by-value-catch-by-reference for more information.

This check corresponds to the CERT C++ Coding Standard recommendation ERR09-CPP. Throw anonymous temporaries. However, all of the CERT recommendations have been removed from public view, and so their justification for the behavior of this check requires an account on their wiki to view.

cert-err33-c

Warns on unused function return values. Many of the standard library functions return a value that indicates if the call was successful. Ignoring the returned value can cause unexpected behavior if an error has occurred. The following functions are checked:

  • aligned_alloc()
  • asctime_s()
  • at_quick_exit()
  • atexit()
  • bsearch()
  • bsearch_s()
  • btowc()
  • c16rtomb()
  • c32rtomb()
  • calloc()
  • clock()
  • cnd_broadcast()
  • cnd_init()
  • cnd_signal()
  • cnd_timedwait()
  • cnd_wait()
  • ctime_s()
  • fclose()
  • fflush()
  • fgetc()
  • fgetpos()
  • fgets()
  • fgetwc()
  • fopen()
  • fopen_s()
  • fprintf()
  • fprintf_s()
  • fputc()
  • fputs()
  • fputwc()
  • fputws()
  • fread()
  • freopen()
  • freopen_s()
  • fscanf()
  • fscanf_s()
  • fseek()
  • fsetpos()
  • ftell()
  • fwprintf()
  • fwprintf_s()
  • fwrite()
  • fwscanf()
  • fwscanf_s()
  • getc()
  • getchar()
  • getenv()
  • getenv_s()
  • gets_s()
  • getwc()
  • getwchar()
  • gmtime()
  • gmtime_s()
  • localtime()
  • localtime_s()
  • malloc()
  • mbrtoc16()
  • mbrtoc32()
  • mbsrtowcs()
  • mbsrtowcs_s()
  • mbstowcs()
  • mbstowcs_s()
  • memchr()
  • mktime()
  • mtx_init()
  • mtx_lock()
  • mtx_timedlock()
  • mtx_trylock()
  • mtx_unlock()
  • printf_s()
  • putc()
  • putwc()
  • raise()
  • realloc()
  • remove()
  • rename()
  • setlocale()
  • setvbuf()
  • scanf()
  • scanf_s()
  • signal()
  • snprintf()
  • snprintf_s()
  • sprintf()
  • sprintf_s()
  • sscanf()
  • sscanf_s()
  • strchr()
  • strerror_s()
  • strftime()
  • strpbrk()
  • strrchr()
  • strstr()
  • strtod()
  • strtof()
  • strtoimax()
  • strtok()
  • strtok_s()
  • strtol()
  • strtold()
  • strtoll()
  • strtoumax()
  • strtoul()
  • strtoull()
  • strxfrm()
  • swprintf()
  • swprintf_s()
  • swscanf()
  • swscanf_s()
  • thrd_create()
  • thrd_detach()
  • thrd_join()
  • thrd_sleep()
  • time()
  • timespec_get()
  • tmpfile()
  • tmpfile_s()
  • tmpnam()
  • tmpnam_s()
  • tss_create()
  • tss_get()
  • tss_set()
  • ungetc()
  • ungetwc()
  • vfprintf()
  • vfprintf_s()
  • vfscanf()
  • vfscanf_s()
  • vfwprintf()
  • vfwprintf_s()
  • vfwscanf()
  • vfwscanf_s()
  • vprintf_s()
  • vscanf()
  • vscanf_s()
  • vsnprintf()
  • vsnprintf_s()
  • vsprintf()
  • vsprintf_s()
  • vsscanf()
  • vsscanf_s()
  • vswprintf()
  • vswprintf_s()
  • vswscanf()
  • vswscanf_s()
  • vwprintf_s()
  • vwscanf()
  • vwscanf_s()
  • wcrtomb()
  • wcschr()
  • wcsftime()
  • wcspbrk()
  • wcsrchr()
  • wcsrtombs()
  • wcsrtombs_s()
  • wcsstr()
  • wcstod()
  • wcstof()
  • wcstoimax()
  • wcstok()
  • wcstok_s()
  • wcstol()
  • wcstold()
  • wcstoll()
  • wcstombs()
  • wcstombs_s()
  • wcstoumax()
  • wcstoul()
  • wcstoull()
  • wcsxfrm()
  • wctob()
  • wctrans()
  • wctype()
  • wmemchr()
  • wprintf_s()
  • wscanf()
  • wscanf_s()

This check is an alias of check bugprone-unused-return-value with a fixed set of functions.

Suppressing issues by casting to void is enabled by default and can be disabled by setting AllowCastToVoid option to false.

The check corresponds to a part of CERT C Coding Standard rule ERR33-C. Detect and handle standard library errors. The list of checked functions is taken from the rule, with following exception:

  • The check can not differentiate if a function is called with NULL argument. Therefore the following functions are not checked: mblen, mbrlen, mbrtowc, mbtowc, wctomb, wctomb_s

cert-err34-c

This check flags calls to string-to-number conversion functions that do not verify the validity of the conversion, such as atoi() or scanf(). It does not flag calls to strtol(), or other, related conversion functions that do perform better error checking.

#include <stdlib.h>

void func(const char *buff) {
  int si;

  if (buff) {
    si = atoi(buff); /* 'atoi' used to convert a string to an integer, but function will
                         not report conversion errors; consider using 'strtol' instead. */
  } else {
    /* Handle error */
  }
}

This check corresponds to the CERT C Coding Standard rule ERR34-C. Detect errors when converting a string to a number.

cert-err52-cpp

This check flags all call expressions involving setjmp() and longjmp().

This check corresponds to the CERT C++ Coding Standard rule ERR52-CPP. Do not use setjmp() or longjmp().

cert-err58-cpp

This check flags all static or thread_local variable declarations where the initializer for the object may throw an exception.

This check corresponds to the CERT C++ Coding Standard rule ERR58-CPP. Handle all exceptions thrown before main() begins executing.

cert-err60-cpp

This check flags all throw expressions where the exception object is not nothrow copy constructible.

This check corresponds to the CERT C++ Coding Standard rule ERR60-CPP. Exception objects must be nothrow copy constructible.

cert-err61-cpp

The cert-err61-cpp check is an alias, please see misc-throw-by-value-catch-by-reference for more information.

cert-exp42-c

The cert-exp42-c check is an alias, please see bugprone-suspicious-memory-comparison for more information.

cert-fio38-c

The cert-fio38-c check is an alias, please see misc-non-copyable-objects for more information.

cert-flp30-c

This check flags for loops where the induction expression has a floating-point type.

This check corresponds to the CERT C Coding Standard rule FLP30-C. Do not use floating-point variables as loop counters.

cert-flp37-c

The cert-flp37-c check is an alias, please see bugprone-suspicious-memory-comparison for more information.

cert-int09-c

The cert-int09-c check is an alias, please see readability-enum-initial-value for more information.

cert-mem57-cpp

This check flags uses of default operator new where the type has extended alignment (an alignment greater than the fundamental alignment). (The default operator new is guaranteed to provide the correct alignment if the requested alignment is less or equal to the fundamental alignment). Only cases are detected (by design) where the operator new is not user-defined and is not a placement new (the reason is that in these cases we assume that the user provided the correct memory allocation).

This check corresponds to the CERT C++ Coding Standard rule MEM57-CPP. Avoid using default operator new for over-aligned types.

cert-msc24-c

The cert-msc24-c check is an alias, please see bugprone-unsafe-functions for more information.

cert-msc30-c

The cert-msc30-c check is an alias, please see cert-msc50-cpp for more information.

cert-msc32-c

The cert-msc32-c check is an alias, please see cert-msc51-cpp for more information.

cert-msc33-c

The cert-msc33-c check is an alias, please see bugprone-unsafe-functions for more information.

cert-msc50-cpp

Pseudorandom number generators use mathematical algorithms to produce a sequence of numbers with good statistical properties, but the numbers produced are not genuinely random. The std::rand() function takes a seed (number), runs a mathematical operation on it and returns the result. By manipulating the seed the result can be predictable. This check warns for the usage of std::rand().

cert-msc51-cpp

This check flags all pseudo-random number engines, engine adaptor instantiations and srand() when initialized or seeded with default argument, constant expression or any user-configurable type. Pseudo-random number engines seeded with a predictable value may cause vulnerabilities e.g. in security protocols. This is a CERT security rule, see MSC51-CPP. Ensure your random number generator is properly seeded and MSC32-C. Properly seed pseudorandom number generators.

Examples:

void foo() {
  std::mt19937 engine1; // Diagnose, always generate the same sequence
  std::mt19937 engine2(1); // Diagnose
  engine1.seed(); // Diagnose
  engine2.seed(1); // Diagnose

  std::time_t t;
  engine1.seed(std::time(&t)); // Diagnose, system time might be controlled by user

  int x = atoi(argv[1]);
  std::mt19937 engine3(x);  // Will not warn
}

Options

DisallowedSeedTypes

A comma-separated list of the type names which are disallowed. Default values are time_t, std::time_t.

cert-msc54-cpp

The cert-msc54-cpp check is an alias, please see bugprone-signal-handler for more information.

cert-oop11-cpp

The cert-oop11-cpp check is an alias, please see performance-move-constructor-init for more information.

This check corresponds to the CERT C++ Coding Standard recommendation OOP11-CPP. Do not copy-initialize members or base classes from a move constructor. However, all of the CERT recommendations have been removed from public view, and so their justification for the behavior of this check requires an account on their wiki to view.

cert-oop54-cpp

The cert-oop54-cpp check is an alias, please see bugprone-unhandled-self-assignment for more information.

cert-oop57-cpp

Flags use of the C standard library functions memset, memcpy and memcmp and similar derivatives on non-trivial types.

Options

MemSetNames

Specify extra functions to flag that act similarly to memset. Specify names in a semicolon delimited list. Default is an empty string. The check will detect the following functions: memset, std::memset.

MemCpyNames

Specify extra functions to flag that act similarly to memcpy. Specify names in a semicolon delimited list. Default is an empty string. The check will detect the following functions: std::memcpy, memcpy, std::memmove, memmove, std::strcpy, strcpy, memccpy, stpncpy, strncpy.

MemCmpNames

Specify extra functions to flag that act similarly to memcmp. Specify names in a semicolon delimited list. Default is an empty string. The check will detect the following functions: std::memcmp, memcmp, std::strcmp, strcmp, strncmp.

This check corresponds to the CERT C++ Coding Standard rule OOP57-CPP. Prefer special member functions and overloaded operators to C Standard Library functions.

cert-oop58-cpp

Finds assignments to the copied object and its direct or indirect members in copy constructors and copy assignment operators.

This check corresponds to the CERT C Coding Standard rule OOP58-CPP. Copy operations must not mutate the source object.

cert-pos44-c

The cert-pos44-c check is an alias, please see bugprone-bad-signal-to-kill-thread for more information.

cert-pos47-c

The cert-pos47-c check is an alias, please see concurrency-thread-canceltype-asynchronous for more information.

cert-sig30-c

The cert-sig30-c check is an alias, please see bugprone-signal-handler for more information.

cert-str34-c

The cert-str34-c check is an alias, please see bugprone-signed-char-misuse for more information.

clang-analyzer-core.BitwiseShift

Finds cases where bitwise shift operation causes undefined behaviour.

The clang-analyzer-core.BitwiseShift check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.CallAndMessage

Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers).

The clang-analyzer-core.CallAndMessage check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.DivideZero

Check for division by zero.

The clang-analyzer-core.DivideZero check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.NonNullParamChecker

Check for null pointers passed as arguments to a function whose arguments are references or marked with the 'nonnull' attribute.

The clang-analyzer-core.NonNullParamChecker check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.NullDereference

Check for dereferences of null pointers.

The clang-analyzer-core.NullDereference check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.StackAddressEscape

Check that addresses to stack memory do not escape the function.

The clang-analyzer-core.StackAddressEscape check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.UndefinedBinaryOperatorResult

Check for undefined results of binary operators.

The clang-analyzer-core.UndefinedBinaryOperatorResult check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.VLASize

Check for declarations of VLA of undefined or zero size.

The clang-analyzer-core.VLASize check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.uninitialized.ArraySubscript

Check for uninitialized values used as array subscripts.

The clang-analyzer-core.uninitialized.ArraySubscript check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.uninitialized.Assign

Check for assigning uninitialized values.

The clang-analyzer-core.uninitialized.Assign check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.uninitialized.Branch

Check for uninitialized values used as branch conditions.

The clang-analyzer-core.uninitialized.Branch check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.uninitialized.CapturedBlockVariable

Check for blocks that capture uninitialized values.

The clang-analyzer-core.uninitialized.CapturedBlockVariable check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.uninitialized.NewArraySize

Check if the size of the array in a new[] expression is undefined.

The clang-analyzer-core.uninitialized.NewArraySize check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-core.uninitialized.UndefReturn

Check for uninitialized values being returned to the caller.

The clang-analyzer-core.uninitialized.UndefReturn check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-cplusplus.ArrayDelete

Reports destructions of arrays of polymorphic objects that are destructed as their base class.

The clang-analyzer-cplusplus.ArrayDelete check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-cplusplus.InnerPointer

Check for inner pointers of C++ containers used after re/deallocation.

The clang-analyzer-cplusplus.InnerPointer check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-cplusplus.Move

Find use-after-move bugs in C++.

The clang-analyzer-cplusplus.Move check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-cplusplus.NewDelete

Check for double-free and use-after-free problems. Traces memory managed by new/delete.

The clang-analyzer-cplusplus.NewDelete check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-cplusplus.NewDeleteLeaks

Check for memory leaks. Traces memory managed by new/delete.

The clang-analyzer-cplusplus.NewDeleteLeaks check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-cplusplus.PlacementNew

Check if default placement new is provided with pointers to sufficient storage capacity.

The clang-analyzer-cplusplus.PlacementNew check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-cplusplus.PureVirtualCall

Check pure virtual function calls during construction/destruction.

The clang-analyzer-cplusplus.PureVirtualCall check is an alias of Clang Static Analyzer cplusplus.PureVirtualCall.

clang-analyzer-cplusplus.StringChecker

Checks C++ std::string bugs.

The clang-analyzer-cplusplus.StringChecker check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-deadcode.DeadStores

Check for values stored to variables that are never read afterwards.

The clang-analyzer-deadcode.DeadStores check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-fuchsia.HandleChecker

A Checker that detect leaks related to Fuchsia handles.

The clang-analyzer-fuchsia.HandleChecker check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-nullability.NullPassedToNonnull

Warns when a null pointer is passed to a pointer which has a _Nonnull type.

The clang-analyzer-nullability.NullPassedToNonnull check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-nullability.NullReturnedFromNonnull

Warns when a null pointer is returned from a function that has _Nonnull return type.

The clang-analyzer-nullability.NullReturnedFromNonnull check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-nullability.NullableDereferenced

Warns when a nullable pointer is dereferenced.

The clang-analyzer-nullability.NullableDereferenced check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-nullability.NullablePassedToNonnull

Warns when a nullable pointer is passed to a pointer which has a _Nonnull type.

The clang-analyzer-nullability.NullablePassedToNonnull check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-nullability.NullableReturnedFromNonnull

Warns when a nullable pointer is returned from a function that has _Nonnull return type.

The clang-analyzer-nullability.NullableReturnedFromNonnull check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-optin.core.EnumCastOutOfRange

Check integer to enumeration casts for out of range values.

The clang-analyzer-optin.core.EnumCastOutOfRange check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-optin.cplusplus.UninitializedObject

Reports uninitialized fields after object construction.

The clang-analyzer-optin.cplusplus.UninitializedObject check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-optin.cplusplus.VirtualCall

Check virtual function calls during construction/destruction.

The clang-analyzer-optin.cplusplus.VirtualCall check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-optin.mpi.MPI-Checker

Checks MPI code.

The clang-analyzer-optin.mpi.MPI-Checker check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-optin.osx.OSObjectCStyleCast

Checker for C-style casts of OSObjects.

The clang-analyzer-optin.osx.OSObjectCStyleCast check is an alias of Clang Static Analyzer optin.osx.OSObjectCStyleCast.

clang-analyzer-optin.osx.cocoa.localizability.EmptyLocalizationContextChecker

Check that NSLocalizedString macros include a comment for context.

The clang-analyzer-optin.osx.cocoa.localizability.EmptyLocalizationContextChecker check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-optin.osx.cocoa.localizability.NonLocalizedStringChecker

Warns about uses of non-localized NSStrings passed to UI methods expecting localized NSStrings.

The clang-analyzer-optin.osx.cocoa.localizability.NonLocalizedStringChecker check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-optin.performance.GCDAntipattern

Check for performance anti-patterns when using Grand Central Dispatch.

The clang-analyzer-optin.performance.GCDAntipattern check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-optin.performance.Padding

Check for excessively padded structs.

The clang-analyzer-optin.performance.Padding check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-optin.portability.UnixAPI

Finds implementation-defined behavior in UNIX/Posix functions.

The clang-analyzer-optin.portability.UnixAPI check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-optin.taint.TaintedAlloc

Check for memory allocations, where the size parameter might be a tainted (attacker controlled) value.

The clang-analyzer-optin.taint.TaintedAlloc check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.API

Check for proper uses of various Apple APIs.

The clang-analyzer-osx.API check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.MIG

Find violations of the Mach Interface Generator calling convention.

The clang-analyzer-osx.MIG check is an alias of Clang Static Analyzer osx.MIG.

clang-analyzer-osx.NumberObjectConversion

Check for erroneous conversions of objects representing numbers into numbers.

The clang-analyzer-osx.NumberObjectConversion check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.OSObjectRetainCount

Check for leaks and improper reference count management for OSObject.

The clang-analyzer-osx.OSObjectRetainCount check is an alias of Clang Static Analyzer osx.OSObjectRetainCount.

clang-analyzer-osx.ObjCProperty

Check for proper uses of Objective-C properties.

The clang-analyzer-osx.ObjCProperty check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.SecKeychainAPI

Check for proper uses of Secure Keychain APIs.

The clang-analyzer-osx.SecKeychainAPI check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.AtSync

Check for nil pointers used as mutexes for @synchronized.

The clang-analyzer-osx.cocoa.AtSync check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.AutoreleaseWrite

Warn about potentially crashing writes to autoreleasing objects from different autoreleasing pools in Objective-C.

The clang-analyzer-osx.cocoa.AutoreleaseWrite check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.ClassRelease

Check for sending 'retain', 'release', or 'autorelease' directly to a Class.

The clang-analyzer-osx.cocoa.ClassRelease check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.Dealloc

Warn about Objective-C classes that lack a correct implementation of -dealloc.

The clang-analyzer-osx.cocoa.Dealloc check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.IncompatibleMethodTypes

Warn about Objective-C method signatures with type incompatibilities.

The clang-analyzer-osx.cocoa.IncompatibleMethodTypes check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.Loops

Improved modeling of loops using Cocoa collection types.

The clang-analyzer-osx.cocoa.Loops check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.MissingSuperCall

Warn about Objective-C methods that lack a necessary call to super.

The clang-analyzer-osx.cocoa.MissingSuperCall check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.NSAutoreleasePool

Warn for suboptimal uses of NSAutoreleasePool in Objective-C GC mode.

The clang-analyzer-osx.cocoa.NSAutoreleasePool check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.NSError

Check usage of NSError** parameters.

The clang-analyzer-osx.cocoa.NSError check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.NilArg

Check for prohibited nil arguments to ObjC method calls.

The clang-analyzer-osx.cocoa.NilArg check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.NonNilReturnValue

Model the APIs that are guaranteed to return a non-nil value.

The clang-analyzer-osx.cocoa.NonNilReturnValue check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.ObjCGenerics

Check for type errors when using Objective-C generics.

The clang-analyzer-osx.cocoa.ObjCGenerics check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.RetainCount

Check for leaks and improper reference count management.

The clang-analyzer-osx.cocoa.RetainCount check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.RunLoopAutoreleaseLeak

Check for leaked memory in autorelease pools that will never be drained.

The clang-analyzer-osx.cocoa.RunLoopAutoreleaseLeak check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.SelfInit

Check that 'self' is properly initialized inside an initializer method.

The clang-analyzer-osx.cocoa.SelfInit check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.SuperDealloc

Warn about improper use of '[super dealloc]' in Objective-C.

The clang-analyzer-osx.cocoa.SuperDealloc check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.UnusedIvars

Warn about private ivars that are never used.

The clang-analyzer-osx.cocoa.UnusedIvars check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.cocoa.VariadicMethodTypes

Check for passing non-Objective-C types to variadic collection initialization methods that expect only Objective-C types.

The clang-analyzer-osx.cocoa.VariadicMethodTypes check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.coreFoundation.CFError

Check usage of CFErrorRef* parameters.

The clang-analyzer-osx.coreFoundation.CFError check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.coreFoundation.CFNumber

Check for proper uses of CFNumber APIs.

The clang-analyzer-osx.coreFoundation.CFNumber check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.coreFoundation.CFRetainRelease

Check for null arguments to CFRetain/CFRelease/CFMakeCollectable.

The clang-analyzer-osx.coreFoundation.CFRetainRelease check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.coreFoundation.containers.OutOfBounds

Checks for index out-of-bounds when using 'CFArray' API.

The clang-analyzer-osx.coreFoundation.containers.OutOfBounds check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-osx.coreFoundation.containers.PointerSizedValues

Warns if 'CFArray', 'CFDictionary', 'CFSet' are created with non-pointer-size values.

The clang-analyzer-osx.coreFoundation.containers.PointerSizedValues check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.FloatLoopCounter

Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP).

The clang-analyzer-security.FloatLoopCounter check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.PutenvStackArray

Finds calls to the function 'putenv' which pass a pointer to an automatic (stack-allocated) array as the argument.

The clang-analyzer-security.PutenvStackArray check is an alias of Clang Static Analyzer security.PutenvStackArray.

clang-analyzer-security.SetgidSetuidOrder

Warn on possible reversed order of 'setgid(getgid()))' and 'setuid(getuid())' (CERT: POS36-C).

The clang-analyzer-security.SetgidSetuidOrder check is an alias of Clang Static Analyzer security.SetgidSetuidOrder.

clang-analyzer-security.cert.env.InvalidPtr

Finds usages of possibly invalidated pointers.

The clang-analyzer-security.cert.env.InvalidPtr check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling

Warn on uses of unsecure or deprecated buffer manipulating functions.

The clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.UncheckedReturn

Warn on uses of functions whose return values must be always checked.

The clang-analyzer-security.insecureAPI.UncheckedReturn check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.bcmp

Warn on uses of the 'bcmp' function.

The clang-analyzer-security.insecureAPI.bcmp check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.bcopy

Warn on uses of the 'bcopy' function.

The clang-analyzer-security.insecureAPI.bcopy check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.bzero

Warn on uses of the 'bzero' function.

The clang-analyzer-security.insecureAPI.bzero check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.decodeValueOfObjCType

Warn on uses of the '-decodeValueOfObjCType:at:' method.

The clang-analyzer-security.insecureAPI.decodeValueOfObjCType check is an alias of Clang Static Analyzer security.insecureAPI.decodeValueOfObjCType.

clang-analyzer-security.insecureAPI.getpw

Warn on uses of the 'getpw' function.

The clang-analyzer-security.insecureAPI.getpw check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.gets

Warn on uses of the 'gets' function.

The clang-analyzer-security.insecureAPI.gets check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.mkstemp

Warn when 'mkstemp' is passed fewer than 6 X's in the format string.

The clang-analyzer-security.insecureAPI.mkstemp check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.mktemp

Warn on uses of the 'mktemp' function.

The clang-analyzer-security.insecureAPI.mktemp check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.rand

Warn on uses of the 'rand', 'random', and related functions.

The clang-analyzer-security.insecureAPI.rand check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.strcpy

Warn on uses of the 'strcpy' and 'strcat' functions.

The clang-analyzer-security.insecureAPI.strcpy check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-security.insecureAPI.vfork

Warn on uses of the 'vfork' function.

The clang-analyzer-security.insecureAPI.vfork check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-unix.API

Check calls to various UNIX/Posix functions.

The clang-analyzer-unix.API check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-unix.BlockInCriticalSection

Check for calls to blocking functions inside a critical section.

The clang-analyzer-unix.BlockInCriticalSection check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-unix.Errno

Check for improper use of 'errno'.

The clang-analyzer-unix.Errno check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-unix.Malloc

Check for memory leaks, double free, and use-after-free problems. Traces memory managed by malloc()/free().

The clang-analyzer-unix.Malloc check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-unix.MallocSizeof

Check for dubious malloc arguments involving sizeof.

The clang-analyzer-unix.MallocSizeof check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-unix.MismatchedDeallocator

Check for mismatched deallocators.

The clang-analyzer-unix.MismatchedDeallocator check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-unix.StdCLibraryFunctions

Check for invalid arguments of C standard library functions, and apply relations between arguments and return value.

The clang-analyzer-unix.StdCLibraryFunctions check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-unix.Stream

Check stream handling functions.

The clang-analyzer-unix.Stream check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-unix.Vfork

Check for proper usage of vfork.

The clang-analyzer-unix.Vfork check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-unix.cstring.BadSizeArg

Check the size argument passed into C string functions for common erroneous patterns.

The clang-analyzer-unix.cstring.BadSizeArg check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-unix.cstring.NullArg

Check for null pointers being passed as arguments to C string functions.

The clang-analyzer-unix.cstring.NullArg check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-valist.CopyToSelf

Check for va_lists which are copied onto itself.

The clang-analyzer-valist.CopyToSelf check is an alias of Clang Static Analyzer valist.CopyToSelf.

clang-analyzer-valist.Uninitialized

Check for usages of uninitialized (or already released) va_lists.

The clang-analyzer-valist.Uninitialized check is an alias of Clang Static Analyzer valist.Uninitialized.

clang-analyzer-valist.Unterminated

Check for va_lists which are not released by a va_end call.

The clang-analyzer-valist.Unterminated check is an alias of Clang Static Analyzer valist.Unterminated.

clang-analyzer-webkit.NoUncountedMemberChecker

Check for no uncounted member variables.

The clang-analyzer-webkit.NoUncountedMemberChecker check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-webkit.RefCntblBaseVirtualDtor

Check for any ref-countable base class having virtual destructor.

The clang-analyzer-webkit.RefCntblBaseVirtualDtor check is an alias, please see Clang Static Analyzer Available Checkers for more information.

clang-analyzer-webkit.UncountedLambdaCapturesChecker

Check uncounted lambda captures.

The clang-analyzer-webkit.UncountedLambdaCapturesChecker check is an alias, please see Clang Static Analyzer Available Checkers for more information.

concurrency-mt-unsafe

Checks for some thread-unsafe functions against a black list of known-to-be-unsafe functions. Usually they access static variables without synchronization (e.g. gmtime(3)) or utilize signals in a racy way. The set of functions to check is specified with the FunctionSet option.

Note that using some thread-unsafe functions may be still valid in concurrent programming if only a single thread is used (e.g. setenv(3)), however, some functions may track a state in global variables which would be clobbered by subsequent (non-parallel, but concurrent) calls to a related function. E.g. the following code suffers from unprotected accesses to a global state:

// getnetent(3) maintains global state with DB connection, etc.
// If a concurrent green thread calls getnetent(3), the global state is corrupted.
netent = getnetent();
yield();
netent = getnetent();

Examples:

tm = gmtime(timep); // uses a global buffer

sleep(1); // implementation may use SIGALRM
FunctionSet

Specifies which functions in libc should be considered thread-safe, possible values are posix, glibc, or any.

posix means POSIX defined thread-unsafe functions. POSIX.1-2001 in "2.9.1 Thread-Safety" defines that all functions specified in the standard are thread-safe except a predefined list of thread-unsafe functions.

Glibc defines some of them as thread-safe (e.g. dirname(3)), but adds non-POSIX thread-unsafe ones (e.g. getopt_long(3)). Glibc's list is compiled from GNU web documentation with a search for MT-Safe tag: https://www.gnu.org/software/libc/manual/html_node/POSIX-Safety-Concepts.html

If you want to identify thread-unsafe API for at least one libc or unsure which libc will be used, use any (default).

concurrency-thread-canceltype-asynchronous

Finds pthread_setcanceltype function calls where a thread's cancellation type is set to asynchronous. Asynchronous cancellation type (PTHREAD_CANCEL_ASYNCHRONOUS) is generally unsafe, use type PTHREAD_CANCEL_DEFERRED instead which is the default. Even with deferred cancellation, a cancellation point in an asynchronous signal handler may still be acted upon and the effect is as if it was an asynchronous cancellation.

pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, &oldtype);

This check corresponds to the CERT C Coding Standard rule POS47-C. Do not use threads that can be canceled asynchronously.

cert-pos47-c redirects here as an alias of this check.

cppcoreguidelines-avoid-c-arrays

The cppcoreguidelines-avoid-c-arrays check is an alias, please see modernize-avoid-c-arrays for more information.

cppcoreguidelines-avoid-capturing-lambda-coroutines

Flags C++20 coroutine lambdas with non-empty capture lists that may cause use-after-free errors and suggests avoiding captures or ensuring the lambda closure object has a guaranteed lifetime.

This check implements CP.51 from the C++ Core Guidelines.

Using coroutine lambdas with non-empty capture lists can be risky, as capturing variables can lead to accessing freed memory after the first suspension point. This issue can occur even with refcounted smart pointers and copyable types. When a lambda expression creates a coroutine, it results in a closure object with storage, which is often on the stack and will eventually go out of scope. When the closure object goes out of scope, its captures also go out of scope. While normal lambdas finish executing before this happens, coroutine lambdas may resume from suspension after the closure object has been destructed, resulting in use-after-free memory access for all captures.

Consider the following example:

int value = get_value();
std::shared_ptr<Foo> sharedFoo = get_foo();
{
    const auto lambda = [value, sharedFoo]() -> std::future<void>
    {
        co_await something();
        // "sharedFoo" and "value" have already been destroyed
        // the "shared" pointer didn't accomplish anything
    };
    lambda();
} // the lambda closure object has now gone out of scope

In this example, the lambda object is defined with two captures: value and sharedFoo. When lambda() is called, the lambda object is created on the stack, and the captures are copied into the closure object. When the coroutine is suspended, the lambda object goes out of scope, and the closure object is destroyed. When the coroutine is resumed, the captured variables may have been destroyed, resulting in use-after-free bugs.

In conclusion, the use of coroutine lambdas with non-empty capture lists can lead to use-after-free errors when resuming the coroutine after the closure object has been destroyed. This check helps prevent such errors by flagging C++20 coroutine lambdas with non-empty capture lists and suggesting avoiding captures or ensuring the lambda closure object has a guaranteed lifetime.

Following these guidelines can help ensure the safe and reliable use of coroutine lambdas in C++ code.

cppcoreguidelines-avoid-const-or-ref-data-members

This check warns when structs or classes that are copyable or movable, and have const-qualified or reference (lvalue or rvalue) data members. Having such members is rarely useful, and makes the class only copy-constructible but not copy-assignable.

Examples:

// Bad, const-qualified member
struct Const {
  const int x;
}

// Good:
class Foo {
 public:
  int get() const { return x; }
 private:
  int x;
};

// Bad, lvalue reference member
struct Ref {
  int& x;
};

// Good:
struct Foo {
  int* x;
  std::unique_ptr<int> x;
  std::shared_ptr<int> x;
  gsl::not_null<int*> x;
};

// Bad, rvalue reference member
struct RefRef {
  int&& x;
};

This check implements C.12 from the C++ Core Guidelines.

Further reading: Data members: Never const.

cppcoreguidelines-avoid-do-while

Warns when using do-while loops. They are less readable than plain while loops, since the termination condition is at the end and the condition is not checked prior to the first iteration. This can lead to subtle bugs.

This check implements ES.75 from the C++ Core Guidelines.

Examples:

int x;
do {
    std::cin >> x;
    // ...
} while (x < 0);

Options

IgnoreMacros

Ignore the check when analyzing macros. This is useful for safely defining function-like macros:

#define FOO_BAR(x) \
do { \
  foo(x); \
  bar(x); \
} while(0)

Defaults to false.

cppcoreguidelines-avoid-goto

The usage of goto for control flow is error prone and should be replaced with looping constructs. Only forward jumps in nested loops are accepted.

This check implements ES.76 from the C++ Core Guidelines and 6.3.1 from High Integrity C++ Coding Standard.

For more information on why to avoid programming with goto you can read the famous paper A Case against the GO TO Statement..

The check diagnoses goto for backward jumps in every language mode. These should be replaced with C/C++ looping constructs.

// Bad, handwritten for loop.
int i = 0;
// Jump label for the loop
loop_start:
do_some_operation();

if (i < 100) {
  ++i;
  goto loop_start;
}

// Better
for(int i = 0; i < 100; ++i)
  do_some_operation();

Modern C++ needs goto only to jump out of nested loops.

for(int i = 0; i < 100; ++i) {
  for(int j = 0; j < 100; ++j) {
    if (i * j > 500)
      goto early_exit;
  }
}

early_exit:
some_operation();

All other uses of goto are diagnosed in C++.

cppcoreguidelines-avoid-magic-numbers

The cppcoreguidelines-avoid-magic-numbers check is an alias, please see readability-magic-numbers for more information.

cppcoreguidelines-avoid-non-const-global-variables

Finds non-const global variables as described in I.2 of C++ Core Guidelines. As R.6 of C++ Core Guidelines is a duplicate of rule I.2 it also covers that rule.

char a;  // Warns!
const char b =  0;

namespace some_namespace
{
    char c;  // Warns!
    const char d = 0;
}

char * c_ptr1 = &some_namespace::c;  // Warns!
char *const c_const_ptr = &some_namespace::c;  // Warns!
char & c_reference = some_namespace::c;  // Warns!

class Foo  // No Warnings inside Foo, only namespace scope is covered
{
public:
    char e = 0;
    const char f = 0;
protected:
    char g = 0;
private:
    char h = 0;
};

The variables a, c, c_ptr1, c_const_ptr and c_reference will all generate warnings since they are either a non-const globally accessible variable, a pointer or a reference providing global access to non-const data or both.

Options

AllowInternalLinkage

When set to true, static non-const variables and variables in anonymous namespaces will not generate a warning. The default value is false.

cppcoreguidelines-avoid-reference-coroutine-parameters

Warns when a coroutine accepts reference parameters. After a coroutine suspend point, references could be dangling and no longer valid. Instead, pass parameters as values.

Examples:

std::future<int> someCoroutine(int& val) {
  co_await ...;
  // When the coroutine is resumed, 'val' might no longer be valid.
  if (val) ...
}

This check implements CP.53 from the C++ Core Guidelines.

cppcoreguidelines-c-copy-assignment-signature

The cppcoreguidelines-c-copy-assignment-signature check is an alias, please see misc-unconventional-assign-operator for more information.

cppcoreguidelines-explicit-virtual-functions

The cppcoreguidelines-explicit-virtual-functions check is an alias, please see modernize-use-override for more information.

cppcoreguidelines-init-variables

Checks whether there are local variables that are declared without an initial value. These may lead to unexpected behavior if there is a code path that reads the variable before assigning to it.

This rule is part of the Type safety (Type.5) profile and ES.20 from the C++ Core Guidelines.

Only integers, booleans, floats, doubles and pointers are checked. The fix option initializes all detected values with the value of zero. An exception is float and double types, which are initialized to NaN.

As an example a function that looks like this:

void function() {
  int x;
  char *txt;
  double d;

  // Rest of the function.
}

Would be rewritten to look like this:

#include <math.h>

void function() {
  int x = 0;
  char *txt = nullptr;
  double d = NAN;

  // Rest of the function.
}

It warns for the uninitialized enum case, but without a FixIt:

enum A {A1, A2, A3};
enum A_c : char { A_c1, A_c2, A_c3 };
enum class B { B1, B2, B3 };
enum class B_i : int { B_i1, B_i2, B_i3 };
void function() {
  A a;     // Warning: variable 'a' is not initialized
  A_c a_c; // Warning: variable 'a_c' is not initialized
  B b;     // Warning: variable 'b' is not initialized
  B_i b_i; // Warning: variable 'b_i' is not initialized
}

Options

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

MathHeader

A string specifying the header to include to get the definition of NAN. Default is <math.h>.

cppcoreguidelines-interfaces-global-init

This check flags initializers of globals that access extern objects, and therefore can lead to order-of-initialization problems.

This check implements I.22 from the C++ Core Guidelines.

Note that currently this does not flag calls to non-constexpr functions, and therefore globals could still be accessed from functions themselves.

cppcoreguidelines-macro-to-enum

The cppcoreguidelines-macro-to-enum check is an alias, please see modernize-macro-to-enum for more information.

cppcoreguidelines-macro-usage

Finds macro usage that is considered problematic because better language constructs exist for the task.

The relevant sections in the C++ Core Guidelines are ES.31, and ES.32.

Examples:

#define C 0
#define F1(x, y) ((a) > (b) ? (a) : (b))
#define F2(...) (__VA_ARGS__)
#define F3(x, y) x##y
#define COMMA ,
#define NORETURN [[noreturn]]
#define DEPRECATED attribute((deprecated))
#if LIB_EXPORTS
#define DLLEXPORTS __declspec(dllexport)
#else
#define DLLEXPORTS __declspec(dllimport)
#endif

results in the following warnings:

4 warnings generated.
test.cpp:1:9: warning: macro 'C' used to declare a constant; consider using a 'constexpr' constant [cppcoreguidelines-macro-usage]
#define C 0
        ^
test.cpp:2:9: warning: function-like macro 'F1' used; consider a 'constexpr' template function [cppcoreguidelines-macro-usage]
#define F1(x, y) ((a) > (b) ? (a) : (b))
        ^
test.cpp:3:9: warning: variadic macro 'F2' used; consider using a 'constexpr' variadic template function [cppcoreguidelines-macro-usage]
#define F2(...) (__VA_ARGS__)
        ^

Options

AllowedRegexp

A regular expression to filter allowed macros. For example DEBUG*|LIBTORRENT*|TORRENT*|UNI* could be applied to filter libtorrent. Default value is ^DEBUG_*.

CheckCapsOnly

Boolean flag to warn on all macros except those with CAPS_ONLY names. This option is intended to ease introduction of this check into older code bases. Default value is false.

IgnoreCommandLineMacros

Boolean flag to toggle ignoring command-line-defined macros. Default value is true.

cppcoreguidelines-misleading-capture-default-by-value

Warns when lambda specify a by-value capture default and capture this.

By-value capture defaults in member functions can be misleading about whether data members are captured by value or reference. This occurs because specifying the capture default [=] actually captures the this pointer by value, not the data members themselves. As a result, data members are still indirectly accessed via the captured this pointer, which essentially means they are being accessed by reference. Therefore, even when using [=], data members are effectively captured by reference, which might not align with the user's expectations.

Examples:

struct AClass {
  int member;
  void misleadingLogic() {
    int local = 0;
    member = 0;
    auto f = [=]() mutable {
      local += 1;
      member += 1;
    };
    f();
    // Here, local is 0 but member is 1
  }

  void clearLogic() {
    int local = 0;
    member = 0;
    auto f = [this, local]() mutable {
      local += 1;
      member += 1;
    };
    f();
    // Here, local is 0 but member is 1
  }
};

This check implements F.54 from the C++ Core Guidelines.

cppcoreguidelines-missing-std-forward

Warns when a forwarding reference parameter is not forwarded inside the function body.

Example:

template <class T>
void wrapper(T&& t) {
  impl(std::forward<T>(t), 1, 2); // Correct
}

template <class T>
void wrapper2(T&& t) {
  impl(t, 1, 2); // Oops - should use std::forward<T>(t)
}

template <class T>
void wrapper3(T&& t) {
  impl(std::move(t), 1, 2); // Also buggy - should use std::forward<T>(t)
}

template <class F>
void wrapper_function(F&& f) {
  std::forward<F>(f)(1, 2); // Correct
}

template <class F>
void wrapper_function2(F&& f) {
  f(1, 2); // Incorrect - may not invoke the desired qualified function operator
}

This check implements F.19 from the C++ Core Guidelines.

cppcoreguidelines-narrowing-conversions

Checks for silent narrowing conversions, e.g: int i = 0; i += 0.1;. While the issue is obvious in this former example, it might not be so in the following: void MyClass::f(double d) { int_member_ += d; }.

This check implements ES.46 from the C++ Core Guidelines.

We enforce only part of the guideline, more specifically, we flag narrowing conversions from:
  • an integer to a narrower integer (e.g. char to unsigned char) if WarnOnIntegerNarrowingConversion Option is set,
  • an integer to a narrower floating-point (e.g. uint64_t to float) if WarnOnIntegerToFloatingPointNarrowingConversion Option is set,
  • a floating-point to an integer (e.g. double to int),
  • a floating-point to a narrower floating-point (e.g. double to float) if WarnOnFloatingPointNarrowingConversion Option is set.
This check will flag:
  • All narrowing conversions that are not marked by an explicit cast (c-style or static_cast). For example: int i = 0; i += 0.1;, void f(int); f(0.1);,
  • All applications of binary operators with a narrowing conversions. For example: int i; i+= 0.1;.

Options

WarnOnIntegerNarrowingConversion

When true, the check will warn on narrowing integer conversion (e.g. int to size_t). true by default.

WarnOnIntegerToFloatingPointNarrowingConversion

When true, the check will warn on narrowing integer to floating-point conversion (e.g. size_t to double). true by default.

WarnOnFloatingPointNarrowingConversion

When true, the check will warn on narrowing floating point conversion (e.g. double to float). true by default.

WarnWithinTemplateInstantiation

When true, the check will warn on narrowing conversions within template instantiations. false by default.

WarnOnEquivalentBitWidth

When true, the check will warn on narrowing conversions that arise from casting between types of equivalent bit width. (e.g. int n = uint(0); or long long n = double(0);) true by default.

IgnoreConversionFromTypes

Narrowing conversions from any type in this semicolon-separated list will be ignored. This may be useful to weed out commonly occurring, but less commonly problematic assignments such as int n = std::vector<char>().size(); or int n = std::difference(it1, it2);. The default list is empty, but one suggested list for a legacy codebase would be size_t;ptrdiff_t;size_type;difference_type.

PedanticMode

When true, the check will warn on assigning a floating point constant to an integer value even if the floating point value is exactly representable in the destination type (e.g. int i = 1.0;). false by default.

FAQ

  • What does "narrowing conversion from 'int' to 'float'" mean?

An IEEE754 Floating Point number can represent all integer values in the range [-2^PrecisionBits, 2^PrecisionBits] where PrecisionBits is the number of bits in the mantissa.

For float this would be [-2^23, 2^23], where int can represent values in the range [-2^31, 2^31-1].

  • What does "implementation-defined" mean?

You may have encountered messages like "narrowing conversion from 'unsigned int' to signed type 'int' is implementation-defined". The C/C++ standard does not mandate two's complement for signed integers, and so the compiler is free to define what the semantics are for converting an unsigned integer to signed integer. Clang's implementation uses the two's complement format.

cppcoreguidelines-no-malloc

This check handles C-Style memory management using malloc(), realloc(), calloc() and free(). It warns about its use and tries to suggest the use of an appropriate RAII object. Furthermore, it can be configured to check against a user-specified list of functions that are used for memory management (e.g. posix_memalign()).

This check implements R.10 from the C++ Core Guidelines.

There is no attempt made to provide fix-it hints, since manual resource management isn't easily transformed automatically into RAII.

// Warns each of the following lines.
// Containers like std::vector or std::string should be used.
char* some_string = (char*) malloc(sizeof(char) * 20);
char* some_string = (char*) realloc(sizeof(char) * 30);
free(some_string);

int* int_array = (int*) calloc(30, sizeof(int));

// Rather use a smartpointer or stack variable.
struct some_struct* s = (struct some_struct*) malloc(sizeof(struct some_struct));

Options

Allocations

Semicolon-separated list of fully qualified names of memory allocation functions. Defaults to ::malloc;::calloc.

Deallocations

Semicolon-separated list of fully qualified names of memory allocation functions. Defaults to ::free.

Reallocations

Semicolon-separated list of fully qualified names of memory allocation functions. Defaults to ::realloc.

cppcoreguidelines-no-suspend-with-lock

Flags coroutines that suspend while a lock guard is in scope at the suspension point.

When a coroutine suspends, any mutexes held by the coroutine will remain locked until the coroutine resumes and eventually destructs the lock guard. This can lead to long periods with a mutex held and runs the risk of deadlock.

Instead, locks should be released before suspending a coroutine.

This check only checks suspending coroutines while a lock_guard is in scope; it does not consider manual locking or unlocking of mutexes, e.g., through calls to std::mutex::lock().

Examples:

future bad_coro() {
  std::lock_guard lock{mtx};
  ++some_counter;
  co_await something(); // Suspending while holding a mutex
}

future good_coro() {
  {
    std::lock_guard lock{mtx};
    ++some_counter;
  }
  // Destroy the lock_guard to release the mutex before suspending the coroutine
  co_await something(); // Suspending while holding a mutex
}

This check implements CP.52 from the C++ Core Guidelines.

cppcoreguidelines-noexcept-destructor

This check implements C.37 from the C++ Core Guidelines.

The cppcoreguidelines-noexcept-destructor check is an alias, please see performance-noexcept-destructor for more information.

cppcoreguidelines-noexcept-move-operations

This check implements C.66 from the C++ Core Guidelines.

The cppcoreguidelines-noexcept-move-operations check is an alias, please see performance-noexcept-move-constructor for more information.

cppcoreguidelines-noexcept-swap

This check implements C.83 , C.84 and C.85 from the C++ Core Guidelines.

The cppcoreguidelines-noexcept-swap check is an alias, please see performance-noexcept-swap for more information.

cppcoreguidelines-non-private-member-variables-in-classes

The cppcoreguidelines-non-private-member-variables-in-classes check is an alias, please see misc-non-private-member-variables-in-classes for more information.

cppcoreguidelines-owning-memory

This check implements the type-based semantics of gsl::owner<T*>, which allows static analysis on code, that uses raw pointers to handle resources like dynamic memory, but won't introduce RAII concepts.

This check implements I.11, C.33, R.3 and GSL.Views from the C++ Core Guidelines. The definition of a gsl::owner<T*> is straight forward

namespace gsl { template <typename T> owner = T; }

It is therefore simple to introduce the owner even without using an implementation of the Guideline Support Library.

All checks are purely type based and not (yet) flow sensitive.

The following examples will demonstrate the correct and incorrect initializations of owners, assignment is handled the same way. Note that both new and malloc()-like resource functions are considered to produce resources.

// Creating an owner with factory functions is checked.
gsl::owner<int*> function_that_returns_owner() { return gsl::owner<int*>(new int(42)); }

// Dynamic memory must be assigned to an owner
int* Something = new int(42); // BAD, will be caught
gsl::owner<int*> Owner = new int(42); // Good
gsl::owner<int*> Owner = new int[42]; // Good as well

// Returned owner must be assigned to an owner
int* Something = function_that_returns_owner(); // Bad, factory function
gsl::owner<int*> Owner = function_that_returns_owner(); // Good, result lands in owner

// Something not a resource or owner should not be assigned to owners
int Stack = 42;
gsl::owner<int*> Owned = &Stack; // Bad, not a resource assigned

In the case of dynamic memory as resource, only gsl::owner<T*> variables are allowed to be deleted.

// Example Bad, non-owner as resource handle, will be caught.
int* NonOwner = new int(42); // First warning here, since new must land in an owner
delete NonOwner; // Second warning here, since only owners are allowed to be deleted

// Example Good, Ownership correctly stated
gsl::owner<int*> Owner = new int(42); // Good
delete Owner; // Good as well, statically enforced, that only owners get deleted

The check will furthermore ensure, that functions, that expect a gsl::owner<T*> as argument get called with either a gsl::owner<T*> or a newly created resource.

void expects_owner(gsl::owner<int*> o) { delete o; }

// Bad Code
int NonOwner = 42;
expects_owner(&NonOwner); // Bad, will get caught

// Good Code
gsl::owner<int*> Owner = new int(42);
expects_owner(Owner); // Good
expects_owner(new int(42)); // Good as well, recognized created resource

// Port legacy code for better resource-safety
gsl::owner<FILE*> File = fopen("my_file.txt", "rw+");
FILE* BadFile = fopen("another_file.txt", "w"); // Bad, warned

// ... use the file

fclose(File); // Ok, File is annotated as 'owner<>'
fclose(BadFile); // BadFile is not an 'owner<>', will be warned

Options

LegacyResourceProducers

Semicolon-separated list of fully qualified names of legacy functions that create resources but cannot introduce gsl::owner<>. Defaults to ::malloc;::aligned_alloc;::realloc;::calloc;::fopen;::freopen;::tmpfile.

LegacyResourceConsumers

Semicolon-separated list of fully qualified names of legacy functions expecting resource owners as pointer arguments but cannot introduce gsl::owner<>. Defaults to ::free;::realloc;::freopen;::fclose.

Limitations

Using gsl::owner<T*> in a typedef or alias is not handled correctly.

using heap_int = gsl::owner<int*>;
heap_int allocated = new int(42); // False positive!

The gsl::owner<T*> is declared as a templated type alias. In template functions and classes, like in the example below, the information of the type aliases gets lost. Therefore using gsl::owner<T*> in a heavy templated code base might lead to false positives.

Known code constructs that do not get diagnosed correctly are:

  • std::exchange
  • std::vector<gsl::owner<T*>>

    // This template function works as expected. Type information doesn't get lost.
    template <typename T>
    void delete_owner(gsl::owner<T*> owned_object) {
      delete owned_object; // Everything alright
    }
    
    gsl::owner<int*> function_that_returns_owner() { return gsl::owner<int*>(new int(42)); }
    
    // Type deduction does not work for auto variables.
    // This is caught by the check and will be noted accordingly.
    auto OwnedObject = function_that_returns_owner(); // Type of OwnedObject will be int*
    
    // Problematic function template that looses the typeinformation on owner
    template <typename T>
    void bad_template_function(T some_object) {
      // This line will trigger the warning, that a non-owner is assigned to an owner
      gsl::owner<T*> new_owner = some_object;
    }
    
    // Calling the function with an owner still yields a false positive.
    bad_template_function(gsl::owner<int*>(new int(42)));
    
    
    // The same issue occurs with templated classes like the following.
    template <typename T>
    class OwnedValue {
    public:
      const T getValue() const { return _val; }
    private:
      T _val;
    };
    
    // Code, that yields a false positive.
    OwnedValue<gsl::owner<int*>> Owner(new int(42)); // Type deduction yield T -> int *
    // False positive, getValue returns int* and not gsl::owner<int*>
    gsl::owner<int*> OwnedInt = Owner.getValue();

Another limitation of the current implementation is only the type based checking. Suppose you have code like the following:

// Two owners with assigned resources
gsl::owner<int*> Owner1 = new int(42);
gsl::owner<int*> Owner2 = new int(42);

Owner2 = Owner1; // Conceptual Leak of initial resource of Owner2!
Owner1 = nullptr;

The semantic of a gsl::owner<T*> is mostly like a std::unique_ptr<T>, therefore assignment of two gsl::owner<T*> is considered a move, which requires that the resource Owner2 must have been released before the assignment. This kind of condition could be caught in later improvements of this check with flowsensitive analysis. Currently, the Clang Static Analyzer catches this bug for dynamic memory, but not for general types of resources.

cppcoreguidelines-prefer-member-initializer

Finds member initializations in the constructor body which can be Ā converted into member initializers of the constructor instead. This not only improves the readability of the code but also positively affects its performance. Class-member assignments inside a control statement or following the first control statement are ignored.

This check implements C.49 from the C++ Core Guidelines.

Please note, that this check does not enforce rule C.48 from the C++ Core Guidelines. For that purpose see check modernize-use-default-member-init.

Example 1

class C {
  int n;
  int m;
public:
  C() {
    n = 1; // Literal in default constructor
    if (dice())
      return;
    m = 1;
  }
};

Here n can be initialized in the constructor initializer list, unlike m, as m's initialization follows a control statement (if):

class C {
  int n;
  int m;
public:
  C(): n(1) {
    if (dice())
      return;
    m = 1;
  }
};

Example 2

class C {
  int n;
  int m;
public:
  C(int nn, int mm) {
    n = nn; // Neither default constructor nor literal
    if (dice())
      return;
    m = mm;
  }
};

Here n can be initialized in the constructor initializer list, unlike m, as m's initialization follows a control statement (if):

C(int nn, int mm) : n(nn) {
  if (dice())
    return;
  m = mm;
}

cppcoreguidelines-pro-bounds-array-to-pointer-decay

This check flags all array to pointer decays.

Pointers should not be used as arrays. span<T> is a bounds-checked, safe alternative to using pointers to access arrays.

This rule is part of the Bounds safety (Bounds 3) profile from the C++ Core Guidelines.

cppcoreguidelines-pro-bounds-constant-array-index

This check flags all array subscript expressions on static arrays and std::arrays that either do not have a constant integer expression index or are out of bounds (for std::array). For out-of-bounds checking of static arrays, see the -Warray-bounds Clang diagnostic.

This rule is part of the Bounds safety (Bounds 2) profile from the C++ Core Guidelines.

Optionally, this check can generate fixes using gsl::at for indexing.

Options

GslHeader

The check can generate fixes after this option has been set to the name of the include file that contains gsl::at(), e.g. "gsl/gsl.h".

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

cppcoreguidelines-pro-bounds-pointer-arithmetic

This check flags all usage of pointer arithmetic, because it could lead to an invalid pointer. Subtraction of two pointers is not flagged by this check.

Pointers should only refer to single objects, and pointer arithmetic is fragile and easy to get wrong. span<T> is a bounds-checked, safe type for accessing arrays of data.

This rule is part of the Bounds safety (Bounds 1) profile from the C++ Core Guidelines.

cppcoreguidelines-pro-type-const-cast

Imposes limitations on the use of const_cast within C++ code. It depends on the StrictMode option setting to determine whether it should flag all instances of const_cast or only those that remove either const or volatile qualifier.

Modifying a variable that has been declared as const in C++ is generally considered undefined behavior, and this remains true even when using const_cast. In C++, the const qualifier indicates that a variable is intended to be read-only, and the compiler enforces this by disallowing any attempts to change the value of that variable.

Removing the volatile qualifier in C++ can have serious consequences. This qualifier indicates that a variable's value can change unpredictably, and removing it may lead to undefined behavior, optimization problems, and debugging challenges. It's essential to retain the volatile qualifier in situations where the variable's volatility is a crucial aspect of program correctness and reliability.

This rule is part of the Type safety (Type 3) profile and ES.50: Donā€™t cast away const rule from the C++ Core Guidelines.

Options

StrictMode

When this setting is set to true, it means that any usage of const_cast is not allowed. On the other hand, when it's set to false, it permits casting to const or volatile types. Default value is false.

cppcoreguidelines-pro-type-cstyle-cast

This check flags all use of C-style casts that perform a static_cast downcast, const_cast, or reinterpret_cast.

Use of these casts can violate type safety and cause the program to access a variable that is actually of type X to be accessed as if it were of an unrelated type Z. Note that a C-style (T)expression cast means to perform the first of the following that is possible: a const_cast, a static_cast, a static_cast followed by a const_cast, a reinterpret_cast, or a reinterpret_cast followed by a const_cast. This rule bans (T)expression only when used to perform an unsafe cast.

This rule is part of the Type safety (Type.4) profile from the C++ Core Guidelines.

cppcoreguidelines-pro-type-member-init

The check flags user-provided constructor definitions that do not initialize all fields that would be left in an undefined state by default construction, e.g. builtins, pointers and record types without user-provided default constructors containing at least one such type. If these fields aren't initialized, the constructor will leave some of the memory in an undefined state.

For C++11 it suggests fixes to add in-class field initializers. For older versions it inserts the field initializers into the constructor initializer list. It will also initialize any direct base classes that need to be zeroed in the constructor initializer list.

The check takes assignment of fields in the constructor body into account but generates false positives for fields initialized in methods invoked in the constructor body.

The check also flags variables with automatic storage duration that have record types without a user-provided constructor and are not initialized. The suggested fix is to zero initialize the variable via {} for C++11 and beyond or = {} for older language versions.

Options

IgnoreArrays

If set to true, the check will not warn about array members that are not zero-initialized during construction. For performance critical code, it may be important to not initialize fixed-size array members. Default is false.

UseAssignment

If set to true, the check will provide fix-its with literal initializers ( int i = 0; ) instead of curly braces ( int i{}; ).

This rule is part of the Type safety (Type.6) profile from the C++ Core Guidelines.

cppcoreguidelines-pro-type-reinterpret-cast

This check flags all uses of reinterpret_cast in C++ code.

Use of these casts can violate type safety and cause the program to access a variable that is actually of type X to be accessed as if it were of an unrelated type Z.

This rule is part of the Type safety (Type.1.1) profile from the C++ Core Guidelines.

cppcoreguidelines-pro-type-static-cast-downcast

This check flags all usages of static_cast, where a base class is casted to a derived class. In those cases, a fix-it is provided to convert the cast to a dynamic_cast.

Use of these casts can violate type safety and cause the program to access a variable that is actually of type X to be accessed as if it were of an unrelated type Z.

This rule is part of the Type safety (Type.2) profile from the C++ Core Guidelines.

Options

StrictMode

When set to false, no warnings are emitted for casts on non-polymorphic types. Default is true.

cppcoreguidelines-pro-type-union-access

This check flags all access to members of unions. Passing unions as a whole is not flagged.

Reading from a union member assumes that member was the last one written, and writing to a union member assumes another member with a nontrivial destructor had its destructor called. This is fragile because it cannot generally be enforced to be safe in the language and so relies on programmer discipline to get it right.

This rule is part of the Type safety (Type.7) profile from the C++ Core Guidelines.

cppcoreguidelines-pro-type-vararg

This check flags all calls to c-style vararg functions and all use of va_arg.

To allow for SFINAE use of vararg functions, a call is not flagged if a literal 0 is passed as the only vararg argument or function is used in unevaluated context.

Passing to varargs assumes the correct type will be read. This is fragile because it cannot generally be enforced to be safe in the language and so relies on programmer discipline to get it right.

This rule is part of the Type safety (Type.8) profile from the C++ Core Guidelines.

cppcoreguidelines-rvalue-reference-param-not-moved

Warns when an rvalue reference function parameter is never moved within the function body.

Rvalue reference parameters indicate a parameter that should be moved with std::move from within the function body. Any such parameter that is never moved is confusing and potentially indicative of a buggy program.

Example:

void logic(std::string&& Input) {
  std::string Copy(Input); // Oops - forgot to std::move
}

Note that parameters that are unused and marked as such will not be diagnosed.

Example:

void conditional_use([[maybe_unused]] std::string&& Input) {
  // No diagnostic here since Input is unused and marked as such
}

Options

AllowPartialMove

If set to true, the check accepts std::move calls containing any subexpression containing the parameter. CppCoreGuideline F.18 officially mandates that the parameter itself must be moved. Default is false.

// 'p' is flagged by this check if and only if AllowPartialMove is false
void move_members_of(pair<Obj, Obj>&& p) {
  pair<Obj, Obj> other;
  other.first = std::move(p.first);
  other.second = std::move(p.second);
}

// 'p' is never flagged by this check
void move_whole_pair(pair<Obj, Obj>&& p) {
  pair<Obj, Obj> other = std::move(p);
}
IgnoreUnnamedParams

If set to true, the check ignores unnamed rvalue reference parameters. Default is false.

IgnoreNonDeducedTemplateTypes

If set to true, the check ignores non-deduced template type rvalue reference parameters. Default is false.

template <class T>
struct SomeClass {
  // Below, 'T' is not deduced and 'T&&' is an rvalue reference type.
  // This will be flagged if and only if IgnoreNonDeducedTemplateTypes is
  // false. One suggested fix would be to specialize the class for 'T' and
  // 'T&' separately (e.g., see std::future), or allow only one of 'T' or
  // 'T&' instantiations of SomeClass (e.g., see std::optional).
  SomeClass(T&& t) { }
};

// Never flagged, since 'T' is a forwarding reference in a deduced context
template <class T>
void forwarding_ref(T&& t) {
  T other = std::forward<T>(t);
}

This check implements F.18 from the C++ Core Guidelines.

cppcoreguidelines-slicing

Flags slicing of member variables or vtable. Slicing happens when copying a derived object into a base object: the members of the derived object (both member variables and virtual member functions) will be discarded. This can be misleading especially for member function slicing, for example:

struct B { int a; virtual int f(); };
struct D : B { int b; int f() override; };

void use(B b) {  // Missing reference, intended?
  b.f();  // Calls B::f.
}

D d;
use(d);  // Slice.

This check implements ES.63 and C.145 from the C++ Core Guidelines.

cppcoreguidelines-special-member-functions

The check finds classes where some but not all of the special member functions are defined.

By default the compiler defines a copy constructor, copy assignment operator, move constructor, move assignment operator and destructor. The default can be suppressed by explicit user-definitions. The relationship between which functions will be suppressed by definitions of other functions is complicated and it is advised that all five are defaulted or explicitly defined.

Note that defining a function with = delete is considered to be a definition.

This check implements C.21 from the C++ Core Guidelines.

Options

AllowSoleDefaultDtor

When set to true (default is false), this check will only trigger on destructors if they are defined and not defaulted.

struct A { // This is fine.
  virtual ~A() = default;
};

struct B { // This is not fine.
  ~B() {}
};

struct C {
  // This is not checked, because the destructor might be defaulted in
  // another translation unit.
  ~C();
};
AllowMissingMoveFunctions

When set to true (default is false), this check doesn't flag classes which define no move operations at all. It still flags classes which define only one of either move constructor or move assignment operator. With this option enabled, the following class won't be flagged:

struct A {
  A(const A&);
  A& operator=(const A&);
  ~A();
};
AllowMissingMoveFunctionsWhenCopyIsDeleted

When set to true (default is false), this check doesn't flag classes which define deleted copy operations but don't define move operations. This flag is related to Google C++ Style Guide Copyable and Movable Types. With this option enabled, the following class won't be flagged:

struct A {
  A(const A&) = delete;
  A& operator=(const A&) = delete;
  ~A();
};
AllowImplicitlyDeletedCopyOrMove

When set to true (default is false), this check doesn't flag classes which implicitly delete copy or move operations. With this option enabled, the following class won't be flagged:

struct A : boost::noncopyable {
  ~A() { std::cout << "dtor\n"; }
};

cppcoreguidelines-use-default-member-init

This check implements C.48 from the C++ Core Guidelines.

The cppcoreguidelines-use-default-member-init check is an alias, please see modernize-use-default-member-init for more information.

cppcoreguidelines-virtual-class-destructor

Finds virtual classes whose destructor is neither public and virtual nor protected and non-virtual. A virtual class's destructor should be specified in one of these ways to prevent undefined behavior.

This check implements C.35 from the C++ Core Guidelines.

Note that this check will diagnose a class with a virtual method regardless of whether the class is used as a base class or not.

Fixes are available for user-declared and implicit destructors that are either public and non-virtual or protected and virtual. No fixes are offered for private destructors. There, the decision whether to make them private and virtual or protected and non-virtual depends on the use case and is thus left to the user.

Example

For example, the following classes/structs get flagged by the check since they violate guideline C.35:

struct Foo {        // NOK, protected destructor should not be virtual
  virtual void f();
protected:
  virtual ~Foo(){}
};

class Bar {         // NOK, public destructor should be virtual
  virtual void f();
public:
  ~Bar(){}
};

This would be rewritten to look like this:

struct Foo {        // OK, destructor is not virtual anymore
  virtual void f();
protected:
  ~Foo(){}
};

class Bar {         // OK, destructor is now virtual
  virtual void f();
public:
  virtual ~Bar(){}
};

darwin-avoid-spinlock

Finds usages of OSSpinlock, which is deprecated due to potential livelock problems.

This check will detect following function invocations:

  • OSSpinlockLock
  • OSSpinlockTry
  • OSSpinlockUnlock

The corresponding information about the problem of OSSpinlock: https://blog.postmates.com/why-spinlocks-are-bad-on-ios-b69fc5221058

darwin-dispatch-once-nonstatic

Finds declarations of dispatch_once_t variables without static or global storage. The behavior of using dispatch_once_t predicates with automatic or dynamic storage is undefined by libdispatch, and should be avoided.

It is a common pattern to have functions initialize internal static or global data once when the function runs, but programmers have been known to miss the static on the dispatch_once_t predicate, leading to an uninitialized flag value at the mercy of the stack.

Programmers have also been known to make dispatch_once_t variables be members of structs or classes, with the intent to lazily perform some expensive struct or class member initialization only once; however, this violates the libdispatch requirements.

See the discussion section of Apple's dispatch_once documentation for more information.

fuchsia-default-arguments-calls

Warns if a function or method is called with default arguments.

For example, given the declaration:

int foo(int value = 5) { return value; }

A function call expression that uses a default argument will be diagnosed. Calling it without defaults will not cause a warning:

foo();  // warning
foo(0); // no warning

See the features disallowed in Fuchsia at https://fuchsia.dev/fuchsia-src/development/languages/c-cpp/cxx?hl=en

fuchsia-default-arguments-declarations

Warns if a function or method is declared with default parameters.

For example, the declaration:

int foo(int value = 5) { return value; }

will cause a warning.

See the features disallowed in Fuchsia at https://fuchsia.dev/fuchsia-src/development/languages/c-cpp/cxx?hl=en

fuchsia-header-anon-namespaces

The fuchsia-header-anon-namespaces check is an alias, please see google-build-namespace for more information.

fuchsia-multiple-inheritance

Warns if a class inherits from multiple classes that are not pure virtual.

For example, declaring a class that inherits from multiple concrete classes is disallowed:

class Base_A {
public:
  virtual int foo() { return 0; }
};

class Base_B {
public:
  virtual int bar() { return 0; }
};

// Warning
class Bad_Child1 : public Base_A, Base_B {};

A class that inherits from a pure virtual is allowed:

class Interface_A {
public:
  virtual int foo() = 0;
};

class Interface_B {
public:
  virtual int bar() = 0;
};

// No warning
class Good_Child1 : public Interface_A, Interface_B {
  virtual int foo() override { return 0; }
  virtual int bar() override { return 0; }
};

See the features disallowed in Fuchsia at https://fuchsia.dev/fuchsia-src/development/languages/c-cpp/cxx?hl=en

fuchsia-overloaded-operator

Warns if an operator is overloaded, except for the assignment (copy and move) operators.

For example:

int operator+(int);     // Warning

B &operator=(const B &Other);  // No warning
B &operator=(B &&Other) // No warning

See the features disallowed in Fuchsia at https://fuchsia.dev/fuchsia-src/development/languages/c-cpp/cxx?hl=en

fuchsia-statically-constructed-objects

Warns if global, non-trivial objects with static storage are constructed, unless the object is statically initialized with a constexpr constructor or has no explicit constructor.

For example:

class A {};

class B {
public:
  B(int Val) : Val(Val) {}
private:
  int Val;
};

class C {
public:
  constexpr C(int Val) : Val(Val) {}
  C(int Val1, int Val2) : Val(Val1+Val2) {}

private:
  int Val;
};

static A a;         // No warning, as there is no explicit constructor
static C c(0);      // No warning, as constructor is constexpr

static B b(0);      // Warning, as constructor is not constexpr
static C c2(0, 1);  // Warning, as constructor is not constexpr

static int i;       // No warning, as it is trivial

extern int get_i();
static C c3(get_i());// Warning, as the constructor is dynamically initialized

See the features disallowed in Fuchsia at https://fuchsia.dev/fuchsia-src/development/languages/c-cpp/cxx?hl=en

fuchsia-trailing-return

Functions that have trailing returns are disallowed, except for those using decltype specifiers and lambda with otherwise unutterable return types.

For example:

// No warning
int add_one(const int arg) { return arg; }

// Warning
auto get_add_one() -> int (*)(const int) {
  return add_one;
}

Exceptions are made for lambdas and decltype specifiers:

// No warning
auto lambda = [](double x, double y) -> double {return x + y;};

// No warning
template <typename T1, typename T2>
auto fn(const T1 &lhs, const T2 &rhs) -> decltype(lhs + rhs) {
  return lhs + rhs;
}

See the features disallowed in Fuchsia at https://fuchsia.dev/fuchsia-src/development/languages/c-cpp/cxx?hl=en

fuchsia-virtual-inheritance

Warns if classes are defined with virtual inheritance.

For example, classes should not be defined with virtual inheritance:

class B : public virtual A {};   // warning

See the features disallowed in Fuchsia at https://fuchsia.dev/fuchsia-src/development/languages/c-cpp/cxx?hl=en

google-build-explicit-make-pair

Check that make_pair's template arguments are deduced.

G++ 4.6 in C++11 mode fails badly if make_pair's template arguments are specified explicitly, and such use isn't intended in any case.

Corresponding cpplint.py check name: build/explicit_make_pair.

google-build-namespaces

cert-dcl59-cpp redirects here as an alias for this check. fuchsia-header-anon-namespaces redirects here as an alias for this check.

Finds anonymous namespaces in headers.

https://google.github.io/styleguide/cppguide.html#Namespaces

Corresponding cpplint.py check name: build/namespaces.

google-build-using-namespace

Finds using namespace directives.

The check implements the following rule of the Google C++ Style Guide:

You may not use a using-directive to make all names from a namespace available.

// Forbidden -- This pollutes the namespace.
using namespace foo;

Corresponding cpplint.py check name: build/namespaces.

google-default-arguments

Checks that default arguments are not given for virtual methods.

See https://google.github.io/styleguide/cppguide.html#Default_Arguments

google-explicit-constructor

Checks that constructors callable with a single argument and conversion operators are marked explicit to avoid the risk of unintentional implicit conversions.

Consider this example:

struct S {
  int x;
  operator bool() const { return true; }
};

bool f() {
  S a{1};
  S b{2};
  return a == b;
}

The function will return true, since the objects are implicitly converted to bool before comparison, which is unlikely to be the intent.

The check will suggest inserting explicit before the constructor or conversion operator declaration. However, copy and move constructors should not be explicit, as well as constructors taking a single initializer_list argument.

This code:

struct S {
  S(int a);
  explicit S(const S&);
  operator bool() const;
  ...

will become

struct S {
  explicit S(int a);
  S(const S&);
  explicit operator bool() const;
  ...

See https://google.github.io/styleguide/cppguide.html#Explicit_Constructors

google-global-names-in-headers

Flag global namespace pollution in header files. Right now it only triggers on using declarations and directives.

The relevant style guide section is https://google.github.io/styleguide/cppguide.html#Namespaces.

google-objc-avoid-nsobject-new

Finds calls to +new or overrides of it, which are prohibited by the Google Objective-C style guide.

The Google Objective-C style guide forbids calling +new or overriding it in class implementations, preferring +alloc and -init methods to instantiate objects.

An example:

NSDate *now = [NSDate new];
Foo *bar = [Foo new];

Instead, code should use +alloc/-init or class factory methods.

NSDate *now = [NSDate date];
Foo *bar = [[Foo alloc] init];

This check corresponds to the Google Objective-C Style Guide rule Do Not Use +new.

google-objc-avoid-throwing-exception

Finds uses of throwing exceptions usages in Objective-C files.

For the same reason as the Google C++ style guide, we prefer not throwing exceptions from Objective-C code.

The corresponding C++ style guide rule: https://google.github.io/styleguide/cppguide.html#Exceptions

Instead, prefer passing in NSError ** and return BOOL to indicate success or failure.

A counterexample:

- (void)readFile {
  if ([self isError]) {
    @throw [NSException exceptionWithName:...];
  }
}

Instead, returning an error via NSError ** is preferred:

- (BOOL)readFileWithError:(NSError **)error {
  if ([self isError]) {
    *error = [NSError errorWithDomain:...];
    return NO;
  }
  return YES;
}

The corresponding style guide rule: https://google.github.io/styleguide/objcguide.html#avoid-throwing-exceptions

google-objc-function-naming

Finds function declarations in Objective-C files that do not follow the pattern described in the Google Objective-C Style Guide.

The corresponding style guide rule can be found here: https://google.github.io/styleguide/objcguide.html#function-names

All function names should be in Pascal case. Functions whose storage class is not static should have an appropriate prefix.

The following code sample does not follow this pattern:

static bool is_positive(int i) { return i > 0; }
bool IsNegative(int i) { return i < 0; }

The sample above might be corrected to the following code:

static bool IsPositive(int i) { return i > 0; }
bool *ABCIsNegative(int i) { return i < 0; }

google-objc-global-variable-declaration

Finds global variable declarations in Objective-C files that do not follow the pattern of variable names in Google's Objective-C Style Guide.

The corresponding style guide rule: https://google.github.io/styleguide/objcguide.html#variable-names

All the global variables should follow the pattern of g[A-Z].* (variables) or k[A-Z].* (constants). The check will suggest a variable name that follows the pattern if it can be inferred from the original name.

For code:

static NSString* myString = @"hello";

The fix will be:

static NSString* gMyString = @"hello";

Another example of constant:

static NSString* const myConstString = @"hello";

The fix will be:

static NSString* const kMyConstString = @"hello";

However for code that prefixed with non-alphabetical characters like:

static NSString* __anotherString = @"world";

The check will give a warning message but will not be able to suggest a fix. The user needs to fix it on their own.

google-readability-avoid-underscore-in-googletest-name

Checks whether there are underscores in googletest test suite names and test names in test macros:

  • TEST
  • TEST_F
  • TEST_P
  • TYPED_TEST
  • TYPED_TEST_P

The FRIEND_TEST macro is not included.

For example:

TEST(TestSuiteName, Illegal_TestName) {}
TEST(Illegal_TestSuiteName, TestName) {}

would trigger the check. Underscores are not allowed in test suite name nor test names.

The DISABLED_ prefix, which may be used to disable test suites and individual tests, is removed from the test suite name and test name before checking for underscores.

This check does not propose any fixes.

google-readability-braces-around-statements

The google-readability-braces-around-statements check is an alias, please see readability-braces-around-statements for more information.

google-readability-casting

Finds usages of C-style casts.

https://google.github.io/styleguide/cppguide.html#Casting

Corresponding cpplint.py check name: readability/casting.

This check is similar to -Wold-style-cast, but it suggests automated fixes in some cases. The reported locations should not be different from the ones generated by -Wold-style-cast.

google-readability-function-size

The google-readability-function-size check is an alias, please see readability-function-size for more information.

google-readability-namespace-comments

The google-readability-namespace-comments check is an alias, please see llvm-namespace-comment for more information.

google-readability-todo

Finds TODO comments without a username or bug number.

The relevant style guide section is https://google.github.io/styleguide/cppguide.html#TODO_Comments.

Corresponding cpplint.py check: readability/todo

google-runtime-int

Finds uses of short, long and long long and suggest replacing them with u?intXX(_t)?.

The corresponding style guide rule: https://google.github.io/styleguide/cppguide.html#Integer_Types.

Corresponding cpplint.py check: runtime/int.

Options

UnsignedTypePrefix

A string specifying the unsigned type prefix. Default is uint.

SignedTypePrefix

A string specifying the signed type prefix. Default is int.

TypeSuffix

A string specifying the type suffix. Default is an empty string.

google-runtime-operator

Finds overloads of unary operator &.

https://google.github.io/styleguide/cppguide.html#Operator_Overloading

Corresponding cpplint.py check name: runtime/operator.

google-upgrade-googletest-case

Finds uses of deprecated Google Test version 1.9 APIs with names containing case and replaces them with equivalent APIs with suite.

All names containing case are being replaced to be consistent with the meanings of "test case" and "test suite" as used by the International Software Testing Qualifications Board and ISO 29119.

The new names are a part of Google Test version 1.9 (release pending). It is recommended that users update their dependency to version 1.9 and then use this check to remove deprecated names.

The affected APIs are:

  • Member functions of testing::Test, testing::TestInfo, testing::TestEventListener, testing::UnitTest, and any type inheriting from these types
  • The macros TYPED_TEST_CASE, TYPED_TEST_CASE_P, REGISTER_TYPED_TEST_CASE_P, and INSTANTIATE_TYPED_TEST_CASE_P
  • The type alias testing::TestCase

Examples of fixes created by this check:

class FooTest : public testing::Test {
public:
  static void SetUpTestCase();
  static void TearDownTestCase();
};

TYPED_TEST_CASE(BarTest, BarTypes);

becomes

class FooTest : public testing::Test {
public:
  static void SetUpTestSuite();
  static void TearDownTestSuite();
};

TYPED_TEST_SUITE(BarTest, BarTypes);

For better consistency of user code, the check renames both virtual and non-virtual member functions with matching names in derived types. The check tries to provide only a warning when a fix cannot be made safely, as is the case with some template and macro uses.

hicpp-avoid-c-arrays

The hicpp-avoid-c-arrays check is an alias, please see modernize-avoid-c-arrays for more information. It partly enforces the rule 4.1.1.

hicpp-avoid-goto

The hicpp-avoid-goto check is an alias, please see cppcoreguidelines-avoid-goto for more information. It enforces the rule 6.3.1.

hicpp-braces-around-statements

The hicpp-braces-around-statements check is an alias, please see readability-braces-around-statements for more information. It enforces the rule 6.1.1.

hicpp-deprecated-headers

The hicpp-deprecated-headers check is an alias, please see modernize-deprecated-headers for more information. It enforces the rule 1.3.3.

hicpp-exception-baseclass

Ensure that every value that in a throw expression is an instance of std::exception.

This enforces rule 15.1 of the High Integrity C++ Coding Standard.

class custom_exception {};

void throwing() noexcept(false) {
  // Problematic throw expressions.
  throw int(42);
  throw custom_exception();
}

class mathematical_error : public std::exception {};

void throwing2() noexcept(false) {
  // These kind of throws are ok.
  throw mathematical_error();
  throw std::runtime_error();
  throw std::exception();
}

hicpp-explicit-conversions

This check is an alias for google-explicit-constructor. Used to enforce parts of rule 5.4.1. This check will enforce that constructors and conversion operators are marked explicit. Other forms of casting checks are implemented in other places. The following checks can be used to check for more forms of casting:

  • cppcoreguidelines-pro-type-static-cast-downcast
  • cppcoreguidelines-pro-type-reinterpret-cast
  • cppcoreguidelines-pro-type-const-cast
  • cppcoreguidelines-pro-type-cstyle-cast

hicpp-function-size

This check is an alias for readability-function-size. Useful to enforce multiple sections on function complexity.

hicpp-ignored-remove-result

Ensure that the result of std::remove, std::remove_if and std::unique are not ignored according to rule 17.5.1.

The mutating algorithms std::remove, std::remove_if and both overloads of std::unique operate by swapping or moving elements of the range they are operating over. On completion, they return an iterator to the last valid element. In the majority of cases the correct behavior is to use this result as the first operand in a call to std::erase.

This check is a subset of bugprone-unused-return-value and depending on used options it can be superfluous to enable both checks.

Options

AllowCastToVoid

Controls whether casting return values to void is permitted. Default: true.

hicpp-invalid-access-moved

This check is an alias for bugprone-use-after-move.

Implements parts of the rule 8.4.1 to check if moved-from objects are accessed.

hicpp-member-init

This check is an alias for cppcoreguidelines-pro-type-member-init. Implements the check for rule 12.4.2 to initialize class members in the right order.

hicpp-move-const-arg

The hicpp-move-const-arg check is an alias, please see performance-move-const-arg for more information. It enforces the rule 17.3.1.

hicpp-multiway-paths-covered

This check discovers situations where code paths are not fully-covered. It furthermore suggests using if instead of switch if the code will be more clear. The rule 6.1.2 and rule 6.1.4 of the High Integrity C++ Coding Standard are enforced.

if-else if chains that miss a final else branch might lead to unexpected program execution and be the result of a logical error. If the missing else branch is intended you can leave it empty with a clarifying comment. This warning can be noisy on some code bases, so it is disabled by default.

void f1() {
  int i = determineTheNumber();

   if(i > 0) {
     // Some Calculation
   } else if (i < 0) {
     // Precondition violated or something else.
   }
   // ...
}

Similar arguments hold for switch statements which do not cover all possible code paths.

// The missing default branch might be a logical error. It can be kept empty
// if there is nothing to do, making it explicit.
void f2(int i) {
  switch (i) {
  case 0: // something
    break;
  case 1: // something else
    break;
  }
  // All other numbers?
}

// Violates this rule as well, but already emits a compiler warning (-Wswitch).
enum Color { Red, Green, Blue, Yellow };
void f3(enum Color c) {
  switch (c) {
  case Red: // We can't drive for now.
    break;
  case Green:  // We are allowed to drive.
    break;
  }
  // Other cases missing
}

The rule 6.1.4 requires every switch statement to have at least two case labels other than a default label. Otherwise, the switch could be better expressed with an if statement. Degenerated switch statements without any labels are caught as well.

// Degenerated switch that could be better written as `if`
int i = 42;
switch(i) {
  case 1: // do something here
  default: // do something else here
}

// Should rather be the following:
if (i == 1) {
  // do something here
}
else {
  // do something here
}
// A completely degenerated switch will be diagnosed.
int i = 42;
switch(i) {}

Options

WarnOnMissingElse

Boolean flag that activates a warning for missing else branches. Default is false.

hicpp-named-parameter

This check is an alias for readability-named-parameter.

Implements rule 8.2.1.

hicpp-new-delete-operators

This check is an alias for misc-new-delete-overloads. Implements rule 12.3.1 to ensure the new and delete operators have the correct signature.

hicpp-no-array-decay

The hicpp-no-array-decay check is an alias, please see cppcoreguidelines-pro-bounds-array-to-pointer-decay for more information. It enforces the rule 4.1.1.

hicpp-no-assembler

Checks for assembler statements. Use of inline assembly should be avoided since it restricts the portability of the code.

This enforces rule 7.5.1 of the High Integrity C++ Coding Standard.

hicpp-no-malloc

The hicpp-no-malloc check is an alias, please see cppcoreguidelines-no-malloc for more information. It enforces the rule 5.3.2.

hicpp-noexcept-move

This check is an alias for performance-noexcept-move-constructor. Checks rule 12.5.4 to mark move assignment and move construction noexcept.

hicpp-signed-bitwise

Finds uses of bitwise operations on signed integer types, which may lead to undefined or implementation defined behavior.

The according rule is defined in the High Integrity C++ Standard, Section 5.6.1.

Options

IgnorePositiveIntegerLiterals

If this option is set to true, the check will not warn on bitwise operations with positive integer literals, e.g. ~0, 2 << 1, etc. Default value is false.

hicpp-special-member-functions

This check is an alias for cppcoreguidelines-special-member-functions. Checks that special member functions have the correct signature, according to rule 12.5.7.

hicpp-static-assert

The hicpp-static-assert check is an alias, please see misc-static-assert for more information. It enforces the rule 7.1.10.

hicpp-undelegated-constructor

This check is an alias for bugprone-undelegated-constructor. Partially implements rule 12.4.5 to find misplaced constructor calls inside a constructor.

struct Ctor {
  Ctor();
  Ctor(int);
  Ctor(int, int);
  Ctor(Ctor *i) {
    // All Ctor() calls result in a temporary object
    Ctor(); // did you intend to call a delegated constructor?
    Ctor(0); // did you intend to call a delegated constructor?
    Ctor(1, 2); // did you intend to call a delegated constructor?
    foo();
  }
};

hicpp-uppercase-literal-suffix

The hicpp-uppercase-literal-suffix check is an alias, please see readability-uppercase-literal-suffix for more information.

Partially implements rule 4.2.1 to ensure that the U suffix is writeln properly.

hicpp-use-auto

The hicpp-use-auto check is an alias, please see modernize-use-auto for more information. It enforces the rule 7.1.8.

hicpp-use-emplace

The hicpp-use-emplace check is an alias, please see modernize-use-emplace for more information. It enforces the rule 17.4.2.

hicpp-use-equals-default

This check is an alias for modernize-use-equals-default. Implements rule 12.5.1 to explicitly default special member functions.

hicpp-use-equals-delete

This check is an alias for modernize-use-equals-delete. Implements rule 12.5.1 to explicitly default or delete special member functions.

hicpp-use-noexcept

The hicpp-use-noexcept check is an alias, please see modernize-use-noexcept for more information. It enforces the rule 1.3.5.

hicpp-use-nullptr

The hicpp-use-nullptr check is an alias, please see modernize-use-nullptr for more information. It enforces the rule 2.5.3.

hicpp-use-override

This check is an alias for modernize-use-override. Implements rule 10.2.1 to declare a virtual function override when overriding.

hicpp-vararg

The hicpp-vararg check is an alias, please see cppcoreguidelines-pro-type-vararg for more information. It enforces the rule 14.1.1.

linuxkernel-must-check-errs

Checks Linux kernel code to see if it uses the results from the functions in linux/err.h. Also checks to see if code uses the results from functions that directly return a value from one of these error functions.

This is important in the Linux kernel because ERR_PTR, PTR_ERR, IS_ERR, IS_ERR_OR_NULL, ERR_CAST, and PTR_ERR_OR_ZERO return values must be checked, since positive pointers and negative error codes are being used in the same context. These functions are marked with __attribute__((warn_unused_result)), but some kernel versions do not have this warning enabled for clang.

Examples:

/* Trivial unused call to an ERR function */
PTR_ERR_OR_ZERO(some_function_call());

/* A function that returns ERR_PTR. */
void *fn() { ERR_PTR(-EINVAL); }

/* An invalid use of fn. */
fn();

llvm-else-after-return

The llvm-else-after-return check is an alias, please see readability-else-after-return for more information.

llvm-header-guard

Finds and fixes header guards that do not adhere to LLVM style.

llvm-include-order

Checks the correct order of #includes.

See https://llvm.org/docs/CodingStandards.html#include-style

llvm-namespace-comment

google-readability-namespace-comments redirects here as an alias for this check.

Checks that long namespaces have a closing comment.

https://llvm.org/docs/CodingStandards.html#namespace-indentation

https://google.github.io/styleguide/cppguide.html#Namespaces

namespace n1 {
void f();
}

// becomes

namespace n1 {
void f();
}  // namespace n1

Options

ShortNamespaceLines

Requires the closing brace of the namespace definition to be followed by a closing comment if the body of the namespace has more than ShortNamespaceLines lines of code. The value is an unsigned integer that defaults to 1U.

SpacesBeforeComments

An unsigned integer specifying the number of spaces before the comment closing a namespace definition. Default is 1U.

llvm-prefer-isa-or-dyn-cast-in-conditionals

Looks at conditionals and finds and replaces cases of cast<>, which will assert rather than return a null pointer, and dyn_cast<> where the return value is not captured. Additionally, finds and replaces cases that match the pattern var && isa<X>(var), where var is evaluated twice.

// Finds these:
if (auto x = cast<X>(y)) {}
// is replaced by:
if (auto x = dyn_cast<X>(y)) {}

if (cast<X>(y)) {}
// is replaced by:
if (isa<X>(y)) {}

if (dyn_cast<X>(y)) {}
// is replaced by:
if (isa<X>(y)) {}

if (var && isa<T>(var)) {}
// is replaced by:
if (isa_and_nonnull<T>(var.foo())) {}

// Other cases are ignored, e.g.:
if (auto f = cast<Z>(y)->foo()) {}
if (cast<Z>(y)->foo()) {}
if (X.cast(y)) {}

llvm-prefer-register-over-unsigned

Finds historical use of unsigned to hold vregs and physregs and rewrites them to use Register.

Currently this works by finding all variables of unsigned integer type whose initializer begins with an implicit cast from Register to unsigned.

void example(MachineOperand &MO) {
  unsigned Reg = MO.getReg();
  ...
}

becomes:

void example(MachineOperand &MO) {
  Register Reg = MO.getReg();
  ...
}

llvm-qualified-auto

The llvm-qualified-auto check is an alias, please see readability-qualified-auto for more information.

llvm-twine-local

Looks for local Twine variables which are prone to use after frees and should be generally avoided.

static Twine Moo = Twine("bark") + "bah";

// becomes

static std::string Moo = (Twine("bark") + "bah").str();

llvmlibc-callee-namespace

Checks all calls resolve to functions within correct namespace.

// Implementation inside the LIBC_NAMESPACE namespace.
// Correct if:
// - LIBC_NAMESPACE is a macro
// - LIBC_NAMESPACE expansion starts with `__llvm_libc`
namespace LIBC_NAMESPACE {

// Allow calls with the fully qualified name.
LIBC_NAMESPACE::strlen("hello");

// Allow calls to compiler provided functions.
(void)__builtin_abs(-1);

// Bare calls are allowed as long as they resolve to the correct namespace.
strlen("world");

// Disallow calling into functions in the global namespace.
::strlen("!");

} // namespace LIBC_NAMESPACE

llvmlibc-implementation-in-namespace

Checks that all declarations in the llvm-libc implementation are within the correct namespace.

// Implementation inside the LIBC_NAMESPACE_DECL namespace.
// Correct if:
// - LIBC_NAMESPACE_DECL is a macro
// - LIBC_NAMESPACE_DECL expansion starts with `[[gnu::visibility("hidden")]] __llvm_libc`
namespace LIBC_NAMESPACE_DECL {
    void LLVM_LIBC_ENTRYPOINT(strcpy)(char *dest, const char *src) {}
    // Namespaces within LIBC_NAMESPACE_DECL namespace are allowed.
    namespace inner {
        int localVar = 0;
    }
    // Functions with C linkage are allowed.
    extern "C" void str_fuzz() {}
}

// Incorrect: implementation not in the LIBC_NAMESPACE_DECL namespace.
void LLVM_LIBC_ENTRYPOINT(strcpy)(char *dest, const char *src) {}

// Incorrect: outer most namespace is not the LIBC_NAMESPACE_DECL macro.
namespace something_else {
    void LLVM_LIBC_ENTRYPOINT(strcpy)(char *dest, const char *src) {}
}

// Incorrect: outer most namespace expansion does not start with `[[gnu::visibility("hidden")]] __llvm_libc`.
#define LIBC_NAMESPACE_DECL custom_namespace
namespace LIBC_NAMESPACE_DECL {
    void LLVM_LIBC_ENTRYPOINT(strcpy)(char *dest, const char *src) {}
}

llvmlibc-inline-function-decl

Checks that all implicitly and explicitly inline functions in header files are tagged with the LIBC_INLINE macro, except for functions implicit to classes or deleted functions. See the libc style guide for more information about this macro.

llvmlibc-restrict-system-libc-headers

Finds includes of system libc headers not provided by the compiler within llvm-libc implementations.

#include <stdio.h>            // Not allowed because it is part of system libc.
#include <stddef.h>           // Allowed because it is provided by the compiler.
#include "internal/stdio.h"   // Allowed because it is NOT part of system libc.

This check is necessary because accidentally including system libc headers can lead to subtle and hard to detect bugs. For example consider a system libc whose dirent struct has slightly different field ordering than llvm-libc. While this will compile successfully, this can cause issues during runtime because they are ABI incompatible.

Options

Includes

A string containing a comma separated glob list of allowed include filenames. Similar to the -checks glob list for running clang-tidy itself, the two wildcard characters are * and -, to include and exclude globs, respectively. The default is -*, which disallows all includes.

This can be used to allow known safe includes such as Linux development headers. See portability-restrict-system-includes for more details.

misc-confusable-identifiers

Warn about confusable identifiers, i.e. identifiers that are visually close to each other, but use different Unicode characters. This detects a potential attack described in CVE-2021-42574.

Example:

int fo; // Initial character is U+0066 (LATIN SMALL LETTER F).
int šŸo; // Initial character is U+1D41F (MATHEMATICAL BOLD SMALL F) not U+0066 (LATIN SMALL LETTER F).

misc-const-correctness

This check implements detection of local variables which could be declared as const but are not. Declaring variables as const is required or recommended by many coding guidelines, such as: ES.25 from the C++ Core Guidelines and AUTOSAR C++14 Rule A7-1-1 (6.7.1 Specifiers).

Please note that this check's analysis is type-based only. Variables that are not modified but used to create a non-const handle that might escape the scope are not diagnosed as potential const.

// Declare a variable, which is not ``const`` ...
int i = 42;
// but use it as read-only. This means that `i` can be declared ``const``.
int result = i * i;       // Before transformation
int const result = i * i; // After transformation

The check can analyze values, pointers and references but not (yet) pointees:

// Normal values like built-ins or objects.
int potential_const_int = 42;       // Before transformation
int const potential_const_int = 42; // After transformation
int copy_of_value = potential_const_int;

MyClass could_be_const;       // Before transformation
MyClass const could_be_const; // After transformation
could_be_const.const_qualified_method();

// References can be declared const as well.
int &reference_value = potential_const_int;       // Before transformation
int const& reference_value = potential_const_int; // After transformation
int another_copy = reference_value;

// The similar semantics of pointers are not (yet) analyzed.
int *pointer_variable = &potential_const_int; // _NO_ 'const int *pointer_variable' suggestion.
int last_copy = *pointer_variable;

The automatic code transformation is only applied to variables that are declared in single declarations. You may want to prepare your code base with readability-isolate-declaration first.

Note that there is the check cppcoreguidelines-avoid-non-const-global-variables to enforce const correctness on all globals.

Known Limitations

The check does not run on C code.

The check will not analyze templated variables or variables that are instantiation dependent. Different instantiations can result in different const correctness properties and in general it is not possible to find all instantiations of a template. The template might be used differently in an independent translation unit.

Pointees can not be analyzed for constness yet. The following code shows this limitation.

// Declare a variable that will not be modified.
int constant_value = 42;

// Declare a pointer to that variable, that does not modify either, but misses 'const'.
// Could be 'const int *pointer_to_constant = &constant_value;'
int *pointer_to_constant = &constant_value;

// Usage:
int result = 520 * 120 * (*pointer_to_constant);

This limitation affects the capability to add const to methods which is not possible, too.

Options

AnalyzeValues (default = true)

Enable or disable the analysis of ordinary value variables, like int i = 42;

// Warning
int i = 42;
// No warning
int const i = 42;

// Warning
int a[] = {42, 42, 42};
// No warning
int const a[] = {42, 42, 42};
AnalyzeReferences (default = true)

Enable or disable the analysis of reference variables, like int &ref = i;

int i = 42;
// Warning
int& ref = i;
// No warning
int const& ref = i;
WarnPointersAsValues (default = false)

This option enables the suggestion for const of the pointer itself. Pointer values have two possibilities to be const, the pointer and the value pointing to.

int value = 42;

// Warning
const int * pointer_variable = &value;
// No warning
const int *const pointer_variable = &value;
TransformValues (default = true)

Provides fixit-hints for value types that automatically add const if its a single declaration.

// Before
int value = 42;
// After
int const value = 42;

// Before
int a[] = {42, 42, 42};
// After
int const a[] = {42, 42, 42};

// Result is modified later in its life-time. No diagnostic and fixit hint will be emitted.
int result = value * 3;
result -= 10;
TransformReferences (default = true)

Provides fixit-hints for reference types that automatically add const if its a single declaration.

// This variable could still be a constant. But because there is a non-const reference to
// it, it can not be transformed (yet).
int value = 42;
// The reference 'ref_value' is not modified and can be made 'const int &ref_value = value;'
// Before
int &ref_value = value;
// After
int const &ref_value = value;

// Result is modified later in its life-time. No diagnostic and fixit hint will be emitted.
int result = ref_value * 3;
result -= 10;
TransformPointersAsValues (default = false)

Provides fixit-hints for pointers if their pointee is not changed. This does not analyze if the value-pointed-to is unchanged!

Requires 'WarnPointersAsValues' to be 'true'.

int value = 42;

// Before
const int * pointer_variable = &value;
// After
const int *const pointer_variable = &value;

// Before
const int * a[] = {&value, &value};
// After
const int *const a[] = {&value, &value};

// Before
int *ptr_value = &value;
// After
int *const ptr_value = &value;

int result = 100 * (*ptr_value); // Does not modify the pointer itself.
// This modification of the pointee is still allowed and not diagnosed.
*ptr_value = 0;

// The following pointer may not become a 'int *const'.
int *changing_pointee = &value;
changing_pointee = &result;

misc-coroutine-hostile-raii

Detects when objects of certain hostile RAII types persists across suspension points in a coroutine. Such hostile types include scoped-lockable types and types belonging to a configurable denylist.

Some objects require that they be destroyed on the same thread that created them. Traditionally this requirement was often phrased as "must be a local variable", under the assumption that local variables always work this way. However this is incorrect with C++20 coroutines, since an intervening co_await may cause the coroutine to suspend and later be resumed on another thread.

The lifetime of an object that requires being destroyed on the same thread must not encompass a co_await or co_yield point. If you create/destroy an object, you must do so without allowing the coroutine to suspend in the meantime.

Following types are considered as hostile:

  • Scoped-lockable types: A scoped-lockable object persisting across a suspension point is problematic as the lock held by this object could be unlocked by a different thread. This would be undefined behaviour. This includes all types annotated with the scoped_lockable attribute.
  • Types belonging to a configurable denylist.
// Call some async API while holding a lock.
task coro() {
  const std::lock_guard l(&mu_);

  // Oops! The async Bar function may finish on a different
  // thread from the one that created the lock_guard (and called
  // Mutex::Lock). After suspension, Mutex::Unlock will be called on the wrong thread.
  co_await Bar();
}

Options

RAIITypesList

A semicolon-separated list of qualified types which should not be allowed to persist across suspension points. Eg: my::lockable; a::b;::my::other::lockable; The default value of this option is "std::lock_guard;std::scoped_lock".

AllowedAwaitablesList

A semicolon-separated list of qualified types of awaitables types which can be safely awaited while having hostile RAII objects in scope.

co_await-ing an expression of awaitable type is considered safe if the awaitable type is part of this list. RAII objects persisting across such a co_await expression are considered safe and hence are not flagged.

Example usage:

// Consider option AllowedAwaitablesList = "safe_awaitable"
struct safe_awaitable {
  bool await_ready() noexcept { return false; }
  void await_suspend(std::coroutine_handle<>) noexcept {}
  void await_resume() noexcept {}
};
auto wait() { return safe_awaitable{}; }

task coro() {
  // This persists across both the co_await's but is not flagged
  // because the awaitable is considered safe to await on.
  const std::lock_guard l(&mu_);
  co_await safe_awaitable{};
  co_await wait();
}

Eg: my::safe::awaitable;other::awaitable The default value of this option is empty string "".

misc-definitions-in-headers

Finds non-extern non-inline function and variable definitions in header files, which can lead to potential ODR violations in case these headers are included from multiple translation units.

// Foo.h
int a = 1; // Warning: variable definition.
extern int d; // OK: extern variable.

namespace N {
  int e = 2; // Warning: variable definition.
}

// Warning: variable definition.
const char* str = "foo";

// OK: internal linkage variable definitions are ignored for now.
// Although these might also cause ODR violations, we can be less certain and
// should try to keep the false-positive rate down.
static int b = 1;
const int c = 1;
const char* const str2 = "foo";
constexpr int k = 1;
namespace { int x = 1; }

// Warning: function definition.
int g() {
  return 1;
}

// OK: inline function definition is allowed to be defined multiple times.
inline int e() {
  return 1;
}

class A {
public:
  int f1() { return 1; } // OK: implicitly inline member function definition is allowed.
  int f2();

  static int d;
};

// Warning: not an inline member function definition.
int A::f2() { return 1; }

// OK: class static data member declaration is allowed.
int A::d = 1;

// OK: function template is allowed.
template<typename T>
T f3() {
  T a = 1;
  return a;
}

// Warning: full specialization of a function template is not allowed.
template <>
int f3() {
  int a = 1;
  return a;
}

template <typename T>
struct B {
  void f1();
};

// OK: member function definition of a class template is allowed.
template <typename T>
void B<T>::f1() {}

class CE {
  constexpr static int i = 5; // OK: inline variable definition.
};

inline int i = 5; // OK: inline variable definition.

constexpr int f10() { return 0; } // OK: constexpr function implies inline.

// OK: C++14 variable templates are inline.
template <class T>
constexpr T pi = T(3.1415926L);

When clang-tidy is invoked with the --fix-notes option, this check provides fixes that automatically add the inline keyword to discovered functions. Please note that the addition of the inline keyword to variables is not currently supported by this check.

misc-header-include-cycle

Check detects cyclic #include dependencies between user-defined headers.

// Header A.hpp
#pragma once
#include "B.hpp"

// Header B.hpp
#pragma once
#include "C.hpp"

// Header C.hpp
#pragma once
#include "A.hpp"

// Include chain: A->B->C->A

Header files are a crucial part of many C++ programs as they provide a way to organize declarations and definitions shared across multiple source files. However, header files can also create problems when they become entangled in complex dependency cycles. Such cycles can cause issues with compilation times, unnecessary rebuilds, and make it harder to understand the overall structure of the code.

To address these issues, a check has been developed to detect cyclic dependencies between header files, also known as "include cycles". An include cycle occurs when a header file A includes header file B, and B (or any subsequent included header file) includes back header file A, resulting in a circular dependency cycle.

This check operates at the preprocessor level and specifically analyzes user-defined headers and their dependencies. It focuses solely on detecting include cycles while disregarding other types or function dependencies. This specialized analysis helps identify and prevent issues related to header file organization.

By detecting include cycles early in the development process, developers can identify and resolve these issues before they become more difficult and time-consuming to fix. This can lead to faster compile times, improved code quality, and a more maintainable codebase overall. Additionally, by ensuring that header files are organized in a way that avoids cyclic dependencies, developers can make their code easier to understand and modify over time.

It's worth noting that only user-defined headers their dependencies are analyzed, System includes such as standard library headers and third-party library headers are excluded. System includes are usually well-designed and free of include cycles, and ignoring them helps to focus on potential issues within the project's own codebase. This limitation doesn't diminish the ability to detect #include cycles within the analyzed code.

Developers should carefully review any warnings or feedback provided by this solution. While the analysis aims to identify and prevent include cycles, there may be situations where exceptions or modifications are necessary. It's important to exercise judgment and consider the specific context of the codebase when making adjustments.

Options

IgnoredFilesList

Provides a way to exclude specific files/headers from the warnings raised by a check. This can be achieved by specifying a semicolon-separated list of regular expressions or filenames. This option can be used as an alternative to //NOLINT when using it is not possible. The default value of this option is an empty string, indicating that no files are ignored by default.

misc-include-cleaner

Checks for unused and missing includes. Generates findings only for the main file of a translation unit. Findings correspond to https://clangd.llvm.org/design/include-cleaner.

Example:

// foo.h
class Foo{};
// bar.h
#include "baz.h"
class Bar{};
// baz.h
class Baz{};
// main.cc
#include "bar.h" // OK: uses class Bar from bar.h
#include "foo.h" // warning: unused include "foo.h"
Bar bar;
Baz baz; // warning: missing include "baz.h"

Options

IgnoreHeaders

A semicolon-separated list of regexes to disable insertion/removal of header files that match this regex as a suffix. Ā E.g., foo/.* disables insertion/removal for all headers under the directory foo. By default, no headers will be ignored.

DeduplicateFindings

A boolean that controls whether the check should deduplicate findings for the same symbol. Defaults to true.

misc-misleading-bidirectional

Warn about unterminated bidirectional unicode sequence, detecting potential attack as described in the Trojan Source attack.

Example:

#include <iostream>

int main() {
    bool isAdmin = false;
    /*ā€® } ā¦if (isAdmin)ā© ā¦ begin admins only */
        std::cout << "You are an admin.\n";
    /* end admins only ā€® { ā¦*/
    return 0;
}

misc-misleading-identifier

Finds identifiers that contain Unicode characters with right-to-left direction, which can be confusing as they may change the understanding of a whole statement line, as described in Trojan Source.

An example of such misleading code follows:

#include <stdio.h>

short int א = (short int)0;
short int ג = (short int)12345;

int main() {
  int א = ג; // a local variable, set to zero?
  printf("ג is %d\n", ג);
  printf("א is %d\n", א);
}

misc-misplaced-const

This check diagnoses when a const qualifier is applied to a typedef/ using to a pointer type rather than to the pointee, because such constructs are often misleading to developers because the const applies to the pointer rather than the pointee.

For instance, in the following code, the resulting type is int * const rather than const int *:

typedef int *int_ptr;
void f(const int_ptr ptr) {
  *ptr = 0; // potentially quite unexpectedly the int can be modified here
  ptr = 0; // does not compile
}

The check does not diagnose when the underlying typedef/using type is a pointer to a const type or a function pointer type. This is because the const qualifier is less likely to be mistaken because it would be redundant (or disallowed) on the underlying pointee type.

misc-new-delete-overloads

cert-dcl54-cpp redirects here as an alias for this check.

The check flags overloaded operator new() and operator delete() functions that do not have a corresponding free store function defined within the same scope. For instance, the check will flag a class implementation of a non-placement operator new() when the class does not also define a non-placement operator delete() function as well.

The check does not flag implicitly-defined operators, deleted or private operators, or placement operators.

This check corresponds to CERT C++ Coding Standard rule DCL54-CPP. Overload allocation and deallocation functions as a pair in the same scope.

misc-no-recursion

Finds strongly connected functions (by analyzing the call graph for SCC's (Strongly Connected Components) that are loops), diagnoses each function in the cycle, and displays one example of a possible call graph loop (recursion).

References:

Limitations:

  • The check does not handle calls done through function pointers
  • The check does not handle C++ destructors

misc-non-copyable-objects

cert-fio38-c redirects here as an alias for this check.

The check flags dereferences and non-pointer declarations of objects that are not meant to be passed by value, such as C FILE objects or POSIX pthread_mutex_t objects.

This check corresponds to CERT C++ Coding Standard rule FIO38-C. Do not copy a FILE object.

misc-non-private-member-variables-in-classes

cppcoreguidelines-non-private-member-variables-in-classes redirects here as an alias for this check.

Finds classes that contain non-static data members in addition to user-declared non-static member functions and diagnose all data members declared with a non-public access specifier. The data members should be declared as private and accessed through member functions instead of exposed to derived classes or class consumers.

Options

IgnoreClassesWithAllMemberVariablesBeingPublic

Allows to completely ignore classes if all the member variables in that class a declared with a public access specifier.

IgnorePublicMemberVariables

Allows to ignore (not diagnose) all the member variables declared with a public access specifier.

misc-redundant-expression

Detect redundant expressions which are typically errors due to copy-paste.

Depending on the operator expressions may be

  • redundant,
  • always true,
  • always false,
  • always a constant (zero or one).

Examples:

((x+1) | (x+1))             // (x+1) is redundant
(p->x == p->x)              // always true
(p->x < p->x)               // always false
(speed - speed + 1 == 12)   // speed - speed is always zero

misc-static-assert

cert-dcl03-c redirects here as an alias for this check.

Replaces assert() with static_assert() if the condition is evaluable at compile time.

The condition of static_assert() is evaluated at compile time which is safer and more efficient.

misc-throw-by-value-catch-by-reference

cert-err09-cpp and cert-err61-cpp redirect here as aliases of this check.

Finds violations of the rule "Throw by value, catch by reference" presented for example in "C++ Coding Standards" by H. Sutter and A. Alexandrescu, as well as the CERT C++ Coding Standard rule ERR61-CPP. Catch exceptions by lvalue reference.

Exceptions:
  • Throwing string literals will not be flagged despite being a pointer. They are not susceptible to slicing and the usage of string literals is idiomatic.
  • Catching character pointers (char, wchar_t, unicode character types) will not be flagged to allow catching string literals.
  • Moved named values will not be flagged as not throwing an anonymous temporary. In this case we can be sure that the user knows that the object can't be accessed outside catch blocks handling the error.
  • Throwing function parameters will not be flagged as not throwing an anonymous temporary. This allows helper functions for throwing.
  • Re-throwing caught exception variables will not be flagged as not throwing an anonymous temporary. Although this can usually be done by just writing throw; it happens often enough in real code.

Options

CheckThrowTemporaries

Triggers detection of violations of the CERT recommendation ERR09-CPP. Throw anonymous temporaries. Default is true.

WarnOnLargeObject

Also warns for any large, trivial object caught by value. Catching a large object by value is not dangerous but affects the performance negatively. The maximum size of an object allowed to be caught without warning can be set using the MaxSize option. Default is false.

MaxSize

Determines the maximum size of an object allowed to be caught without warning. Only applicable if WarnOnLargeObject is set to true. If the option is set by the user to std::numeric_limits<uint64_t>::max() then it reverts to the default value. Default is the size of size_t.

misc-unconventional-assign-operator

Finds declarations of assign operators with the wrong return and/or argument types and definitions with good return type but wrong return statements.

  • The return type must be Class&.
  • The assignment may be from the class type by value, const lvalue reference, non-const rvalue reference, or from a completely different type (e.g. int).
  • Private and deleted operators are ignored.
  • The operator must always return *this.

This check implements AUTOSAR C++14 Rule A13-2-1.

misc-uniqueptr-reset-release

Find and replace unique_ptr::reset(release()) with std::move().

Example:

std::unique_ptr<Foo> x, y;
x.reset(y.release()); -> x = std::move(y);

If y is already rvalue, std::move() is not added. x and y can also be std::unique_ptr<Foo>*.

Options

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

misc-unused-alias-decls

Finds unused namespace alias declarations.

namespace my_namespace {
class C {};
}
namespace unused_alias = ::my_namespace;

misc-unused-parameters

Finds unused function parameters. Unused parameters may signify a bug in the code (e.g. when a different parameter is used instead). The suggested fixes either comment parameter name out or remove the parameter completely, if all callers of the function are in the same translation unit and can be updated.

The check is similar to the -Wunused-parameter compiler diagnostic and can be used to prepare a codebase to enabling of that diagnostic. By default the check is more permissive (see StrictMode).

void a(int i) { /*some code that doesn't use `i`*/ }

// becomes

void a(int  /*i*/) { /*some code that doesn't use `i`*/ }
static void staticFunctionA(int i);
static void staticFunctionA(int i) { /*some code that doesn't use `i`*/ }

// becomes

static void staticFunctionA()
static void staticFunctionA() { /*some code that doesn't use `i`*/ }

Options

StrictMode

When false (default value), the check will ignore trivially unused parameters, i.e. when the corresponding function has an empty body (and in case of constructors - no constructor initializers). When the function body is empty, an unused parameter is unlikely to be unnoticed by a human reader, and there's basically no place for a bug to hide.

IgnoreVirtual

Determines whether virtual method parameters should be inspected. Set to true to ignore them. Default is false.

misc-unused-using-decls

Finds unused using declarations.

Unused using` declarations in header files will not be diagnosed since these using declarations are part of the header's public API. Allowed header file extensions can be configured via the global option HeaderFileExtensions.

Example:

// main.cpp
namespace n { class C; }
using n::C;  // Never actually used.

misc-use-anonymous-namespace

Finds instances of static functions or variables declared at global scope that could instead be moved into an anonymous namespace.

Anonymous namespaces are the "superior alternative" according to the C++ Standard. static was proposed for deprecation, but later un-deprecated to keep C compatibility [1]. static is an overloaded term with different meanings in different contexts, so it can create confusion.

The following uses of static will not be diagnosed:

  • Functions or variables in header files, since anonymous namespaces in headers is considered an antipattern. Allowed header file extensions can be configured via the global option HeaderFileExtensions.
  • const or constexpr variables, since they already have implicit internal linkage in C++.

Examples:

// Bad
static void foo();
static int x;

// Good
namespace {
  void foo();
  int x;
} // namespace

[1] Undeprecating static

misc-use-internal-linkage

Detects variables and functions that can be marked as static or moved into an anonymous namespace to enforce internal linkage.

Static functions and variables are scoped to a single file. Marking functions and variables as static helps to better remove dead code. In addition, it gives the compiler more information and allows for more aggressive optimizations.

Example:

int v1; // can be marked as static

void fn1(); // can be marked as static

namespace {
  // already in anonymous namespace
  int v2;
  void fn2();
}
// already declared as extern
extern int v2;

Options

FixMode

Selects what kind of a fix the check should provide. The default is UseStatic.

None

Don't fix automatically.

UseStatic

Add static for internal linkage variable and function.

modernize-avoid-bind

The check finds uses of std::bind and boost::bind and replaces them with lambdas. Lambdas will use value-capture unless reference capture is explicitly requested with std::ref or boost::ref.

It supports arbitrary callables including member functions, function objects, and free functions, and all variations thereof. Anything that you can pass to the first argument of bind should be diagnosable. Currently, the only known case where a fix-it is unsupported is when the same placeholder is specified multiple times in the parameter list.

Given:

int add(int x, int y) { return x + y; }

Then:

void f() {
  int x = 2;
  auto clj = std::bind(add, x, _1);
}

is replaced by:

void f() {
  int x = 2;
  auto clj = [=](auto && arg1) { return add(x, arg1); };
}

std::bind can be hard to read and can result in larger object files and binaries due to type information that will not be produced by equivalent lambdas.

Options

PermissiveParameterList

If the option is set to true, the check will append auto&&... to the end of every placeholder parameter list. Without this, it is possible for a fix-it to perform an incorrect transformation in the case where the result of the bind is used in the context of a type erased functor such as std::function which allows mismatched arguments. For example:

int add(int x, int y) { return x + y; }
int foo() {
  std::function<int(int,int)> ignore_args = std::bind(add, 2, 2);
  return ignore_args(3, 3);
}

is valid code, and returns 4. The actual values passed to ignore_args are simply ignored. Without PermissiveParameterList, this would be transformed into

int add(int x, int y) { return x + y; }
int foo() {
  std::function<int(int,int)> ignore_args = [] { return add(2, 2); }
  return ignore_args(3, 3);
}

which will not compile, since the lambda does not contain an operator() that accepts 2 arguments. With permissive parameter list, it instead generates

int add(int x, int y) { return x + y; }
int foo() {
  std::function<int(int,int)> ignore_args = [](auto&&...) { return add(2, 2); }
  return ignore_args(3, 3);
}

which is correct.

This check requires using C++14 or higher to run.

modernize-avoid-c-arrays

cppcoreguidelines-avoid-c-arrays redirects here as an alias for this check.

hicpp-avoid-c-arrays redirects here as an alias for this check.

Finds C-style array types and recommend to use std::array<> / std::vector<>. All types of C arrays are diagnosed.

However, fix-it are potentially dangerous in header files and are therefore not emitted right now.

int a[] = {1, 2}; // warning: do not declare C-style arrays, use std::array<> instead

int b[1]; // warning: do not declare C-style arrays, use std::array<> instead

void foo() {
  int c[b[0]]; // warning: do not declare C VLA arrays, use std::vector<> instead
}

template <typename T, int Size>
class array {
  T d[Size]; // warning: do not declare C-style arrays, use std::array<> instead

  int e[1]; // warning: do not declare C-style arrays, use std::array<> instead
};

array<int[4], 2> d; // warning: do not declare C-style arrays, use std::array<> instead

using k = int[4]; // warning: do not declare C-style arrays, use std::array<> instead

However, the extern "C" code is ignored, since it is common to share such headers between C code, and C++ code.

// Some header
extern "C" {

int f[] = {1, 2}; // not diagnosed

int j[1]; // not diagnosed

inline void bar() {
  {
    int j[j[0]]; // not diagnosed
  }
}

}

Similarly, the main() function is ignored. Its second and third parameters can be either char* argv[] or char** argv, but cannot be std::array<>.

AllowStringArrays

When set to true (default is false), variables of character array type with deduced length, initialized directly from string literals, will be ignored. This option doesn't affect cases where length can't be deduced, resembling pointers, as seen in class members and parameters. Example:

const char name[] = "Some name";

modernize-concat-nested-namespaces

Checks for use of nested namespaces such as namespace a { namespace b { ... } } and suggests changing to the more concise syntax introduced in C++17: namespace a::b { ... }. Inline namespaces are not modified.

For example:

namespace n1 {
namespace n2 {
void t();
}
}

namespace n3 {
namespace n4 {
namespace n5 {
void t();
}
}
namespace n6 {
namespace n7 {
void t();
}
}
}

// in c++20
namespace n8 {
inline namespace n9 {
void t();
}
}

Will be modified to:

namespace n1::n2 {
void t();
}

namespace n3 {
namespace n4::n5 {
void t();
}
namespace n6::n7 {
void t();
}
}

// in c++20
namespace n8::inline n9 {
void t();
}

modernize-deprecated-headers

Some headers from C library were deprecated in C++ and are no longer welcome in C++ codebases. Some have no effect in C++. For more details refer to the C++14 Standard [depr.c.headers] section.

This check replaces C standard library headers with their C++ alternatives and removes redundant ones.

// C++ source file...
#include <assert.h>
#include <stdbool.h>

// becomes

#include <cassert>
// No 'stdbool.h' here.

Important note: the Standard doesn't guarantee that the C++ headers declare all the same functions in the global namespace. The check in its current form can break the code that uses library symbols from the global namespace.

  • <assert.h>
  • <complex.h>
  • <ctype.h>
  • <errno.h>
  • <fenv.h> Ā  Ā  // deprecated since C++11
  • <float.h>
  • <inttypes.h>
  • <limits.h>
  • <locale.h>
  • <math.h>
  • <setjmp.h>
  • <signal.h>
  • <stdarg.h>
  • <stddef.h>
  • <stdint.h>
  • <stdio.h>
  • <stdlib.h>
  • <string.h>
  • <tgmath.h> Ā  // deprecated since C++11
  • <time.h>
  • <uchar.h> Ā  Ā // deprecated since C++11
  • <wchar.h>
  • <wctype.h>

If the specified standard is older than C++11 the check will only replace headers deprecated before C++11, otherwise -- every header that appeared in the previous list.

These headers don't have effect in C++:

  • <iso646.h>
  • <stdalign.h>
  • <stdbool.h>

The checker ignores include directives within extern "C" { ... } blocks, since a library might want to expose some API for C and C++ libraries.

// C++ source file...
extern "C" {
#include <assert.h>  // Left intact.
#include <stdbool.h> // Left intact.
}

Options

CheckHeaderFile

clang-tidy cannot know if the header file included by the currently analyzed C++ source file is not included by any other C source files. Hence, to omit false-positives and wrong fixit-hints, we ignore emitting reports into header files. One can set this option to true if they know that the header files in the project are only used by C++ source file. Default is false.

modernize-deprecated-ios-base-aliases

Detects usage of the deprecated member types of std::ios_base and replaces those that have a non-deprecated equivalent.

Deprecated member typeReplacement
std::ios_base::io_statestd::ios_base::iostate
std::ios_base::open_modestd::ios_base::openmode
std::ios_base::seek_dirstd::ios_base::seekdir
std::ios_base::streamoff
std::ios_base::streampos

modernize-loop-convert

This check converts for(...; ...; ...) loops to use the new range-based loops in C++11.

Three kinds of loops can be converted:

  • Loops over statically allocated arrays.
  • Loops over containers, using iterators.
  • Loops over array-like containers, using operator[] and at().

MinConfidence option

risky

In loops where the container expression is more complex than just a reference to a declared expression (a variable, function, enum, etc.), and some part of it appears elsewhere in the loop, we lower our confidence in the transformation due to the increased risk of changing semantics. Transformations for these loops are marked as risky, and thus will only be converted if the minimum required confidence level is set to risky.

int arr[10][20];
int l = 5;

for (int j = 0; j < 20; ++j)
  int k = arr[l][j] + l; // using l outside arr[l] is considered risky

for (int i = 0; i < obj.getVector().size(); ++i)
  obj.foo(10); // using 'obj' is considered risky

See Range-based loops evaluate end() only once for an example of an incorrect transformation when the minimum required confidence level is set to risky.

reasonable (Default)

If a loop calls .end() or .size() after each iteration, the transformation for that loop is marked as reasonable, and thus will be converted if the required confidence level is set to reasonable (default) or lower.

// using size() is considered reasonable
for (int i = 0; i < container.size(); ++i)
  cout << container[i];

safe

Any other loops that do not match the above criteria to be marked as risky or reasonable are marked safe, and thus will be converted if the required confidence level is set to safe or lower.

int arr[] = {1,2,3};

for (int i = 0; i < 3; ++i)
  cout << arr[i];

Example

Original:

const int N = 5;
int arr[] = {1,2,3,4,5};
vector<int> v;
v.push_back(1);
v.push_back(2);
v.push_back(3);

// safe conversion
for (int i = 0; i < N; ++i)
  cout << arr[i];

// reasonable conversion
for (vector<int>::iterator it = v.begin(); it != v.end(); ++it)
  cout << *it;

// reasonable conversion
for (vector<int>::iterator it = begin(v); it != end(v); ++it)
  cout << *it;

// reasonable conversion
for (vector<int>::iterator it = std::begin(v); it != std::end(v); ++it)
  cout << *it;

// reasonable conversion
for (int i = 0; i < v.size(); ++i)
  cout << v[i];

// reasonable conversion
for (int i = 0; i < size(v); ++i)
  cout << v[i];

After applying the check with minimum confidence level set to reasonable (default):

const int N = 5;
int arr[] = {1,2,3,4,5};
vector<int> v;
v.push_back(1);
v.push_back(2);
v.push_back(3);

// safe conversion
for (auto & elem : arr)
  cout << elem;

// reasonable conversion
for (auto & elem : v)
  cout << elem;

// reasonable conversion
for (auto & elem : v)
  cout << elem;

Reverse Iterator Support

The converter is also capable of transforming iterator loops which use rbegin and rend for looping backwards over a container. Out of the box this will automatically happen in C++20 mode using the ranges library, however the check can be configured to work without C++20 by specifying a function to reverse a range and optionally the header file where that function lives.

UseCxx20ReverseRanges

When set to true convert loops when in C++20 or later mode using std::ranges::reverse_view. Default value is true.

MakeReverseRangeFunction

Specify the function used to reverse an iterator pair, the function should accept a class with rbegin and rend methods and return a class with begin and end methods that call the rbegin and rend methods respectively. Common examples are ranges::reverse_view and llvm::reverse. Default value is an empty string.

MakeReverseRangeHeader

Specifies the header file where MakeReverseRangeFunction is declared. For the previous examples this option would be set to range/v3/view/reverse.hpp and llvm/ADT/STLExtras.h respectively. If this is an empty string and MakeReverseRangeFunction is set, the check will proceed on the assumption that the function is already available in the translation unit. This can be wrapped in angle brackets to signify to add the include as a system include. Default value is an empty string.

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

Limitations

There are certain situations where the tool may erroneously perform transformations that remove information and change semantics. Users of the tool should be aware of the behavior and limitations of the check outlined by the cases below.

Comments inside loop headers

Comments inside the original loop header are ignored and deleted when transformed.

for (int i = 0; i < N; /* This will be deleted */ ++i) { }

Range-based loops evaluate end() only once

The C++11 range-based for loop calls .end() only once during the initialization of the loop. If in the original loop .end() is called after each iteration the semantics of the transformed loop may differ.

// The following is semantically equivalent to the C++11 range-based for loop,
// therefore the semantics of the header will not change.
for (iterator it = container.begin(), e = container.end(); it != e; ++it) { }

// Instead of calling .end() after each iteration, this loop will be
// transformed to call .end() only once during the initialization of the loop,
// which may affect semantics.
for (iterator it = container.begin(); it != container.end(); ++it) { }

As explained above, calling member functions of the container in the body of the loop is considered risky. If the called member function modifies the container the semantics of the converted loop will differ due to .end() being called only once.

bool flag = false;
for (vector<T>::iterator it = vec.begin(); it != vec.end(); ++it) {
  // Add a copy of the first element to the end of the vector.
  if (!flag) {
    // This line makes this transformation 'risky'.
    vec.push_back(*it);
    flag = true;
  }
  cout << *it;
}

The original code above prints out the contents of the container including the newly added element while the converted loop, shown below, will only print the original contents and not the newly added element.

bool flag = false;
for (auto & elem : vec) {
  // Add a copy of the first element to the end of the vector.
  if (!flag) {
    // This line makes this transformation 'risky'
    vec.push_back(elem);
    flag = true;
  }
  cout << elem;
}

Semantics will also be affected if .end() has side effects. For example, in the case where calls to .end() are logged the semantics will change in the transformed loop if .end() was originally called after each iteration.

iterator end() {
  num_of_end_calls++;
  return container.end();
}

Overloaded operator->() with side effects

Similarly, if operator->() was overloaded to have side effects, such as logging, the semantics will change. If the iterator's operator->() was used in the original loop it will be replaced with <container element>.<member> instead due to the implicit dereference as part of the range-based for loop. Therefore any side effect of the overloaded operator->() will no longer be performed.

for (iterator it = c.begin(); it != c.end(); ++it) {
  it->func(); // Using operator->()
}
// Will be transformed to:
for (auto & elem : c) {
  elem.func(); // No longer using operator->()
}

Pointers and references to containers

While most of the check's risk analysis is dedicated to determining whether the iterator or container was modified within the loop, it is possible to circumvent the analysis by accessing and modifying the container through a pointer or reference.

If the container were directly used instead of using the pointer or reference the following transformation would have only been applied at the risky level since calling a member function of the container is considered risky. The check cannot identify expressions associated with the container that are different than the one used in the loop header, therefore the transformation below ends up being performed at the safe level.

vector<int> vec;

vector<int> *ptr = &vec;
vector<int> &ref = vec;

for (vector<int>::iterator it = vec.begin(), e = vec.end(); it != e; ++it) {
  if (!flag) {
    // Accessing and modifying the container is considered risky, but the risk
    // level is not raised here.
    ptr->push_back(*it);
    ref.push_back(*it);
    flag = true;
  }
}

OpenMP

As range-based for loops are only available since OpenMP 5, this check should not be used on code with a compatibility requirement of OpenMP prior to version 5. It is intentional that this check does not make any attempts to exclude incorrect diagnostics on OpenMP for loops prior to OpenMP 5.

To prevent this check to be applied (and to break) OpenMP for loops but still be applied to non-OpenMP for loops the usage of NOLINT (see Suppressing Undesired Diagnostics) on the specific for loops is recommended.

modernize-macro-to-enum

Replaces groups of adjacent macros with an unscoped anonymous enum. Using an unscoped anonymous enum ensures that everywhere the macro token was used previously, the enumerator name may be safely used.

This check can be used to enforce the C++ core guideline Enum.1: Prefer enumerations over macros, within the constraints outlined below.

Potential macros for replacement must meet the following constraints:

  • Macros must expand only to integral literal tokens or expressions of literal tokens. Ā The expression may contain any of the unary operators -, +, ~ or !, any of the binary operators ,, -, +, *, /, %, &, |, ^, <, >, <=, >=, ==, !=, ||, &&, <<, >> or <=>, the ternary operator ?: and its GNU extension. Parenthesized expressions are also recognized. Ā This recognizes most valid expressions. Ā In particular, expressions with the sizeof operator are not recognized.
  • Macros must be defined on sequential source file lines, or with only comment lines in between macro definitions.
  • Macros must all be defined in the same source file.
  • Macros must not be defined within a conditional compilation block. (Conditional include guards are exempt from this constraint.)
  • Macros must not be defined adjacent to other preprocessor directives.
  • Macros must not be used in any conditional preprocessing directive.
  • Macros must not be used as arguments to other macros.
  • Macros must not be undefined.
  • Macros must be defined at the top-level, not inside any declaration or definition.

Each cluster of macros meeting the above constraints is presumed to be a set of values suitable for replacement by an anonymous enum. From there, a developer can give the anonymous enum a name and continue refactoring to a scoped enum if desired. Ā Comments on the same line as a macro definition or between subsequent macro definitions are preserved in the output. Ā No formatting is assumed in the provided replacements, although clang-tidy can optionally format all fixes.

WARNING:

Initializing expressions are assumed to be valid initializers for an enum. Ā C requires that enum values fit into an int, but this may not be the case for some accepted constant expressions. For instance 1 << 40 will not fit into an int when the size of an int is 32 bits.

Examples:

#define RED   0xFF0000
#define GREEN 0x00FF00
#define BLUE  0x0000FF

#define TM_NONE (-1) // No method selected.
#define TM_ONE 1    // Use tailored method one.
#define TM_TWO 2    // Use tailored method two.  Method two
                    // is preferable to method one.
#define TM_THREE 3  // Use tailored method three.

becomes

enum {
RED = 0xFF0000,
GREEN = 0x00FF00,
BLUE = 0x0000FF
};

enum {
TM_NONE = (-1), // No method selected.
TM_ONE = 1,    // Use tailored method one.
TM_TWO = 2,    // Use tailored method two.  Method two
                    // is preferable to method one.
TM_THREE = 3  // Use tailored method three.
};

modernize-make-shared

This check finds the creation of std::shared_ptr objects by explicitly calling the constructor and a new expression, and replaces it with a call to std::make_shared.

auto my_ptr = std::shared_ptr<MyPair>(new MyPair(1, 2));

// becomes

auto my_ptr = std::make_shared<MyPair>(1, 2);

This check also finds calls to std::shared_ptr::reset() with a new expression, and replaces it with a call to std::make_shared.

my_ptr.reset(new MyPair(1, 2));

// becomes

my_ptr = std::make_shared<MyPair>(1, 2);

Options

MakeSmartPtrFunction

A string specifying the name of make-shared-ptr function. Default is std::make_shared.

MakeSmartPtrFunctionHeader

A string specifying the corresponding header of make-shared-ptr function. Default is memory.

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

IgnoreMacros

If set to true, the check will not give warnings inside macros. Default is true.

IgnoreDefaultInitialization

If set to non-zero, the check does not suggest edits that will transform default initialization into value initialization, as this can cause performance regressions. Default is 1.

modernize-make-unique

This check finds the creation of std::unique_ptr objects by explicitly calling the constructor and a new expression, and replaces it with a call to std::make_unique, introduced in C++14.

auto my_ptr = std::unique_ptr<MyPair>(new MyPair(1, 2));

// becomes

auto my_ptr = std::make_unique<MyPair>(1, 2);

This check also finds calls to std::unique_ptr::reset() with a new expression, and replaces it with a call to std::make_unique.

my_ptr.reset(new MyPair(1, 2));

// becomes

my_ptr = std::make_unique<MyPair>(1, 2);

Options

MakeSmartPtrFunction

A string specifying the name of make-unique-ptr function. Default is std::make_unique.

MakeSmartPtrFunctionHeader

A string specifying the corresponding header of make-unique-ptr function. Default is <memory>.

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

IgnoreMacros

If set to true, the check will not give warnings inside macros. Default is true.

IgnoreDefaultInitialization

If set to non-zero, the check does not suggest edits that will transform default initialization into value initialization, as this can cause performance regressions. Default is 1.

modernize-min-max-use-initializer-list

Replaces nested std::min and std::max calls with an initializer list where applicable.

For instance, consider the following code:

int a = std::max(std::max(i, j), k);

The check will transform the above code to:

int a = std::max({i, j, k});

Performance Considerations

While this check simplifies the code and makes it more readable, it may cause performance degradation for non-trivial types due to the need to copy objects into the initializer list.

To avoid this, it is recommended to use std::ref or std::cref for non-trivial types:

std::string b = std::max({std::ref(i), std::ref(j), std::ref(k)});

Options

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

IgnoreNonTrivialTypes

A boolean specifying whether to ignore non-trivial types. Default is true.

IgnoreTrivialTypesOfSizeAbove

An integer specifying the size (in bytes) above which trivial types are ignored. Default is 32.

modernize-pass-by-value

With move semantics added to the language and the standard library updated with move constructors added for many types it is now interesting to take an argument directly by value, instead of by const-reference, and then copy. This check allows the compiler to take care of choosing the best way to construct the copy.

The transformation is usually beneficial when the calling code passes an rvalue and assumes the move construction is a cheap operation. This short example illustrates how the construction of the value happens:

void foo(std::string s);
std::string get_str();

void f(const std::string &str) {
  foo(str);       // lvalue  -> copy construction
  foo(get_str()); // prvalue -> move construction
}
NOTE:

Currently, only constructors are transformed to make use of pass-by-value. Contributions that handle other situations are welcome!

Pass-by-value in constructors

Replaces the uses of const-references constructor parameters that are copied into class fields. The parameter is then moved with std::move().

Since std::move() is a library function declared in <utility> it may be necessary to add this include. The check will add the include directive when necessary.

 #include <string>

 class Foo {
 public:
-  Foo(const std::string &Copied, const std::string &ReadOnly)
-    : Copied(Copied), ReadOnly(ReadOnly)
+  Foo(std::string Copied, const std::string &ReadOnly)
+    : Copied(std::move(Copied)), ReadOnly(ReadOnly)
   {}

 private:
   std::string Copied;
   const std::string &ReadOnly;
 };

 std::string get_cwd();

 void f(const std::string &Path) {
   // The parameter corresponding to 'get_cwd()' is move-constructed. By
   // using pass-by-value in the Foo constructor we managed to avoid a
   // copy-construction.
   Foo foo(get_cwd(), Path);
 }

If the parameter is used more than once no transformation is performed since moved objects have an undefined state. It means the following code will be left untouched:

#include <string>

void pass(const std::string &S);

struct Foo {
  Foo(const std::string &S) : Str(S) {
    pass(S);
  }

  std::string Str;
};

Known limitations

A situation where the generated code can be wrong is when the object referenced is modified before the assignment in the init-list through a "hidden" reference.

Example:

 std::string s("foo");

 struct Base {
   Base() {
     s = "bar";
   }
 };

 struct Derived : Base {
-  Derived(const std::string &S) : Field(S)
+  Derived(std::string S) : Field(std::move(S))
   { }

   std::string Field;
 };

 void f() {
-  Derived d(s); // d.Field holds "bar"
+  Derived d(s); // d.Field holds "foo"
 }

Note about delayed template parsing

When delayed template parsing is enabled, constructors part of templated contexts; templated constructors, constructors in class templates, constructors of inner classes of template classes, etc., are not transformed. Delayed template parsing is enabled by default on Windows as a Microsoft extension: Clang Compiler User's Manual - Microsoft extensions.

Delayed template parsing can be enabled using the -fdelayed-template-parsing flag and disabled using -fno-delayed-template-parsing.

Example:

  template <typename T> class C {
    std::string S;

  public:
=  // using -fdelayed-template-parsing (default on Windows)
=  C(const std::string &S) : S(S) {}

+  // using -fno-delayed-template-parsing (default on non-Windows systems)
+  C(std::string S) : S(std::move(S)) {}
  };
SEE ALSO:

For more information about the pass-by-value idiom, read: Want Speed? Pass by Value.

Options

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

ValuesOnly

When true, the check only warns about copied parameters that are already passed by value. Default is false.

modernize-raw-string-literal

This check selectively replaces string literals containing escaped characters with raw string literals.

Example:

const char *const Quotes{"embedded \"quotes\""};
const char *const Paragraph{"Line one.\nLine two.\nLine three.\n"};
const char *const SingleLine{"Single line.\n"};
const char *const TrailingSpace{"Look here -> \n"};
const char *const Tab{"One\tTwo\n"};
const char *const Bell{"Hello!\a  And welcome!"};
const char *const Path{"C:\\Program Files\\Vendor\\Application.exe"};
const char *const RegEx{"\\w\\([a-z]\\)"};

becomes

const char *const Quotes{R"(embedded "quotes")"};
const char *const Paragraph{"Line one.\nLine two.\nLine three.\n"};
const char *const SingleLine{"Single line.\n"};
const char *const TrailingSpace{"Look here -> \n"};
const char *const Tab{"One\tTwo\n"};
const char *const Bell{"Hello!\a  And welcome!"};
const char *const Path{R"(C:\Program Files\Vendor\Application.exe)"};
const char *const RegEx{R"(\w\([a-z]\))"};

The presence of any of the following escapes can cause the string to be converted to a raw string literal: \\, \', \", \?, and octal or hexadecimal escapes for printable ASCII characters.

A string literal containing only escaped newlines is a common way of writing lines of text output. Introducing physical newlines with raw string literals in this case is likely to impede readability. These string literals are left unchanged.

An escaped horizontal tab, form feed, or vertical tab prevents the string literal from being converted. The presence of a horizontal tab, form feed or vertical tab in source code is not visually obvious.

DelimiterStem

Custom delimiter to escape characters in raw string literals. It is used in the following construction: R"stem_delimiter(contents)stem_delimiter". The default value is lit.

ReplaceShorterLiterals

Controls replacing shorter non-raw string literals with longer raw string literals. Setting this option to true enables the replacement. The default value is false (shorter literals are not replaced).

modernize-redundant-void-arg

Find and remove redundant void argument lists.

Examples:
Initial codeCode with applied fixes
int f(void);int f();
int (*f(void))(void);int (*f())();
typedef int (*f_t(void))(void);typedef int (*f_t())();
void (C::*p)(void);void (C::*p)();
C::C(void) {}C::C() {}
C::~C(void) {}C::~C() {}

modernize-replace-auto-ptr

This check replaces the uses of the deprecated class std::auto_ptr by std::unique_ptr (introduced in C++11). The transfer of ownership, done by the copy-constructor and the assignment operator, is changed to match std::unique_ptr usage by using explicit calls to std::move().

Migration example:

-void take_ownership_fn(std::auto_ptr<int> int_ptr);
+void take_ownership_fn(std::unique_ptr<int> int_ptr);

 void f(int x) {
-  std::auto_ptr<int> a(new int(x));
-  std::auto_ptr<int> b;
+  std::unique_ptr<int> a(new int(x));
+  std::unique_ptr<int> b;

-  b = a;
-  take_ownership_fn(b);
+  b = std::move(a);
+  take_ownership_fn(std::move(b));
 }

Since std::move() is a library function declared in <utility> it may be necessary to add this include. The check will add the include directive when necessary.

Known Limitations

  • If headers modification is not activated or if a header is not allowed to be changed this check will produce broken code (compilation error), where the headers' code will stay unchanged while the code using them will be changed.
  • Client code that declares a reference to an std::auto_ptr coming from code that can't be migrated (such as a header coming from a 3rd party library) will produce a compilation error after migration. This is because the type of the reference will be changed to std::unique_ptr but the type returned by the library won't change, binding a reference to std::unique_ptr from an std::auto_ptr. This pattern doesn't make much sense and usually std::auto_ptr are stored by value (otherwise what is the point in using them instead of a reference or a pointer?).

     // <3rd-party header...>
     std::auto_ptr<int> get_value();
     const std::auto_ptr<int> & get_ref();
    
     // <calling code (with migration)...>
    -std::auto_ptr<int> a(get_value());
    +std::unique_ptr<int> a(get_value()); // ok, unique_ptr constructed from auto_ptr
    
    -const std::auto_ptr<int> & p = get_ptr();
    +const std::unique_ptr<int> & p = get_ptr(); // won't compile
  • Non-instantiated templates aren't modified.

    template <typename X>
    void f() {
        std::auto_ptr<X> p;
    }
    
    // only 'f<int>()' (or similar) will trigger the replacement.

Options

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

modernize-replace-disallow-copy-and-assign-macro

Finds macro expansions of DISALLOW_COPY_AND_ASSIGN(Type) and replaces them with a deleted copy constructor and a deleted assignment operator.

Before the delete keyword was introduced in C++11 it was common practice to declare a copy constructor and an assignment operator as private members. This effectively makes them unusable to the public API of a class.

With the advent of the delete keyword in C++11 we can abandon the private access of the copy constructor and the assignment operator and delete the methods entirely.

When running this check on a code like this:

class Foo {
private:
  DISALLOW_COPY_AND_ASSIGN(Foo);
};

It will be transformed to this:

class Foo {
private:
  Foo(const Foo &) = delete;
  const Foo &operator=(const Foo &) = delete;
};

Known Limitations

  • Notice that the migration example above leaves the private access specification untouched. You might want to run the check modernize-use-equals-delete to get warnings for deleted functions in private sections.

Options

MacroName

A string specifying the macro name whose expansion will be replaced. Default is DISALLOW_COPY_AND_ASSIGN.

See: https://en.cppreference.com/w/cpp/language/function#Deleted_functions

modernize-replace-random-shuffle

This check will find occurrences of std::random_shuffle and replace it with std::shuffle. In C++17 std::random_shuffle will no longer be available and thus we need to replace it.

Below are two examples of what kind of occurrences will be found and two examples of what it will be replaced with.

std::vector<int> v;

// First example
std::random_shuffle(vec.begin(), vec.end());

// Second example
std::random_shuffle(vec.begin(), vec.end(), randomFunc);

Both of these examples will be replaced with:

std::shuffle(vec.begin(), vec.end(), std::mt19937(std::random_device()()));

The second example will also receive a warning that randomFunc is no longer supported in the same way as before so if the user wants the same functionality, the user will need to change the implementation of the randomFunc.

One thing to be aware of here is that std::random_device is quite expensive to initialize. So if you are using the code in a performance critical place, you probably want to initialize it elsewhere. Another thing is that the seeding quality of the suggested fix is quite poor: std::mt19937 has an internal state of 624 32-bit integers, but is only seeded with a single integer. So if you require higher quality randomness, you should consider seeding better, for example:

std::shuffle(v.begin(), v.end(), []() {
  std::mt19937::result_type seeds[std::mt19937::state_size];
  std::random_device device;
  std::uniform_int_distribution<typename std::mt19937::result_type> dist;
  std::generate(std::begin(seeds), std::end(seeds), [&] { return dist(device); });
  std::seed_seq seq(std::begin(seeds), std::end(seeds));
  return std::mt19937(seq);
}());

modernize-return-braced-init-list

Replaces explicit calls to the constructor in a return with a braced initializer list. This way the return type is not needlessly duplicated in the function definition and the return statement.

Foo bar() {
  Baz baz;
  return Foo(baz);
}

// transforms to:

Foo bar() {
  Baz baz;
  return {baz};
}

modernize-shrink-to-fit

Replace copy and swap tricks on shrinkable containers with the shrink_to_fit() method call.

The shrink_to_fit() method is more readable and more effective than the copy and swap trick to reduce the capacity of a shrinkable container. Note that, the shrink_to_fit() method is only available in C++11 and up.

modernize-type-traits

Converts standard library type traits of the form traits<...>::type and traits<...>::value into traits_t<...> and traits_v<...> respectively.

For example:

std::is_integral<T>::value
std::is_same<int, float>::value
typename std::add_const<T>::type
std::make_signed<unsigned>::type

Would be converted into:

std::is_integral_v<T>
std::is_same_v<int, float>
std::add_const_t<T>
std::make_signed_t<unsigned>

Options

IgnoreMacros

If true don't diagnose traits defined in macros.

Note: Fixes will never be emitted for code inside of macros.

#define IS_SIGNED(T) std::is_signed<T>::value

Defaults to false.

modernize-unary-static-assert

The check diagnoses any static_assert declaration with an empty string literal and provides a fix-it to replace the declaration with a single-argument static_assert declaration.

The check is only applicable for C++17 and later code.

The following code:

void f_textless(int a) {
  static_assert(sizeof(a) <= 10, "");
}

is replaced by:

void f_textless(int a) {
  static_assert(sizeof(a) <= 10);
}

modernize-use-auto

This check is responsible for using the auto type specifier for variable declarations to improve code readability and maintainability. For example:

std::vector<int>::iterator I = my_container.begin();

// transforms to:

auto I = my_container.begin();

The auto type specifier will only be introduced in situations where the variable type matches the type of the initializer expression. In other words auto should deduce the same type that was originally spelled in the source. However, not every situation should be transformed:

int val = 42;
InfoStruct &I = SomeObject.getInfo();

// Should not become:

auto val = 42;
auto &I = SomeObject.getInfo();

In this example using auto for builtins doesn't improve readability. In other situations it makes the code less self-documenting impairing readability and maintainability. As a result, auto is used only introduced in specific situations described below.

Iterators

Iterator type specifiers tend to be long and used frequently, especially in loop constructs. Since the functions generating iterators have a common format, the type specifier can be replaced without obscuring the meaning of code while improving readability and maintainability.

for (std::vector<int>::iterator I = my_container.begin(),
                                E = my_container.end();
     I != E; ++I) {
}

// becomes

for (auto I = my_container.begin(), E = my_container.end(); I != E; ++I) {
}

The check will only replace iterator type-specifiers when all of the following conditions are satisfied:

  • The iterator is for one of the standard containers in std namespace:

    • array
    • deque
    • forward_list
    • list
    • vector
    • map
    • multimap
    • set
    • multiset
    • unordered_map
    • unordered_multimap
    • unordered_set
    • unordered_multiset
    • queue
    • priority_queue
    • stack
  • The iterator is one of the possible iterator types for standard containers:

    • iterator
    • reverse_iterator
    • const_iterator
    • const_reverse_iterator
  • In addition to using iterator types directly, typedefs or other ways of referring to those types are also allowed. However, implementation-specific types for which a type like std::vector<int>::iterator is itself a typedef will not be transformed. Consider the following examples:

    // The following direct uses of iterator types will be transformed.
    std::vector<int>::iterator I = MyVec.begin();
    {
      using namespace std;
      list<int>::iterator I = MyList.begin();
    }
    
    // The type specifier for J would transform to auto since it's a typedef
    // to a standard iterator type.
    typedef std::map<int, std::string>::const_iterator map_iterator;
    map_iterator J = MyMap.begin();
    
    // The following implementation-specific iterator type for which
    // std::vector<int>::iterator could be a typedef would not be transformed.
    __gnu_cxx::__normal_iterator<int*, std::vector> K = MyVec.begin();
  • The initializer for the variable being declared is not a braced initializer list. Otherwise, use of auto would cause the type of the variable to be deduced as std::initializer_list.

New expressions

Frequently, when a pointer is declared and initialized with new, the pointee type is written twice: in the declaration type and in the new expression. In this case, the declaration type can be replaced with auto improving readability and maintainability.

TypeName *my_pointer = new TypeName(my_param);

// becomes

auto *my_pointer = new TypeName(my_param);

The check will also replace the declaration type in multiple declarations, if the following conditions are satisfied:

  • All declared variables have the same type (i.e. all of them are pointers to the same type).
  • All declared variables are initialized with a new expression.
  • The types of all the new expressions are the same than the pointee of the declaration type.

    TypeName *my_first_pointer = new TypeName, *my_second_pointer = new TypeName;
    
    // becomes
    
    auto *my_first_pointer = new TypeName, *my_second_pointer = new TypeName;

Cast expressions

Frequently, when a variable is declared and initialized with a cast, the variable type is written twice: in the declaration type and in the cast expression. In this case, the declaration type can be replaced with auto improving readability and maintainability.

TypeName *my_pointer = static_cast<TypeName>(my_param);

// becomes

auto *my_pointer = static_cast<TypeName>(my_param);

The check handles static_cast, dynamic_cast, const_cast, reinterpret_cast, functional casts, C-style casts and function templates that behave as casts, such as llvm::dyn_cast, boost::lexical_cast and gsl::narrow_cast. Calls to function templates are considered to behave as casts if the first template argument is explicit and is a type, and the function returns that type, or a pointer or reference to it.

Known Limitations

  • If the initializer is an explicit conversion constructor, the check will not replace the type specifier even though it would be safe to do so.
  • User-defined iterators are not handled at this time.

Options

MinTypeNameLength

If the option is set to non-zero (default 5), the check will ignore type names having a length less than the option value. The option affects expressions only, not iterators. Spaces between multi-lexeme type names (long int) are considered as one. If the RemoveStars option (see below) is set to true, then *s in the type are also counted as a part of the type name.

// MinTypeNameLength = 0, RemoveStars=0

int a = static_cast<int>(foo());            // ---> auto a = ...
// length(bool *) = 4
bool *b = new bool;                         // ---> auto *b = ...
unsigned c = static_cast<unsigned>(foo());  // ---> auto c = ...

// MinTypeNameLength = 5, RemoveStars=0

int a = static_cast<int>(foo());                 // ---> int  a = ...
bool b = static_cast<bool>(foo());               // ---> bool b = ...
bool *pb = static_cast<bool*>(foo());            // ---> bool *pb = ...
unsigned c = static_cast<unsigned>(foo());       // ---> auto c = ...
// length(long <on-or-more-spaces> int) = 8
long int d = static_cast<long int>(foo());       // ---> auto d = ...

// MinTypeNameLength = 5, RemoveStars=1

int a = static_cast<int>(foo());                 // ---> int  a = ...
// length(int * * ) = 5
int **pa = static_cast<int**>(foo());            // ---> auto pa = ...
bool b = static_cast<bool>(foo());               // ---> bool b = ...
bool *pb = static_cast<bool*>(foo());            // ---> auto pb = ...
unsigned c = static_cast<unsigned>(foo());       // ---> auto c = ...
long int d = static_cast<long int>(foo());       // ---> auto d = ...
RemoveStars

If the option is set to true (default is false), the check will remove stars from the non-typedef pointer types when replacing type names with auto. Otherwise, the check will leave stars. For example:

TypeName *my_first_pointer = new TypeName, *my_second_pointer = new TypeName;

// RemoveStars = 0

auto *my_first_pointer = new TypeName, *my_second_pointer = new TypeName;

// RemoveStars = 1

auto my_first_pointer = new TypeName, my_second_pointer = new TypeName;

modernize-use-bool-literals

Finds integer literals which are cast to bool.

bool p = 1;
bool f = static_cast<bool>(1);
std::ios_base::sync_with_stdio(0);
bool x = p ? 1 : 0;

// transforms to

bool p = true;
bool f = true;
std::ios_base::sync_with_stdio(false);
bool x = p ? true : false;

Options

IgnoreMacros

If set to true, the check will not give warnings inside macros. Default is true.

modernize-use-constraints

Replace std::enable_if with C++20 requires clauses.

std::enable_if is a SFINAE mechanism for selecting the desired function or class template based on type traits or other requirements. enable_if changes the meta-arity of the template, and has other adverse side effects in the code. C++20 introduces concepts and constraints as a cleaner language provided solution to achieve the same outcome.

This check finds some common std::enable_if patterns that can be replaced by C++20 requires clauses. The tool can replace some of these patterns automatically, otherwise, the tool will emit a diagnostic without a replacement. The tool can detect the following std::enable_if patterns

  1. std::enable_if in the return type of a function
  2. std::enable_if as the trailing template parameter for function templates

Other uses, for example, in class templates for function parameters, are not currently supported by this tool. Other variants such as boost::enable_if are not currently supported by this tool.

Below are some examples of code using std::enable_if.

// enable_if in function return type
template <typename T>
std::enable_if_t<T::some_trait, int> only_if_t_has_the_trait() { ... }

// enable_if in the trailing template parameter
template <typename T, std::enable_if_t<T::some_trait, int> = 0>
void another_version() { ... }

template <typename T>
typename std::enable_if<T::some_value, Obj>::type existing_constraint() requires (T::another_value) {
  return Obj{};
}

template <typename T, std::enable_if_t<T::some_trait, int> = 0>
struct my_class {};

The tool will replace the above code with,

// warning: use C++20 requires constraints instead of enable_if [modernize-use-constraints]
template <typename T>
int only_if_t_has_the_trait() requires T::some_trait { ... }

// warning: use C++20 requires constraints instead of enable_if [modernize-use-constraints]
template <typename T>
void another_version() requires T::some_trait { ... }

// The tool will emit a diagnostic for the following, but will
// not attempt to replace the code.
// warning: use C++20 requires constraints instead of enable_if [modernize-use-constraints]
template <typename T>
typename std::enable_if<T::some_value, Obj>::type existing_constraint() requires (T::another_value) {
  return Obj{};
}

// The tool will not emit a diagnostic or attempt to replace the code.
template <typename T, std::enable_if_t<T::some_trait, int> = 0>
struct my_class {};
NOTE:

System headers are not analyzed by this check.

modernize-use-default

This check has been renamed to modernize-use-equals-default.

modernize-use-default-member-init

This check converts constructors' member initializers into the new default member initializers in C++11. Other member initializers that match the default member initializer are removed. This can reduce repeated code or allow use of '= default'.

struct A {
  A() : i(5), j(10.0) {}
  A(int i) : i(i), j(10.0) {}
  int i;
  double j;
};

// becomes

struct A {
  A() {}
  A(int i) : i(i) {}
  int i{5};
  double j{10.0};
};
NOTE:

Only converts member initializers for built-in types, enums, and pointers. The readability-redundant-member-init check will remove redundant member initializers for classes.

Options

UseAssignment

If this option is set to true (default is false), the check will initialize members with an assignment. For example:

struct A {
  A() {}
  A(int i) : i(i) {}
  int i = 5;
  double j = 10.0;
};
IgnoreMacros

If this option is set to true (default is true), the check will not warn about members declared inside macros.

modernize-use-designated-initializers

Finds initializer lists for aggregate types which could be written as designated initializers instead.

With plain initializer lists, it is very easy to introduce bugs when adding new fields in the middle of a struct or class type. The same confusion might arise when changing the order of fields.

C++20 supports the designated initializer syntax for aggregate types. By applying it, we can always be sure that aggregates are constructed correctly, because every variable being initialized is referenced by its name.

Example:

struct S { int i, j; };

is an aggregate type that should be initialized as

S s{.i = 1, .j = 2};

instead of

S s{1, 2};

which could easily become an issue when i and j are swapped in the declaration of S.

Even when compiling in a language version older than C++20, depending on your compiler, designated initializers are potentially supported. Therefore, the check is by default restricted to C99/C++20 and above. Check out the options -Wc99-designator to get support for mixed designators in initializer list in C and -Wc++20-designator for support of designated initializers in older C++ language modes.

Options

IgnoreMacros

The value false specifies that components of initializer lists expanded from macros are not checked. The default value is true.

IgnoreSingleElementAggregates

The value false specifies that even initializers for aggregate types with only a single element should be checked. The default value is true.

RestrictToPODTypes

The value true specifies that only Plain Old Data (POD) types shall be checked. This makes the check applicable to even older C++ standards. The default value is false.

StrictCStandardCompliance

When set to false, the check will not restrict itself to C99 and above. The default value is true.

StrictCppStandardCompliance

When set to false, the check will not restrict itself to C++20 and above. The default value is true.

modernize-use-emplace

The check flags insertions to an STL-style container done by calling the push_back, push, or push_front methods with an explicitly-constructed temporary of the container element type. In this case, the corresponding emplace equivalent methods result in less verbose and potentially more efficient code. Ā Right now the check doesn't support insert. It also doesn't support insert functions for associative containers because replacing insert with emplace may result in speed regression, but it might get support with some addition flag in the future.

The ContainersWithPushBack, ContainersWithPush, and ContainersWithPushFront options are used to specify the container types that support the push_back, push, and push_front operations respectively. The default values for these options are as follows:

  • ContainersWithPushBack: std::vector, std::deque, and std::list.
  • ContainersWithPush: std::stack, std::queue, and std::priority_queue.
  • ContainersWithPushFront: std::forward_list, std::list, and std::deque.

This check also reports when an emplace-like method is improperly used, for example using emplace_back while also calling a constructor. This creates a temporary that requires at best a move and at worst a copy. Almost all emplace-like functions in the STL are covered by this, with try_emplace on std::map and std::unordered_map being the exception as it behaves slightly differently than all the others. More containers can be added with the EmplacyFunctions option, so long as the container defines a value_type type, and the emplace-like functions construct a value_type object.

Before:

std::vector<MyClass> v;
v.push_back(MyClass(21, 37));
v.emplace_back(MyClass(21, 37));

std::vector<std::pair<int, int>> w;

w.push_back(std::pair<int, int>(21, 37));
w.push_back(std::make_pair(21L, 37L));
w.emplace_back(std::make_pair(21L, 37L));

After:

std::vector<MyClass> v;
v.emplace_back(21, 37);
v.emplace_back(21, 37);

std::vector<std::pair<int, int>> w;
w.emplace_back(21, 37);
w.emplace_back(21L, 37L);
w.emplace_back(21L, 37L);

By default, the check is able to remove unnecessary std::make_pair and std::make_tuple calls from push_back calls on containers of std::pair and std::tuple. Custom tuple-like types can be modified by the TupleTypes option; custom make functions can be modified by the TupleMakeFunctions option.

The other situation is when we pass arguments that will be converted to a type inside a container.

Before:

std::vector<boost::optional<std::string> > v;
v.push_back("abc");

After:

std::vector<boost::optional<std::string> > v;
v.emplace_back("abc");

In some cases the transformation would be valid, but the code wouldn't be exception safe. In this case the calls of push_back won't be replaced.

std::vector<std::unique_ptr<int>> v;
v.push_back(std::unique_ptr<int>(new int(0)));
auto *ptr = new int(1);
v.push_back(std::unique_ptr<int>(ptr));

This is because replacing it with emplace_back could cause a leak of this pointer if emplace_back would throw exception before emplacement (e.g. not enough memory to add a new element).

For more info read item 42 - "Consider emplacement instead of insertion." of Scott Meyers "Effective Modern C++".

The default smart pointers that are considered are std::unique_ptr, std::shared_ptr, std::auto_ptr. To specify other smart pointers or other classes use the SmartPointers option.

Check also doesn't fire if any argument of the constructor call would be:

  • a bit-field (bit-fields can't bind to rvalue/universal reference)
  • a new expression (to avoid leak)
  • if the argument would be converted via derived-to-base cast.

This check requires C++11 or higher to run.

Options

ContainersWithPushBack

Semicolon-separated list of class names of custom containers that support push_back.

ContainersWithPush

Semicolon-separated list of class names of custom containers that support push.

ContainersWithPushFront

Semicolon-separated list of class names of custom containers that support push_front.

IgnoreImplicitConstructors

When true, the check will ignore implicitly constructed arguments of push_back, e.g.

std::vector<std::string> v;
v.push_back("a"); // Ignored when IgnoreImplicitConstructors is `true`.

Default is false.

SmartPointers

Semicolon-separated list of class names of custom smart pointers.

TupleTypes

Semicolon-separated list of std::tuple-like class names.

TupleMakeFunctions

Semicolon-separated list of std::make_tuple-like function names. Those function calls will be removed from push_back calls and turned into emplace_back.

EmplacyFunctions

Semicolon-separated list of containers without their template parameters and some emplace-like method of the container. Example: vector::emplace_back. Those methods will be checked for improper use and the check will report when a temporary is unnecessarily created.

Example

std::vector<MyTuple<int, bool, char>> x;
x.push_back(MakeMyTuple(1, false, 'x'));
x.emplace_back(MakeMyTuple(1, false, 'x'));

transforms to:

std::vector<MyTuple<int, bool, char>> x;
x.emplace_back(1, false, 'x');
x.emplace_back(1, false, 'x');

when TupleTypes is set to MyTuple, TupleMakeFunctions is set to MakeMyTuple, and EmplacyFunctions is set to vector::emplace_back.

modernize-use-equals-default

This check replaces default bodies of special member functions with = default;. The explicitly defaulted function declarations enable more opportunities in optimization, because the compiler might treat explicitly defaulted functions as trivial.

struct A {
  A() {}
  ~A();
};
A::~A() {}

// becomes

struct A {
  A() = default;
  ~A();
};
A::~A() = default;
NOTE:

Move-constructor and move-assignment operator are not supported yet.

Options

IgnoreMacros

If set to true, the check will not give warnings inside macros and will ignore special members with bodies contain macros or preprocessor directives. Default is true.

modernize-use-equals-delete

Identifies unimplemented private special member functions, and recommends using = delete for them. Additionally, it recommends relocating any deleted member function from the private to the public section.

Before the introduction of C++11, the primary method to effectively "erase" a particular function involved declaring it as private without providing a definition. This approach would result in either a compiler error (when attempting to call a private function) or a linker error (due to an undefined reference).

However, subsequent to the advent of C++11, a more conventional approach emerged for achieving this purpose. It involves flagging functions as = delete and keeping them in the public section of the class.

To prevent false positives, this check is only active within a translation unit where all other member functions have been implemented. The check will generate partial fixes by introducing = delete, but the user is responsible for manually relocating functions to the public section.

// Example: bad
class A {
 private:
  A(const A&);
  A& operator=(const A&);
};

// Example: good
class A {
 public:
  A(const A&) = delete;
  A& operator=(const A&) = delete;
};
IgnoreMacros

If this option is set to true (default is true), the check will not warn about functions declared inside macros.

modernize-use-nodiscard

Adds [[nodiscard]] attributes (introduced in C++17) to member functions in order to highlight at compile time which return values should not be ignored.

Member functions need to satisfy the following conditions to be considered by this check:

  • no [[nodiscard]], [[noreturn]], __attribute__((warn_unused_result)), [[clang::warn_unused_result]] nor [[gcc::warn_unused_result]] attribute,
  • non-void return type,
  • non-template return types,
  • const member function,
  • non-variadic functions,
  • no non-const reference parameters,
  • no pointer parameters,
  • no template parameters,
  • no template function parameters,
  • not be a member of a class with mutable member variables,
  • no Lambdas,
  • no conversion functions.

Such functions have no means of altering any state or passing values other than via the return type. Unless the member functions are altering state via some external call (e.g. I/O).

Example

bool empty() const;
bool empty(int i) const;

transforms to:

[[nodiscard]] bool empty() const;
[[nodiscard]] bool empty(int i) const;

Options

ReplacementString

Specifies a macro to use instead of [[nodiscard]]. This is useful when maintaining source code that needs to compile with a pre-C++17 compiler.

Example

bool empty() const;
bool empty(int i) const;

transforms to:

NO_DISCARD bool empty() const;
NO_DISCARD bool empty(int i) const;
if the ReplacementString option is set to NO_DISCARD.
NOTE:

If the ReplacementString is not a C++ attribute, but instead a macro, then that macro must be defined in scope or the fix-it will not be applied.

NOTE:

For alternative __attribute__ syntax options to mark functions as [[nodiscard]] in non-c++17 source code. See https://clang.llvm.org/docs/AttributeReference.html#nodiscard-warn-unused-result

modernize-use-noexcept

This check replaces deprecated dynamic exception specifications with the appropriate noexcept specification (introduced in C++11). By default this check will replace throw() with noexcept, and throw(<exception>[,...]) or throw(...) with noexcept(false).

Example

void foo() throw();
void bar() throw(int) {}

transforms to:

void foo() noexcept;
void bar() noexcept(false) {}

Options

ReplacementString

Users can use ReplacementString to specify a macro to use instead of noexcept. This is useful when maintaining source code that uses custom exception specification marking other than noexcept. Fix-it hints will only be generated for non-throwing specifications.

Example

void bar() throw(int);
void foo() throw();

transforms to:

void bar() throw(int);  // No fix-it generated.
void foo() NOEXCEPT;

if the ReplacementString option is set to NOEXCEPT.

UseNoexceptFalse

Enabled by default, disabling will generate fix-it hints that remove throwing dynamic exception specs, e.g., throw(<something>), completely without providing a replacement text, except for destructors and delete operators that are noexcept(true) by default.

Example

void foo() throw(int) {}

struct bar {
  void foobar() throw(int);
  void operator delete(void *ptr) throw(int);
  void operator delete[](void *ptr) throw(int);
  ~bar() throw(int);
}

transforms to:

void foo() {}

struct bar {
  void foobar();
  void operator delete(void *ptr) noexcept(false);
  void operator delete[](void *ptr) noexcept(false);
  ~bar() noexcept(false);
}

if the UseNoexceptFalse option is set to false.

modernize-use-nullptr

The check converts the usage of null pointer constants (e.g. NULL, 0) to use the new C++11 and C23 nullptr keyword.

Example

void assignment() {
  char *a = NULL;
  char *b = 0;
  char c = 0;
}

int *ret_ptr() {
  return 0;
}

transforms to:

void assignment() {
  char *a = nullptr;
  char *b = nullptr;
  char c = 0;
}

int *ret_ptr() {
  return nullptr;
}

Options

IgnoredTypes

Semicolon-separated list of regular expressions to match pointer types for which implicit casts will be ignored. Default value: std::_CmpUnspecifiedParam::;^std::__cmp_cat::__unspec.

NullMacros

Comma-separated list of macro names that will be transformed along with NULL. By default this check will only replace the NULL macro and will skip any similar user-defined macros.

Example

#define MY_NULL (void*)0
void assignment() {
  void *p = MY_NULL;
}

transforms to:

#define MY_NULL NULL
void assignment() {
  int *p = nullptr;
}

if the NullMacros option is set to MY_NULL.

modernize-use-override

Adds override (introduced in C++11) to overridden virtual functions and removes virtual from those functions as it is not required.

virtual on non base class implementations was used to help indicate to the user that a function was virtual. C++ compilers did not use the presence of this to signify an overridden function.

In C++11 override and final keywords were introduced to allow overridden functions to be marked appropriately. Their presence allows compilers to verify that an overridden function correctly overrides a base class implementation.

This can be useful as compilers can generate a compile time error when:

  • The base class implementation function signature changes.
  • The user has not created the override with the correct signature.

Options

IgnoreDestructors

If set to true, this check will not diagnose destructors. Default is false.

IgnoreTemplateInstantiations

If set to true, instructs this check to ignore virtual function overrides that are part of template instantiations. Default is false.

AllowOverrideAndFinal

If set to true, this check will not diagnose override as redundant with final. This is useful when code will be compiled by a compiler with warning/error checking flags requiring override explicitly on overridden members, such as gcc -Wsuggest-override/gcc -Werror=suggest-override. Default is false.

OverrideSpelling

Specifies a macro to use instead of override. This is useful when maintaining source code that also needs to compile with a pre-C++11 compiler.

FinalSpelling

Specifies a macro to use instead of final. This is useful when maintaining source code that also needs to compile with a pre-C++11 compiler.

NOTE:

For more information on the use of override see https://en.cppreference.com/w/cpp/language/override

modernize-use-ranges

Detects calls to standard library iterator algorithms that could be replaced with a ranges version instead.

Example

auto Iter1 = std::find(Items.begin(), Items.end(), 0);
auto AreSame = std::equal(Items1.cbegin(), Items1.cend(),
                          std::begin(Items2), std::end(Items2));

Transforms to:

auto Iter1 = std::ranges::find(Items, 0);
auto AreSame = std::ranges::equal(Items1, Items2);

Supported algorithms

Calls to the following std library algorithms are checked:

std::adjacent_find, std::all_of, std::any_of, std::binary_search, std::copy_backward, std::copy_if, std::copy, std::destroy, std::equal_range, std::equal, std::fill, std::find_end, std::find_if_not, std::find_if, std::find, std::for_each, std::generate, std::includes, std::inplace_merge, std::iota, std::is_heap_until, std::is_heap, std::is_partitioned, std::is_permutation, std::is_sorted_until, std::is_sorted, std::lexicographical_compare, std::lower_bound, std::make_heap, std::max_element, std::merge, std::min_element, std::minmax_element, std::mismatch, std::move_backward, std::move, std::next_permutation, std::none_of, std::partial_sort_copy, std::partition_copy, std::partition_point, std::partition, std::pop_heap, std::prev_permutation, std::push_heap, std::remove_copy_if, std::remove_copy, std::remove, std::remove_if, std::replace_if, std::replace, std::reverse_copy, std::reverse, std::rotate, std::rotate_copy, std::sample, std::search, std::set_difference, std::set_intersection, std::set_symmetric_difference, std::set_union, std::shift_left, std::shift_right, std::sort_heap, std::sort, std::stable_partition, std::stable_sort, std::transform, std::uninitialized_copy, std::uninitialized_default_construct, std::uninitialized_fill, std::uninitialized_move, std::uninitialized_value_construct, std::unique_copy, std::unique, std::upper_bound.

Reverse Iteration

If calls are made using reverse iterators on containers, The code will be fixed using the std::views::reverse adaptor.

auto AreSame = std::equal(Items1.rbegin(), Items1.rend(),
                          std::crbegin(Items2), std::crend(Items2));

Transforms to:

auto AreSame = std::ranges::equal(std::ranges::reverse_view(Items1),
                                  std::ranges::reverse_view(Items2));

Options

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

UseReversePipe

When true (default false), fixes which involve reverse ranges will use the pipe adaptor syntax instead of the function syntax.

std::find(Items.rbegin(), Items.rend(), 0);

Transforms to:

std::ranges::find(Items | std::views::reverse, 0);

modernize-use-starts-ends-with

Checks for common roundabout ways to express starts_with and ends_with and suggests replacing with starts_with when the method is available. Notably, this will work with std::string and std::string_view.

std::string s = "...";
if (s.find("prefix") == 0) { /* do something */ }
if (s.rfind("prefix", 0) == 0) { /* do something */ }
if (s.compare(0, strlen("prefix"), "prefix") == 0) { /* do something */ }

becomes

std::string s = "...";
if (s.starts_with("prefix")) { /* do something */ }
if (s.starts_with("prefix")) { /* do something */ }
if (s.starts_with("prefix")) { /* do something */ }

modernize-use-std-format

Converts calls to absl::StrFormat, or other functions via configuration options, to C++20's std::format, or another function via a configuration option, modifying the format string appropriately and removing now-unnecessary calls to std::string::c_str() and std::string::data().

For example, it turns lines like

return absl::StrFormat("The %s is %3d", description.c_str(), value);

into:

return std::format("The {} is {:3}", description, value);

The check uses the same format-string-conversion algorithm as modernize-use-std-print and its shortcomings are described in the documentation for that check.

Options

StrictMode

When true, the check will add casts when converting from variadic functions and printing signed or unsigned integer types (including fixed-width integer types from <cstdint>, ptrdiff_t, size_t and ssize_t) as the opposite signedness to ensure that the output would matches that of a simple wrapper for std::sprintf that accepted a C-style variable argument list. For example, with StrictMode enabled,

extern std::string strprintf(const char *format, ...);
int i = -42;
unsigned int u = 0xffffffff;
return strprintf("%d %u\n", i, u);

would be converted to

return std::format("{} {}\n", static_cast<unsigned int>(i), static_cast<int>(u));

to ensure that the output will continue to be the unsigned representation of -42 and the signed representation of 0xffffffff (often 4294967254 and -1 respectively). When false (which is the default), these casts will not be added which may cause a change in the output. Note that this option makes no difference for the default value of StrFormatLikeFunctions since absl::StrFormat takes a function parameter pack and is not a variadic function.

StrFormatLikeFunctions

A semicolon-separated list of (fully qualified) function names to replace, with the requirement that the first parameter contains the printf-style format string and the arguments to be formatted follow immediately afterwards. The default value for this option is absl::StrFormat.

ReplacementFormatFunction

The function that will be used to replace the function set by the StrFormatLikeFunctions option rather than the default std::format. It is expected that the function provides an interface that is compatible with std::format. A suitable candidate would be fmt::format.

FormatHeader

The header that must be included for the declaration of ReplacementFormatFunction so that a #include directive can be added if required. If ReplacementFormatFunction is std::format then this option will default to <format>, otherwise this option will default to nothing and no #include directive will be added.

modernize-use-std-numbers

Finds constants and function calls to math functions that can be replaced with C++20's mathematical constants from the numbers header and offers fix-it hints. Does not match the use of variables with that value, and instead, offers a replacement for the definition of those variables. Function calls that match the pattern of how the constant is calculated are matched and replaced with the std::numbers constant. The use of macros gets replaced with the corresponding std::numbers constant, instead of changing the macro definition.

The following list of constants from the numbers header are supported:

  • e
  • log2e
  • log10e
  • pi
  • inv_pi
  • inv_sqrtpi
  • ln2
  • ln10
  • sqrt2
  • sqrt3
  • inv_sqrt3
  • egamma
  • phi

The list currently includes all constants as of C++20.

The replacements use the type of the matched constant and can remove explicit casts, i.e., switching between std::numbers::e, std::numbers::e_v<float> and std::numbers::e_v<long double> where appropriate.

double sqrt(double);
double log2(double);
void sink(auto&&) {}
void floatSink(float);

#define MY_PI 3.1415926

void foo() {
    const double Pi = 3.141592653589;           // const double Pi = std::numbers::pi
    const auto Use = Pi / 2;                    // no match for Pi
    static constexpr double Euler = 2.7182818;  // static constexpr double Euler = std::numbers::e;

    log2(exp(1));                               // std::numbers::log2e;
    log2(Euler);                                // std::numbers::log2e;
    1 / sqrt(MY_PI);                            // std::numbers::inv_sqrtpi;
    sink(MY_PI);                                // sink(std::numbers::pi);
    floatSink(MY_PI);                           // floatSink(std::numbers::pi);
    floatSink(static_cast<float>(MY_PI));       // floatSink(std::numbers::pi_v<float>);
}

Options

DiffThreshold

A floating point value that sets the detection threshold for when literals match a constant. A literal matches a constant if abs(literal - constant) < DiffThreshold evaluates to true. Default is 0.001.

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

modernize-use-std-print

Converts calls to printf, fprintf, absl::PrintF and absl::FPrintf to equivalent calls to C++23's std::print or std::println as appropriate, modifying the format string appropriately. The replaced and replacement functions can be customised by configuration options. Each argument that is the result of a call to std::string::c_str() and std::string::data() will have that now-unnecessary call removed in a similar manner to the readability-redundant-string-cstr check.

In other words, it turns lines like:

fprintf(stderr, "The %s is %3d\n", description.c_str(), value);

into:

std::println(stderr, "The {} is {:3}", description, value);

If the ReplacementPrintFunction or ReplacementPrintlnFunction options are left, or assigned to their default values then this check is only enabled with -std=c++23 or later.

The check doesn't do a bad job, but it's not perfect. In particular:

  • It assumes that the format string is correct for the arguments. If you get any warnings when compiling with -Wformat then misbehaviour is possible.
  • At the point that the check runs, the AST contains a single StringLiteral for the format string and any macro expansion, token pasting, adjacent string literal concatenation and escaping has been handled. Although it's possible for the check to automatically put the escapes back, they may not be exactly as they were written (e.g. "\x0a" will become "\n" and "ab" "cd" will become "abcd".) This is helpful since it means that the PRIx macros from <inttypes.h> are removed correctly.
  • It supports field widths, precision, positional arguments, leading zeros, leading +, alignment and alternative forms.
  • Use of any unsupported flags or specifiers will cause the entire statement to be left alone and a warning to be emitted. Particular unsupported features are:

    • The %' flag for thousands separators.
    • The glibc extension %m.
  • printf and similar functions return the number of characters printed. std::print does not. This means that any invocations that use the return value will not be converted. Unfortunately this currently includes explicitly-casting to void. Deficiencies in this check mean that any invocations inside GCC compound statements cannot be converted even if the resulting value is not used.

If conversion would be incomplete or unsafe then the entire invocation will be left unchanged.

If the call is deemed suitable for conversion then:

  • printf, fprintf, absl::PrintF, absl::FPrintF and any functions specified by the PrintfLikeFunctions option or FprintfLikeFunctions are replaced with the function specified by the ReplacementPrintlnFunction option if the format string ends with \n or ReplacementPrintFunction otherwise.
  • the format string is rewritten to use the std::formatter language. If a \n is found at the end of the format string not preceded by r then it is removed and ReplacementPrintlnFunction is used rather than ReplacementPrintFunction.
  • any arguments that corresponded to %p specifiers that std::formatter wouldn't accept are wrapped in a static_cast to const void *.
  • any arguments that corresponded to %s specifiers where the argument is of signed char or unsigned char type are wrapped in a reinterpret_cast<const char *>.
  • any arguments where the format string and the parameter differ in signedness will be wrapped in an appropriate static_cast if StrictMode is enabled.
  • any arguments that end in a call to std::string::c_str() or std::string::data() will have that call removed.

Options

StrictMode

When true, the check will add casts when converting from variadic functions like printf and printing signed or unsigned integer types (including fixed-width integer types from <cstdint>, ptrdiff_t, size_t and ssize_t) as the opposite signedness to ensure that the output matches that of printf. This does not apply when converting from non-variadic functions such as absl::PrintF and fmt::printf. For example, with StrictMode enabled:

int i = -42;
unsigned int u = 0xffffffff;
printf("%d %u\n", i, u);

would be converted to:

std::print("{} {}\n", static_cast<unsigned int>(i), static_cast<int>(u));

to ensure that the output will continue to be the unsigned representation of -42 and the signed representation of 0xffffffff (often 4294967254 and -1 respectively.) When false (which is the default), these casts will not be added which may cause a change in the output.

PrintfLikeFunctions

A semicolon-separated list of (fully qualified) function names to replace, with the requirement that the first parameter contains the printf-style format string and the arguments to be formatted follow immediately afterwards. If neither this option nor FprintfLikeFunctions are set then the default value for this option is printf; absl::PrintF, otherwise it is empty.

FprintfLikeFunctions

A semicolon-separated list of (fully qualified) function names to replace, with the requirement that the first parameter is retained, the second parameter contains the printf-style format string and the arguments to be formatted follow immediately afterwards. If neither this option nor PrintfLikeFunctions are set then the default value for this option is fprintf; absl::FPrintF, otherwise it is empty.

ReplacementPrintFunction

The function that will be used to replace printf, fprintf etc. during conversion rather than the default std::print when the originalformat string does not end with \n. It is expected that the function provides an interface that is compatible with std::print. A suitable candidate would be fmt::print.

ReplacementPrintlnFunction

The function that will be used to replace printf, fprintf etc. during conversion rather than the default std::println when the original format string ends with \n. It is expected that the function provides an interface that is compatible with std::println. A suitable candidate would be fmt::println.

PrintHeader

The header that must be included for the declaration of ReplacementPrintFunction so that a #include directive can be added if required. If ReplacementPrintFunction is std::print then this option will default to <print>, otherwise this option will default to nothing and no #include directive will be added.

modernize-use-trailing-return-type

Rewrites function signatures to use a trailing return type (introduced in C++11). This transformation is purely stylistic. The return type before the function name is replaced by auto and inserted after the function parameter list (and qualifiers).

Example

int f1();
inline int f2(int arg) noexcept;
virtual float f3() const && = delete;

transforms to:

auto f1() -> int;
inline auto f2(int arg) -> int noexcept;
virtual auto f3() const && -> float = delete;

Known Limitations

The following categories of return types cannot be rewritten currently:

  • function pointers
  • member function pointers
  • member pointers

Unqualified names in the return type might erroneously refer to different entities after the rewrite. Preventing such errors requires a full lookup of all unqualified names present in the return type in the scope of the trailing return type location. This location includes e.g. function parameter names and members of the enclosing class (including all inherited classes). Such a lookup is currently not implemented.

Given the following piece of code

struct S { long long value; };
S f(unsigned S) { return {S * 2}; }
class CC {
  int S;
  struct S m();
};
S CC::m() { return {0}; }

a careless rewrite would produce the following output:

struct S { long long value; };
auto f(unsigned S) -> S { return {S * 2}; } // error
class CC {
  int S;
  auto m() -> struct S;
};
auto CC::m() -> S { return {0}; } // error

This code fails to compile because the S in the context of f refers to the equally named function parameter. Similarly, the S in the context of m refers to the equally named class member. The check can currently only detect and avoid a clash with a function parameter name.

modernize-use-transparent-functors

Prefer transparent functors to non-transparent ones. When using transparent functors, the type does not need to be repeated. The code is easier to read, maintain and less prone to errors. It is not possible to introduce unwanted conversions.

// Non-transparent functor
std::map<int, std::string, std::greater<int>> s;

// Transparent functor.
std::map<int, std::string, std::greater<>> s;

// Non-transparent functor
using MyFunctor = std::less<MyType>;

It is not always a safe transformation though. The following case will be untouched to preserve the semantics.

// Non-transparent functor
std::map<const char *, std::string, std::greater<std::string>> s;

Options

SafeMode

If the option is set to true, the check will not diagnose cases where using a transparent functor cannot be guaranteed to produce identical results as the original code. The default value for this option is false.

This check requires using C++14 or higher to run.

modernize-use-uncaught-exceptions

This check will warn on calls to std::uncaught_exception and replace them with calls to std::uncaught_exceptions, since std::uncaught_exception was deprecated in C++17.

Below are a few examples of what kind of occurrences will be found and what they will be replaced with.

#define MACRO1 std::uncaught_exception
#define MACRO2 std::uncaught_exception

int uncaught_exception() {
  return 0;
}

int main() {
  int res;

  res = uncaught_exception();
  // No warning, since it is not the deprecated function from namespace std

  res = MACRO2();
  // Warning, but will not be replaced

  res = std::uncaught_exception();
  // Warning and replaced

  using std::uncaught_exception;
  // Warning and replaced

  res = uncaught_exception();
  // Warning and replaced
}

After applying the fixes the code will look like the following:

#define MACRO1 std::uncaught_exception
#define MACRO2 std::uncaught_exception

int uncaught_exception() {
  return 0;
}

int main() {
  int res;

  res = uncaught_exception();

  res = MACRO2();

  res = std::uncaught_exceptions();

  using std::uncaught_exceptions;

  res = uncaught_exceptions();
}

modernize-use-using

The check converts the usage of typedef with using keyword.

Before:

typedef int variable;

class Class{};
typedef void (Class::* MyPtrType)() const;

typedef struct { int a; } R_t, *R_p;

After:

using variable = int;

class Class{};
using MyPtrType = void (Class::*)() const;

using R_t = struct { int a; };
using R_p = R_t*;

The checker ignores typedef within extern "C" { ... } blocks.

extern "C" {
  typedef int InExternC; // Left intact.
}

This check requires using C++11 or higher to run.

Options

IgnoreMacros

If set to true, the check will not give warnings inside macros. Default is true.

IgnoreExternC

If set to true, the check will not give warning inside extern "C"`scope. Default is `false

mpi-buffer-deref

This check verifies if a buffer passed to an MPI (Message Passing Interface) function is sufficiently dereferenced. Buffers should be passed as a single pointer or array. As MPI function signatures specify void * for their buffer types, insufficiently dereferenced buffers can be passed, like for example as double pointers or multidimensional arrays, without a compiler warning emitted.

Examples:

// A double pointer is passed to the MPI function.
char *buf;
MPI_Send(&buf, 1, MPI_CHAR, 0, 0, MPI_COMM_WORLD);

// A multidimensional array is passed to the MPI function.
short buf[1][1];
MPI_Send(buf, 1, MPI_SHORT, 0, 0, MPI_COMM_WORLD);

// A pointer to an array is passed to the MPI function.
short *buf[1];
MPI_Send(buf, 1, MPI_SHORT, 0, 0, MPI_COMM_WORLD);

mpi-type-mismatch

This check verifies if buffer type and MPI (Message Passing Interface) datatype pairs match for used MPI functions. All MPI datatypes defined by the MPI standard (3.1) are verified by this check. User defined typedefs, custom MPI datatypes and null pointer constants are skipped, in the course of verification.

Example:

// In this case, the buffer type matches MPI datatype.
char buf;
MPI_Send(&buf, 1, MPI_CHAR, 0, 0, MPI_COMM_WORLD);

// In the following case, the buffer type does not match MPI datatype.
int buf;
MPI_Send(&buf, 1, MPI_CHAR, 0, 0, MPI_COMM_WORLD);

objc-assert-equals

Finds improper usages of XCTAssertEqual and XCTAssertNotEqual and replaces them with XCTAssertEqualObjects or XCTAssertNotEqualObjects.

This makes tests less fragile, as many improperly rely on pointer equality for strings that have equal values. Ā This assumption is not guaranteed by the language.

objc-avoid-nserror-init

Finds improper initialization of NSError objects.

According to Apple developer document, we should always use factory method errorWithDomain:code:userInfo: to create new NSError objects instead of [NSError alloc] init]. Otherwise it will lead to a warning message during runtime.

The corresponding information about NSError creation: https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/ErrorHandlingCocoa/CreateCustomizeNSError/CreateCustomizeNSError.html

objc-dealloc-in-category

Finds implementations of -dealloc in Objective-C categories. The category implementation will override any -dealloc in the class implementation, potentially causing issues.

Classes implement -dealloc to perform important actions to deallocate an object. If a category on the class implements -dealloc, it will override the class's implementation and unexpected deallocation behavior may occur.

objc-forbidden-subclassing

Finds Objective-C classes which are subclasses of classes which are not designed to be subclassed.

By default, includes a list of Objective-C classes which are publicly documented as not supporting subclassing.

NOTE:

Instead of using this check, for code under your control, you should add __attribute__((objc_subclassing_restricted)) before your @interface declarations to ensure the compiler prevents others from subclassing your Objective-C classes. See https://clang.llvm.org/docs/AttributeReference.html#objc-subclassing-restricted

Options

ForbiddenSuperClassNames

Semicolon-separated list of names of Objective-C classes which do not support subclassing.

Defaults to ABNewPersonViewController;ABPeoplePickerNavigationController;ABPersonViewController;ABUnknownPersonViewController;NSHashTable;NSMapTable;NSPointerArray;NSPointerFunctions;NSTimer;UIActionSheet;UIAlertView;UIImagePickerController;UITextInputMode;UIWebView.

objc-missing-hash

Finds Objective-C implementations that implement -isEqual: without also appropriately implementing -hash.

Apple documentation highlights that objects that are equal must have the same hash value: https://developer.apple.com/documentation/objectivec/1418956-nsobject/1418795-isequal?language=objc

Note that the check only verifies the presence of -hash in scenarios where its omission could result in unexpected behavior. The verification of the implementation of -hash is the responsibility of the developer, e.g., through the addition of unit tests to verify the implementation.

objc-nsdate-formatter

When NSDateFormatter is used to convert an NSDate type to a String type, the user can specify a custom format string. Certain format specifiers are undesirable despite being legal. See http://www.unicode.org/reports/tr35/tr35-dates.html#Date_Format_Patterns for all legal date patterns.

This checker reports as warnings the following string patterns in a date format specifier:

  1. yyyy + ww : Calendar year specified with week of a week year (unless YYYY is also specified).

    • Example 1: Input Date: 29 December 2014 ; Format String: yyyy-ww;
      Output string: 2014-01 (Wrong because itā€™s not the first week of 2014)
    • Example 2: Input Date: 29 December 2014 ; Format String: dd-MM-yyyy (ww-YYYY);
      Output string: 29-12-2014 (01-2015) (This is correct)
  2. F without ee/EE : Numeric day of week in a month without actual day.

    • Example: Input Date: 29 December 2014 ; Format String: F-MM;
      Output string: 5-12 (Wrong because it reads as 5th ___ of Dec in English)
  3. F without MM : Numeric day of week in a month without month.

    • Example: Input Date: 29 December 2014 ; Format String: F-EE
      Output string: 5-Mon (Wrong because it reads as 5th Mon of ___ in English)
  4. WW without MM : Week of the month without the month.

    • Example: Input Date: 29 December 2014 ; Format String: WW-yyyy
      Output string: 05-2014 (Wrong because it reads as 5th Week of ___ in English)
  5. YYYY + QQ : Week year specified with quarter of normal year (unless yyyy is also specified).

    • Example 1: Input Date: 29 December 2014 ; Format String: YYYY-QQ
      Output string: 2015-04 (Wrong because itā€™s not the 4th quarter of 2015)
    • Example 2: Input Date: 29 December 2014 ; Format String: ww-YYYY (QQ-yyyy)
      Output string: 01-2015 (04-2014) (This is correct)
  6. YYYY + MM : Ā Week year specified with Month of a calendar year (unless yyyy is also specified).

    • Example 1: Input Date: 29 December 2014 ; Format String: YYYY-MM
      Output string: 2015-12 (Wrong because itā€™s not the 12th month of 2015)
    • Example 2: Input Date: 29 December 2014 ; Format String: ww-YYYY (MM-yyyy)
      Output string: 01-2015 (12-2014) (This is correct)
  7. YYYY + DD : Week year with day of a calendar year (unless yyyy is also specified).

    • Example 1: Input Date: 29 December 2014 ; Format String: YYYY-DD
      Output string: 2015-363 (Wrong because itā€™s not the 363rd day of 2015)
    • Example 2: Input Date: 29 December 2014 ; Format String: ww-YYYY (DD-yyyy)
      Output string: 01-2015 (363-2014) (This is correct)
  8. YYYY + WW : Week year with week of a calendar year (unless yyyy is also specified).

    • Example 1: Input Date: 29 December 2014 ; Format String: YYYY-WW
      Output string: 2015-05 (Wrong because itā€™s not the 5th week of 2015)
    • Example 2: Input Date: 29 December 2014 ; Format String: ww-YYYY (WW-MM-yyyy)
      Output string: 01-2015 (05-12-2014) (This is correct)
  9. YYYY + F : Week year with day of week in a calendar month (unless yyyy is also specified).

    • Example 1: Input Date: 29 December 2014 ; Format String: YYYY-ww-F-EE
      Output string: 2015-01-5-Mon (Wrong because itā€™s not the 5th Monday of January in 2015)
    • Example 2: Input Date: 29 December 2014 ; Format String: ww-YYYY (F-EE-MM-yyyy)
      Output string: 01-2015 (5-Mon-12-2014) (This is correct)

objc-nsinvocation-argument-lifetime

Finds calls to NSInvocation methods under ARC that don't have proper argument object lifetimes. When passing Objective-C objects as parameters to the NSInvocation methods getArgument:atIndex: and getReturnValue:, the values are copied by value into the argument pointer, which leads to incorrect releasing behavior if the object pointers are not declared __unsafe_unretained.

For code:

id arg;
[invocation getArgument:&arg atIndex:2];

__strong id returnValue;
[invocation getReturnValue:&returnValue];

The fix will be:

__unsafe_unretained id arg;
[invocation getArgument:&arg atIndex:2];

__unsafe_unretained id returnValue;
[invocation getReturnValue:&returnValue];

The check will warn on being passed instance variable references that have lifetimes other than __unsafe_unretained, but does not propose a fix:

// "id _returnValue" is declaration of instance variable of class.
[invocation getReturnValue:&self->_returnValue];

objc-property-declaration

Finds property declarations in Objective-C files that do not follow the pattern of property names in Apple's programming guide. The property name should be in the format of Lower Camel Case.

For code:

@property(nonatomic, assign) int LowerCamelCase;

The fix will be:

@property(nonatomic, assign) int lowerCamelCase;

The check will only fix 'CamelCase' to 'camelCase'. In some other cases we will only provide warning messages since the property name could be complicated. Users will need to come up with a proper name by their own.

This check also accepts special acronyms as prefixes or suffixes. Such prefixes or suffixes will suppress the Lower Camel Case check according to the guide: https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/CodingGuidelines/Articles/NamingBasics.html#//apple_ref/doc/uid/20001281-1002931-BBCFHEAB

For a full list of well-known acronyms: https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/CodingGuidelines/Articles/APIAbbreviations.html#//apple_ref/doc/uid/20001285-BCIHCGAE

The corresponding style rule: https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/CodingGuidelines/Articles/NamingIvarsAndTypes.html#//apple_ref/doc/uid/20001284-1001757

The check will also accept property declared in category with a prefix of lowercase letters followed by a '_' to avoid naming conflict. For example:

@property(nonatomic, assign) int abc_lowerCamelCase;

The corresponding style rule: https://developer.apple.com/library/content/qa/qa1908/_index.html

objc-super-self

Finds invocations of -self on super instances in initializers of subclasses of NSObject and recommends calling a superclass initializer instead.

Invoking -self on super instances in initializers is a common programmer error when the programmer's original intent is to call a superclass initializer. Failing to call a superclass initializer breaks initializer chaining and can result in invalid object initialization.

openmp-exception-escape

Analyzes OpenMP Structured Blocks and checks that no exception escapes out of the Structured Block it was thrown in.

As per the OpenMP specification, a structured block is an executable statement, possibly compound, with a single entry at the top and a single exit at the bottom. Which means, throw may not be used to 'exit' out of the structured block. If an exception is not caught in the same structured block it was thrown in, the behavior is undefined.

FIXME: this check does not model SEH, setjmp/longjmp.

WARNING! This check may be expensive on large source files.

Options

IgnoredExceptions

Comma-separated list containing type names which are not counted as thrown exceptions in the check. Default value is an empty string.

openmp-use-default-none

Finds OpenMP directives that are allowed to contain a default clause, but either don't specify it or the clause is specified but with the kind other than none, and suggests to use the default(none) clause.

Using default(none) clause forces developers to explicitly specify data sharing attributes for the variables referenced in the construct, thus making it obvious which variables are referenced, and what is their data sharing attribute, thus increasing readability and possibly making errors easier to spot.

Example

// ``for`` directive cannot have ``default`` clause, no diagnostics.
void n0(const int a) {
#pragma omp for
  for (int b = 0; b < a; b++)
    ;
}

// ``parallel`` directive.

// ``parallel`` directive can have ``default`` clause, but said clause is not
// specified, diagnosed.
void p0_0() {
#pragma omp parallel
  ;
  // WARNING: OpenMP directive ``parallel`` does not specify ``default``
  //          clause. Consider specifying ``default(none)`` clause.
}

// ``parallel`` directive can have ``default`` clause, and said clause is
// specified, with ``none`` kind, all good.
void p0_1() {
#pragma omp parallel default(none)
  ;
}

// ``parallel`` directive can have ``default`` clause, and said clause is
// specified, but with ``shared`` kind, which is not ``none``, diagnose.
void p0_2() {
#pragma omp parallel default(shared)
  ;
  // WARNING: OpenMP directive ``parallel`` specifies ``default(shared)``
  //          clause. Consider using ``default(none)`` clause instead.
}

// ``parallel`` directive can have ``default`` clause, and said clause is
// specified, but with ``firstprivate`` kind, which is not ``none``, diagnose.
void p0_3() {
#pragma omp parallel default(firstprivate)
  ;
  // WARNING: OpenMP directive ``parallel`` specifies ``default(firstprivate)``
  //          clause. Consider using ``default(none)`` clause instead.
}

performance-avoid-endl

Checks for uses of std::endl on streams and suggests using the newline character '\n' instead.

Rationale: Using std::endl on streams can be less efficient than using the newline character '\n' because std::endl performs two operations: it writes a newline character to the output stream and then flushes the stream buffer. Writing a single newline character using '\n' does not trigger a flush, which can improve performance. In addition, flushing the stream buffer can cause additional overhead when working with streams that are buffered.

Example:

Consider the following code:

#include <iostream>

int main() {
  std::cout << "Hello" << std::endl;
}

Which gets transformed into:

#include <iostream>

int main() {
  std::cout << "Hello" << '\n';
}

This code writes a single newline character to the std::cout stream without flushing the stream buffer.

Additionally, it is important to note that the standard C++ streams (like std::cerr, std::wcerr, std::clog and std::wclog) always flush after a write operation, unless std::ios_base::sync_with_stdio is set to false. regardless of whether std::endl or '\n' is used. Therefore, using '\n' with these streams will not result in any performance gain, but it is still recommended to use '\n' for consistency and readability.

If you do need to flush the stream buffer, you can use std::flush explicitly like this:

#include <iostream>

int main() {
  std::cout << "Hello\n" << std::flush;
}

performance-enum-size

Recommends the smallest possible underlying type for an enum or enum class based on the range of its enumerators. Analyzes the values of the enumerators in an enum or enum class, including signed values, to recommend the smallest possible underlying type that can represent all the values of the enum. The suggested underlying types are the integral types std::uint8_t, std::uint16_t, and std::uint32_t for unsigned types, and std::int8_t, std::int16_t, and std::int32_t for signed types. Using the suggested underlying types can help reduce the memory footprint of the program and improve performance in some cases.

For example:

// BEFORE
enum Color {
    RED = -1,
    GREEN = 0,
    BLUE = 1
};

std::optional<Color> color_opt;

The Color enum uses the default underlying type, which is int in this case, and its enumerators have values of -1, 0, and 1. Additionally, the std::optional<Color> object uses 8 bytes due to padding (platform dependent).

// AFTER
enum Color : std:int8_t {
    RED = -1,
    GREEN = 0,
    BLUE = 1
}

std::optional<Color> color_opt;

In the revised version of the Color enum, the underlying type has been changed to std::int8_t. The enumerator RED has a value of -1, which can be represented by a signed 8-bit integer.

By using a smaller underlying type, the memory footprint of the Color enum is reduced from 4 bytes to 1 byte. The revised version of the std::optional<Color> object would only require 2 bytes (due to lack of padding), since it contains a single byte for the Color enum and a single byte for the bool flag that indicates whether the optional value is set.

Reducing the memory footprint of an enum can have significant benefits in terms of memory usage and cache performance. However, it's important to consider the trade-offs and potential impact on code readability and maintainability.

Enums without enumerators (empty) are excluded from analysis.

Requires C++11 or above. Does not provide auto-fixes.

Options

EnumIgnoreList

Option is used to ignore certain enum types. It accepts a semicolon-separated list of (fully qualified) enum type names or regular expressions that match the enum type names. The default value is an empty string, which means no enums will be ignored.

performance-faster-string-find

Optimize calls to std::string::find() and friends when the needle passed is a single character string literal. The character literal overload is more efficient.

Examples:

str.find("A");

// becomes

str.find('A');

Options

StringLikeClasses

Semicolon-separated list of names of string-like classes. By default only ::std::basic_string and ::std::basic_string_view are considered. The check will only consider member functions named find, rfind, find_first_of, find_first_not_of, find_last_of, or find_last_not_of within these classes.

performance-for-range-copy

Finds C++11 for ranges where the loop variable is copied in each iteration but it would suffice to obtain it by const reference.

The check is only applied to loop variables of types that are expensive to copy which means they are not trivially copyable or have a non-trivial copy constructor or destructor.

To ensure that it is safe to replace the copy with a const reference the following heuristic is employed:

  1. The loop variable is const qualified.
  2. The loop variable is not const, but only const methods or operators are invoked on it, or it is used as const reference or value argument in constructors or function calls.

Options

WarnOnAllAutoCopies

When true, warns on any use of auto as the type of the range-based for loop variable. Default is false.

AllowedTypes

A semicolon-separated list of names of types allowed to be copied in each iteration. Regular expressions are accepted, e.g. [Rr]ef(erence)?$ matches every type with suffix Ref, ref, Reference and reference. The default is empty. If a name in the list contains the sequence :: it is matched against the qualified typename (i.e. namespace::Type, otherwise it is matched against only the type name (i.e. Type).

performance-implicit-cast-in-loop

This check has been renamed to performance-implicit-conversion-in-loop.

performance-implicit-conversion-in-loop

This warning appears in a range-based loop with a loop variable of const ref type where the type of the variable does not match the one returned by the iterator. This means that an implicit conversion happens, which can for example result in expensive deep copies.

Example:

map<int, vector<string>> my_map;
for (const pair<int, vector<string>>& p : my_map) {}
// The iterator type is in fact pair<const int, vector<string>>, which means
// that the compiler added a conversion, resulting in a copy of the vectors.

The easiest solution is usually to use const auto& instead of writing the type manually.

performance-inefficient-algorithm

Warns on inefficient use of STL algorithms on associative containers.

Associative containers implement some of the algorithms as methods which should be preferred to the algorithms in the algorithm header. The methods can take advantage of the order of the elements.

std::set<int> s;
auto it = std::find(s.begin(), s.end(), 43);

// becomes

auto it = s.find(43);
std::set<int> s;
auto c = std::count(s.begin(), s.end(), 43);

// becomes

auto c = s.count(43);

performance-inefficient-string-concatenation

This check warns about the performance overhead arising from concatenating strings using the operator+, for instance:

std::string a("Foo"), b("Bar");
a = a + b;

Instead of this structure you should use operator+= or std::string's (std::basic_string) class member function append(). For instance:

std::string a("Foo"), b("Baz");
for (int i = 0; i < 20000; ++i) {
    a = a + "Bar" + b;
}

Could be rewritten in a greatly more efficient way like:

std::string a("Foo"), b("Baz");
for (int i = 0; i < 20000; ++i) {
    a.append("Bar").append(b);
}

And this can be rewritten too:

void f(const std::string&) {}
std::string a("Foo"), b("Baz");
void g() {
    f(a + "Bar" + b);
}

In a slightly more efficient way like:

void f(const std::string&) {}
std::string a("Foo"), b("Baz");
void g() {
    f(std::string(a).append("Bar").append(b));
}

Options

StrictMode

When false, the check will only check the string usage in while, for and for-range statements. Default is false.

performance-inefficient-vector-operation

Finds possible inefficient std::vector operations (e.g. push_back, emplace_back) that may cause unnecessary memory reallocations.

It can also find calls that add element to protobuf repeated field in a loop without calling Reserve() before the loop. Calling Reserve() first can avoid unnecessary memory reallocations.

Currently, the check only detects following kinds of loops with a single statement body:

  • Counter-based for loops start with 0:

    std::vector<int> v;
    for (int i = 0; i < n; ++i) {
      v.push_back(n);
      // This will trigger the warning since the push_back may cause multiple
      // memory reallocations in v. This can be avoid by inserting a 'reserve(n)'
      // statement before the for statement.
    }
    
    SomeProto p;
    for (int i = 0; i < n; ++i) {
      p.add_xxx(n);
      // This will trigger the warning since the add_xxx may cause multiple memory
      // reallocations. This can be avoid by inserting a
      // 'p.mutable_xxx().Reserve(n)' statement before the for statement.
    }
  • For-range loops like for (range-declaration : range_expression), the type of range_expression can be std::vector, std::array, std::deque, std::set, std::unordered_set, std::map, std::unordered_set:

    std::vector<int> data;
    std::vector<int> v;
    
    for (auto element : data) {
      v.push_back(element);
      // This will trigger the warning since the 'push_back' may cause multiple
      // memory reallocations in v. This can be avoid by inserting a
      // 'reserve(data.size())' statement before the for statement.
    }

Options

VectorLikeClasses

Semicolon-separated list of names of vector-like classes. By default only ::std::vector is considered.

EnableProto

When true, the check will also warn on inefficient operations for proto repeated fields. Otherwise, the check only warns on inefficient vector operations. Default is false.

performance-move-const-arg

The check warns

  • if std::move() is called with a constant argument,
  • if std::move() is called with an argument of a trivially-copyable type,
  • if the result of std::move() is passed as a const reference argument.

In all three cases, the check will suggest a fix that removes the std::move().

Here are examples of each of the three cases:

const string s;
return std::move(s);  // Warning: std::move of the const variable has no effect

int x;
return std::move(x);  // Warning: std::move of the variable of a trivially-copyable type has no effect

void f(const string &s);
string s;
f(std::move(s));  // Warning: passing result of std::move as a const reference argument; no move will actually happen

Options

CheckTriviallyCopyableMove

If true, enables detection of trivially copyable types that do not have a move constructor. Default is true.

CheckMoveToConstRef

If true, enables detection of std::move() passed as a const reference argument. Default is true.

performance-move-constructor-init

"cert-oop11-cpp" redirects here as an alias for this check.

The check flags user-defined move constructors that have a ctor-initializer initializing a member or base class through a copy constructor instead of a move constructor.

performance-no-automatic-move

Finds local variables that cannot be automatically moved due to constness.

Under certain conditions, local values are automatically moved out when returning from a function. A common mistake is to declare local lvalue variables const, which prevents the move.

Example [1]:

StatusOr<std::vector<int>> Cool() {
  std::vector<int> obj = ...;
  return obj;  // calls StatusOr::StatusOr(std::vector<int>&&)
}

StatusOr<std::vector<int>> NotCool() {
  const std::vector<int> obj = ...;
  return obj;  // calls `StatusOr::StatusOr(const std::vector<int>&)`
}

The former version (Cool) should be preferred over the latter (NotCool) as it will avoid allocations and potentially large memory copies.

Semantics

In the example above, StatusOr::StatusOr(T&&) have the same semantics as long as the copy and move constructors for T have the same semantics. Note that there is no guarantee that S::S(T&&) and S::S(const T&) have the same semantics for any single S, so we're not providing automated fixes for this check, and judgement should be exerted when making the suggested changes.

-Wreturn-std-move

Another case where the move cannot happen is the following:

StatusOr<std::vector<int>> Uncool() {
  std::vector<int>&& obj = ...;
  return obj;  // calls `StatusOr::StatusOr(const std::vector<int>&)`
}

In that case the fix is more consensual: just return std::move(obj). This is handled by the -Wreturn-std-move warning.

performance-no-int-to-ptr

Diagnoses every integer to pointer cast.

While casting an (integral) pointer to an integer is obvious - you just get the integral value of the pointer, casting an integer to an (integral) pointer is deceivingly different. While you will get a pointer with that integral value, if you got that integral value via a pointer-to-integer cast originally, the new pointer will lack the provenance information from the original pointer.

So while (integral) pointer to integer casts are effectively no-ops, and are transparent to the optimizer, integer to (integral) pointer casts are NOT transparent, and may conceal information from optimizer.

While that may be the intention, it is not always so. For example, let's take a look at a routine to align the pointer up to the multiple of 16: The obvious, naive implementation for that is:

char* src(char* maybe_underbiased_ptr) {
  uintptr_t maybe_underbiased_intptr = (uintptr_t)maybe_underbiased_ptr;
  uintptr_t aligned_biased_intptr = maybe_underbiased_intptr + 15;
  uintptr_t aligned_intptr = aligned_biased_intptr & (~15);
  return (char*)aligned_intptr; // warning: avoid integer to pointer casts [performance-no-int-to-ptr]
}

The check will rightfully diagnose that cast.

But when provenance concealment is not the goal of the code, but an accident, this example can be rewritten as follows, without using integer to pointer cast:

char*
tgt(char* maybe_underbiased_ptr) {
    uintptr_t maybe_underbiased_intptr = (uintptr_t)maybe_underbiased_ptr;
    uintptr_t aligned_biased_intptr = maybe_underbiased_intptr + 15;
    uintptr_t aligned_intptr = aligned_biased_intptr & (~15);
    uintptr_t bias = aligned_intptr - maybe_underbiased_intptr;
    return maybe_underbiased_ptr + bias;
}

performance-noexcept-destructor

The check flags user-defined destructors marked with noexcept(expr) where expr evaluates to false (but is not a false literal itself).

When a destructor is marked as noexcept, it assures the compiler that no exceptions will be thrown during the destruction of an object, which allows the compiler to perform certain optimizations such as omitting exception handling code.

performance-noexcept-move-constructor

The check flags user-defined move constructors and assignment operators not marked with noexcept or marked with noexcept(expr) where expr evaluates to false (but is not a false literal itself).

Move constructors of all the types used with STL containers, for example, need to be declared noexcept. Otherwise STL will choose copy constructors instead. The same is valid for move assignment operations.

performance-noexcept-swap

The check flags user-defined swap and iter_swap functions not marked with noexcept or marked with noexcept(expr) where expr evaluates to false (but is not a false literal itself).

When a swap or iter_swap function is marked as noexcept, it assures the compiler that no exceptions will be thrown during the swapping of two objects, which allows the compiler to perform certain optimizations such as omitting exception handling code.

performance-trivially-destructible

Finds types that could be made trivially-destructible by removing out-of-line defaulted destructor declarations.

struct A: TrivialType {
  ~A(); // Makes A non-trivially-destructible.
  TrivialType trivial_fields;
};
A::~A() = default;

performance-type-promotion-in-math-fn

Finds calls to C math library functions (from math.h or, in C++, cmath) with implicit float to double promotions.

For example, warns on ::sin(0.f), because this function's parameter is a double. You probably meant to call std::sin(0.f) (in C++), or sinf(0.f) (in C).

float a;
asin(a);

// becomes

float a;
std::asin(a);

performance-unnecessary-copy-initialization

Finds local variable declarations that are initialized using the copy constructor of a non-trivially-copyable type but it would suffice to obtain a const reference.

The check is only applied if it is safe to replace the copy by a const reference. This is the case when the variable is const qualified or when it is only used as a const, i.e. only const methods or operators are invoked on it, or it is used as const reference or value argument in constructors or function calls.

Example:

const string& constReference();
void Function() {
  // The warning will suggest making this a const reference.
  const string UnnecessaryCopy = constReference();
}

struct Foo {
  const string& name() const;
};
void Function(const Foo& foo) {
  // The warning will suggest making this a const reference.
  string UnnecessaryCopy1 = foo.name();
  UnnecessaryCopy1.find("bar");

  // The warning will suggest making this a const reference.
  string UnnecessaryCopy2 = UnnecessaryCopy1;
  UnnecessaryCopy2.find("bar");
}

Options

AllowedTypes

A semicolon-separated list of names of types allowed to be initialized by copying. Regular expressions are accepted, e.g. [Rr]ef(erence)?$ matches every type with suffix Ref, ref, Reference and reference. The default is empty. If a name in the list contains the sequence :: it is matched against the qualified typename (i.e. namespace::Type, otherwise it is matched against only the type name (i.e. Type).

ExcludedContainerTypes

A semicolon-separated list of names of types whose methods are allowed to return the const reference the variable is copied from. When an expensive to copy variable is copy initialized by the return value from a type on this list the check does not trigger. This can be used to exclude types known to be const incorrect or where the lifetime or immutability of returned references is not tied to mutations of the container. An example are view types that don't own the underlying data. Like for AllowedTypes above, regular expressions are accepted and the inclusion of :: determines whether the qualified typename is matched or not.

performance-unnecessary-value-param

Flags value parameter declarations of expensive to copy types that are copied for each invocation but it would suffice to pass them by const reference.

The check is only applied to parameters of types that are expensive to copy which means they are not trivially copyable or have a non-trivial copy constructor or destructor.

To ensure that it is safe to replace the value parameter with a const reference the following heuristic is employed:

  1. the parameter is const qualified;
  2. the parameter is not const, but only const methods or operators are invoked on it, or it is used as const reference or value argument in constructors or function calls.

Example:

void f(const string Value) {
  // The warning will suggest making Value a reference.
}

void g(ExpensiveToCopy Value) {
  // The warning will suggest making Value a const reference.
  Value.ConstMethd();
  ExpensiveToCopy Copy(Value);
}

If the parameter is not const, only copied or assigned once and has a non-trivial move-constructor or move-assignment operator respectively the check will suggest to move it.

Example:

void setValue(string Value) {
  Field = Value;
}

Will become:

#include <utility>

void setValue(string Value) {
  Field = std::move(Value);
}

Options

IncludeStyle

A string specifying which include-style is used, llvm or google. Default is llvm.

AllowedTypes

A semicolon-separated list of names of types allowed to be passed by value. Regular expressions are accepted, e.g. [Rr]ef(erence)?$ matches every type with suffix Ref, ref, Reference and reference. The default is empty. If a name in the list contains the sequence :: it is matched against the qualified typename (i.e. namespace::Type, otherwise it is matched against only the type name (i.e. Type).

portability-restrict-system-includes

Checks to selectively allow or disallow a configurable list of system headers.

For example:

In order to only allow zlib.h from the system you would set the options to -*,zlib.h.

#include <curses.h>       // Bad: disallowed system header.
#include <openssl/ssl.h>  // Bad: disallowed system header.
#include <zlib.h>         // Good: allowed system header.
#include "src/myfile.h"   // Good: non-system header always allowed.

In order to allow everything except zlib.h from the system you would set the options to *,-zlib.h.

#include <curses.h>       // Good: allowed system header.
#include <openssl/ssl.h>  // Good: allowed system header.
#include <zlib.h>         // Bad: disallowed system header.
#include "src/myfile.h"   // Good: non-system header always allowed.

Since the options support globbing you can use wildcarding to allow groups of headers.

-*,openssl/*.h will allow all openssl headers but disallow any others.

#include <curses.h>       // Bad: disallowed system header.
#include <openssl/ssl.h>  // Good: allowed system header.
#include <openssl/rsa.h>  // Good: allowed system header.
#include <zlib.h>         // Bad: disallowed system header.
#include "src/myfile.h"   // Good: non-system header always allowed.

Options

Includes

A string containing a comma separated glob list of allowed include filenames. Similar to the -checks glob list for running clang-tidy itself, the two wildcard characters are * and -, to include and exclude globs, respectively. The default is *, which allows all includes.

portability-simd-intrinsics

Finds SIMD intrinsics calls and suggests std::experimental::simd (P0214) alternatives.

If the option Suggest is set to true, for

_mm_add_epi32(a, b); // x86
vec_add(a, b);       // Power

the check suggests an alternative: operator+ on std::experimental::simd objects.

Otherwise, it just complains the intrinsics are non-portable (and there are P0214 alternatives).

Many architectures provide SIMD operations (e.g. x86 SSE/AVX, Power AltiVec/VSX, ARM NEON). It is common that SIMD code implementing the same algorithm, is written in multiple target-dispatching pieces to optimize for different architectures or micro-architectures.

The C++ standard proposal P0214 and its extensions cover many common SIMD operations. By migrating from target-dependent intrinsics to P0214 operations, the SIMD code can be simplified and pieces for different targets can be unified.

Refer to P0214 for introduction and motivation for the data-parallel standard library.

Options

Suggest

If this option is set to true (default is false), the check will suggest P0214 alternatives, otherwise it only points out the intrinsic function is non-portable.

Std

The namespace used to suggest P0214 alternatives. If not specified, std:: for -std=c++20 and std::experimental:: for -std=c++11.

portability-std-allocator-const

Report use of std::vector<const T> (and similar containers of const elements). These are not allowed in standard C++, and should usually be std::vector<T> instead."

Per C++ [allocator.requirements.general]: "T is any cv-unqualified object type", std::allocator<const T> is undefined. Many standard containers use std::allocator by default and therefore their const T instantiations are undefined.

libc++ defines std::allocator<const T> as an extension which will be removed in the future.

libstdc++ and MSVC do not support std::allocator<const T>:

// libstdc++ has a better diagnostic since https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48101
std::deque<const int> deque; // error: static assertion failed: std::deque must have a non-const, non-volatile value_type
std::set<const int> set; // error: static assertion failed: std::set must have a non-const, non-volatile value_type
std::vector<int* const> vector; // error: static assertion failed: std::vector must have a non-const, non-volatile value_type

// MSVC
// error C2338: static_assert failed: 'The C++ Standard forbids containers of const elements because allocator<const T> is ill-formed.'

Code bases only compiled with libc++ may accrue such undefined usage. This check finds such code and prevents backsliding while clean-up is ongoing.

readability-avoid-const-params-in-decls

Checks whether a function declaration has parameters that are top level const.

const values in declarations do not affect the signature of a function, so they should not be put there.

Examples:

void f(const string);   // Bad: const is top level.
void f(const string&);  // Good: const is not top level.

Options

IgnoreMacros

If set to true, the check will not give warnings inside macros. Default is true.

readability-avoid-nested-conditional-operator

Identifies instances of nested conditional operators in the code.

Nested conditional operators, also known as ternary operators, can contribute to reduced code readability and comprehension. So they should be split as several statements and stored the intermediate results in temporary variable.

Examples:

int NestInConditional = (condition1 ? true1 : false1) ? true2 : false2;
int NestInTrue = condition1 ? (condition2 ? true1 : false1) : false2;
int NestInFalse = condition1 ? true1 : condition2 ? true2 : false1;

This check implements part of AUTOSAR C++14 Rule A5-16-1.

readability-avoid-return-with-void-value

Finds return statements with void values used within functions with void result types.

A function with a void return type is intended to perform a task without producing a return value. Return statements with expressions could lead to confusion and may miscommunicate the function's intended behavior.

Example:

void g();
void f() {
    // ...
    return g();
}

In a long function body, the return statement suggests that the function returns a value. However, return g(); is a combination of two statements that should be written as

g();
return;

to make clear that g() is called and immediately afterwards the function returns (nothing).

In C, the same issue is detected by the compiler if the -Wpedantic mode is enabled.

Options

IgnoreMacros

The value false specifies that return statements expanded from macros are not checked. The default value is true.

StrictMode

The value false specifies that a direct return statement shall be excluded from the analysis if it is the only statement not contained in a block, like if (cond) return g();. The default value is true.

readability-avoid-unconditional-preprocessor-if

Finds code blocks that are constantly enabled or disabled in preprocessor directives by analyzing #if conditions, such as #if 0 and #if 1, etc.

#if 0
    // some disabled code
#endif

#if 1
   // some enabled code that can be disabled manually
#endif

Unconditional preprocessor directives, such as #if 0 for disabled code and #if 1 for enabled code, can lead to dead code and always enabled code, respectively. Dead code can make understanding the codebase more difficult, hinder readability, and may be a sign of unfinished functionality or abandoned features. This can cause maintenance issues, confusion for future developers, and potential compilation problems.

As a solution for both cases, consider using preprocessor macros or defines, like #ifdef DEBUGGING_ENABLED, to control code enabling or disabling. This approach provides better coordination and flexibility when working with different parts of the codebase. Alternatively, you can comment out the entire code using /* */ block comments and add a hint, such as @todo, to indicate future actions.

readability-braces-around-statements

google-readability-braces-around-statements redirects here as an alias for this check.

Checks that bodies of if statements and loops (for, do while, and while) are inside braces.

Before:

if (condition)
  statement;

After:

if (condition) {
  statement;
}

Options

ShortStatementLines

Defines the minimal number of lines that the statement should have in order to trigger this check.

The number of lines is counted from the end of condition or initial keyword (do/else) until the last line of the inner statement. Default value 0 means that braces will be added to all statements (not having them already).

readability-const-return-type

Checks for functions with a const-qualified return type and recommends removal of the const keyword. Such use of const is usually superfluous, and can prevent valuable compiler optimizations. Does not (yet) fix trailing return types.

Examples:

const int foo();
const Clazz foo();
Clazz *const foo();

Note that this applies strictly to top-level qualification, which excludes pointers or references to const values. For example, these are fine:

const int* foo();
const int& foo();
const Clazz* foo();

Options

IgnoreMacros

If set to true, the check will not give warnings inside macros. Default is true.

readability-container-contains

Finds usages of container.count() and container.find() == container.end() which should be replaced by a call to the container.contains() method introduced in C++20.

Whether an element is contained inside a container should be checked with contains instead of count/find because contains conveys the intent more clearly. Furthermore, for containers which permit multiple entries per key (multimap, multiset, ...), contains is more efficient than count because count has to do unnecessary additional work.

Examples:

Initial expressionResult
myMap.find(x) == myMap.end()!myMap.contains(x)
myMap.find(x) != myMap.end()myMap.contains(x)
if (myMap.count(x))if (myMap.contains(x))
bool exists = myMap.count(x)bool exists = myMap.contains(x)
bool exists = myMap.count(x) > 0bool exists = myMap.contains(x)
bool exists = myMap.count(x) >= 1bool exists = myMap.contains(x)
bool missing = myMap.count(x) == 0bool missing = !myMap.contains(x)

This check applies to std::set, std::unordered_set, std::map, std::unordered_map and the corresponding multi-key variants. It is only active for C++20 and later, as the contains method was only added in C++20.

readability-container-data-pointer

Finds cases where code could use data() rather than the address of the element at index 0 in a container. This pattern is commonly used to materialize a pointer to the backing data of a container. std::vector and std::string provide a data() accessor to retrieve the data pointer which should be preferred.

This also ensures that in the case that the container is empty, the data pointer access does not perform an errant memory access.

Options

IgnoredContainers

Semicolon-separated list of containers regexp for which this check won't be enforced. Default is empty.

readability-container-size-empty

Checks whether a call to the size()/length() method can be replaced with a call to empty().

The emptiness of a container should be checked using the empty() method instead of the size()/length() method. It is not guaranteed that size()/length() is a constant-time function, and it is generally more efficient and also shows clearer intent to use empty(). Furthermore some containers may implement the empty() method but not implement the size() or length() method. Using empty() whenever possible makes it easier to switch to another container in the future.

The check issues warning if a container has empty() and size() or length() methods matching following signatures:

size_type size() const;
size_type length() const;
bool empty() const;

size_type can be any kind of integer type.

ExcludedComparisonTypes

A semicolon-separated list of class names for which the check will ignore comparisons of objects with default-constructed objects of the same type. If a class is listed here, the check will not suggest using empty() instead of such comparisons for objects of that class. Default value is: ::std::array.

readability-convert-member-functions-to-static

Finds non-static member functions that can be made static because the functions don't use this.

After applying modifications as suggested by the check, running the check again might find more opportunities to mark member functions static.

After making a member function static, you might want to run the check readability-static-accessed-through-instance to replace calls like Instance.method() by Class::method().

readability-delete-null-pointer

Checks the if statements where a pointer's existence is checked and then deletes the pointer. The check is unnecessary as deleting a null pointer has no effect.

int *p;
if (p)
  delete p;

readability-duplicate-include

Looks for duplicate includes and removes them. Ā The check maintains a list of included files and looks for duplicates. Ā If a macro is defined or undefined then the list of included files is cleared.

Examples:

#include <memory>
#include <vector>
#include <memory>

becomes

#include <memory>
#include <vector>

Because of the intervening macro definitions, this code remains unchanged:

#undef NDEBUG
#include "assertion.h"
// ...code with assertions enabled

#define NDEBUG
#include "assertion.h"
// ...code with assertions disabled

readability-else-after-return

LLVM Coding Standards advises to reduce indentation where possible and where it makes understanding code easier. Early exit is one of the suggested enforcements of that. Please do not use else or else if after something that interrupts control flow - like return, break, continue, throw.

The following piece of code illustrates how the check works. This piece of code:

void foo(int Value) {
  int Local = 0;
  for (int i = 0; i < 42; i++) {
    if (Value == 1) {
      return;
    } else {
      Local++;
    }

    if (Value == 2)
      continue;
    else
      Local++;

    if (Value == 3) {
      throw 42;
    } else {
      Local++;
    }
  }
}

Would be transformed into:

void foo(int Value) {
  int Local = 0;
  for (int i = 0; i < 42; i++) {
    if (Value == 1) {
      return;
    }
    Local++;

    if (Value == 2)
      continue;
    Local++;

    if (Value == 3) {
      throw 42;
    }
    Local++;
  }
}

Options

WarnOnUnfixable

When true, emit a warning for cases where the check can't output a Fix-It. These can occur with declarations inside the else branch that would have an extended lifetime if the else branch was removed. Default value is true.

WarnOnConditionVariables

When true, the check will attempt to refactor a variable defined inside the condition of the if statement that is used in the else branch defining them just before the if statement. This can only be done if the if statement is the last statement in its parent's scope. Default value is true.

LLVM alias

There is an alias of this check called llvm-else-after-return. In that version the options WarnOnUnfixable and WarnOnConditionVariables are both set to false by default.

This check helps to enforce this LLVM Coding Standards recommendation.

readability-enum-initial-value

Enforces consistent style for enumerators' initialization, covering three styles: none, first only, or all initialized explicitly.

An inconsistent style and strictness to defining the initializing value of enumerators may cause issues if the enumeration is extended with new enumerators that obtain their integer representation implicitly.

The following three cases are accepted:

  1. No enumerators are explicit initialized.
  2. Exactly the first enumerator is explicit initialized.
  3. All enumerators are explicit initialized.

    enum A {    // (1) Valid, none of enumerators are initialized.
      a0,
      a1,
      a2,
    };
    
    enum B {    // (2) Valid, the first enumerator is initialized.
      b0 = 0,
      b1,
      b2,
    };
    
    enum C {    // (3) Valid, all of enumerators are initialized.
      c0 = 0,
      c1 = 1,
      c2 = 2,
    };
    
    enum D {    // Invalid, d1 is not explicitly initialized!
      d0 = 0,
      d1,
      d2 = 2,
    };
    
    enum E {    // Invalid, e1, e3, and e5 are not explicitly initialized.
      e0 = 0,
      e1,
      e2 = 2,
      e3,       // Dangerous, as the numeric values of e3 and e5 are both 3, and this is not explicitly visible in the code!
      e4 = 2,
      e5,
    };

This check corresponds to the CERT C Coding Standard recommendation INT09-C. Ensure enumeration constants map to unique values.

cert-int09-c redirects here as an alias of this check.

Options

AllowExplicitZeroFirstInitialValue

If set to false, the first enumerator must not be explicitly initialized to a literal 0. Default is true.

enum F {
  f0 = 0, // Not allowed if AllowExplicitZeroFirstInitialValue is false.
  f1,
  f2,
};
AllowExplicitSequentialInitialValues

If set to false, explicit initialization to sequential values are not allowed. Default is true.

enum G {
  g0 = 1, // Not allowed if AllowExplicitSequentialInitialValues is false.
  g1 = 2,
  g2 = 3,

readability-function-cognitive-complexity

Checks function Cognitive Complexity metric.

The metric is implemented as per the COGNITIVE COMPLEXITY by SonarSource specification version 1.2 (19 April 2017).

Options

Threshold

Flag functions with Cognitive Complexity exceeding this number. The default is 25.

DescribeBasicIncrements

If set to true, then for each function exceeding the complexity threshold the check will issue additional diagnostics on every piece of code (loop, if statement, etc.) which contributes to that complexity. See also the examples below. Default is true.

IgnoreMacros

If set to true, the check will ignore code inside macros. Note, that also any macro arguments are ignored, even if they should count to the complexity. As this might change in the future, this option isn't guaranteed to be forward-compatible. Default is false.

Building blocks

There are three basic building blocks of a Cognitive Complexity metric:

Increment

The following structures increase the function's Cognitive Complexity metric (by 1):

  • Conditional operators:

    • if()
    • else if()
    • else
    • cond ? true : false
  • switch()
  • Loops:
    • for()
    • C++11 range-based for()
    • while()
    • do while()
  • catch ()
  • goto LABEL, goto *(&&LABEL)),
  • sequences of binary logical operators:

    • boolean1 || boolean2
    • boolean1 && boolean2

Nesting level

While by itself the nesting level does not change the function's Cognitive Complexity metric, it is tracked, and is used by the next, third building block. The following structures increase the nesting level (by 1):

  • Conditional operators:

    • if()
    • else if()
    • else
    • cond ? true : false
  • switch()
  • Loops:
    • for()
    • C++11 range-based for()
    • while()
    • do while()
  • catch ()
  • Nested functions:

    • C++11 Lambda
    • Nested class
    • Nested struct
  • GNU statement expression
  • Apple Block Declaration

Nesting increment

This is where the previous basic building block, Nesting level, matters. The following structures increase the function's Cognitive Complexity metric by the current Nesting level:

  • Conditional operators:

    • if()
    • cond ? true : false
  • switch()
  • Loops:
    • for()
    • C++11 range-based for()
    • while()
    • do while()
  • catch ()

Examples

The simplest case. This function has Cognitive Complexity of 0.

void function0() {}

Slightly better example. This function has Cognitive Complexity of 1.

int function1(bool var) {
  if(var) // +1, nesting level +1
    return 42;
  return 0;
}

Full example. This function has Cognitive Complexity of 3.

int function3(bool var1, bool var2) {
  if(var1) { // +1, nesting level +1
    if(var2)  // +2 (1 + current nesting level of 1), nesting level +1
      return 42;
  }

  return 0;
}

In the last example, the check will flag function3 if the option Threshold is set to 2 or smaller. If the option DescribeBasicIncrements is set to true, it will additionally flag the two if statements with the amounts by which they increase to the complexity of the function and the current nesting level.

Limitations

The metric is implemented with two notable exceptions:
  • preprocessor conditionals (#ifdef, #if, #elif, #else, #endif) are not accounted for.
  • each method in a recursion cycle is not accounted for. It can't be fully implemented, because cross-translational-unit analysis would be needed, which is currently not possible in clang-tidy.

readability-function-size

google-readability-function-size redirects here as an alias for this check.

Checks for large functions based on various metrics.

Options

LineThreshold

Flag functions exceeding this number of lines. The default is none (ignore the number of lines).

StatementThreshold

Flag functions exceeding this number of statements. This may differ significantly from the number of lines for macro-heavy code. The default is 800.

BranchThreshold

Flag functions exceeding this number of control statements. The default is none (ignore the number of branches).

ParameterThreshold

Flag functions that exceed a specified number of parameters. The default is none (ignore the number of parameters).

NestingThreshold

Flag compound statements which create next nesting level after NestingThreshold. This may differ significantly from the expected value for macro-heavy code. The default is none (ignore the nesting level).

VariableThreshold

Flag functions exceeding this number of variables declared in the body. The default is none (ignore the number of variables). Please note that function parameters and variables declared in lambdas, GNU Statement Expressions, and nested class inline functions are not counted.

readability-identifier-length

This check finds variables and function parameters whose length are too short. The desired name length is configurable.

Special cases are supported for loop counters and for exception variable names.

Options

The following options are described below:

  • MinimumVariableNameLength, IgnoredVariableNames
  • MinimumParameterNameLength, IgnoredParameterNames
  • MinimumLoopCounterNameLength, IgnoredLoopCounterNames
  • MinimumExceptionNameLength, IgnoredExceptionVariableNames
MinimumVariableNameLength

All variables (other than loop counter, exception names and function parameters) are expected to have at least a length of MinimumVariableNameLength (default is 3). Setting it to 0 or 1 disables the check entirely.

int i = 42;    // warns that 'i' is too short

This check does not have any fix suggestions in the general case since variable names have semantic value.

IgnoredVariableNames

Specifies a regular expression for variable names that are to be ignored. The default value is empty, thus no names are ignored.

MinimumParameterNameLength

All function parameter names are expected to have a length of at least MinimumParameterNameLength (default is 3). Setting it to 0 or 1 disables the check entirely.

int doubler(int x)   // warns that x is too short
{
   return 2 * x;
}

This check does not have any fix suggestions in the general case since variable names have semantic value.

IgnoredParameterNames

Specifies a regular expression for parameters that are to be ignored. The default value is ^[n]$ for historical reasons.

MinimumLoopCounterNameLength

Loop counter variables are expected to have a length of at least MinimumLoopCounterNameLength characters (default is 2). Setting it to 0 or 1 disables the check entirely.

// This warns that 'q' is too short.
for (int q = 0; q < size; ++ q) {
   // ...
}
IgnoredLoopCounterNames

Specifies a regular expression for counter names that are to be ignored. The default value is ^[ijk_]$; the first three symbols for historical reasons and the last one since it is frequently used as a "don't care" value, specifically in tools such as Google Benchmark.

// This does not warn by default, for historical reasons.
for (int i = 0; i < size; ++ i) {
    // ...
}
MinimumExceptionNameLength

Exception clause variables are expected to have a length of at least MinimumExceptionNameLength (default is 2). Setting it to 0 or 1 disables the check entirely.

try {
    // ...
}
// This warns that 'e' is too short.
catch (const std::exception& x) {
    // ...
}
IgnoredExceptionVariableNames

Specifies a regular expression for exception variable names that are to be ignored. The default value is ^[e]$ mainly for historical reasons.

try {
    // ...
}
// This does not warn by default, for historical reasons.
catch (const std::exception& e) {
    // ...
}

readability-identifier-naming

Checks for identifiers naming style mismatch.

This check will try to enforce coding guidelines on the identifiers naming. It supports one of the following casing types and tries to convert from one to another if a mismatch is detected

Casing types include:

  • lower_case
  • UPPER_CASE
  • camelBack
  • CamelCase
  • camel_Snake_Back
  • Camel_Snake_Case
  • aNy_CasE
  • Leading_upper_snake_case

It also supports a fixed prefix and suffix that will be prepended or appended to the identifiers, regardless of the casing.

Many configuration options are available, in order to be able to create different rules for different kinds of identifiers. In general, the rules are falling back to a more generic rule if the specific case is not configured.

The naming of virtual methods is reported where they occur in the base class, but not where they are overridden, as it can't be fixed locally there. This also applies for pseudo-override patterns like CRTP.

Leading_upper_snake_case is a naming convention where the first word is capitalized followed by lower case word(s) separated by underscore(s) '_'. Examples include: Cap_snake_case, Cobra_case, Foo_bar_baz, and Master_copy_8gb.

Hungarian notation can be customized using different HungarianPrefix settings. The options and their corresponding values are:

  • Off - the default setting
  • On - example: int iVariable
  • LowerCase - example: int i_Variable
  • CamelCase - example: int IVariable

Options

The following options are described below:

  • AbstractClassCase, AbstractClassPrefix, AbstractClassSuffix, AbstractClassIgnoredRegexp, AbstractClassHungarianPrefix
  • AggressiveDependentMemberLookup
  • CheckAnonFieldInParent
  • ClassCase, ClassPrefix, ClassSuffix, ClassIgnoredRegexp, ClassHungarianPrefix
  • ClassConstantCase, ClassConstantPrefix, ClassConstantSuffix, ClassConstantIgnoredRegexp, ClassConstantHungarianPrefix
  • ClassMemberCase, ClassMemberPrefix, ClassMemberSuffix, ClassMemberIgnoredRegexp, ClassMemberHungarianPrefix
  • ClassMethodCase, ClassMethodPrefix, ClassMethodSuffix, ClassMethodIgnoredRegexp
  • ConceptCase, ConceptPrefix, ConceptSuffix, ConceptIgnoredRegexp
  • ConstantCase, ConstantPrefix, ConstantSuffix, ConstantIgnoredRegexp, ConstantHungarianPrefix
  • ConstantMemberCase, ConstantMemberPrefix, ConstantMemberSuffix, ConstantMemberIgnoredRegexp, ConstantMemberHungarianPrefix
  • ConstantParameterCase, ConstantParameterPrefix, ConstantParameterSuffix, ConstantParameterIgnoredRegexp, ConstantParameterHungarianPrefix
  • ConstantPointerParameterCase, ConstantPointerParameterPrefix, ConstantPointerParameterSuffix, ConstantPointerParameterIgnoredRegexp, ConstantPointerParameterHungarianPrefix
  • ConstexprFunctionCase, ConstexprFunctionPrefix, ConstexprFunctionSuffix, ConstexprFunctionIgnoredRegexp
  • ConstexprMethodCase, ConstexprMethodPrefix, ConstexprMethodSuffix, ConstexprMethodIgnoredRegexp
  • ConstexprVariableCase, ConstexprVariablePrefix, ConstexprVariableSuffix, ConstexprVariableIgnoredRegexp, ConstexprVariableHungarianPrefix
  • EnumCase, EnumPrefix, EnumSuffix, EnumIgnoredRegexp
  • EnumConstantCase, EnumConstantPrefix, EnumConstantSuffix, EnumConstantIgnoredRegexp, EnumConstantHungarianPrefix
  • FunctionCase, FunctionPrefix, FunctionSuffix, FunctionIgnoredRegexp
  • GetConfigPerFile
  • GlobalConstantCase, GlobalConstantPrefix, GlobalConstantSuffix, GlobalConstantIgnoredRegexp, GlobalConstantHungarianPrefix
  • GlobalConstantPointerCase, GlobalConstantPointerPrefix, GlobalConstantPointerSuffix, GlobalConstantPointerIgnoredRegexp, GlobalConstantPointerHungarianPrefix
  • GlobalFunctionCase, GlobalFunctionPrefix, GlobalFunctionSuffix, GlobalFunctionIgnoredRegexp
  • GlobalPointerCase, GlobalPointerPrefix, GlobalPointerSuffix, GlobalPointerIgnoredRegexp, GlobalPointerHungarianPrefix
  • GlobalVariableCase, GlobalVariablePrefix, GlobalVariableSuffix, GlobalVariableIgnoredRegexp, GlobalVariableHungarianPrefix
  • IgnoreMainLikeFunctions
  • InlineNamespaceCase, InlineNamespacePrefix, InlineNamespaceSuffix, InlineNamespaceIgnoredRegexp
  • LocalConstantCase, LocalConstantPrefix, LocalConstantSuffix, LocalConstantIgnoredRegexp, LocalConstantHungarianPrefix
  • LocalConstantPointerCase, LocalConstantPointerPrefix, LocalConstantPointerSuffix, LocalConstantPointerIgnoredRegexp, LocalConstantPointerHungarianPrefix
  • LocalPointerCase, LocalPointerPrefix, LocalPointerSuffix, LocalPointerIgnoredRegexp, LocalPointerHungarianPrefix
  • LocalVariableCase, LocalVariablePrefix, LocalVariableSuffix, LocalVariableIgnoredRegexp, LocalVariableHungarianPrefix
  • MacroDefinitionCase, MacroDefinitionPrefix, MacroDefinitionSuffix, MacroDefinitionIgnoredRegexp
  • MemberCase, MemberPrefix, MemberSuffix, MemberIgnoredRegexp, MemberHungarianPrefix
  • MethodCase, MethodPrefix, MethodSuffix, MethodIgnoredRegexp
  • NamespaceCase, NamespacePrefix, NamespaceSuffix, NamespaceIgnoredRegexp
  • ParameterCase, ParameterPrefix, ParameterSuffix, ParameterIgnoredRegexp, ParameterHungarianPrefix
  • ParameterPackCase, ParameterPackPrefix, ParameterPackSuffix, ParameterPackIgnoredRegexp
  • PointerParameterCase, PointerParameterPrefix, PointerParameterSuffix, PointerParameterIgnoredRegexp, PointerParameterHungarianPrefix
  • PrivateMemberCase, PrivateMemberPrefix, PrivateMemberSuffix, PrivateMemberIgnoredRegexp, PrivateMemberHungarianPrefix
  • PrivateMethodCase, PrivateMethodPrefix, PrivateMethodSuffix, PrivateMethodIgnoredRegexp
  • ProtectedMemberCase, ProtectedMemberPrefix, ProtectedMemberSuffix, ProtectedMemberIgnoredRegexp, ProtectedMemberHungarianPrefix
  • ProtectedMethodCase, ProtectedMethodPrefix, ProtectedMethodSuffix, ProtectedMethodIgnoredRegexp
  • PublicMemberCase, PublicMemberPrefix, PublicMemberSuffix, PublicMemberIgnoredRegexp, PublicMemberHungarianPrefix
  • PublicMethodCase, PublicMethodPrefix, PublicMethodSuffix, PublicMethodIgnoredRegexp
  • ScopedEnumConstantCase, ScopedEnumConstantPrefix, ScopedEnumConstantSuffix, ScopedEnumConstantIgnoredRegexp
  • StaticConstantCase, StaticConstantPrefix, StaticConstantSuffix, StaticConstantIgnoredRegexp, StaticConstantHungarianPrefix
  • StaticVariableCase, StaticVariablePrefix, StaticVariableSuffix, StaticVariableIgnoredRegexp, StaticVariableHungarianPrefix
  • StructCase, StructPrefix, StructSuffix, StructIgnoredRegexp
  • TemplateParameterCase, TemplateParameterPrefix, TemplateParameterSuffix, TemplateParameterIgnoredRegexp
  • TemplateTemplateParameterCase, TemplateTemplateParameterPrefix, TemplateTemplateParameterSuffix, TemplateTemplateParameterIgnoredRegexp
  • TypeAliasCase, TypeAliasPrefix, TypeAliasSuffix, TypeAliasIgnoredRegexp
  • TypedefCase, TypedefPrefix, TypedefSuffix, TypedefIgnoredRegexp
  • TypeTemplateParameterCase, TypeTemplateParameterPrefix, TypeTemplateParameterSuffix, TypeTemplateParameterIgnoredRegexp
  • UnionCase, UnionPrefix, UnionSuffix, UnionIgnoredRegexp
  • ValueTemplateParameterCase, ValueTemplateParameterPrefix, ValueTemplateParameterSuffix, ValueTemplateParameterIgnoredRegexp
  • VariableCase, VariablePrefix, VariableSuffix, VariableIgnoredRegexp, VariableHungarianPrefix
  • VirtualMethodCase, VirtualMethodPrefix, VirtualMethodSuffix, VirtualMethodIgnoredRegexp
AbstractClassCase

When defined, the check will ensure abstract class names conform to the selected casing.

AbstractClassPrefix

When defined, the check will ensure abstract class names will add the prefixed with the given value (regardless of casing).

AbstractClassIgnoredRegexp

Identifier naming checks won't be enforced for abstract class names matching this regular expression.

AbstractClassSuffix

When defined, the check will ensure abstract class names will add the suffix with the given value (regardless of casing).

AbstractClassHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • AbstractClassCase of lower_case
  • AbstractClassPrefix of pre_
  • AbstractClassSuffix of _post
  • AbstractClassHungarianPrefix of On

Identifies and/or transforms abstract class names as follows:

Before:

class ABSTRACT_CLASS {
public:
  ABSTRACT_CLASS();
};

After:

class pre_abstract_class_post {
public:
  pre_abstract_class_post();
};
AggressiveDependentMemberLookup

When set to true the check will look in dependent base classes for dependent member references that need changing. This can lead to errors with template specializations so the default value is false.

For example using values of:

  • ClassMemberCase of lower_case

Before:

template <typename T>
struct Base {
  T BadNamedMember;
};

template <typename T>
struct Derived : Base<T> {
  void reset() {
    this->BadNamedMember = 0;
  }
};

After if AggressiveDependentMemberLookup is false:

template <typename T>
struct Base {
  T bad_named_member;
};

template <typename T>
struct Derived : Base<T> {
  void reset() {
    this->BadNamedMember = 0;
  }
};

After if AggressiveDependentMemberLookup is true:

template <typename T>
struct Base {
  T bad_named_member;
};

template <typename T>
struct Derived : Base<T> {
  void reset() {
    this->bad_named_member = 0;
  }
};
CheckAnonFieldInParent

When set to true, fields in anonymous records (i.e. anonymous unions and structs) will be treated as names in the enclosing scope rather than public members of the anonymous record for the purpose of name checking.

For example:

class Foo {
private:
  union {
    int iv_;
    float fv_;
  };
};

If CheckAnonFieldInParent is false, you may get warnings that iv_ and fv_ are not coherent to public member names, because iv_ and fv_ are public members of the anonymous union. When CheckAnonFieldInParent is true, iv_ and fv_ will be treated as private data members of Foo for the purpose of name checking and thus no warnings will be emitted.

ClassCase

When defined, the check will ensure class names conform to the selected casing.

ClassPrefix

When defined, the check will ensure class names will add the prefixed with the given value (regardless of casing).

ClassIgnoredRegexp

Identifier naming checks won't be enforced for class names matching this regular expression.

ClassSuffix

When defined, the check will ensure class names will add the suffix with the given value (regardless of casing).

ClassHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • ClassCase of lower_case
  • ClassPrefix of pre_
  • ClassSuffix of _post
  • ClassHungarianPrefix of On

Identifies and/or transforms class names as follows:

Before:

class FOO {
public:
  FOO();
  ~FOO();
};

After:

class pre_foo_post {
public:
  pre_foo_post();
  ~pre_foo_post();
};
ClassConstantCase

When defined, the check will ensure class constant names conform to the selected casing.

ClassConstantPrefix

When defined, the check will ensure class constant names will add the prefixed with the given value (regardless of casing).

ClassConstantIgnoredRegexp

Identifier naming checks won't be enforced for class constant names matching this regular expression.

ClassConstantSuffix

When defined, the check will ensure class constant names will add the suffix with the given value (regardless of casing).

ClassConstantHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • ClassConstantCase of lower_case
  • ClassConstantPrefix of pre_
  • ClassConstantSuffix of _post
  • ClassConstantHungarianPrefix of On

Identifies and/or transforms class constant names as follows:

Before:

class FOO {
public:
  static const int CLASS_CONSTANT;
};

After:

class FOO {
public:
  static const int pre_class_constant_post;
};
ClassMemberCase

When defined, the check will ensure class member names conform to the selected casing.

ClassMemberPrefix

When defined, the check will ensure class member names will add the prefixed with the given value (regardless of casing).

ClassMemberIgnoredRegexp

Identifier naming checks won't be enforced for class member names matching this regular expression.

ClassMemberSuffix

When defined, the check will ensure class member names will add the suffix with the given value (regardless of casing).

ClassMemberHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • ClassMemberCase of lower_case
  • ClassMemberPrefix of pre_
  • ClassMemberSuffix of _post
  • ClassMemberHungarianPrefix of On

Identifies and/or transforms class member names as follows:

Before:

class FOO {
public:
  static int CLASS_CONSTANT;
};

After:

class FOO {
public:
  static int pre_class_constant_post;
};
ClassMethodCase

When defined, the check will ensure class method names conform to the selected casing.

ClassMethodPrefix

When defined, the check will ensure class method names will add the prefixed with the given value (regardless of casing).

ClassMethodIgnoredRegexp

Identifier naming checks won't be enforced for class method names matching this regular expression.

ClassMethodSuffix

When defined, the check will ensure class method names will add the suffix with the given value (regardless of casing).

For example using values of:

  • ClassMethodCase of lower_case
  • ClassMethodPrefix of pre_
  • ClassMethodSuffix of _post

Identifies and/or transforms class method names as follows:

Before:

class FOO {
public:
  int CLASS_MEMBER();
};

After:

class FOO {
public:
  int pre_class_member_post();
};
ConceptCase

When defined, the check will ensure concept names conform to the selected casing.

ConceptPrefix

When defined, the check will ensure concept names will add the prefixed with the given value (regardless of casing).

ConceptIgnoredRegexp

Identifier naming checks won't be enforced for concept names matching this regular expression.

ConceptSuffix

When defined, the check will ensure concept names will add the suffix with the given value (regardless of casing).

For example using values of:

  • ConceptCase of CamelCase
  • ConceptPrefix of Pre
  • ConceptSuffix of Post

Identifies and/or transforms concept names as follows:

Before:

template<typename T> concept my_concept = requires (T t) { {t++}; };

After:

template<typename T> concept PreMyConceptPost = requires (T t) { {t++}; };
ConstantCase

When defined, the check will ensure constant names conform to the selected casing.

ConstantPrefix

When defined, the check will ensure constant names will add the prefixed with the given value (regardless of casing).

ConstantIgnoredRegexp

Identifier naming checks won't be enforced for constant names matching this regular expression.

ConstantSuffix

When defined, the check will ensure constant names will add the suffix with the given value (regardless of casing).

ConstantHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • ConstantCase of lower_case
  • ConstantPrefix of pre_
  • ConstantSuffix of _post
  • ConstantHungarianPrefix of On

Identifies and/or transforms constant names as follows:

Before:

void function() { unsigned const MyConst_array[] = {1, 2, 3}; }

After:

void function() { unsigned const pre_myconst_array_post[] = {1, 2, 3}; }
ConstantMemberCase

When defined, the check will ensure constant member names conform to the selected casing.

ConstantMemberPrefix

When defined, the check will ensure constant member names will add the prefixed with the given value (regardless of casing).

ConstantMemberIgnoredRegexp

Identifier naming checks won't be enforced for constant member names matching this regular expression.

ConstantMemberSuffix

When defined, the check will ensure constant member names will add the suffix with the given value (regardless of casing).

ConstantMemberHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • ConstantMemberCase of lower_case
  • ConstantMemberPrefix of pre_
  • ConstantMemberSuffix of _post
  • ConstantMemberHungarianPrefix of On

Identifies and/or transforms constant member names as follows:

Before:

class Foo {
  char const MY_ConstMember_string[4] = "123";
}

After:

class Foo {
  char const pre_my_constmember_string_post[4] = "123";
}
ConstantParameterCase

When defined, the check will ensure constant parameter names conform to the selected casing.

ConstantParameterPrefix

When defined, the check will ensure constant parameter names will add the prefixed with the given value (regardless of casing).

ConstantParameterIgnoredRegexp

Identifier naming checks won't be enforced for constant parameter names matching this regular expression.

ConstantParameterSuffix

When defined, the check will ensure constant parameter names will add the suffix with the given value (regardless of casing).

ConstantParameterHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • ConstantParameterCase of lower_case
  • ConstantParameterPrefix of pre_
  • ConstantParameterSuffix of _post
  • ConstantParameterHungarianPrefix of On

Identifies and/or transforms constant parameter names as follows:

Before:

void GLOBAL_FUNCTION(int PARAMETER_1, int const CONST_parameter);

After:

void GLOBAL_FUNCTION(int PARAMETER_1, int const pre_const_parameter_post);
ConstantPointerParameterCase

When defined, the check will ensure constant pointer parameter names conform to the selected casing.

ConstantPointerParameterPrefix

When defined, the check will ensure constant pointer parameter names will add the prefixed with the given value (regardless of casing).

ConstantPointerParameterIgnoredRegexp

Identifier naming checks won't be enforced for constant pointer parameter names matching this regular expression.

ConstantPointerParameterSuffix

When defined, the check will ensure constant pointer parameter names will add the suffix with the given value (regardless of casing).

ConstantPointerParameterHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • ConstantPointerParameterCase of lower_case
  • ConstantPointerParameterPrefix of pre_
  • ConstantPointerParameterSuffix of _post
  • ConstantPointerParameterHungarianPrefix of On

Identifies and/or transforms constant pointer parameter names as follows:

Before:

void GLOBAL_FUNCTION(int const *CONST_parameter);

After:

void GLOBAL_FUNCTION(int const *pre_const_parameter_post);
ConstexprFunctionCase

When defined, the check will ensure constexpr function names conform to the selected casing.

ConstexprFunctionPrefix

When defined, the check will ensure constexpr function names will add the prefixed with the given value (regardless of casing).

ConstexprFunctionIgnoredRegexp

Identifier naming checks won't be enforced for constexpr function names matching this regular expression.

ConstexprFunctionSuffix

When defined, the check will ensure constexpr function names will add the suffix with the given value (regardless of casing).

For example using values of:

  • ConstexprFunctionCase of lower_case
  • ConstexprFunctionPrefix of pre_
  • ConstexprFunctionSuffix of _post

Identifies and/or transforms constexpr function names as follows:

Before:

constexpr int CE_function() { return 3; }

After:

constexpr int pre_ce_function_post() { return 3; }
ConstexprMethodCase

When defined, the check will ensure constexpr method names conform to the selected casing.

ConstexprMethodPrefix

When defined, the check will ensure constexpr method names will add the prefixed with the given value (regardless of casing).

ConstexprMethodIgnoredRegexp

Identifier naming checks won't be enforced for constexpr method names matching this regular expression.

ConstexprMethodSuffix

When defined, the check will ensure constexpr method names will add the suffix with the given value (regardless of casing).

For example using values of:

  • ConstexprMethodCase of lower_case
  • ConstexprMethodPrefix of pre_
  • ConstexprMethodSuffix of _post

Identifies and/or transforms constexpr method names as follows:

Before:

class Foo {
public:
  constexpr int CST_expr_Method() { return 2; }
}

After:

class Foo {
public:
  constexpr int pre_cst_expr_method_post() { return 2; }
}
ConstexprVariableCase

When defined, the check will ensure constexpr variable names conform to the selected casing.

ConstexprVariablePrefix

When defined, the check will ensure constexpr variable names will add the prefixed with the given value (regardless of casing).

ConstexprVariableIgnoredRegexp

Identifier naming checks won't be enforced for constexpr variable names matching this regular expression.

ConstexprVariableSuffix

When defined, the check will ensure constexpr variable names will add the suffix with the given value (regardless of casing).

ConstexprVariableHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • ConstexprVariableCase of lower_case
  • ConstexprVariablePrefix of pre_
  • ConstexprVariableSuffix of _post
  • ConstexprVariableHungarianPrefix of On

Identifies and/or transforms constexpr variable names as follows:

Before:

constexpr int ConstExpr_variable = MyConstant;

After:

constexpr int pre_constexpr_variable_post = MyConstant;
EnumCase

When defined, the check will ensure enumeration names conform to the selected casing.

EnumPrefix

When defined, the check will ensure enumeration names will add the prefixed with the given value (regardless of casing).

EnumIgnoredRegexp

Identifier naming checks won't be enforced for enumeration names matching this regular expression.

EnumSuffix

When defined, the check will ensure enumeration names will add the suffix with the given value (regardless of casing).

For example using values of:

  • EnumCase of lower_case
  • EnumPrefix of pre_
  • EnumSuffix of _post

Identifies and/or transforms enumeration names as follows:

Before:

enum FOO { One, Two, Three };

After:

enum pre_foo_post { One, Two, Three };
EnumConstantCase

When defined, the check will ensure enumeration constant names conform to the selected casing.

EnumConstantPrefix

When defined, the check will ensure enumeration constant names will add the prefixed with the given value (regardless of casing).

EnumConstantIgnoredRegexp

Identifier naming checks won't be enforced for enumeration constant names matching this regular expression.

EnumConstantSuffix

When defined, the check will ensure enumeration constant names will add the suffix with the given value (regardless of casing).

EnumConstantHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • EnumConstantCase of lower_case
  • EnumConstantPrefix of pre_
  • EnumConstantSuffix of _post
  • EnumConstantHungarianPrefix of On

Identifies and/or transforms enumeration constant names as follows:

Before:

enum FOO { One, Two, Three };

After:

enum FOO { pre_One_post, pre_Two_post, pre_Three_post };
FunctionCase

When defined, the check will ensure function names conform to the selected casing.

FunctionPrefix

When defined, the check will ensure function names will add the prefixed with the given value (regardless of casing).

FunctionIgnoredRegexp

Identifier naming checks won't be enforced for function names matching this regular expression.

FunctionSuffix

When defined, the check will ensure function names will add the suffix with the given value (regardless of casing).

For example using values of:

  • FunctionCase of lower_case
  • FunctionPrefix of pre_
  • FunctionSuffix of _post

Identifies and/or transforms function names as follows:

Before:

char MY_Function_string();

After:

char pre_my_function_string_post();
GetConfigPerFile

When true the check will look for the configuration for where an identifier is declared. Useful for when included header files use a different style. Default value is true.

GlobalConstantCase

When defined, the check will ensure global constant names conform to the selected casing.

GlobalConstantPrefix

When defined, the check will ensure global constant names will add the prefixed with the given value (regardless of casing).

GlobalConstantIgnoredRegexp

Identifier naming checks won't be enforced for global constant names matching this regular expression.

GlobalConstantSuffix

When defined, the check will ensure global constant names will add the suffix with the given value (regardless of casing).

GlobalConstantHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • GlobalConstantCase of lower_case
  • GlobalConstantPrefix of pre_
  • GlobalConstantSuffix of _post
  • GlobalConstantHungarianPrefix of On

Identifies and/or transforms global constant names as follows:

Before:

unsigned const MyConstGlobal_array[] = {1, 2, 3};

After:

unsigned const pre_myconstglobal_array_post[] = {1, 2, 3};
GlobalConstantPointerCase

When defined, the check will ensure global constant pointer names conform to the selected casing.

GlobalConstantPointerPrefix

When defined, the check will ensure global constant pointer names will add the prefixed with the given value (regardless of casing).

GlobalConstantPointerIgnoredRegexp

Identifier naming checks won't be enforced for global constant pointer names matching this regular expression.

GlobalConstantPointerSuffix

When defined, the check will ensure global constant pointer names will add the suffix with the given value (regardless of casing).

GlobalConstantPointerHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • GlobalConstantPointerCase of lower_case
  • GlobalConstantPointerPrefix of pre_
  • GlobalConstantPointerSuffix of _post
  • GlobalConstantPointerHungarianPrefix of On

Identifies and/or transforms global constant pointer names as follows:

Before:

int *const MyConstantGlobalPointer = nullptr;

After:

int *const pre_myconstantglobalpointer_post = nullptr;
GlobalFunctionCase

When defined, the check will ensure global function names conform to the selected casing.

GlobalFunctionPrefix

When defined, the check will ensure global function names will add the prefixed with the given value (regardless of casing).

GlobalFunctionIgnoredRegexp

Identifier naming checks won't be enforced for global function names matching this regular expression.

GlobalFunctionSuffix

When defined, the check will ensure global function names will add the suffix with the given value (regardless of casing).

For example using values of:

  • GlobalFunctionCase of lower_case
  • GlobalFunctionPrefix of pre_
  • GlobalFunctionSuffix of _post

Identifies and/or transforms global function names as follows:

Before:

void GLOBAL_FUNCTION(int PARAMETER_1, int const CONST_parameter);

After:

void pre_global_function_post(int PARAMETER_1, int const CONST_parameter);
GlobalPointerCase

When defined, the check will ensure global pointer names conform to the selected casing.

GlobalPointerPrefix

When defined, the check will ensure global pointer names will add the prefixed with the given value (regardless of casing).

GlobalPointerIgnoredRegexp

Identifier naming checks won't be enforced for global pointer names matching this regular expression.

GlobalPointerSuffix

When defined, the check will ensure global pointer names will add the suffix with the given value (regardless of casing).

GlobalPointerHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • GlobalPointerCase of lower_case
  • GlobalPointerPrefix of pre_
  • GlobalPointerSuffix of _post
  • GlobalPointerHungarianPrefix of On

Identifies and/or transforms global pointer names as follows:

Before:

int *GLOBAL3;

After:

int *pre_global3_post;
GlobalVariableCase

When defined, the check will ensure global variable names conform to the selected casing.

GlobalVariablePrefix

When defined, the check will ensure global variable names will add the prefixed with the given value (regardless of casing).

GlobalVariableIgnoredRegexp

Identifier naming checks won't be enforced for global variable names matching this regular expression.

GlobalVariableSuffix

When defined, the check will ensure global variable names will add the suffix with the given value (regardless of casing).

GlobalVariableHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • GlobalVariableCase of lower_case
  • GlobalVariablePrefix of pre_
  • GlobalVariableSuffix of _post
  • GlobalVariableHungarianPrefix of On

Identifies and/or transforms global variable names as follows:

Before:

int GLOBAL3;

After:

int pre_global3_post;
IgnoreMainLikeFunctions

When set to true functions that have a similar signature to main or wmain won't enforce checks on the names of their parameters. Default value is false.

InlineNamespaceCase

When defined, the check will ensure inline namespaces names conform to the selected casing.

InlineNamespacePrefix

When defined, the check will ensure inline namespaces names will add the prefixed with the given value (regardless of casing).

InlineNamespaceIgnoredRegexp

Identifier naming checks won't be enforced for inline namespaces names matching this regular expression.

InlineNamespaceSuffix

When defined, the check will ensure inline namespaces names will add the suffix with the given value (regardless of casing).

For example using values of:

  • InlineNamespaceCase of lower_case
  • InlineNamespacePrefix of pre_
  • InlineNamespaceSuffix of _post

Identifies and/or transforms inline namespaces names as follows:

Before:

namespace FOO_NS {
inline namespace InlineNamespace {
...
}
} // namespace FOO_NS

After:

namespace FOO_NS {
inline namespace pre_inlinenamespace_post {
...
}
} // namespace FOO_NS
LocalConstantCase

When defined, the check will ensure local constant names conform to the selected casing.

LocalConstantPrefix

When defined, the check will ensure local constant names will add the prefixed with the given value (regardless of casing).

LocalConstantIgnoredRegexp

Identifier naming checks won't be enforced for local constant names matching this regular expression.

LocalConstantSuffix

When defined, the check will ensure local constant names will add the suffix with the given value (regardless of casing).

LocalConstantHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • LocalConstantCase of lower_case
  • LocalConstantPrefix of pre_
  • LocalConstantSuffix of _post
  • LocalConstantHungarianPrefix of On

Identifies and/or transforms local constant names as follows:

Before:

void foo() { int const local_Constant = 3; }

After:

void foo() { int const pre_local_constant_post = 3; }
LocalConstantPointerCase

When defined, the check will ensure local constant pointer names conform to the selected casing.

LocalConstantPointerPrefix

When defined, the check will ensure local constant pointer names will add the prefixed with the given value (regardless of casing).

LocalConstantPointerIgnoredRegexp

Identifier naming checks won't be enforced for local constant pointer names matching this regular expression.

LocalConstantPointerSuffix

When defined, the check will ensure local constant pointer names will add the suffix with the given value (regardless of casing).

LocalConstantPointerHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • LocalConstantPointerCase of lower_case
  • LocalConstantPointerPrefix of pre_
  • LocalConstantPointerSuffix of _post
  • LocalConstantPointerHungarianPrefix of On

Identifies and/or transforms local constant pointer names as follows:

Before:

void foo() { int const *local_Constant = 3; }

After:

void foo() { int const *pre_local_constant_post = 3; }
LocalPointerCase

When defined, the check will ensure local pointer names conform to the selected casing.

LocalPointerPrefix

When defined, the check will ensure local pointer names will add the prefixed with the given value (regardless of casing).

LocalPointerIgnoredRegexp

Identifier naming checks won't be enforced for local pointer names matching this regular expression.

LocalPointerSuffix

When defined, the check will ensure local pointer names will add the suffix with the given value (regardless of casing).

LocalPointerHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • LocalPointerCase of lower_case
  • LocalPointerPrefix of pre_
  • LocalPointerSuffix of _post
  • LocalPointerHungarianPrefix of On

Identifies and/or transforms local pointer names as follows:

Before:

void foo() { int *local_Constant; }

After:

void foo() { int *pre_local_constant_post; }
LocalVariableCase

When defined, the check will ensure local variable names conform to the selected casing.

LocalVariablePrefix

When defined, the check will ensure local variable names will add the prefixed with the given value (regardless of casing).

LocalVariableIgnoredRegexp

Identifier naming checks won't be enforced for local variable names matching this regular expression.

For example using values of:

  • LocalVariableCase of CamelCase
  • LocalVariableIgnoredRegexp of \w{1,2}

Will exclude variables with a length less than or equal to 2 from the camel case check applied to other variables.

LocalVariableSuffix

When defined, the check will ensure local variable names will add the suffix with the given value (regardless of casing).

LocalVariableHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • LocalVariableCase of lower_case
  • LocalVariablePrefix of pre_
  • LocalVariableSuffix of _post
  • LocalVariableHungarianPrefix of On

Identifies and/or transforms local variable names as follows:

Before:

void foo() { int local_Constant; }

After:

void foo() { int pre_local_constant_post; }
MacroDefinitionCase

When defined, the check will ensure macro definitions conform to the selected casing.

MacroDefinitionPrefix

When defined, the check will ensure macro definitions will add the prefixed with the given value (regardless of casing).

MacroDefinitionIgnoredRegexp

Identifier naming checks won't be enforced for macro definitions matching this regular expression.

MacroDefinitionSuffix

When defined, the check will ensure macro definitions will add the suffix with the given value (regardless of casing).

For example using values of:

  • MacroDefinitionCase of lower_case
  • MacroDefinitionPrefix of pre_
  • MacroDefinitionSuffix of _post

Identifies and/or transforms macro definitions as follows:

Before:

#define MY_MacroDefinition

After:

#define pre_my_macro_definition_post

Note: This will not warn on builtin macros or macros defined on the command line using the -D flag.

MemberCase

When defined, the check will ensure member names conform to the selected casing.

MemberPrefix

When defined, the check will ensure member names will add the prefixed with the given value (regardless of casing).

MemberIgnoredRegexp

Identifier naming checks won't be enforced for member names matching this regular expression.

MemberSuffix

When defined, the check will ensure member names will add the suffix with the given value (regardless of casing).

MemberHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • MemberCase of lower_case
  • MemberPrefix of pre_
  • MemberSuffix of _post
  • MemberHungarianPrefix of On

Identifies and/or transforms member names as follows:

Before:

class Foo {
  char MY_ConstMember_string[4];
}

After:

class Foo {
  char pre_my_constmember_string_post[4];
}
MethodCase

When defined, the check will ensure method names conform to the selected casing.

MethodPrefix

When defined, the check will ensure method names will add the prefixed with the given value (regardless of casing).

MethodIgnoredRegexp

Identifier naming checks won't be enforced for method names matching this regular expression.

MethodSuffix

When defined, the check will ensure method names will add the suffix with the given value (regardless of casing).

For example using values of:

  • MethodCase of lower_case
  • MethodPrefix of pre_
  • MethodSuffix of _post

Identifies and/or transforms method names as follows:

Before:

class Foo {
  char MY_Method_string();
}

After:

class Foo {
  char pre_my_method_string_post();
}
NamespaceCase

When defined, the check will ensure namespace names conform to the selected casing.

NamespacePrefix

When defined, the check will ensure namespace names will add the prefixed with the given value (regardless of casing).

NamespaceIgnoredRegexp

Identifier naming checks won't be enforced for namespace names matching this regular expression.

NamespaceSuffix

When defined, the check will ensure namespace names will add the suffix with the given value (regardless of casing).

For example using values of:

  • NamespaceCase of lower_case
  • NamespacePrefix of pre_
  • NamespaceSuffix of _post

Identifies and/or transforms namespace names as follows:

Before:

namespace FOO_NS {
...
}

After:

namespace pre_foo_ns_post {
...
}
ParameterCase

When defined, the check will ensure parameter names conform to the selected casing.

ParameterPrefix

When defined, the check will ensure parameter names will add the prefixed with the given value (regardless of casing).

ParameterIgnoredRegexp

Identifier naming checks won't be enforced for parameter names matching this regular expression.

ParameterSuffix

When defined, the check will ensure parameter names will add the suffix with the given value (regardless of casing).

ParameterHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • ParameterCase of lower_case
  • ParameterPrefix of pre_
  • ParameterSuffix of _post
  • ParameterHungarianPrefix of On

Identifies and/or transforms parameter names as follows:

Before:

void GLOBAL_FUNCTION(int PARAMETER_1, int const CONST_parameter);

After:

void GLOBAL_FUNCTION(int pre_parameter_post, int const CONST_parameter);
ParameterPackCase

When defined, the check will ensure parameter pack names conform to the selected casing.

ParameterPackPrefix

When defined, the check will ensure parameter pack names will add the prefixed with the given value (regardless of casing).

ParameterPackIgnoredRegexp

Identifier naming checks won't be enforced for parameter pack names matching this regular expression.

ParameterPackSuffix

When defined, the check will ensure parameter pack names will add the suffix with the given value (regardless of casing).

For example using values of:

  • ParameterPackCase of lower_case
  • ParameterPackPrefix of pre_
  • ParameterPackSuffix of _post

Identifies and/or transforms parameter pack names as follows:

Before:

template <typename... TYPE_parameters> {
  void FUNCTION(int... TYPE_parameters);
}

After:

template <typename... TYPE_parameters> {
  void FUNCTION(int... pre_type_parameters_post);
}
PointerParameterCase

When defined, the check will ensure pointer parameter names conform to the selected casing.

PointerParameterPrefix

When defined, the check will ensure pointer parameter names will add the prefixed with the given value (regardless of casing).

PointerParameterIgnoredRegexp

Identifier naming checks won't be enforced for pointer parameter names matching this regular expression.

PointerParameterSuffix

When defined, the check will ensure pointer parameter names will add the suffix with the given value (regardless of casing).

PointerParameterHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • PointerParameterCase of lower_case
  • PointerParameterPrefix of pre_
  • PointerParameterSuffix of _post
  • PointerParameterHungarianPrefix of On

Identifies and/or transforms pointer parameter names as follows:

Before:

void FUNCTION(int *PARAMETER);

After:

void FUNCTION(int *pre_parameter_post);
PrivateMemberCase

When defined, the check will ensure private member names conform to the selected casing.

PrivateMemberPrefix

When defined, the check will ensure private member names will add the prefixed with the given value (regardless of casing).

PrivateMemberIgnoredRegexp

Identifier naming checks won't be enforced for private member names matching this regular expression.

PrivateMemberSuffix

When defined, the check will ensure private member names will add the suffix with the given value (regardless of casing).

PrivateMemberHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • PrivateMemberCase of lower_case
  • PrivateMemberPrefix of pre_
  • PrivateMemberSuffix of _post
  • PrivateMemberHungarianPrefix of On

Identifies and/or transforms private member names as follows:

Before:

class Foo {
private:
  int Member_Variable;
}

After:

class Foo {
private:
  int pre_member_variable_post;
}
PrivateMethodCase

When defined, the check will ensure private method names conform to the selected casing.

PrivateMethodPrefix

When defined, the check will ensure private method names will add the prefixed with the given value (regardless of casing).

PrivateMethodIgnoredRegexp

Identifier naming checks won't be enforced for private method names matching this regular expression.

PrivateMethodSuffix

When defined, the check will ensure private method names will add the suffix with the given value (regardless of casing).

For example using values of:

  • PrivateMethodCase of lower_case
  • PrivateMethodPrefix of pre_
  • PrivateMethodSuffix of _post

Identifies and/or transforms private method names as follows:

Before:

class Foo {
private:
  int Member_Method();
}

After:

class Foo {
private:
  int pre_member_method_post();
}
ProtectedMemberCase

When defined, the check will ensure protected member names conform to the selected casing.

ProtectedMemberPrefix

When defined, the check will ensure protected member names will add the prefixed with the given value (regardless of casing).

ProtectedMemberIgnoredRegexp

Identifier naming checks won't be enforced for protected member names matching this regular expression.

ProtectedMemberSuffix

When defined, the check will ensure protected member names will add the suffix with the given value (regardless of casing).

ProtectedMemberHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • ProtectedMemberCase of lower_case
  • ProtectedMemberPrefix of pre_
  • ProtectedMemberSuffix of _post
  • ProtectedMemberHungarianPrefix of On

Identifies and/or transforms protected member names as follows:

Before:

class Foo {
protected:
  int Member_Variable;
}

After:

class Foo {
protected:
  int pre_member_variable_post;
}
ProtectedMethodCase

When defined, the check will ensure protected method names conform to the selected casing.

ProtectedMethodPrefix

When defined, the check will ensure protected method names will add the prefixed with the given value (regardless of casing).

ProtectedMethodIgnoredRegexp

Identifier naming checks won't be enforced for protected method names matching this regular expression.

ProtectedMethodSuffix

When defined, the check will ensure protected method names will add the suffix with the given value (regardless of casing).

For example using values of:

  • ProtectedMethodCase of lower_case
  • ProtectedMethodPrefix of pre_
  • ProtectedMethodSuffix of _post

Identifies and/or transforms protect method names as follows:

Before:

class Foo {
protected:
  int Member_Method();
}

After:

class Foo {
protected:
  int pre_member_method_post();
}
PublicMemberCase

When defined, the check will ensure public member names conform to the selected casing.

PublicMemberPrefix

When defined, the check will ensure public member names will add the prefixed with the given value (regardless of casing).

PublicMemberIgnoredRegexp

Identifier naming checks won't be enforced for public member names matching this regular expression.

PublicMemberSuffix

When defined, the check will ensure public member names will add the suffix with the given value (regardless of casing).

PublicMemberHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • PublicMemberCase of lower_case
  • PublicMemberPrefix of pre_
  • PublicMemberSuffix of _post
  • PublicMemberHungarianPrefix of On

Identifies and/or transforms public member names as follows:

Before:

class Foo {
public:
  int Member_Variable;
}

After:

class Foo {
public:
  int pre_member_variable_post;
}
PublicMethodCase

When defined, the check will ensure public method names conform to the selected casing.

PublicMethodPrefix

When defined, the check will ensure public method names will add the prefixed with the given value (regardless of casing).

PublicMethodIgnoredRegexp

Identifier naming checks won't be enforced for public method names matching this regular expression.

PublicMethodSuffix

When defined, the check will ensure public method names will add the suffix with the given value (regardless of casing).

For example using values of:

  • PublicMethodCase of lower_case
  • PublicMethodPrefix of pre_
  • PublicMethodSuffix of _post

Identifies and/or transforms public method names as follows:

Before:

class Foo {
public:
  int Member_Method();
}

After:

class Foo {
public:
  int pre_member_method_post();
}
ScopedEnumConstantCase

When defined, the check will ensure scoped enum constant names conform to the selected casing.

ScopedEnumConstantPrefix

When defined, the check will ensure scoped enum constant names will add the prefixed with the given value (regardless of casing).

ScopedEnumConstantIgnoredRegexp

Identifier naming checks won't be enforced for scoped enum constant names matching this regular expression.

ScopedEnumConstantSuffix

When defined, the check will ensure scoped enum constant names will add the suffix with the given value (regardless of casing).

ScopedEnumConstantHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • ScopedEnumConstantCase of lower_case
  • ScopedEnumConstantPrefix of pre_
  • ScopedEnumConstantSuffix of _post
  • ScopedEnumConstantHungarianPrefix of On

Identifies and/or transforms enumeration constant names as follows:

Before:

enum class FOO { One, Two, Three };

After:

enum class FOO { pre_One_post, pre_Two_post, pre_Three_post };
StaticConstantCase

When defined, the check will ensure static constant names conform to the selected casing.

StaticConstantPrefix

When defined, the check will ensure static constant names will add the prefixed with the given value (regardless of casing).

StaticConstantIgnoredRegexp

Identifier naming checks won't be enforced for static constant names matching this regular expression.

StaticConstantSuffix

When defined, the check will ensure static constant names will add the suffix with the given value (regardless of casing).

StaticConstantHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • StaticConstantCase of lower_case
  • StaticConstantPrefix of pre_
  • StaticConstantSuffix of _post
  • StaticConstantHungarianPrefix of On

Identifies and/or transforms static constant names as follows:

Before:

static unsigned const MyConstStatic_array[] = {1, 2, 3};

After:

static unsigned const pre_myconststatic_array_post[] = {1, 2, 3};
StaticVariableCase

When defined, the check will ensure static variable names conform to the selected casing.

StaticVariablePrefix

When defined, the check will ensure static variable names will add the prefixed with the given value (regardless of casing).

StaticVariableIgnoredRegexp

Identifier naming checks won't be enforced for static variable names matching this regular expression.

StaticVariableSuffix

When defined, the check will ensure static variable names will add the suffix with the given value (regardless of casing).

StaticVariableHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • StaticVariableCase of lower_case
  • StaticVariablePrefix of pre_
  • StaticVariableSuffix of _post
  • StaticVariableHungarianPrefix of On

Identifies and/or transforms static variable names as follows:

Before:

static unsigned MyStatic_array[] = {1, 2, 3};

After:

static unsigned pre_mystatic_array_post[] = {1, 2, 3};
StructCase

When defined, the check will ensure struct names conform to the selected casing.

StructPrefix

When defined, the check will ensure struct names will add the prefixed with the given value (regardless of casing).

StructIgnoredRegexp

Identifier naming checks won't be enforced for struct names matching this regular expression.

StructSuffix

When defined, the check will ensure struct names will add the suffix with the given value (regardless of casing).

For example using values of:

  • StructCase of lower_case
  • StructPrefix of pre_
  • StructSuffix of _post

Identifies and/or transforms struct names as follows:

Before:

struct FOO {
  FOO();
  ~FOO();
};

After:

struct pre_foo_post {
  pre_foo_post();
  ~pre_foo_post();
};
TemplateParameterCase

When defined, the check will ensure template parameter names conform to the selected casing.

TemplateParameterPrefix

When defined, the check will ensure template parameter names will add the prefixed with the given value (regardless of casing).

TemplateParameterIgnoredRegexp

Identifier naming checks won't be enforced for template parameter names matching this regular expression.

TemplateParameterSuffix

When defined, the check will ensure template parameter names will add the suffix with the given value (regardless of casing).

For example using values of:

  • TemplateParameterCase of lower_case
  • TemplateParameterPrefix of pre_
  • TemplateParameterSuffix of _post

Identifies and/or transforms template parameter names as follows:

Before:

template <typename T> class Foo {};

After:

template <typename pre_t_post> class Foo {};
TemplateTemplateParameterCase

When defined, the check will ensure template template parameter names conform to the selected casing.

TemplateTemplateParameterPrefix

When defined, the check will ensure template template parameter names will add the prefixed with the given value (regardless of casing).

TemplateTemplateParameterIgnoredRegexp

Identifier naming checks won't be enforced for template template parameter names matching this regular expression.

TemplateTemplateParameterSuffix

When defined, the check will ensure template template parameter names will add the suffix with the given value (regardless of casing).

For example using values of:

  • TemplateTemplateParameterCase of lower_case
  • TemplateTemplateParameterPrefix of pre_
  • TemplateTemplateParameterSuffix of _post

Identifies and/or transforms template template parameter names as follows:

Before:

template <template <typename> class TPL_parameter, int COUNT_params,
          typename... TYPE_parameters>

After:

template <template <typename> class pre_tpl_parameter_post, int COUNT_params,
          typename... TYPE_parameters>
TypeAliasCase

When defined, the check will ensure type alias names conform to the selected casing.

TypeAliasPrefix

When defined, the check will ensure type alias names will add the prefixed with the given value (regardless of casing).

TypeAliasIgnoredRegexp

Identifier naming checks won't be enforced for type alias names matching this regular expression.

TypeAliasSuffix

When defined, the check will ensure type alias names will add the suffix with the given value (regardless of casing).

For example using values of:

  • TypeAliasCase of lower_case
  • TypeAliasPrefix of pre_
  • TypeAliasSuffix of _post

Identifies and/or transforms type alias names as follows:

Before:

using MY_STRUCT_TYPE = my_structure;

After:

using pre_my_struct_type_post = my_structure;
TypedefCase

When defined, the check will ensure typedef names conform to the selected casing.

TypedefPrefix

When defined, the check will ensure typedef names will add the prefixed with the given value (regardless of casing).

TypedefIgnoredRegexp

Identifier naming checks won't be enforced for typedef names matching this regular expression.

TypedefSuffix

When defined, the check will ensure typedef names will add the suffix with the given value (regardless of casing).

For example using values of:

  • TypedefCase of lower_case
  • TypedefPrefix of pre_
  • TypedefSuffix of _post

Identifies and/or transforms typedef names as follows:

Before:

typedef int MYINT;

After:

typedef int pre_myint_post;
TypeTemplateParameterCase

When defined, the check will ensure type template parameter names conform to the selected casing.

TypeTemplateParameterPrefix

When defined, the check will ensure type template parameter names will add the prefixed with the given value (regardless of casing).

TypeTemplateParameterIgnoredRegexp

Identifier naming checks won't be enforced for type template names matching this regular expression.

TypeTemplateParameterSuffix

When defined, the check will ensure type template parameter names will add the suffix with the given value (regardless of casing).

For example using values of:

  • TypeTemplateParameterCase of lower_case
  • TypeTemplateParameterPrefix of pre_
  • TypeTemplateParameterSuffix of _post

Identifies and/or transforms type template parameter names as follows:

Before:

template <template <typename> class TPL_parameter, int COUNT_params,
          typename... TYPE_parameters>

After:

template <template <typename> class TPL_parameter, int COUNT_params,
          typename... pre_type_parameters_post>
UnionCase

When defined, the check will ensure union names conform to the selected casing.

UnionPrefix

When defined, the check will ensure union names will add the prefixed with the given value (regardless of casing).

UnionIgnoredRegexp

Identifier naming checks won't be enforced for union names matching this regular expression.

UnionSuffix

When defined, the check will ensure union names will add the suffix with the given value (regardless of casing).

For example using values of:

  • UnionCase of lower_case
  • UnionPrefix of pre_
  • UnionSuffix of _post

Identifies and/or transforms union names as follows:

Before:

union FOO {
  int a;
  char b;
};

After:

union pre_foo_post {
  int a;
  char b;
};
ValueTemplateParameterCase

When defined, the check will ensure value template parameter names conform to the selected casing.

ValueTemplateParameterPrefix

When defined, the check will ensure value template parameter names will add the prefixed with the given value (regardless of casing).

ValueTemplateParameterIgnoredRegexp

Identifier naming checks won't be enforced for value template parameter names matching this regular expression.

ValueTemplateParameterSuffix

When defined, the check will ensure value template parameter names will add the suffix with the given value (regardless of casing).

For example using values of:

  • ValueTemplateParameterCase of lower_case
  • ValueTemplateParameterPrefix of pre_
  • ValueTemplateParameterSuffix of _post

Identifies and/or transforms value template parameter names as follows:

Before:

template <template <typename> class TPL_parameter, int COUNT_params,
          typename... TYPE_parameters>

After:

template <template <typename> class TPL_parameter, int pre_count_params_post,
          typename... TYPE_parameters>
VariableCase

When defined, the check will ensure variable names conform to the selected casing.

VariablePrefix

When defined, the check will ensure variable names will add the prefixed with the given value (regardless of casing).

VariableIgnoredRegexp

Identifier naming checks won't be enforced for variable names matching this regular expression.

VariableSuffix

When defined, the check will ensure variable names will add the suffix with the given value (regardless of casing).

VariableHungarianPrefix

When enabled, the check ensures that the declared identifier will have a Hungarian notation prefix based on the declared type.

For example using values of:

  • VariableCase of lower_case
  • VariablePrefix of pre_
  • VariableSuffix of _post
  • VariableHungarianPrefix of On

Identifies and/or transforms variable names as follows:

Before:

unsigned MyVariable;

After:

unsigned pre_myvariable_post;
VirtualMethodCase

When defined, the check will ensure virtual method names conform to the selected casing.

VirtualMethodPrefix

When defined, the check will ensure virtual method names will add the prefixed with the given value (regardless of casing).

VirtualMethodIgnoredRegexp

Identifier naming checks won't be enforced for virtual method names matching this regular expression.

VirtualMethodSuffix

When defined, the check will ensure virtual method names will add the suffix with the given value (regardless of casing).

For example using values of:

  • VirtualMethodCase of lower_case
  • VirtualMethodPrefix of pre_
  • VirtualMethodSuffix of _post

Identifies and/or transforms virtual method names as follows:

Before:

class Foo {
public:
  virtual int MemberFunction();
}

After:

class Foo {
public:
  virtual int pre_member_function_post();
}

The default mapping table of Hungarian Notation

In Hungarian notation, a variable name starts with a group of lower-case letters which are mnemonics for the type or purpose of that variable, followed by whatever name the programmer has chosen; this last part is sometimes distinguished as the given name. The first character of the given name can be capitalized to separate it from the type indicators (see also CamelCase). Otherwise the case of this character denotes scope.

The following table is the default mapping table of Hungarian Notation which maps Decl to its prefix string. You can also have your own style in config file.

Primitive TypeMicrosoft Type
TypePrefixTypePrefixTypePrefix
int8_ti8signed intsiBOOLb
int16_ti16signed shortssBOOLEANb
int32_ti32signed short intssiBYTEby
int64_ti64signed long long intslliCHARc
uint8_tu8signed long longsllUCHARuc
uint16_tu16signed long intsliSHORTs
uint32_tu32signed longslUSHORTus
uint64_tu64signedsWORDw
char8_tc8unsigned long long intulliDWORDdw
char16_tc16unsigned long longullDWORD32dw32
char32_tc32unsigned long intuliDWORD64dw64
floatfunsigned longulLONGl
doubledunsigned short intusiULONGul
charcunsigned shortusULONG32ul32
boolbunsigned intuiULONG64ul64
_Boolbunsigned charucULONGLONGull
intiunsigneduHANDLEh
size_tnlong long intlliINTi
shortslong doubleldINT8i8
signedilong longllINT16i16
unsignedulong intliINT32i32
longllonglINT64i64
long longllptrdiff_tpUINTui
unsigned longulvoidnoneUINT8u8
long doubleldUINT16u16
ptrdiff_tpUINT32u32
wchar_twcUINT64u64
short intsiPVOIDp
shorts

There are more trivial options for Hungarian Notation:

HungarianNotation.General.*

Options are not belonging to any specific Decl.

HungarianNotation.CString.*

Options for NULL-terminated string.

HungarianNotation.DerivedType.*

Options for derived types.

HungarianNotation.PrimitiveType.*

Options for primitive types.

HungarianNotation.UserDefinedType.*

Options for user-defined types.

Options for Hungarian Notation

  • HungarianNotation.General.TreatStructAsClass
  • HungarianNotation.DerivedType.Array
  • HungarianNotation.DerivedType.Pointer
  • HungarianNotation.DerivedType.FunctionPointer
  • HungarianNotation.CString.CharPointer
  • HungarianNotation.CString.CharArray
  • HungarianNotation.CString.WideCharPointer
  • HungarianNotation.CString.WideCharArray
  • HungarianNotation.PrimitiveType.*
  • HungarianNotation.UserDefinedType.*
HungarianNotation.General.TreatStructAsClass

When defined, the check will treat naming of struct as a class. The default value is false.

HungarianNotation.DerivedType.Array

When defined, the check will ensure variable name will add the prefix with the given string. The default prefix is a.

HungarianNotation.DerivedType.Pointer

When defined, the check will ensure variable name will add the prefix with the given string. The default prefix is p.

HungarianNotation.DerivedType.FunctionPointer

When defined, the check will ensure variable name will add the prefix with the given string. The default prefix is fn.

Before:

// Array
int DataArray[2] = {0};

// Pointer
void *DataBuffer = NULL;

// FunctionPointer
typedef void (*FUNC_PTR)();
FUNC_PTR FuncPtr = NULL;

After:

// Array
int aDataArray[2] = {0};

// Pointer
void *pDataBuffer = NULL;

// FunctionPointer
typedef void (*FUNC_PTR)();
FUNC_PTR fnFuncPtr = NULL;
HungarianNotation.CString.CharPointer

When defined, the check will ensure variable name will add the prefix with the given string. The default prefix is sz.

HungarianNotation.CString.CharArray

When defined, the check will ensure variable name will add the prefix with the given string. The default prefix is sz.

HungarianNotation.CString.WideCharPointer

When defined, the check will ensure variable name will add the prefix with the given string. The default prefix is wsz.

HungarianNotation.CString.WideCharArray

When defined, the check will ensure variable name will add the prefix with the given string. The default prefix is wsz.

Before:

// CharPointer
const char *NamePtr = "Name";

// CharArray
const char NameArray[] = "Name";

// WideCharPointer
const wchar_t *WideNamePtr = L"Name";

// WideCharArray
const wchar_t WideNameArray[] = L"Name";

After:

// CharPointer
const char *szNamePtr = "Name";

// CharArray
const char szNameArray[] = "Name";

// WideCharPointer
const wchar_t *wszWideNamePtr = L"Name";

// WideCharArray
const wchar_t wszWideNameArray[] = L"Name";
HungarianNotation.PrimitiveType.*

When defined, the check will ensure variable name of involved primitive types will add the prefix with the given string. The default prefixes are defined in the default mapping table.

HungarianNotation.UserDefinedType.*

When defined, the check will ensure variable name of involved primitive types will add the prefix with the given string. The default prefixes are defined in the default mapping table.

Before:

int8_t   ValueI8      = 0;
int16_t  ValueI16     = 0;
int32_t  ValueI32     = 0;
int64_t  ValueI64     = 0;
uint8_t  ValueU8      = 0;
uint16_t ValueU16     = 0;
uint32_t ValueU32     = 0;
uint64_t ValueU64     = 0;
float    ValueFloat   = 0.0;
double   ValueDouble  = 0.0;
ULONG    ValueUlong   = 0;
DWORD    ValueDword   = 0;

After:

int8_t   i8ValueI8    = 0;
int16_t  i16ValueI16  = 0;
int32_t  i32ValueI32  = 0;
int64_t  i64ValueI64  = 0;
uint8_t  u8ValueU8    = 0;
uint16_t u16ValueU16  = 0;
uint32_t u32ValueU32  = 0;
uint64_t u64ValueU64  = 0;
float    fValueFloat  = 0.0;
double   dValueDouble = 0.0;
ULONG    ulValueUlong = 0;
DWORD    dwValueDword = 0;

readability-implicit-bool-cast

This check has been renamed to readability-implicit-bool-conversion.

readability-implicit-bool-conversion

This check can be used to find implicit conversions between built-in types and booleans. Depending on use case, it may simply help with readability of the code, or in some cases, point to potential bugs which remain unnoticed due to implicit conversions.

The following is a real-world example of bug which was hiding behind implicit bool conversion:

class Foo {
  int m_foo;

public:
  void setFoo(bool foo) { m_foo = foo; } // warning: implicit conversion bool -> int
  int getFoo() { return m_foo; }
};

void use(Foo& foo) {
  bool value = foo.getFoo(); // warning: implicit conversion int -> bool
}

This code is the result of unsuccessful refactoring, where type of m_foo changed from bool to int. The programmer forgot to change all occurrences of bool, and the remaining code is no longer correct, yet it still compiles without any visible warnings.

In addition to issuing warnings, fix-it hints are provided to help solve the reported issues. This can be used for improving readability of code, for example:

void conversionsToBool() {
  float floating;
  bool boolean = floating;
  // ^ propose replacement: bool boolean = floating != 0.0f;

  int integer;
  if (integer) {}
  // ^ propose replacement: if (integer != 0) {}

  int* pointer;
  if (!pointer) {}
  // ^ propose replacement: if (pointer == nullptr) {}

  while (1) {}
  // ^ propose replacement: while (true) {}
}

void functionTakingInt(int param);

void conversionsFromBool() {
  bool boolean;
  functionTakingInt(boolean);
  // ^ propose replacement: functionTakingInt(static_cast<int>(boolean));

  functionTakingInt(true);
  // ^ propose replacement: functionTakingInt(1);
}

In general, the following conversion types are checked:

  • integer expression/literal to boolean (conversion from a single bit bitfield to boolean is explicitly allowed, since there's no ambiguity / information loss in this case),
  • floating expression/literal to boolean,
  • pointer/pointer to member/nullptr/NULL to boolean,
  • boolean expression/literal to integer (conversion from boolean to a single bit bitfield is explicitly allowed),
  • boolean expression/literal to floating.

The rules for generating fix-it hints are:

  • in case of conversions from other built-in type to bool, an explicit comparison is proposed to make it clear what exactly is being compared:

    • bool boolean = floating; is changed to bool boolean = floating == 0.0f;,
    • for other types, appropriate literals are used (0, 0u, 0.0f, 0.0, nullptr),
  • in case of negated expressions conversion to bool, the proposed replacement with comparison is simplified:

    • if (!pointer) is changed to if (pointer == nullptr),
  • in case of conversions from bool to other built-in types, an explicit static_cast (or a C-style cast since C23) is proposed to make it clear that a conversion is taking place:

    • int integer = boolean; is changed to int integer = static_cast<int>(boolean);,
  • if the conversion is performed on type literals, an equivalent literal is proposed, according to what type is actually expected, for example:

    • functionTakingBool(0); is changed to functionTakingBool(false);,
    • functionTakingInt(true); is changed to functionTakingInt(1);,
    • for other types, appropriate literals are used (false, true, 0, 1, 0u, 1u, 0.0f, 1.0f, 0.0, 1.0f).

Some additional accommodations are made for pre-C++11 dialects:

  • false literal conversion to pointer is detected,
  • instead of nullptr literal, 0 is proposed as replacement.

Occurrences of implicit conversions inside macros and template instantiations are deliberately ignored, as it is not clear how to deal with such cases.

Options

AllowIntegerConditions

When true, the check will allow conditional integer conversions. Default is false.

AllowPointerConditions

When true, the check will allow conditional pointer conversions. Default is false.

readability-inconsistent-declaration-parameter-name

Find function declarations which differ in parameter names.

Example:

// in foo.hpp:
void foo(int a, int b, int c);

// in foo.cpp:
void foo(int d, int e, int f); // warning

This check should help to enforce consistency in large projects, where it often happens that a definition of function is refactored, changing the parameter names, but its declaration in header file is not updated. With this check, we can easily find and correct such inconsistencies, keeping declaration and definition always in sync.

Unnamed parameters are allowed and are not taken into account when comparing function declarations, for example:

void foo(int a);
void foo(int); // no warning

One name is also allowed to be a case-insensitive prefix/suffix of the other:

void foo(int count);
void foo(int count_input) { // no warning
  int count = adjustCount(count_input);
}

To help with refactoring, in some cases fix-it hints are generated to align parameter names to a single naming convention. This works with the assumption that the function definition is the most up-to-date version, as it directly references parameter names in its body. Example:

void foo(int a); // warning and fix-it hint (replace "a" to "b")
int foo(int b) { return b + 2; } // definition with use of "b"

In the case of multiple redeclarations or function template specializations, a warning is issued for every redeclaration or specialization inconsistent with the definition or the first declaration seen in a translation unit.

IgnoreMacros

If this option is set to true (default is true), the check will not warn about names declared inside macros.

Strict

If this option is set to true (default is false), then names must match exactly (or be absent).

readability-isolate-declaration

Detects local variable declarations declaring more than one variable and tries to refactor the code to one statement per declaration.

The automatic code-transformation will use the same indentation as the original for every created statement and add a line break after each statement. It keeps the order of the variable declarations consistent, too.

void f() {
  int * pointer = nullptr, value = 42, * const const_ptr = &value;
  // This declaration will be diagnosed and transformed into:
  // int * pointer = nullptr;
  // int value = 42;
  // int * const const_ptr = &value;
}

The check excludes places where it is necessary or common to declare multiple variables in one statement and there is no other way supported in the language. Please note that structured bindings are not considered.

// It is not possible to transform this declaration and doing the declaration
// before the loop will increase the scope of the variable 'Begin' and 'End'
// which is undesirable.
for (int Begin = 0, End = 100; Begin < End; ++Begin);
if (int Begin = 42, Result = some_function(Begin); Begin == Result);

// It is not possible to transform this declaration because the result is
// not functionality preserving as 'j' and 'k' would not be part of the
// 'if' statement anymore.
if (SomeCondition())
  int i = 42, j = 43, k = function(i,j);

Limitations

Global variables and member variables are excluded.

The check currently does not support the automatic transformation of member-pointer-types.

struct S {
  int a;
  const int b;
  void f() {}
};

void f() {
  // Only a diagnostic message is emitted
  int S::*p = &S::a, S::*const q = &S::a;
}

Furthermore, the transformation is very cautious when it detects various kinds of macros or preprocessor directives in the range of the statement. In this case the transformation will not happen to avoid unexpected side-effects due to macros.

#define NULL 0
#define MY_NICE_TYPE int **
#define VAR_NAME(name) name##__LINE__
#define A_BUNCH_OF_VARIABLES int m1 = 42, m2 = 43, m3 = 44;

void macros() {
  int *p1 = NULL, *p2 = NULL;
  // Will be transformed to
  // int *p1 = NULL;
  // int *p2 = NULL;

  MY_NICE_TYPE p3, v1, v2;
  // Won't be transformed, but a diagnostic is emitted.

  int VAR_NAME(v3),
      VAR_NAME(v4),
      VAR_NAME(v5);
  // Won't be transformed, but a diagnostic is emitted.

  A_BUNCH_OF_VARIABLES
  // Won't be transformed, but a diagnostic is emitted.

  int Unconditional,
#if CONFIGURATION
      IfConfigured = 42,
#else
      IfConfigured = 0;
#endif
  // Won't be transformed, but a diagnostic is emitted.
}

readability-magic-numbers

Detects magic numbers, integer or floating point literals that are embedded in code and not introduced via constants or symbols.

Many coding guidelines advise replacing the magic values with symbolic constants to improve readability. Here are a few references:

Examples of magic values:

template<typename T, size_t N>
struct CustomType {
   T arr[N];
};

struct OtherType {
   CustomType<int, 30> container;
}
CustomType<int, 30> values;

double circleArea = 3.1415926535 * radius * radius;

double totalCharge = 1.08 * itemPrice;

int getAnswer() {
   return -3; // FILENOTFOUND
}

for (int mm = 1; mm <= 12; ++mm) {
   std::cout << month[mm] << '\n';
}

Example with magic values refactored:

template<typename T, size_t N>
struct CustomType {
   T arr[N];
};

const size_t NUMBER_OF_ELEMENTS = 30;
using containerType = CustomType<int, NUMBER_OF_ELEMENTS>;

struct OtherType {
   containerType container;
}
containerType values;

double circleArea = M_PI * radius * radius;

const double TAX_RATE = 0.08;  // or make it variable and read from a file

double totalCharge = (1.0 + TAX_RATE) * itemPrice;

int getAnswer() {
   return E_FILE_NOT_FOUND;
}

for (int mm = 1; mm <= MONTHS_IN_A_YEAR; ++mm) {
   std::cout << month[mm] << '\n';
}

For integral literals by default only 0 and 1 (and -1) integer values are accepted without a warning. This can be overridden with the IgnoredIntegerValues option. Negative values are accepted if their absolute value is present in the IgnoredIntegerValues list.

As a special case for integral values, all powers of two can be accepted without warning by enabling the IgnorePowersOf2IntegerValues option.

For floating point literals by default the 0.0 floating point value is accepted without a warning. The set of ignored floating point literals can be configured using the IgnoredFloatingPointValues option. For each value in that set, the given string value is converted to a floating-point value representation used by the target architecture. If a floating-point literal value compares equal to one of the converted values, then that literal is not diagnosed by this check. Because floating-point equality is used to determine whether to diagnose or not, the user needs to be aware of the details of floating-point representations for any values that cannot be precisely represented for their target architecture.

For each value in the IgnoredFloatingPointValues set, both the single-precision form and double-precision form are accepted (for example, if 3.14 is in the set, neither 3.14f nor 3.14 will produce a warning).

Scientific notation is supported for both source code input and option. Alternatively, the check for the floating point numbers can be disabled for all floating point values by enabling the IgnoreAllFloatingPointValues option.

Since values 0 and 0.0 are so common as the base counter of loops, or initialization values for sums, they are always accepted without warning, even if not present in the respective ignored values list.

Options

IgnoredIntegerValues

Semicolon-separated list of magic positive integers that will be accepted without a warning. Default values are {1, 2, 3, 4}, and 0 is accepted unconditionally.

IgnorePowersOf2IntegerValues

Boolean value indicating whether to accept all powers-of-two integer values without warning. Default value is false.

IgnoredFloatingPointValues

Semicolon-separated list of magic positive floating point values that will be accepted without a warning. Default values are {1.0, 100.0} and 0.0 is accepted unconditionally.

IgnoreAllFloatingPointValues

Boolean value indicating whether to accept all floating point values without warning. Default value is false.

IgnoreBitFieldsWidths

Boolean value indicating whether to accept magic numbers as bit field widths without warning. This is useful for example for register definitions which are generated from hardware specifications. Default value is true.

IgnoreTypeAliases

Boolean value indicating whether to accept magic numbers in typedef or using declarations. Default value is false.

IgnoreUserDefinedLiterals

Boolean value indicating whether to accept magic numbers in user-defined literals. Default value is false.

readability-make-member-function-const

Finds non-static member functions that can be made const because the functions don't use this in a non-const way.

This check tries to annotate methods according to logical constness (not physical constness). Therefore, it will suggest to add a const qualifier to a non-const method only if this method does something that is already possible though the public interface on a const pointer to the object:

  • reading a public member variable
  • calling a public const-qualified member function
  • returning const-qualified this
  • passing const-qualified this as a parameter.

This check will also suggest to add a const qualifier to a non-const method if this method uses private data and functions in a limited number of ways where logical constness and physical constness coincide:

  • reading a member variable of builtin type

Specifically, this check will not suggest to add a const to a non-const method if the method reads a private member variable of pointer type because that allows to modify the pointee which might not preserve logical constness. For the same reason, it does not allow to call private member functions or member functions on private member variables.

In addition, this check ignores functions that

  • are declared virtual
  • contain a const_cast
  • are templated or part of a class template
  • have an empty body
  • do not (implicitly) use this at all (see readability-convert-member-functions-to-static).

The following real-world examples will be preserved by the check:

class E1 {
  Pimpl &getPimpl() const;
public:
  int &get() {
    // Calling a private member function disables this check.
    return getPimpl()->i;
  }
  ...
};

class E2 {
public:
  const int *get() const;
  // const_cast disables this check.
  S *get() {
    return const_cast<int*>(const_cast<const C*>(this)->get());
  }
  ...
};

After applying modifications as suggested by the check, running the check again might find more opportunities to mark member functions const.

readability-math-missing-parentheses

Check for missing parentheses in mathematical expressions that involve operators of different priorities.

Parentheses in mathematical expressions clarify the order of operations, especially with different-priority operators. Lengthy or multiline expressions can obscure this order, leading to coding errors. IDEs can aid clarity by highlighting parentheses. Explicitly using parentheses also clarifies what the developer had in mind when writing the expression. Ensuring their presence reduces ambiguity and errors, promoting clearer and more maintainable code.

Before:

int x = 1 + 2 * 3 - 4 / 5;

After:

int x = 1 + (2 * 3) - (4 / 5);

readability-misleading-indentation

Correct indentation helps to understand code. Mismatch of the syntactical structure and the indentation of the code may hide serious problems. Missing braces can also make it significantly harder to read the code, therefore it is important to use braces.

The way to avoid dangling else is to always check that an else belongs to the if that begins in the same column.

You can omit braces when your inner part of e.g. an if statement has only one statement in it. Although in that case you should begin the next statement in the same column with the if.

Examples:

// Dangling else:
if (cond1)
  if (cond2)
    foo1();
else
  foo2();  // Wrong indentation: else belongs to if(cond2) statement.

// Missing braces:
if (cond1)
  foo1();
  foo2();  // Not guarded by if(cond1).

Limitations

Note that this check only works as expected when the tabs or spaces are used consistently and not mixed.

readability-misplaced-array-index

This check warns for unusual array index syntax.

The following code has unusual array index syntax:

void f(int *X, int Y) {
  Y[X] = 0;
}

becomes

void f(int *X, int Y) {
  X[Y] = 0;
}
The check warns about such unusual syntax for readability reasons:
  • There are programmers that are not familiar with this unusual syntax.
  • It is possible that variables are mixed up.

readability-named-parameter

Find functions with unnamed arguments.

The check implements the following rule originating in the Google C++ Style Guide:

https://google.github.io/styleguide/cppguide.html#Function_Declarations_and_Definitions

All parameters should have the same name in both the function declaration and definition. If a parameter is not utilized, its name can be commented out in a function definition.

int doingSomething(int a, int b, int c);

int doingSomething(int a, int b, int /*c*/) {
    // Ok: the third param is not used
    return a + b;
}

Corresponding cpplint.py check name: readability/function.

readability-non-const-parameter

The check finds function parameters of a pointer type that could be changed to point to a constant type instead.

When const is used properly, many mistakes can be avoided. Advantages when using const properly:

  • prevent unintentional modification of data;
  • get additional warnings such as using uninitialized data;
  • make it easier for developers to see possible side effects.

This check is not strict about constness, it only warns when the constness will make the function interface safer.

// warning here; the declaration "const char *p" would make the function
// interface safer.
char f1(char *p) {
  return *p;
}

// no warning; the declaration could be more const "const int * const p" but
// that does not make the function interface safer.
int f2(const int *p) {
  return *p;
}

// no warning; making x const does not make the function interface safer
int f3(int x) {
  return x;
}

// no warning; Technically, *p can be const ("const struct S *p"). But making
// *p const could be misleading. People might think that it's safe to pass
// const data to this function.
struct S { int *a; int *b; };
int f3(struct S *p) {
  *(p->a) = 0;
}

// no warning; p is referenced by an lvalue.
void f4(int *p) {
  int &x = *p;
}

readability-operators-representation

Enforces consistent token representation for invoked binary, unary and overloaded operators in C++ code. The check supports both traditional and alternative representations of operators, such as && and and, || and or, and so on.

In the realm of C++ programming, developers have the option to choose between two distinct representations for operators: traditional token representation and alternative token representation. Traditional tokens utilize symbols, such as &&, ||, and !, while alternative tokens employ more descriptive words like and, or, and not.

In the following mapping table, a comprehensive list of traditional and alternative tokens, along with their corresponding representations, is presented:

Token Representation Mapping Table

TraditionalAlternative
&&and
&=and_eq
&bitand
|bitor
~compl
!not
!=not_eq
||or
|=or_eq
^xor
^=xor_eq

Example

// Traditional Token Representation:

if (!a||!b)
{
    // do something
}

// Alternative Token Representation:

if (not a or not b)
{
    // do something
}

Options

Due to the distinct benefits and drawbacks of each representation, the default configuration doesn't enforce either. Explicit configuration is needed.

To configure check to enforce Traditional Token Representation for all operators set options to &&;&=;&;|;~;!;!=;||;|=;^;^=.

To configure check to enforce Alternative Token Representation for all operators set options to and;and_eq;bitand;bitor;compl;not;not_eq;or;or_eq;xor;xor_eq.

Developers do not need to enforce all operators, and can mix the representations as desired by specifying a semicolon-separated list of both traditional and alternative tokens in the configuration, such as and;||;not.

BinaryOperators

This option allows you to specify a semicolon-separated list of binary operators for which you want to enforce specific token representation. The default value is empty string.

OverloadedOperators

This option allows you to specify a semicolon-separated list of overloaded operators for which you want to enforce specific token representation. The default value is empty string.

readability-qualified-auto

Adds pointer qualifications to auto-typed variables that are deduced to pointers.

LLVM Coding Standards advises to make it obvious if a auto typed variable is a pointer. This check will transform auto to auto * when the type is deduced to be a pointer.

for (auto Data : MutatablePtrContainer) {
  change(*Data);
}
for (auto Data : ConstantPtrContainer) {
  observe(*Data);
}

Would be transformed into:

for (auto *Data : MutatablePtrContainer) {
  change(*Data);
}
for (const auto *Data : ConstantPtrContainer) {
  observe(*Data);
}

Note const volatile qualified types will retain their const and volatile qualifiers. Pointers to pointers will not be fully qualified.

const auto Foo = cast<int *>(Baz1);
const auto Bar = cast<const int *>(Baz2);
volatile auto FooBar = cast<int *>(Baz3);
auto BarFoo = cast<int **>(Baz4);

Would be transformed into:

auto *const Foo = cast<int *>(Baz1);
const auto *const Bar = cast<const int *>(Baz2);
auto *volatile FooBar = cast<int *>(Baz3);
auto *BarFoo = cast<int **>(Baz4);

Options

AddConstToQualified

When set to true the check will add const qualifiers variables defined as auto * or auto & when applicable. Default value is true.

auto Foo1 = cast<const int *>(Bar1);
auto *Foo2 = cast<const int *>(Bar2);
auto &Foo3 = cast<const int &>(Bar3);

If AddConstToQualified is set to false, it will be transformed into:

const auto *Foo1 = cast<const int *>(Bar1);
auto *Foo2 = cast<const int *>(Bar2);
auto &Foo3 = cast<const int &>(Bar3);

Otherwise it will be transformed into:

const auto *Foo1 = cast<const int *>(Bar1);
const auto *Foo2 = cast<const int *>(Bar2);
const auto &Foo3 = cast<const int &>(Bar3);

Note in the LLVM alias, the default value is false.

readability-redundant-access-specifiers

Finds classes, structs, and unions containing redundant member (field and method) access specifiers.

Example

class Foo {
public:
  int x;
  int y;
public:
  int z;
protected:
  int a;
public:
  int c;
}

In the example above, the second public declaration can be removed without any changes of behavior.

Options

CheckFirstDeclaration

If set to true, the check will also diagnose if the first access specifier declaration is redundant (e.g. private inside class, or public inside struct or union). Default is false.

Example

struct Bar {
public:
  int x;
}

If CheckFirstDeclaration option is enabled, a warning about redundant access specifier will be emitted, because public is the default member access for structs.

readability-redundant-casting

Detects explicit type casting operations that involve the same source and destination types, and subsequently recommend their removal. Covers a range of explicit casting operations, including static_cast, const_cast, C-style casts, and reinterpret_cast. Its primary objective is to enhance code readability and maintainability by eliminating unnecessary type casting.

int value = 42;
int result = static_cast<int>(value);

In this example, the static_cast<int>(value) is redundant, as it performs a cast from an int to another int.

Casting operations involving constructor conversions, user-defined conversions, functional casts, type-dependent casts, casts between distinct type aliases that refer to the same underlying type, as well as bitfield-related casts and casts directly from lvalue to rvalue, are all disregarded by the check.

Options

IgnoreMacros

If set to true, the check will not give warnings inside macros. Default is true.

IgnoreTypeAliases

When set to false, the check will consider type aliases, and when set to true, it will resolve all type aliases and operate on the underlying types. Default is false.

readability-redundant-control-flow

This check looks for procedures (functions returning no value) with return statements at the end of the function. Such return statements are redundant.

Loop statements (for, while, do while) are checked for redundant continue statements at the end of the loop body.

Examples:

The following function f contains a redundant return statement:

extern void g();
void f() {
  g();
  return;
}

becomes

extern void g();
void f() {
  g();
}

The following function k contains a redundant continue statement:

void k() {
  for (int i = 0; i < 10; ++i) {
    continue;
  }
}

becomes

void k() {
  for (int i = 0; i < 10; ++i) {
  }
}

readability-redundant-declaration

Finds redundant variable and function declarations.

extern int X;
extern int X;

becomes

extern int X;

Such redundant declarations can be removed without changing program behavior. They can for instance be unintentional left overs from previous refactorings when code has been moved around. Having redundant declarations could in worst case mean that there are typos in the code that cause bugs.

Normally the code can be automatically fixed, clang-tidy can remove the second declaration. However there are 2 cases when you need to fix the code manually:

  • When the declarations are in different header files;
  • When multiple variables are declared together.

Options

IgnoreMacros

If set to true, the check will not give warnings inside macros. Default is true.

readability-redundant-function-ptr-dereference

Finds redundant dereferences of a function pointer.

Before:

int f(int,int);
int (*p)(int, int) = &f;

int i = (**p)(10, 50);

After:

int f(int,int);
int (*p)(int, int) = &f;

int i = (*p)(10, 50);

readability-redundant-inline-specifier

Detects redundant inline specifiers on function and variable declarations.

Examples:

constexpr inline void f() {}

In the example above the keyword inline is redundant since constexpr functions are implicitly inlined

class MyClass {
    inline void myMethod() {}
};

In the example above the keyword inline is redundant since member functions defined entirely inside a class/struct/union definition are implicitly inlined.

Options

StrictMode

If set to true, the check will also flag functions and variables that already have internal linkage as redundant.

readability-redundant-member-init

Finds member initializations that are unnecessary because the same default constructor would be called if they were not present.

Example

// Explicitly initializing the member s and v is unnecessary.
class Foo {
public:
  Foo() : s() {}

private:
  std::string s;
  std::vector<int> v {};
};

Options

IgnoreBaseInCopyConstructors

Default is false.

When true, the check will ignore unnecessary base class initializations within copy constructors, since some compilers issue warnings/errors when base classes are not explicitly initialized in copy constructors. For example, gcc with -Wextra or -Werror=extra issues warning or error base class 'Bar' should be explicitly initialized in the copy constructor if Bar() were removed in the following example:

// Explicitly initializing member s and base class Bar is unnecessary.
struct Foo : public Bar {
  // Remove s() below. If IgnoreBaseInCopyConstructors!=0, keep Bar().
  Foo(const Foo& foo) : Bar(), s() {}
  std::string s;
};

readability-redundant-preprocessor

Finds potentially redundant preprocessor directives. At the moment the following cases are detected:

  • #ifdef .. #endif pairs which are nested inside an outer pair with the same condition. For example:

    #ifdef FOO
    #ifdef FOO // inner ifdef is considered redundant
    void f();
    #endif
    #endif
  • Same for #ifndef .. #endif pairs. For example:

    #ifndef FOO
    #ifndef FOO // inner ifndef is considered redundant
    void f();
    #endif
    #endif
  • #ifndef inside an #ifdef with the same condition:

    #ifdef FOO
    #ifndef FOO // inner ifndef is considered redundant
    void f();
    #endif
    #endif
  • #ifdef inside an #ifndef with the same condition:

    #ifndef FOO
    #ifdef FOO // inner ifdef is considered redundant
    void f();
    #endif
    #endif
  • #if .. #endif pairs which are nested inside an outer pair with the same condition. For example:

    #define FOO 4
    #if FOO == 4
    #if FOO == 4 // inner if is considered redundant
    void f();
    #endif
    #endif

readability-redundant-smartptr-get

Find and remove redundant calls to smart pointer's .get() method.

Examples:

ptr.get()->Foo()  ==>  ptr->Foo()
*ptr.get()  ==>  *ptr
*ptr->get()  ==>  **ptr
if (ptr.get() == nullptr) ... => if (ptr == nullptr) ...
IgnoreMacros

If this option is set to true (default is true), the check will not warn about calls inside macros.

readability-redundant-string-cstr

Finds unnecessary calls to std::string::c_str() and std::string::data().

Options

StringParameterFunctions

A semicolon-separated list of (fully qualified) function/method/operator names, with the requirement that any parameter currently accepting a const char* input should also be able to accept std::string inputs, or proper overload candidates that can do so should exist. This can be used to configure functions such as fmt::format, spdlog::logger::info, or wrappers around these and similar functions. The default value is the empty string.

readability-redundant-string-init

Finds unnecessary string initializations.

Examples

// Initializing string with empty string literal is unnecessary.
std::string a = "";
std::string b("");

// becomes

std::string a;
std::string b;

// Initializing a string_view with an empty string literal produces an
// instance that compares equal to string_view().
std::string_view a = "";
std::string_view b("");

// becomes
std::string_view a;
std::string_view b;

Options

StringNames

Default is ::std::basic_string;::std::basic_string_view.

Semicolon-delimited list of class names to apply this check to. By default ::std::basic_string applies to std::string and std::wstring. Set to e.g. ::std::basic_string;llvm::StringRef;QString to perform this check on custom classes.

readability-reference-to-constructed-temporary

Detects C++ code where a reference variable is used to extend the lifetime of a temporary object that has just been constructed.

This construction is often the result of multiple code refactorings or a lack of developer knowledge, leading to confusion or subtle bugs. In most cases, what the developer really wanted to do is create a new variable rather than extending the lifetime of a temporary object.

Examples of problematic code include:

const std::string& str("hello");

struct Point { int x; int y; };
const Point& p = { 1, 2 };

In the first example, a const std::string& reference variable str is assigned a temporary object created by the std::string("hello") constructor. In the second example, a const Point& reference variable p is assigned an object that is constructed from an initializer list { 1, 2 }. Both of these examples extend the lifetime of the temporary object to the lifetime of the reference variable, which can make it difficult to reason about and may lead to subtle bugs or misunderstanding.

To avoid these issues, it is recommended to change the reference variable to a (const) value variable.

readability-simplify-boolean-expr

Looks for boolean expressions involving boolean constants and simplifies them to use the appropriate boolean expression directly. Ā Simplifies boolean expressions by application of DeMorgan's Theorem.

Examples:

Initial expressionResult
if (b == true)if (b)
if (b == false)if (!b)
if (b && true)if (b)
if (b && false)if (false)
if (b || true)if (true)
if (b || false)if (b)
e ? true : falsee
e ? false : true!e
if (true) t(); else f();t();
if (false) t(); else f();f();
if (e) return true; else return false;return e;
if (e) return false; else return true;return !e;
if (e) b = true; else b = false;b = e;
if (e) b = false; else b = true;b = !e;
if (e) return true; return false;return e;
if (e) return false; return true;return !e;
!(!a || b)a && !b
!(a || !b)!a && b
!(!a || !b)a && b
!(!a && b)a || !b
!(a && !b)!a || b
!(!a && !b)a || b
The resulting expression e is modified as follows:
  1. Unnecessary parentheses around the expression are removed.
  2. Negated applications of ! are eliminated.
  3. Negated applications of comparison operators are changed to use the opposite condition.
  4. Implicit conversions of pointers, including pointers to members, to bool are replaced with explicit comparisons to nullptr in C++11 or NULL in C++98/03.
  5. Implicit casts to bool are replaced with explicit casts to bool.
  6. Object expressions with explicit operator bool conversion operators are replaced with explicit casts to bool.
  7. Implicit conversions of integral types to bool are replaced with explicit comparisons to 0.
Examples:
  1. The ternary assignment bool b = (i < 0) ? true : false; has redundant parentheses and becomes bool b = i < 0;.
  2. The conditional return if (!b) return false; return true; has an implied double negation and becomes return b;.
  3. The conditional return if (i < 0) return false; return true; becomes return i >= 0;.

    The conditional return if (i != 0) return false; return true; becomes return i == 0;.

  4. The conditional return if (p) return true; return false; has an implicit conversion of a pointer to bool and becomes return p != nullptr;.

    The ternary assignment bool b = (i & 1) ? true : false; has an implicit conversion of i & 1 to bool and becomes bool b = (i & 1) != 0;.

  5. The conditional return if (i & 1) return true; else return false; has an implicit conversion of an integer quantity i & 1 to bool and becomes return (i & 1) != 0;
  6. Given struct X { explicit operator bool(); };, and an instance x of struct X, the conditional return if (x) return true; return false; becomes return static_cast<bool>(x);

Options

IgnoreMacros

If true, ignore boolean expressions originating from expanded macros. Default is false.

ChainedConditionalReturn

If true, conditional boolean return statements at the end of an if/else if chain will be transformed. Default is false.

ChainedConditionalAssignment

If true, conditional boolean assignments at the end of an if/else if chain will be transformed. Default is false.

SimplifyDeMorgan

If true, DeMorgan's Theorem will be applied to simplify negated conjunctions and disjunctions. Ā Default is true.

SimplifyDeMorganRelaxed

If true, SimplifyDeMorgan will also transform negated conjunctions and disjunctions where there is no negation on either operand. This option has no effect if SimplifyDeMorgan is false. Default is false.

When Enabled:

bool X = !(A && B)
bool Y = !(A || B)

Would be transformed to:

bool X = !A || !B
bool Y = !A && !B

readability-simplify-subscript-expr

This check simplifies subscript expressions. Currently this covers calling .data() and immediately doing an array subscript operation to obtain a single element, in which case simply calling operator[] suffice.

Examples:

std::string s = ...;
char c = s.data()[i];  // char c = s[i];

Options

Types

The list of type(s) that triggers this check. Default is ::std::basic_string;::std::basic_string_view;::std::vector;::std::array;::std::span

readability-static-accessed-through-instance

Checks for member expressions that access static members through instances, and replaces them with uses of the appropriate qualified-id.

Example:

The following code:

struct C {
  static void foo();
  static int x;
  enum { E1 };
  enum E { E2 };
};

C *c1 = new C();
c1->foo();
c1->x;
c1->E1;
c1->E2;

is changed to:

C *c1 = new C();
C::foo();
C::x;
C::E1;
C::E2;

The --fix commandline option provides default support for safe fixes, whereas --fix-notes enables fixes that may replace expressions with side effects, potentially altering the program's behavior.

readability-static-definition-in-anonymous-namespace

Finds static function and variable definitions in anonymous namespace.

In this case, static is redundant, because anonymous namespace limits the visibility of definitions to a single translation unit.

namespace {
  static int a = 1; // Warning.
  static const int b = 1; // Warning.
  namespace inner {
    static int c = 1; // Warning.
  }
}

The check will apply a fix by removing the redundant static qualifier.

readability-string-compare

Finds string comparisons using the compare method.

A common mistake is to use the string's compare method instead of using the equality or inequality operators. The compare method is intended for sorting functions and thus returns a negative number, a positive number or zero depending on the lexicographical relationship between the strings compared. If an equality or inequality check can suffice, that is recommended. This is recommended to avoid the risk of incorrect interpretation of the return value and to simplify the code. The string equality and inequality operators can also be faster than the compare method due to early termination.

Example

// The same rules apply to std::string_view.
std::string str1{"a"};
std::string str2{"b"};

// use str1 != str2 instead.
if (str1.compare(str2)) {
}

// use str1 == str2 instead.
if (!str1.compare(str2)) {
}

// use str1 == str2 instead.
if (str1.compare(str2) == 0) {
}

// use str1 != str2 instead.
if (str1.compare(str2) != 0) {
}

// use str1 == str2 instead.
if (0 == str1.compare(str2)) {
}

// use str1 != str2 instead.
if (0 != str1.compare(str2)) {
}

// Use str1 == "foo" instead.
if (str1.compare("foo") == 0) {
}

The above code examples show the list of if-statements that this check will give a warning for. All of them use compare to check equality or inequality of two strings instead of using the correct operators.

Options

StringLikeClasses

A string containing semicolon-separated names of string-like classes. By default contains only ::std::basic_string and ::std::basic_string_view. If a class from this list has a compare method similar to that of std::string, it will be checked in the same way.

Example

struct CustomString {
public:
  int compare (const CustomString& other) const;
}

CustomString str1;
CustomString str2;

// use str1 != str2 instead.
if (str1.compare(str2)) {
}

If StringLikeClasses contains CustomString, the check will suggest replacing compare with equality operator.

readability-suspicious-call-argument

Finds function calls where the arguments passed are provided out of order, based on the difference between the argument name and the parameter names of the function.

Given a function call f(foo, bar); and a function signature void f(T tvar, U uvar), the arguments foo and bar are swapped if foo (the argument name) is more similar to uvar (the other parameter) than tvar (the parameter it is currently passed to) and bar is more similar to tvar than uvar.

Warnings might indicate either that the arguments are swapped, or that the names' cross-similarity might hinder code comprehension.

Heuristics

The following heuristics are implemented in the check. If any of the enabled heuristics deem the arguments to be provided out of order, a warning will be issued.

The heuristics themselves are implemented by considering pairs of strings, and are symmetric, so in the following there is no distinction on which string is the argument name and which string is the parameter name.

Equality

The most trivial heuristic, which compares the two strings for case-insensitive equality.

Abbreviation

Common abbreviations can be specified which will deem the strings similar if the abbreviated and the abbreviation stand together. For example, if src is registered as an abbreviation for source, then the following code example will be warned about.

void foo(int source, int x);

foo(b, src);

The abbreviations to recognise can be configured with the Abbreviations check option. This heuristic is case-insensitive.

Prefix

The prefix heuristic reports if one of the strings is a sufficiently long prefix of the other string, e.g. target to targetPtr. The similarity percentage is the length ratio of the prefix to the longer string, in the previous example, it would be 6 / 9 = 66.66...%.

This heuristic can be configured with bounds. The default bounds are: below 25% dissimilar and above 30% similar. This heuristic is case-insensitive.

Suffix

Analogous to the Prefix heuristic. In the case of oldValue and value compared, the similarity percentage is 8 / 5 = 62.5%.

This heuristic can be configured with bounds. The default bounds are: below 25% dissimilar and above 30% similar. This heuristic is case-insensitive.

Substring

The substring heuristic combines the prefix and the suffix heuristic, and tries to find the longest common substring in the two strings provided. The similarity percentage is the ratio of the found longest common substring against the longer of the two input strings. For example, given val and rvalue, the similarity is 3 / 6 = 50%. If no characters are common in the two string, 0%.

This heuristic can be configured with bounds. The default bounds are: below 40% dissimilar and above 50% similar. This heuristic is case-insensitive.

Levenshtein distance (as Levenshtein)

The Levenshtein distance describes how many single-character changes (additions, changes, or removals) must be applied to transform one string into another.

The Levenshtein distance is translated into a similarity percentage by dividing it with the length of the longer string, and taking its complement with regards to 100%. For example, given something and anything, the distance is 4 edits, and the similarity percentage is 100% - 4 / 9 = 55.55...%.

This heuristic can be configured with bounds. The default bounds are: below 50% dissimilar and above 66% similar. This heuristic is case-sensitive.

Jaro--Winkler distance (as JaroWinkler)

The Jaro--Winkler distance is an edit distance like the Levenshtein distance. It is calculated from the amount of common characters that are sufficiently close to each other in position, and to-be-changed characters. The original definition of Jaro has been extended by Winkler to weigh prefix similarities more. The similarity percentage is expressed as an average of the common and non-common characters against the length of both strings.

This heuristic can be configured with bounds. The default bounds are: below 75% dissimilar and above 85% similar. This heuristic is case-insensitive.

SĆørensen--Dice coefficient (as Dice)

The SĆørensen--Dice coefficient was originally defined to measure the similarity of two sets. Formally, the coefficient is calculated by dividing 2 * #(intersection) with #(set1) + #(set2), where #() is the cardinality function of sets. This metric is applied to strings by creating bigrams (substring sequences of length 2) of the two strings and using the set of bigrams for the two strings as the two sets.

This heuristic can be configured with bounds. The default bounds are: below 60% dissimilar and above 70% similar. This heuristic is case-insensitive.

Options

MinimumIdentifierNameLength

Sets the minimum required length the argument and parameter names need to have. Names shorter than this length will be ignored. Defaults to 3.

Abbreviations

For the Abbreviation heuristic (see here), this option configures the abbreviations in the "abbreviation=abbreviated_value" format. The option is a string, with each value joined by ";".

By default, the following abbreviations are set:

  • addr=address
  • arr=array
  • attr=attribute
  • buf=buffer
  • cl=client
  • cnt=count
  • col=column
  • cpy=copy
  • dest=destination
  • dist=distance
  • dst=distance
  • elem=element
  • hght=height
  • i=index
  • idx=index
  • len=length
  • ln=line
  • lst=list
  • nr=number
  • num=number
  • pos=position
  • ptr=pointer
  • ref=reference
  • src=source
  • srv=server
  • stmt=statement
  • str=string
  • val=value
  • var=variable
  • vec=vector
  • wdth=width

The configuration options for each implemented heuristic (see above) is constructed dynamically. In the following, <HeuristicName> refers to one of the keys from the heuristics implemented.

<HeuristicName>

True or False, whether a particular heuristic, such as Equality or Levenshtein is enabled.

Defaults to True for every heuristic.

<HeuristicName>DissimilarBelow, <HeuristicName>SimilarAbove

A value between 0 and 100, expressing a percentage. The bounds set what percentage of similarity the heuristic must deduce for the two identifiers to be considered similar or dissimilar by the check.

Given arguments arg1 and arg2 passed to param1 and param2, respectively, the bounds check is performed in the following way: If the similarity of the currently passed argument order (arg1 to param1) is below the DissimilarBelow threshold, and the similarity of the suggested swapped order (arg1 to param2) is above the SimilarAbove threshold, the swap is reported.

For the defaults of each heuristic, see above.

Name synthesis

When comparing the argument names and parameter names, the following logic is used to gather the names for comparison:

Parameter names are the identifiers as written in the source code.

Argument names are:

  • If a variable is passed, the variable's name.
  • If a subsequent function call's return value is used as argument, the called function's name.
  • Otherwise, empty string.

Empty argument or parameter names are ignored by the heuristics.

readability-uniqueptr-delete-release

Replace delete <unique_ptr>.release() with <unique_ptr> = nullptr. The latter is shorter, simpler and does not require use of raw pointer APIs.

std::unique_ptr<int> P;
delete P.release();

// becomes

std::unique_ptr<int> P;
P = nullptr;

Options

PreferResetCall

If true, refactor by calling the reset member function instead of assigning to nullptr. Default value is false.

std::unique_ptr<int> P;
delete P.release();

// becomes

std::unique_ptr<int> P;
P.reset();

readability-uppercase-literal-suffix

cert-dcl16-c redirects here as an alias for this check. By default, only the suffixes that begin with l (l, ll, lu, llu, but not u, ul, ull) are diagnosed by that alias.

hicpp-uppercase-literal-suffix redirects here as an alias for this check.

Detects when the integral literal or floating point (decimal or hexadecimal) literal has a non-uppercase suffix and provides a fix-it hint with the uppercase suffix.

All valid combinations of suffixes are supported.

auto x = 1;  // OK, no suffix.

auto x = 1u; // warning: integer literal suffix 'u' is not upper-case

auto x = 1U; // OK, suffix is uppercase.

...

Options

NewSuffixes

Optionally, a list of the destination suffixes can be provided. When the suffix is found, a case-insensitive lookup in that list is made, and if a replacement is found that is different from the current suffix, then the diagnostic is issued. This allows for fine-grained control of what suffixes to consider and what their replacements should be.

Example

Given a list L;uL:

  • l -> L
  • L will be kept as is.
  • ul -> uL
  • Ul -> uL
  • UL -> uL
  • uL will be kept as is.
  • ull will be kept as is, since it is not in the list
  • and so on.
IgnoreMacros

If this option is set to true (default is true), the check will not warn about literal suffixes inside macros.

readability-use-anyofallof

Finds range-based for loops that can be replaced by a call to std::any_of or std::all_of. In C++20 mode, suggests std::ranges::any_of or std::ranges::all_of.

Example:

bool all_even(std::vector<int> V) {
  for (int I : V) {
    if (I % 2)
      return false;
  }
  return true;
  // Replace loop by
  // return std::ranges::all_of(V, [](int I) { return I % 2 == 0; });
}

readability-use-std-min-max

Replaces certain conditional statements with equivalent calls to std::min or std::max. Note: This may impact performance in critical code due to potential additional stores compared to the original if statement.

Before:

void foo() {
  int a = 2, b = 3;
  if (a < b)
    a = b;
}

After:

void foo() {
  int a = 2, b = 3;
  a = std::max(a, b);
}

zircon-temporary-objects

Warns on construction of specific temporary objects in the Zircon kernel. If the object should be flagged, If the object should be flagged, the fully qualified type name must be explicitly passed to the check.

For example, given the list of classes "Foo" and "NS::Bar", all of the following will trigger the warning:

Foo();
Foo F = Foo();
func(Foo());

namespace NS {

Bar();

}

With the same list, the following will not trigger the warning:

Foo F;                 // Non-temporary construction okay
Foo F(param);          // Non-temporary construction okay
Foo *F = new Foo();    // New construction okay

Bar();                 // Not NS::Bar, so okay
NS::Bar B;             // Non-temporary construction okay

Note that objects must be explicitly specified in order to be flagged, and so objects that inherit a specified object will not be flagged.

This check matches temporary objects without regard for inheritance and so a prohibited base class type does not similarly prohibit derived class types.

class Derived : Foo {} // Derived is not explicitly disallowed
Derived();             // and so temporary construction is okay

Options

Names

A semi-colon-separated list of fully-qualified names of C++ classes that should not be constructed as temporaries. Default is empty.

NameOffers fixes
abseil-cleanup-ctadYes
abseil-duration-additionYes
abseil-duration-comparisonYes
abseil-duration-conversion-castYes
abseil-duration-divisionYes
abseil-duration-factory-floatYes
abseil-duration-factory-scaleYes
abseil-duration-subtractionYes
abseil-duration-unnecessary-conversionYes
abseil-faster-strsplit-delimiterYes
abseil-no-internal-dependencies
abseil-no-namespace
abseil-redundant-strcat-callsYes
abseil-str-cat-appendYes
abseil-string-find-startswithYes
abseil-string-find-str-containsYes
abseil-time-comparisonYes
abseil-time-subtractionYes
abseil-upgrade-duration-conversionsYes
altera-id-dependent-backward-branch
altera-kernel-name-restriction
altera-single-work-item-barrier
altera-struct-pack-alignYes
altera-unroll-loops
android-cloexec-acceptYes
android-cloexec-accept4Yes
android-cloexec-creatYes
android-cloexec-dupYes
android-cloexec-epoll-createYes
android-cloexec-epoll-create1Yes
android-cloexec-fopenYes
android-cloexec-inotify-initYes
android-cloexec-inotify-init1Yes
android-cloexec-memfd-createYes
android-cloexec-openYes
android-cloexec-pipeYes
android-cloexec-pipe2Yes
android-cloexec-socketYes
android-comparison-in-temp-failure-retry
boost-use-rangesYes
boost-use-to-stringYes
bugprone-argument-commentYes
bugprone-assert-side-effect
bugprone-assignment-in-if-condition
bugprone-bad-signal-to-kill-thread
bugprone-bool-pointer-implicit-conversionYes
bugprone-branch-clone
bugprone-casting-through-void
bugprone-chained-comparison
bugprone-compare-pointer-to-member-virtual-function
bugprone-copy-constructor-initYes
bugprone-crtp-constructor-accessibilityYes
bugprone-dangling-handle
bugprone-dynamic-static-initializers
bugprone-easily-swappable-parameters
bugprone-empty-catch
bugprone-exception-escape
bugprone-fold-init-type
bugprone-forward-declaration-namespace
bugprone-forwarding-reference-overload
bugprone-implicit-widening-of-multiplication-resultYes
bugprone-inaccurate-eraseYes
bugprone-inc-dec-in-conditions
bugprone-incorrect-enable-ifYes
bugprone-incorrect-roundings
bugprone-infinite-loop
bugprone-integer-division
bugprone-lambda-function-name
bugprone-macro-parenthesesYes
bugprone-macro-repeated-side-effects
bugprone-misplaced-operator-in-strlen-in-allocYes
bugprone-misplaced-pointer-arithmetic-in-allocYes
bugprone-misplaced-widening-cast
bugprone-move-forwarding-referenceYes
bugprone-multi-level-implicit-pointer-conversion
bugprone-multiple-new-in-one-expression
bugprone-multiple-statement-macro
bugprone-no-escape
bugprone-non-zero-enum-to-bool-conversion
bugprone-not-null-terminated-resultYes
bugprone-optional-value-conversionYes
bugprone-parent-virtual-callYes
bugprone-pointer-arithmetic-on-polymorphic-object
bugprone-posix-returnYes
bugprone-redundant-branch-conditionYes
bugprone-reserved-identifierYes
bugprone-return-const-ref-from-parameter
bugprone-shared-ptr-array-mismatchYes
bugprone-signal-handler
bugprone-signed-char-misuse
bugprone-sizeof-container
bugprone-sizeof-expression
bugprone-spuriously-wake-up-functions
bugprone-standalone-emptyYes
bugprone-string-constructorYes
bugprone-string-integer-assignmentYes
bugprone-string-literal-with-embedded-nul
bugprone-stringview-nullptrYes
bugprone-suspicious-enum-usage
bugprone-suspicious-include
bugprone-suspicious-memory-comparison
bugprone-suspicious-memset-usageYes
bugprone-suspicious-missing-comma
bugprone-suspicious-realloc-usage
bugprone-suspicious-semicolonYes
bugprone-suspicious-string-compareYes
bugprone-suspicious-stringview-data-usage
bugprone-swapped-argumentsYes
bugprone-switch-missing-default-case
bugprone-terminating-continueYes
bugprone-throw-keyword-missing
bugprone-too-small-loop-variable
bugprone-unchecked-optional-access
bugprone-undefined-memory-manipulation
bugprone-undelegated-constructor
bugprone-unhandled-exception-at-new
bugprone-unhandled-self-assignment
bugprone-unique-ptr-array-mismatchYes
bugprone-unsafe-functions
bugprone-unused-local-non-trivial-variable
bugprone-unused-raiiYes
bugprone-unused-return-value
bugprone-use-after-move
bugprone-virtual-near-missYes
cert-dcl50-cpp
cert-dcl58-cpp
cert-env33-c
cert-err33-c
cert-err34-c
cert-err52-cpp
cert-err58-cpp
cert-err60-cpp
cert-flp30-c
cert-mem57-cpp
cert-msc50-cpp
cert-msc51-cpp
cert-oop57-cpp
cert-oop58-cpp
concurrency-mt-unsafe
concurrency-thread-canceltype-asynchronous
cppcoreguidelines-avoid-capturing-lambda-coroutines
cppcoreguidelines-avoid-const-or-ref-data-members
cppcoreguidelines-avoid-do-while
cppcoreguidelines-avoid-goto
cppcoreguidelines-avoid-non-const-global-variables
cppcoreguidelines-avoid-reference-coroutine-parameters
cppcoreguidelines-init-variablesYes
cppcoreguidelines-interfaces-global-init
cppcoreguidelines-macro-usage
cppcoreguidelines-misleading-capture-default-by-valueYes
cppcoreguidelines-missing-std-forward
cppcoreguidelines-narrowing-conversions
cppcoreguidelines-no-malloc
cppcoreguidelines-no-suspend-with-lock
cppcoreguidelines-owning-memory
cppcoreguidelines-prefer-member-initializerYes
cppcoreguidelines-pro-bounds-array-to-pointer-decay
cppcoreguidelines-pro-bounds-constant-array-indexYes
cppcoreguidelines-pro-bounds-pointer-arithmetic
cppcoreguidelines-pro-type-const-cast
cppcoreguidelines-pro-type-cstyle-castYes
cppcoreguidelines-pro-type-member-initYes
cppcoreguidelines-pro-type-reinterpret-cast
cppcoreguidelines-pro-type-static-cast-downcastYes
cppcoreguidelines-pro-type-union-access
cppcoreguidelines-pro-type-vararg
cppcoreguidelines-rvalue-reference-param-not-moved
cppcoreguidelines-slicing
cppcoreguidelines-special-member-functions
cppcoreguidelines-virtual-class-destructorYes
darwin-avoid-spinlock
darwin-dispatch-once-nonstaticYes
fuchsia-default-arguments-calls
fuchsia-default-arguments-declarationsYes
fuchsia-multiple-inheritance
fuchsia-overloaded-operator
fuchsia-statically-constructed-objects
fuchsia-trailing-return
fuchsia-virtual-inheritance
google-build-explicit-make-pair
google-build-namespaces
google-build-using-namespace
google-default-arguments
google-explicit-constructorYes
google-global-names-in-headers
google-objc-avoid-nsobject-new
google-objc-avoid-throwing-exception
google-objc-function-naming
google-objc-global-variable-declaration
google-readability-avoid-underscore-in-googletest-name
google-readability-casting
google-readability-todo
google-runtime-int
google-runtime-operator
google-upgrade-googletest-caseYes
hicpp-exception-baseclass
hicpp-ignored-remove-result
hicpp-multiway-paths-covered
hicpp-no-assembler
hicpp-signed-bitwise
linuxkernel-must-check-errs
llvm-header-guard
llvm-include-orderYes
llvm-namespace-comment
llvm-prefer-isa-or-dyn-cast-in-conditionalsYes
llvm-prefer-register-over-unsignedYes
llvm-twine-localYes
llvmlibc-callee-namespace
llvmlibc-implementation-in-namespace
llvmlibc-inline-function-declYes
llvmlibc-restrict-system-libc-headersYes
misc-confusable-identifiers
misc-const-correctnessYes
misc-coroutine-hostile-raii
misc-definitions-in-headersYes
misc-header-include-cycle
misc-include-cleanerYes
misc-misleading-bidirectional
misc-misleading-identifier
misc-misplaced-const
misc-new-delete-overloads
misc-no-recursion
misc-non-copyable-objects
misc-non-private-member-variables-in-classes
misc-redundant-expressionYes
misc-static-assertYes
misc-throw-by-value-catch-by-reference
misc-unconventional-assign-operator
misc-uniqueptr-reset-releaseYes
misc-unused-alias-declsYes
misc-unused-parametersYes
misc-unused-using-declsYes
misc-use-anonymous-namespace
misc-use-internal-linkageYes
modernize-avoid-bindYes
modernize-avoid-c-arrays
modernize-concat-nested-namespacesYes
modernize-deprecated-headersYes
modernize-deprecated-ios-base-aliasesYes
modernize-loop-convertYes
modernize-macro-to-enumYes
modernize-make-sharedYes
modernize-make-uniqueYes
modernize-min-max-use-initializer-listYes
modernize-pass-by-valueYes
modernize-raw-string-literalYes
modernize-redundant-void-argYes
modernize-replace-auto-ptrYes
modernize-replace-disallow-copy-and-assign-macroYes
modernize-replace-random-shuffleYes
modernize-return-braced-init-listYes
modernize-shrink-to-fitYes
modernize-type-traitsYes
modernize-unary-static-assertYes
modernize-use-autoYes
modernize-use-bool-literalsYes
modernize-use-constraintsYes
modernize-use-default-member-initYes
modernize-use-designated-initializersYes
modernize-use-emplaceYes
modernize-use-equals-defaultYes
modernize-use-equals-deleteYes
modernize-use-nodiscardYes
modernize-use-noexceptYes
modernize-use-nullptrYes
modernize-use-overrideYes
modernize-use-rangesYes
modernize-use-starts-ends-withYes
modernize-use-std-formatYes
modernize-use-std-numbersYes
modernize-use-std-printYes
modernize-use-trailing-return-typeYes
modernize-use-transparent-functorsYes
modernize-use-uncaught-exceptionsYes
modernize-use-usingYes
mpi-buffer-derefYes
mpi-type-mismatchYes
objc-assert-equalsYes
objc-avoid-nserror-init
objc-dealloc-in-category
objc-forbidden-subclassing
objc-missing-hash
objc-nsdate-formatter
objc-nsinvocation-argument-lifetimeYes
objc-property-declarationYes
objc-super-selfYes
openmp-exception-escape
openmp-use-default-none
performance-avoid-endlYes
performance-enum-size
performance-faster-string-findYes
performance-for-range-copyYes
performance-implicit-conversion-in-loop
performance-inefficient-algorithmYes
performance-inefficient-string-concatenation
performance-inefficient-vector-operationYes
performance-move-const-argYes
performance-move-constructor-init
performance-no-automatic-move
performance-no-int-to-ptr
performance-noexcept-destructorYes
performance-noexcept-move-constructorYes
performance-noexcept-swapYes
performance-trivially-destructibleYes
performance-type-promotion-in-math-fnYes
performance-unnecessary-copy-initializationYes
performance-unnecessary-value-paramYes
portability-restrict-system-includesYes
portability-simd-intrinsics
portability-std-allocator-const
readability-avoid-const-params-in-declsYes
readability-avoid-nested-conditional-operator
readability-avoid-return-with-void-valueYes
readability-avoid-unconditional-preprocessor-if
readability-braces-around-statements
readability-const-return-typeYes
readability-container-containsYes
readability-container-data-pointerYes
readability-container-size-emptyYes
readability-convert-member-functions-to-staticYes
readability-delete-null-pointerYes
readability-duplicate-includeYes
readability-else-after-returnYes
readability-enum-initial-valueYes
readability-function-cognitive-complexity
readability-function-size
readability-identifier-length
readability-identifier-namingYes
readability-implicit-bool-conversionYes
readability-inconsistent-declaration-parameter-nameYes
readability-isolate-declarationYes
readability-magic-numbers
readability-make-member-function-constYes
readability-math-missing-parenthesesYes
readability-misleading-indentation
readability-misplaced-array-indexYes
readability-named-parameterYes
readability-non-const-parameterYes
readability-operators-representationYes
readability-qualified-autoYes
readability-redundant-access-specifiersYes
readability-redundant-castingYes
readability-redundant-control-flowYes
readability-redundant-declarationYes
readability-redundant-function-ptr-dereferenceYes
readability-redundant-inline-specifierYes
readability-redundant-member-initYes
readability-redundant-preprocessor
readability-redundant-smartptr-getYes
readability-redundant-string-cstrYes
readability-redundant-string-initYes
readability-reference-to-constructed-temporary
readability-simplify-boolean-exprYes
readability-simplify-subscript-exprYes
readability-static-accessed-through-instanceYes
readability-static-definition-in-anonymous-namespaceYes
readability-string-compareYes
readability-suspicious-call-argument
readability-uniqueptr-delete-releaseYes
readability-uppercase-literal-suffixYes
readability-use-anyofallof
readability-use-std-min-maxYes
zircon-temporary-objects

Check aliases

NameRedirectOffers fixes
bugprone-narrowing-conversionscppcoreguidelines-narrowing-conversions
cert-con36-cbugprone-spuriously-wake-up-functions
cert-con54-cppbugprone-spuriously-wake-up-functions
cert-ctr56-cppbugprone-pointer-arithmetic-on-polymorphic-object
cert-dcl03-cmisc-static-assertYes
cert-dcl16-creadability-uppercase-literal-suffixYes
cert-dcl37-cbugprone-reserved-identifierYes
cert-dcl51-cppbugprone-reserved-identifierYes
cert-dcl54-cppmisc-new-delete-overloads
cert-dcl59-cppgoogle-build-namespaces
cert-err09-cppmisc-throw-by-value-catch-by-reference
cert-err61-cppmisc-throw-by-value-catch-by-reference
cert-exp42-cbugprone-suspicious-memory-comparison
cert-fio38-cmisc-non-copyable-objects
cert-flp37-cbugprone-suspicious-memory-comparison
cert-int09-creadability-enum-initial-valueYes
cert-msc24-cbugprone-unsafe-functions
cert-msc30-ccert-msc50-cpp
cert-msc32-ccert-msc51-cpp
cert-msc33-cbugprone-unsafe-functions
cert-msc54-cppbugprone-signal-handler
cert-oop11-cppperformance-move-constructor-init
cert-oop54-cppbugprone-unhandled-self-assignment
cert-pos44-cbugprone-bad-signal-to-kill-thread
cert-pos47-cconcurrency-thread-canceltype-asynchronous
cert-sig30-cbugprone-signal-handler
cert-str34-cbugprone-signed-char-misuse
clang-analyzer-core.BitwiseShiftClang Static Analyzer core.BitwiseShift
clang-analyzer-core.CallAndMessageClang Static Analyzer core.CallAndMessage
clang-analyzer-core.DivideZeroClang Static Analyzer core.DivideZero
clang-analyzer-core.NonNullParamCheckerClang Static Analyzer core.NonNullParamChecker
clang-analyzer-core.NullDereferenceClang Static Analyzer core.NullDereference
clang-analyzer-core.StackAddressEscapeClang Static Analyzer core.StackAddressEscape
clang-analyzer-core.UndefinedBinaryOperatorResultClang Static Analyzer core.UndefinedBinaryOperatorResult
clang-analyzer-core.VLASizeClang Static Analyzer core.VLASize
clang-analyzer-core.uninitialized.ArraySubscriptClang Static Analyzer core.uninitialized.ArraySubscript
clang-analyzer-core.uninitialized.AssignClang Static Analyzer core.uninitialized.Assign
clang-analyzer-core.uninitialized.BranchClang Static Analyzer core.uninitialized.Branch
clang-analyzer-core.uninitialized.CapturedBlockVariableClang Static Analyzer core.uninitialized.CapturedBlockVariable
clang-analyzer-core.uninitialized.NewArraySizeClang Static Analyzer core.uninitialized.NewArraySize
clang-analyzer-core.uninitialized.UndefReturnClang Static Analyzer core.uninitialized.UndefReturn
clang-analyzer-cplusplus.ArrayDeleteClang Static Analyzer cplusplus.ArrayDelete
clang-analyzer-cplusplus.InnerPointerClang Static Analyzer cplusplus.InnerPointer
clang-analyzer-cplusplus.MoveClang Static Analyzer cplusplus.Move
clang-analyzer-cplusplus.NewDeleteClang Static Analyzer cplusplus.NewDelete
clang-analyzer-cplusplus.NewDeleteLeaksClang Static Analyzer cplusplus.NewDeleteLeaks
clang-analyzer-cplusplus.PlacementNewClang Static Analyzer cplusplus.PlacementNew
clang-analyzer-cplusplus.PureVirtualCallClang Static Analyzer cplusplus.PureVirtualCall
clang-analyzer-cplusplus.StringCheckerClang Static Analyzer cplusplus.StringChecker
clang-analyzer-deadcode.DeadStoresClang Static Analyzer deadcode.DeadStores
clang-analyzer-fuchsia.HandleCheckerClang Static Analyzer fuchsia.HandleChecker
clang-analyzer-nullability.NullPassedToNonnullClang Static Analyzer nullability.NullPassedToNonnull
clang-analyzer-nullability.NullReturnedFromNonnullClang Static Analyzer nullability.NullReturnedFromNonnull
clang-analyzer-nullability.NullableDereferencedClang Static Analyzer nullability.NullableDereferenced
clang-analyzer-nullability.NullablePassedToNonnullClang Static Analyzer nullability.NullablePassedToNonnull
clang-analyzer-nullability.NullableReturnedFromNonnullClang Static Analyzer nullability.NullableReturnedFromNonnull
clang-analyzer-optin.core.EnumCastOutOfRangeClang Static Analyzer optin.core.EnumCastOutOfRange
clang-analyzer-optin.cplusplus.UninitializedObjectClang Static Analyzer optin.cplusplus.UninitializedObject
clang-analyzer-optin.cplusplus.VirtualCallClang Static Analyzer optin.cplusplus.VirtualCall
clang-analyzer-optin.mpi.MPI-CheckerClang Static Analyzer optin.mpi.MPI-Checker
clang-analyzer-optin.osx.OSObjectCStyleCastClang Static Analyzer optin.osx.OSObjectCStyleCast
clang-analyzer-optin.osx.cocoa.localizability.EmptyLocalizationContextCheckerClang Static Analyzer optin.osx.cocoa.localizability.EmptyLocalizationContextChecker
clang-analyzer-optin.osx.cocoa.localizability.NonLocalizedStringCheckerClang Static Analyzer optin.osx.cocoa.localizability.NonLocalizedStringChecker
clang-analyzer-optin.performance.GCDAntipatternClang Static Analyzer optin.performance.GCDAntipattern
clang-analyzer-optin.performance.PaddingClang Static Analyzer optin.performance.Padding
clang-analyzer-optin.portability.UnixAPIClang Static Analyzer optin.portability.UnixAPI
clang-analyzer-optin.taint.TaintedAllocClang Static Analyzer optin.taint.TaintedAlloc
clang-analyzer-osx.APIClang Static Analyzer osx.API
clang-analyzer-osx.MIGClang Static Analyzer osx.MIG
clang-analyzer-osx.NumberObjectConversionClang Static Analyzer osx.NumberObjectConversion
clang-analyzer-osx.OSObjectRetainCountClang Static Analyzer osx.OSObjectRetainCount
clang-analyzer-osx.ObjCPropertyClang Static Analyzer osx.ObjCProperty
clang-analyzer-osx.SecKeychainAPIClang Static Analyzer osx.SecKeychainAPI
clang-analyzer-osx.cocoa.AtSyncClang Static Analyzer osx.cocoa.AtSync
clang-analyzer-osx.cocoa.AutoreleaseWriteClang Static Analyzer osx.cocoa.AutoreleaseWrite
clang-analyzer-osx.cocoa.ClassReleaseClang Static Analyzer osx.cocoa.ClassRelease
clang-analyzer-osx.cocoa.DeallocClang Static Analyzer osx.cocoa.Dealloc
clang-analyzer-osx.cocoa.IncompatibleMethodTypesClang Static Analyzer osx.cocoa.IncompatibleMethodTypes
clang-analyzer-osx.cocoa.LoopsClang Static Analyzer osx.cocoa.Loops
clang-analyzer-osx.cocoa.MissingSuperCallClang Static Analyzer osx.cocoa.MissingSuperCall
clang-analyzer-osx.cocoa.NSAutoreleasePoolClang Static Analyzer osx.cocoa.NSAutoreleasePool
clang-analyzer-osx.cocoa.NSErrorClang Static Analyzer osx.cocoa.NSError
clang-analyzer-osx.cocoa.NilArgClang Static Analyzer osx.cocoa.NilArg
clang-analyzer-osx.cocoa.NonNilReturnValueClang Static Analyzer osx.cocoa.NonNilReturnValue
clang-analyzer-osx.cocoa.ObjCGenericsClang Static Analyzer osx.cocoa.ObjCGenerics
clang-analyzer-osx.cocoa.RetainCountClang Static Analyzer osx.cocoa.RetainCount
clang-analyzer-osx.cocoa.RunLoopAutoreleaseLeakClang Static Analyzer osx.cocoa.RunLoopAutoreleaseLeak
clang-analyzer-osx.cocoa.SelfInitClang Static Analyzer osx.cocoa.SelfInit
clang-analyzer-osx.cocoa.SuperDeallocClang Static Analyzer osx.cocoa.SuperDealloc
clang-analyzer-osx.cocoa.UnusedIvarsClang Static Analyzer osx.cocoa.UnusedIvars
clang-analyzer-osx.cocoa.VariadicMethodTypesClang Static Analyzer osx.cocoa.VariadicMethodTypes
clang-analyzer-osx.coreFoundation.CFErrorClang Static Analyzer osx.coreFoundation.CFError
clang-analyzer-osx.coreFoundation.CFNumberClang Static Analyzer osx.coreFoundation.CFNumber
clang-analyzer-osx.coreFoundation.CFRetainReleaseClang Static Analyzer osx.coreFoundation.CFRetainRelease
clang-analyzer-osx.coreFoundation.containers.OutOfBoundsClang Static Analyzer osx.coreFoundation.containers.OutOfBounds
clang-analyzer-osx.coreFoundation.containers.PointerSizedValuesClang Static Analyzer osx.coreFoundation.containers.PointerSizedValues
clang-analyzer-security.FloatLoopCounterClang Static Analyzer security.FloatLoopCounter
clang-analyzer-security.PutenvStackArrayClang Static Analyzer security.PutenvStackArray
clang-analyzer-security.SetgidSetuidOrderClang Static Analyzer security.SetgidSetuidOrder
clang-analyzer-security.cert.env.InvalidPtrClang Static Analyzer security.cert.env.InvalidPtr
clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandlingClang Static Analyzer security.insecureAPI.DeprecatedOrUnsafeBufferHandling
clang-analyzer-security.insecureAPI.UncheckedReturnClang Static Analyzer security.insecureAPI.UncheckedReturn
clang-analyzer-security.insecureAPI.bcmpClang Static Analyzer security.insecureAPI.bcmp
clang-analyzer-security.insecureAPI.bcopyClang Static Analyzer security.insecureAPI.bcopy
clang-analyzer-security.insecureAPI.bzeroClang Static Analyzer security.insecureAPI.bzero
clang-analyzer-security.insecureAPI.decodeValueOfObjCTypeClang Static Analyzer security.insecureAPI.decodeValueOfObjCType
clang-analyzer-security.insecureAPI.getpwClang Static Analyzer security.insecureAPI.getpw
clang-analyzer-security.insecureAPI.getsClang Static Analyzer security.insecureAPI.gets
clang-analyzer-security.insecureAPI.mkstempClang Static Analyzer security.insecureAPI.mkstemp
clang-analyzer-security.insecureAPI.mktempClang Static Analyzer security.insecureAPI.mktemp
clang-analyzer-security.insecureAPI.randClang Static Analyzer security.insecureAPI.rand
clang-analyzer-security.insecureAPI.strcpyClang Static Analyzer security.insecureAPI.strcpy
clang-analyzer-security.insecureAPI.vforkClang Static Analyzer security.insecureAPI.vfork
clang-analyzer-unix.APIClang Static Analyzer unix.API
clang-analyzer-unix.BlockInCriticalSectionClang Static Analyzer unix.BlockInCriticalSection
clang-analyzer-unix.ErrnoClang Static Analyzer unix.Errno
clang-analyzer-unix.MallocClang Static Analyzer unix.Malloc
clang-analyzer-unix.MallocSizeofClang Static Analyzer unix.MallocSizeof
clang-analyzer-unix.MismatchedDeallocatorClang Static Analyzer unix.MismatchedDeallocator
clang-analyzer-unix.StdCLibraryFunctionsClang Static Analyzer unix.StdCLibraryFunctions
clang-analyzer-unix.StreamClang Static Analyzer unix.Stream
clang-analyzer-unix.VforkClang Static Analyzer unix.Vfork
clang-analyzer-unix.cstring.BadSizeArgClang Static Analyzer unix.cstring.BadSizeArg
clang-analyzer-unix.cstring.NullArgClang Static Analyzer unix.cstring.NullArg
clang-analyzer-valist.CopyToSelfClang Static Analyzer valist.CopyToSelf
clang-analyzer-valist.UninitializedClang Static Analyzer valist.Uninitialized
clang-analyzer-valist.UnterminatedClang Static Analyzer valist.Unterminated
clang-analyzer-webkit.NoUncountedMemberCheckerClang Static Analyzer webkit.NoUncountedMemberChecker
clang-analyzer-webkit.RefCntblBaseVirtualDtorClang Static Analyzer webkit.RefCntblBaseVirtualDtor
clang-analyzer-webkit.UncountedLambdaCapturesCheckerClang Static Analyzer webkit.UncountedLambdaCapturesChecker
cppcoreguidelines-avoid-c-arraysmodernize-avoid-c-arrays
cppcoreguidelines-avoid-magic-numbersreadability-magic-numbers
cppcoreguidelines-c-copy-assignment-signaturemisc-unconventional-assign-operator
cppcoreguidelines-explicit-virtual-functionsmodernize-use-overrideYes
cppcoreguidelines-macro-to-enummodernize-macro-to-enumYes
cppcoreguidelines-noexcept-destructorperformance-noexcept-destructorYes
cppcoreguidelines-noexcept-move-operationsperformance-noexcept-move-constructorYes
cppcoreguidelines-noexcept-swapperformance-noexcept-swapYes
cppcoreguidelines-non-private-member-variables-in-classesmisc-non-private-member-variables-in-classes
cppcoreguidelines-use-default-member-initmodernize-use-default-member-initYes
fuchsia-header-anon-namespacesgoogle-build-namespaces
google-readability-braces-around-statementsreadability-braces-around-statements
google-readability-function-sizereadability-function-size
google-readability-namespace-commentsllvm-namespace-comment
hicpp-avoid-c-arraysmodernize-avoid-c-arrays
hicpp-avoid-gotocppcoreguidelines-avoid-goto
hicpp-braces-around-statementsreadability-braces-around-statements
hicpp-deprecated-headersmodernize-deprecated-headersYes
hicpp-explicit-conversionsgoogle-explicit-constructorYes
hicpp-function-sizereadability-function-size
hicpp-invalid-access-movedbugprone-use-after-move
hicpp-member-initcppcoreguidelines-pro-type-member-initYes
hicpp-move-const-argperformance-move-const-argYes
hicpp-named-parameterreadability-named-parameterYes
hicpp-new-delete-operatorsmisc-new-delete-overloads
hicpp-no-array-decaycppcoreguidelines-pro-bounds-array-to-pointer-decay
hicpp-no-malloccppcoreguidelines-no-malloc
hicpp-noexcept-moveperformance-noexcept-move-constructorYes
hicpp-special-member-functionscppcoreguidelines-special-member-functions
hicpp-static-assertmisc-static-assertYes
hicpp-undelegated-constructorbugprone-undelegated-constructor
hicpp-uppercase-literal-suffixreadability-uppercase-literal-suffixYes
hicpp-use-automodernize-use-autoYes
hicpp-use-emplacemodernize-use-emplaceYes
hicpp-use-equals-defaultmodernize-use-equals-defaultYes
hicpp-use-equals-deletemodernize-use-equals-deleteYes
hicpp-use-noexceptmodernize-use-noexceptYes
hicpp-use-nullptrmodernize-use-nullptrYes
hicpp-use-overridemodernize-use-overrideYes
hicpp-varargcppcoreguidelines-pro-type-vararg
llvm-else-after-returnreadability-else-after-returnYes
llvm-qualified-autoreadability-qualified-autoYes

Clang-tidy IDE/Editor Integrations

Apart from being a standalone tool, clang-tidy is integrated into various IDEs, code analyzers, and editors. We recommend using clangd which integrates clang-tidy and is available in most major editors through plugins (Vim, Emacs, Visual Studio Code, Sublime Text and more).

The following table shows the most well-known clang-tidy integrations in detail.

Feature
ToolOn-the-fly inspectionCheck list configuration (GUI)Options to checks (GUI)Configuration via .clang-tidy filesCustom clang-tidy binary
A.L.E. for Vim+---+
Clang Power Tools for Visual Studio-+-+-
Clangd+--+-
CLion IDE+++++
CodeChecker----+
CPPCheck-----
CPPDepend-----
Flycheck for Emacs+--++
KDevelop IDE-++++
Qt Creator IDE++-++
ReSharper C++ for Visual Studio++-++
Syntastic for Vim+---+
Visual Assist for Visual Studio++---

IDEs

CLion 2017.2 and later integrates clang-tidy as an extension to the built-in code analyzer. Starting from 2018.2 EAP, CLion allows using clang-tidy via Clangd. Inspections and applicable quick-fixes are performed on the fly, and checks can be configured in standard command line format. In this integration, you can switch to the clang-tidy binary different from the bundled one, pass the configuration in .clang-tidy files instead of using the IDE settings, and configure options for particular checks.

KDevelop with the kdev-clang-tidy plugin, starting from version 5.1, performs static analysis using clang-tidy. The plugin launches the clang-tidy binary from the specified location and parses its output to provide a list of issues.

QtCreator 4.6 integrates clang-tidy warnings into the editor diagnostics under the Clang Code Model. To employ clang-tidy inspection in QtCreator, you need to create a copy of one of the presets and choose the checks to be performed. Since QtCreator 4.7 project-wide analysis is possible with the Clang Tools analyzer.

MS Visual Studio Ā can integrate clang-tidy by means of three different tools. The ReSharper C++ extension, version 2017.3 and later, provides seamless clang-tidy integration: checks and quick-fixes run alongside native inspections. Apart from that, ReSharper C++ incorporates clang-tidy as a separate step of its code clean-up process. Visual Assist build 2210 includes a subset of clang-tidy checklist to inspect the code as you edit. Another way to bring clang-tidy functionality to Visual Studio is the Clang Power Tools plugin, which includes most of the clang-tidy checks and runs them during compilation or as a separate step of code analysis.

Editors

Emacs24, when expanded with the Flycheck plugin, incorporates the clang-tidy inspection into the syntax analyzer. For Vim, you can use Syntastic, which includes clang-tidy, or A.L.E., a lint engine that applies clang-tidy along with other linters.

Analyzers

clang-tidy is integrated in CPPDepend starting from version 2018.1 and CPPCheck 1.82. CPPCheck integration lets you import Visual Studio solutions and run the clang-tidy inspection on them. The CodeChecker application of version 5.3 or later, which also comes as a plugin for Eclipse, supports clang-tidy as a static analysis instrument and allows to use a custom clang-tidy binary.

Getting Involved

clang-tidy has several own checks and can run Clang static analyzer checks, but its power is in the ability to easily write custom checks.

Checks are organized in modules, which can be linked into clang-tidy with minimal or no code changes in clang-tidy.

Checks can plug into the analysis on the preprocessor level using PPCallbacks or on the AST level using AST Matchers. When an error is found, checks can report them in a way similar to how Clang diagnostics work. A fix-it hint can be attached to a diagnostic message.

The interface provided by clang-tidy makes it easy to write useful and precise checks in just a few lines of code. If you have an idea for a good check, the rest of this document explains how to do this.

There are a few tools particularly useful when developing clang-tidy checks:
  • add_new_check.py is a script to automate the process of adding a new check, it will create the check, update the CMake file and create a test;
  • rename_check.py does what the script name suggests, renames an existing check;
  • pp-trace logs method calls on PPCallbacks for a source file and is invaluable in understanding the preprocessor mechanism;
  • clang-query is invaluable for interactive prototyping of AST matchers and exploration of the Clang AST;
  • clang-check with the -ast-dump (and optionally -ast-dump-filter) provides a convenient way to dump AST of a C++ program.

If CMake is configured with CLANG_TIDY_ENABLE_STATIC_ANALYZER=NO, clang-tidy will not be built with support for the clang-analyzer-* checks or the mpi-* checks.

Choosing the Right Place for your Check

If you have an idea of a check, you should decide whether it should be implemented as a:

  • Clang diagnostic: if the check is generic enough, targets code patterns that most probably are bugs (rather than style or readability issues), can be implemented effectively and with extremely low false positive rate, it may make a good Clang diagnostic.
  • Clang static analyzer check: if the check requires some sort of control flow analysis, it should probably be implemented as a static analyzer check.
  • clang-tidy check is a good choice for linter-style checks, checks that are related to a certain coding style, checks that address code readability, etc.

Preparing your Workspace

If you are new to LLVM development, you should read the Getting Started with the LLVM System, Using Clang Tools and How To Setup Clang Tooling For LLVM documents to check out and build LLVM, Clang and Clang Extra Tools with CMake.

Once you are done, change to the llvm/clang-tools-extra directory, and let's start!

When you configure the CMake build, make sure that you enable the clang and clang-tools-extra projects to build clang-tidy. Because your new check will have associated documentation, you will also want to install Sphinx and enable it in the CMake configuration. To save build time of the core Clang libraries you may want to only enable the X86 target in the CMake configuration.

The Directory Structure

clang-tidy source code resides in the llvm/clang-tools-extra directory and is structured as follows:

clang-tidy/                       # Clang-tidy core.
|-- ClangTidy.h                   # Interfaces for users.
|-- ClangTidyCheck.h              # Interfaces for checks.
|-- ClangTidyModule.h             # Interface for clang-tidy modules.
|-- ClangTidyModuleRegistry.h     # Interface for registering of modules.
   ...
|-- google/                       # Google clang-tidy module.
|-+
  |-- GoogleTidyModule.cpp
  |-- GoogleTidyModule.h
        ...
|-- llvm/                         # LLVM clang-tidy module.
|-+
  |-- LLVMTidyModule.cpp
  |-- LLVMTidyModule.h
        ...
|-- objc/                         # Objective-C clang-tidy module.
|-+
  |-- ObjCTidyModule.cpp
  |-- ObjCTidyModule.h
        ...
|-- tool/                         # Sources of the clang-tidy binary.
        ...
test/clang-tidy/                  # Integration tests.
    ...
unittests/clang-tidy/             # Unit tests.
|-- ClangTidyTest.h
|-- GoogleModuleTest.cpp
|-- LLVMModuleTest.cpp
|-- ObjCModuleTest.cpp
    ...

Writing a clang-tidy Check

So you have an idea of a useful check for clang-tidy.

First, if you're not familiar with LLVM development, read through the Getting Started with LLVM document for instructions on setting up your workflow and the LLVM Coding Standards document to familiarize yourself with the coding style used in the project. For code reviews we mostly use LLVM Phabricator.

Next, you need to decide which module the check belongs to. Modules are located in subdirectories of clang-tidy/ and contain checks targeting a certain aspect of code quality (performance, readability, etc.), certain coding style or standard (Google, LLVM, CERT, etc.) or a widely used API (e.g. MPI). Their names are the same as the user-facing check group names described above.

After choosing the module and the name for the check, run the clang-tidy/add_new_check.py script to create the skeleton of the check and plug it to clang-tidy. It's the recommended way of adding new checks.

If we want to create a readability-awesome-function-names, we would run:

$ clang-tidy/add_new_check.py readability awesome-function-names
The add_new_check.py script will:
  • create the class for your check inside the specified module's directory and register it in the module and in the build system;
  • create a lit test file in the test/clang-tidy/ directory;
  • create a documentation file and include it into the docs/clang-tidy/checks/list.rst.

Let's see in more detail at the check class definition:

...

#include "../ClangTidyCheck.h"

namespace clang {
namespace tidy {
namespace readability {

...
class AwesomeFunctionNamesCheck : public ClangTidyCheck {
public:
  AwesomeFunctionNamesCheck(StringRef Name, ClangTidyContext *Context)
      : ClangTidyCheck(Name, Context) {}
  void registerMatchers(ast_matchers::MatchFinder *Finder) override;
  void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
};

} // namespace readability
} // namespace tidy
} // namespace clang

...

Constructor of the check receives the Name and Context parameters, and must forward them to the ClangTidyCheck constructor.

In our case the check needs to operate on the AST level and it overrides the registerMatchers and check methods. If we wanted to analyze code on the preprocessor level, we'd need instead to override the registerPPCallbacks method.

In the registerMatchers method we create an AST Matcher (see AST Matchers for more information) that will find the pattern in the AST that we want to inspect. The results of the matching are passed to the check method, which can further inspect them and report diagnostics.

using namespace ast_matchers;

void AwesomeFunctionNamesCheck::registerMatchers(MatchFinder *Finder) {
  Finder->addMatcher(functionDecl().bind("x"), this);
}

void AwesomeFunctionNamesCheck::check(const MatchFinder::MatchResult &Result) {
  const auto *MatchedDecl = Result.Nodes.getNodeAs<FunctionDecl>("x");
  if (!MatchedDecl->getIdentifier() || MatchedDecl->getName().startswith("awesome_"))
    return;
  diag(MatchedDecl->getLocation(), "function %0 is insufficiently awesome")
      << MatchedDecl
      << FixItHint::CreateInsertion(MatchedDecl->getLocation(), "awesome_");
}

(If you want to see an example of a useful check, look at clang-tidy/google/ExplicitConstructorCheck.h and clang-tidy/google/ExplicitConstructorCheck.cpp).

If you need to interact with macros or preprocessor directives, you will want to override the method registerPPCallbacks. Ā The add_new_check.py script does not generate an override for this method in the starting point for your new check.

If your check applies only under a specific set of language options, be sure to override the method isLanguageVersionSupported to reflect that.

Check development tips

Writing your first check can be a daunting task, particularly if you are unfamiliar with the LLVM and Clang code bases. Ā Here are some suggestions for orienting yourself in the codebase and working on your check incrementally.

Guide to useful documentation

Many of the support classes created for LLVM are used by Clang, such as StringRef and SmallVector. These and other commonly used classes are described in the Important and useful LLVM APIs and Picking the Right Data Structure for the Task sections of the LLVM Programmer's Manual. Ā You don't need to memorize all the details of these classes; the generated doxygen documentation has everything if you need it. Ā In the header LLVM/ADT/STLExtras.h you'll find useful versions of the STL algorithms that operate on LLVM containers, such as llvm::all_of.

Clang is implemented on top of LLVM and introduces its own set of classes that you will interact with while writing your check. Ā When a check issues diagnostics and fix-its, these are associated with locations in the source code. Ā Source code locations, source files, ranges of source locations and the SourceManager class provide the mechanisms for describing such locations. Ā These and other topics are described in the "Clang" CFE Internals Manual. Ā Whereas the doxygen generated documentation serves as a reference to the internals of Clang, this document serves as a guide to other developers. Ā Topics in that manual of interest to a check developer are:

Most checks will interact with C++ source code via the AST. Ā Some checks will interact with the preprocessor. Ā The input source file is lexed and preprocessed and then parsed into the AST. Ā Once the AST is fully constructed, the check is run by applying the check's registered AST matchers against the AST and invoking the check with the set of matched nodes from the AST. Ā Monitoring the actions of the preprocessor is detached from the AST construction, but a check can collect information during preprocessing for later use by the check when nodes are matched by the AST.

Every syntactic (and sometimes semantic) element of the C++ source code is represented by different classes in the AST. Ā You select the portions of the AST you're interested in by composing AST matcher functions. Ā You will want to study carefully the AST Matcher Reference to understand the relationship between the different matcher functions.

Using the Transformer library

The Transformer library allows you to write a check that transforms source code by expressing the transformation as a RewriteRule. Ā The Transformer library provides functions for composing edits to source code to create rewrite rules. Ā Unless you need to perform low-level source location manipulation, you may want to consider writing your check with the Transformer library. Ā The Clang Transformer Tutorial describes the Transformer library in detail.

To use the Transformer library, make the following changes to the code generated by the add_new_check.py script:

  • Include ../utils/TransformerClangTidyCheck.h instead of ../ClangTidyCheck.h
  • Change the base class of your check from ClangTidyCheck to TransformerClangTidyCheck
  • Delete the override of the registerMatchers and check methods in your check class.
  • Write a function that creates the RewriteRule for your check.
  • Call the function in your check's constructor to pass the rewrite rule to TransformerClangTidyCheck's constructor.

Developing your check incrementally

The best way to develop your check is to start with the simple test cases and increase complexity incrementally. Ā The test file created by the add_new_check.py script is a starting point for your test cases. Ā A rough outline of the process looks like this:

  • Write a test case for your check.
  • Prototype matchers on the test file using clang-query.
  • Capture the working matchers in the registerMatchers method.
  • Issue the necessary diagnostics and fix-its in the check method.
  • Add the necessary CHECK-MESSAGES and CHECK-FIXES annotations to your test case to validate the diagnostics and fix-its.
  • Build the target check-clang-tool to confirm the test passes.
  • Repeat the process until all aspects of your check are covered by tests.

The quickest way to prototype your matcher is to use clang-query to interactively build up your matcher. Ā For complicated matchers, build up a matching expression incrementally and use clang-query's let command to save named matching expressions to simplify your matcher. Ā Just like breaking up a huge function into smaller chunks with intention-revealing names can help you understand a complex algorithm, breaking up a matcher into smaller matchers with intention-revealing names can help you understand a complicated matcher. Ā Once you have a working matcher, the C++ API will be virtually identical to your interactively constructed matcher. Ā You can use local variables to preserve your intention-revealing names that you applied to nested matchers.

Creating private matchers

Sometimes you want to match a specific aspect of the AST that isn't provided by the existing AST matchers. Ā You can create your own private matcher using the same infrastructure as the public matchers. Ā A private matcher can simplify the processing in your check method by eliminating complex hand-crafted AST traversal of the matched nodes. Ā Using the private matcher allows you to select the desired portions of the AST directly in the matcher and refer to it by a bound name in the check method.

Unit testing helper code

Private custom matchers are a good example of auxiliary support code for your check that can be tested with a unit test. Ā It will be easier to test your matchers or other support classes by writing a unit test than by writing a FileCheck integration test. Ā The ASTMatchersTests target contains unit tests for the public AST matcher classes and is a good source of testing idioms for matchers.

You can build the Clang-tidy unit tests by building the ClangTidyTests target. Test targets in LLVM and Clang are excluded from the "build all" style action of IDE-based CMake generators, so you need to explicitly build the target for the unit tests to be built.

Making your check robust

Once you've covered your check with the basic "happy path" scenarios, you'll want to torture your check with as many edge cases as you can cover in order to ensure your check is robust. Ā Running your check on a large code base, such as Clang/LLVM, is a good way to catch things you forgot to account for in your matchers. Ā However, the LLVM code base may be insufficient for testing purposes as it was developed against a particular set of coding styles and quality measures. Ā The larger the corpus of code the check is tested against, the higher confidence the community will have in the check's efficacy and false positive rate.

Some suggestions to ensure your check is robust:

  • Create header files that contain code matched by your check.
  • Validate that fix-its are properly applied to test header files with clang-tidy. Ā You will need to perform this test manually until automated support for checking messages and fix-its is added to the check_clang_tidy.py script.
  • Define macros that contain code matched by your check.
  • Define template classes that contain code matched by your check.
  • Define template specializations that contain code matched by your check.
  • Test your check under both Windows and Linux environments.
  • Watch out for high false positive rates. Ā Ideally, a check would have no false positives, but given that matching against an AST is not control- or data flow- sensitive, a number of false positives are expected. Ā The higher the false positive rate, the less likely the check will be adopted in practice. Mechanisms should be put in place to help the user manage false positives.
  • There are two primary mechanisms for managing false positives: supporting a code pattern which allows the programmer to silence the diagnostic in an ad hoc manner and check configuration options to control the behavior of the check.
  • Consider supporting a code pattern to allow the programmer to silence the diagnostic whenever such a code pattern can clearly express the programmer's intent. Ā For example, allowing an explicit cast to void to silence an unused variable diagnostic.
  • Consider adding check configuration options to allow the user to opt into more aggressive checking behavior without burdening users for the common high-confidence cases.

Documenting your check

The add_new_check.py script creates entries in the release notes, the list of checks and a new file for the check documentation itself. Ā It is recommended that you have a concise summation of what your check does in a single sentence that is repeated in the release notes, as the first sentence in the doxygen comments in the header file for your check class and as the first sentence of the check documentation. Ā Avoid the phrase "this check" in your check summation and check documentation.

If your check relates to a published coding guideline (C++ Core Guidelines, MISRA, etc.) or style guide, provide links to the relevant guideline or style guide sections in your check documentation.

Provide enough examples of the diagnostics and fix-its provided by the check so that a user can easily understand what will happen to their code when the check is run. If there are exceptions or limitations to your check, document them thoroughly. Ā This will help users understand the scope of the diagnostics and fix-its provided by the check.

Building the target docs-clang-tools-html will run the Sphinx documentation generator and create documentation HTML files in the tools/clang/tools/extra/docs/html directory in your build tree. Ā Make sure that your check is correctly shown in the release notes and the list of checks. Ā Make sure that the formatting and structure of your check's documentation looks correct.

Registering your Check

(The add_new_check.py script takes care of registering the check in an existing module. If you want to create a new module or know the details, read on.)

The check should be registered in the corresponding module with a distinct name:

class MyModule : public ClangTidyModule {
 public:
  void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
    CheckFactories.registerCheck<ExplicitConstructorCheck>(
        "my-explicit-constructor");
  }
};

Now we need to register the module in the ClangTidyModuleRegistry using a statically initialized variable:

static ClangTidyModuleRegistry::Add<MyModule> X("my-module",
                                                "Adds my lint checks.");

When using LLVM build system, we need to use the following hack to ensure the module is linked into the clang-tidy binary:

Add this near the ClangTidyModuleRegistry::Add<MyModule> variable:

// This anchor is used to force the linker to link in the generated object file
// and thus register the MyModule.
volatile int MyModuleAnchorSource = 0;

And this to the main translation unit of the clang-tidy binary (or the binary you link the clang-tidy library in) clang-tidy/ClangTidyForceLinker.h:

// This anchor is used to force the linker to link the MyModule.
extern volatile int MyModuleAnchorSource;
static int MyModuleAnchorDestination = MyModuleAnchorSource;

Configuring Checks

If a check needs configuration options, it can access check-specific options using the Options.get<Type>("SomeOption", DefaultValue) call in the check constructor. In this case the check should also override the ClangTidyCheck::storeOptions method to make the options provided by the check discoverable. This method lets clang-tidy know which options the check implements and what the current values are (e.g. for the -dump-config command line option).

class MyCheck : public ClangTidyCheck {
  const unsigned SomeOption1;
  const std::string SomeOption2;

public:
  MyCheck(StringRef Name, ClangTidyContext *Context)
    : ClangTidyCheck(Name, Context),
      SomeOption(Options.get("SomeOption1", -1U)),
      SomeOption(Options.get("SomeOption2", "some default")) {}

  void storeOptions(ClangTidyOptions::OptionMap &Opts) override {
    Options.store(Opts, "SomeOption1", SomeOption1);
    Options.store(Opts, "SomeOption2", SomeOption2);
  }
  ...

Assuming the check is registered with the name "my-check", the option can then be set in a .clang-tidy file in the following way:

CheckOptions:
  my-check.SomeOption1: 123
  my-check.SomeOption2: 'some other value'

If you need to specify check options on a command line, you can use the inline YAML format:

$ clang-tidy -config="{CheckOptions: {a: b, x: y}}" ...

Testing Checks

To run tests for clang-tidy, build the check-clang-tools target. For instance, if you configured your CMake build with the ninja project generator, use the command:

$ ninja check-clang-tools

clang-tidy checks can be tested using either unit tests or lit tests. Unit tests may be more convenient to test complex replacements with strict checks. Lit tests allow using partial text matching and regular expressions which makes them more suitable for writing compact tests for diagnostic messages.

The check_clang_tidy.py script provides an easy way to test both diagnostic messages and fix-its. It filters out CHECK lines from the test file, runs clang-tidy and verifies messages and fixes with two separate FileCheck invocations: once with FileCheck's directive prefix set to CHECK-MESSAGES, validating the diagnostic messages, and once with the directive prefix set to CHECK-FIXES, running against the fixed code (i.e., the code after generated fix-its are applied). In particular, CHECK-FIXES: can be used to check that code was not modified by fix-its, by checking that it is present unchanged in the fixed code. The full set of FileCheck directives is available (e.g., CHECK-MESSAGES-SAME:, CHECK-MESSAGES-NOT:), though typically the basic CHECK forms (CHECK-MESSAGES and CHECK-FIXES) are sufficient for clang-tidy tests. Note that the FileCheck documentation mostly assumes the default prefix (CHECK), and hence describes the directive as CHECK:, CHECK-SAME:, CHECK-NOT:, etc. Replace CHECK by either CHECK-FIXES or CHECK-MESSAGES for clang-tidy tests.

An additional check enabled by check_clang_tidy.py ensures that if CHECK-MESSAGES: is used in a file then every warning or error must have an associated CHECK in that file. Or, you can use CHECK-NOTES: instead, if you want to also ensure that all the notes are checked.

To use the check_clang_tidy.py script, put a .cpp file with the appropriate RUN line in the test/clang-tidy directory. Use CHECK-MESSAGES: and CHECK-FIXES: lines to write checks against diagnostic messages and fixed code.

It's advised to make the checks as specific as possible to avoid checks matching to incorrect parts of the input. Use [[@LINE+X]]/[[@LINE-X]] substitutions and distinct function and variable names in the test code.

Here's an example of a test using the check_clang_tidy.py script (the full source code is at test/clang-tidy/checkers/google/readability-casting.cpp):

// RUN: %check_clang_tidy %s google-readability-casting %t

void f(int a) {
  int b = (int)a;
  // CHECK-MESSAGES: :[[@LINE-1]]:11: warning: redundant cast to the same type [google-readability-casting]
  // CHECK-FIXES: int b = a;
}

To check more than one scenario in the same test file use -check-suffix=SUFFIX-NAME on check_clang_tidy.py command line or -check-suffixes=SUFFIX-NAME-1,SUFFIX-NAME-2,.... With -check-suffix[es]=SUFFIX-NAME you need to replace your CHECK-* directives with CHECK-MESSAGES-SUFFIX-NAME and CHECK-FIXES-SUFFIX-NAME.

Here's an example:

// RUN: %check_clang_tidy -check-suffix=USING-A %s misc-unused-using-decls %t -- -- -DUSING_A
// RUN: %check_clang_tidy -check-suffix=USING-B %s misc-unused-using-decls %t -- -- -DUSING_B
// RUN: %check_clang_tidy %s misc-unused-using-decls %t
...
// CHECK-MESSAGES-USING-A: :[[@LINE-8]]:10: warning: using decl 'A' {{.*}}
// CHECK-MESSAGES-USING-B: :[[@LINE-7]]:10: warning: using decl 'B' {{.*}}
// CHECK-MESSAGES: :[[@LINE-6]]:10: warning: using decl 'C' {{.*}}
// CHECK-FIXES-USING-A-NOT: using a::A;$
// CHECK-FIXES-USING-B-NOT: using a::B;$
// CHECK-FIXES-NOT: using a::C;$

There are many dark corners in the C++ language, and it may be difficult to make your check work perfectly in all cases, especially if it issues fix-it hints. The most frequent pitfalls are macros and templates:

  1. code written in a macro body/template definition may have a different meaning depending on the macro expansion/template instantiation;
  2. multiple macro expansions/template instantiations may result in the same code being inspected by the check multiple times (possibly, with different meanings, see 1), and the same warning (or a slightly different one) may be issued by the check multiple times; clang-tidy will deduplicate _identical_ warnings, but if the warnings are slightly different, all of them will be shown to the user (and used for applying fixes, if any);
  3. making replacements to a macro body/template definition may be fine for some macro expansions/template instantiations, but easily break some other expansions/instantiations.

If you need multiple files to exercise all the aspects of your check, it is recommended you place them in a subdirectory named for the check under the Inputs directory for the module containing your check. Ā This keeps the test directory from getting cluttered.

If you need to validate how your check interacts with system header files, a set of simulated system header files is located in the checkers/Inputs/Headers directory. Ā The path to this directory is available in a lit test with the variable %clang_tidy_headers.

Out-of-tree check plugins

Developing an out-of-tree check as a plugin largely follows the steps outlined above. The plugin is a shared library whose code lives outside the clang-tidy build system. Build and link this shared library against LLVM as done for other kinds of Clang plugins.

The plugin can be loaded by passing -load to clang-tidy in addition to the names of the checks to enable.

$ clang-tidy --checks=-*,my-explicit-constructor -list-checks -load myplugin.so

There is no expectations regarding ABI and API stability, so the plugin must be compiled against the version of clang-tidy that will be loading the plugin.

The plugins can use threads, TLS, or any other facilities available to in-tree code which is accessible from the external headers.

Running clang-tidy on LLVM

To test a check it's best to try it out on a larger code base. LLVM and Clang are the natural targets as you already have the source code around. The most convenient way to run clang-tidy is with a compile command database; CMake can automatically generate one, for a description of how to enable it see How To Setup Clang Tooling For LLVM. Once compile_commands.json is in place and a working version of clang-tidy is in PATH the entire code base can be analyzed with clang-tidy/tool/run-clang-tidy.py. The script executes clang-tidy with the default set of checks on every translation unit in the compile command database and displays the resulting warnings and errors. The script provides multiple configuration flags.

  • The default set of checks can be overridden using the -checks argument, taking the identical format as clang-tidy does. For example -checks=-*,modernize-use-override will run the modernize-use-override check only.
  • To restrict the files examined you can provide one or more regex arguments that the file names are matched against. run-clang-tidy.py clang-tidy/.*Check\.cpp will only analyze clang-tidy checks. It may also be necessary to restrict the header files that warnings are displayed from using the -header-filter flag. It has the same behavior as the corresponding clang-tidy flag.
  • To apply suggested fixes -fix can be passed as an argument. This gathers all changes in a temporary directory and applies them. Passing -format will run clang-format over changed lines.

On checks profiling

clang-tidy can collect per-check profiling info, and output it for each processed source file (translation unit).

To enable profiling info collection, use the -enable-check-profile argument. The timings will be output to stderr as a table. Example output:

$ clang-tidy -enable-check-profile -checks=-*,readability-function-size source.cpp
===-------------------------------------------------------------------------===
                          clang-tidy checks profiling
===-------------------------------------------------------------------------===
  Total Execution Time: 1.0282 seconds (1.0258 wall clock)

   ---User Time---   --System Time--   --User+System--   ---Wall Time---  --- Name ---
   0.9136 (100.0%)   0.1146 (100.0%)   1.0282 (100.0%)   1.0258 (100.0%)  readability-function-size
   0.9136 (100.0%)   0.1146 (100.0%)   1.0282 (100.0%)   1.0258 (100.0%)  Total

It can also store that data as JSON files for further processing. Example output:

$ clang-tidy -enable-check-profile -store-check-profile=. -checks=-*,readability-function-size source.cpp
$ # Note that there won't be timings table printed to the console.
$ ls /tmp/out/
20180516161318717446360-source.cpp.json
$ cat 20180516161318717446360-source.cpp.json
{
"file": "/path/to/source.cpp",
"timestamp": "2018-05-16 16:13:18.717446360",
"profile": {
  "time.clang-tidy.readability-function-size.wall": 1.0421266555786133e+00,
  "time.clang-tidy.readability-function-size.user": 9.2088400000005421e-01,
  "time.clang-tidy.readability-function-size.sys": 1.2418899999999974e-01
}
}

There is only one argument that controls profile storage:

  • -store-check-profile=<prefix>

    By default reports are printed in tabulated format to stderr. When this option is passed, these per-TU profiles are instead stored as JSON. If the prefix is not an absolute path, it is considered to be relative to the directory from where you have run clang-tidy. All . and .. patterns in the path are collapsed, and symlinks are resolved.

    Example: Let's suppose you have a source file named example.cpp, located in the /source directory. Only the input filename is used, not the full path to the source file. Additionally, it is prefixed with the current timestamp.

    • If you specify -store-check-profile=/tmp, then the profile will be saved to /tmp/<ISO8601-like timestamp>-example.cpp.json
    • If you run clang-tidy from within /foo directory, and specify -store-check-profile=., then the profile will still be saved to /foo/<ISO8601-like timestamp>-example.cpp.json

clang-tidy is a clang-based C++ "linter" tool. Its purpose is to provide an extensible framework for diagnosing and fixing typical programming errors, like style violations, interface misuse, or bugs that can be deduced via static analysis. clang-tidy is modular and provides a convenient interface for writing new checks.

Using clang-tidy

clang-tidy is a LibTooling-based tool, and it's easier to work with if you set up a compile command database for your project (for an example of how to do this, see How To Setup Tooling For LLVM). You can also specify compilation options on the command line after --:

$ clang-tidy test.cpp -- -Imy_project/include -DMY_DEFINES ...

clang-tidy has its own checks and can also run Clang Static Analyzer checks. Each check has a name and the checks to run can be chosen using the -checks= option, which specifies a comma-separated list of positive and negative (prefixed with -) globs. Positive globs add subsets of checks, and negative globs remove them. For example,

$ clang-tidy test.cpp -checks=-*,clang-analyzer-*,-clang-analyzer-cplusplus*

will disable all default checks (-*) and enable all clang-analyzer-* checks except for clang-analyzer-cplusplus* ones.

The -list-checks option lists all the enabled checks. When used without -checks=, it shows checks enabled by default. Use -checks=* to see all available checks or with any other value of -checks= to see which checks are enabled by this value.

There are currently the following groups of checks:

Name prefixDescription
abseil-Checks related to Abseil library.
altera-Checks related to OpenCL programming for FPGAs.
android-Checks related to Android.
boost-Checks related to Boost library.
bugprone-Checks that target bug-prone code constructs.
cert-Checks related to CERT Secure Coding Guidelines.
clang-analyzer-Clang Static Analyzer checks.
concurrency-Checks related to concurrent programming (including threads, fibers, coroutines, etc.).
cppcoreguidelines-Checks related to C++ Core Guidelines.
darwin-Checks related to Darwin coding conventions.
fuchsia-Checks related to Fuchsia coding conventions.
google-Checks related to Google coding conventions.
hicpp-Checks related to High Integrity C++ Coding Standard.
linuxkernel-Checks related to the Linux Kernel coding conventions.
llvm-Checks related to the LLVM coding conventions.
llvmlibc-Checks related to the LLVM-libc coding standards.
misc-Checks that we didn't have a better category for.
modernize-Checks that advocate usage of modern (currently "modern" means "C++11") language constructs.
mpi-Checks related to MPI (Message Passing Interface).
objc-Checks related to Objective-C coding conventions.
openmp-Checks related to OpenMP API.
performance-Checks that target performance-related issues.
portability-Checks that target portability-related issues that don't relate to any particular coding style.
readability-Checks that target readability-related issues that don't relate to any particular coding style.
zircon-Checks related to Zircon kernel coding conventions.

Clang diagnostics are treated in a similar way as check diagnostics. Clang diagnostics are displayed by clang-tidy and can be filtered out using the -checks= option. However, the -checks= option does not affect compilation arguments, so it cannot turn on Clang warnings which are not already turned on in the build configuration. The -warnings-as-errors= option upgrades any warnings emitted under the -checks= flag to errors (but it does not enable any checks itself).

Clang diagnostics have check names starting with clang-diagnostic-. Diagnostics which have a corresponding warning option, are named clang-diagnostic-<warning-option>, e.g. Clang warning controlled by -Wliteral-conversion will be reported with check name clang-diagnostic-literal-conversion.

The -fix flag instructs clang-tidy to fix found errors if supported by corresponding checks.

An overview of all the command-line options:

$ clang-tidy --help
USAGE: clang-tidy [options] <source0> [... <sourceN>]

OPTIONS:

Generic Options:

  --help                           - Display available options (--help-hidden for more)
  --help-list                      - Display list of available options (--help-list-hidden for more)
  --version                        - Display the version of this program

clang-tidy options:

  --checks=<string>                - Comma-separated list of globs with optional '-'
                                     prefix. Globs are processed in order of
                                     appearance in the list. Globs without '-'
                                     prefix add checks with matching names to the
                                     set, globs with the '-' prefix remove checks
                                     with matching names from the set of enabled
                                     checks. This option's value is appended to the
                                     value of the 'Checks' option in .clang-tidy
                                     file, if any.
  --config=<string>                - Specifies a configuration in YAML/JSON format:
                                       -config="{Checks: '*',
                                                 CheckOptions: {x: y}}"
                                     When the value is empty, clang-tidy will
                                     attempt to find a file named .clang-tidy for
                                     each source file in its parent directories.
  --config-file=<string>           - Specify the path of .clang-tidy or custom config file:
                                      e.g. --config-file=/some/path/myTidyConfigFile
                                     This option internally works exactly the same way as
                                      --config option after reading specified config file.
                                     Use either --config-file or --config, not both.
  --dump-config                    - Dumps configuration in the YAML format to
                                     stdout. This option can be used along with a
                                     file name (and '--' if the file is outside of a
                                     project with configured compilation database).
                                     The configuration used for this file will be
                                     printed.
                                     Use along with -checks=* to include
                                     configuration of all checks.
  --enable-check-profile           - Enable per-check timing profiles, and print a
                                     report to stderr.
  --enable-module-headers-parsing  - Enables preprocessor-level module header parsing
                                     for C++20 and above, empowering specific checks
                                     to detect macro definitions within modules. This
                                     feature may cause performance and parsing issues
                                     and is therefore considered experimental.
  --exclude-header-filter=<string> - Regular expression matching the names of the
                                     headers to exclude diagnostics from. Diagnostics
                                     from the main file of each translation unit are
                                     always displayed.
                                     Must be used together with --header-filter.
                                     Can be used together with -line-filter.
                                     This option overrides the 'ExcludeHeaderFilterRegex'
                                     option in .clang-tidy file, if any.
  --explain-config                 - For each enabled check explains, where it is
                                     enabled, i.e. in clang-tidy binary, command
                                     line or a specific configuration file.
  --export-fixes=<filename>        - YAML file to store suggested fixes in. The
                                     stored fixes can be applied to the input source
                                     code with clang-apply-replacements.
  --extra-arg=<string>             - Additional argument to append to the compiler command line
  --extra-arg-before=<string>      - Additional argument to prepend to the compiler command line
  --fix                            - Apply suggested fixes. Without -fix-errors
                                     clang-tidy will bail out if any compilation
                                     errors were found.
  --fix-errors                     - Apply suggested fixes even if compilation
                                     errors were found. If compiler errors have
                                     attached fix-its, clang-tidy will apply them as
                                     well.
  --fix-notes                      - If a warning has no fix, but a single fix can
                                     be found through an associated diagnostic note,
                                     apply the fix.
                                     Specifying this flag will implicitly enable the
                                     '--fix' flag.
  --format-style=<string>          - Style for formatting code around applied fixes:
                                       - 'none' (default) turns off formatting
                                       - 'file' (literally 'file', not a placeholder)
                                         uses .clang-format file in the closest parent
                                         directory
                                       - '{ <json> }' specifies options inline, e.g.
                                         -format-style='{BasedOnStyle: llvm, IndentWidth: 8}'
                                       - 'llvm', 'google', 'webkit', 'mozilla'
                                     See clang-format documentation for the up-to-date
                                     information about formatting styles and options.
                                     This option overrides the 'FormatStyle` option in
                                     .clang-tidy file, if any.
  --header-filter=<string>         - Regular expression matching the names of the
                                     headers to output diagnostics from. Diagnostics
                                     from the main file of each translation unit are
                                     always displayed.
                                     Can be used together with -line-filter.
                                     This option overrides the 'HeaderFilterRegex'
                                     option in .clang-tidy file, if any.
  --line-filter=<string>           - List of files with line ranges to filter the
                                     warnings. Can be used together with
                                     -header-filter. The format of the list is a
                                     JSON array of objects:
                                       [
                                         {"name":"file1.cpp","lines":[[1,3],[5,7]]},
                                         {"name":"file2.h"}
                                       ]
  --list-checks                    - List all enabled checks and exit. Use with
                                     -checks=* to list all available checks.
  --load=<pluginfilename>          - Load the specified plugin
  -p <string>                      - Build path
  --quiet                          - Run clang-tidy in quiet mode. This suppresses
                                     printing statistics about ignored warnings and
                                     warnings treated as errors if the respective
                                     options are specified.
  --store-check-profile=<prefix>   - By default reports are printed in tabulated
                                     format to stderr. When this option is passed,
                                     these per-TU profiles are instead stored as JSON.
  --system-headers                 - Display the errors from system headers.
                                     This option overrides the 'SystemHeaders' option
                                     in .clang-tidy file, if any.
  --use-color                      - Use colors in diagnostics. If not set, colors
                                     will be used if the terminal connected to
                                     standard output supports colors.
                                     This option overrides the 'UseColor' option in
                                     .clang-tidy file, if any.
  --verify-config                  - Check the config files to ensure each check and
                                     option is recognized.
  --vfsoverlay=<filename>          - Overlay the virtual filesystem described by file
                                     over the real file system.
  --warnings-as-errors=<string>    - Upgrades warnings to errors. Same format as
                                     '-checks'.
                                     This option's value is appended to the value of
                                     the 'WarningsAsErrors' option in .clang-tidy
                                     file, if any.
  --allow-no-checks                - Allow empty enabled checks. This suppresses
                                     the "no checks enabled" error when disabling
                                     all of the checks.

-p <build-path> is used to read a compile command database.

  For example, it can be a CMake build directory in which a file named
  compile_commands.json exists (use -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
  CMake option to get this output). When no build path is specified,
  a search for compile_commands.json will be attempted through all
  parent paths of the first input file . See:
  https://clang.llvm.org/docs/HowToSetupToolingForLLVM.html for an
  example of setting up Clang Tooling on a source tree.

<source0> ... specify the paths of source files. These paths are
  looked up in the compile command database. If the path of a file is
  absolute, it needs to point into CMake's source tree. If the path is
  relative, the current working directory needs to be in the CMake
  source tree and the file must be in a subdirectory of the current
  working directory. "./" prefixes in the relative files will be
  automatically removed, but the rest of a relative path must be a
  suffix of a path in the compile command database.


Configuration files:
  clang-tidy attempts to read configuration for each source file from a
  .clang-tidy file located in the closest parent directory of the source
  file. The .clang-tidy file is specified in YAML format. If any configuration
  options have a corresponding command-line option, command-line option takes
  precedence.

  The following configuration options may be used in a .clang-tidy file:

  CheckOptions                 - List of key-value pairs defining check-specific
                                 options. Example:
                                   CheckOptions:
                                     some-check.SomeOption: 'some value'
  Checks                       - Same as '--checks'. Additionally, the list of
                                 globs can be specified as a list instead of a
                                 string.
  ExcludeHeaderFilterRegex     - Same as '--exclude-header-filter'.
  ExtraArgs                    - Same as '--extra-args'.
  ExtraArgsBefore              - Same as '--extra-args-before'.
  FormatStyle                  - Same as '--format-style'.
  HeaderFileExtensions         - File extensions to consider to determine if a
                                 given diagnostic is located in a header file.
  HeaderFilterRegex            - Same as '--header-filter-regex'.
  ImplementationFileExtensions - File extensions to consider to determine if a
                                 given diagnostic is located in an
                                 implementation file.
  InheritParentConfig          - If this option is true in a config file, the
                                 configuration file in the parent directory
                                 (if any exists) will be taken and the current
                                 config file will be applied on top of the
                                 parent one.
  SystemHeaders                - Same as '--system-headers'.
  UseColor                     - Same as '--use-color'.
  User                         - Specifies the name or e-mail of the user
                                 running clang-tidy. This option is used, for
                                 example, to place the correct user name in
                                 TODO() comments in the relevant check.
  WarningsAsErrors             - Same as '--warnings-as-errors'.

  The effective configuration can be inspected using --dump-config:

    $ clang-tidy --dump-config
    ---
    Checks:              '-*,some-check'
    WarningsAsErrors:    ''
    HeaderFileExtensions:         ['', 'h','hh','hpp','hxx']
    ImplementationFileExtensions: ['c','cc','cpp','cxx']
    HeaderFilterRegex:   ''
    FormatStyle:         none
    InheritParentConfig: true
    User:                user
    CheckOptions:
      some-check.SomeOption: 'some value'
    ...

Suppressing Undesired Diagnostics

clang-tidy diagnostics are intended to call out code that does not adhere to a coding standard, or is otherwise problematic in some way. However, if the code is known to be correct, it may be useful to silence the warning. Some clang-tidy checks provide a check-specific way to silence the diagnostics, e.g. bugprone-use-after-move can be silenced by re-initializing the variable after it has been moved out, bugprone-string-integer-assignment can be suppressed by explicitly casting the integer to char, readability-implicit-bool-conversion can also be suppressed by using explicit casts, etc.

If a specific suppression mechanism is not available for a certain warning, or its use is not desired for some reason, clang-tidy has a generic mechanism to suppress diagnostics using NOLINT, NOLINTNEXTLINE, and NOLINTBEGIN ... NOLINTEND comments.

The NOLINT comment instructs clang-tidy to ignore warnings on the same line (it doesn't apply to a function, a block of code or any other language construct; it applies to the line of code it is on). If introducing the comment on the same line would change the formatting in an undesired way, the NOLINTNEXTLINE comment allows suppressing clang-tidy warnings on the next line. The NOLINTBEGIN and NOLINTEND comments allow suppressing clang-tidy warnings on multiple lines (affecting all lines between the two comments).

All comments can be followed by an optional list of check names in parentheses (see below for the formal syntax). The list of check names supports globbing, with the same format and semantics as for enabling checks. Note: negative globs are ignored here, as they would effectively re-activate the warning.

For example:

class Foo {
  // Suppress all the diagnostics for the line
  Foo(int param); // NOLINT

  // Consider explaining the motivation to suppress the warning
  Foo(char param); // NOLINT: Allow implicit conversion from `char`, because <some valid reason>

  // Silence only the specified checks for the line
  Foo(double param); // NOLINT(google-explicit-constructor, google-runtime-int)

  // Silence all checks from the `google` module
  Foo(bool param); // NOLINT(google*)

  // Silence all checks ending with `-avoid-c-arrays`
  int array[10]; // NOLINT(*-avoid-c-arrays)

  // Silence only the specified diagnostics for the next line
  // NOLINTNEXTLINE(google-explicit-constructor, google-runtime-int)
  Foo(bool param);

  // Silence all checks from the `google` module for the next line
  // NOLINTNEXTLINE(google*)
  Foo(bool param);

  // Silence all checks ending with `-avoid-c-arrays` for the next line
  // NOLINTNEXTLINE(*-avoid-c-arrays)
  int array[10];

  // Silence only the specified checks for all lines between the BEGIN and END
  // NOLINTBEGIN(google-explicit-constructor, google-runtime-int)
  Foo(short param);
  Foo(long param);
  // NOLINTEND(google-explicit-constructor, google-runtime-int)

  // Silence all checks from the `google` module for all lines between the BEGIN and END
  // NOLINTBEGIN(google*)
  Foo(bool param);
  // NOLINTEND(google*)

  // Silence all checks ending with `-avoid-c-arrays` for all lines between the BEGIN and END
  // NOLINTBEGIN(*-avoid-c-arrays)
  int array[10];
  // NOLINTEND(*-avoid-c-arrays)
};

The formal syntax of NOLINT, NOLINTNEXTLINE, and NOLINTBEGIN ... NOLINTEND is the following:

lint-comment:
  lint-command
  lint-command lint-args

lint-args:
  ( check-name-list )

check-name-list:
  check-name
  check-name-list , check-name

lint-command:
  NOLINT
  NOLINTNEXTLINE
  NOLINTBEGIN
  NOLINTEND

Note that whitespaces between NOLINT/NOLINTNEXTLINE/NOLINTBEGIN/NOLINTEND and the opening parenthesis are not allowed (in this case the comment will be treated just as NOLINT/NOLINTNEXTLINE/NOLINTBEGIN/NOLINTEND), whereas in the check names list (inside the parentheses), whitespaces can be used and will be ignored.

All NOLINTBEGIN comments must be paired by an equal number of NOLINTEND comments. Moreover, a pair of comments must have matching arguments -- for example, NOLINTBEGIN(check-name) can be paired with NOLINTEND(check-name) but not with NOLINTEND (zero arguments). clang-tidy will generate a clang-tidy-nolint error diagnostic if any NOLINTBEGIN/NOLINTEND comment violates these requirements.

Clang-Include-Fixer

Contents

  • Clang-Include-Fixer

    • Setup

      • Creating a Symbol Index From a Compilation Database
      • Integrate with Vim
      • Integrate with Emacs
    • How it Works

One of the major nuisances of C++ compared to other languages is the manual management of #include directives in any file. clang-include-fixer addresses one aspect of this problem by providing an automated way of adding #include directives for missing symbols in one translation unit.

While inserting missing #include, clang-include-fixer adds missing namespace qualifiers to all instances of an unidentified symbol if the symbol is missing some prefix namespace qualifiers.

Setup

To use clang-include-fixer two databases are required. Both can be generated with existing tools.

  • Compilation database. Contains the compiler commands for any given file in a project and can be generated by CMake, see How To Setup Tooling For LLVM.
  • Symbol index. Contains all symbol information in a project to match a given identifier to a header file.

Ideally both databases (compile_commands.json and find_all_symbols_db.yaml) are linked into the root of the source tree they correspond to. Then the clang-include-fixer can automatically pick them up if called with a source file from that tree. Note that by default compile_commands.json as generated by CMake does not include header files, so only implementation files can be handled by tools.

Creating a Symbol Index From a Compilation Database

The include fixer contains find-all-symbols, a tool to create a symbol database in YAML format from a compilation database by parsing all source files listed in it. The following list of commands shows how to set up a database for LLVM, any project built by CMake should follow similar steps.

$ cd path/to/llvm-build
$ ninja find-all-symbols // build find-all-symbols tool.
$ ninja clang-include-fixer // build clang-include-fixer tool.
$ ls compile_commands.json # Make sure compile_commands.json exists.
  compile_commands.json
$ path/to/llvm/source/clang-tools-extra/clang-include-fixer/find-all-symbols/tool/run-find-all-symbols.py
  ... wait as clang indexes the code base ...
$ ln -s $PWD/find_all_symbols_db.yaml path/to/llvm/source/ # Link database into the source tree.
$ ln -s $PWD/compile_commands.json path/to/llvm/source/ # Also link compilation database if it's not there already.
$ cd path/to/llvm/source
$ /path/to/clang-include-fixer -db=yaml path/to/file/with/missing/include.cpp
  Added #include "foo.h"

Integrate with Vim

To run clang-include-fixer on a potentially unsaved buffer in Vim. Add the following key binding to your .vimrc:

noremap <leader>cf :pyf path/to/llvm/source/clang-tools-extra/clang-include-fixer/tool/clang-include-fixer.py<cr>

This enables clang-include-fixer for NORMAL and VISUAL mode. Change <leader>cf to another binding if you need clang-include-fixer on a different key. The <leader> key is a reference to a specific key defined by the mapleader variable and is bound to backslash by default.

Make sure vim can find clang-include-fixer:

  • Add the path to clang-include-fixer to the PATH environment variable.
  • Or set g:clang_include_fixer_path in vimrc: let g:clang_include_fixer_path=path/to/clang-include-fixer

You can customize the number of headers being shown by setting let g:clang_include_fixer_maximum_suggested_headers=5

Customized settings in .vimrc:

  • let g:clang_include_fixer_path = "clang-include-fixer"

    Set clang-include-fixer binary file path.

  • let g:clang_include_fixer_maximum_suggested_headers = 3

    Set the maximum number of #includes to show. Default is 3.

  • let g:clang_include_fixer_increment_num = 5

    Set the increment number of #includes to show every time when pressing m. Default is 5.

  • let g:clang_include_fixer_jump_to_include = 0

    Set to 1 if you want to jump to the new inserted #include line. Default is 0.

  • let g:clang_include_fixer_query_mode = 0

    Set to 1 if you want to insert #include for the symbol under the cursor. Default is 0. Compared to normal mode, this mode won't parse the source file and only search the symbol from database, which is faster than normal mode.

See clang-include-fixer.py for more details.

Integrate with Emacs

To run clang-include-fixer on a potentially unsaved buffer in Emacs. Ensure that Emacs finds clang-include-fixer.el by adding the directory containing the file to the load-path and requiring the clang-include-fixer in your .emacs:

(add-to-list 'load-path "path/to/llvm/source/clang-tools-extra/clang-include-fixer/tool/"
(require 'clang-include-fixer)

Within Emacs the tool can be invoked with the command M-x clang-include-fixer. This will insert the header that defines the first undefined symbol; if there is more than one header that would define the symbol, the user is prompted to select one.

To include the header that defines the symbol at point, run M-x clang-include-fixer-at-point.

Make sure Emacs can find clang-include-fixer:

  • Either add the parent directory of clang-include-fixer to the PATH environment variable, or customize the Emacs user option clang-include-fixer-executable to point to the file name of the program.

How it Works

To get the most information out of Clang at parse time, clang-include-fixer runs in tandem with the parse and receives callbacks from Clang's semantic analysis. In particular it reuses the existing support for typo corrections. Whenever Clang tries to correct a potential typo it emits a callback to the include fixer which then looks for a corresponding file. At this point rich lookup information is still available, which is not available in the AST at a later stage.

The identifier that should be typo corrected is then sent to the database, if a header file is returned it is added as an include directive at the top of the file.

Currently clang-include-fixer only inserts a single include at a time to avoid getting caught in follow-up errors. If multiple #include additions are desired the program can be rerun until a fix-point is reached.

Modularize User's Manual

Modularize Usage

modularize [<modularize-options>] [<module-map>|<include-files-list>]* [<front-end-options>...]

<modularize-options> is a place-holder for options specific to modularize, which are described below in Modularize Command Line Options.

<module-map> specifies the path of a file name for an existing module map. The module map must be well-formed in terms of syntax. Modularize will extract the header file names from the map. Only normal headers are checked, assuming headers marked "private", "textual", or "exclude" are not to be checked as a top-level include, assuming they either are included by other headers which are checked, or they are not suitable for modules.

<include-files-list> specifies the path of a file name for a file containing the newline-separated list of headers to check with respect to each other. Lines beginning with '#' and empty lines are ignored. Header file names followed by a colon and other space-separated file names will include those extra files as dependencies. The file names can be relative or full paths, but must be on the same line. For example:

header1.h
header2.h
header3.h: header1.h header2.h

Note that unless a -prefix (header path) option is specified, non-absolute file paths in the header list file will be relative to the header list file directory. Use -prefix to specify a different directory.

<front-end-options> is a place-holder for regular Clang front-end arguments, which must follow the <include-files-list>. Note that by default, modularize assumes .h files contain C++ source, so if you are using a different language, you might need to use a -x option to tell Clang that the header contains another language, i.e.: Ā -x c

Note also that because modularize does not use the clang driver, you will likely need to pass in additional compiler front-end arguments to match those passed in by default by the driver.

Modularize Command Line Options

-prefix=<header-path>

Prepend the given path to non-absolute file paths in the header list file. By default, headers are assumed to be relative to the header list file directory. Use -prefix to specify a different directory.

-module-map-path=<module-map-path>

Generate a module map and output it to the given file. See the description in Module Map Generation.

-problem-files-list=<problem-files-list-file-name>

For use only with module map assistant. Input list of files that have problems with respect to modules. These will still be included in the generated module map, but will be marked as "excluded" headers.

-root-module=<root-name>

Put modules generated by the -module-map-path option in an enclosing module with the given name. See the description in Module Map Generation.

-block-check-header-list-only

Limit the #include-inside-extern-or-namespace-block check to only those headers explicitly listed in the header list. This is a work-around for avoiding error messages for private includes that purposefully get included inside blocks.

-no-coverage-check

Don't do the coverage check for a module map.

-coverage-check-only

Only do the coverage check for a module map.

-display-file-lists

Display lists of good files (no compile errors), problem files, and a combined list with problem files preceded by a '#'. This can be used to quickly determine which files have problems. The latter combined list might be useful in starting to modularize a set of headers. You can start with a full list of headers, use -display-file-lists option, and then use the combined list as your intermediate list, uncommenting-out headers as you fix them.

modularize is a standalone tool that checks whether a set of headers provides the consistent definitions required to use modules. For example, it detects whether the same entity (say, a NULL macro or size_t typedef) is defined in multiple headers or whether a header produces different definitions under different circumstances. These conditions cause modules built from the headers to behave poorly, and should be fixed before introducing a module map.

modularize also has an assistant mode option for generating a module map file based on the provided header list. The generated file is a functional module map that can be used as a starting point for a module.modulemap file.

Getting Started

To build from source:

  1. Read Getting Started with the LLVM System and Clang Tools Documentation for information on getting sources for LLVM, Clang, and Clang Extra Tools.
  2. Getting Started with the LLVM System and Building LLVM with CMake give directions for how to build. With sources all checked out into the right place the LLVM build will build Clang Extra Tools and their dependencies automatically.

    • If using CMake, you can also use the modularize target to build just the modularize tool and its dependencies.

Before continuing, take a look at Modularize Usage to see how to invoke modularize.

What Modularize Checks

Modularize will check for the following:

  • Duplicate global type and variable definitions
  • Duplicate macro definitions
  • Macro instances, 'defined(macro)', or #if, #elif, #ifdef, #ifndef conditions that evaluate differently in a header
  • #include directives inside 'extern "C/C++" {}' or 'namespace (name) {}' blocks
  • Module map header coverage completeness (in the case of a module map input only)

Modularize will do normal C/C++ parsing, reporting normal errors and warnings, but will also report special error messages like the following:

error: '(symbol)' defined at multiple locations:
   (file):(row):(column)
   (file):(row):(column)

error: header '(file)' has different contents depending on how it was included

The latter might be followed by messages like the following:

note: '(symbol)' in (file) at (row):(column) not always provided

Checks will also be performed for macro expansions, defined(macro) expressions, and preprocessor conditional directives that evaluate inconsistently, and can produce error messages like the following:

 (...)/SubHeader.h:11:5:
#if SYMBOL == 1
    ^
error: Macro instance 'SYMBOL' has different values in this header,
       depending on how it was included.
  'SYMBOL' expanded to: '1' with respect to these inclusion paths:
    (...)/Header1.h
      (...)/SubHeader.h
(...)/SubHeader.h:3:9:
#define SYMBOL 1
        ^
Macro defined here.
  'SYMBOL' expanded to: '2' with respect to these inclusion paths:
    (...)/Header2.h
        (...)/SubHeader.h
(...)/SubHeader.h:7:9:
#define SYMBOL 2
        ^
Macro defined here.

Checks will also be performed for '#include' directives that are nested inside 'extern "C/C++" {}' or 'namespace (name) {}' blocks, and can produce error message like the following:

IncludeInExtern.h:2:3:
#include "Empty.h"
^
error: Include directive within extern "C" {}.
IncludeInExtern.h:1:1:
extern "C" {
^
The "extern "C" {}" block is here.

Module Map Coverage Check

The coverage check uses the Clang library to read and parse the module map file. Starting at the module map file directory, or just the include paths, if specified, it will collect the names of all the files it considers headers (no extension, .h, or .inc--if you need more, modify the isHeader function). It then compares the headers against those referenced in the module map, either explicitly named, or implicitly named via an umbrella directory or umbrella file, as parsed by the ModuleMap object. If headers are found which are not referenced or covered by an umbrella directory or file, warning messages will be produced, and this program will return an error code of 1. If no problems are found, an error code of 0 is returned.

Note that in the case of umbrella headers, this tool invokes the compiler to preprocess the file, and uses a callback to collect the header files included by the umbrella header or any of its nested includes. If any front end options are needed for these compiler invocations, these can be included on the command line after the module map file argument.

Warning message have the form:

warning: module.modulemap does not account for file: Level3A.h

Note that for the case of the module map referencing a file that does not exist, the module map parser in Clang will (at the time of this writing) display an error message.

To limit the checks modularize does to just the module map coverage check, use the -coverage-check-only option.

For example:

modularize -coverage-check-only module.modulemap

Module Map Generation

If you specify the -module-map-path=<module map file>, modularize will output a module map based on the input header list. A module will be created for each header. Also, if the header in the header list is a partial path, a nested module hierarchy will be created in which a module will be created for each subdirectory component in the header path, with the header itself represented by the innermost module. If other headers use the same subdirectories, they will be enclosed in these same modules also.

For example, for the header list:

SomeTypes.h
SomeDecls.h
SubModule1/Header1.h
SubModule1/Header2.h
SubModule2/Header3.h
SubModule2/Header4.h
SubModule2.h

The following module map will be generated:

// Output/NoProblemsAssistant.txt
// Generated by: modularize -module-map-path=Output/NoProblemsAssistant.txt \
     -root-module=Root NoProblemsAssistant.modularize

module SomeTypes {
  header "SomeTypes.h"
  export *
}
module SomeDecls {
  header "SomeDecls.h"
  export *
}
module SubModule1 {
  module Header1 {
    header "SubModule1/Header1.h"
    export *
  }
  module Header2 {
    header "SubModule1/Header2.h"
    export *
  }
}
module SubModule2 {
  module Header3 {
    header "SubModule2/Header3.h"
    export *
  }
  module Header4 {
    header "SubModule2/Header4.h"
    export *
  }
  header "SubModule2.h"
  export *
}

An optional -root-module=<root-name> option can be used to cause a root module to be created which encloses all the modules.

An optional -problem-files-list=<problem-file-name> can be used to input a list of files to be excluded, perhaps as a temporary stop-gap measure until problem headers can be fixed.

For example, with the same header list from above:

// Output/NoProblemsAssistant.txt
// Generated by: modularize -module-map-path=Output/NoProblemsAssistant.txt \
     -root-module=Root NoProblemsAssistant.modularize

module Root {
  module SomeTypes {
    header "SomeTypes.h"
    export *
  }
  module SomeDecls {
    header "SomeDecls.h"
    export *
  }
  module SubModule1 {
    module Header1 {
      header "SubModule1/Header1.h"
      export *
    }
    module Header2 {
      header "SubModule1/Header2.h"
      export *
    }
  }
  module SubModule2 {
    module Header3 {
      header "SubModule2/Header3.h"
      export *
    }
    module Header4 {
      header "SubModule2/Header4.h"
      export *
    }
    header "SubModule2.h"
    export *
  }
}

Note that headers with dependents will be ignored with a warning, as the Clang module mechanism doesn't support headers that rely on other headers being included first.

The module map format defines some keywords which can't be used in module names. If a header has one of these names, an underscore ('_') will be prepended to the name. For example, if the header name is header.h, because header is a keyword, the module name will be _header. For a list of the module map keywords, please see: Lexical structure

PP-Trace User's Manual

pp-trace is a standalone tool that traces preprocessor activity. It's also used as a test of Clang's PPCallbacks interface. It runs a given source file through the Clang preprocessor, displaying selected information from callback functions overridden in a PPCallbacks derivation. The output is in a high-level YAML format, described in pp-trace Output Format.

pp-trace Usage

Command Line Format

pp-trace [<pp-trace-options>] <source-file> [-- <front-end-options>]

<pp-trace-options> is a place-holder for options specific to pp-trace, which are described below in Command Line Options.

<source-file> specifies the source file to run through the preprocessor.

<front-end-options> is a place-holder for regular Clang Compiler Options, which must follow the <source-file>.

Command Line Options

-callbacks <comma-separated-globs>

This option specifies a comma-separated list of globs describing the list of callbacks that should be traced. Globs are processed in order of appearance. Positive globs add matched callbacks to the set, negative globs (those with the '-' prefix) remove callacks from the set.

  • FileChanged
  • FileSkipped
  • InclusionDirective
  • moduleImport
  • EndOfMainFile
  • Ident
  • PragmaDirective
  • PragmaComment
  • PragmaDetectMismatch
  • PragmaDebug
  • PragmaMessage
  • PragmaDiagnosticPush
  • PragmaDiagnosticPop
  • PragmaDiagnostic
  • PragmaOpenCLExtension
  • PragmaWarning
  • PragmaWarningPush
  • PragmaWarningPop
  • MacroExpands
  • MacroDefined
  • MacroUndefined
  • Defined
  • SourceRangeSkipped
  • If
  • Elif
  • Ifdef
  • Ifndef
  • Else
  • Endif
-output <output-file>

By default, pp-trace outputs the trace information to stdout. Use this option to output the trace information to a file.

pp-trace Output Format

The pp-trace output is formatted as YAML. See https://yaml.org/ for general YAML information. It's arranged as a sequence of information about the callback call, including the callback name and argument information, for example::

---
- Callback: Name
  Argument1: Value1
  Argument2: Value2
(etc.)
...

With real data::

---
- Callback: FileChanged
  Loc: "c:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-include.cpp:1:1"
  Reason: EnterFile
  FileType: C_User
  PrevFID: (invalid)
  (etc.)
- Callback: FileChanged
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-include.cpp:5:1"
  Reason: ExitFile
  FileType: C_User
  PrevFID: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/Input/Level1B.h"
- Callback: EndOfMainFile
...

In all but one case (MacroDirective) the "Argument" scalars have the same name as the argument in the corresponding PPCallbacks callback function.

Callback Details

The following sections describe the purpose and output format for each callback.

Click on the callback name in the section heading to see the Doxygen documentation for the callback.

The argument descriptions table describes the callback argument information displayed.

The Argument Name field in most (but not all) cases is the same name as the callback function parameter.

The Argument Value Syntax field describes the values that will be displayed for the argument value. It uses an ad hoc representation that mixes literal and symbolic representations. Enumeration member symbols are shown as the actual enum member in a (member1|member2|...) form. A name in parentheses can either represent a place holder for the described value, or confusingly, it might be a literal, such as (null), for a null pointer. Locations are shown as quoted only to avoid confusing the documentation generator.

The Clang C++ Type field is the type from the callback function declaration.

The description describes the argument or what is displayed for it.

Note that in some cases, such as when a structure pointer is an argument value, only some key member or members are shown to represent the value, instead of trying to display all members of the structure.

FileChanged Callback

FileChanged is called when the preprocessor enters or exits a file, both the top level file being compiled, as well as any #include directives. It will also be called as a result of a system header pragma or in internal renaming of a file.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
Reason(EnterFile|ExitFile|SystemHeaderPragma|RenameFile)PPCallbacks::FileChangeReasonReason for change.
FileType(C_User|C_System|C_ExternCSystem)SrcMgr::CharacteristicKindInclude type.
PrevFID((file)|(invalid))FileIDPrevious file, if any.

Example::

- Callback: FileChanged
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-include.cpp:1:1"
  Reason: EnterFile
  FileType: C_User
  PrevFID: (invalid)

FileSkipped Callback

FileSkipped is called when a source file is skipped as the result of header guard optimization.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
ParentFile("(file)" or (null))const FileEntryThe file that #included the skipped file.
FilenameTok(token)const TokenThe token in ParentFile that indicates the skipped file.
FileType(C_User|C_System|C_ExternCSystem)SrcMgr::CharacteristicKindThe file type.

Example::

- Callback: FileSkipped
  ParentFile: "/path/filename.h"
  FilenameTok: "filename.h"
  FileType: C_User

InclusionDirective Callback

InclusionDirective is called when an inclusion directive of any kind (#include</code>, #import</code>, etc.) has been processed, regardless of whether the inclusion will actually result in an inclusion.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
HashLoc"(file):(line):(col)"SourceLocationThe location of the '#' that starts the inclusion directive.
IncludeTok(token)const TokenThe token that indicates the kind of inclusion directive, e.g., 'include' or 'import'.
FileName"(file)"StringRefThe name of the file being included, as written in the source code.
IsAngled(true|false)boolWhether the file name was enclosed in angle brackets; otherwise, it was enclosed in quotes.
FilenameRange"(file)"CharSourceRangeThe character range of the quotes or angle brackets for the written file name.
File"(file)"const FileEntryThe actual file that may be included by this inclusion directive.
SearchPath"(path)"StringRefContains the search path which was used to find the file in the file system.
RelativePath"(path)"StringRefThe path relative to SearchPath, at which the include file was found.
Imported((module name)|(null))const ModuleThe module, whenever an inclusion directive was automatically turned into a module import or null otherwise.

Example::

- Callback: InclusionDirective
  HashLoc: "D:/Clang/llvmnewmod/clang-tools-extra/test/pp-trace/pp-trace-include.cpp:4:1"
  IncludeTok: include
  FileName: "Input/Level1B.h"
  IsAngled: false
  FilenameRange: "Input/Level1B.h"
  File: "D:/Clang/llvmnewmod/clang-tools-extra/test/pp-trace/Input/Level1B.h"
  SearchPath: "D:/Clang/llvmnewmod/clang-tools-extra/test/pp-trace"
  RelativePath: "Input/Level1B.h"
  Imported: (null)

moduleImport Callback

moduleImport is called when there was an explicit module-import syntax.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
ImportLoc"(file):(line):(col)"SourceLocationThe location of import directive token.
Path"(path)"ModuleIdPathThe identifiers (and their locations) of the module "path".
Imported((module name)|(null))const ModuleThe imported module; can be null if importing failed.

Example::

- Callback: moduleImport
  ImportLoc: "d:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-modules.cpp:4:2"
  Path: [{Name: Level1B, Loc: "d:/Clang/llvmnewmod/clang-tools-extra/test/pp-trace/pp-trace-modules.cpp:4:9"}, {Name: Level2B, Loc: "d:/Clang/llvmnewmod/clang-tools-extra/test/pp-trace/pp-trace-modules.cpp:4:17"}]
  Imported: Level2B

EndOfMainFile Callback

EndOfMainFile is called when the end of the main file is reached.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
(no arguments)

Example::

- Callback: EndOfMainFile

Ident Callback

Ident is called when a #ident or #sccs directive is read.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
str(name)const std::stringThe text of the directive.

Example::

- Callback: Ident
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-ident.cpp:3:1"
  str: "$Id$"

PragmaDirective Callback

PragmaDirective is called when start reading any pragma directive.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
Introducer(PIK_HashPragma|PIK__Pragma|PIK___pragma)PragmaIntroducerKindThe type of the pragma directive.

Example::

- Callback: PragmaDirective
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:1"
  Introducer: PIK_HashPragma

PragmaComment Callback

PragmaComment is called when a #pragma comment directive is read.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
Kind((name)|(null))const IdentifierInfoThe comment kind symbol.
Str(message directive)const std::stringThe comment message directive.

Example::

- Callback: PragmaComment
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:1"
  Kind: library
  Str: kernel32.lib

PragmaDetectMismatch Callback

PragmaDetectMismatch is called when a #pragma detect_mismatch directive is read.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
Name"(name)"const std::stringThe name.
Value(string)const std::stringThe value.

Example::

- Callback: PragmaDetectMismatch
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:1"
  Name: name
  Value: value

PragmaDebug Callback

PragmaDebug is called when a #pragma clang __debug directive is read.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
DebugType(string)StringRefIndicates type of debug message.

Example::

- Callback: PragmaDebug
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:1"
  DebugType: warning

PragmaMessage Callback

PragmaMessage is called when a #pragma message directive is read.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
Namespace(name)StringRefThe namespace of the message directive.
Kind(PMK_Message|PMK_Warning|PMK_Error)PPCallbacks::PragmaMessageKindThe type of the message directive.
Str(string)StringRefThe text of the message directive.

Example::

- Callback: PragmaMessage
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:1"
  Namespace: "GCC"
  Kind: PMK_Message
  Str: The message text.

PragmaDiagnosticPush Callback

PragmaDiagnosticPush is called when a #pragma gcc diagnostic push directive is read.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
Namespace(name)StringRefNamespace name.

Example::

- Callback: PragmaDiagnosticPush
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:1"
  Namespace: "GCC"

PragmaDiagnosticPop Callback

PragmaDiagnosticPop is called when a #pragma gcc diagnostic pop directive is read.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
Namespace(name)StringRefNamespace name.

Example::

- Callback: PragmaDiagnosticPop
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:1"
  Namespace: "GCC"

PragmaDiagnostic Callback

PragmaDiagnostic is called when a #pragma gcc diagnostic directive is read.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
Namespace(name)StringRefNamespace name.
mapping(0|MAP_IGNORE|MAP_WARNING|MAP_ERROR|MAP_FATAL)diag::SeverityMapping type.
Str(string)StringRefWarning/error name.

Example::

- Callback: PragmaDiagnostic
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:1"
  Namespace: "GCC"
  mapping: MAP_WARNING
  Str: WarningName

PragmaOpenCLExtension Callback

PragmaOpenCLExtension is called when OpenCL extension is either disabled or enabled with a pragma.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
NameLoc"(file):(line):(col)"SourceLocationThe location of the name.
Name(name)const IdentifierInfoName symbol.
StateLoc"(file):(line):(col)"SourceLocationThe location of the state.
State(1|0)unsignedEnabled/disabled state.

Example::

- Callback: PragmaOpenCLExtension
  NameLoc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:10"
  Name: Name
  StateLoc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:18"
  State: 1

PragmaWarning Callback

PragmaWarning is called when a #pragma warning directive is read.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
WarningSpec(string)StringRefThe warning specifier.
Ids[(number)[, ...]]ArrayRef<int>The warning numbers.

Example::

- Callback: PragmaWarning
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:1"
  WarningSpec: disable
  Ids: 1,2,3

PragmaWarningPush Callback

PragmaWarningPush is called when a #pragma warning(push) directive is read.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
Level(number)intWarning level.

Example::

- Callback: PragmaWarningPush
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:1"
  Level: 1

PragmaWarningPop Callback

PragmaWarningPop is called when a #pragma warning(pop) directive is read.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.

Example::

- Callback: PragmaWarningPop
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-pragma.cpp:3:1"

MacroExpands Callback

MacroExpands is called when ::HandleMacroExpandedIdentifier when a macro invocation is found.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
MacroNameTok(token)const TokenThe macro name token.
MacroDirective(MD_Define|MD_Undefine|MD_Visibility)const MacroDirectiveThe kind of macro directive from the MacroDirective structure.
Range["(file):(line):(col)", "(file):(line):(col)"]SourceRangeThe source range for the expansion.
Args[(name)|(number)|<(token name)>[, ...]]const MacroArgsThe argument tokens. Names and numbers are literal, everything else is of the form '<' tokenName '>'.

Example::

- Callback: MacroExpands
  MacroNameTok: X_IMPL
  MacroDirective: MD_Define
  Range: [(nonfile), (nonfile)]
  Args: [a <plus> y, b]

MacroDefined Callback

MacroDefined is called when a macro definition is seen.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
MacroNameTok(token)const TokenThe macro name token.
MacroDirective(MD_Define|MD_Undefine|MD_Visibility)const MacroDirectiveThe kind of macro directive from the MacroDirective structure.

Example::

- Callback: MacroDefined
  MacroNameTok: X_IMPL
  MacroDirective: MD_Define

MacroUndefined Callback

MacroUndefined is called when a macro #undef is seen.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
MacroNameTok(token)const TokenThe macro name token.
MacroDirective(MD_Define|MD_Undefine|MD_Visibility)const MacroDirectiveThe kind of macro directive from the MacroDirective structure.

Example::

- Callback: MacroUndefined
  MacroNameTok: X_IMPL
  MacroDirective: MD_Define

Defined Callback

Defined is called when the 'defined' operator is seen.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
MacroNameTok(token)const TokenThe macro name token.
MacroDirective(MD_Define|MD_Undefine|MD_Visibility)const MacroDirectiveThe kind of macro directive from the MacroDirective structure.
Range["(file):(line):(col)", "(file):(line):(col)"]SourceRangeThe source range for the directive.

Example::

- Callback: Defined
  MacroNameTok: MACRO
  MacroDirective: (null)
  Range: ["D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:8:5", "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:8:19"]

SourceRangeSkipped Callback

SourceRangeSkipped is called when a source range is skipped.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Range["(file):(line):(col)", "(file):(line):(col)"]SourceRangeThe source range skipped.

Example::

- Callback: SourceRangeSkipped
  Range: [":/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:8:2", ":/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:9:2"]

If Callback

If is called when an #if is seen.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
ConditionRange["(file):(line):(col)", "(file):(line):(col)"]SourceRangeThe source range for the condition.
ConditionValue(true|false)boolThe condition value.

Example::

- Callback: If
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:8:2"
  ConditionRange: ["D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:8:4", "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:9:1"]
  ConditionValue: false

Elif Callback

Elif is called when an #elif is seen.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
ConditionRange["(file):(line):(col)", "(file):(line):(col)"]SourceRangeThe source range for the condition.
ConditionValue(true|false)boolThe condition value.
IfLoc"(file):(line):(col)"SourceLocationThe location of the directive.

Example::

- Callback: Elif
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:10:2"
  ConditionRange: ["D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:10:4", "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:11:1"]
  ConditionValue: false
  IfLoc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:8:2"

Ifdef Callback

Ifdef is called when an #ifdef is seen.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
MacroNameTok(token)const TokenThe macro name token.
MacroDirective(MD_Define|MD_Undefine|MD_Visibility)const MacroDirectiveThe kind of macro directive from the MacroDirective structure.

Example::

- Callback: Ifdef
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-conditional.cpp:3:1"
  MacroNameTok: MACRO
  MacroDirective: MD_Define

Ifndef Callback

Ifndef is called when an #ifndef is seen.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the directive.
MacroNameTok(token)const TokenThe macro name token.
MacroDirective(MD_Define|MD_Undefine|MD_Visibility)const MacroDirectiveThe kind of macro directive from the MacroDirective structure.

Example::

- Callback: Ifndef
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-conditional.cpp:3:1"
  MacroNameTok: MACRO
  MacroDirective: MD_Define

Else Callback

Else is called when an #else is seen.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the else directive.
IfLoc"(file):(line):(col)"SourceLocationThe location of the if directive.

Example::

- Callback: Else
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:10:2"
  IfLoc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:8:2"

Endif Callback

Endif is called when an #endif is seen.

Argument descriptions:

Argument NameArgument Value SyntaxClang C++ TypeDescription
Loc"(file):(line):(col)"SourceLocationThe location of the endif directive.
IfLoc"(file):(line):(col)"SourceLocationThe location of the if directive.

Example::

- Callback: Endif
  Loc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:10:2"
  IfLoc: "D:/Clang/llvm/clang-tools-extra/test/pp-trace/pp-trace-macro.cpp:8:2"

Building pp-trace

To build from source:

  1. Read Getting Started with the LLVM System and Clang Tools Documentation for information on getting sources for LLVM, Clang, and Clang Extra Tools.
  2. Getting Started with the LLVM System and Building LLVM with CMake give directions for how to build. With sources all checked out into the right place the LLVM build will build Clang Extra Tools and their dependencies automatically.

    • If using CMake, you can also use the pp-trace target to build just the pp-trace tool and its dependencies.

Clang-Rename

Contents

  • Clang-Rename

    • Using Clang-Rename
    • Vim Integration
    • Emacs Integration

See also:

clang-rename is a C++ refactoring tool. Its purpose is to perform efficient renaming actions in large-scale projects such as renaming classes, functions, variables, arguments, namespaces etc.

The tool is in a very early development stage, so you might encounter bugs and crashes. Submitting reports with information about how to reproduce the issue to the LLVM bugtracker will definitely help the project. If you have any ideas or suggestions, you might want to put a feature request there.

Using Clang-Rename

clang-rename is a LibTooling-based tool, and it's easier to work with if you set up a compile command database for your project (for an example of how to do this see How To Setup Tooling For LLVM). You can also specify compilation options on the command line after --:

$ clang-rename -offset=42 -new-name=foo test.cpp -- -Imy_project/include -DMY_DEFINES ...

To get an offset of a symbol in a file run

$ grep -FUbo 'foo' file.cpp

The tool currently supports renaming actions inside a single translation unit only. It is planned to extend the tool's functionality to support multi-TU renaming actions in the future.

clang-rename also aims to be easily integrated into popular text editors, such as Vim and Emacs, and improve the workflow of users.

Although a command line interface exists, it is highly recommended to use the text editor interface instead for better experience.

You can also identify one or more symbols to be renamed by giving the fully qualified name:

$ clang-rename -qualified-name=foo -new-name=bar test.cpp

Renaming multiple symbols at once is supported, too. However, clang-rename doesn't accept both -offset and -qualified-name at the same time. So, you can either specify multiple -offset or -qualified-name.

$ clang-rename -offset=42 -new-name=bar1 -offset=150 -new-name=bar2 test.cpp

or

$ clang-rename -qualified-name=foo1 -new-name=bar1 -qualified-name=foo2 -new-name=bar2 test.cpp

Alternatively, {offset | qualified-name} / new-name pairs can be put into a YAML file:

---
- Offset:         42
  NewName:        bar1
- Offset:         150
  NewName:        bar2
...

or

---
- QualifiedName:  foo1
  NewName:        bar1
- QualifiedName:  foo2
  NewName:        bar2
...

That way you can avoid spelling out all the names as command line arguments:

$ clang-rename -input=test.yaml test.cpp

clang-rename offers the following options:

$ clang-rename --help
USAGE: clang-rename [subcommand] [options] <source0> [... <sourceN>]

OPTIONS:

Generic Options:

  -help                      - Display available options (-help-hidden for more)
  -help-list                 - Display list of available options (-help-list-hidden for more)
  -version                   - Display the version of this program

clang-rename common options:

  -export-fixes=<filename>   - YAML file to store suggested fixes in.
  -extra-arg=<string>        - Additional argument to append to the compiler command line
                               Can be used several times.
  -extra-arg-before=<string> - Additional argument to prepend to the compiler command line
                               Can be used several times.
  -force                     - Ignore nonexistent qualified names.
  -i                         - Overwrite edited <file>s.
  -input=<string>            - YAML file to load oldname-newname pairs from.
  -new-name=<string>         - The new name to change the symbol to.
  -offset=<uint>             - Locates the symbol by offset as opposed to <line>:<column>.
  -p <string>                - Build path
  -pl                        - Print the locations affected by renaming to stderr.
  -pn                        - Print the found symbol's name prior to renaming to stderr.
  -qualified-name=<string>   - The fully qualified name of the symbol.

Vim Integration

You can call clang-rename directly from Vim! To set up clang-rename integration for Vim see clang/tools/clang-rename/clang-rename.py.

Please note that you have to save all buffers, in which the replacement will happen before running the tool.

Once installed, you can point your cursor to symbols you want to rename, press <leader>cr and type new desired name. The <leader> key is a reference to a specific key defined by the mapleader variable and is bound to backslash by default.

Emacs Integration

You can also use clang-rename while using Emacs! To set up clang-rename integration for Emacs see clang-rename/tool/clang-rename.el.

Once installed, you can point your cursor to symbols you want to rename, press M-X, type clang-rename and new desired name.

Please note that you have to save all buffers, in which the replacement will happen before running the tool.

Clang-Doc

Contents

  • Clang-Doc

    • Use
    • Output
    • Configuration

      • Options

clang-doc is a tool for generating C and C++ documentation from source code and comments.

The tool is in a very early development stage, so you might encounter bugs and crashes. Submitting reports with information about how to reproduce the issue to the LLVM bug tracker will definitely help the project. If you have any ideas or suggestions, please to put a feature request there.

Use

clang-doc is a LibTooling-based tool, and so requires a compile command database for your project (for an example of how to do this see How To Setup Tooling For LLVM).

The tool will process a list of files by default:

$ clang-doc File1.cpp File2.cpp ... FileN.cpp

The tool can be also used with a compile commands database:

$ clang-doc --executor=all-TUs compile_commands.json

To select only a subset of files from the database, use the --filter flag:

$ clang-doc --executor=all-TUs --filter=File[0-9]+.cpp compile_commands.json

Output

clang-doc produces a directory of documentation. One file is produced for each namespace and record in the project source code, containing all documentation (including contained functions, methods, and enums) for that item.

The top-level directory is configurable through the output flag:

$ clang-doc --output=output/directory/ compile_commands.json

Configuration

Configuration for clang-doc is currently limited to command-line options. In the future, it may develop the ability to use a configuration file, but no such efforts are currently in progress.

Options

clang-doc offers the following options:

$ clang-doc --help
OVERVIEW: Generates documentation from source code and comments.

Example usage for files without flags (default):

  $ clang-doc File1.cpp File2.cpp ... FileN.cpp

Example usage for a project using a compile commands database:

  $ clang-doc --executor=all-TUs compile_commands.json

USAGE: clang-doc [options] <source0> [... <sourceN>]

OPTIONS:

Generic Options:

  -help                      - Display available options (-help-hidden for more)
  -help-list                 - Display list of available options (-help-list-hidden for more)
  -version                   - Display the version of this program

clang-doc options:

  --doxygen                   - Use only doxygen-style comments to generate docs.
  --extra-arg=<string>        - Additional argument to append to the compiler command line
                                Can be used several times.
  --extra-arg-before=<string> - Additional argument to prepend to the compiler command line
                                Can be used several times.
  --format=<value>            - Format for outputted docs.
    =yaml                     -   Documentation in YAML format.
    =md                       -   Documentation in MD format.
    =html                     -   Documentation in HTML format.
  --ignore-map-errors         - Continue if files are not mapped correctly.
  --output=<string>           - Directory for outputting generated files.
  -p <string>                 - Build path
  --project-name=<string>     - Name of project.
  --public                    - Document only public declarations.
  --repository=<string>       -
                                URL of repository that hosts code.
                                Used for links to definition locations.
  --source-root=<string>      -
                                Directory where processed files are stored.
                                Links to definition locations will only be
                                generated if the file is in this dir.
  --stylesheets=<string>      - CSS stylesheets to extend the default styles.

The following flags should only be used if format is set to html: - repository - source-root - stylesheets

The Doxygen documentation describes the internal software that makes up the tools of clang-tools-extra, not the external use of these tools. The Doxygen documentation contains no instructions about how to use the tools, only the APIs that make up the software. For usage instructions, please see the user's guide or reference manual for each tool.

  • Doxygen documentation
NOTE:

This documentation is generated directly from the source code with doxygen. Since the tools of clang-tools-extra are constantly under active development, what you're about to read is out of date!

  • Index
  • Search Page

Author

The Clang Team

Info

Nov 26, 2024 19 Extra Clang Tools