Available Checks

The list of the checks the analyzer performs by default

core.AdjustedReturnValueCheck to see if the return value of a function call is different than the caller expects (e.g., from calls through function pointers).
core.CallAndMessageCheck for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers).
core.DivideZeroCheck for division by zero.
core.NonNullParamCheckerCheck for null pointers passed as arguments to a function whose arguments are known to be non-null.
core.NullDereferenceCheck for dereferences of null pointers.
core.StackAddressEscapeCheck that addresses to stack memory do not escape the function.
core.UndefinedBinaryOperatorResultCheck for undefined results of binary operators.
core.VLASizeCheck for declarations of VLA of undefined or zero size.
core.builtin.BuiltinFunctionsEvaluate compiler builtin functions (e.g., alloca()).
core.builtin.NoReturnFunctionsEvaluate "panic" functions that are known to not return to the caller.
core.uninitialized.ArraySubscriptCheck for uninitialized values used as array subscripts.
core.uninitialized.AssignCheck for assigning uninitialized values.
core.uninitialized.BranchCheck for uninitialized values used as branch conditions.
core.uninitialized.CapturedBlockVariableCheck for blocks that capture uninitialized values.
core.uninitialized.UndefReturnCheck for uninitialized values being returned to the caller.
cplusplus.NewDeleteCheck for double-free and use-after-free problems involving C++ delete.
deadcode.DeadStoresCheck for values stored to variables that are never read afterwards.
osx.APICheck for proper uses of various Apple APIs.
osx.SecKeychainAPICheck for proper uses of Secure Keychain APIs.
osx.cocoa.AtSyncCheck for nil pointers used as mutexes for @synchronized.
osx.cocoa.ClassReleaseCheck for sending 'retain', 'release', or 'autorelease' directly to a Class.
osx.cocoa.IncompatibleMethodTypesWarn about Objective-C method signatures with type incompatibilities.
osx.cocoa.NSAutoreleasePoolWarn for suboptimal uses of NSAutoreleasePool in Objective-C GC mode.
osx.cocoa.NSErrorCheck usage of NSError** parameters.
osx.cocoa.NilArgCheck for prohibited nil arguments to ObjC method calls.
osx.cocoa.RetainCountCheck for leaks and improper reference count management.
osx.cocoa.SelfInitCheck that 'self' is properly initialized inside an initializer method.
osx.cocoa.UnusedIvarsWarn about private ivars that are never used.
osx.cocoa.VariadicMethodTypesCheck for passing non-Objective-C types to variadic methods that expect only Objective-C types.
osx.coreFoundation.CFErrorCheck usage of CFErrorRef* parameters.
osx.coreFoundation.CFNumberCheck for proper uses of CFNumberCreate.
osx.coreFoundation.CFRetainReleaseCheck for null arguments to CFRetain/CFRelease/CFMakeCollectable.
osx.coreFoundation.containers.OutOfBoundsChecks for index out-of-bounds when using 'CFArray' API.
osx.coreFoundation.containers.PointerSizedValuesWarns if 'CFArray', 'CFDictionary', 'CFSet' are created with non-pointer-size values.
security.FloatLoopCounterWarn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP).
security.insecureAPI.UncheckedReturnWarn on uses of functions whose return values must be always checked.
security.insecureAPI.getpwWarn on uses of the 'getpw' function.
security.insecureAPI.getsWarn on uses of the 'gets' function.
security.insecureAPI.mkstempWarn when 'mkstemp' is passed fewer than 6 X's in the format string.
security.insecureAPI.mktempWarn on uses of the 'mktemp' function.
security.insecureAPI.randWarn on uses of the 'rand', 'random', and related functions.
security.insecureAPI.strcpyWarn on uses of the 'strcpy' and 'strcat' functions.
security.insecureAPI.vforkWarn on uses of the 'vfork' function.
unix.APICheck calls to various UNIX/Posix functions.
unix.MallocCheck for memory leaks, double free, and use-after-free problems involving malloc.
unix.MallocSizeofCheck for dubious malloc arguments involving sizeof.
unix.MismatchedDeallocatorCheck for mismatched deallocators (e.g. passing a pointer allocating with new to free()).
unix.cstring.BadSizeArgCheck the size argument passed into C string functions for common erroneous patterns.
unix.cstring.NullArgCheck for null pointers being passed as arguments to C string functions.

In addition to these the analyzer contains numerous experimental (alpha) checkers.

Writeups with examples of some of the bugs that the analyzer finds