SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
C

C static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C code

  • All rules 315
  • Vulnerability13
  • Bug76
  • Security Hotspot19
  • Code Smell207

  • Quick Fix 19
Filtered: 6 rules found
multi-threading
    Impact
      Clean code attribute
        1. "pthread_mutex_t" should be unlocked in the reverse order they were locked

           Bug
        2. "pthread_mutex_t" should be properly initialized and destroyed

           Bug
        3. "pthread_mutex_t" should not be locked when already locked, or unlocked when already unlocked

           Bug
        4. Blocking functions should not be called inside critical sections

           Code Smell
        5. Local variables and member data should not be volatile

           Code Smell
        6. Non-reentrant POSIX functions should be replaced with their reentrant versions

           Code Smell

        Non-reentrant POSIX functions should be replaced with their reentrant versions

        consistency - conventional
        maintainability
        Code Smell
        • multi-threading

        Why is this an issue?

        More Info

        A function is called reentrant if it can be interrupted in the middle of its execution and then safely called again ("re-entered") before its previous invocations complete execution.

        It is especially important that multi-threaded applications do not call the same non-reentrant function from different threads.

        This rule will trigger an issue each time a function in the configurable list is invoked.

        A call will be matched differently depending on the presence of the scope resolution operator :: in the function name from the configurable list.

        For example, namespace a { namespace b { void f(); } } can be matched with "f", "b::f", "a::b::f", "::a::b::f" (fully qualified name yielding most precise results).

        It is recommended to provide fully qualified names to the configurable list (i.e., start each name with ::), even for the functions in the global namespace.

        Noncompliant code example

        Given a function that includes localtime:

        #include <stdio.h>
        #include <time.h>
        
        void print_date_and_time(struct tm *time_ptr)
        {
          printf(
            "Current date and time: %d/%02d/%02d %02d:%02d:%02d\n",
            time_ptr->tm_year + 1900,
            time_ptr->tm_mon,
            time_ptr->tm_mday,
            time_ptr->tm_hour,
            time_ptr->tm_min,
            time_ptr->tm_sec);
        }
        
        void print_unix_epoch_date_and_time()
        {
          time_t unix_epoch_time = (time_t)0;
          struct tm *local_time_ptr = localtime(&unix_epoch_time); // Noncompliant, call to the non-reentrant localtime() function
          print_date_and_time(local_time_ptr);
        }
        
        int main(int argc, char* argv[])
        {
          time_t current_time;
          struct tm *local_time_ptr;
        
          time(&current_time);
        
          local_time_ptr = localtime(&current_time); // Noncompliant, call to the non-reentrant localtime() function
        
          // As expected, this will print: Current date and time: 1970/00/01 01:00:00
          print_unix_epoch_date_and_time();
        
          // This will actually also print Current date and time: 1970/00/01 01:00:00
          // Indeed, localtime() is non-reentrant, and always returns the same pointer
          print_date_and_time(local_time_ptr);
        
          return 0;
        }
        

        Compliant solution

        #include <stdio.h>
        #include <time.h>
        
        void print_date_and_time(struct tm *time_ptr)
        {
          printf(
            "Current date and time: %d/%02d/%02d %02d:%02d:%02d\n",
            time_ptr->tm_year + 1900,
            time_ptr->tm_mon,
            time_ptr->tm_mday,
            time_ptr->tm_hour,
            time_ptr->tm_min,
            time_ptr->tm_sec);
        }
        
        void print_unix_epoch_date_and_time()
        {
          time_t unix_epoch_time = (time_t)0;
          struct tm local_time;
          localtime_r(&unix_epoch_time, &local_time); // Compliant
          print_date_and_time(&local_time);
        }
        
        int main(int argc, char* argv[])
        {
          time_t current_time;
          struct tm local_time;
        
          time(&current_time);
        
          localtime_r(&current_time, &local_time); // Compliant
        
          // As expected, this will print: Current date and time: 1970/00/01 01:00:00
          print_unix_epoch_date_and_time();
        
          // As expected, this will print the current date and time
          print_date_and_time(&local_time);
        
          return 0;
        }
        
          Available In:
        • SonarQube IdeCatch issues on the fly,
          in your IDE
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.1

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use