Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

C++ static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C++ code

Tags

Impact

Clean code attribute

Function-like macros should not be invoked without all of their arguments
Bug
The address of an automatic object should not be assigned to another object that may persist after the first object has ceased to exist
Bug
Macro arguments should not contain preprocessing directives
Bug
Variables should not be accessed outside of their scope
Bug
The result of "make_format_args" should be passed directly as an argument
Bug
Assigning to an optional should directly target the optional
Bug
Result of the standard remove algorithms should not be ignored
Bug
"std::scoped_lock" should be created with constructor arguments
Bug
Objects should not be sliced
Bug
Immediately dangling references and pointers should not be created
Bug
"pthread_mutex_t" should be unlocked in the reverse order they were locked
Bug
"pthread_mutex_t" should be properly initialized and destroyed
Bug
"pthread_mutex_t" should not be locked when already locked, or unlocked when already unlocked
Bug
"std::move" and "std::forward" should not be confused
Bug
A call to "wait()" on a "std::condition_variable" should have a condition
Bug
A pointer to a virtual base class shall only be cast to a pointer to a derived class by means of dynamic_cast
Bug
Functions with "noreturn" attribute should not return
Bug
RAII objects should not be temporary
Bug
"memcmp" should only be called with pointers to trivially copyable types with no padding
Bug
"memcpy", "memmove", and "memset" should only be called with pointers to trivially copyable types
Bug
"std::auto_ptr" should not be used
Bug
Destructors should be "noexcept"
Bug
Stack allocated memory and non-owned memory should not be freed
Bug
Closed resources should not be accessed
Bug
Dynamically allocated memory should be released
Bug
Freed memory should not be used
Bug
Memory locations should not be released more than once
Bug
Memory access should be explicitly bounded to prevent buffer overflows
Bug
Printf-style format strings should not lead to unexpected behavior at runtime
Bug
Recursion should not be infinite
Bug
Resources should be closed
Bug
Appropriate memory de-allocation should be used
Bug
Function exit paths should have appropriate return values
Bug
Coroutines should have well-defined exception behavior
Bug
Coroutine should have co_return on each execution path or provide return_void
Bug
"volatile" should not be used to qualify objects for which the meaning is not defined
Bug
"volatile" types should not be used in compound operations
Bug
Values returned from string find-related methods should not be treated as boolean
Bug
Relational and subtraction operators should not be used with pointers to different arrays
Bug
Arguments evaluation order should not be relied on
Bug
"reinterpret_cast" should be used carefully
Bug
Parameter values should be appropriate
Bug
Zero should not be a possible denominator
Bug
Line-splicing should not be used in "//" comments
Bug
Member variables should be initialized
Bug
Pointers should not be cast to integral types
Bug
"operator delete" should be written along with "operator new"
Bug
Destructors should not throw exceptions
Bug
Handlers of a function-try-block implementation of a class constructor or destructor shall not reference non-static members from this class or its bases
Bug
Empty throws ("throw;") should only be used in the compound statements of catch handlers
Bug
An exception object should not have pointer type
Bug
Lines starting with "#" should contain valid preprocessing directives
Bug
"#include" directives should be followed by either <filename> or "filename" sequences
Bug
Non-standard characters should not occur in header file names in "#include" directives
Bug
Non-empty statements should change control flow or have at least one side-effect
Bug
Unary minus should not be applied to an unsigned expression
Bug
Objects with integer type should not be converted to objects with pointer type
Bug
Variables should be initialized before use
Bug
String literals with different prefixes should not be concatenated
Bug
Only escape sequences defined in the ISO C standard should be used
Bug
"std::format" numeric types should be 0-padded using the numerical padding and not the character padding
Bug
Arguments corresponding to width and precision formatting options should be integers
Bug
Type-constraints should not be used for forwarding reference parameters
Bug
Perfect forwarding constructors should be constrained
Bug
Requires-expression should not contain unevaluated concept checks or type predicates
Bug
Well-defined type-punning method should be used instead of a union-based one
Bug
"std::cmp_*" functions should be used to compare unsigned values with negative values
Bug
"std::is_constant_evaluated" and "if consteval" should only be used when necessary
Bug
Heterogeneous sorted containers should only be used with types that support heterogeneous comparison
Bug
"#pragma pack" should be used correctly
Bug
Enums should be consistent with the bit fields they initialize
Bug
User-defined types should not be passed as variadic arguments
Bug
Class members should not be initialized with dangling references
Bug
Array values should not be replaced unconditionally
Bug
Integral operations should not overflow
Bug
"case" ranges should not be empty
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
"extern" shouldn't be used on member definitions
Bug
Declaration specifiers should not be redundant
Bug
Function declarations that look like variable declarations should not be used
Bug
"sizeof" should not be called on pointers
Bug
"const" references to numbers should not be made
Bug
Unary prefix operators should not be repeated
Bug
Non-existent operators like "=+" should not be used
Bug
Values of different "enum" types should not be compared
Bug
Conditionally executed code should be reachable
Bug
Null pointers should not be dereferenced
Bug
Single-bit named bit fields should not be of a signed type
Bug
Values should not be uselessly incremented
Bug
"sizeof(sizeof(...))" should not be used
Bug
Related "if/else if" statements should not have the same condition
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
All code should be reachable
Bug
Loops with at most one iteration should be refactored
Bug
The original exception object should be rethrown
Bug
Variables should not be self-assigned
Bug
Condition-specific "catch" handlers should not be used after the ellipsis (catch-all) handler
Bug
Handlers in a single try-catch or function-try-block for a derived class and some or all of its bases should be ordered most-derived-first
Bug
Exception classes should be caught by reference
Bug
"std::format" should not be missing indexes
Bug
The "sizeof" and "alignof" operator should not be used with operands of a "void" type
Bug
"nonnull" parameters and return values of "returns_nonnull" functions should not be null
Bug
"for" loop counters should not have essentially floating type
Bug
Line continuation characters '\' should not be followed by trailing whitespace
Bug
A function declared with the "[[noreturn]]" attribute shall not return
Bug
An "explicit type conversion" shall not be an "expression statement"
Bug
Reads and writes on the same file stream shall be separated by a positioning operation
Bug
A pointer to an incomplete class type shall not be deleted
Bug
The result of "std::remove", "std::remove_if", "std::unique" and "empty" shall be "used"
Bug
A comparison of a "potentially virtual" pointer to member function shall only be with "nullptr"
Bug
An exception of class type shall be caught by const reference or reference
Bug
Handlers for a "function-try-block" of a constructor or destructor shall not refer to non-static members from their class or its bases
Bug
A virtual base class shall only be cast to a derived class by means of "dynamic_cast"
Bug
Tokens that look like a preprocessing directive shall not occur within a macro argument
Bug
"abort", "exit", "getenv" and "system" from <stdlib.h> should not be used
Bug
"atof", "atoi" and "atol" from <stdlib.h> should not be used
Bug
"<signal.h>" should not be used
Bug
Dynamic heap memory allocation should not be used
Bug
An object shall not be accessed outside of its lifetime
Bug
Line-splicing shall not be used in "//" comments
Bug
A "noexcept" function should not attempt to propagate an exception to the calling function
Bug
An exception object shall not have pointer type
Bug
Macros used in preprocessor directives should be defined before use
Bug
Evaluation of the operand to the sizeof operator shall not contain side effects
Bug
Bitwise operators should not be applied to signed operands
Bug
Boolean operations should not have numeric operands, and vice versa
Bug
Pointer conversions should be restricted to a safe subset
Bug
Function pointers should not be converted to any other type
Bug
Results of ~ and << operations on operands of underlying types unsigned char and unsigned short should immediately be cast to the operand's underlying type
Bug
Each operand of the ! operator, the logical && or the logical || operators shall have type bool
Bug
When an array is declared, its size shall either be stated explicitly or defined implicitly by initialization
Bug
Floating point numbers should not be tested for equality
Bug
Multiple declarations for an identifier in the same namespace shall not straddle a using-declaration for that identifier
Bug
The "#include" directive shall be followed by either a "<filename>" or ""filename"" sequence
Bug
A named bit-field with "signed integer type" shall not have a length of one bit
Bug
The value of an object must not be read before it has been set
Bug
A line whose first token is "#" shall be a valid preprocessing directive
Bug
All identifiers used in the controlling expression of "#if" or "#elif" preprocessing directives shall be defined prior to evaluation
Bug
Accessible base classes should not be both "virtual" and non-virtual in the same hierarchy
Bug

Variables should not be accessed outside of their scope

intentionality - logical

reliability

Bug

BlockerSonarSource default severity
click to learn more

symbolic-execution

Accessing local objects outside of their scope (for example, via a pointer taken inside the scope) has undefined behavior. This rule flags such access for local variables and lifetime-extended temporaries.

Why is this an issue?

How can I fix it?

More Info

Local variables in C++ are attached to the scope and destroyed when the end of the scope is reached. Any access to a variable outside of their scope has undefined behavior.

Such access occurs, for example, when the address of a variable is stored in a pointer that is later dereferenced:

int func() {
  int* ptr = nullptr;
  {
    int i = 10;
    ptr = &i;
  } // variable i goes out of scope here
  *ptr = 10; // Noncompliant: writing to out-of-scope-variable
}

A similar defect can occur in code that does not have curly braces (also referred to as a compound statement), but contain control structures, like if or for that also introduce scope:

int exampleWithIf() {
  int* ptr;
  if (int i = 10)
    ptr = &i;
  else
    ptr = nullptr;
  // variable i declared in if condition statement goes out of scope here
  if (ptr)
    return *ptr; // Noncompliant: reading from out-of-scope variable
  return 0;
}
void exampleWithFor() {
  int* ptr = nullptr;
  for (int i = 0; i < 10; ++i)
    ptr = &i;
  // variable i defined in for init-statement goes out of scope here
  *ptr = 10; // Noncompliant
}

What is the potential impact?

Accessing a dangling reference or pointer causes undefined behavior. This means the compiler is not bound by the language standard anymore and your program has no meaning assigned to it.

Practically this has a wide range of effects. In many cases, the access works by accident and succeeds at writing or reading a value. However, it can start misbehaving at any time. If compilation flags, compiler, platform, or runtime environment change, the same code can crash the application, corrupt memory, or leak a secret.

Why is the issue raised for reference variables?

When a reference variable is directly initialized to a temporary object, such temporary is lifetime-extended by the variable, i.e., the temporary object is destroyed when the variable goes out of scope. Lifetime-extended temporaries have the same behavior as if they were declared as local variables and may lead to the same issues. For example:

Clazz create();
void refExtension(Clazz const arg) {
  Clazz const* aPtr;
  Clazz const* tPtr;
  {
    Clazz const& aRef = arg; // bounding reference to object arg
    Clazz const& tRef = create(); // temporary object is created here and bound to reference,
                                  // behaves as Clazz const tRef = create();
    aPtr = &aRef;  // points to arg
    tPtr = &tRef;  // point to a temporary object that is lifetime extended
  } // both aRef and tRef go out of scope here, because tRef was extending the lifetime of
    // temporary variable, the object is destroyed
  aPtr->foo(); // OK, a points to arg
  tPtr->foo(); // Noncompliant: the pointers point to a dangling temporary
}

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Developer
Edition

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy

In-IDE

SaaS

Self-Hosted