- All versions

• Bounds checking for arrays of arbitrary dimension
• Bounds checking for arrays within classes, structs and unions
• Arrays of unspecified size are no longer considered to have size 0
• Constant global variables are now modelled with a value that does not change
• The constant “-1U” and others will now be modelled with an appropriately large value instead of -1
• Check FPT-misuse no longer warns about function pointers that are the result of the ternary operator (?:)
• Check ITR-uninit now works correctly for iterators that are initialized using operator=
• Check RED-unused-param no longer warns for parameters that have the GNU attribute (unused)
• Checks RED-cond-const-assign and EXP-cond-assign no longer consider “+=” and similar operators to be constant assignments
• Non-system #include files are now included in the analysis of a file that includes them.

- Goanna Studio for Visual Studio

• preprocessor macros within parentheses are expanded
• macros in comments are not expanded

- Goanna Central

• Cygwin support for windows, use –compiler-sort=cygwin to create a cygwin configuration
• Other compiler sort added, use –compiler-sort=other for an empty configuration
• Remove the dependencies on the hard to manage predefined_macro.txt files
• Predefined macros are now stored in the Goanna resource files, which are generated during configuration

- Goanna Studio for Eclipse

• Completely re-organised configuration
  • Per project configuration
  • File based (under a goanna directory in the project file system)
  • User editable, or use the Goanna Project Properties dialogs. (two way synchronisation)
• Menu item “Run Goanna on Selected File(s)” now appears when right-clicking on folders, and will analyse all files found in the selected folder.
• Cygwin toolchain support on windows

- All versions

• stored filenames are now specified as relative paths, allowing the Goanna database to be used in multiple locations
• better support for Unicode source code
• the ARR-inv-index check now allows for unbounded subscripts

- Goanna Central

• license server options can be specified on the command line
• the language choice, C or C++, can be given on the command line

- Visual Studio

• clicking on a warning in a project summary navigates to the relevant code
• better support for Win64 targets
• partial compatibility with Intel Parallel Studio (on VS2005 and VS2008, Goanna does not work with projects converted to use the Intel C++ compiler)

As usual, feedback is welcome.

This is not an easy question to answer for any (automated) tool. While certain classes of bugs such as buffer overflows are likely more severe than, let’s say, unused function parameters it is not guaranteed that they have a larger impact. Sometimes a buffer overflow might only happen in a very unlikely scenario in some abandoned part of the code base, while the unused function parameter stems from a copy&paste mistake within the function leading to an always wrong and potentially dangerous result.  Similarly, it is difficult for any tool to tell, which parts of the code base are more important than others.

Having said that, we developed Goanna Studio and Goanna Central with openness in mind. This means all our detected issues can be easily exported and post-processed by the end user (you can even query our internal SQLite database if you really want to), filtered according to their needs and  ranked according to your system. Moreover, we provide a mapping of all issues to the common CWE criteria and we give you the following classification:

Goanna's Impact Guidance

This 2-dimensional  classification is used for all issues detected by Goanna (see user manuals):

Severity: How serious is this issue typically?
Certainty: How confident are we that this will likely happen?

Both dimensions are based on our experience from having analyzed literally hundreds of millions of lines of code. Severity is ranked similarly to the above example, where a buffer overflow is deemed to be serious. Certainty on the other hand addresses a number of sub-dimensions: How likely is this from our experience to happen in real-life? How certain is Goanna, i.e., does the analysis conclude the issue will appear on every program part or just on a few? How sensitive is the issue to input data etc.? The combined dimensions should give you a good idea where to spend your time first. And while we are looking into integrating a CWSS ranking, we believe that less is sometimes more.

As usual, all current users get the upgrade for free. If you were a trial user in the past and need a trial extension visit: http://redlizards.com/trial-extension.

Whats new in 2.4?

General improvements:

• We revamped the integer arithmetic interval analysis engine with a new algorithm which affords us increased speed and precision. So much speed that we have also added the ability to track pointer arithmetic as mentioned in the previous blog post.
• Our interval analysis engine can handle new operations: Casts, Logical operators and shift operators.
• We have enabled floating licenses in our Studio and Central products; please contact us if you are interested.

Goanna Central improvements:

• The argument –parse-error=0 is now a default, this will cause Goanna to exit with an exit code of 0 when a parse error is encountered. We have also revamped the way parse errors are handled.
• The interprocedural analysis in the Goanna Central command line is now even simpler to use and manage by conveniently specifying a user-defined folder with the argument –ipa=<project name>.  All new database files are then stored in ~/.goanna_project_store/<project name>.

Goanna Studio improvements:

• In Eclipse there is now an option to not run the tool chain compiler during analysis.
• In Eclipse there is a new menu item to jump to the currently selected projects Goanna Studio Properties page.

Renamed checks for consistency:

• ATH-div-0-aft-assign -> ATH-div-0-assign
• ATH-div-0-aft-cmp -> ATH-div-0-cmp-aft
• ATH-div-0-bef-cmp -> ATH-div-0-cmp-bef
• ATH-div-0-param-unchk -> ATH-div-0-unchk-param
• PTR-param-unchk -> PTR-unchk-param
• PTR-param-unchk-some -> PTR-unchk-param-some
• RED-const-assign-cond -> RED-cond-const-assign
• RED-const-expr-cond -> RED-cond-const-expr
• SPC-ret-stack -> MEM-stack
• builtin_ctor_dtor_leak -> COP-ctor-dtor-leak

New checks:

• ARR-inv-index-ptr - A pointer is assigned to an array, static or dynamic, and it is accessed with an index that is out of the array’s bounds.
• ARR-inv-index-ptr-pos - A pointer is assigned to an array, static or dynamic, and it is accessed with an index that may be out of the array’s bounds.
• ATH-overflow-cast - An expression is cast to a different type, resulting in an overflow or underflow of its value.
• ATH-shift-neg - The left-hand side of a right shift operation may be a negative value.
• COP-dtor-throw - An exception is thrown, or may be thrown, in a class’ destructor.
• CPU-delete-throw - An exception is thrown, or may be thrown, in an overloaded delete or delete[] operator.
• FPT-arith-address - Performing pointer arithmetic on the address of a function.
• FPT-literal - Dereferencing a function pointer that refers to a literal address.
• FPT-misuse - A function pointer is used in an invalid context.
• ITR-end-cmp-aft - An iterator is used, then compared with end().
• ITR-invalidated - An iterator is assigned to point into a container, but subsequent modifications to that container have possibly invalidated the iterator. The iterator is then used or dereferenced, which may be undefined behavior.
• ITR-mismatch-alg - A pair of iterators passed to an STL algorithm function point to different containers.
• ITR-store - A container’s begin() or end() iterator is stored and subsequently used.
• MEM-malloc-diff-type - A call to malloc tries to allocate memory based on a sizeof operator, but the target type of the call is of a different type.
• MEM-stack-ref - A stack object is returned from a function as a reference.
• PTR-arith-field - Direct access to a field of a struct using an offset from the address of the struct.
• PTR-arith-var - Invalid pointer arithmetic with an automatic variable that is neither an array nor a pointer.
• RED-cond-var-always - The value of the variable used as a condition will always evaluate to non-zero or true. This means the condition will always be met.
• RED-cond-var-never - The value of the variable used as a condition will always evaluate to zero or false. This means the condition will never be met.

For example:

int arr[15];

int example(int random){
  int *p = arr;
  p += 3;

  int offset = (random > 10 ? random : 10);
  return p[offset + 4];    //'p' points to 4th element, and index will be at least 14.
}

In this code sample, the pointer ‘p’ is used to alias the global, automatic array of ints, ‘arr’. This pointer is then increased by 3, making it point to the 4th element of the array.  An int, ‘offset’ , is set to be some unknown value, but we know it is at least 10. Finally, the pointer is accessed with index (offset + 4). Since the pointer already refers to the 4th element, and we are trying to access an at least 14 elements further along, Goanna will give the following warning:

8: warning: Goanna[ARR-inv-index-ptr] Array pointer `arr' is accessed with index [17,INF]
which is out of array bounds [0,14]

Similarly, we can perform the same analysis on dynamic arrays allocated with new or malloc. We also handle different syntactic forms of array access. The following example illustrates this, as well as our ability to warn for possible, as opposed to definite index violations, from a range of possible index values that may be out of bounds:

#include <malloc.h>
#include <assert.h>

int example2(int random){
  int *p = malloc(5 * sizeof(int));  //p is an array of size
  int offset = (random ? 7 : 3);
  return *(p + offset);    //'offset' will be either 7 or 3.
}

Here, ‘p’ points to a dynamic array of ints, with 5 elements. The ‘offset’ is set to be either 7 or 3. Accessing the index of value ‘offset’, by explicitly dereferencing the pointer, we know that the index may be within the bounds of the array, but it may be too large. Goanna will issue the following warning:

7: warning: Goanna[ARR-inv-index-ptr-pos] Array pointer `p' is accessed with index [3,7]
which may be out of array bounds [0,4]

Both these checks, along with some others we’ve been working on, will appear in the upcoming 2.4 release.

internal error: assertion failed: conv_host_fp_to_double:
error on conversion of DBL_MAX: Numerical result out of range:
((double)1.7...e+308L) (float_pt.c, line 524)

This bug was caused by us upgrading our release build infrastructure that defined DBL_MAX to a value that contained a cast, and our parser was not able to deal with this. We are releasing a patch that will correct this issue. Please download version 2.3.1 if you are using goanna on a 64-bit linux system. Windows and 32-bit linux systems are not affected.

As usual, all current users get the upgrade for free. If you were a trial user in the past and need a trial extension visit: http://redlizards.com/trial-extension

What is new in 2.3?

New Checks:

• ATH-div-0-param-unchk: Dividing by a parameter value without first checking that it is not zero
• MEM-stack-global-field: storing the address of a field of a local struct in a global variable
• ITR-uninit: using (dereferencing or incrementing) an iterator that hasn’t been initialized
• ITR-end-cmp-bef: using an iterator after it has been compared with end(). This can occur when using an iterator after it is used in a loop.

New Goanna Studio features:

• access check descriptions and examples through the IDE
• added ability to manage warnings by suppressing/unsuppressing
• added ability to pass specific options to the Goanna command line that is used during analysis.

Goanna Studio for Eclipse:

• New ability to right-click on a file/project and run the Goanna analysis over just that item
• Project specific settings have been moved to the Properties of the project (out of the Goanna Preferences)
• Right-click menu now includes a link to the Goanna summary page for projects
• If you close the Goanna Warning view it can be reopened from the Goanna menu
• Improved stability of the Goanna warnings pane (with regards to close/open of Eclipse)

Goanna Studio for Visual Studio:

• redesign of menu structure, Goanna is now a top-level menu
• auto updating: no more uninstall-install updating.
  Note: you cannot do this from version 2.2 -> 2.3. It will work from now on.

General:

• Improved handling of floating point numbers in the data tracking analysis
• Warning suppression captured in the database structure
• Several bug fixes including handling of very large ASTs.

Once you have an account on redlizards.com, you can try out Goanna via the online demo at http://redlizards.com/products/demo.html. Just log in, paste in your code in the text box and click the “Analyze” button. The results will show up on the Web page.

We’ve limited the amount of code you can analyze in the demo to 250 lines (so you still might want to download Goanna for serious work).