Static Code Analysis and Cppcheck

Post on 17-Dec-2014


A brief introduction to Cppcheck, a static code analysis tool for C++ source code.

Transcript of Static Code Analysis and Cppcheck

Static Code Analysis

Survey of Tools

Cppcheck

Goal: Provide confidence that code is correct just by looking at it (without building or executing it).

Helps us find easy bugs buried in thousands of lines of code (not something people are great at).

Formal Methods:

◦ Mathematical!

◦ Require a mathematical model and assertions!

◦ Often require modeling the system as a finite state machine and verifying each state and transition.

◦ Too difficult! Static analysis is supposed to save time.

Code Metrics:

• Identify areas where bugs are likely.

• Based on measures of code complexity rooted in graph theory (e.g. Cyclomatic complexity).

• Good, but doesn’t directly identify defects.

Reviews and Inspection:

• Just look at the code and try to find suspicious patterns.

• Basically what we do when performing code reviews.

• Works pretty well!

Survey of Tools

Three Popular Commercial Tools:

◦ PC-Lint

◦ Klocwork Insight

◦ Coverity Prevent

One Free Software Tool:

◦ Cppcheck

PC-Lint

◦ Commercial

◦ Works for C code

◦ Often reports many false positives.

◦ Probably the cheapest after Cppcheck (which is free)

Klocwork Insight

◦ Commercial

◦ A spin-out of Nortel Networks

◦ Also includes project management and project visualization capabilities.

Coverity Prevent

◦ Commercial

◦ Identified over 6000 bugs across 53 open-source projects.

◦ Developed from research at Stanford University.

Cppcheck

◦ Open source

◦ Under active development.

◦ Has found > 400 bugs in open-source projects.

◦ Free!

Cppcheck

Detects bugs in C and C++ source that compilers normally do not warn about!

Cross-platform (Windows, Linux, etc.)

Fancy Qt-based GUI client!

◦ Also available in a command-line version

Usable via plugins from various IDEs (but not VS):

◦ Eclipse

◦ Code::Blocks

◦ Hudson, Jenkins

Packages maintained for FreeBSD, Debian and Ubuntu systems (sudo apt-get install cppcheck)

Used to find bugs in many open-source projects:

◦ Linux Kernel: > 40 bugs found+fixed

◦ VLC Player: > 20 bugs found+fixed

◦ Others: 7-zip, curl, git, etc.

Bounds checking for array overruns

Memory and resource leaks

Unused private class functions

Use of deprecated functions

Wrong # of arguments given to printf or scanf

Switch cases that fall through suspiciously

Dozens of others…

[Slide: a short sample program (code not in the transcript) annotated with Cppcheck's findings: possible buffer overrun; should be “delete[] buf”; memory leak: buf; resource leak: file; buffer overrun; suspicious format specifier for a pointer to a C string (but not necessarily a bug). Cppcheck finds many of the issues with that code (but not all).]
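An added example, not from the slides: a small C++ function carrying the defect classes the annotated slide names (buffer overrun, delete instead of delete[], memory and resource leaks) beside a hardened version; the file name and sample contents are constructed for the demo.

```cpp
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Buggy version, written to carry the defect classes the slides call out.
// It is never called here; each comment is the kind of message Cppcheck reports.
int count_lines_buggy(const char* path) {
    char name[16];
    std::strcpy(name, path);            // possible buffer overrun: path may exceed 15 chars
    FILE* file = std::fopen(name, "r");
    if (!file) return -1;
    char* line = new char[256];
    int n = 0;
    while (std::fgets(line, 256, file)) ++n;
    if (n == 0) return 0;               // memory leak: line; resource leak: file
    delete line;                        // should be "delete[] line"
    return n;                           // resource leak: file (never fclosed)
}

// Hardened version: RAII owns both the FILE* and the buffer, so every exit path
// releases them, and there is no fixed-size copy of the path at all.
using FilePtr = std::unique_ptr<FILE, int (*)(FILE*)>;

int count_lines(const std::string& path) {
    FilePtr file(std::fopen(path.c_str(), "r"), &std::fclose);
    if (!file) return -1;
    std::vector<char> line(256);
    int n = 0;
    while (std::fgets(line.data(), static_cast<int>(line.size()), file.get())) ++n;
    return n;
}

// Writes a constructed three-line sample file, counts its lines, and cleans up.
int demo_line_count() {
    const char* path = "cppcheck_demo_sample.txt";   // constructed sample, removed below
    {
        FilePtr out(std::fopen(path, "w"), &std::fclose);
        if (!out) return -1;
        std::fputs("first\nsecond\nthird\n", out.get());
    }
    int n = count_lines(path);
    std::remove(path);
    return n;
}
```

Feed the buggy function to `cppcheck --enable=all` to see messages of the kinds the slide lists.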


Pipeline (slide diagram): Source File → Preprocessor → Tokenizer → Simplifier → Checks → Results → Happy Developer

Tokenizer and Simplifier

Input:

void foo(char* str) { if (str == 0) printf(str); else printf("Whoa"); }

Output:

void foo ( char * str ) { if ( ! str ) { printf ( str ) ; } else { printf ( "Whoa" ) ; } }

Indentation, spacing, NULL-checks and braces are normalized to simplify checks!

Checks and Results

Each check iterates over the tokens, and reports if it finds a suspicious pattern!

Checks implemented as C functions or XML documents that describe the pattern to look for.

Results categorized as error, warning, style, performance, portability, or informative.
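A toy version of the tokenizer, simplifier and check pipeline described above, added here as an example and not Cppcheck's own code: it tokenizes the slide's sample, rewrites the `== 0` test the way the simplifier slide shows, and runs one token-walking check for the null-test-then-dereference pattern in `if (str == 0) printf(str)`. Token handling is deliberately minimal.

```cpp
#include <cctype>
#include <string>
#include <vector>

using Tokens = std::vector<std::string>;
static bool ident(unsigned char c) { return std::isalnum(c) || c == '_'; }

// Tokenizer: split source into identifiers, numbers, string literals and
// punctuation, dropping whitespace (a toy version of Cppcheck's first stage).
Tokens tokenize(const std::string& src) {
    Tokens out;
    for (size_t i = 0; i < src.size();) {
        unsigned char c = src[i];
        if (std::isspace(c)) { ++i; continue; }
        size_t j = i + 1;
        if (ident(c)) { while (j < src.size() && ident(src[j])) ++j; }            // identifier / number
        else if (c == '"') { while (j < src.size() && src[j] != '"') ++j; ++j; }  // string literal
        else if ((c == '=' || c == '!') && j < src.size() && src[j] == '=') ++j;  // == and !=
        out.push_back(src.substr(i, j - i));
        i = j;
    }
    return out;
}

// Simplifier: rewrite "X == 0" as "! X", one of the normalizations the slide shows.
Tokens simplify(Tokens t) {
    for (size_t i = 0; i + 2 < t.size(); ++i)
        if (t[i + 1] == "==" && t[i + 2] == "0") {
            t[i + 1] = t[i]; t[i] = "!"; t.erase(t.begin() + i + 2);
        }
    return t;
}

// Check: "if ( ! p )" whose guarded statement then uses p is a dereference of a
// pointer just tested for null; it walks the token list as the slide describes.
std::vector<std::string> checkNullDeref(const Tokens& t) {
    std::vector<std::string> hits;
    for (size_t i = 0; i + 4 < t.size(); ++i) {
        if (t[i] != "if" || t[i + 1] != "(" || t[i + 2] != "!" || t[i + 4] != ")") continue;
        const std::string& p = t[i + 3];
        for (size_t k = i + 5; k < t.size() && t[k] != ";" && t[k] != "else"; ++k)
            if (t[k] == p) { hits.push_back("null pointer dereference: " + p); break; }
    }
    return hits;
}

std::vector<std::string> analyze(const std::string& src) {
    return checkNullDeref(simplify(tokenize(src)));
}
```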

Cppcheck is a free tool for finding bugs in C++ source code.

It works by parsing the source code, splitting it into tokens and finding suspicious patterns in the tokens.

Official project page:

◦ http://cppcheck.sourceforge.net/

Official source repository:

◦ https://github.com/danmar/cppcheck