Forgot your password?
typodupeerror
Programming Technology

Static Code Analysis Tools? 87

Posted by Cliff
from the something-else-for-the-tool-box dept.
rewt66 asks: "We are looking for a good static analysis tool for a fairly large (half a million lines) C/C++ project. What tools do you recommend? What do you recommend avoiding? What experience (good or bad) have you had with such tools?"
This discussion has been archived. No new comments can be posted.

Static Code Analysis Tools?

Comments Filter:
  • Prodev Workshop (Score:4, Informative)

    by dwater (72834) on Friday March 30, 2007 @08:43AM (#18541889)
    I found the static analyser in SGI's Prodev Workshop to be quite excellent, though that was a while ago and I am comparing it with nothing - I'm not sure how it stacks up against more recent offerings :

    http://www.sgi.com/products/software/irix/tools/pr odev.html#B [sgi.com]

    Looks like it's IRIX only though, so YMMV, to put it mildly.
  • LLVM (Score:2, Informative)

    by klahnako (209184)
    I just started looking at LLVM, maybe it is good for what you want.

    http://llvm.org/ [llvm.org]
  • PreFast (Score:2, Informative)

    by Yakust (652563)
    If you are on Windows, you can use the native C++ static analysis that comes with the Windows SDK.
    Just add the /analyze switch when invoking the compiler (cl.exe)
    It's the tool that is used by MS to test its own code, known internally as PreFast.
    It helped me find many bugs in other people's code.
    • by cookd (72933)
      /analyze is pretty good. If you're using one of the more expensive editions of Visual Studio, support for /analyze is built into the IDE and very convenient.

      With the latest versions of the Windows SDK, /analyze becomes much more powerful. /analyze has built-in models for the behavior of some CRT-defined functions, but all other functions are black boxes. The newest CRT and Windows SDK headers (as well as any .h files generated by a recent version of MIDL) have all been annotated with "SAL" annotations that
  • by Moggyboy (949119) on Friday March 30, 2007 @09:03AM (#18542055)
    India.
  • Coverity (Score:5, Informative)

    by LLuthor (909583) <lexington.luthor@gmail.com> on Friday March 30, 2007 @09:06AM (#18542071)
    I strongly suggest you look at coverity [coverity.com].

    They have excellent checks as well as the best framework for creating custom tests that I have ever come across.

    NOTE: I am not affiliated with coverity, just a very satisfied user.
    • by greenrom (576281)
      I too have used Coverity, but I wasn't as impressed with it. Especially considdering the price. It is better than lint, but it's not that much better. Expect to get a lot of false positives.

      We used it once on a large set of code from a company we acquired. Since none of us were very familiar with the code, and the code had a lot of stability problems, the thought was that it might help us find some of the more elusive bugs and improve the stability of the software.

      Coverity did find a lot of "problems".
    • by tlhIngan (30335)
      If you're a business, there's also KlocWork [klocwork.com] which seems to work well enough. Bit pricey and can't be installed for home use, but enterprise use is quite nice (hint: competitor to Coverity). I heard they may offer F/OSS scanning as well - one of the nice things is that you can disable a warning on a block of code once it's been verified as a false positive so a subsequent scan won't bring it up again.
    • by johnnliu (454880)
      While not disputing coverity's features, I feel you should discuss other tools you've used in comparison to coverity and describe why you had the conclusion of "the best framework for creating custom tests that I have ever come across".

  • FlexeLint / PC-lint (Score:5, Informative)

    by DoofusOfDeath (636671) on Friday March 30, 2007 @09:07AM (#18542087)

    http://www.gimpel.com/html/lintinfo.htm/ [gimpel.com]

    I've never tried it for a code base as large as 500k. My guess it that I used it up to 15k. I was very pleased with it. I agreed with just about every warning it raised, and was able to easily suppress individual instances or whole classes of errors. I also found it somewhat easier to get started with compared to the big tools from Rational et al.

    I think it's a bit pricey for a an open-source coder like me, but it should be cheap enough for a company with a tools budget.

    • by demo (8301)
      Yeah, I'd recommend this too.
    • Pricey? Well, it's not free, but it's almost free compared to Coverity or high-end tools like that. And it really does some very clever checks. You get a lot of bang for your static analysis buck.

      I've been using PC-Lint for over 10 years now. I think it's made me a better programmer.

      I love PC-Lint, but I really do wish its handling of C++ was better. It was really rough at first, generating kinds of false errors on even the most harmless-looking template code. It's better now, but it still has a lot o
    • Re: (Score:3, Informative)

      by JDisk (82627)
      I have to agree with this recommendation (Gimpel lint).

      A few points, though:

      - It is purely text-based, so if you are looking for a shiny GUI-based tool (easier to sell to the PHB), you are out of luck.

      - depending on the quality of your code, running it for the first time can result in a huge (make that HUGE) amount of warnings. You might want to start small and only turn on more and more options later. Initially, you will have to invest quite a bit of time to get your code "lint-clean". In the long run, thi
    • I'd agree with the recommendation, and FWIW I work on a project with over 1,000,000 lines of C++ code.

      I also agree with the warnings from others about Lint being a bit verbose until you shut off a few stylistic things you might not care about, which fortunately is easy to do.

      I also also agree with the caveat about false positives with non-trivial C++ code: sometimes it just plain misunderstands and gives incorrect warning/error messages. It's been improving steadily in recent versions, though, and the v

    • by SWestrup (28661)
      I have to agree. I fell in love with Gimpel lint years ago and now I always suggest it as a useful tool whenever I enter a new coding shop.

      I only wish the Linux version was as cheap as the Windows one, so I could afford to buy a copy.
    • by GolfBoy (455562)
      Ditto this. Used it on ~850,000 lines of code. Takes some doing to get it configured to flag what you want, and not what you want to ignore. But a great tool. Customer support was fantastic. Reported a bug on ATL template analysis and it was fixed within 2 weeks.
  • ...which, in a 500K LOC program, there may be a bit of, try the copy/paste detector, CPD [sf.net]. There's a chapter on CPD in my PMD book [pmdapplied.com], too...

  • http://www.splint.org/ [splint.org]

    END OF LINE
  • by pdovy (952071)
    Whatever you use, make sure you adjust the settings to only capture those problems that you think are critical. With 500k lines of code, unless your codebase is *extremely* solid running a Lint tool will result in a LOT of action items. I've used SPLINT (a lint for secure programming - http://www.splint.org/ [splint.org]) in a project with a codebase much smaller than 500k and it took weeks to finish addressing all the issues - sometimes these things can be more of a curse than a blessing.
  • by tjwhaynes (114792) on Friday March 30, 2007 @09:47AM (#18542499)

    I work on a C/C++ code base that is a lot bigger than 500k lines. I've worked with results produced by Klocwork [klocwork.com] and also with the output from Reasoning [reasoning.com]. Both of these services/packages will cost you money but both provide good insight into your code. The commercial packages generally produce more focused results with less false-positives, so while they cost you money up front, your developers will spend less time weeding out the noise.

    If paying money out for a commercial package isn't your thing, don't overlook the old standby lint or splint [splint.org], an updated successor.

    Also well worth investigating to see how your code is actually running is Valgrind and it's associated tools [valgrind.org]. The Valgrind toolkit will give you a good idea where memory is being leaked, where variables and pointers are going off the rails. Valgrind hooks into a running program, so it's important to make sure that you test all the corners of the codebase if you go this route.

    Cheers,
    Toby Haynes

    • Valgrind hooks into a running program, so it's important to make sure that you test all the corners of the codebase if you go this route.

      One minor clarification: valgrind can't attach to an already-running program the way a debugger can. Valgrind is actually an x86 emulator, so you have to ask valgrind to execute your program from the very beginning.

      • by SkunkPussy (85271)
        Are there any tools that perform a similar function to valgrind but on windows?
        • by jgrahn (181062)

          Are there any tools that perform a similar function to valgrind but on windows?

          If valgrind isn't available on Windows (I wouldn't know, or care), there's the always the classic, Rational Purify. It's probably expensive.

  • Purify (Score:3, Informative)

    by Khelder (34398) on Friday March 30, 2007 @10:02AM (#18542697)
    I'm happy to say I used C/C++ heavily for quite a while now, but when I did, Purify [ibm.com] was really, really useful for finding problems.

    A coworker of mine who's quite a C/C++ jockey used it recently (this month), and said it's still very good.

    • Our experience was just the opposite. We recently gave up using Purify entirely, because it wasn't finding anything that tools like Valgrind didn't find more reliably and much faster. YMMV.

    • by Tamerlan (817217)
      OP asked specifically about static analysis tools whereas both Purify and Valgrind are dynamic analysis tools.
  • Why are you analyzing your code? What are you looking for? Performance optimizations? Security flaws? Bugs in general?
  • by hAckz0r (989977) on Friday March 30, 2007 @10:33AM (#18543103)
    There are many software tools out there for static analysis, but differ in what they do or who they target as their customer. The big names in my mind are Coverty, Fortify, Prexis, and PolySpace. I only have personal experience with Prexis and PolySpace so I will just speak to those.


    One important thing to consider is the set of compilers, tools, target system, and build environments you are using. If you are using MS only products the you will most likely have very good support because most all source code analysis suits will simply import the build information and you will be off and running right away. If your environment is Unix or embedded systems then things may be more difficult because you will need to hook into the build process somehow. The scanner tools usually intercept the CC command from a "make" build and call their back end using their custom processing rather than the compiler proper. Different products do this in different ways so be sure the product you choose knows how to deal with your specific build environment. In my case I walked into another parties environment and needed to simulate a build for a new build environment that I had never seen before, every time. Not one environment ever looked like the next, so the setup and configuration was always a big challenge, just to get started.

    Prexis is primarily a tool for life cycle scanning of source code for security issues. There are two ways to perform the code scanning, with either the main engine component which can schedule nightly scans and track progress over time or with the additional Prexis Pro utility, which is designed for quick assessments by the engineers on their own code without logging everything into the main database. The Pro tool worked best for my code assessments since I had no need for tracking changes over time, and it was a little easier to configure which counts for a lot in my situation.

    PolySpace is a completely different tool with a different purpose from Prexis. PolySpace attempts to mathematically discover runtime flaws in the code while only using static analysis to do so. It does a great job on smaller projects, but because of the complexity and thoroughness of its analysis, it is somewhat slow. PolySpace needs to evaluate an entire application all at once in order to do a good analysis. If your .5 MSLOC of code is many separate programs/executables then you will be fine, but if you are talking about one huge monolithic application then you may have to evaluate it in chunks which just increases the false positives and forces the engineer to do more manual chasing of details to determine if the issue is really a problem or not. From what I have seen this product is in a class by itself.

    BTW - keep you eyes on this site: http://samate.nist.gov/index.php/Main_Page [nist.gov]

    • by jgrahn (181062)

      PolySpace attempts to mathematically discover runtime flaws in the code while only using static analysis to do so. It does a great job on smaller projects, but because of the complexity and thoroughness of its analysis, it is somewhat slow.

      Last time I heard, Polyspace didn't do C++ -- just C and some random toy language (Java or Ada?). Cool but extremely expensive.

  • I work on a commercial static analysis tool called CodeSonar [grammatech.com]. It costs money, but we do offer free trials.

    Our major competitors in this space are Coverity [coverity.com] and Klocwork [klocwork.com].

    All three tools can (to some extent) infer how a program will behave at run-time, so they find more subtle bugs than tools that just look for suspicious patterns in your code.
  • See www.splint.org [splint.org] for a really good tool for static code checking when it comes to C.

    I have used it sometimes, and as I have noticed that in some cases the version from CVS is better than the released version. (but as always, your mileage may vary).

    For C++ it's a lot harder, but the programming rules for C++ and the compilers are a bit stricter too, so you may be helped there.

    To make things worse (or better, depending on how you see it :-) ) you can always take a look at PurifyPlus from IBM. It conta

  • Regardless of what tool you select, you will have to decide what rules you want to apply and what you are trying to get out of using the tool. If management doesn't understand the purpose of the tools, they may make inappropriate decisions on how to use them. As an example, I worked on a large project, (hundreds of developers), and management decided that we needed to use a static analysis tool and that code had to be "clean" before it could be checked in. It was phased in, so we had a month to eliminate

  • Shameless commercial plug here... I'm the CTO of Klocwork (www.klocwork.com), a vendor of source code analysis tools. We provide security vulnerability and implementation defect checking for C, C++ and Java. In addition, as others on this thread have stated, you're going to want to look at refactoring, architectural analysis, rule tuning, metrics, trends, all the usual stuff and all of which we supply as part of our enterprise suite of products. Check your supplier list carefully as all of the companies in
  • If your project has 500K lines of C/C++, it will almost certainly fail.
    • Re: (Score:2, Informative)

      by idries (174087)
      Many sucessful products are made up of around 500K lines of C++.

      Most console computer games for example start at around 500K lines...
      • Re: (Score:1, Troll)

        by mkcmkc (197982)

        Many sucessful products are made up of around 500K lines of C++.
        That may be, but it doesn't really contradict my comment. The question is: What proportion of 500K+ projects fail?
  • I am employee of Klocwork.

    If you are researching this for you enterprise I suggest you evaluate Klocwork (and its competitors: Coverity, Grammatech, Parasoft, there are others). We handle large-scale C/C++ projects, our own codebase is much larger than yours and we run Klocwork in-house to track defects in our own code on a daily basis and on developer desktops for subprojects. In fact we successfully handled mammoth projects as big as 10M lines of code and beyond (but frankly, it is getting rather trick

  • Understand for C++ (Score:2, Interesting)

    by jvaigl (649268)
    I'm working on a project that's evolved over several years and there's been high turnover among the developers. We use a product called Understand for C++ [scitools.com]. It has a lot of great reverse engineering, metric generation, and source browsing features that make it pretty useful.

    From their marketing blurb...

    Understand, our flagship product, helps thousands of companies maintain impossibly large or complex amounts of source code. It parses source code for reverse engineering, automatic documentation, and calc

    • I recently used this on my last job for max stack depth analysis. A good tool I must say, fairly cheap as well for a corporate budget. The user interface is a bit rough, not very pretty, but I hear its improved a lot over the years. I think I would insist of getting a WebEx demo or something since I doubt I even touched 2% of the program's features.
      • by Amertune (1073838)
        I've used it to go into old code and figure it out so that I could know where to make the changes I needed to make and know what else would be affected by those changes. The interface is getting alot better.
  • from parasoft corporation. Statically tests functions for 50 cases.

    I prefer the Insure++ product myself. It really helps in finding bugs.

    IT IS NOT FREE.
  • You didn't mention what platform you're building on, and you also didn't mention exactly what kind of analysis you want to perform.

    If you're on Windows, the latest Visual Studio C/C++ compilers include a pretty good (but basic) code analysis tool built in. Just use the /analyze flag to cl.exe.

  • Fortify a security static scanner and covers C/C++ as well as Java, JSP, .NET, C#, XML, CFML, PL/SQL and T-SQL.
  • We're on an embedded system with several CPUs.

    One of the CPUs is running Linux. This code we compile with gcc on a Linux box.

    Another CPU is running ThreadX. We cross-compile this on Windows using the Green Hills compiler.

    A couple other CPUs run Nucleus OS. These are also cross-compiled on Windows using the Green Hills compiler.

    We have gotten evaluations of KlokWorks and Coverity (and I've probably said enough here for them to figure out who we are). And they do good stuff, too. But I'm trying to look a
  • Linux kernel developers use this:

    http://www.kernel.org/pub/software/devel/sparse/ [kernel.org]
  • "C/C++". That's like saying "Fortran/LISP". Which language is it? Both?

    If you are like all projects I have seen, you haven't turned on the relevant compiler switches for ANSI/ISO compliance and full warnings. Do that first.

    Second, get yourselves a few more compilers. If you use gcc, fetch the latest version. It doesn't matter if you can run the compiled code.

    Third, write type safe code. If it's really C++ code you are writing, disable C-style casts and see how much of those monstrosities (from a C++ poi

  • C++test from Parasoft has static analysis and Automatice Unit test generation. But you should always try before you buy.

  • Some related C++ analysis tools for Visual Studio may also be of interest to you, IncludeManager and StyleManager: https://secure.profactor.co.uk/products.php [profactor.co.uk]

The "cutting edge" is getting rather dull. -- Andy Purshottam

Working...