What is a Good Open Source Code Analysis Tool?

carlmenezes asks: "I volunteer when I can to help a poor educational institution in India with their computing needs. As you can imagine, most computers are from donations and very little money (if any) can be spent on software licensing. Therefore, the installed software is all Open Source and I do all of the software installation by myself. I have already installed Linux on 16 PCs, with Firefox. The default desktop is KDE and the kdeedu package (klettres in particular) has several loyal fans. Incidentally, the kids don't find it hard to use at all and the lack of 3D doesn't bother them in the least :) I would like to ask the community about a good source code analysis tool. I have already installed Source Navigator. Is there any other comparable open source tool?"
"The analysis tools would be for those students that show more interest than the others in programming. There is a lot of source code in there for them to look at it if they want to. I'm looking more at C/C++ than anything else. There are some very bright students and I would like them to be able to move beyond ordinary school programming if they feel like it. No, there is no Internet connection. I bring in the software on CDs and install it."

  • Use Java instead (Score:4, Informative)

    by nganju ( 821034 ) on Thursday December 16, 2004 @06:33PM (#11110018)
    There are two very good open source IDEs for Java, NetBeans and Eclipse (I personally prefer Eclipse).

    If you're teaching beginners how to program, Java is simpler anyway. You don't have to understand memory allocation and pointers because it's all taken care of for you. Also you can write non-object-oriented programs to start with by making all functions static.

    This way you can start with very simple programs and work your way up to introducing more advanced concepts, like object-oriented, or memory allocation etc.

    If you insist on learning with C/C++, I would lobby with the executives at a company like Borland. They usually have the power to throw a few copies your way, as long as they're convinced that it is a philanthropic effort (it makes them look good).

    • Re:Use Java instead (Score:3, Informative)

      by cariaso1 ( 674515 )
      Eclipse is excellent, but requires a decent machine.
    • Re:Use Java instead (Score:2, Informative)

      by Anonymous Coward
      Eclipse will also support C/C++ with this plugin: http://www.eclipse.org/cdt/ [eclipse.org]
    • Begone foul troll!! Java is the work of the devil!! And eclipse is its dark whore, complete with multiple blasphemous plugins! Repent! Install perl and ye may yet be saved. Turn back now from the dark path of restricted languages and walk the path of the true believers.

      In short, I disagree that Java is easier to teach to beginners. Not only must they immediately grasp object orientation and functions, they must also work with Java's quite restrictive language constructs. I do agree that C++ is not a very
      • I was with you up until the word "perl". Surely you meant PASCAL, right? My stomach churns just thinking about newbie perl code.

        I agree Java is a bad language to teach beginners, tho.

      • They need a language that starts very simple so they can wrap their heads around programming and start spitting out a few programs

        And you want to give them perl? What's wrong with scheme?

        Day 1: "Hello, World" in perl
        Day 2: Regular expressions
        Day 3: Where did everyone go?
      • There is always Squeak [squeak.org].

        They can start as slow as they want, learn the concepts of programming, and when they want to enter in the "market", can always learn the language du jour, be it C++, Java or C#.

        And squeak seems to run quite fast for what it does, and when they botch the runtime the restore is only a cp /whatever/image ~user/image Regards

      • And what is C with some STL added ????

        C++ !!!!!!!

        You don't have to use templates or even objects in every C++ program.

        Just writing this:
        for (int i=0; i<n; i++)
        //stuff
        is C++. You have FREEDOM in C++ to use the paradigm you wish. If you don't want to use objects you don't have to go back to C.
    • by jdowland ( 764773 )
      He wants a source navigator to look at existing code - how many quality open source apps are written in java? Ok, now how many of them are they likely to have experienced, using Linux/KDE/kdeedu?
    • If you're teaching beginners how to program, Java is simpler anyway. You don't have to understand memory allocation and pointers because it's all taken care of for you. Also you can write non-object-oriented programs to start with by making all functions static.

      Unfortunately Java hides how computers actually work. I would first start out with a BASIC interpreter to teach basic algorithms and structured programming. I would then move to C to teach about pointers. Then move into Java or C++.

      The proble

      • Quite a good call, but.....
        1: use javascript and a web browser if you want an interpreter, it's quite easy to setup and it's a skill you can take home and play with.

        2: You can teach pointers in java, or at least memory addressing using lookups into arrays, which is closer to protected mode than the flat memory model you get with C.

        3: no way, I wrote java on a 486 years ago, ok I didn't write eclipse, but goto ebay, $50 in hand and get a pc that can run java.

        4: I know how a computer works, I could build one
  • they support multiple languages, open source, closed source, pseudo source, etc.

    seriously, pick an application everyone likes, bring in the source, and have the students give it a new feature or fix a bug. Any text editor should be sufficient.

    • Jedit is very nice. And there are a few open source projects devoted to expanding it so it's more of a framework for programs/plugins than a text editor.
    • eyeballs are not always the best approach. Those eyeballs have predetermined ideas or thoughts.

      For confirmation of this there was a discussion on the security of FOSS projects by a FOSS author. The security bug lasted years in Mailman because no one saw it.

      Automated checking of code is not the be all and end all of code however it is better than a poor set of eyeballs any day.
  • Maybe I didn't fully understand your question, so please correct me if I am mistaken.

    But what about popular C/C++ IDE's as KDevelop and Anjuta? Are those not the sort of tools you're looking for?
    • If you didn't understand it, I didn't either. But I think you're correct.

      Source-Navigator's "analysis" seems to be to "display relationships between classes and functions and members, and display call trees." Most IDEs will have this functionality, including KDevelop and Anjuta. I'm partial to Anjuta myself, but they are already using KDE. KDevelop would be the natural choice.
      • KDevelop is not all it's hyped up to be. Its source code analysis needs a lot of work. I understand what this guy is looking for, and I too have been looking for something similar.
  • by ratboy666 ( 104074 ) <<moc.liamtoh> <ta> <legiew_derf>> on Thursday December 16, 2004 @07:07PM (#11110328) Journal
    I find that snavigator is quite good for source analysis. If you want a "lighter" tool, cscope can be used. But snavigator also supports fortran, cobol, etc. "out of the box".

    So, I think that it's a fine tool for teaching. Most other "IDE"s tie you in to a particular system or language, which snavigator doesn't. I've used it for the Linux kernel, Solaris, and Windows (among other things).

    It's a bit slow building its cross-reference database, though, so for larger source bases you do want access to a "big" machine. You can share the results after the xref is built (the same is possible with cscope).

    Good luck with your project!

    Ratboy.
  • Cscope, Lint (Score:5, Informative)

    by n1ywb ( 555767 ) on Thursday December 16, 2004 @07:11PM (#11110373) Homepage Journal
    From the Cscope web site [sourceforge.net]:
    Cscope is a developer's tool for browsing source code. It has an impeccable Unix pedigree, having been originally developed at Bell Labs back in the days of the PDP-11. Cscope was part of the official AT&T Unix distribution for many years, and has been used to manage projects involving 20 million lines of code!

    In April, 2000, thanks to the Santa Cruz Operation, Inc. (SCO) (since merged with Caldera), the code for Cscope was open sourced under the BSD license.

    • Allows searching code for:
      • all references to a symbol
      • global definitions
      • functions called by a function
      • functions calling a function
      • text string
      • regular expression pattern
      • a file
      • files including a file
    • Curses based (text screen)
    • An information database is generated for faster searches and later reference
    • The fuzzy parser supports C, but is flexible enough to be useful for C++ and Java, and for use as a generalized 'grep database' (use it to browse large text documents!)
    • Has a command line mode for inclusion in scripts or as a backend to a GUI/frontend
    • Runs on all flavors of Unix, plus most monopoly-controlled operating systems.

    From the Splint (a modern version of Lint) web site [splint.org]:

    Splint[1] is a tool for statically checking C programs for security vulnerabilities and programming mistakes. Splint does many of the traditional lint checks including unused declarations, type inconsistencies, use before definition, unreachable code, ignored return values, execution paths with no return, likely infinite loops, and fall through cases. More powerful checks are made possible by additional information given in source code annotations. Annotations are stylized comments that document assumptions about functions, variables, parameters and types. In addition to the checks specifically enabled by annotations, many of the traditional lint checks are improved by exploiting this additional information.

    As more effort is put into annotating programs, better checking results. A representational effort-benefit curve for using Splint is shown in Figure 1. Splint is designed to be flexible and allow programmers to select appropriate points on the effort-benefit curve for particular projects. As different checks are turned on and more information is given in code annotations the number of bugs that can be detected increases dramatically.

    Problems detected by Splint include:

    • Dereferencing a possibly null pointer (Section 2);
    • Using possibly undefined storage or returning storage that is not properly defined (Section 3);
    • Type mismatches, with greater precision and flexibility than provided by C compilers (Section 4.1-4.2);
    • Violations of information hiding (Section 4.3);
    • Memory management errors including uses of dangling references and memory leaks (Section 5);
    • Dangerous aliasing (Section 6);
    • Modifications and global variable uses that are inconsistent with specified interfaces (Section 7);
    • Problematic control flow such as likely infinite loops (Section 8.3.1), fall through cases or incomplete switches (Section 8.3.2), and suspicious statements (Section 8.4);
    • Buffer overflow vulnerabilities (Section 9);
    • Dangerous macro implementations or invocations (Section 11); and
    • Violations of customized naming conventions. (Section 12).
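
An added example, not part of the comment above or of Splint's own documentation: the "annotations are stylized comments" idea applied to a small `key=value` helper, with an unchecked caller beside its corrected form. The function names and the file name `example.c` are hypothetical; `/*@null@*/` and `/*@only@*/` are Splint's annotations for possibly-null results and owned storage.

```c
/* Added example (not from the thread): Splint annotations on a tiny
 * "key=value" helper. Annotations are ordinary comments, so a C compiler
 * ignores them; check with:  splint example.c  (file name is an assumption) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* null: the result may be NULL, so callers must test it before use.
 * only: the result is the sole reference to fresh storage, so the
 *       caller takes on the obligation to free it. */
/*@null@*/ /*@only@*/ char *value_of(const char *line)
{
    const char *eq = strchr(line, '=');
    size_t len;
    char *copy;

    if (eq == NULL)
        return NULL;                 /* no separator in the line */
    len = strlen(eq + 1);
    copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;                 /* allocation failed */
    memcpy(copy, eq + 1, len + 1);   /* copies the terminating NUL too */
    return copy;
}

/* Before: a compiler accepts this, but the annotations above let Splint
 * report that (1) v may be NULL when v[0] is read and (2) v is never
 * released before the function returns. */
int first_char_unchecked(const char *line)
{
    char *v = value_of(line);
    return (unsigned char) v[0];
}

/* After: NULL is handled and the owned storage is freed on every path. */
int first_char_checked(const char *line)
{
    char *v = value_of(line);
    int c;

    if (v == NULL)
        return -1;                   /* malformed line or no memory */
    c = (unsigned char) v[0];
    free(v);
    return c;
}

int main(void)
{
    /* Constructed sample lines. */
    printf("%d\n", first_char_checked("shell=/bin/sh"));
    printf("%d\n", first_char_checked("no separator"));
    return 0;
}
```

Removing either annotation from `value_of` removes the corresponding report on `first_char_unchecked`, which is the effort-benefit trade-off the quoted Splint text describes.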
    • Re:Cscope, Lint (Score:3, Interesting)

      by carlmenezes ( 204187 )
      Thanks! CScope is something like what I had in mind. I definitely will check it out this weekend. Also came across CBrowser (the front end to CScope), but then cscope is built into vi, which is the most popular console based text editor here :)

      Splint is already installed. What I would like to do is to show the tool to those that are interested, give them a short lesson on it and then leave them to their own devices and let their curiosity make them learn.
  • Well, if source code analysis is really what you want, I would suggest splint at http://www.splint.org/ [splint.org]. A static lint-type checker. Really good and sufficiently pedantic. Most C coders should check this out...

    P.

  • by JPyObjC Dude ( 772176 ) on Thursday December 16, 2004 @07:45PM (#11110720)
    Just do the following:

    1) Learn how to program.
    -- nuf said.
    2) Write clean code
    -- Proper indenting **
    -- sufficient commenting
    3) Less code is more
    -- More lines is more intimidating than less
    -- However, there is a limit (ie Perl)
    -- More you can fit on one screen the easier to debug
    4) Be a structured programmer
    -- It should not matter what language you are programming in. The structures should always be the same.
    5) Learn and use language level error handling
    -- This will enable you to fully understand how to debug your code
    -- Stack traces are a must for any procedural or OO code
    6) Make your programs chatty
    -- Log files are good but make sure there is a way to easily turn off logging features so that you can speed up programs when you are happy.
    7) Learn how to tail log files
    -- tail is available on every operating system
    --- GNUUtils for win32
    --- *nix (Linux, Unix, OSX ...)
    8) Write blind code as much as possible
    -- IDE's are very powerful but I always write all my code in a text editor totally blind (no compilation, syntax validation...)
    -- If you become dependent on the system to tell you what is wrong, you will not learn to SEE the problem.
    --- Often times, when I get an error and I know I just changed a piece of code I will not even read the error. I'll just look at the line of code that I changed and visually look for the error. If you don't learn how to do this, then programming probably is not for you.
    9) Got errors, don't worry
    -- All coders get errors.
    -- Only a few times I have written dozens of lines of blind code and not gotten at least one error. I was amazed when I did.
    -- Don't get stressed out. Just be pragmatic and move being objective with the error.

    That's probably a good start.

    Personally I would not trust programs in telling me where coding problems are anyhow. I find it akin to using anti-spyware programs on a win32 box where it would be easier to just not use IE and be more conscious of the operating system we use. The latter takes a little more understanding but in the end all will be better :]

    JsD
    (Java+Python+ObjC-on-BSD-with-firefox==happiness:)

    • 8) Write blind code as much as possible
      -- IDE's are very powerful but I always write all my code in a text editor totally blind (no compilation, syntax validation...)
      -- If you become dependent on the system to tell you what is wrong, you will not learn to SEE the problem.
      --- Often times, when I get an error and I know I just changed a piece of code I will not even read the error. I'll just look at

      That's probably a good way for learning programming (I learned like that, because today's tools were magic in my time), but I doubt it's a good way to work.
      With a good IDE you are ten times faster than with Notepad-like simple editors. Even VI or VIM with good ctags/jtags support and code completion is already nice.

      For C++/Java etc. use Eclipse.
      For Java use Eclipse/IDEA IntelliJ or CodeGuide (in reverse order).

      Probably you should determine the language you want to teach first. If you use Python, you should look for a decent Python IDE.

      angel'o'sphere
    • 3) Less code is more -- More lines is more intimidating than less -- However, there is a limit (ie Perl)
      Yes, the perl gurus do tend to take code brevity to extremes...
    • 2) sort out the indentation when you review, it makes you look at every single line.

      3) don't you mean make your code modular? I've seen some people who take the whole small thing to extremes and you end up chasing your tail trying to debug the stuff.

      4) prolog, xsl, c++, lisp. go on then.

      8) I have more errors writing blind code than using an IDE, modern ide's do.
      Refactoring, real-time highlighting of errors, code completion, code graphing, wysiwyg designers for gui's, graphical component designers (EJB and
  • valgrind (Score:5, Informative)

    by yamla ( 136560 ) <chris@@@hypocrite...org> on Thursday December 16, 2004 @08:00PM (#11110866)
    valgrind [kde.org] and associated add-ons, are absolutely amazing and quite useful for C and C++ programming.

    Nobody should be caught dead writing C++ programming without at least knowing about Boost's [boost.org] libraries. Not really analysis tools but useful nevertheless.
  • by StyXman ( 81792 ) on Thursday December 16, 2004 @08:33PM (#11111190) Homepage
    lxr (http://lxr.linux.no/ [linux.no]) was developed with the kernel in mind, but now it works with any C, C++, python, perl and other languages (those supported by exuberant-ctags). I used it in several projects and, in conjunction with tabbed browsing, I think it's all I need. Dependencies are: mysql, perl, apache, exuberant-ctags.
  • If you're using Java... "PMD is a Java source code analyzer. It finds unused variables, empty catch blocks, unnecessary object creation, and so forth. "
    http://sourceforge.net/projects/pmd/
    • CPD from the same place provides some of the facilities for C code. I have used it on OpenOffice.org.
    • In a similar vein, Checkstyle [sourceforge.net] is also very good. I especially like the checks for variables that mask those in a higher scope, unused variables and unused imports. I'll definitely be checking out PMD as well, as the rest of my team are novice Java programmers and I don't have the time to audit all their code. These kind of analysis tools are great, because they allow me to pinpoint likely areas of particularly bad code.

    • Yup, PMD [sf.net] rocks! And the guys who work on it are really awesome, cool dudes! Especially Tom Copeland, he's the best!

      Ahem.

      Anyhow, if you're looking for Java bytecode analysis, FindBugs [sourceforge.net] is excellent. Nice folks, too, and the mailing list is pretty active.
  • myer (Score:2, Interesting)

    by biryokumaru ( 822262 ) *
    myer:

    http://home.comcast.net/~jyavner/myer/

  • LXR (or linux cross reference) was originally designed to cross reference the Linux kernel, but does C code in general. Check it out at their website. [linux.no]
  • gcc -Wall (Score:3, Informative)

    by oo_waratah ( 699830 ) on Friday December 17, 2004 @12:33AM (#11112987)
    The gcc compiler has quite a number of checks built into it. For example uninitialised variables checks if you use -Wuninitialized. A good first pass on code is to compile -Wall and clean up the problems reported.

    You might want to read Steve McConnell on writing solid code to see a full explanation as to why.
    • Re:gcc -Wall (Score:3, Interesting)

      by MrResistor ( 120588 )
      That seems like the best way to me as well. It's always better to learn to do something "by hand" first, then bring in the automation later to speed things up (and not just in academic subjects like programming either, as I learned while designing and building custom industrial robots a few jobs ago).

      Anyway, slightly OT, but I haven't been that impressed with kdeedu. It feels very much like an open source project to me (in the negative sense), or at least what comes with Suse 9.1 does anyway. I like gcompr
  • If your students want to examine existing code, AutoDia [droogs.org] will generate UML class diagrams from source code in a variety of languages. Output is normally in Dia format but others are supported as well.

    It's written as a set of Perl scripts so you'll need a perl installation on the machine.
  • I was sceptical at first (it looked too much like a 'toy'), but jGRASP [auburn.edu] has proven surprisingly useful for getting to grips with legacy C code (reams and reams of 1000+ line functions with nested ifs and cases). It should be useful for teaching purposes too, since it allows collapsing bits of code to show the underlying structure, and handles block exits better than a folding editor would
  • Doxygen (Score:2, Insightful)

    by gregRowe ( 173838 )
    Doxygen is fantastic for source code browsing. http://www.doxygen.org
  • see: http://spinroot.com/uno/ for an overview of similar tools, see also: http://spinroot.com/static/
