Java has some very good open source static analysis tools such as FindBugs, Checkstyle and PMD. Those tools are easy to use, very helpful, run on multiple operating systems, and are free.

Commercial C++ static analysis products are available. Although having such products is great, the cost is just way too much for students and it is usually rather hard to get a trial version.

The alternative is to find open source C++ static analysis tools that will run on multiple platforms (Windows and Unix). By using an open source tool, it could be modified to fit certain needs. Finding the tools has not been an easy task.

Below is a short list of C++ static analysis tools that were found or suggested by others.

What are some other portable open source C++ static analysis tools that anyone knows of and can be recommended?

Some related links.

Jonas Stein
jnancheta
  • Commercial, DMS Software Reengineering Toolkit, handles Java, C, C++, and COBOL, provides parsing, AST building, name/type resolution, control/data flow analysis, custom analysis and transformation. See http://www.semanticdesigns.com/Products/DMS/DMSToolkit.html. – Ira Baxter Jul 02 '09 at 06:48
  • For commercial tools there's also CppDepend (http://www.cppdepend.com), and maybe the trial version could be sufficient for students. –  Nov 14 '10 at 11:59

14 Answers

CppCheck is open source and cross-platform.

Mac OSX:

brew install cppcheck
Michaël Witrant
Soo Wei Tan
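Added example (editor's, not code from the answer above or from the cppcheck project) of what cppcheck is good at: three defect classes it reports out of the box, each next to a corrected version. The function names and sample values are made up for illustration; only the corrected functions are meant to be run, the *_unsafe ones exist to be fed to the analyzer (`cppcheck --enable=warning,style example.cpp`).

```cpp
// Added example, not part of the answer above or of cppcheck itself: three
// defect classes cppcheck reports out of the box, each beside a corrected
// version. Check with: cppcheck --enable=warning,style example.cpp
#include <cstddef>
#include <memory>

// (1) Off-by-one: the condition uses <=, so the last iteration reads
//     values[4] past the end of a 4-element array. cppcheck reports an
//     out-of-bounds array index here. Kept only to show the defect; never
//     call it.
int sum_unsafe() {
    int values[4] = {1, 2, 3, 4};
    int total = 0;
    for (int i = 0; i <= 4; ++i) {
        total += values[i];
    }
    return total;
}

// Corrected: the bound is derived from the array, not retyped by hand.
int sum_safe() {
    int values[4] = {1, 2, 3, 4};
    int total = 0;
    for (std::size_t i = 0; i < sizeof(values) / sizeof(values[0]); ++i) {
        total += values[i];
    }
    return total;
}

// (2) Uninitialized variable: `flag` is only assigned on one branch, so
//     the return value is garbage for any string not starting with 'y'.
//     This is the pattern cppcheck's uninitvar check targets. Not called.
int parse_flag_unsafe(const char* s) {
    int flag;
    if (s[0] == 'y') {
        flag = 1;
    }
    return flag;
}

// Corrected: initialize at the point of declaration.
int parse_flag_safe(const char* s) {
    int flag = 0;
    if (s[0] == 'y') {
        flag = 1;
    }
    return flag;
}

// (3) Leak on the early-return path: the buffer is released only when
//     limit >= 0. cppcheck reports a memory leak (memleak) at the early
//     return.
int clamp_unsafe(int limit) {
    char* scratch = new char[64];
    if (limit < 0) {
        return -1;               // scratch leaked here
    }
    int c = limit > 64 ? 64 : limit;
    delete[] scratch;
    return c;
}

// Corrected: ownership goes to unique_ptr, which frees on every path.
int clamp_safe(int limit) {
    std::unique_ptr<char[]> scratch(new char[64]);
    if (limit < 0) {
        return -1;
    }
    return limit > 64 ? 64 : limit;
}

int main() {
    // Only the corrected versions are exercised; the *_unsafe functions
    // exist to be fed to the analyzer, not run.
    return (sum_safe() == 10 && parse_flag_safe("no") == 0 &&
            clamp_safe(100) == 64) ? 0 : 1;
}
```

The first two defects are the ones a compiler will also catch with enough warnings turned on; the leak across an early return is the kind of path-sensitive finding that is the point of running a separate analyzer.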
Concerning the GNU compiler, gcc already has a built-in option that enables additional warnings beyond those of -Wall. The option is -Weffc++ and it's about violations of some guidelines published by Scott Meyers in his books "Effective C++" and "More Effective C++".

In particular the option detects the following items:

  • Define a copy constructor and an assignment operator for classes with dynamically allocated memory.
  • Prefer initialization to assignment in constructors.
  • Make destructors virtual in base classes.
  • Have "operator=" return a reference to *this.
  • Don’t try to return a reference when you must return an object.
  • Distinguish between prefix and postfix forms of increment and decrement operators.
  • Never overload "&&", "||", or ",".
Nicola Bonelli
    In addition to gcc’s -Wall and -Weffc++, -Wextra does some good free static analysis, e.g., branches which don’t return a value, or checking an unsigned for being less than zero. It’s remarkable how often professional programmers think the latter is a good idea… – Flash Sheridan Apr 06 '09 at 19:42
    Yuck, `-Weffc++` warns about *tons* of constructs that are perfectly fine in a large codebase. I second the suggestion of `-Wextra`, though; don't leave home without it! – Tom Dec 15 '09 at 05:40
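Added example (editor's, not code from the answer or comments above) of a base/derived pair written to satisfy each -Weffc++ item in the list: copy constructor and assignment operator for a class that owns memory, initializer lists instead of assignment, a virtual destructor in the base, operator= returning a reference to *this, and distinct prefix/postfix increments. The class names, the label buffer and the counter are made up for illustration. Compile with `g++ -Wall -Wextra -Weffc++ -c example.cpp`; removing the copy constructor or the virtual destructor is the quickest way to see what the option reports.

```cpp
// Added example, not from the answer above: written so that -Weffc++ has
// nothing to report. Build: g++ -Wall -Wextra -Weffc++ -c example.cpp
#include <cstddef>
#include <cstring>
#include <utility>

// Base class: the destructor is virtual so that deleting a Polygon through
// a Shape* runs Polygon's destructor and frees what it owns.
struct Shape {
    virtual ~Shape() {}
    virtual int sides() const { return 0; }
};

// Bumped by Polygon's destructor so a test can prove it really ran.
static int g_polygons_destroyed = 0;

class Polygon : public Shape {
public:
    // Members are initialized in the initializer list, not assigned in the body.
    explicit Polygon(int n)
        : Shape(), n_(n), labels_(new char[static_cast<std::size_t>(n) + 1]) {
        std::memset(labels_, 'x', static_cast<std::size_t>(n));
        labels_[n] = '\0';
    }
    // Owns dynamically allocated memory, so it defines a deep-copying copy
    // constructor (the implicit one would share labels_ and double-free)...
    Polygon(const Polygon& o)
        : Shape(o), n_(o.n_), labels_(new char[static_cast<std::size_t>(o.n_) + 1]) {
        std::memcpy(labels_, o.labels_, static_cast<std::size_t>(o.n_) + 1);
    }
    // ...and an assignment operator returning a reference to *this so that
    // a = b = c chains.
    Polygon& operator=(const Polygon& o) {
        if (this != &o) {
            Polygon tmp(o);        // copy-and-swap: strong exception safety
            swap(tmp);
        }
        return *this;
    }
    ~Polygon() override { delete[] labels_; ++g_polygons_destroyed; }

    int sides() const override { return n_; }
    const char* labels() const { return labels_; }
    void set_label(int i, char c) { labels_[i] = c; }

    // Prefix form: mutate, then return *this by reference.
    Polygon& operator++() { ++n_; regrow(); return *this; }
    // Postfix form: save a copy, mutate via the prefix form, and return the
    // old value by value (a reference to the local would dangle).
    Polygon operator++(int) { Polygon old(*this); ++(*this); return old; }

private:
    void swap(Polygon& o) { std::swap(n_, o.n_); std::swap(labels_, o.labels_); }
    // Grow labels_ by one slot, keeping the existing labels.
    void regrow() {
        std::size_t len = static_cast<std::size_t>(n_);
        char* bigger = new char[len + 1];
        std::memcpy(bigger, labels_, len - 1);
        bigger[len - 1] = 'x';
        bigger[len] = '\0';
        delete[] labels_;
        labels_ = bigger;
    }
    int n_;
    char* labels_;
};

// Small checks a test can call; each one fails if the matching item above
// is dropped from the class.
bool assignment_chains() {
    Polygon a(3), b(4), c(5);
    a = b = c;
    return a.sides() == 5 && b.sides() == 5 && c.sides() == 5;
}
bool copy_is_deep() {
    Polygon a(3);
    Polygon b(a);
    b.set_label(0, 'y');
    return a.labels()[0] == 'x' && b.labels()[0] == 'y';
}
bool delete_via_base_runs_derived_dtor() {
    int before = g_polygons_destroyed;
    Shape* s = new Polygon(6);
    delete s;
    return g_polygons_destroyed == before + 1;
}
int postfix_returns_old_value() {
    Polygon p(3);
    Polygon old = p++;
    return old.sides() * 10 + p.sides();   // 34
}

int main() {
    return (assignment_chains() && copy_is_deep() &&
            delete_via_base_runs_derived_dtor() &&
            postfix_returns_old_value() == 34) ? 0 : 1;
}
```

The security-relevant items are the first and third: a missing copy constructor on a class that owns a buffer gives a double free on the first copy, and a non-virtual base destructor leaks (or worse, partially destroys) the derived object on every delete through a base pointer.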
Under development for now, but clang does C analysis and is targeted to handle C++ over time. It's part of the LLVM project.

Update: While the landing page says "The analyzer is a continuous work-in-progress", it is nevertheless now documented as a static analyzer for both C and C++.

Question: How can I run GCC/Clang for static analysis? (warnings only)

Compiler option: -fsyntax-only

Don Wakefield
    LLVM is a very interesting project that compared to gcc, generates more optimized binaries in less time; and clang, when complete, will be its front-end... – Nicola Bonelli Sep 29 '08 at 21:55
  • Another editor added the information on the -fsyntax-only switch. Just note that it is essentially a request to run the analysis that the compiler would run without actually compiling, and emit the warnings. I'm not sure, but I think that's different from the static analysis. – Don Wakefield Oct 06 '14 at 17:49
Oink is a tool built on top of the Elsa C++ front-end. Mozilla's Pork is a fork of Elsa/Oink.

See: http://danielwilkerson.com/oink/index.html

Maxim Kamalov
    I have compiled 1000+ programs in my life, but for the love of God I cannot compile this package no matter what. I tried to use Fedora, Ubuntu, WSL, Cygwin, MSYS2, Windows - but no. Something is always missing and the documentation is just plain awful. Don't get me wrong, I guess the tool is superb. But the website and documentation looks like no one touched them in 10-15 years. – Apache Dec 10 '17 at 10:52
Someone else mentioned -Weffc++, but that is actually one of the only GCC warnings I do not turn on by default. However, the set of warnings that I do turn on is the most important static analysis tool in my kit. You can see the complete list of recommended warnings.

In summary:

-pedantic -Wall -Wextra -Wcast-align -Wcast-qual -Wctor-dtor-privacy -Wdisabled-optimization -Wformat=2 -Winit-self -Wlogical-op -Wmissing-declarations -Wmissing-include-dirs -Wnoexcept -Wold-style-cast -Woverloaded-virtual -Wredundant-decls -Wshadow -Wsign-conversion -Wsign-promo -Wstrict-null-sentinel -Wstrict-overflow=5 -Wswitch-default -Wundef -Werror -Wno-unused

Note that some of these require a newer version of gcc, so you may need to eliminate them from your list if you are stuck back on 4.5 or something.

David Stone
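Added example (editor's, not code from the answer above) of what three of the listed flags reject, each next to a corrected form: -Wshadow, -Wsign-conversion, and the -Wtype-limits check that -Wextra turns on (the `unsigned < 0` case from the comment on the earlier answer). The struct and function names and the sample values are made up for illustration. Build with `g++ -Wall -Wextra -Wshadow -Wsign-conversion -Werror -c example.cpp` and the *_bad versions fail the build; drop -Werror to read the diagnostics.

```cpp
// Added example, not from the answer above: each *_bad function trips one
// of the listed warnings and has the bug the warning is there to catch.
#include <cstddef>

// (1) -Wshadow: the constructor parameter hides the member of the same
//     name, so `balance = balance` assigns the parameter to itself and the
//     member keeps its initializer (0).
struct AccountBad {
    int balance;
    explicit AccountBad(int balance) : balance(0) { balance = balance; }
};
// Corrected: distinct name, set from the initializer list.
struct AccountGood {
    int balance;
    explicit AccountGood(int initial) : balance(initial) {}
};

// (2) -Wsign-conversion: `remaining` is a signed int that can go negative;
//     returning it as size_t silently wraps to a value near SIZE_MAX, which
//     then becomes a length handed to memcpy or a loop bound.
std::size_t remaining_bad(int total, int consumed) {
    int remaining = total - consumed;
    return remaining;                 // warning: conversion may change the sign
}
// Corrected: clamp first, then convert explicitly.
std::size_t remaining_good(int total, int consumed) {
    int remaining = total - consumed;
    return remaining < 0 ? 0 : static_cast<std::size_t>(remaining);
}

// (3) -Wextra (via -Wtype-limits): an unsigned value is never < 0, so this
//     "underflow guard" is dead code and the subtraction still wraps.
std::size_t bytes_left_bad(std::size_t capacity, std::size_t used) {
    std::size_t left = capacity - used;
    if (left < 0) {                   // warning: comparison is always false
        return 0;
    }
    return left;
}
// Corrected: compare before subtracting.
std::size_t bytes_left_good(std::size_t capacity, std::size_t used) {
    return used > capacity ? 0 : capacity - used;
}

int main() {
    return (AccountGood(25).balance == 25 && remaining_good(4, 6) == 0 &&
            bytes_left_good(4, 6) == 0) ? 0 : 1;
}
```

All three *_bad functions compile without -Werror and return a well-defined but wrong value, which is exactly why the answer recommends treating the warnings as errors: the code does not crash in testing, it just hands a length of several exabytes to whatever consumes it.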
John Carmack also mentions PVS-Studio in this interesting blog post on "Static Code Analysis".

Philipp Claßen
Lucas Cimon
    It's neither "open source" and absolutely and positively not "free" in any kind of meaning of that word. It's a well known static analysis tool (second only to Coverity I think), but its price tag is fairly high. – Tomas Pruzina Nov 01 '14 at 18:59
If by Open Source, you really meant "free", then Microsoft's PREfast analysis is a good one. Windows-only of course. It is fully integrated in Visual Studio & the compiler. e.g.:

cl /analyze Sample.cpp
Azeem
user15071
Mozilla's static analysis work is probably worth a look.

Daniel James
Splint seems to fill the bill for C.

If you didn't specify open source I'd say Gimpel Software's PCLint is probably one of the best tools available for static code checking in C++. But, of course, it's not open source.

Mac OSX:

brew install splint
Jared Burrows
Onorio Catenacci
    But expensive for a single developer :) I like free better – Robert Gould Sep 27 '08 at 01:20
    splint is for C, not C++. I don't know if they plan to expand coverage or not. Hope so! – Harold Bamford Jan 29 '09 at 19:34
  • Yes, PC-lint is worth a try; its counterpart on Unix is called FlexeLint. The 9.0 version is much faster than the 8.x version, and the 9.0 version also supports pre-compiled headers to speed up analysis. It takes time for you to tame PC-lint; it has false positives which may get you into trouble if you cannot selectively ignore them. – zhaorufei May 08 '12 at 15:04
Microsoft's PREFast is also available in the Windows Driver Kit. Version 7.0 is downloadable here.

The Microsoft docs state that it should only be run against driver code but this (old) blog post lays out steps to run it. Perhaps it can be integrated into a normal build process?

tmitchell
  • PREfast will slow down your build process a lot; for any real project, your build server may not be able to afford it. – zhaorufei May 08 '12 at 15:01
  • @zhaorufei: Most static analyzers aren't "fast"; they have a pretty complex code analysis job to do, by definition. If you don't like the build cost all the time, just make it optional. – Ira Baxter Mar 28 '14 at 09:34
We have been working on an Eclipse CDT plug-in called metriculator. It's still under development but some major metrics (e.g. LSLOC, McCabe, EfferentCoupling) are already implemented.

See http://sinv-56013.edu.hsr.ch/redmine/projects/metricular/wiki/Documentation for more details like video demonstration and documentation.

The latest nightly build is available for installation via update site at: http://sinv-56013.edu.hsr.ch/metriculator/updatesite-nightly/site/

Further Description

Metriculator statically analyses C++ source code and generates software metrics. Metrics are implemented as Codan checkers. The analysis results can be explored in a separate view. Each metric has configurable properties (e.g. a threshold for 'max lines of code per function'). Exceeding these thresholds will report a problem and create a marker in the source code editor.

With metriculator you can:

  • analyse C++ files / folders / projects
  • define metric thresholds and enable / disable metrics using Codan's preference page
  • have problem markers in source code editors
  • explore metric results
  • export metric results as tag cloud (available as optional feature via update site)

Currently metriculator comes with the following metrics:

  • McCabe (Cyclomatic Complexity)
  • EfferentCoupling per Type
  • Logical Source Lines of Code
  • Number of Members per Type
  • Number of Parameters per Function
jules
One can also code extensions of GCC in MELT (a domain specific language designed for extending GCC) or GCC plugins in C (much harder) to do some custom analysis.

qdii
Basile Starynkevitch
    Have read one of the PDFs about MELT and extending gcc with MELT; my feeling is that it's still too complex/difficult to add your own plugins to gcc. Not a practical way for the common user. – zhaorufei May 08 '12 at 14:59
    Extending GCC is complex, whatever way you do it (thru C plugins, thru MELT or even thru Python). This is because GCC is complex. And customizing *any* C++ static analysis tool is *hard* because the C++ language specification is very complex, and you'll need to handle most of that complexity (any non-trivial C++ program uses a lot of C++ features, perhaps thru the C++ standard library). – Basile Starynkevitch May 08 '12 at 15:51
You should try oo-browser; it has awesome integration with XEmacs.

Doxygen does some control flow analysis and generates graphs. Those may not be what you're looking for, but I've found them useful to look at.

Paul Nathan