
[This is a more general question and banks upon the experience with both setting the compiler options and usage of static code analysis tools.]

Currently, I use -Werror to flag all warnings as errors during compilation.

I am planning on using static code analysis tools for C++. To start with I will be using CppCheck, which has the features listed here: http://cppcheck.sourceforge.net/#features, reproduced below:

  • Dead pointers
  • Division by zero
  • Integer overflows
  • Invalid bit shift operands
  • Invalid conversions
  • Invalid usage of STL Memory management
  • Null pointer dereferences
  • Out of bounds checking
  • Uninitialized variables
  • Writing const data

My question is: if I resolve all the errors (detected via -Werror) flagged by the compiler, then won't all these problems (features) listed by CppCheck already be covered during the compilation stage of the build-deploy workflow?

More generally, does setting the compiler options to a "strictest" level (like in this answer https://stackoverflow.com/a/401276/712248) flag all problems (including/excluding false positives) that could be detected by static analysis tools like CppCheck? So, in essence, if I use the strictest compiler options, I then do not need to use static analysis tools?

gr3ymatt3r

  • The quick answer is no. – Tiger4Hire Apr 20 '18 at 17:25
  • Many regulatory agencies recommend more than one static analysis tool in addition to the compiler warning settings. It's like inviting more than one person to a code inspection; different people have different methods for inspecting code. – Thomas Matthews Apr 20 '18 at 18:40

1 Answer

There is a lot of overlap between the two, for sure, but expect a much higher number of issues with a dedicated analyser, both real and false positives. Static analysers can use slower techniques, and are often only run periodically, like before releases, because on large code bases they may have very long running times. The speed difference is the only real reason why we have two tools not one.

Tiger4Hire

  • "but expect a much higher number of issues" – by this do you mean the issues detected in the codebase or the issues encountered in using the analyser tools? – gr3ymatt3r Apr 20 '18 at 21:45
  • I mean expect more issues to be reported, that is, potential issues in the code. As I hinted in the reply, typically static analysis tools will produce a lot of benign issues (false positives). Compiler warnings generally are more serious, and less concerned with style. Not always so, though. – Tiger4Hire Apr 20 '18 at 21:55
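As an added illustration of the gap the question asks about (this is example code written for this page, not code from the question, the answer, or the CppCheck project): the function below compiles cleanly under -Wall -Wextra -Werror, because a resource leak is not a diagnosable error for the compiler, yet it is exactly the kind of defect a dedicated analyser reports. The claim that CppCheck's memory-leak check flags this pattern is an assumption about a recent CppCheck with its default checks enabled; the fixed form beside it uses RAII so there is nothing left to report on any return path.

```cpp
// Added example (not from the original Q&A): a defect that -Wall -Wextra
// -Werror accepts silently, beside its fixed form.
#include <cstddef>
#include <iostream>
#include <numeric>
#include <vector>

// Leaky version: the scratch buffer is allocated with new[] and never
// released on any path. No standard compiler warning diagnoses this;
// CppCheck's memory-leak check is designed to (assumption: recent CppCheck,
// default checks enabled).
int sum_leaky(const std::vector<int>& values) {
    int* buf = new int[values.size() + 1];
    std::size_t n = 0;
    for (int v : values) {
        if (v < 0) return -1;          // early return: buf leaks here
        buf[n++] = v;
    }
    int total = 0;
    for (std::size_t i = 0; i < n; ++i) total += buf[i];
    return total;                      // normal return: buf leaks here too
}

// Fixed version: ownership lives in a std::vector (RAII), so every return
// path releases the memory automatically; no analyser finding remains.
int sum_fixed(const std::vector<int>& values) {
    std::vector<int> buf;
    buf.reserve(values.size());
    for (int v : values) {
        if (v < 0) return -1;          // early return is now leak-free
        buf.push_back(v);
    }
    return std::accumulate(buf.begin(), buf.end(), 0);
}

int main() {
    // Constructed sample input: both versions compute the same results;
    // only the resource handling differs, which is why runtime tests alone
    // do not catch the leak either.
    const std::vector<int> ok{1, 2, 3};
    const std::vector<int> bad{1, -2, 3};
    std::cout << "leaky: " << sum_leaky(ok) << " " << sum_leaky(bad) << "\n";
    std::cout << "fixed: " << sum_fixed(ok) << " " << sum_fixed(bad) << "\n";
    return 0;
}
```

Both functions return the same values, which is the point: neither the strictest warning set nor a unit test sees the leak, so the analyser adds a check the compiler does not run. A build step that fails on such findings can be added alongside -Werror with `cppcheck --enable=warning --error-exitcode=1 <file>` (CppCheck's own options; run it in CI on the same sources the compiler sees).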