Java has some very good open source static analysis tools such as FindBugs, Checkstyle and PMD. Those tools are easy to use, very helpful, run on multiple operating systems, and are free.

Commercial C++ static analysis products are available from vendors Klocwork, Gimpel and Coverity. Although having such products is great, the cost is just way too much for students.

The alternative is to find open source C++ static analysis tools that will run on multiple platforms (Windows and Unix). By using an open source tool, it could be modified to fit certain needs. Finding the tools has not been an easy task.

Below is a short list of C++ static analysis tools that were found or suggested by others.

What are some other portable open source C++ static analysis tools that anyone knows of and can be recommended?

Some related links.

+2  A: 

Splint seems to fill the bill.

If you didn't specify open source I'd say Gimpel Software's PCLint is probably one of the best tools available for static code checking in C++. But, of course, it's not open source.

Onorio Catenacci
Second the recommendation for PCLint, an amazing static code checker.
Nick Haddad
But expensive for a single developer :) I like free better
Robert Gould
splint is for C, not C++. I don't know if they plan to expand coverage or not. Hope so!
Harold Bamford
+3  A: 

If by Open Source, you really meant "free", then Microsoft's prefast analysis is a good one. Windows-only, of course. It is fully integrated in Visual Studio & the compiler, e.g.:

cl /analyze Sample.cpp

twk
VS2005/2008 Team only
Harold Bamford
"free beer" from Microsoft, shurely shome mishtake Shirley?
James Morris
+3  A: 

Mozilla's static analysis work is probably worth a look.

Daniel James
+14  A: 

Concerning the GNU compiler, gcc already has a built-in option that enables warnings in addition to those of -Wall. The option is -Weffc++ and it's about the violations of some guidelines of Scott Meyers published in his books "Effective and More Effective C++".

In particular the option detects the following items:

  • Define a copy constructor and an assignment operator for classes with dynamically allocated memory.
  • Prefer initialization to assignment in constructors.
  • Make destructors virtual in base classes.
  • Have "operator=" return a reference to *this.
  • Don’t try to return a reference when you must return an object.
  • Distinguish between prefix and postfix forms of increment and decrement operators.
  • Never overload "&&", "||", or ",".
Nicola Bonelli
In addition to gcc’s -Wall and -Weffc++, -Wextra does some good free static analysis, e.g., branches which don’t return a value, or checking an unsigned for being less than zero. It’s remarkable how often professional programmers think the latter is a good idea…
Flash Sheridan
Yuck, `-Weffc++` warns about *tons* of constructs that are perfectly fine in a large codebase. I second the suggestion of `-Wextra`, though; don't leave home without it!
Tom
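The constructs that the -Weffc++ answer and the -Wextra comment above describe, as an added example that is not part of the original thread: a class owning heap memory without copy operations and an always-false unsigned check, next to corrected forms. The names `FlaggedBuf`, `Buf`, `in_bounds` and the `SHOW_FLAGGED` macro are made up for this illustration.

```cpp
// Flagged forms compile only with: g++ -Wall -Wextra -Weffc++ -DSHOW_FLAGGED ex.cpp
#include <cstddef>
#include <cstring>
#include <utility>
#ifdef SHOW_FLAGGED
// -Weffc++: pointer member without copy constructor / operator=, and the member is
// assigned in the constructor body. Copying a FlaggedBuf would delete[] twice.
class FlaggedBuf {
public:
    explicit FlaggedBuf(std::size_t n) { data = new char[n](); }
    ~FlaggedBuf() { delete[] data; }
private:
    char *data;
};
// -Wextra: 'idx < 0' on an unsigned value is always false, so nothing is rejected.
bool flagged_in_bounds(unsigned idx) { return !(idx < 0); }
#endif

// Corrected: initializer lists, deep copy, operator= returns a reference to *this.
class Buf {
public:
    explicit Buf(std::size_t n) : len_(n), data_(new char[n]()) {}
    Buf(const Buf &o) : len_(o.len_), data_(new char[o.len_]) {
        std::memcpy(data_, o.data_, len_);
    }
    Buf &operator=(Buf o) {  // taken by value: copy first, then swap
        std::swap(len_, o.len_);
        std::swap(data_, o.data_);
        return *this;
    }
    ~Buf() { delete[] data_; }
    char *data() { return data_; }
private:
    std::size_t len_;
    char *data_;
};

// Corrected bounds check: an unsigned index needs only the upper bound.
bool in_bounds(unsigned idx, unsigned size) { return idx < size; }
// True when copies own separate storage (no aliasing, so no double free).
bool copy_is_independent() {
    Buf a(4), c(1);
    a.data()[0] = 'x';
    Buf b(a);          // copy constructor
    b.data()[0] = 'y';
    c = b;             // assignment operator
    return a.data()[0] == 'x' && c.data()[0] == 'y';
}
int main() { return (copy_is_independent() && in_bounds(3, 4) && !in_bounds(4, 4)) ? 0 : 1; }
```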
+4  A: 

Under development for now, but clang does C analysis and is targeted to handle C++ over time. It's part of the LLVM project.

Don Wakefield
LLVM is a very interesting project that, compared to gcc, generates more optimized binaries in less time; and clang, when complete, will be its front-end...
Nicola Bonelli
+5  A: 

Oink is a tool built on top of the Elsa C++ front-end. Mozilla's Pork is a fork of Elsa/Oink.

+1  A: 

Doxygen does some control flow analysis and generates graphs. Those may not be what you're looking for, but I've found them useful to look at.

Paul Nathan
+11  A: 

CppCheck is open source and cross-platform.

Soo Wei Tan
+1 I use it most of the time via the eclipse plugin. It has been really helpful for finding code that might leak.
Maik Beckmann
+1  A: 

You should try oo-browser; it has awesome integration with xemacs.

A: 

Microsoft's PREFast is also available in the Windows Driver Kit. Version 7.0 is downloadable here.

The Microsoft docs state that it should only be run against driver code but this (old) blog post lays out steps to run it. Perhaps it can be integrated into a normal build process?

tmitchell