What open source C++ static analysis tools are available?

Question

Java has some very good open source static analysis tools such as FindBugs, Checkstyle and PMD. Those tools are easy to use, very helpful, runs on multiple operating systems and free.

Commercial C++ static analysis products are available from vendors Klocwork, Gimpel and Coverity. Although having such products are great, the cost is just way too much for students.

The alternative is to find open source C++ static analysis tools that will run on multiple platforms (Windows and Unix). By using an open source tool, it could be modified to fit certain needs. Finding the tools has not been easy task.

Below is a short list of C++ static analysis tools that were found or suggested by others.

• C++ Check http://sf.net/projects/cppcheck/
• Oink http://danielwilkerson.com/oink/
• C and C++ Code Counter http://sourceforge.net/projects/cccc/
• Splint (from answers)
• Mozilla's Pork (from answers)
• Mozilla's Dehydra (from answers)
• Use option -Weff++ for GNU g++ (from answers)

What are some other portable open source C++ static analysis tools that anyone knows of and can be recommended?

Some related links.

• http://stackoverflow.com/questions/97454/c-static-code-analysis-tool-on-windows
• http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
• http://www.chris-lott.org/resources/cmetrics/
• http://stackoverflow.com/questions/93260/a-free-tool-to-check-cc-source-code-against-a-set-of-coding-standards
• http://spinroot.com/static/
• http://stackoverflow.com/questions/2873/choosing-a-static-code-analysis-tool

Answer 1

Splint seems to fill the bill.

If you didn't specify open source I'd say Gimpel Software's PCLint is probably one of the best tools available for static code checking in C++. But, of course, it's not open source.

Answer 2

If by Open Source, you really meant "free", then Microsoft's prefast analysis is a good one. Windows-only ofcourse. It is fully integrated in Visual Studio & the compiler. e.g.:

cl /analyze Sample.cpp

Answer 3

Mozilla's static analysis work is probably worth a look.

Answer 4

Concerning the GNU compiler, gcc has already a builtin option that enables additional warning to those of -Wall. The option is -Weffc++ and it's about the violations of some guidelines of Scott Meyers published in his books "Effective and More Effective C++".

In particular the option detects the following items:

• Define a copy constructor and an assignment operator for classes with dynamically allocated memory.
• Prefer initialization to assignment in constructors.
• Make destructors virtual in base classes.
• Have "operator=" return a reference to *this.
• Don’t try to return a reference when you must return an object.
• Distinguish between prefix and postfix forms of increment and decrement operators.
• Never overload "&&", "||", or ",".

Answer 5

Under development for now, but clang does C analysis and is targetted to handle C++ over time. It's part of the LLVM project.

Answer 6

Oink is a tool built on top of the Elsa C++ front-end. Mozilla's Pork is a fork of Elsa/Oink.

Answer 7

Doxygen does some control flow analysis and generates graphs. Those may not be what you're looking for, but I've foudn them useful to look at.

Answer 8

CppCheck is open source and cross-platform.

Answer 9

You should try oo-browser it has awesome integration with xemacs

Answer 10

Microsoft's PREFast is also available in the Windows Driver Kit. Version 7.0 is downloadable here.

The Microsoft docs state that it should only be run against driver code but this (old) blog post lays out steps to run it. Perhaps it can be integrated into a normal build process?