views:

1091

answers:

4

I was recently asked about alternatives to Coverity Prevent for a code base that includes both C/C++ and Java. Obviously, on the Java side, the free tools available include Findbugs (compiled code analysis) and PMD (static code analysis). They are very powerful, especially when you start investigating integration with IDEs (which, again, are free).

However, things are dicey when you start moving into the C/C++ realm with the various compilers, architectures, etc.

I have proposed a variety of tools for the Java side, including both Findbugs and PMD. What I am looking for is the best option for the C/C++ side when considered using the following metrics:

  1. Price: free is better but can be beaten by better value. However, pricing models that charge per line of code are horrifying.
  2. Feature set: how does this tool make my life better? In what ways does it detect my mistakes before I check them in, before we ship the code, etc.?
  3. Usability: can I use the tool at my desk? Can I share the reports and / or findings? Can I integrate the tool with Fogbugz (which we use in my group)? Can I integrate the tool into CruiseControl (or the equivalent)?

The ultimate tool would be something that is as useful and usable as a combination of Findbugs and PMD with identical feature set, all for zero dollars per seat.

+2  A: 

The two that come to mind are Splint for C and Cppcheck for C++.

If you want to look for more options, this function of these tools is "static code analysis". That might help you find more tools for C and/or C++. Also, you might be interested in the answer to the question "What open source C++ static analysis tools are available?"

Thomas Owens
Thanks for the link to the wiki. In this case, I'm trying to produce a specific feature set rather than a list of all available tools. This question is specifically trying to address the reflexive response that I get when I talk about Findbugs and PMD: "Oh, nothing like that exists for C++."
Bob Cross
The tools that I linked to are, from my limited C/C++ experience, the leading non-commercial tools for static code analysis for those languages. There might be others out there, but if I needed to perform static analysis of something in one of those languages, these are the tools I would grab.
Thomas Owens
@Thomas Owens, fair enough - thanks for the recommendations.
Bob Cross
+3  A: 

C++ is a complicated enough language that the tooling for it (such as refactoring or static analysis tools) just isn't as good as Java or C#.

Gimpel Software's PC-lint is the closest thing to a standard bug-checking tool for C++ that I know of. It's commercial with a reasonable pricing model. I don't know how well it integrates with other tools.

The Clang open source project should eventually be able to do much of what you want (and looks really cool), but it's still in development.

Josh Kelley
PC-Lint is fairly easy to integrate at least from the error reporting perspective since you can configure the error message format as required by your IDE to find errors automagically.
Steve Fallows
I have to disagree on the complexity comment. I agree that it's much more *convenient* to analyze Java byte code or standard Java source.
Bob Cross
Macros, a Turing-complete compile-time template language, enough complexity and special cases that most (all?) compilers get some aspect of the standard wrong, resulting in Boost having to develop an extensive list of compiler workarounds... I like C++, but it's not a simple language, and that makes tooling harder.
Josh Kelley
@Josh Kelly, yes, there are plenty of ways to trip in C++ which is why I'm looking for the tools. In terms of writing detectors for some of these cases, it is still possible to analyze the code, even if you can't treat all hardware, compiler and library combinations. Admittedly, it's a *HUGE* pain in the *ss (relative to Java) but there are people doing it.
Bob Cross
A: 

I've used Klocwork and Rational Software Analyzer in the past, and they both work well, though both are commercial/non-free.

Harold L
+1  A: 

PC-Lint is the way to go. Unlike most of the other tools, it has full inter-function and inter-module value tracking and supports all the hairy edges of template compilation/parsing as well. I bought a personal copy for myself about 9 years ago, just because it's so cheap. I ended up using it a lot in open source projects. PC-Lint doesn't license based on LOC, it doesn't phone home, and there's no license server. It's very much on the honor system and very no-nonsense. Over the 9 years, I have found some issues in it (and those have been few and far between), but they have almost always been fixed in a few weeks.

Open-source wise, there is SMatch, based on Coverity's meta-compilation analysis techniques, which the wine project uses quite heavily to great effect. PMD's cpd (copy paste detector) sub-tool works on C++, and is really fast. For cyclomatic complexity, there's pmccabe which is easily installable via apt-get (on Linux; on Windows, I compile the source under cygwin).

PC-Lint does require some configuration to get it working well, a day or two at the most. The other tools don't work as deeply, so you can just hit the ground running with a command like "find . -name .c | xargs pmccabe | sort -n | tail -n 20"

Matt Hargett