tags:

views:

805

answers:

8

What tools do you use to check your C code ?

That is, a tool that helps you determine if you don't have unwanted infinite loop, if you silently cast enum to int, etc. (like a C lint)

Please, precise if it is opensource and on which OS is runs.

Edit : telll also which C standard it supports

+3  A: 

There is splint, opensource, many OS, but doesn't support C99 C standard. http://www.splint.org/

ofaurax
+6  A: 

First off (since it takes no effort) gcc -Wall (as Geoff mentions in his comment there are other warnings that need to be explicitly enabled)

The open source Splint is also good, and runs on pretty well any unix-like OS.

Since the question was about C, it's worth mentioning Misra. This is a set of recommendations aimed at minimising more error prone elements of the language. There are a number of Misra code checkers. Amongst others are these offerings from Abraxas and Greenhills

Andrew Edgecombe
Note that -Wall doesn't turn everything on, so you have to add some more -W options. Also, -Werror to keep yourself honest by having to fix all the warnings.
Greg Hewgill
+2  A: 

I don't think that there is a single tool that can assure your code quality. There is a various static code analyzer and it was discussed many times for example here. But nothing will replace a code review and QA process completely.
The combination of skilled programmers, good tools and good processes will make quality of your code better.

Ilya
+2  A: 

I use Gimpels PC-lint which is not open source, but is a pretty good static code analysis tool for C and C++, and is available for many operating systems. I use PC-Lint in conjunction with Visual lint which makes it much easier to use in the background.

Shane MacLaughlin
A: 

If you happen to use Visual Studio, it's built-in static code checker has surprised me at least once.

You either enable the compiler option /analyze (found under 'Project' -> 'Properties' -> 'Configuration Properties' -> 'C/C++' -> 'Advanced') or run just the analysis with 'Build' -> 'Project only' -> 'Run Code Analysis on ...'

(I was actually pretty surprised to find it under 'Advanced', and NOT enabled by default ...)

Christoffer
A: 

We use the Green Hills compiler that has support for The Motor Industry Software Reliability Association rules aka MISRA C. There is also stand alone checkers available. Depending on what you want to do it can be a bit over kill.

Gerhard
A: 

I tried VC9 Code Analysis as chistoffer said on an ARMV4I DLL project but responds:

1>c1xxast : fatal error C1108: unable to find DLL: 'mspft80.dll'

I'm sure VS2008 is installed properly, but seems I've a missing component.

Hernán
A: 

Have a look at Flawfinder, written by David Wheeler and available on from his home page. An excellent static security analyser that is a good starting point when looking at code.

CAVEAT EMPTOR

Remember that this is no replacement for careful inspection by someone experienced in security, as David says on his page about Flawfinder, "A Fool with a Tool is still a Fool"!

HTH

cheers,

Rob

Rob Wells