Static Code Analysis and Cppcheck
DESCRIPTION
A brief introduction to Cppcheck, a static code analysis tool for C++ source code.
TRANSCRIPT
Static Code Analysis
Survey of Tools
Cppcheck
Goal: Provide confidence that code is correct just by looking at it (without building or executing it).
Helps us find easy bugs buried in thousands of lines of code (not something people are great at).
Formal Methods
Code Metrics
Reviews and Inspection
Formal Methods:
◦ Mathematical!
◦ Require a mathematical model and assertions!
◦ Often require modeling the system as a finite state machine and verifying each state and transition.
Formal Methods: Too difficult! Static analysis is supposed to save time.
Code Metrics:
• Identify areas where bugs are likely.
• Based on measures of code complexity rooted in graph theory (e.g. Cyclomatic complexity).
Code Metrics: Good, but doesn’t directly identify defects.
Reviews and Inspection:
• Just look at the code and try to find suspicious patterns.
• Basically what we do when performing code reviews.
Reviews and Inspection: Works pretty well!
Survey of Tools
Three Popular Commercial Tools:
◦ PC-Lint
◦ Klocwork Insight
◦ Coverity Prevent
One Free Software Tool:
◦ Cppcheck
PC-Lint:
◦ Commercial
◦ Works for C code
◦ Often reports many false positives.
◦ Probably the cheapest after Cppcheck (which is free)
Klocwork Insight:
◦ Commercial
◦ A spin-out of Nortel Networks
◦ Also includes project management and project visualization capabilities.
Coverity Prevent:
◦ Commercial
◦ Identified over 6000 bugs across 53 open-source projects.
◦ Developed from research at Stanford University.
Cppcheck:
◦ Open source
◦ Under active development.
◦ Has found > 400 bugs in open-source projects.
◦ Free!
Cppcheck
Detects bugs in C and C++ source that compilers normally do not warn about!
Cross-platform (Windows, Linux, etc.)
Fancy Qt-based GUI client!
◦ Also available in a command-line version
Usable via plugins from various IDEs (but not Visual Studio):
◦ Eclipse
◦ Code::Blocks
◦ Hudson, Jenkins
Packages maintained for FreeBSD, Debian and Ubuntu systems (sudo apt-get install cppcheck)
Used to find bugs in many open-source projects:
◦ Linux Kernel: > 40 bugs found and fixed
◦ VLC Player: > 20 bugs found and fixed
◦ Others: 7-zip, curl, git, etc.
Bounds checking for array overruns
Memory and resource leaks
Unused private class functions
Use of deprecated functions
Wrong # of arguments given to printf or scanf
Switch cases that fall through suspiciously
Dozens of others…
Example 1: Cppcheck's annotations on a sample program
◦ Possible buffer overrun
◦ Should be “delete[] buf”
◦ Memory leak: buf
◦ Resource leak: file
Cppcheck finds many of the issues with that code (but not all).
Example 2:
◦ Buffer overrun
◦ Suspicious format specifier for a pointer to a C string (but not necessarily a bug)
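The sample program those annotations refer to is not reproduced in the transcript, so the following is an added example (written for this page, not taken from the slides or from the Cppcheck project) containing one instance of each defect class the annotations name, followed by a corrected version written the way a reviewer would want it. The function names, the 8-byte buffer and the 64-byte line buffer are assumptions of the example; the buggy routine is kept only to show the patterns and is never called.

```cpp
#include <cstdio>
#include <cstring>
#include <fstream>
#include <sstream>
#include <string>

// Deliberately buggy routine (added example, never called): one instance of each defect class
// the slide's annotations name. Each comment quotes the corresponding annotation.
void buggyReadFirstLine(const char* name) {
    char small[8];                       // assumed fixed-size buffer
    std::strcpy(small, name);            // Possible buffer overrun: name may be longer than 7 chars
    char* buf = new char[64];
    FILE* file = std::fopen(name, "r");
    if (!file)
        return;                          // Memory leak: buf (never freed on this path)
    if (std::fgets(buf, 64, file))
        std::printf(buf);                // Suspicious format specifier: buf is data, not a format
    delete buf;                          // Should be "delete[] buf" (array new, scalar delete)
    // Resource leak: file (fopen without fclose)
}

// Bounded copy: refuses (returns false) instead of overrunning dst when src does not fit.
bool copyBounded(char* dst, std::size_t dstSize, const char* src) {
    std::size_t n = std::strlen(src);
    if (dstSize == 0 || n >= dstSize) return false;   // need room for the terminating NUL
    std::memcpy(dst, src, n + 1);
    return true;
}

// Reads one line into a std::string: it grows as needed, and there is nothing to delete.
std::string firstLine(std::istream& in) {
    std::string line;
    std::getline(in, line);
    return line;
}

// RAII file handle: std::ifstream closes itself on every return path, so no resource leak.
std::string firstLineOfFile(const std::string& name) {
    std::ifstream file(name);
    if (!file) return "";
    std::string line = firstLine(file);
    std::printf("%s\n", line.c_str());   // literal format string; the data is an argument
    return line;
}

int main() {
    char name[8];
    std::printf("short fits: %d\n", copyBounded(name, sizeof name, "short"));
    std::printf("long fits: %d\n", copyBounded(name, sizeof name, "far-too-long-name"));
    std::istringstream constructed("first line\nsecond line\n");   // constructed sample input
    std::printf("%s\n", firstLine(constructed).c_str());
    return 0;
}
```

Running cppcheck with --enable=all over a file containing the first routine reports the four annotations from the slide; the corrected functions give it nothing to report because every fixed-size write is length-checked and every resource is owned by an object whose destructor releases it.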
How it works: Source File → Preprocessor → Tokenizer → Simplifier → Checks → Results → Happy Developer
Tokenizer
void foo(char* str) { if (str == 0) printf(str); else printf("Whoa"); }
Simplifier
Indentation, spacing, NULL-checks and braces are normalized to simplify checks!
void foo ( char * str ) { if ( ! str ) { printf ( str ) ; } else { printf ( "Whoa" ) ; } }
Checks and Results
Each check iterates over the tokens, and reports if it finds a suspicious pattern!
Checks implemented as C functions or XML documents that describe the pattern to look for.
Results categorized as error, warning, style, performance, portability, or informative.
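The tokenizer, simplifier and check slides describe the pipeline without showing code for it, so here is an added miniature of that pipeline (written for this page; it is not Cppcheck's own source): a tokenizer, a simplifier that performs the normalizations the slide lists (NULL-checks rewritten to "!", braces added around single-statement bodies), and two pattern checks that iterate over the resulting tokens. The function names, the operator table and the two check heuristics are assumptions of this example; on the slide's sample function the simplifier reproduces the token line shown above exactly.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

using Tokens = std::vector<std::string>;

static bool isIdent(const std::string& s) { return !s.empty() && (std::isalpha((unsigned char)s[0]) || s[0] == '_'); }

// Tokenizer: split C source into identifiers/numbers, string literals and operators.
Tokens tokenize(const std::string& src) {
    static const char* ops2[] = {"==", "!=", "<=", ">=", "&&", "||", "++", "--", "->"};
    Tokens out;
    for (size_t i = 0; i < src.size();) {
        unsigned char c = src[i];
        if (std::isspace(c)) { ++i; continue; }
        size_t j = i;
        if (std::isalnum(c) || c == '_') {               // identifier or number
            while (j < src.size() && (std::isalnum((unsigned char)src[j]) || src[j] == '_')) ++j;
        } else if (c == '"') {                           // string literal, honouring \" escapes
            for (++j; j < src.size() && src[j] != '"'; ++j) if (src[j] == '\\') ++j;
            ++j;
        } else {                                         // one- or two-character operator
            j = i + 1;
            for (const char* op : ops2) if (src.compare(i, 2, op) == 0) { j = i + 2; break; }
        }
        out.push_back(src.substr(i, j - i));
        i = j;
    }
    return out;
}

// Index of the ')' matching the '(' at position open, or t.size() if unbalanced.
static size_t matchParen(const Tokens& t, size_t open) {
    int depth = 0;
    for (size_t i = open; i < t.size(); ++i) {
        if (t[i] == "(") ++depth;
        else if (t[i] == ")" && --depth == 0) return i;
    }
    return t.size();
}

// Wrap the single statement starting at index start in braces unless it already is a block.
static void braceStatement(Tokens& t, size_t start) {
    if (start >= t.size() || t[start] == "{") return;
    size_t end = start;
    for (int depth = 0; end < t.size(); ++end) {
        if (t[end] == "(") ++depth;
        else if (t[end] == ")") --depth;
        else if (t[end] == ";" && depth == 0) break;
    }
    if (end >= t.size()) return;
    t.insert(t.begin() + end + 1, "}");
    t.insert(t.begin() + start, "{");
}

// Simplifier: NULL -> 0, "( x == 0 )" -> "( ! x )", "( x != 0 )" -> "( x )", and braces around
// single-statement if/else bodies, so that every check sees one canonical shape.
Tokens simplify(Tokens t) {
    for (auto& tok : t) if (tok == "NULL") tok = "0";
    for (size_t i = 0; i + 4 < t.size(); ++i) {
        if (t[i] != "(" || !isIdent(t[i + 1]) || t[i + 3] != "0" || t[i + 4] != ")") continue;
        if (t[i + 2] == "==") { t[i + 2] = t[i + 1]; t[i + 1] = "!"; t.erase(t.begin() + i + 3); }
        else if (t[i + 2] == "!=") t.erase(t.begin() + i + 2, t.begin() + i + 4);
    }
    for (size_t i = 0; i < t.size(); ++i) {
        if (t[i] == "if") braceStatement(t, matchParen(t, i + 1) + 1);
        else if (t[i] == "else" && i + 1 < t.size() && t[i + 1] != "if") braceStatement(t, i + 1);
    }
    return t;
}

std::string join(const Tokens& t) { std::string s; for (size_t i = 0; i < t.size(); ++i) s += (i ? " " : "") + t[i]; return s; }

// Check 1 (warning): printf whose format argument is a variable rather than a string literal.
std::vector<std::string> checkFormatString(const Tokens& t) {
    std::vector<std::string> out;
    for (size_t i = 0; i + 2 < t.size(); ++i)
        if (t[i] == "printf" && t[i + 1] == "(" && isIdent(t[i + 2]))
            out.push_back("warning: non-literal format string passed to printf: " + t[i + 2]);
    return out;
}

// Check 2 (error): a pointer just tested with "if ( ! x ) {" is passed to a function inside that
// block, i.e. used while known to be null. A simplified heuristic, not Cppcheck's own logic.
std::vector<std::string> checkNullAfterTest(const Tokens& t) {
    std::vector<std::string> out;
    for (size_t i = 0; i + 5 < t.size(); ++i) {
        if (t[i] != "if" || t[i + 1] != "(" || t[i + 2] != "!" || t[i + 4] != ")" || t[i + 5] != "{") continue;
        const std::string& var = t[i + 3];
        int depth = 1;
        for (size_t j = i + 6; j < t.size() && depth > 0; ++j) {
            if (t[j] == "{") ++depth;
            else if (t[j] == "}") --depth;
            else if (t[j] == var && (t[j - 1] == "(" || t[j - 1] == ","))
                out.push_back("error: possible null pointer dereference: " + var);
        }
    }
    return out;
}

int main() {
    const std::string src = "void foo(char* str) { if (str == 0) printf(str); else printf(\"Whoa\"); }";  // the slide's input
    Tokens toks = simplify(tokenize(src));
    std::printf("%s\n", join(toks).c_str());
    for (const auto& f : checkFormatString(toks)) std::printf("%s\n", f.c_str());
    for (const auto& f : checkNullAfterTest(toks)) std::printf("%s\n", f.c_str());
    return 0;
}
```

On the slide's input the program prints the simplified token line and then one finding from each check. Both checks are simple because the simplifier has already rewritten "str == 0" to "! str" and inserted braces, so they only ever have to match one token shape; that is the reason Cppcheck normalizes before checking.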
Cppcheck is a free tool for finding bugs in C++ source code.
It works by parsing the source code, splitting it into tokens and finding suspicious patterns in the tokens.
Official project page:
◦ http://cppcheck.sourceforge.net/
Official source repository:
◦ https://github.com/danmar/cppcheck