Static analysis of C ++ code

For me, the beauty of C ++ lies primarily in the permissiveness and terrifying power of the language. We can work with memory as tightly as in C, and at the same time we have such means of abstraction as templates and STL, where you can parameterize anything and anything.
The fee for this is appropriate - not always intelligible compiler errors (try to forget to put a semicolon after determining the class), a very long period of preparation and training of programmers, but most importantly, some bugs become visible only during the execution of the program.
We want more useful versions before launching our programs. One of the means of obtaining the desired - static code analysis. Static means not running the program. Not only probable errors, cases of undefined behavior, memory leaks are interesting, but also things like inaccessible / unused code, recommendations for enhancing the intuitiveness of the programming style.

Means for obtaining software metrics extracted by static analysis methods are not considered in this article. Remarks related to programming standards (the curly bracket should be on a separate line, oooooooh !!) are not interesting either.
The evaluation criteria are simple - the number and usefulness of the found bugs, ease of use (in particular, the absence of code modification requirements), free / reasonable price / good crack.
We carry out a primary review and give a bundle of links to the surface:

• Static_code_analysis
• Wikipedia
• Scott Meyers article on analyzers
• topic on stack overflow about free analyzers

Found things

Gcc pedant keys

First of all, it is necessary to use all possible regular means. gcc provides the following interesting clues related to increasing compiler and preprocessor vigilance.

• -Wall includes all versions, including compatibility with the new standard, array boundaries (in my opinion, does not plow, although they say that it will work with -O2), volatile / register variables (reports that he does not care for your buzzwords and what // register //, and what not, it will decide itself), the following points (i ++ + ++ i)
• -Wextra - another bundle of vornings of the type of empty bodies in if, a comparison between signed and unsigned
• -pedantic - following ISO C ++ standard. For example, the prohibition of the type long long.
• -Weffc ++ must have option. It is not included with -Wextra or -Wall and contains a check of Scott Meyers recommendations:
• • Item 11: dynamically allocated memory.
  • Item 12: Prefer initialization to assignment in constructors.
  • Item 14: Make destructors virtual in base classes.
  • Item 15: Have "operator =" return a reference to * this.
  • Item 23: You must return an object.
  • Item 6: Distinguish between prefix and postfix forms of increment and decrement operators.
  • Item 7: Never overload "&&", "||", or ",".
• -Woverloaded-virtual - overloading of virtual functions looks bad.
• -Wctor-dtor-privacy - unused classes - with private constructors and destructor
• -Wnon-virtual-dtor - non-virtual destructor
• -Wold-style-cast - C-style cast - this is bad
• -Werr = 'type of Vorning' - perceive Vorning as an error. For configuring Samurai -Werr without parameters
• -Wconversion -Wsign-conversion - a type conversion conversion. at which value may change. Oddly, not included in -Wall
• -Winit-self - int i = i;
• -Wunreachable-code - code that will never be executed

Of course, not himself so clever, but read everything here in this man-article about the keys associated with the warnings

Cppcheck

Perhaps the most worthy of the programs found.
The official site of the program and its plug-in for eclipsoids. It recognizes quite a lot, finds the following errors:

• some memory leaks, for example, the absence of delete and delete [], the absence of delete in the destructor
• array overrun
• exception throwing in destructor
• null pointer dereference
• dereference after clearing the memory
• virtuality base class destructor
• using the same iterator for different containers
• different smaller things

It is possible to mark classes as smart pointers (so as not to report on false memo cards), a GUI on Qt4.

Vera ++

Vera ++ , unlike cppcheck, is focused on style checking. It has an updated rule base. By default, there are a lot of really idiotic pieces like “there must be a space before the colon” ​​in the database. The only useful feature is a ban on using the namespace in header files. Rules, however, you can write yourself in the Tcl language. :)
')

Rats

RATS tells pretty convincing horror stories about security and buffer overflow attacks. I didn’t intently look at it because I don’t know very much about the protected code.

Checkers for C without pluses

Surprisingly, pure C programmers seem to care more about static analysis. Here we have a list of one and two

Will they be useful for positive developers? If you have code without classes and you remember which C ++ programs will not be built with the C compiler, then why not?

Splint

Such a thing is for pure C. It is assembled with little or no effort, but it works cleanly and is looking for a lot of things - see the manual.

Simian

Simian - similarity analyzer. Looking for duplicate code, it means. Honestly, I did not come up with her application

CIL

CIL - With Intermediate Language. Compiles C to simplified C! Simplified C can already be fed to other analyzers, which theoretically should improve the quality of their work.

Incomprehensible, oftopic

• Oink . Be careful if you want to use it. When compiling it seemed to me that I was assembling at least the linux kernel for some kind of exotic architecture. It requires Flex and Bison, for a long time I guessed ... (:: It’s also necessary to fix a bunch of compilation errors - it seems that the developers didn’t do something that they never run - they didn’t collect even once. In the end, the beast defeated, but turned out to be not impressive. It works with the preprocessor files, but gives out some nonsense for them: by setting a simple mistake with the array border - I get silence. If you feed oink something on C ++ with STL many lines. And I received it at the cost of 3 hours of compilation and editing of source codes?
• Mozilla Dehydra is something based on this very Oink. I would be glad if someone tells about this checker, because the word Mozilla this time does not mean "everything is simple and clear." I did not see the list of found bugs, I did not want to compile after Oink.
• There are also compilers that provide more Vorning based on static analysis. For example Rose
• Rational Purify - the renowned IBM Rational company has its own set of tools for static and dynamic analysis. I would be glad if someone will tell about this program, trials for Linux they turned out only for x64-architecture.

Trial / Cracked Software

A little of his such. Many analyzers are worth a lot of dollars and do not have cracks.
Here is an example of such an analyzer, you can go to their website and ask for trials of Cleanscape . The possibilities are not much different from cppcheck.

What else would you like

Not all errors in the code that are amenable to static analysis were presented in existing programs. And I would like to:

• Exception specification policy as in Java.
• using auto_ptr in STL containers, dereferencing auto_ptr after assigning to another auto_ptr.
• using namespace in h-files
• override delete without new or new without delete
• call delete [] for non-arrays
• using vector with bool values ​​inside