Domain: klocwork.com
Stories and comments across the archive that link to klocwork.com.
Comments · 7
-
Dilbert did this in 1998
-
Absolutely
At my little corner of Lockheed Martin we use Klocwork and LDRA to analyze C/C++ embedded code for military hardware. Since the various compilers for each contract aren't nearly as full-featured as say, Visual Studio or Eclipse, I've found static code analysis tools invaluable. Can't comment on the cost/results ratio though, since I don't purchase stuff. =)
-
Klocwork
I am employee of Klocwork.
If you are researching this for you enterprise I suggest you evaluate Klocwork (and its competitors: Coverity, Grammatech, Parasoft, there are others). We handle large-scale C/C++ projects, our own codebase is much larger than yours and we run Klocwork in-house to track defects in our own code on a daily basis and on developer desktops for subprojects. In fact we successfully handled mammoth projects as big as 10M lines of code and beyond (but frankly, it is getting rather tricky at that point).
We do have product for individual developers and small shops, but for now it is Java only.
-
Re:Coverity
If you're a business, there's also KlocWork which seems to work well enough. Bit pricey and can't be installed for home use, but enterprise use is quite nice (hint: competitor to Coverity). I heard they may offer F/OSS scanning as well - one of the nice things is that you can disable a warning on a block of code once it's been verified as a false positive so a subsequent scan won't bring it up again.
-
CodeSonar + other commercial tools
I work on a commercial static analysis tool called CodeSonar. It costs money, but we do offer free trials.
Our major competitors in this space are Coverity and Klocwork.
All three tools can (to some extent) infer how a program will behave at run-time, so they find more subtle bugs than tools that just look for suspicious patterns in your code. -
C and C++ Static Analysis tools
I work on a C/C++ code base that is a lot bigger than 500k lines. I've worked with results produced by Klocwork and also with the output from Reasoning. Both of these services/packages will cost you money but both provide good insight into your code. The commercial packages generally produce more focused results with less false-positives, so while they cost you money up front, your developers will spend less time weeding out the noise.
If paying money out for a commercial package isn't your thing, don't overlook the old standby lint or splint, an updated successor.
Also well worth investigating to see how your code is actually running is Valgrind and it's associated tools. The Valgrind toolkit will give you a good idea where memory is being leaked, where variables and pointers are going off the rails. Valgrind hooks into a running program, so it's important to make sure that you test all the corners of the codebase if you go this route.
Cheers,
Toby Haynes -
Re:Fortify also very good
SuperKendall, if you are interested in evaluating Klocwork, just give us a call or, if you prefer to contact me directly: artem.frolov at klocwork dot com (I am a software developer with Klocwork). I may be able to answer your questions from developer's perspective. Are you interested in Java, C or C++? What is your main concern: security or defects?