Slashdot Mirror


What is a Good Open Source Code Analysis Tool?

carlmenezes asks: "I volunteer when I can to help a poor educational institution in India with their computing needs. As you can imagine, most computers are from donations and very little money (if any) can be spent on software licensing. Therefore, the installed software is all Open Source and I do all of the software installation by myself. I have already installed Linux on 16 PCs, with Firefox. The default desktop is KDE and the kdeedu package (klettres in particular) has several loyal fans. Incidentally, the kids don't find it hard to use at all and the lack of 3D doesn't bother them in the least :) I would like to ask the community about a good source code analysis tool. I have already installed Source Navigator. Is there any other comparable open source tool?" "The analysis tools would be for those students that show more interest than the others in programming. There is a lot of source code in there for them to look at it if they want to. I'm looking more at C/C++ than anything else. There are some very bright students and I would like them to be able to move beyond ordinary school programming if they feel like it. No, there is no Internet connection. I bring in the software on CDs and install it."

  1. Use Java instead by nganju · · Score: 4, Informative

    There are two very good open source IDEs for Java, NetBeans and Eclipse (I personally prefer Eclipse).

    If you're teaching beginners how to program, Java is simpler anyway. You don't have to understand memory allocation and pointers because it's all taken care of for you. Also you can write non-object-oriented programs to start with by making all functions static.

    This way you can start with very simple programs and work your way up to introducing more advanced concepts, like object-oriented, or memory allocation etc.

    If you insist on learning with C/C++, I would lobby with the executives at a company like Borland. They usually have the power to throw a few copies your way, as long as they're convinced that it is a philanthropic effort (it makes them look good).

    --
    There are 2 kinds of people in this world. Those that can keep their train of thought,
    1. Re:Use Java instead by cariaso1 · · Score: 3, Informative

      Eclipse is excellent, but requires a decent machine.

    2. Re:Use Java instead by Anonymous Coward · · Score: 2, Informative

      Eclipse will also support C/C++ with this plugin: http://www.eclipse.org/cdt/

    3. Re:Use Java instead by jdowland · · Score: 2, Insightful

      He wants a source navigator to look at existing code - how many quality open source apps are written in java? Ok, now how many of them are they likely to have experienced, using Linux/KDE/kdeedu?

  2. What are the requirements? by MarkLewis · · Score: 2, Insightful

    Maybe I didn't fully understand your question, so please correct me if I am mistaken.

    But what about popular C/C++ IDE's as KDevelop and Anjuta? Are those not the sort of tools you're looking for?

  3. Source Navigator is fine by ratboy666 · · Score: 2, Informative

    I find that snavigator is quite good for source analysis. If you want a "lighter" tool, cscope can be used. But snavigator also supports fortran, cobol, etc. "out of the box".

    So, I think that it's a fine tool for teaching. Most other "IDE"s tie you in to a particular system or language, which snavigator doesn't. I've used it for the Linux kernel, Solaris, and Windows (among other things).

    It's a bit slow building its cross-reference database, though, so for larger source bases you do want access to a "big" machine. You can share the results after the xref is built (the same is possible with cscope).

    Good luck with your project!

    Ratboy.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  4. Cscope, Lint by n1ywb · · Score: 5, Informative
    From the Cscope web site:
    Cscope is a developer's tool for browsing source code. It has an impeccable Unix pedigree, having been originally developed at Bell Labs back in the days of the PDP-11. Cscope was part of the official AT&T Unix distribution for many years, and has been used to manage projects involving 20 million lines of code!

    In April, 2000, thanks to the Santa Cruz Operation, Inc. (SCO) (since merged with Caldera), the code for Cscope was open sourced under the BSD license.

    • Allows searching code for:
      • all references to a symbol
      • global definitions
      • functions called by a function
      • functions calling a function
      • text string
      • regular expression pattern
      • a file
      • files including a file
    • Curses based (text screen)
    • An information database is generated for faster searches and later reference
    • The fuzzy parser supports C, but is flexible enough to be useful for C++ and Java, and for use as a generalized 'grep database' (use it to browse large text documents!)
    • Has a command line mode for inclusion in scripts or as a backend to a GUI/frontend
    • Runs on all flavors of Unix, plus most monopoly-controlled operating systems.

    From the Splint (a modern version of Lint) web site:

    Splint[1] is a tool for statically checking C programs for security vulnerabilities and programming mistakes. Splint does many of the traditional lint checks including unused declarations, type inconsistencies, use before definition, unreachable code, ignored return values, execution paths with no return, likely infinite loops, and fall through cases. More powerful checks are made possible by additional information given in source code annotations. Annotations are stylized comments that document assumptions about functions, variables, parameters and types. In addition to the checks specifically enabled by annotations, many of the traditional lint checks are improved by exploiting this additional information.

    As more effort is put into annotating programs, better checking results. A representational effort-benefit curve for using Splint is shown in Figure 1. Splint is designed to be flexible and allow programmers to select appropriate points on the effort-benefit curve for particular projects. As different checks are turned on and more information is given in code annotations the number of bugs that can be detected increases dramatically.

    Problems detected by Splint include:

    • Dereferencing a possibly null pointer (Section 2);
    • Using possibly undefined storage or returning storage that is not properly defined (Section 3);
    • Type mismatches, with greater precision and flexibility than provided by C compilers (Section 4.1-4.2);
    • Violations of information hiding (Section 4.3);
    • Memory management errors including uses of dangling references and memory leaks (Section 5);
    • Dangerous aliasing (Section 6);
    • Modifications and global variable uses that are inconsistent with specified interfaces (Section 7);
    • Problematic control flow such as likely infinite loops (Section 8.3.1), fall through cases or incomplete switches (Section 8.3.2), and suspicious statements (Section 8.4);
    • Buffer overflow vulnerabilities (Section 9);
    • Dangerous macro implementations or invocations (Section 11); and
    • Violations of customized naming conventions. (Section 12).
    --
    -73, de n1ywb
    www.n1ywb.com
    1. Re:Cscope, Lint by carlmenezes · · Score: 2, Interesting

      Thanks! CScope is something like what I had in mind. I definitely will check it out this weekend. Also came across CBrowser (the front end to CScope), but then cscope is built into vi, which is the most popular console based text editor here :)

      Splint is already installed. What I would like to do is to show the tool to those that are interested, give them a short lesson on it and then leave them to their own devices and let their curiosity make them learn.

      --
      Find a job you like and you will never work a day in your life.
  5. The best tool is the human body by JPyObjC+Dude · · Score: 4, Insightful

    Just do the following:

    1) Learn how to program.
    -- nuf said.
    2) Write clean code
    -- Proper indenting **
    -- sufficient commenting
    3) Less code is more
    -- More lines is more intimidating than less
    -- However, there is a limit (ie Perl)
    -- More you can fit on one screen the easier to debug
    4) Be a structured programmer
    -- It should not matter what language you are programming in. The structures should always be the same.
    5) Learn and use language level error handling
    -- This will enable you to fully understand how to debug your code
    -- Stack traces are a must for any procedural or OO code
    6) Make your programs chatty
    -- Log files are good but make sure there is a way to easily turn off logging features so that you can speed up programs when you are happy.
    7) Learn how to tail log files
    -- tail is available on every operating system
    --- GNUUtils for win32
    --- *nix (Linux, Unix, OSX ...)
    8) Write blind code as much as possible
    -- IDE's are very powerful but I always write all my code in a text editor totally blind (no compilation, syntax validation...)
    -- If you become dependent on the system to tell you what is wrong, you will not learn to SEE the problem.
    --- Often times, when I get an error and I know I just changed a piece of code I will not even read the error. I'll just look at the line of code that I changed and visually look for the error. If you don't learn how to do this, then programming probably is not for you.
    9) Got errors, don't worry
    -- All coders get errors.
    -- Only a few times I have written dozens of lines of blind code and not gotten at least one error. I was amazed when I did.
    -- Don't get stressed out. Just be pragmatic and move being objective with the error.

    That's probably a good start.

    Personally I would not trust programs in telling me where coding problems are anyhow. I find it akin to using anti-spyware programs on a win32 box where it would be easier to just not use IE and be more conscious of the operating system we use. The latter takes a little more understanding but in the end all will be better :]

    JsD
    (Java+Python+ObjC-on-BSD-with-firefox==happiness:)

    1. Re:The best tool is the human body by angel'o'sphere · · Score: 4, Insightful


      8) Write blind code as much as possible
      -- IDE's are very powerful but I always write all my code in a text editor totally blind (no compilation, syntax validation...)
      -- If you become dependent on the system to tell you what is wrong, you will not learn to SEE the problem.
      --- Often times, when I get an error and I know I just changed a piece of code I will not even read the error. I'll just look at

      That's probably a good way for learning programming (I learned like that, because today's tools were magic in my time), but I doubt it's a good way to work.
      With a good IDE you are ten times faster than with Notepad-like simple editors. Even VI or VIM with good ctags/jtags support and code completion is already nice.

      For C++/Java etc. use Eclipse.
      For Java use Eclipse/IDEA IntelliJ or CodeGuide (in reverse order).

      Probably you should determine the language you want to teach first. If you use Python, you should look for a decent Python IDE.

      angel'o'sphere

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  6. valgrind by yamla · · Score: 4, Informative

    valgrind and associated add-ons are absolutely amazing and quite useful for C and C++ programming.

    Nobody should be caught dead writing C++ programming without at least knowing about Boost's libraries. Not really analysis tools but useful nevertheless.

    --

    Oceania has always been at war with Eastasia.
  7. linux cross reference by StyXman · · Score: 4, Informative

    lxr (http://lxr.linux.no/) was developed with the kernel in mind, but now it works with any C, C++, python, perl and other languages (those supported by exuberant-ctags). I used it in several projects and, in conjunction with tabbed browsing, I think it's all I need. Dependencies are: mysql, perl, apache, exuberant-ctags.

  8. myer by biryokumaru · · Score: 2, Interesting
    myer:

    http://home.comcast.net/~jyavner/myer/

    --
    When you're afraid to download music illegally in your own home, then the terrorists have won!
  9. gcc -Wall by oo_waratah · · Score: 2, Informative

    The gcc compiler has quite a number of checks built into it. For example uninitialised variables checks if you use -Wuninitialise. A good first pass on code is to compile -Wall and clean up the problems reported.

    You might want to read Steve McConnell on writing solid code to see a full explanation as to why.

    1. Re:gcc -Wall by MrResistor · · Score: 2, Interesting

      That seems like the best way to me as well. It's always better to learn to do something "by hand" first, then bring in the automation later to speed things up (and not just in academic subjects like programming either, as I learned while designing and building custom industrial robots a few jobs ago).

      Anyway, slightly OT, but I haven't been that impressed with kdeedu. It feels very much like an open source project to me (in the negative sense), or at least what comes with Suse 9.1 does anyway. I like gcompris much better.

      In fact, I like gcompris better than any of the commercial apps I've looked at, all of which are very insipid in the "baby talk" kinda way. Gcompris treats the child like an intelligent human being, which is very important IMO. I've always tried to treat my daughter that way, and as a result her vocabulary often gets her mistaken for being 1-3 years older than she is.

      I'm sure that, like the rest of KDE, kdeedu is progressing very quickly. Still, I highly recommend gcompris to anyone who wants some high quality educational software for their child.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
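
Added example, not part of any comment in this thread: one small C file containing the defect classes the comments above associate with gcc -Wall (an uninitialised variable; GCC spells the option `-Wuninitialized`, and `-Wall` includes it), Splint (a possibly null pointer, plus ownership annotations) and valgrind (a heap write past the end of a block), next to a corrected version. The function names, the `SHOW_DEFECTS` macro and the sample path are constructed for illustration.

```c
/* Added example, not from the thread; all names and inputs are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef SHOW_DEFECTS
/* Before: excluded from the default build; do not call it. */
char *join_path_bad(const char *dir, const char *file, int *depth_out)
{
    const char *p;
    int depth;                                       /* never initialised */
    char *path = malloc(strlen(dir) + strlen(file)); /* no room for '/' and NUL */
    strcpy(path, dir);                               /* path may be NULL here */
    strcat(path, "/");
    strcat(path, file);                              /* writes past the block */
    for (p = path; *p != '\0'; p++)
        if (*p == '/')
            depth++;                                 /* reads an undefined value */
    *depth_out = depth;
    return path;
}
#endif

/* After. Splint annotations: result may be NULL; the caller owns and frees it. */
/*@null@*/ /*@only@*/ char *join_path(const char *dir, const char *file, int *depth_out)
{
    size_t dlen = strlen(dir), flen = strlen(file);
    const char *p;
    int depth = 0;
    char *path = malloc(dlen + 1 + flen + 1);        /* dir + '/' + file + NUL */
    if (path == NULL)
        return NULL;
    memcpy(path, dir, dlen);
    path[dlen] = '/';
    memcpy(path + dlen + 1, file, flen + 1);         /* copies the NUL too */
    for (p = path; *p != '\0'; p++)
        if (*p == '/')
            depth++;
    *depth_out = depth;
    return path;
}

int main(void)
{
    int depth = 0;
    char *path = join_path("kdeedu/klettres", "main.cpp", &depth);
    if (path == NULL) return 1;
    printf("%s has %d separators\n", path, depth);
    free(path);                                      /* release the owned block */
    return 0;
}
```

Compiling with `gcc -Wall -O2 -DSHOW_DEFECTS` brings the flawed version into the build so the compiler's diagnostics can be compared with what Splint and valgrind say about the same function. The `/*@...@*/` annotations are ordinary comments to the compiler and are read only by Splint.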
  10. Burn Heretic!! by ObsessiveMathsFreak · · Score: 2, Interesting

    Begone foul troll!! Java is the work of the devil!! And eclipse is its dark whore, complete with multiple blasphemous plugins! Repent! Install perl and ye may yet be saved. Turn back now from the dark path of restricted languages and walk the path of the true believers.

    In short, I disagree that Java is easier to teach to beginners. Not only must they immediately grasp object orientation and functions, they must also work with Java's quite restrictive language constructs. I do agree that C++ is not a very good language for beginners. C maybe, with some STL added. I would still be of the opinion that beginners are best starting off with BASIC or perl (without mentioning regular expressions). They need a language that starts very simple so they can wrap their heads around programming and start spitting out a few programs, without getting bogged down by advanced concepts.

    --
    May the Maths Be with you!
  11. Doxygen by gregRowe · · Score: 2, Insightful

    Doxygen is fantastic for source code browsing. http://www.doxygen.org

    --
    There's no place like ~