Slashdot Mirror

← Back to Stories (view on slashdot.org)

Static Code Analysis Tools?

Posted by Cliff on from the something-else-for-the-tool-box dept.

rewt66 asks: "We are looking for a good static analysis tool for a fairly large (half a million lines) C/C++ project. What tools do you recommend? What do you recommend avoiding? What experience (good or bad) have you had with such tools?"

8 of 87 comments (clear)

  1. Prodev Workshop by dwater · · Score: 3, Informative

    I found the static analyser in SGI's Prodev Workshop to be quite excellent, though that was a while ago and I am comparing it with nothing - I'm not sure how it stacks up against more recent offerings :

    http://www.sgi.com/products/software/irix/tools/pr odev.html#B

    Looks like it's IRIX only though, so YMMV, to put it mildly.

    --
    Max.
  2. Re:Ideas by Anonymous Coward · · Score: 4, Insightful

    1. If you have 500k lines in a single project, consider re-factoring it into separate libraries that you can divide and conquer. Also, if you have 500k lines of code, consider cleaning it up, re-factoring it, etc. Fewer lines of code is more impressive than more.

    That's great and all, but some things just take a lot of code. Refactoring into libraries only goes so far, you're still going to have a ton of code, it'll just be split up in libraries. That's useful, and it's good advice, but since the poster didn't ask about it, you could at least give him the benefit of the doubt and assume the project is already organized appropriately. Half a million lines isn't that big, certainly not big enough to automatically assume their codebase is organized badly.

  3. Static analysis tool? by Moggyboy · · Score: 5, Funny

    India.

    --
    Work smarter, not harder.
    1. Re:Static analysis tool? by tfinniga · · Score: 4, Funny

      doing cut'n paste coding
      Seriously, that's a huge problem. All of a sudden your code stops working, and when you check it out, it's all missing.
      "Sorry, I needed it somewhere else."

      Copy and paste coding is much better.
      --
      Powered by Web3.5 RC 2
  4. Coverity by LLuthor · · Score: 4, Informative

    I strongly suggest you look at coverity.

    They have excellent checks as well as the best framework for creating custom tests that I have ever come across.

    NOTE: I am not affiliated with coverity, just a very satisfied user.

    --
    LL
  5. FlexeLint / PC-lint by DoofusOfDeath · · Score: 4, Informative

    http://www.gimpel.com/html/lintinfo.htm/

    I've never tried it for a code base as large as 500k. My guess it that I used it up to 15k. I was very pleased with it. I agreed with just about every warning it raised, and was able to easily suppress individual instances or whole classes of errors. I also found it somewhat easier to get started with compared to the big tools from Rational et al.

    I think it's a bit pricey for a an open-source coder like me, but it should be cheap enough for a company with a tools budget.

  6. All the statistics I ever use by Bromskloss · · Score: 3, Funny

    wc project.c

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  7. What software analysis tool? That all depends... by hAckz0r · · Score: 3, Informative
    There are many software tools out there for static analysis, but differ in what they do or who they target as their customer. The big names in my mind are Coverty, Fortify, Prexis, and PolySpace. I only have personal experience with Prexis and PolySpace so I will just speak to those.


    One important thing to consider is the set of compilers, tools, target system, and build environments you are using. If you are using MS only products the you will most likely have very good support because most all source code analysis suits will simply import the build information and you will be off and running right away. If your environment is Unix or embedded systems then things may be more difficult because you will need to hook into the build process somehow. The scanner tools usually intercept the CC command from a "make" build and call their back end using their custom processing rather than the compiler proper. Different products do this in different ways so be sure the product you choose knows how to deal with your specific build environment. In my case I walked into another parties environment and needed to simulate a build for a new build environment that I had never seen before, every time. Not one environment ever looked like the next, so the setup and configuration was always a big challenge, just to get started.

    Prexis is primarily a tool for life cycle scanning of source code for security issues. There are two ways to perform the code scanning, with either the main engine component which can schedule nightly scans and track progress over time or with the additional Prexis Pro utility, which is designed for quick assessments by the engineers on their own code without logging everything into the main database. The Pro tool worked best for my code assessments since I had no need for tracking changes over time, and it was a little easier to configure which counts for a lot in my situation.

    PolySpace is a completely different tool with a different purpose from Prexis. PolySpace attempts to mathematically discover runtime flaws in the code while only using static analysis to do so. It does a great job on smaller projects, but because of the complexity and thoroughness of its analysis, it is somewhat slow. PolySpace needs to evaluate an entire application all at once in order to do a good analysis. If your .5 MSLOC of code is many separate programs/executables then you will be fine, but if you are talking about one huge monolithic application then you may have to evaluate it in chunks which just increases the false positives and forces the engineer to do more manual chasing of details to determine if the issue is really a problem or not. From what I have seen this product is in a class by itself.

    BTW - keep you eyes on this site: http://samate.nist.gov/index.php/Main_Page