Cppcheck is a free static code analysis tool that finds bugs in C and C++ code without executing the program. It works by tokenizing, simplifying, and checking code for patterns that may indicate bugs. Some checks look for buffer overruns, unused functions, memory leaks, and invalid arguments. Cppcheck is cross-platform, has a GUI and command line interface, and has found hundreds of bugs in open source projects.

2.  Static Code Analysis
 Survey of Tools
 Cppcheck

3.  Goal: Provide confidence that code is correct
just by looking at it (without building or
executing it).
 Helps us find easy bugs buried in thousands
of lines of code (not something people are
great at).

4.  Formal Methods
 Code Metrics
 Reviews and Inspection

5.  Formal Methods:
◦ Mathematical!
◦ Require a mathematical model and assertions!
◦ Often require modeling the system as a finite state machine
and verifying each state and transition.
 Code Metrics
 Reviews and Inspection

6.  Formal Methods:
Too difficult! Static analysis is supposed to save time.
 Code Metrics
 Reviews and Inspection

7.  Formal Methods:
Too difficult! Static analysis is supposed to save time.
 Code Metrics:
• Identify areas where bugs are likely.
• Based on measures of code complexity rooted in graph
theory (e.g. Cyclomatic complexity).
 Reviews and Inspection

8.  Formal Methods:
Too difficult! Static analysis is supposed to save time.
 Code Metrics:
Good, but doesn’t directly identify defects.
 Reviews and Inspection

9.  Formal Methods:
Too difficult! Static analysis is supposed to save time.
 Code Metrics:
Good, but doesn’t directly identify defects.
 Reviews and Inspection
• Just look at the code and try to find suspicious
patterns.
• Basically what we do when performing code reviews.

10.  Formal Methods:
Too difficult! Static analysis is supposed to save time.
 Code Metrics:
Good, but doesn’t directly identify defects.
 Reviews and Inspection
Works pretty well!

11.  Static Code Analysis
 Survey of Tools
 Cppcheck

12.  Three Popular Commercial Tools:
◦ PC-Lint
◦ Klocwork Insight
◦ Coverity Prevent
 One Free Software Tool:
◦ Cppcheck

13.  PC-Lint
◦ Commercial
◦ Works for C code
◦ Often reports many false positives.
◦ Probably the cheapest after Cppcheck (which is free)
 Klocwork Insight
 Coverity Prevent
 Cppcheck

14.  PC-Lint
 Klocwork Insight
◦ Commercial
◦ A spin-out of Nortel Networks
◦ Also includes project management and project
visualization capabilities.
 Coverity Prevent
 Cppcheck

15.  PC-Lint
 Klocworks Insight
 Coverity Prevent
◦ Commercial
◦ Identified over 6000 bugs across 53 open-source
projects.
◦ Developed from research at Stanford University.
 Cppcheck

16.  PC-Lint
 Klocworks Insight
 Coverity Prevent
 Cppcheck
◦ Open source
◦ Under active development.
◦ Has found > 400 bugs in open-source projects.
◦ Free!

17.  Static Code Analysis
 Survey of Tools
 Cppcheck

18.  Detects bugs in C and C++ source that compilers
normally do not warn about!
 Cross-platform (Windows, Linux, etc)
 Fancy Qt-based GUI client!
◦ Also available in a command-line version
 Usable via plugins from various IDEs (but not VS):
◦ Eclipse
◦ Code::Blocks
◦ Hudson, Jenkins

19.  Packages maintained for FreeBSD, Debian and
Ubuntu systems (sudo apt-get install cppcheck)
 Used to find bugs in many open-source
projects:
◦ Linux Kernel: > 40 bugs found+fixed
◦ VLC Player: > 20 bugs found+fixed
◦ Others: 7-zip, curl, git, etc

20.  Bounds checking for array overruns
 Memory and resource leaks
 Unused private class functions
 Use of deprecated functions
 Wrong # of arguments given to printf or scanf
 Switch cases that fall through suspiciously
 Dozens of others…

22. Possible buffer overrun
Memory leak: buf
Should be “delete[] buf”
Resource leak: file

23. Cppcheck finds many of the issues
with that code (but not all)

25. Buffer overrun
Suspicious format specifier for a
pointer to a C string (but not
necessary a bug)

26.  Bounds checking for array overruns
 Unused private class functions
 Use of deprecated functions
 Memory and resource leaks
 Dozens of others…

27. Preprocessor
Source File
Tokenizer
Simplifier
Results
Checks
Happy Developer

28. void foo(char* str)
{
if (str == 0)
printf(str);
else
printf("Whoa");
}
Tokenizer
Simplifier
void foo ( char * str ) { if ( ! str ) { printf ( str ) ; } else
{ printf ( "Whoa" ) ; } }

29. void foo(char* str)
{
if (str == 0)
printf(str);
else
printf("Whoa");
} Indentation, spacing,
NULL-checks and
braces are normalized
Tokenizer to simplify checks!
Simplifier
void foo ( char * str ) { if ( ! str ) { printf ( str ) ; } else
{ printf ( "Whoa" ) ; } }

30. void foo ( char * str ) { if ( ! str ) { printf ( str ) ; } else
{ printf ( "Whoa" ) ; } }
Results
Checks
 Each check iterates over the tokens, and reports if it finds a
suspicious pattern!
 Checks implemented as C functions or XML documents that
describe the pattern to look for.
 Results categorized as error, warning, style, performance,
portability, or informative.

31.  Cppcheck is a free tool for finding
bugs in C++ source code.
 It works by parsing the source
code, splitting it into tokens and
finding suspicious patterns in the
tokens.

32.  Official project page:
◦ http://cppcheck.sourceforge.net/
 Official source repository:
◦ https://github.com/danmar/cppc
heck