How to Do Static Analysis of C/C++ with Cppcheck
Sees flaws that neither you nor your compiler can find.
The programming languages C and C++ have several optional tools that: knowing how to use them them, will be essential for writing secure code.
That’s why they are recommended languages for professionals in the area, otherwise, the person should look for easier languages that manage things automatically where the programmer often doesn’t even know what he’s really doing. C and C++ is like an airplane control panel, and sometimes people want to use them like a TV remote.
What is Static Analysis?
Static Analysis, in short, is finding bugs in your code without running it. That’s why it has this name: static, if we do the analyzes during the execution of the program it would be a dynamic analysis.
Usually these analyzes are done by additional programs that can see details that neither you nor your compiler identifies.
In this article we will see how to use Cppcheck which is one of the best known and easy to use tools for static analysis in code written in C/C++.
Cppcheck is a static code analysis tool for the C and C++ programming languages. It is a versatile tool that can check non-standard codes. Cppcheck is a free software made under the license GNU General Public License.
Cppcheck supports a wide variety of static checks that may not be covered by the compiler itself. These checks are static analyzes that can be performed at the source code level.
Some of the supported checks include:
- Automatic variable checking
- Checking bounds for array saturations
- Class checking (e.g. unused functions, variable initialization and memory duplication)
- Use of deprecated or superseded functions according to the Open Group
- Exception security checking, e.g. memory allocation usage and destructor checks
- Memory leaks, e.g. due to scope loss without deallocation
- Resource leaks, for example due to forgetting to close a file handle
- Invalid usage of default template library functions and languages
- Elimination of dead code using usedFunction option
- Miscellaneous stylistic and performance bugs
The project is actively under development and maintained on different operating systems. He found valid bugs in several popular projects such as Linux kernel and MPlayer.
You can install using your operating system’s package manager, examples:
emerge and among others. Examples:
Or you can also install directly from the source code available on GitHub, like this:
After installation confirm that everything is correct by checking the version:
In this case, according to the publication date of this article, its current version is
Suppose you have this code below:
Can you find errors in this code?
The truth is that not even the compiler can do it, even if we enable all the necessary
flags for debug, example:
Note that it will compile without even a warning if you want and still run normally.
Now let’s do the STATIC ANALYSIS with
cppcheck with the following command:
See the image below the errors he listed:
How crazy, right?! 😃
Now let’s fix our code by adding explicit to our constructor as he indicated and also the parameter:
const String& iname
When running the same command again, we will notice that we have resolved all the errors, except the error:
This error is not really an error but rather the path to the standard library which can have numerous locations depending on the operating system and even the compiler. So we can ignore it.
But, with this example, we see how useful static analysis with
cppcheck can help you in everyday life. Remembering that we spend more time debugging than writing the code itself, so these analyzes will save you a lot of work and also headaches.
There are plugins for Cppcheck for several IDEs and Editors such as: Vim, Neovim, Emacs, Eclipse, Code:Blocks, Qt Creator, Kdevelop and many more!
For more information visit the repository on GitHub and the page on Source Forge.