Cppcheck
Cppcheck is a static analyzer for C and C++ code. It is open-source, free, cross-platform, and easy-to-use.
The project's website: http://cppcheck.sourceforge.net/
Cppcheck is an open-source, free tool distributed under the GNU General Public License. Daniel Marjamäki is the project's manager (his profile on Stack Overflow). The project's source code can be downloaded from the github website.
Cppcheck's capabilities
At the time of writing this article, the most recent version of Cppcheck is 1.60.1 which supports the following languages: C89, C99, C11, C++03, C++11; and provides the following plugins to integrate into various development environments:
- Code::Blocks - integrated
- CodeLite - integrated
- Eclipse - Cppcheclipse
- Jenkins - Cppcheck Plugin
- Visual Studio / Eclipse - Visual Lint by RiverBlade (paid solution)
Cppcheck's scope of use
One of the basic advantages of the Cppcheck analyzer is that it is easy-to-use. It is good for teaching, and studying, the static analysis methodology: for instance, you install Cppcheck on a Windows syste,m and get a GUI interface allowing you to immediately start checking your projects.
Figure 1. Cppcheck for Windows, the main window. Click on the picture to enlarge it.
Just select "Check directory" in the menu, and specify the path to your project. The project analysis report looks something like the screenshots below.
Figure 2. Project analysis report. Click on the picture to enlarge it.
Well, I was not quite honest when I said that Cppcheck doesn't need any customization. If you start using it on a deeper level, you'll need to customize some settings. For example, you'll need to specify paths to third-party libraries, integrate Cppcheck with your development environment, or set up night checks. But the fact that you can just select a directory and get a result, is just awesome! It's especially so, if you you're only getting started with static analysis, in which case such a capability is invaluable.
When analysis is over, you can study the diagnostic messages. They are grouped into the following categories: Errors, Warnings, Style Warnings, Portability Warnings, Performance Warnings, Information Messages. You can easily turn these groups on and off, by clicking on special buttons on the toolbar.
Figure 3 shows how to set the message view mode to see only Style Warnings: the message group "Style Warnings" is on, while all the rest are off (1). The file "cpuid_x86.c" contains several warnings of this type, and the first one is selected which refers to line 214 (2). The diagnostic's description is shown in the lower window (3).
Figure 3. Setting up the message view mode. Click on the picture to enlarge it.
Diagnostics
The Cppcheck analyzer is also good at detecting many other issues. These are just some of them:
- Incorrect use of functions from Standard Template Library;
- Memory leaks;
- Resource leaks;
- Bounds checking for array overruns;
- Use of uninitialized variables;
- Use of obsolete functions;
- Check input/output operations;
- Null pointer dereferencing.
Examples of diagnostics
Below you will find a few samples of errors, which the Cppcheck analyzer is able to detect.
Sample 1. The MPlayer project
In this code, the issue of missing data is processed incorrectly. If the "(!sh->wf || sh->wf->cbSize < 80)" condition is executed, a memory leak occurs.
....
context_t *ctx = calloc(1, sizeof(context_t));
const SpeexMode *spx_mode;
const SpeexStereoState st_st = SPEEX_STEREO_STATE_INIT;
if (!sh->wf || sh->wf->cbSize < 80) {
mp_msg(MSGT_DECAUDIO, MSGL_FATAL, "Missing extradata!\n");
return 0;
}
....The diagnostic message:
libmpcodecs/ad_speex.c:44: Memory leak: ctx
Sample 2. The Doom 3 project
In this code, "sizeof(*ctx)" must be written instead of "sizeof(ctx)". The bug prevents the 'ctx' object from being cleared completely, so only the first several bytes are cleared.
void MD5_Final( MD5_CTX *ctx, unsigned char digest[16] ) {
....
memset( ctx, 0, sizeof( ctx ) );The diagnostic message:
..\Doom3\id-Software-DOOM-3-a9c49da\neo\idlib\hashing\MD5.cpp(252):
Using size of pointer ctx, instead of size of its data.
Sample 3. The Doom 3 project
Memory is allocated as if for an array of items, but released as if it was allocated for only one item. The correct operation is [] sortIndex.
void idImageManager::PrintMemInfo( MemInfo_t *mi ) {
int *sortIndex;
....
sortIndex = new int[images.Num()];
....
delete sortIndex;The diagnostic message:
..\Doom3\id-Software-DOOM-3-a9c49da\neo\renderer\Image_init.cpp(2214)
Mismatching allocation and deallocation: sortIndex
Sample 4. The Quake 3: Arena project
An array consists of three items, but it is handled as if it contained four items.
void RB_CalcColorFromOneMinusEntity( unsigned char *dstColors )
{
...
unsigned char invModulate[3];
...
invModulate[0] = 255 - backEnd.currentEntity->e.shaderRGBA[0];
invModulate[1] = 255 - backEnd.currentEntity->e.shaderRGBA[1];
invModulate[2] = 255 - backEnd.currentEntity->e.shaderRGBA[2];
invModulate[3] = 255 - backEnd.currentEntity->e.shaderRGBA[3];
// this trashes alpha, but the AGEN block fixes itThe diagnostic message:
..\Quake3\id-Software-Quake-III-Arena-dbe4ddb\code\renderer\tr_shade_calc.c 628
Array 'invModulate[3]' index 3 out of bounds
Sample 5. The Quake 3: Arena project
The function printf() prints two numbers, but passes three parameters. Either one parameter is unnecessary, or the format string is incorrect.
static void do_uid(int x) {
printf("<a href='#%d'>%d</a>", x, x, x);
}The diagnostic message:
..\Quake3\id-Software-Quake-III-Arena-dbe4ddb\lcc\src\2html.c 131
printf format string has 2 parameters but 3 are given
References
- Website: http://cppcheck.sourceforge.net/
- Wikipedia: Cppcheck.
- Cppcheck manual: HTML, PDF.
- Cppcheck git repository.
- A positive comment about Cppcheck. Cppcheck: free, easy, and great.
- Evgeny Ryzhkov. Cppcheck and PVS-Studio compared.
- Aleksey Vitebskiy. Poor Man's Visual Studio Cppcheck Integration.
0