Open Source Static Code Analysis: Cppcheck with Eclipse
Join the DZone community and get the full member experience.
Join For FreeI have a challenge for you: Can you spot the problem in the following source?
TMOUT1_CounterHandle TMOUT1_GetCounter(TMOUT1_CounterType nofTicks)
{
TMOUT1_CounterHandle handle;
CS1_CriticalVariable();
handle = 0;
if (nofTicks==0) {
nofTicks = 1; /* wait at least for one tick, otherwise will timeout immediately */
}
CS1_EnterCritical();
while (!TMOUT1_FreeCounters[handle] && handle<TMOUT1_NOF_COUNTERS) {
handle++;
}
if (handle<TMOUT1_NOF_COUNTERS) {
TMOUT1_FreeCounters[handle]=FALSE;
TMOUT1_Counters[handle] = nofTicks;
}
CS1_ExitCritical();
if (handle==TMOUT1_NOF_COUNTERS) {
return TMOUT1_OUT_OF_HANDLE;
}
return handle;
}
No? Well, I have not spotted the problem the first time neither. However, a reader of this blog did: he used a cool tool named ‘cppcheck': that tool reported the following:
Array Index Handle is uses before limits check
How cool is that? Not so cool is my bad programming style here:-(. At least the fix was easy :-).
Cppcheck can find many coding errors, portability problems and many more. Cppcheck has found this real problem in the Freescale USB Stack for me:
Example issue found by Cpptest
So this is a bad and nasty bug: the function returns the address of a variable on the stack!!! On return from that function, that variable on the stack is gone and might cause the system to crash. Thank you for flagging this, Cppcheck!
Obviously, cppcheck has not been used by that developer writing that code, and I think they really should have. I have started using Cppcheck for my code base, and I’m amazed how many possible issues it is able to find!
So here is how you can install it and use it…
Cppcheck Installation
Cppcheck can be downloaded from http://cppcheck.sourceforge.net/:
Cppcheck web site
The SourceForge site with the download is here: https://sourceforge.net/projects/cppcheck/. Run the setup, and it will install Cppcheck.
Installation of Eclipse Plugins
What makes using Cppcheck really easy is the ‘Cppcheclipse’ plugin in Eclipse.The website for this plugin is here: https://code.google.com/a/eclipselabs.org/p/cppcheclipse. Follow the instructions on
https://code.google.com/a/eclipselabs.org/p/cppcheclipse/wiki/Installation
or directly use the following Eclipse Update Site with Help > Install New Software:http://cppcheclipse.eclipselabs.org.codespot.com/svn/update/
In the Eclipse workspace settings (Window > Preferences), point to the Cppcheck binary:
Binary Path to Cppcheck
This panel also has global settings for all projects, or I can set project specific options.
Configuration of cppcheck messages
Using Cppcheck with Cppcheclipse
Running Cppcheck on the project is easy: simply use the context menu not the project:
Running CppCheck
This will check the sources in the project and report issues in the problems view.
Tips
In case a problem with too many configurations comes up:
;;information;toomanyconfigs;Too many #ifdef configurations - cppcheck only checks 12 configurations. Use --force to check all configurations. For more details, use --enable=information.
Cppcheck too many configurations
To avoid that problem, I can restrict the number of configurations, and I have __GNUC__ defined in the project properties:
Restricted Configuration
I recommend to have a read at the cppcheck manual, e.g. found at http://cppcheck.sourceforge.net/manual.html. It has a lot of advanced options, and ways how to suppress warnings/messages directly in the source code, etc.
Summary
It is always amazing what cool gems of open source tools are out there to be explored! Cpptest is a powerful free of charge static analysis tool which can be easily used with Eclipse, including Freescale’s Kinetis Design Studio. It might not catch every programming error, and a developer should have a bunch of tools in its hand. But every bug killed early is one bug less :-). I’m using PC-lint too (see “Eclipse and PC-lint: Linticator“), but having an open source tool in addition to PC-lint, free of charge, is even better.
Opinions expressed by DZone contributors are their own.
Comments