To automate C code quality analysis in our company, I've been asked to integrate Cppcheck tool with our SonarQube server (through the C Community plugin). For the C part of our main product, in Visual Studio, we have a dozen of solutions, with almost a hundred of projects within each solution.
- See full list on codeproject.com.
- Oct 08, 2012 Cppcheck is a good tool to have in your arsenal. Anything that helps me avoid stupid mistakes is very welcome. The problem is that if you use Visual Studio, you either have to use the separate Cppcheck GUI or pay an arm and a leg for something like Visual Lint.
- Choose a tag to compare. Search for a tag. This commit was created on GitHub.com and signed with GitHub’s verified signature. GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits. VioletGiraffe released this on Jul 30, 2020.
- Cppcheck - MISRA C 2012 Compliance. The MISRA C 2012 compliance checking in cppcheck is a work in progress. We are currently trying to get funding for misra development through kickstarter. Please donate to make the misra addon more complete. In the table below we show checkers that are included/missing in latest.
- Analysis results by PVS-Studio
- Analysis results by Cppcheck
Contents
In this article, I'm going to tell you about a check of the MatrixSSL project done with the static analyzers for C/C++ code PVS-Studio and Cppcheck.
The article is written by Pavel Pimenov, the author of the open peer-to-peer client FlylinkDC++. The article is published in our blog by his permission.
What I liked about the MatrixSSL project was that it came with the MS Visual Studio 2010 version available 'out-of-the-box'.
Visual Studio Code
You know, in order to be able to build openSSL from source files for Visual C++, you usually have to dance around with a shaman's drum for a while :). That's why many Windows developers use ready binary openSSL builds such as Win32 OpenSSL Installation Project.
MatrixSSL is an alternative library of cryptographic algorithms distributed under the GNU license (commercial support is also available).
The source code of the open-source version can be downloaded from the official site. We analyzed the current version 3.7.1.
About the analyzers
- PVS-Studio is a commercial static analyzer detecting errors in source code of C/C++/C++11 applications (we used version PVS-Studio 5.21).
- Cppcheck is a free open-source analyzer (we used version Cppcheck 1.68).
Analysis results by PVS-Studio
Memory clearing
V512 A call of the 'memset' function will lead to underflow of the buffer 'ctx->pad'. hmac.c 136, 222, 356
The code of all the three functions is alright and only the used part of the array is cleared, but the analyzer warns that the size of the requested buffer - 128 bytes - is probably too large.
I think it's OK here but still it's better to clear either 64 or 128 bytes just for the code to look neat. You can write it, for example, like this:
V597 The compiler could delete the 'memset' function call, which is used to flush 'tmp' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. aes.c 1139
The optimizer throws away the call of the standard memset() function. I guess it may be critical for a crypto library and is a potential break.
Other similar issues: aes.c 1139, aes.c 1190, aes.c 1191, des3.c 1564, des3.c 1609, des3.c 1610, corelib.c 304, pkcs.c 1625, pkcs.c 1680, pkcs.c 1741
V676 It is incorrect to compare the variable of BOOL type with TRUE. Correct expression is: 'QueryPerformanceFrequency(& hiresFreq) FALSE'. osdep.c 52, 55
PS_TRUE is declared as '1'. MSDN says the following about the return value of the QueryPerformanceFrequency function: 'If the installed hardware supports a high-resolution performance counter, the return value is nonzero' So, a safer way to write it is QueryPerformanceCounter() PS_FALSE
Office for free mac. V547 Expression '(id = ssl->sessionId) ((void *) 0)' is always false. Pointer 'id = ssl->sessionId' != NULL. matrixssl.c 2061
There's an obvious error here: The condition will never be fulfilled because sessionld is declared as an array of 32 bytes and can't have a NULL address. This error is not critical of course and could probably be viewed just as an excessive pointless check.
V560 A part of conditional expression is always true: 0x00000002. osdep.c 265
Cppcheck For Windows
We have a typo here: Instead of FILE_SHARE_READ | FILE_SHARE_WRITE, the programmer wrote && and got 1 && 2 1
which is equivalent to one FILE_SHARE_READ.
Probably incorrect condition
V590 Consider inspecting the '* c != 0 && * c 1' expression. The expression is excessive or contains a misprint. ssldecode.c 3539
Probable performance drop
V814 Decreased performance. The 'strlen' function was called multiple times inside the body of a loop. x509.c 226
Visual Studio Community
In this code, inside the while() loop, the analyzer detected a call of the strlen() function for a parameter which doesn't change. Generally it is not optimal but in this particular case since the strlen() function receives a constant known at the compilation stage, the optimizer in the /O2 mode will remove the function call completely and substitute it with the constant's value calculated at the compilation stage.
Analysis results by Cppcheck
This analyzer generated fewer warnings but there were some among them which PVS-Studio had failed to diagnose.
None of them affect the library's work as they all refer to unit-tests in cryptotest.
'Finishing return-shot in the head'
Adobe photoshop cc torrent download for mac. Consecutive return, break, continue, goto or throw statements are unnecessary. The second statement can never be executed, and so should be removed.
Github Cppcheck Visual Studio Extension
This is a copy-paste error. There are two identical lines at the end: return PS_SUCCESS;.
Another typo of this kind can be found in the function psSha384Test(void).
Memory leak
Memory leak: table
This issue is non-critical in this case but it's nice to see that Cppcheck can catch it. The code is inside files and looks as follows (copy-paste):
- cryptotesteccperfeccperf.c
- cryptotestrsaperfrsaperf.c
Resources are better to be requested right before they are really necessary. If you look at the code in those files, you will see that the table is not used at all, that is, the call of the malloc() function as well as the call of the free(table) function at the end are just excessive.
Conclusion
I am a FlylinkDC++ developer and I've been using the PVS-Studio analyzer granted to us as an open-source project for more than two years now. The analyzer more than once helped us find various bugs both in our own code and third-party libraries' code. Thanks to regular checks, FlylinkDC++'s code has become much more stable and safe. And that's wonderful!
Bugs Found
Collected Errors
14 526Roslyn API: Why PVS-Studio Was Analyzing the Project So Long
Finally! PVS-Studio Supports .NET 5 Projects
Perl Script Instead of Blame-notifier on Linux OS
Hidden Reefs in String Pool, or Another Reason to Think Twice Before Interning Instances of String Class in C#
PVS-Studio Team's Kanban Board. Part 1: Agile
Do you make errors in the code?
Check your codewith PVS-Studio
Static code analysis
for C, C++, C# and Java
Follow us
Tweets by @Code_AnalysisOriginal author(s) | Daniel Marjamäki |
---|---|
Initial release | May 8, 2007; 13 years ago |
Stable release | |
Repository | |
Written in | C++ |
Operating system | Cross-platform |
Available in | English, Dutch, Finnish, Swedish, German, Russian, Japanese, Serbian, Spanish, French, Italian, Korean, Chinese |
Type | Static code analysis |
License | GNU General Public License |
Website | cppcheck.sourceforge.net |
Cppcheck is a static code analysis tool for the C and C++programming languages. It is a versatile tool that can check non-standard code.[2] The creator and lead developer is Daniel Marjamäki.
Photoshop cc 2014 crack for mac. Cppcheck is free software under the GNU General Public License.
Features[edit]
Cppcheck supports a wide variety of static checks that may not be covered by the compiler itself. These checks are static analysis checks that can be performed at a source code level. The program is directed towards static analysis checks that are rigorous, rather than heuristic in nature.
Some of the checks that are supported include:
- Automatic variable checking
- Bounds checking for array overruns
- Classes checking (e.g. unused functions, variable initialization and memory duplication)
- Usage of deprecated or superseded functions according to Open Group[3]
- Exception safety checking, for example usage of memory allocation and destructor checks
- Memory leaks, e.g. due to lost scope without deallocation
- Resource leaks, e.g. due to forgetting to close a file handle
- Invalid usage of Standard Template Library functions and idioms
- Dead code elimination using unusedFunction option
- Miscellaneous stylistic and performance errors
As with many analysis programs, there are many unusual cases of programming idioms that may be acceptable in particular target cases or outside of the programmer's scope for source code correction. A study conducted in March 2009 identified several areas where false positives were found by Cppcheck, but did not specify the program version examined.[4] Cppcheck has been identified for use in systems such as CERNs 4DSOFT meta analysis package,[5] for code verification in high energy particle detector readout devices,[6] system monitoring software for radio telescopes[7] as well as in error analysis of large projects, such as OpenOffice.org[8] and the Debian archive.[9]
Development[edit]
The project is actively under development[10] and is actively maintained in different distributions.[11][12] It has found valid bugs in a number of popular projects[13] such as the Linux kernel and MPlayer.[14]
Plugins[edit]
Plugins for the following IDEs or text editors exist[15]
- SoftaCheck (GitHub Plugin)[16]
- CLion[17]
- Code::Blocks - integrated.
- CodeLite - integrated.
- Eclipse[18]
- Emacs[19]
- gedit[20]
- Hudson[21]
- Jenkins[22]
- Kate[23]
- KDevelop[24]
- Qt Creator[25]
- Sublime Text[26]
- Visual Studio[27][28][29]
- Yasca[30]
See also[edit]
References[edit]
- ^'Releases - danmar/cppcheck'. Retrieved 1 January 2021 – via GitHub.
- ^'A Survey of C and C++ Software Tools for Computational Science'(PDF). Science and Technologies Facility Council. Chilbolton, Daresbury, and Rutherford Appleton Laboratories. December 2009. p. 14. Archived from the original(PDF) on 12 March 2012. Retrieved 14 September 2010.
- ^'System Interfaces'. pubs.opengroup.org. Retrieved 2020-09-24.
- ^'Static Code Analysis For Embedded Systems'(PDF).
- ^'Dissemination and use of knowledge plan (EU Deliverable DNA2.11'(PDF). 2010.
- ^'Entwurf und Implementierung eines adaptiven, strahlentoleranten eingebetteten Systems am Beispiel eines Read-Out-Controllers (En: Development and implementation of an adaptive, radiation tolerant embedded system for operation of a Read-Out controller)'(PDF). 2010. Archived from the original(PDF) on 2012-03-11.
- ^'The Wettzell System Monitoring Concept and First Realizations'(PDF). International VLBI Service for Geodesy & Astrometry. 2010. p. 447.
- ^'Hunting for vulnerabilities in large software : the OpenOffice suite'(PDF).
- ^'Introducing the 'Debian's Automated Code Analysis' (DACA) project'. LWN.net.
- ^Cppcheck on Github
- ^Cppcheck on Debian's Package Tracking System
- ^FreeBSD port
- ^'List of user reported bugs found by cppcheck'.
- ^'Found Bugs list'. SourceForge. Archived from the original on 2013-10-14.
- ^'SourceForge.net: cppcheck'. sourceforge.net. Archived from the original on 2012-07-18.
- ^'cppcheck sourceforge page'.
- ^'cppcheck plugin for CLion'. plugins.jetbrains.com.
- ^'Cppcheclipse'. github.com.
- ^'Flycheck'. github.com.
- ^'gedit Cppcheck plugin'. github.com. Archived from the original on 2012-12-17.
- ^'Cppcheck Plugin'. hudson-ci.org. Archived from the original on 2017-10-26. Retrieved 2010-09-15.
- ^'Cppcheck Plugin'. jenkins-ci.org.
- ^Cullmann, Christoph (2013-02-02). 'Kate Project Plugin News – Code Analysis'. Kate | Get an Edge in Editing. Retrieved 2016-12-14.
- ^Funk, Kevin (2016-12-06). 'KDevelop's Cppcheck plugin merged into kdevelop.git, will be released with 5.1'. Retrieved 2016-12-14.
- ^'Qt Creator Plug-in Gallery'. Qt Wiki.
- ^'Sublimelinter plugin'. github.com.
- ^'Cppcheck add-in'. Visual Studio Marketplace.
- ^VioletGiraffe. 'Homepage cppcheck-vs-addin'. Retrieved 3 March 2014.
- ^Srix. 'Simple open source static analysis tool for Visual Studio'. Archived from the original on 2015-02-10. Retrieved 27 August 2012.
- ^Scovetta, Michael. 'Yasca'.
External links[edit]
- Cppcheck on SourceForge.net