What open source C++ static analysis tools are available

Java has some very good open source static analysis tools such as FindBugs, Checkstyle and PMD. Those tools are easy to use, very helpful, runs on multiple operating systems and free.

Commercial C++ static analysis products are available from vendors Klocwork, Gimpel and Coverity. Although having such products are great, the cost is just way too much for students.

The alternative is to find open source C++ static analysis tools that will run on multiple platforms (Windows and Unix). By using an open source tool, it could be modified to fit certain needs. Finding the tools has not been easy task.

Below is a short list of C++ static analysis tools that were found or suggested by others.

• C++ Check http://sf.net/projects/cppcheck/
• Oink http://www.cubewano.org/oink/
• C and C++ Code Counter http://sourceforge.net/projects/cccc/
• Splint (from answers)
• Mozilla's Pork (from answers)
• Mozilla's Dehydra (from answers)
• Use option -Weff++ for GNU g++ (from answers)

What are some other portable open source C++ static analysis tools that anyone knows of and can be recommended?

Some related links.

• http://stackoverflow.com/questions/97454/c-static-code-analysis-tool-on-windows
• http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
• http://www.chris-lott.org/resources/cmetrics/
• http://stackoverflow.com/questions/93260/a-free-tool-to-check-cc-source-code-against-a-set-of-coding-standards
• http://spinroot.com/static/
• http://stackoverflow.com/questions/2873/choosing-a-static-code-analysis-tool

 

 

http://splint.org/

Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.

http://sourceforge.net/apps/mediawiki/cppcheck/index.php?title=Main%5FPage

Cppcheck is an analysis tool for C/C++ code. Unlike C/C++ compilers and many other analysis tools, we don't detect syntax errors. Cppcheck only detects the types of bugs that the compilers normally fail to detect. The goal is no false positives.