Why should you care about C/C++ static analysis?

lahlali issam
4 min read · Feb 6, 2024


Many resources discuss the benefits of using static analysis tools and how they can help you improve your code base. In other words, they show you what you gain by using them. But have you asked yourself what you lose if you don't use them?

Let's take the example of a memory corruption caused by freeing the same pointer twice: it produces random crashes. It could take a few hours or maybe many days to find this kind of issue. Many similar risky problems exist in C/C++, especially concerning memory corruption. A single problem could cost a few dollars or many thousands of dollars.

The impact of an issue also depends on the nature of the program. Indeed, a problem in the embedded application of a machine does not have the same impact as a crash in a paint application. Sometimes one problem could cost many millions of dollars or even many billions of dollars, as in the case of Ariane 5, where a bug cost $7 billion.

Let's take a common hidden bug made by almost all C++ developers; even the most popular C++ web sites make the same mistake. We are talking about the sum of two integers:

```cpp
int c = a + b; // where a and b are two integers
```

And in almost all web resources the sum function is written like this:

```cpp
int sum(int a, int b)
{
    return a + b;
}
```

In general it works as expected, because in many applications a and b are not big numbers. But what if, in some cases, a + b is greater than 2147483647? The result no longer fits in an int, and signed integer overflow is undefined behaviour in C and C++.

How to avoid this kind of issue?

1- Compiler warnings

Each compiler can report many warnings during the build. These warnings won't keep your code from compiling unless you decide to treat them as errors. Don't hesitate to take a look at these warnings instead of ignoring them. Indeed, compiler warnings are often indicators of future bugs that you would otherwise see only at runtime.

However, in the case of the sum issue the compilers are silent: no warning is reported.

2- Use the auto keyword

The auto keyword in C++ automatically detects and assigns a data type to the variable it is used with. The compiler deduces the variable's data type by looking at its initialization, so a variable declared with auto must be initialized when it is declared. Unfortunately, auto is not smart enough to pick a wider type in this case: the type of a + b is still int, so auto deduces int and the overflow remains.
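As an added example (not code from the original post), the block below puts the three points of the previous sections side by side: the original `sum` silently overflows, `auto` deduces `int` for `a + b` and therefore does not help, and a checked version reports the overflow instead of triggering undefined behaviour. The helper names `checked_sum` and `checked_sum_wide` are assumptions chosen here, not a standard API.

```cpp
#include <climits>
#include <iostream>
#include <optional>
#include <type_traits>
#include <utility>

// The sum from the post: when a + b does not fit in an int the behaviour is
// undefined, so the compiler is free to assume it never happens.
int sum(int a, int b)
{
    return a + b;
}

// auto deduces the type of the initializer, and int + int is still int.
// This is checked at compile time without evaluating anything.
static_assert(std::is_same_v<decltype(std::declval<int>() + std::declval<int>()), int>,
              "auto c = a + b deduces int, so it overflows exactly like int c = a + b");

// Checked version (name chosen for this example): returns std::nullopt instead
// of overflowing. Both comparisons are arranged so they cannot overflow themselves:
// for b > 0, INT_MAX - b is in range; for b < 0, INT_MIN - b is in range.
std::optional<int> checked_sum(int a, int b)
{
    if (b > 0 && a > INT_MAX - b) return std::nullopt; // would exceed INT_MAX
    if (b < 0 && a < INT_MIN - b) return std::nullopt; // would go below INT_MIN
    return a + b;
}

// Alternative (name chosen for this example): compute in a wider type and
// range-check the result before narrowing it back to int.
static_assert(sizeof(long long) > sizeof(int), "wide arithmetic needs a wider type");

std::optional<int> checked_sum_wide(int a, int b)
{
    long long wide = static_cast<long long>(a) + b; // cannot overflow: both operands fit in int
    if (wide > INT_MAX || wide < INT_MIN) return std::nullopt;
    return static_cast<int>(wide);
}

int main()
{
    // Constructed sample inputs: the first pair is fine, the second overflows.
    int ok_a = 1000, ok_b = 2000;
    int bad_a = INT_MAX, bad_b = 1;

    std::cout << "sum(1000, 2000) = " << sum(ok_a, ok_b) << '\n';

    auto c = checked_sum(bad_a, bad_b); // auto here deduces std::optional<int>
    std::cout << "checked_sum(INT_MAX, 1): "
              << (c ? "ok" : "overflow detected, no value produced") << '\n';

    auto w = checked_sum_wide(INT_MIN, -1);
    std::cout << "checked_sum_wide(INT_MIN, -1): "
              << (w ? "ok" : "overflow detected, no value produced") << '\n';
    // sum(bad_a, bad_b) is deliberately not called: it would be undefined behaviour.
    return 0;
}
```

The pre-check form is portable C++17; GCC and Clang additionally offer `__builtin_add_overflow`, and building with `-fsanitize=signed-integer-overflow` or `-ftrapv` turns the silent overflow into a runtime report during testing, which complements what a static analyzer finds.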

3- Use a static analysis tool

Let's take cppcheck as an example; it primarily detects the types of bugs that compilers normally do not detect. Many interesting errors are reported by this tool.

You need less than one minute to download it and maybe 20 minutes to configure it. The analysis takes from a few minutes to many hours, but during that time you are free to do other tasks. After the analysis you could have thousands of potential issues; in the beginning you can focus only on the high-priority errors.

After analyzing the code with cppcheck we get the error: Signed integer overflow for expression 'a+b'.

In the end, with free static analysis tools you lose only 30 minutes to get a list of potential issues that could cost you many thousands of dollars.

With commercial tools you lose more than time: you have to pay for them, so you also lose money. Let's suppose that you purchase a tool for $1000 and it helps you find a problem that would take a developer two or three days to find. Three days of a C/C++ developer could cost more than $1000. And if you take into account the hidden cost of one issue, you will be surprised how much a simple issue can cost the company. Many stories on the web talk about the cost of simple issues.

Here are some free static analysis tools:

CppCheck (Free): CppCheck provides many checks; here are some of the checks available:

  • Out of bounds checking
  • Checking exception safety
  • Memory leaks checking
  • Warn if obsolete functions are used
  • Check for invalid usage of STL
  • Check for uninitialized variables and unused functions

Clang-tidy (Free): a clang-based C++ "linter" tool. Its purpose is to provide an extensible framework for diagnosing and fixing typical programming errors, like style violations, interface misuse, or bugs that can be deduced via static analysis. clang-tidy is modular and provides a convenient interface for writing new checks. Here's the list of clang-tidy checks.

Many other static analysis tools exist. Some of them are easy to try out; for others you have to contact the vendor and ask for a trial version.

If you can spare just 30 minutes to try cppcheck, be sure that you will not waste your time.

Summary

It's better to combine several tools to detect potential issues in your C++ code base: some tools detect bugs, others also detect bug-prone situations. You can start with the free tools and review the issues they report.
