Section 7.6. Static Program Checker

7.6. Static Program Checker

During application porting, changes to the original code may inject potential errors, such as referencing null pointers or typographical errors (errors that can cause infinite loops and go undetected). These errors may even be left undetected at compile and link time. A tool such as a static code checker^[10] that is used in conjunction with the build process can help detect such errors, creating a proactive build environment that can eliminate future problems during functional and systems tests.

^[10] Other static program checkers are available, such as Flawfinder (www.dwheeler.com/flawfinder/) and Coverity (www.coverity.com).

7.6.1. Splint

Splint is a tool for statically checking C programs for programming mistakes such as potential memory leaks, referencing of null pointers, unused declarations, type inconsistencies, ignored return values, and likely infinite loops. One important feature that Splint also provides is checking for potential buffer-overflow scenarios in an application. Running ported applications through a tool such as Splint creates a more robust application that is less prone to fail during application testing. Splint is available from www.splint.org/.

7.6.2. CodeSonar

CodeSonar is a commercially available source code analyzer that performs a deep static analysis on code and identifies many types of bugs. These include null-pointer dereferences, divide-by-zeros, buffer overruns, buffer underruns, double-frees, use-after-frees, and frees of nonheap memory. CodeSonar does a whole-program analysis, taking into account effects arising from the interaction of different functions in different files. It can detect complex bugs that are difficult to identify through manual analysis. To learn more about CodeSonar, go to www.grammatech.com.

You can find a list of several other static analyzers in both open-source and commercial forms at www.splint.org/links.html.