Chapter 9: Code Analysis for CC | Professional Visual Studio 2005 Team System (Programmer to Programmer)

Overview

Team System ships with several testing tools for C and C++ programmers. For example, AppVerifier provides support for dynamically testing unmanaged applications. Another feature, Code Analysis for C/C++ (also known as PREfast) is an integrated static code analyzer that enables you to detect security and coding defects during compile time. Here is what Code Analysis for C/C++ has to offer:

Complete integration with Visual Studio 2005. It can check your code against a collection of memory and program execution rules. The test results window or custom logs enable you to view the list of errors and warnings, making it easy to solve potential problems.
The C/C++ Code Analysis engine includes rich annotations and #pragma support to help you effectively enable, disable, filter, and manipulate errors and warnings.
It can be launched using command-line directives, making it easy to automate and integrate with other components (such as Team Foundation Server).

Note

Code Analysis for C/C++ does not support .NET code. The best static testing tool for .NET code is the Managed Code Analysis tool (best known as FxCop), covered in Chapter 8. Microsoft Research is currently working on a version of PREfast for the C# language called PREsharp. PREsharp information is available on the following Microsoft Research website: http://www.microsoft.com/windows/cse/pa/pa.mspx.

Code Analysis for C/C++ is an extremely important and useful tool in Microsoft's internal software development process. They have used it extensively in the development and testing of Windows 2000, Windows Server 2003, and Windows XP. It also has been used for application security audits companywide for both the Trustworthy Computing and Secure Windows Initiatives. Code Analysis for C/C++ has been an integral tool for testing and securing the codebase for Windows XP Service Pack 2, and continues to be in wide use for a number of other products.

Note

Code Analysis for C/C++ is only available in Visual Studio 2005 Team Developer and the Team Suite versions of Team System.

Three core versions of Code Analysis for C/C++ are currently available from Microsoft (some are still referred to as PREfast). Each version has its own specific capabilities and documentation:

This chapter focuses completely on Team System's Code Analysis for C/C++.
The driver-specific version (drvfast.cmd) is available as part of the Microsoft Windows Server 2003 Service Pack 1 Driver Development Kit (DDK). This kit is available for download from the MSDN Subscriber downloads (http://www.subscriptions.msdn.com). You can obtain a white paper and an accompanying PowerPoint presentation deck at http://www.microsoft.com/whdc/devtools/tools/PREfast.mspx.
PREfast (prefast.exe) is available in the Platform Builder for Windows CE 5.0 SDK. Please refer to the following MSDN article for more details: http://www.msdn.microsoft.com/library/en-us/wcepbguide5/html/wce50oriPREfastAnalysisTool.asp.

Team System's C/C++ static code analyzer has been specifically designed for Win32 code on the x86 platform, as 64-bit support is not currently available.

In this chapter, we describe the advantages and challenges of static code analysis. You will learn how to use Code Analysis for C/C++ within Team System, including how to enable it, manage it, control it, and integrate and share the results on Team Foundation Server using check-in policies and bug work items. Finally, you will learn how to extend the C/C++ static code analysis engine using #pragma directives and inline annotations.