Any good static analysis tools out there?

[Derek]

This isn't exactly a language question, but I'm curious if any
of the veteran programmers out there could recommend a static
analysis tool for C++. Specifically, I'm looking for something
that can flag unreachable code, possible security errors like
buffer overflows, and identify unused entities. It would also
be great if said tool could identify any headers included un-
necessarily, and perhaps compute some basic metrics. Are there
any tools like this out there for C++? I'm mostly interested
in something that runs on Win32 and Solaris, but I'll entertain
other platforms as well.

 

[grahamo]

Hi Derek,

purecoverage and purify from IBM (formerly Rational before "Big Blue"
bought 'em) are probably what you want. I also know of a tool from a
company called "Headway software" that does C++ analysis of your
code, check them out at www.headwaysoftware.com

I have a few "hardened" C++ colleagues that have used the headway
analysis tool and spoke very highly of it. headway tout;

"Rapid Reverse Engineering and Static Analysis of your "as-is" design
for Java, C, C++ or Ada Software"


Either one of those two should provide you with the functionality you
need.

Cheers

Graham

 

[Ron Natalie]

Hi Derek,

purecoverage and purify from IBM (formerly Rational before "Big Blue"
bought 'em) are probably what you want

Not if you want static analysis (which is what he asked for). Purify
is about as far from static as you can get. It bashes your code (in
the windows case) at runtime. It provides absolutely ZERO static
analysis. "lint" is an example of a very old static analyser.

Some of the competing products do some static analysis in addition
to runtime work. However, almost everyone I've found (at least on
windows) have significant problems.