Earlier in the year I wrote about static analysis tools for C and wanted to cover a couple more.

Let’s continue with our simple array-out-of-bounds test from the last post:

int main(void)
{
	int my_array[3] = { 0 };

	for(int i = 0; i < 6; i++)
		my_array[i] = i;

	return 0;
}

GCC Static Analysis

Red Hat’s David Malcolm has been busy adding a static analyser to GCC with the -fanalyzer switch, covered in Red Hat Developer blog posts:

Unfortunately I couldn’t get it to find an error on the above code, neither with GCC-11 in Ubuntu 22.04, nor with Compiler Explorer’s current “static analysis” or “trunk” versions of GCC (which appear to be daily builds).

I emailed David and logged by bug with GCC for this.

Turns out Compiler Explorer’s gcc (static analysis) branch was almost 3 years out of date, logged an Issue to fix that too.

PVS-Studio

I came across this commercial static analyzer from a series of blog posts about writing good code:

Usually commercial products like this are inaccessible to us mere mortals, and I expect a paid license of this runs into at least 4 figures per seat. They don’t even offer single licenses, only commercial volume.

However, they provide a free license to students, open source projects, and even non-commercial personal projects. Very nice!

It’s also available via Compiler Explorer as a plugin. In the compiler window just go Add Tool and PVS-Studio.

This is awesome, and a good way to get your product in front of people who’ll later use it in industry, where companies are more willing pay for it.

From the above blog posts you can see that PVS-Studio catches lots of things that other static analyzers don’t, and it picks up our incorrect access too:

The documentation for all analyzer warnings is available here: https://pvs-studio.com/en/docs/warnings/.

<source>:6:1: warning: V557 Array overrun is possible. The value of 'i' index could reach 5.

Not as friendly as cppcheck was in the last post, but does the job.