    tools for static code analysis

    I happen to come across this info on
    I was wondering if some of you are using and also would recommend tools for static code analysis to find memory leaks, buffer overruns and many other common errors? Would they give some advantage over the compilation message from gcc/g++? Are valgrind and profile also among those tools?

    Valgrind and profile are runtime analysis tools. Static analysis occurs directly on your source code to find logical problems. Coverity is the only static analysis tool I've familiar with, and it's extremely expensive.

    In general, static analysis is much more difficult than runtime analysis, and tends to find a different set of problems. Because it is so difficult, not many people are giving away such tools for free.

    If your goal is to find memory leaks and out-of-bounds accesses, you can use runtime analysis with tools like Valgrind, BoundsChecker, Purify, etc. Also, combine these tools with a good coverage profiler. Runtime analysis can only find problems in code that actually executes -- analyzing coverage is necessary to make sure you're actually finding a significant fraction of bugs.

    Don't worry if your coverage ends up low, like 60%. It's really difficult to design tests that actually exercise your code completely. Even Microsoft only requires 80% code coverage for people checking in directly to their tree, but 80% is high.
    Thanks, brewbuck!

