Static Analysis

Static analysis tools look at the source code and warn you of any possible errors. Some static analysis tools also warns about code that doesn't adhere to certain guidelines such as the core guidelines.

cppcheck is a popular static analysis tool. It focuses on issues that might cause bugs, however it also has extensions to enforce some coding style checks.

Unix users can simply download it from your package manager. It has a command line and GUI interface (cppcheck-gui). Source code and Windows installer are available here. On Windows, make sure to add C:/ProgramFiles/CppCheck (or whatever its download location is), to your PATH so that you can use the cppcheck in the command line.

I would suggest the cppcheck GUI as it's very easy to use. Visual Studio also has a cppcheck plugin, however it seems to only work for Visual Studio projects (not CMake).

Some helpful command line arguments:

  • -I <include directory> - search through the following include directories
  • --library=<lib> - uses information about an external library such as googletest or openssl
  • --addon=<addon> - enable an addon such as cert which enables checks for CERT coding guidelines
  • --enable=<check> - enables checks with the given name, such as all, which enables all checks
  • --platform=<type> - sets the platform type (such as unix64, win64, avr8, etc.)
  • --std=<std> - sets the standard version (ex. c11, c89, c++11, c++17, c++03). The current default is c++20.
  • --output-file=<file> - writes results to an output file instead of stderr
  • --cppcheck-build-dir=<dir> - specifies the build directory. These speeds up repeated analysis times by only checking files that changed.
  • -i <dir> - exclude a directory or file
  • --max-ctu-depth=<N> - sets the maximum analysis depth. Higher values are slower but can catch more errors. The default is 2.
  • --project=<file> - specify the project file to use. This file can be a Visual studio .sln, it can be a compile_commands.json, or it can be a .cppcheck xml file which stores the options for checking a given directory. These are generated by the cppcheck gui, but can also be written manually.

For the following file structure:

Project
|
|___include
|   |
|
|___src
|   |
|
|___test
|   |
|

we can run cppcheck with the command

cppcheck -I Project/include/ Project/src/ Project/test/ --library=googletest --std=c++17

Another thing to note is that CMAKE can generate a cppcheck project file for us by enabling CMAKE_EXPORT_COMPILE_COMMANDS. This can be done with set(CMAKE_EXPORT_COMPILE_COMMANDS ON). This outputs a compile_commands.json file which we can specify to cppcheck to use via --project. Specifically, what this does it it creates a compilation database which stores information such as the compiler options used, source files, and include directories. Using a compiltation database makes satic analysis tools more effective by providing them more information to work with.

Clang-tidy

clang-tidy is another static analysis tool that focuses more on stylistic checks than cppcheck. It is only available for Unix, however on Windows you can use the the Code Analysis tools built into Visual Studio which are very good. This tool incorporates some of the CPP Core Guidelines into their checks.

We can use it like so:

clang-tidy -header-filter=.* -checks=* src/* include/*

The -header-filter argument is used to filter which header files the tool will look at. In this example, we have it analyze all the headers. The -checks argument is passed a pattern to filter which checks to enable, here we enable all checks.

Windows

For Windows, Visual Studio (not VSCode) has code analysis under the Analyze tab. Microsoft has further information and documentation about this online. The VS code analysis is quite good and incorportates the CPP Core Guidelines. You can also use it by using the /analyze flag on MSVC compiler.