Main Page
Cppcheck - A tool for static C/C++ code analysis
Overview
This program tries to detect bugs that your C/C++ compiler doesn't see.
The goal is no false positives.
Cppcheck does not detect the kinds of problems that compilers normally detect. We recommend that you enable as many warnings as possible in your compiler.
If you use Visual C++: you should use warning level 4.
If you use GCC: take a look at Warning options - using GCC
If you use another compiler: look in the manual.
Cppcheck is versatile. You can check non-standard code that includes various compiler extensions, inline assembly code, etc.
If you have portability problems, please report them.
Cppcheck is supposed to work on any platform that has sufficient CPU and memory.
Cppcheck is supposed to be compilable by any C++ compiler which handles the latest C++ standard.
Accuracy
Cppcheck is far from finished. It is continuously improved to make it more accurate.
Cppcheck is rarely wrong about reported errors. But there are many bugs that it doesn't detect.
You will find more bugs in your software by testing it carefully than by using Cppcheck.
You will find more bugs in your software by instrumenting it (with, for example, valgrind) than by using Cppcheck.
It is unlikely that you will find all the bugs in your software through testing and instrumenting. Cppcheck can detect some of the bugs that you have missed.
Checks
Auto Variables
A pointer to a variable is only valid as long as the variable is in scope.
Check:
- returning a pointer to variable
- assigning the address of a variable to an effective parameter of a function
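The two patterns this check looks for, each beside a corrected form. This is an added example, not code from Cppcheck; the function names and the `SHOW_FLAWED` macro are hypothetical, and the flawed forms are kept behind the macro so the file builds cleanly.

```cpp
#include <cstdio>
#include <string>

#ifdef SHOW_FLAWED  // hypothetical macro; the flawed forms are not built by default
// Flawed: 'buf' is an automatic variable and is gone once the function returns.
const char *format_port_flawed(int port) {
    char buf[16];
    std::snprintf(buf, sizeof buf, "%d", port);
    return buf;  // returning a pointer to an auto variable
}

// Flawed: the caller receives the address of a variable that no longer exists.
void default_port_flawed(const int **out) {
    int port = 8080;
    *out = &port;  // address of an auto variable assigned through a parameter
}
#endif

// Corrected: return the value itself, so nothing refers to the dead stack frame.
std::string format_port(int port) {
    char buf[16];
    std::snprintf(buf, sizeof buf, "%d", port);
    return std::string(buf);
}

// Corrected: the pointee has static storage duration and outlives the call.
void default_port(const int **out) {
    static const int port = 8080;
    *out = &port;
}

int main() {
    const int *p = nullptr;
    default_port(&p);
    std::printf("%s %d\n", format_port(443).c_str(), *p);
    return 0;
}
```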
Bounds checking
out of bounds checking
Class
Check the code for each class.
- Missing constructors
- Are all variables initialized by the constructors?
- Warn if memset, memcpy etc are used on a class
- If it's a base class, check that the destructor is virtual
- The operator= should return a constant reference to itself
- Are there unused private functions?
Deprecated functions
Warn if any of these deprecated functions are used:
- mktemp
- gets
- scanf
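Bounded replacements for the three functions listed above, as an added example that is not part of Cppcheck. The function names, the 16-byte buffer size, the `/tmp/demo-XXXXXX` template and the `SHOW_FLAWED` macro are assumptions made for illustration, and the code assumes a POSIX system for `mkstemp`.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <unistd.h>

#ifdef SHOW_FLAWED  // hypothetical macro; the flawed forms are not built by default
void read_input_flawed(char *name, char *path_template) {
    gets(name);             // no size limit at all
    scanf("%s", name);      // %s without a field width is equally unbounded
    mktemp(path_template);  // yields only a name; another process can create the file first
}
#endif

// Instead of gets(): bounded read of one line, newline stripped.
// Returns false at EOF or when the line did not fit (the excess is discarded).
bool read_line(std::FILE *in, char *buf, std::size_t size) {
    if (size == 0 || !std::fgets(buf, static_cast<int>(size), in)) return false;
    std::size_t len = std::strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return true;
    }
    bool dropped = false;  // no newline seen: consume the rest of the line
    for (int c; (c = std::fgetc(in)) != EOF && c != '\n';) dropped = true;
    return !dropped;
}

// Instead of scanf("%s"): the field width leaves room for the terminator.
bool read_word(std::FILE *in, char (&word)[16]) {
    return std::fscanf(in, "%15s", word) == 1;
}

// Instead of mktemp(): mkstemp() creates and opens the file in one step.
// 'path_template' must end in "XXXXXX"; returns an open descriptor or -1.
int open_temp(char *path_template) {
    return mkstemp(path_template);
}

int main() {
    char path[] = "/tmp/demo-XXXXXX";  // constructed sample template
    int fd = open_temp(path);
    if (fd < 0) return 1;
    std::printf("created %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```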
Memory leaks (function variables)
Is there any allocated memory left when a function goes out of scope?
Memory leaks (class variables)
If the constructor allocates memory then the destructor must deallocate it.
Other
Other checks
- C-style pointer cast in cpp file
- redundant if
- bad usage of the function 'strtol'
- bad usage of the function 'sprintf' (overlapping data)
- division by zero
- unsigned division
- unused struct member
- passing parameter by value
- check how signed char variables are used
- condition that is always true/false
- unusual pointer arithmetic. For example: "abc" + 'd'
- dereferencing a null pointer
- Incomplete statement
STL usage
Check for invalid usage of STL:
- out of bounds errors
- misuse of iterators when iterating through a container
- dereferencing an erased iterator
- for vectors: using iterator/pointer after push_back has been used
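Three of the STL mistakes listed above, each beside a corrected form. This is an added example, not code from Cppcheck; the function names and the `SHOW_FLAWED` macro are hypothetical.

```cpp
#include <cstddef>
#include <vector>

#ifdef SHOW_FLAWED  // hypothetical macro; the flawed forms are not built by default
int first_after_growth_flawed(std::vector<int> &v) {
    std::vector<int>::iterator first = v.begin();
    v.push_back(0);  // may reallocate the storage
    return *first;   // iterator used after push_back
}
void drop_negative_flawed(std::vector<int> &v) {
    for (std::vector<int>::iterator it = v.begin(); it != v.end(); ++it)
        if (*it < 0) v.erase(it);  // 'it' is erased, then incremented and dereferenced
}
int last_flawed(const std::vector<int> &v) {
    return v[v.size()];  // one past the end: out of bounds
}
#endif

// Corrected: an index stays meaningful across reallocation, an iterator does not.
int first_after_growth(std::vector<int> &v) {
    const std::size_t first = 0;
    v.push_back(0);
    return v[first];
}

// Corrected: continue from the iterator that erase() returns. Returns the count removed.
std::size_t drop_negative(std::vector<int> &v) {
    std::size_t removed = 0;
    for (std::vector<int>::iterator it = v.begin(); it != v.end();) {
        if (*it < 0) {
            it = v.erase(it);
            ++removed;
        } else {
            ++it;
        }
    }
    return removed;
}

// Corrected: check the size before indexing. Returns false for an empty vector.
bool last(const std::vector<int> &v, int &out) {
    if (v.empty()) return false;
    out = v[v.size() - 1];
    return true;
}
```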
Unused functions
Check for functions that are never called
Forum, chat
IRC channel:
channel: #cppcheck
server: irc.freenode.net
Forum: https://apps.sourceforge.net/phpbb/cppcheck///
Future releases
The plan is to release a new version roughly once a month.
Version 1.38 is planned to be released on October 25th.
Bugs and feature requests
Use Trac to report any problems: https://apps.sourceforge.net/trac/cppcheck/
Defects are for severe bugs such as:
- False positives (when "--all" is not used)
- Cppcheck hangs/crashes
- Bug in any of the core classes (Tokenizer/Token/Preprocessor)
- Fail to compile
Enhancements are for issues such as:
- Fail to detect bug
- Change the output of Cppcheck
- Suggestion for a new check
Contribute
You are welcome to contribute. Help is needed.
- Testing - Pick a project and test its source with the latest version. Write tickets in Trac about the issues you find in Cppcheck. If you test open source projects and write bug reports to them, check the issues in the Found bugs section, and post links to the bug reports you have created, e.g. to our forum, so we can keep track of them.
- Developing - Pick a ticket from Trac and write a test case for it (and add a comment to the ticket saying that a test case has been created). Or pick a test case that fails and try to fix it. Make a patch and submit it to Trac, either inline if it is small or attached as a file.
- Marketing - Write articles, reviews or tell your friends about us. The more users we have, the more people we have testing and the better we can become.
- Design - Invent good new checks and create tickets in Trac for them.
- Integration - Write a plugin for your favorite IDE or create a package for your distribution or operating system.
- Technical Writer - Write better documentation for the bugs we find. Currently only a few bugs have any documentation at all.
Getting the source code
The latest version can be found in the git repository:
git clone git://github.com/danmar/cppcheck.git
You can also download the latest sources in a zip or tgz archive:
1. Go to this webpage: https://github.com/danmar/cppcheck/
2. Click the "download" button and choose the file format you want.
Donating money
If you wish to donate money you can do so here:
Donate money
Found bugs
Cppcheck is continuously tested against various open source projects.
It's a good way to find the false positives that Cppcheck gives.
Customized reports
The output from Cppcheck is always the same. But the output can easily be customized through XSLT.
Copyright © 2009 SourceForge, Inc. All rights reserved. Terms of Use
