Hi @all, I'm currently evaluating software solutions (open source when possible) for static code analysis to be used on C source code. Toolchains used are avr-gcc and arm-gcc. Has anybody experience with the use of those tools for embedded development and can suggest a good solution? Best regards, Ralf
Have you checked out this list? http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#C.2FC.2B.2B At work we use a commercial tool (Klocwork). I'm not really familiar with the open source ones.
Yes, I did. Unfortunately it's just a list without any comparison of the tools. I'm looking for the opinion of people who are actually using a code analysis tool with their cross gcc toolchain. BTW what about the Klocwork tool? Is it beneficial? What toolchain are you using?
I've worked with Lint, splint and QA-C, whereas the first and the latter one are commercial tools. Splint hasn't been updated for a long time - it seems to me that the development has been stopped. I don't understand why you ask for the (compiler-) toolchain - do you expect any special dependencies between the compiler and the code analysis tool?
...beside the programming language itself?
Yeah, I also don't really see what difference it makes what compiler/toolchain you are using. It's the source code which gets analyzed after all. Unless maybe you are compiling the Linux kernel which needs gcc-specific extensions? Klocwork Insight is pretty solid, but also not cheap. Not feasible for private users, only for companies I should think. Using it is certainly beneficial. Unless you ignore what the tool finds and leave your code as it is ;)
I'm asking for the toolchain for two reasons: 1. the supported (required) language standard (we use the gnu99 C standard as all our toolchains are recent cross gcc's; splint on the other hand only supports C89) 2. there is some effort to make microcontroller specifics known to the code checker (ISRs, hardware registers etc.) and if someone has already done this I might not need to do it myself
Alright. Did you already play with the different code check settings of your compiler (gcc)? Most recent compilers can be configured to do a lot of code analysis by themselves. This might not be a replacement for the code analysis tool, but it's better than nothing ;)
I did, and I'm using Eclipse's CODAN, but I would really like a little more in-depth analysis.
While splint is an easy-to-use (but somewhat limited) tool with fast results, it does only ANSI C and fails spectacularly if applied to a C99 or even gnu99 codebase. As was already mentioned, development on it has stopped more or less. As far as I know there are no plans for C99 support. Today's compilers are able to give most of splint's warnings when set up appropriately. An interesting project that might have a bright future is the Clang frontend for the Low-Level Virtual Machine. Usage of libclang by development tools might make stuff possible that previously was reserved to other languages. There's also a static analyzer built on top of it: http://clang-analyzer.llvm.org/ The project is a WIP still under heavy development, but at least for C (as opposed to C++) its results are already usable. They also aim for high compatibility with GCC.