Comparison of Static Code Checking Tools

Introduction

The last couple of years a new generation of static code checkers is emerging. These new code checkers are capable of finding a new type of defects based on control flow and data flow analysis. Errors such as buffer overflow, memory leakage and null pointer dereference can now be detected without actually running the code.

Due to this recent revolution, the market of static code analysis for C and C++ is changing rapidly. Existing suppliers of code checkers are forced to add data flow and control flow capabilities to their tools as well. As a result, it has become quite hard for potential users of these tools to select the right tool for the job.

This survey compares available static code checkers that are capable of doing control flow and data flow analysis. The research will be done incrementally, revealing new data if it becomes available. Feedback and customer experiences are welcome and will be integrated in the results.

The following steps will be taken. First a selection of tools is made. After that the requirements including their weighing will be determined. Finally, the requested data will be collected. Part of the survey will be to set up a test suite for comparison.

Tools that Qualify

In order to qualify the following requirements must be met:

C and/or C++ support
Being able to detect control flow and/or data flow defects without running code

The tools that currently qualify are:

C++test/BugDetective (Parasoft)
CodeSonar (GrammaTech)
Coverity Prevent (Coverity)
Fortify 360 (Fortify)
Klocwork Insight (Klocwork)
PolySpace (MathWorks)
Sparrow (Fasoo)

Requirements

The following requirements are assessed:

Ease of installation. How long does it take to get first results?
Ease of use. How much time does it cost to understand the results? How much time does it cost to change the configuration? Is there any support to suppress individual violations? Are there any plugins available for programming IDEs?
Performance. How long did it take to process the TIOBE test suite?
Accuracy of results. How many false positives are found in the TIOBE test suite? How many false negatives? Is the available rule set complete enough?
Interfacing. Is it possible to run in batch mode? And if so, how easy is it to export data to another program?
Price. What pricing model is used and what are the license costs?
Support. How long does it take to get support and what is the quality of the answers?

C/C++ Test Suite

The 3 most frequently downloaded SourceForge open source C/C++ projects will be used as test suite. These are:

Let us know whether there are other requirements that are important. Shortly we will publish the "Ease of installation" results of the various tools.

More information will follow soon.

TIOBE Coding Standard Framework TICS

On this page

Introduction
Tools that Qualify
Requirements
C/C++ Test Suite

Additional Information

TIOBE Index

The TIOBE Programming Community index is an indicator of the popularity of programming languages. The index is updated once a month. The ratings are based on the number of skilled engineers world-wide, courses and third party vendors. TIOBE Index

Related products

Grammatech - Static Code Analysis
Atollic Analyzer- Dynamic Code Coverage Anlysis
ARM RealView Profiler - Non-intrusive Analysis

	+31 77307 8438 +49 8914367945 Local numbers
	Send an email

Supplier Information

About TIOBE:
TIOBE is specialized in assessing and tracking the quality of software. We measure the quality of a software system by applying widely accepted coding standards to it.

TIOBE Software BV has been founded 1st of October 2000 with the aid of a major investment of Swiss company Synspace and some private investors. The name TIOBE stands for "The Importance Of Being Earnest". This is also the name of a comedy play written by Oscar Wilde at the end of the Nineteenth Century. By choosing this name, the founders of TIOBE Software emphasize their sincere and professional attitude towards customers, suppliers and colleagues.