user32262

Reputation: 8850

Developing a static source code analysis tool for proprietary API?

There is a proprietary API that is built on top of C++. So it uses all the features of C++ and then has its own APIs. There are some APIs that function exactly the same as the C++ API (for example, for malloc there is Stralloc); these APIs are provided for performance reasons.

Though there are many static code analyzers available for C++, we cannot use any of them. There is a need to have a static code analyzer which could be run on the code with proprietary APIs.

I would like to know how to begin developing the code analyzer. It need not be as feature oriented as the ones available for C++. I want to start with basic stuff like reporting unused variables, buffer overflows, memory leaks.

Any guidance will be appreciated.

[UPDATE] I found the following question, which is what I was looking for; the only difference is that, instead of Java, my concern is proprietary APIs. So far I have got a couple of good answers, but I would really like to know more from people who have been through this kind of development.

Introduction to Static Analysis

Upvotes: 3

Views: 935

Answers (4)

Ira Baxter

Reputation: 95420

Parsing C++ is very hard in practice. If you have a C++ extended dialect, you need a full C++ parser that is "easily" bent to your dialect, and has means to build analysis tools.

The DMS Software Reengineering Toolkit is a fully customizable generic analysis and transformation infrastructure, providing general parsing, tree building, symbol table construction and flow analysis capabilities. It is used to build fully custom analyzers.

It has a C++ Front End that handles several standard dialects of C++, and can be customized to handle other extensions. The C++ front end has full preprocessor capabilities, parses and builds ASTs, and does full C++ name and type analysis.

Upvotes: 1

Paul Biggar

Reputation: 28769

Do not try to write this from scratch. C++ is notoriously difficult to even parse, and I don't think you'd get far on this route.

You should use an extendible C++ static analyser, so that you can write your own plugins to analyse your library calls. Off the top of my head, I would suggest:

  • The gcc C++ front-end (gcc now has plugins)
  • The EDG C++ parser
  • Rose (uses EDG)
  • LLVM (perhaps using clang, but it might not be ready for primetime)
  • Microsoft's Phoenix Framework (I assume it can do this, I have not checked).

The best answer is likely clang or rose.

Upvotes: 1

user134582

Reputation: 21

Solutions like Coverity and Klocwork have an extensible rule set where you can write your own rules. You can also configure the tool so that their standard memory checks understand custom memory allocators. Some limitations apply though.

It's useful to use these tools because then you can borrow off the same workflow. Again, it depends on what code you have and what exactly you are looking to do.

Upvotes: 2
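As an added illustration that is not part of the answer above or any vendor's configuration: GCC 11 and later let a header pair a custom allocator with its deallocator through the `malloc` function attribute, which `-Wmismatched-dealloc` and `-fanalyzer` then use in their memory checks. `Stralloc` is the name from the question; its signature, the `Strfree` counterpart and the helper functions are assumptions.

```c
/* Added example. Stralloc is named in the question; its signature and
   Strfree are assumptions made for illustration. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* GCC 11+ pairs an allocator with its deallocator via malloc(fn, arg-index). */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
#  define PAIRED_WITH(fn) __attribute__((malloc, malloc(fn, 1)))
#else
#  define PAIRED_WITH(fn) /* other compilers: build without the annotation */
#endif

static size_t live_blocks; /* runtime count of blocks not yet released */

void Strfree(void *p);                          /* hypothetical deallocator */
PAIRED_WITH(Strfree) void *Stralloc(size_t n);  /* assumed signature */

void Strfree(void *p) { if (p) { live_blocks--; free(p); } }
void *Stralloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
size_t live_block_count(void) { return live_blocks; }

/* Correct: every path releases the buffer. Returns the length copied. */
size_t copy_ok(const char *s) {
    size_t n = strlen(s);
    char *buf = (char *)Stralloc(n + 1);
    if (!buf) return 0;
    memcpy(buf, s, n + 1);
    Strfree(buf);
    return n;
}

/* Defective: the early return for long inputs never calls Strfree. */
size_t copy_leaky(const char *s) {
    size_t n = strlen(s);
    char *buf = (char *)Stralloc(n + 1);
    if (!buf) return 0;
    if (n > 8) return 0;   /* buf is leaked on this path */
    memcpy(buf, s, n + 1);
    Strfree(buf);
    return n;
}

int main(void) {
    /* Short inputs never reach the leaking branch, so this run looks clean. */
    return (copy_ok("abc") == 3 && copy_leaky("abc") == 3
            && live_block_count() == 0) ? 0 : 1;
}
```

Building this with `gcc -fanalyzer` lets the analyzer treat `Stralloc`/`Strfree` like `malloc`/`free`, so the early return in `copy_leaky` is the kind of path its leak check examines even though the short test input never exercises it.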

thedz

Reputation: 5572

I'm confused:

Is this a language implementation on top of C++ or just a set of APIs on top of C++?

If the latter, any normal C++ profiler will capture things like memory leaks and overflows.

Upvotes: 2
