public inbox for gcc@gcc.gnu.org
* c/c++ validator
@ 2005-06-18 22:24 Tommy Vercetti
  2005-06-18 22:32 ` Mathieu Malaterre
  2005-06-19  3:04 ` Mark Loeser
  0 siblings, 2 replies; 14+ messages in thread
From: Tommy Vercetti @ 2005-06-18 22:24 UTC (permalink / raw)
  To: gcc

Hi folks

I would like to ask you about source validation software. Software that runs 
through source code, and attempts to find any possible memory leaks, and other 
problems. Is there anything opensource for C or/and C++ out there?

I know it's the wrong list to ask for it, but that's quite close to compilers, 
and some of you may know about it.

Thanks.

-- 
Vercetti


* Re: c/c++ validator
  2005-06-18 22:24 c/c++ validator Tommy Vercetti
@ 2005-06-18 22:32 ` Mathieu Malaterre
  2005-06-18 22:38   ` Tommy Vercetti
  2005-06-19  3:04 ` Mark Loeser
  1 sibling, 1 reply; 14+ messages in thread
From: Mathieu Malaterre @ 2005-06-18 22:32 UTC (permalink / raw)
  To: Tommy Vercetti; +Cc: gcc

Something like:

http://www.cs.rpi.edu/~gregod/STLlint/STLlint.html

HTH
Mathieu

Tommy Vercetti wrote:
> Hi folks
> 
> I would like to ask you about source validation software. Software that runs 
> through source code, and attempts to find any possible memory leaks, and other 
> problems. Is there anything opensource for C or/and C++ out there?
> 
> I know it's the wrong list to ask for it, but that's quite close to compilers, 
> and some of you may know about it.
> 
> Thanks.
> 


* Re: c/c++ validator
  2005-06-18 22:32 ` Mathieu Malaterre
@ 2005-06-18 22:38   ` Tommy Vercetti
  2005-06-19  1:03     ` Gabriel Dos Reis
  0 siblings, 1 reply; 14+ messages in thread
From: Tommy Vercetti @ 2005-06-18 22:38 UTC (permalink / raw)
  To: gcc

On Sunday 19 June 2005 00:32, you wrote:
> Something like:
>
> http://www.cs.rpi.edu/~gregod/STLlint/STLlint.html

Yeah, but for more than just STL, and opensource. C++ checker that is going to 
work for instance for KDE.
 Wonder why they use proprietary parser, there are opensource parsers around, 
like elsa, or gcc c++ parser.

> HTH
> Mathieu
>
> Tommy Vercetti wrote:
> > Hi folks
> >
> > I would like to ask you about source validation software. Software that
> > runs through source code, and attempts to find any possible memory leaks,
> > and other problems. Is there anything opensource for C or/and C++ out
> > there ?
> >
> > I know it's the wrong list to ask for it, but that's quite close to
> > compilers, and some of you may know about it.
> >
> > Thanks.

-- 
Vercetti


* Re: c/c++ validator
  2005-06-18 22:38   ` Tommy Vercetti
@ 2005-06-19  1:03     ` Gabriel Dos Reis
  2005-06-19  1:44       ` Tommy Vercetti
  0 siblings, 1 reply; 14+ messages in thread
From: Gabriel Dos Reis @ 2005-06-19  1:03 UTC (permalink / raw)
  To: Tommy Vercetti; +Cc: gcc

Tommy Vercetti <vercetti@zlew.org> writes:

| On Sunday 19 June 2005 00:32, you wrote:
| > Something like:
| >
| > http://www.cs.rpi.edu/~gregod/STLlint/STLlint.html
| 
| Yeah, but for more than just STL, and opensource. C++ checker that
| is going to work for instance for KDE.
|  Wonder why they use proprietary parser,

maybe because they work? ;-p

| there are opensource
| parsers around,  like elsa, or gcc c++ parser.

Elsa does not parse C++.  

GCC/g++ parser is tightly integrated to GCC.

Most of the tools I know of are either "research projects" (which
means that they basically "die" when the professor gets promoted or the
students graduate; there are lots of them out there) or are/use
proprietary tools. 

We need to get GCC/g++ to a competing level of usefulness but the road
is not quite that straight.

-- Gaby


* Re: c/c++ validator
  2005-06-19  1:03     ` Gabriel Dos Reis
@ 2005-06-19  1:44       ` Tommy Vercetti
  2005-06-19  2:05         ` Gabriel Dos Reis
  0 siblings, 1 reply; 14+ messages in thread
From: Tommy Vercetti @ 2005-06-19  1:44 UTC (permalink / raw)
  To: gcc

On Sunday 19 June 2005 03:03, you wrote:
> Tommy Vercetti <vercetti@zlew.org> writes:
> | On Sunday 19 June 2005 00:32, you wrote:
> | > Something like:
> | >
> | > http://www.cs.rpi.edu/~gregod/STLlint/STLlint.html
> |
> | Yeah, but for more than just STL, and opensource. C++ checker that
> | is going to work for instance for KDE.
> |  Wonder why they use proprietary parser,
>
> maybe because they work? ;-p

> | there are opensource
> | parsers around,  like elsa, or gcc c++ parser.
>
> Elsa does not parse C++.
Elsa is for C/C++, so it says on their website.

> GCC/g++ parser is tightly integrated to GCC.
>
> Most of the tools I know of are either "research projects" (which
> means that they basically "die" when the professor gets promoted or the
> students graduate; there are lots of them out there) or are/use
> proprietary tools.
>
> We need to get GCC/g++ to a competing level of usefulness but the road
> is not quite that straight.

Yep.

Btw, don't have to cc me, I'm reading that list.

-- 
Vercetti


* Re: c/c++ validator
  2005-06-19  1:44       ` Tommy Vercetti
@ 2005-06-19  2:05         ` Gabriel Dos Reis
  2005-06-19  2:16           ` Mathieu Malaterre
  0 siblings, 1 reply; 14+ messages in thread
From: Gabriel Dos Reis @ 2005-06-19  2:05 UTC (permalink / raw)
  To: Tommy Vercetti; +Cc: gcc

Tommy Vercetti <vercetti@zlew.org> writes:

| On Sunday 19 June 2005 03:03, you wrote:
| > Tommy Vercetti <vercetti@zlew.org> writes:
| > | On Sunday 19 June 2005 00:32, you wrote:
| > | > Something like:
| > | >
| > | > http://www.cs.rpi.edu/~gregod/STLlint/STLlint.html
| > |
| > | Yeah, but for more than just STL, and opensource. C++ checker that
| > | is going to work for instance for KDE.
| > |  Wonder why they use proprietary parser,
| >
| > maybe because they work? ;-p
| 
| > | there are opensource
| > | parsers around,  like elsa, or gcc c++ parser.
| >
| > Elsa does not parse C++.
| Elsa is for C/C++, so it says on their website.

I know what the website says.  My comment was about the actual *uses*
of the parser.  Have you tried it on actual C++ programs? 

-- Gaby


* Re: c/c++ validator
  2005-06-19  2:05         ` Gabriel Dos Reis
@ 2005-06-19  2:16           ` Mathieu Malaterre
  2005-06-19  2:48             ` Gabriel Dos Reis
  0 siblings, 1 reply; 14+ messages in thread
From: Mathieu Malaterre @ 2005-06-19  2:16 UTC (permalink / raw)
  To: gcc

Gabriel Dos Reis wrote:
> Tommy Vercetti <vercetti@zlew.org> writes:
> 
> | On Sunday 19 June 2005 03:03, you wrote:
> | > Tommy Vercetti <vercetti@zlew.org> writes:
> | > | On Sunday 19 June 2005 00:32, you wrote:
> | > | > Something like:
> | > | >
> | > | > http://www.cs.rpi.edu/~gregod/STLlint/STLlint.html
> | > |
> | > | Yeah, but for more than just STL, and opensource. C++ checker that
> | > | is going to work for instance for KDE.
> | > |  Wonder why they use proprietary parser,
> | >
> | > maybe because they work? ;-p
> | 
> | > | there are opensource
> | > | parsers around,  like elsa, or gcc c++ parser.
> | >
> | > Elsa does not parse C++.
> | Elsa is for C/C++, so it says on their website.
> 
> I know what the website says.  My comment was about the actual *uses*
> of the parser.  Have you tried it on actual C++ programs? 

How about gccxml:

http://www.gccxml.org

Mathieu


* Re: c/c++ validator
  2005-06-19  2:16           ` Mathieu Malaterre
@ 2005-06-19  2:48             ` Gabriel Dos Reis
  2005-06-19 20:58               ` Tommy Vercetti
  0 siblings, 1 reply; 14+ messages in thread
From: Gabriel Dos Reis @ 2005-06-19  2:48 UTC (permalink / raw)
  To: Mathieu Malaterre; +Cc: gcc

Mathieu Malaterre <mmalater@nycap.rr.com> writes:

| Gabriel Dos Reis wrote:
| > Tommy Vercetti <vercetti@zlew.org> writes:
| > | On Sunday 19 June 2005 03:03, you wrote:
| > | > Tommy Vercetti <vercetti@zlew.org> writes:
| > | > | On Sunday 19 June 2005 00:32, you wrote:
| > | > | > Something like:
| > | > | >
| > | > | > http://www.cs.rpi.edu/~gregod/STLlint/STLlint.html
| > | > |
| > | > | Yeah, but for more than just STL, and opensource. C++ checker that
| > | > | is going to work for instance for KDE.
| > | > |  Wonder why they use proprietary parser,
| > | >
| > | > maybe because they work? ;-p
| > |
| > | > | there are opensource
| > | > | parsers around,  like elsa, or gcc c++ parser.
| > | >
| > | > Elsa does not parse C++.
| > | Elsa is for C/C++, so it says on their website.
| > I know what the website says.  My comment was about the actual *uses*
| > of the parser.  Have you tried it on actual C++ programs?
| 
| How about gccxml:
| 
| http://www.gccxml.org

It is not a C++ parser :-) -- if you're interested in function bodies
and other more fundamental things, you lose.  It suffers from the same
problems (at least ones we've found quite annoying) of using GCC
currently:  too much of low-level stuff directly geared to code 
generation as understood by GCC now, and C++ programs are not
represented at the most abstract level (contrast that with a
celebrated C++ front-end on the market).  And it also shares problems
with Elsa, no real support for templates (although the case of Elsa is
slightly "worse" :-)).  Now, if you're just interested in simple
"toplevel" decls, then that might be fine :-) 

-- Gaby


* Re: c/c++ validator
  2005-06-18 22:24 c/c++ validator Tommy Vercetti
  2005-06-18 22:32 ` Mathieu Malaterre
@ 2005-06-19  3:04 ` Mark Loeser
  1 sibling, 0 replies; 14+ messages in thread
From: Mark Loeser @ 2005-06-19  3:04 UTC (permalink / raw)
  To: Tommy Vercetti; +Cc: gcc


Tommy Vercetti wrote:
> Hi folks
> 
> I would like to ask you about source validation software. Software that runs 
> through source code, and attempts to find any possible memory leaks, and other 
> problems. Is there anything opensource for C or/and C++ out there?

My summer research project that I'm working on is very closely related
to this.  It's a static analysis tool that looks for problems like buffer
overflows, uninitialized variables, and division by zero.  Unfortunately
it's not yet open sourced (probably because it's still really really
beta), but I'm trying to talk to my advisor to see if he'd let me
continue working on it on my own and open source it, or if he is going
to release it at some point.

If you are interested, email me back off list and I'll talk to my advisor.

Mark Loeser



* Re: c/c++ validator
  2005-06-19  2:48             ` Gabriel Dos Reis
@ 2005-06-19 20:58               ` Tommy Vercetti
  2005-06-20 19:53                 ` Kai Henningsen
  0 siblings, 1 reply; 14+ messages in thread
From: Tommy Vercetti @ 2005-06-19 20:58 UTC (permalink / raw)
  To: gcc

On Sunday 19 June 2005 04:48, Gabriel Dos Reis wrote:
> Mathieu Malaterre <mmalater@nycap.rr.com> writes:
> | Gabriel Dos Reis wrote:
> | > Tommy Vercetti <vercetti@zlew.org> writes:
> | > | On Sunday 19 June 2005 03:03, you wrote:
> | > | > Elsa does not parse C++.
> | > |
> | > | Elsa is for C/C++, so it says on their website.
> | >
> | > I know what the website says.  My comment was about the actual *uses*
> | > of the parser.  Have you tried it on actual C++ programs?

They claim it does compile qt, and they work on making it compile KDE. That's 
enough for me. 
On free software "market" there is lack of good static checker/validator of 
c++ code. 
I was looking on different ones, for C, that claimed to have ability to find 
security problems. One that I found the best, is splint. But it's still not 
able to find such obvious problem:

char a[10];
/* a has 10 elements, but the loop indexes a[0] through a[99] */
for( unsigned int i = 0; i< 100 ; i++ ) {
	a[i]=a[i]+1;
}

Even though it analyzes buffers, and other stuff. So...
Plus it can't do that for c++. 
It shouldn't be so hard, if they have code that gathers so much information 
already, and can find infinite loops, even not easy cases..

Elsa parses c++ code well enough for me, to at least try to write some code 
that will do something like that. Elsa, though, has one potential problem, it's 
on bsd licence. Licence issues sux. 
You can't take some code from splint, and stick it into bsd code. I guess, but 
I may be wrong. I don't even think that it will work from design point of 
view.

> | How about gccxml:
> |
> | http://www.gccxml.org
>
> It is not a C++ parser :-) -- if you're interested in function bodies
> and other more fundamental things, you lose.  It suffers from the same
> problems (at least ones we've found quite annoying) of using GCC
> currently:  too much of low-level stuff directly geared to code
> generation as understood by GCC now, and C++ programs are not
> represented at the most abstract level (contrast that with a
> celebrated C++ front-end on the market).  And it also shares problems
> with Elsa, no real support for templates (although the case of Elsa is
> slightly "worse" :-)).  Now, if you're just interested in simple
> "toplevel" decls, then that might be fine :-)

gccxml parser is a good idea maybe, but I don't think it's good for what I am 
looking for.

-- 
Vercetti
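
The kind of check the message above asks for, as an added example that is not part of the original thread and is not code from splint or any other tool named in it: for a counted loop with an affine index, compare the range of the index with the declared array length. The struct, enum and function names are hypothetical, and the model assumes i starts at 0.

```c
#include <stdio.h>

/* Constructed model of: for (i = lo; i < hi; i += step) ... a[scale*i + offset] ... */
struct loop_access {
    long array_len;      /* declared element count, 10 for "char a[10]" */
    long lo, hi, step;   /* induction variable range and increment */
    long scale, offset;  /* index expression is scale*i + offset */
};

enum verdict { ACCESS_SAFE, ACCESS_OUT_OF_BOUNDS, ACCESS_UNKNOWN };

static int in_bounds(const struct loop_access *l, long i)
{
    long idx = l->scale * i + l->offset;
    return idx >= 0 && idx < l->array_len;
}

/* Hypothetical checker: on ACCESS_OUT_OF_BOUNDS, *first_bad_i receives the
 * first value of i whose access falls outside the array. */
enum verdict check_loop_access(const struct loop_access *l, long *first_bad_i)
{
    if (l->step <= 0 || l->array_len <= 0)
        return ACCESS_UNKNOWN;           /* not a simple counted loop */
    if (l->lo >= l->hi)
        return ACCESS_SAFE;              /* body never runs */

    /* The index is affine in i, so its extremes occur at the first and
     * last iteration; checking those two decides the whole loop. */
    long last = l->lo + ((l->hi - 1 - l->lo) / l->step) * l->step;
    if (in_bounds(l, l->lo) && in_bounds(l, last))
        return ACCESS_SAFE;

    /* Report the first offending iteration for the diagnostic. */
    for (long i = l->lo; i < l->hi; i += l->step) {
        if (!in_bounds(l, i)) {
            *first_bad_i = i;
            break;
        }
    }
    return ACCESS_OUT_OF_BOUNDS;
}

int main(void)
{
    /* The loop from the message: char a[10]; i runs 0..99; index is i. */
    struct loop_access page_loop = { 10, 0, 100, 1, 1, 0 };
    long bad = -1;
    if (check_loop_access(&page_loop, &bad) == ACCESS_OUT_OF_BOUNDS)
        printf("a[i] out of bounds from i = %ld (array length %ld)\n",
               bad, page_loop.array_len);
    return 0;
}
```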


* Re: c/c++ validator
  2005-06-19 20:58               ` Tommy Vercetti
@ 2005-06-20 19:53                 ` Kai Henningsen
  2005-06-20 20:58                   ` Tommy Vercetti
  0 siblings, 1 reply; 14+ messages in thread
From: Kai Henningsen @ 2005-06-20 19:53 UTC (permalink / raw)
  To: gcc

vercetti@zlew.org (Tommy Vercetti)  wrote on 19.06.05 in <200506192258.00250@gj-laptop>:

> I was looking on different ones, for C, that claimed to have ability to find
> security problems. One that I found the best, is splint. But it's still not
> able to find such obvious problem:

Did you look at sparse? That seems to do quite a useful job on the Linux  
kernel (which is, of course, the main reason for its existence). I don't  
really have an idea how good it would be on non-kernel C code. (Not C++,  
obviously.)

MfG Kai


* Re: c/c++ validator
  2005-06-20 19:53                 ` Kai Henningsen
@ 2005-06-20 20:58                   ` Tommy Vercetti
  0 siblings, 0 replies; 14+ messages in thread
From: Tommy Vercetti @ 2005-06-20 20:58 UTC (permalink / raw)
  To: gcc

On Monday 20 June 2005 10:12, Kai Henningsen wrote:
> vercetti@zlew.org (Tommy Vercetti)  wrote on 19.06.05 in <200506192258.00250@gj-laptop>:
> > I was looking on different ones, for C, that claimed to have ability to
> > find security problems. One that I found the best, is splint. But it's
> > still not able to find such obvious problem:
>
> Did you look at sparse? That seems to do quite a useful job on the Linux
> kernel (which is, of course, the main reason for its existence). I don't
> really have an idea how good it would be on non-kernel C code. (Not C++,
> obviously.)
sparse is fairly primitive. So far splint does the job, almost. And only for 
C :/

-- 
Vercetti


* Re: c/c++ validator
@ 2005-06-19 23:59 David Bremner
  0 siblings, 0 replies; 14+ messages in thread
From: David Bremner @ 2005-06-19 23:59 UTC (permalink / raw)
  To: gcc

I compiled this list for the local C++ users group several months ago, 
it might be helpful.
http://www.nwcpp.org/Misc/Tools_DavidBremner.html

Regards,
David Bremner


* Re: c/c++ validator
@ 2005-06-19  2:41 Florian Krohm
  0 siblings, 0 replies; 14+ messages in thread
From: Florian Krohm @ 2005-06-19  2:41 UTC (permalink / raw)
  To: gdr; +Cc: vercetti, gcc

> Tommy Vercetti <vercetti@zlew.org> writes:
> 
> | Yeah, but for more than just STL, and opensource. C++ checker that
> | is going to work for instance for KDE.
> |  Wonder why they use proprietary parser,
> 

Gabriel Dos Reis wrote:

> Most of the tools I know of are either "research projects" (which
> means that they basically "die" when the professor gets promoted or the
> students graduate; there are lots of them out there) or are/use
> proprietary tools. 
> 
> We need to get GCC/g++ to a competing level of usefulness but the road
> is not quite that straight.
> 

Yes, twice. Among the things that you need are:

- detailed source code correspondence for every TREE node,
- you want to know whether a TREE node represents something that was
  compiler generated as opposed to written in the source (e.g. for
  cast operations)
- you most likely want an unlowered representation of the C++ source
  (and that will be the real hard part)
- you don't want the frontend to optimize anything, e.g no folding
  (ideally you want both the folded and unfolded expression)
- you might want to know whether a certain TREE node was the result of
  a macro expansion

I used a very old version of GCC (3.0.1) as the frontend for some 
static checker. We succeeded in hacking in support for some of the
above but C++ was a royal pain because of lowering. 

Florian

