What tools do you use for static code analysis?

I set up the Hudson Continuous Integration (CI) build system for my iPhone Objective-C projects (iOS apps) and compiled a varied list of tools that I can use to analyze my projects during build:

• Clang Static Analyzer : A free, modern, standalone tool that catches more problems than the version of Clang included in Xcode 4. Active project. - visit http://clang-analyzer.llvm.org

• Doxygen : A free documentation tool that also generates class dependency diagrams. Active project - visit http://www.doxygen.nl

• HFCCA (Cyclomatic complexity analyzer without headers): A free Python script to calculate code complexity, but without header files and preprocessors. Supports XML output for Hudson / Jenkins assemblies. Active project. - visit http://code.google.com/p/headerfile-free-cyclomatic-complexity-analyzer.

• CLOC (counting lines of code): a free tool for counting files, lines of code, comments, and blank lines. Supports diffing, so you can see the differences between assemblies. Active project. - visit http://cloc.sourceforge.net

• SLOCcount (number of lines of source code): a free tool for counting lines of code and estimating costs and time associated with a project. Doesn't seem active. - visit http://sourceforge.net/projects/sloccount and http://www.dwheeler.com/sloccount

• AnalysisTool : A free code analysis tool that measures code complexity and also generates dependency diagrams. Not active. It doesn't seem to work with Xcode 4, but I would like it to work. - visit http://www.karppinen.fi/analysistool

For C ++, I use CppCheck. It seems to be working fine.

I am using the PMD plugin for Eclipse. It is quite nice and very customizable. CheckStyle is also good if you are looking for more style elements.

Checkstyle, Findbugs and PMD work in Java. I am currently very pleased with PMD working at NetBeans. It has a pretty simple GUI for managing the rules you want to run. It is also very easy to run verification in a single file, a whole package, or a whole project.

Also see the question Selecting a tool for analyzing static code if you are looking for C / UNIX-based tools.

Obviously, the answer depends on programming languages. UNO is suitable for C programs.

@ Thomas Owens: I think you meant Shint.

Lint is the only thing I used in the previous position. It was not bad, most of the things it offered were good catches, some did not make much sense. Until you have a process to make sure there are no lint errors or warnings, it is useful to use some hidden errors.

We use QAC programming for our C code. Works fine.

We recently talked about checking out some more advanced and static / dynamic code analyzers, such as Coverity Prevent or the GrammaTech analysis tool.

They claim that not only static analysis, but also the detection of runtime errors, etc. It is assumed that in one of the main points of sale there are fewer false positives.

We use Coverity Prevent in Palm to analyze C and C ++ code, and it did a great job of detecting some hidden errors in our code. It also detects many problems that are unlikely to be affected, but it’s easy to note that they will not be fixed or “not a problem” in the code database that the tool generates. This is expensive, but the company sometimes works on open source projects and provides reports for maintainers. They have a white paper about our use of the product on their website if you want to learn more about our experience.

My administrators are really cheap, so I can only use cheap tools:

1) UDP (C / C ++ Code Counter): various results related to the number of lines (compared to comment lines, cyclic complexity, information flow, ...) 2) Semian: The fastest search for duplicate code that I when I tried it. 3) LOC Metrix: Not very useful, but can help make a point.

The only time I used one of these tools is Split (C programming language). I thought this was useful, but I was by no means a strong user, and I think I barely scratched the surface of what he could do.