Monday, 8 April 2013

Coverity static analysis for C, C++ and Java code

It's a well known principle of software engineering that the earlier bugs can be caught, the lower the overall cost. As such, testing needs to happen at every level. Once your project is at the coding stage, the earliest form of testing is on the code itself, not on the binaries the compiler produces.

We run a variety of tools over critical codebases such as Upstart and Whoopsie regularly to identify issues well before they "escape into the wild". These tools include Coverity Scan (see the list of projects already using it).

If you really care about your code and you are involved with a C, C++ or Java project, I'd strongly encourage you to take a look at this awesome tool. If you aren't directly involved in such projects, try contacting those running them and suggesting they use Coverity.

The Coverity Scan service is entirely free for OSS projects. You will need to register to obtain an account and then download the client analysis tool. Once set up, a particularly attractive feature is the ability to auto-upload the analysis data generated for your project using ESR's coverity-submit tool. This could, for example, be hooked into your upload or release process to ensure no code quality regressions. After you have uploaded the analysis data, you can browse through the results of the scan using the web interface in a variety of ways, including a view that shows the errors "inline" with markers added around the code Coverity has identified as problematic.

For those who have either never used static analysis tools, or have simply never used Coverity, don't fall into the trap of thinking that gcc -pedantic -Wall or even LLVM's scan-build should be "good enough for anyone" - it simply is not. Consider too Steckel's Rule to Success,

"Good enough is never good enough"

Coverity performs very deep analysis and its results may well surprise you... but rather that than unexpected surprises for your users.
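To make the "compiler warnings are not enough" point concrete, here is an added example (my own illustration, not code from the post or from Coverity). Both functions compile without a murmur under gcc -Wall -Wextra, but the first one dereferences a pointer that another function can return as NULL and leaks a buffer on an error path, exactly the kind of interprocedural defect a deep analyser reports (Coverity's NULL_RETURNS and RESOURCE_LEAK checkers cover these categories). The key/value table is constructed sample data; the function names are mine.

```c
/* Added example, not from the original post. The lookup table is constructed
 * sample data standing in for a real configuration store. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *const SAMPLE_KEYS[]   = { "host", "port" };
static const char *const SAMPLE_VALUES[] = { "localhost", "8080" };

/* Returns NULL for an unknown key: every caller must check the result. */
const char *lookup(const char *key)
{
    for (size_t i = 0; i < sizeof SAMPLE_KEYS / sizeof SAMPLE_KEYS[0]; i++)
        if (strcmp(SAMPLE_KEYS[i], key) == 0)
            return SAMPLE_VALUES[i];
    return NULL;
}

/* Buggy: compiles cleanly with -Wall -Wextra, yet
 *  (1) strlen(value) dereferences lookup()'s possibly-NULL return, a fact the
 *      compiler only sees by following the call (Coverity: NULL_RETURNS);
 *  (2) the early return leaks `buf` (Coverity: RESOURCE_LEAK).
 * Correct for known keys, crashes for unknown ones. */
size_t config_value_length_buggy(const char *key)
{
    char *buf = malloc(64);
    if (buf == NULL)
        return 0;
    const char *value = lookup(key);
    size_t n = strlen(value);          /* NULL dereference for an unknown key */
    if (n >= 64)
        return 0;                      /* buf is never freed on this path */
    memcpy(buf, value, n + 1);
    free(buf);
    return n;
}

/* Corrected: check the pointer once, size the buffer from the data, and
 * release it on every path that acquired it. */
size_t config_value_length(const char *key)
{
    const char *value = lookup(key);
    if (value == NULL)
        return 0;                      /* unknown key: report "no value", don't crash */
    size_t n = strlen(value);
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return 0;                      /* nothing acquired yet, nothing to release */
    memcpy(buf, value, n + 1);
    /* ... work with buf ... */
    free(buf);                         /* single release point */
    return n;
}

int main(void)
{
    printf("host  -> %zu\n", config_value_length("host"));    /* 9 */
    printf("port  -> %zu\n", config_value_length("port"));    /* 4 */
    printf("bogus -> %zu\n", config_value_length("bogus"));   /* 0, no crash */
    return 0;
}
```

Neither defect is a syntax or type error, so a compiler has no reason to complain; both require tracking a value across a function boundary and along every exit path, which is precisely what the analyser does and what a reviewer skimming the diff tends to miss.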

Apologies if this post sounds like a bit of a sales pitch. It really isn't though: the Coverity service is free and what they are offering really is too good to ignore.

Note: I have no affiliation with Coverity - I'm just extremely impressed with their Scan tool! :-)


  1. Even if it's gratis for free software, it is not free software itself, so I'm concerned: have you tried and compared it to free tools such as gcov or clang based tools?

  2. @Alexandre - I appreciate that. I use all the OSS tools you mention (and others such as smatch) *in combination* with Coverity. From my observations, Coverity has much better coverage than the current OSS offerings (however, I have no intention of stopping using the OSS tools).

    My favourite static-analysis tool used to be splint, but that project appears to have languished. If only someone would update it to support at least C99... :-)

  3. Hello, James.
    I suggest trying a new code analyzer CppCat -
