Coverity static analysis for C, C++ and Java code

James Hunt james.hunt at
Mon Apr 8 13:40:59 UTC 2013

On 08/04/13 13:57, Matthias Klose wrote:
> Am 08.04.2013 14:13, schrieb James Hunt:
>> As a precis of my earlier blog post [1], I'd like to encourage those involved
>> with a C, C++ or Java project in Ubuntu to take a look at the Coverity Scan
>> static-analysis service offered free to OSS projects [2].
>> We're already using it for critical packages including Upstart and Whoopsie [3],
>> but it would be great to expand its scope to make it use the norm rather than
>> the exception.
> Did it catch the wrong use of the malloc attribute in upstart? ;)
I don't know - we were using it in anger then and I've now fixed that gcc
function attribute issue :)

>> For those who have either never used static analysis tools, or have simply never
>> used Coverity, don't fall into the trap of thinking that "gcc -pedantic -Wall"
>> should be good enough for anyone - it simply is not.
> I don't know where you did get this from ...  Anyway, not using -Wextra leaves
> out more things.
> while not static analysis tools, you might want to look at -fsanitize=address
> and -fsanitize=thread in GCC 4.8 (available in the ubuntu-toolchain-r/test PPA).
Will do, thanks.

> There's also clang --analyze, scan-view and scan-build in the clang package as a
> static analyzer.
Yes, I have used and continue to use these tools. However, from my experiences,
they are not as thorough as Coverity for the codebases I'm regularly looking at.

> And all of these are free software.
Back in the day, splint [1] rocked on static analysis but the project appears to
have languished - it doesn't even appear to handle C99. YMMV but IMHO, Coverity
Scan is the most thorough static-analysis tool available to OSS developers today
that I've seen. Maybe if splint were to be revived my opinion may change... ;)

>   Matthias

Kind regards,


[1] -
James Hunt
#upstart on freenode

More information about the ubuntu-devel mailing list