Coverity and Klocwork code analyzers drill deeper
Industry leaders show remarkable scalability and prowess but differ in design philosophy
Remarkable increases in hardware performance are enabling the design and creation of tools that were simply not possible years ago. With two processor cores tearing through 3 billion instructions per second, it's now possible to devise tools that perform rich, very thorough analyses very quickly.
Coverity Prevent and Klocwork K7 are two such tools; they analyze source code for bugs and defects using a variety of techniques, including stepping through all possible execution paths. As a result, they detect infelicities that are not caught in testing, nor necessarily detected in manual code inspections. These products are especially valuable to sites with very large code bases, especially if those applications are important or mission-critical. My review showed Klocwork K7 holding an edge over Coverity Prevent. However, the products are close enough in many respects that both warrant consideration before any purchase is finalized.
Going to the source
Both tools transcend the traditional concept of static code analysis, so understanding them requires something of a mind shift. The most widely known static code analyzer is lint, the code scanner bundled with Unix for decades. Lint looks for infelicities in C and C++ code and for suspicious constructs. For example, it flags suspicious indentation, possible truncation when a large value is copied to a smaller variable, as well as a host of other possible bugs. Good lint utilities often generate hundreds of warnings, and using lint often means learning how to reduce the number of warnings generated by items of no real concern to you -- aka false positives.
K7 and Prevent do not traffic in this kind of bug sniffing. They relegate those bugs to lint and look for more insidious defects. For example, both specialize in stepping through every possible executable path through the code base. They search for functions that are called incorrectly or with invalid values and then report on the specific path through the code that leads to the undesired result. They also look for other dangerous items, such as references to variables whose memory has been de-allocated by code in other functions, and so on. Essentially, any defects that arise from cross-functional code errors are their stock in trade.
The intended beneficiaries of this analysis are sites with large code bases -- typically 500,000 or more lines of code. With that much code, sites simply cannot use other means to traverse all the code paths to ensure everything lines up as it should. So, having tools that automate this analysis and work backward through hundreds of function calls, if need be, to track down a possibly corrupted value is a valuable resource, especially in handling edge cases that might escape typical functional testing. In preparing this review, I looked at small to midsize code bases -- the largest being 80,000 lines -- and I spoke with customers of both vendors, some of whom used the products on projects that exceeded 20 million lines of code.
Much in common