Scripts · May 30, 2026 · 3 min read

Cppcheck — Static Analysis Tool for C and C++ Code

Detect bugs, undefined behavior, and dangerous coding patterns in C/C++ projects without false-positive noise.

Agent-ready

Agent-ready installation

This asset can be installed after choosing the runtime, reviewing the plan, and running the corresponding command.

Native · 98/100 · Policy: allow

  • Agent surface: Any MCP/CLI agent
  • Type: Skill
  • Installation: Single
  • Trust: Established
  • Entry: Cppcheck Overview

Direct install command:
npx -y tokrepo@latest install 105edd89-5c03-11f1-9bc6-00163e2b0d79 --target codex

Run after confirming the plan with a dry run.

Introduction

Cppcheck is a static analysis tool for C and C++ code that focuses on detecting real bugs rather than stylistic issues. It catches undefined behavior, memory leaks, buffer overflows, and null pointer dereferences with a low false-positive rate, making it practical for daily use in CI pipelines.

What Cppcheck Does

  • Detects undefined behavior, out-of-bounds access, and use-after-free errors
  • Finds memory leaks, resource leaks, and missing deallocations
  • Identifies null pointer dereferences through path-sensitive analysis
  • Checks for MISRA C and MISRA C++ compliance in safety-critical projects
  • Supports custom rules and suppressions to reduce noise for specific codebases

Architecture Overview

Cppcheck parses C/C++ source files into an abstract syntax tree and applies a library of checkers that perform flow-sensitive analysis. Value flow tracking propagates known values through assignments and branches to detect issues at specific code paths. The tool does not use a full preprocessor; instead, it analyzes all possible preprocessor configurations by default. Check libraries describe the behavior of standard and third-party APIs (like POSIX, Qt, OpenSSL) so the analyzer understands function contracts without seeing their source.

Self-Hosting & Configuration

  • Install via system package managers (apt, brew, choco) or build from source with CMake
  • Configure check severity levels: error, warning, style, performance, and portability
  • Use --suppress and inline comments to silence known false positives
  • Add check libraries (XML files) for project-specific APIs and frameworks
  • Integrate with CI via XML, SARIF, or plain-text output and the --error-exitcode flag
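
One way to gate a CI job on the XML output and the severity levels listed above, as an added example that is not code from the original page or from the Cppcheck project. The report is a constructed sample, and the function names and the policy of blocking on error and warning are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# Severities that fail the build (an assumed policy; adjust per project).
BLOCKING = {"error", "warning"}

# Constructed sample in Cppcheck's XML report layout; not real tool output.
SAMPLE_REPORT = """<results version="2">
  <cppcheck version="sample"/>
  <errors>
    <error id="nullPointer" severity="error" msg="Null pointer dereference: p" cwe="476">
      <location file="src/parse.c" line="42" column="9"/>
    </error>
    <error id="memleak" severity="error" msg="Memory leak: buf" cwe="401">
      <location file="src/io.c" line="88" column="5"/>
    </error>
    <error id="unusedVariable" severity="style" msg="Unused variable: tmp" cwe="563">
      <location file="src/io.c" line="12" column="9"/>
    </error>
    <error id="missingIncludeSystem" severity="information" msg="Include file not found"/>
  </errors>
</results>"""

def parse_findings(xml_data):
    """Return one dict per <error>, using its first <location> if present."""
    findings = []
    for err in ET.fromstring(xml_data).iter("error"):
        loc = err.find("location")  # some findings carry no location
        findings.append({
            "id": err.get("id", ""),
            "severity": err.get("severity", ""),
            "msg": err.get("msg", ""),
            "cwe": err.get("cwe"),
            "file": loc.get("file") if loc is not None else None,
            "line": int(loc.get("line", "0")) if loc is not None else None,
        })
    return findings

def gate(findings, blocking=BLOCKING):
    """Return the findings whose severity should fail the build."""
    return [f for f in findings if f["severity"] in blocking]

def main(argv):
    # With --xml, Cppcheck writes the report to stderr: cppcheck --xml src 2> report.xml
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_REPORT
    failed = gate(parse_findings(data))
    for f in failed:
        print(f"{f['file']}:{f['line']}: {f['severity']}: {f['msg']} [{f['id']}]")
    return 1 if failed else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the path of a saved report as the first argument; with no argument the script runs against the embedded sample and exits with status 1.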

Key Features

  • Low false-positive rate by design: every reported issue should be a real problem
  • MISRA C/C++ compliance checking for automotive, medical, and safety-critical software
  • Multi-threaded analysis with -j flag for faster scanning of large codebases
  • IDE integrations for VS Code, CLion, Visual Studio, and Eclipse
  • Check library system that models external API contracts without needing their source code

Comparison with Similar Tools

  • Clang-Tidy — part of the LLVM project with broader refactoring capabilities; Cppcheck focuses on bug detection with fewer false positives
  • PVS-Studio — commercial analyzer with deeper analysis; Cppcheck is free and open-source
  • Coverity — enterprise-grade with CI integration; Cppcheck runs locally with zero setup
  • GCC -fanalyzer — built into GCC 10+; Cppcheck works across compilers and has a wider checker set
  • SonarQube C++ — platform-based with dashboards; Cppcheck is a standalone CLI tool

FAQ

Q: Does Cppcheck replace compiler warnings? A: No. Use both. Cppcheck finds issues that compilers miss, like cross-function null pointer dereferences and resource leaks.

Q: How do I integrate Cppcheck with CI? A: Run cppcheck --error-exitcode=1 in your CI script. It returns non-zero if errors are found. Use --xml for machine-readable output.

Q: Can Cppcheck analyze C++ header-only libraries? A: Yes. Point it at the header files. It will parse templates and inline functions.

Q: Does it support C++20 and later? A: Yes. Cppcheck supports modern C++ standards including C++20. Use the --std flag to specify the standard version.
