Do you recommend Enabling Code Analysis for C/C++ on Build? - c++

I'm using Visual Studio 2010, and in my C++/CLI project there are two Code Analysis settings:
Enable Code Analysis on Build
Enable Code Analysis for C/C++ on Build
My question is about the second setting.
I've enabled it and it takes a long time to run and it doesn't find much.
Do you recommend enabling this feature? Why?

The two options you specify control the automatic execution of Code Analysis on managed and native C++ respectively.
Code Analysis of managed code is performed by FXCop engine analyzing the generated IL.
Code Analysis of native code is performed during compilation by the PREFast engine analyzing the C++ source code.
I strongly encourage you to require your developers to have run CA on their code before checking it in. If you don't, you're:
Delaying the process of ensuring that your code has no known vulnerabilities and issues that could otherwise have been systematically removed from your product's source.
Denying your developers their right to improve their skills by learning incrementally what code they should not be writing and why.
Selling your customers short because they're the ones who will suffer from crashes and security issues when they're using your product.
Further, if you're writing native C++ and have not already planned to start adorning your code with SAL Annotations, then, frankly, someone at your place of work deserves to be dragged out into the street and humiliated! There's some great stuff coming down the pipe shortly in the next version of the SAL annotations - get on it now and be way ahead of the curve compared to your competitors! :)

Never did anything for me. In theory, it's supposed to help catch logical errors, but I've never found it to report anything.

We are using LINT to do a static code analysis for plain C++ applications (no .Net, no C++/CLI).
This is different from what you are using but probably the same principles can be applied.
We execute LINT like this:
During a build, only the changed sources (CPP files) are run through LINT. Possibly many more files are being recompiled (if a header file is changed), but only the changed .CPP files are run through LINT.
Run the static code analysis on all files on a Continuous Integration server. If it finds something, let it mail the error to the developers that most recently committed changes to the versioning system, or to the main developer.
What you could do additionally is to perform a static code analysis on all files that are committed to your versioning system. E.g. in Subversion you could do this in a commit-trigger.

Related

Is there a continuous compilation plugin for Visual Studio Code like Godbolt's Compiler Explorer?

I wanted something that would compile automatically after a given number of (milli)seconds and display the results in the "Problems" tab.
The current behavior is to statically analyze every file on itself, which typically misses a lot of context (macros primarily) and produces a quasi-infinite array of false positives that make its use typically very difficult, at least on my particular use cases.
I found Matt Ever's Compiler Explorer plugin but it suffers from the original problem: it analizes each source file without context.
I do not really need to see the generated assembly side-by-side, although having that would be fantastic as I could stop using objdump for that purpose on a terminal.
The main requirement here is really to not take my hands off the keyboard to issue a build command - and respective mouse moves etc. I need context-dependent squiggles, tightly integrated with the build system I am currently using.
I am aiming primarily at C++ with CMake so a good solution would take advantage of the output this build system generates. I would not mind if the solution is specific to a single cmake generator as Make or Ninja.
Suggestions and even DIY solutions are very very welcome. Thank you!

Why is Code Contract analysis not installed by default

We're just beginning a new project and we're keen to include testing from the ground up.
While we were looking at which unit test solution to use I came across Code Contracts which seem like they offer an easier way to check things like null parameter passing without having to write independent unit test methods.
One thing I am little confused about and makes me wary of investing heavily in Code Contract checks, is the fact that the analysis tool needs to be downloaded from DevLabs and isn't included in VS2012 by default.
What is the reason for this?
Additionally: It seems people are reporting that VS2012 support for Code Contract analysis seems flakey, why would be use Code Contracts if the analysis capabilities aren't very good?
I can't speak for VS2012, but it works perfectly fine for me in VS2010. There is a very minor conflict with Code Analysis in that a false alert is raised, but you simply switch off that Code Analysis rule and rely on the Code Contracts static checking (which is a lot more comprehensive).
Probably the best place to get the answer for your IDE integration is via the email address located on the Code Contracts Website, however I suspect that because its a research project, not having it as an "official" part of the IDE provides the ability for more regular updates.

Dynamic dead code elimination tools for complex C++ projects

We have a project with a lot of code, part of it is legacy.
As part of the work flow, every once in a while, all the functionality of the product is checked.
I wonder if there is a way to use this fact to dynamically check which parts of the code were never used? (The difficult part is the C++ code, the .Net and Java are more under control and have less legacy).
Also - are there dynamic dead code elimination tools are there that can work with lots of code and complex projects (i.e. ~1M lines)?
All the similar questions I found talked about static analysis which we all ready do.
Thank you!
You might want to look at the code coverage tools that are used in testing. The idea of these tools is that they instrument the code and after running the set of tests you know what lines of code were executed at least once and what lines were never executed. After that you can improve tests.
The same thing can be used to identify dead code in case if you have diverse enough execution environment.
I don't know what platform you are on but we have used Gcov with success if you're compiling with the gnu toolchain:
http://gcc.gnu.org/onlinedocs/gcc/Gcov.html

Adding source instrumentation code - Is source-to-source compiler right approach? How to build one?

I am working on a project where I need to track changes to particular set of variables in any given application code to model memory access patterns.
I can think of two approaches mainly, please give your thoughts on them.
My initial thought is to do it like many profilers like gprof would do, where I add instrumentation code in the target application code before compilation and analyze the log generated by this instrumentation code to the get required information.
To accomplish, I can only think of some sort of source-to-source compiler where it parses given code and injects instrumentation code (Same language source-source compiler) into application which I can later compile and run to get the required logs.
Does this seem right or am I over-engineering? If not, are there tools that let me build a source-source compiler (relatively) easily?
I read about GDB's support for python, so, I am thinking if I can write a python script to get set of variables as config file and set watchpoints and log everytime there is a write to variables being watched. I tried to use this GDB feature but on my Ubuntu machine it doesn't seem to be working for now.
http://sourceware.org/gdb/onlinedocs/gdb/Python.html#Python
And, the language of applications is going to be nesC (I guess nesC is converted to C in the process of compilation) (and applications are going to run on TOSSIM like native apps on my computer).
See my paper on instrumenting codes using a program transformation systems (PTS) (PTS is a very general kind of "source-to-source compiler).
It shows how to install probes in code in a pretty straightforward way, once you have a grammar for the language of interest. The underlying tool, DMS, makes it fairly easy to define the grammar too.

C++ Video Game Programming IDE

I am looking for a C++ IDE in which I can actively play the game and test the updates live instead of testing it, redoing th code, compiling it and running it again. I'm running Windows 7 x86 professional.
This isn't really an answer, and so probably shouldn't get upvotes, but has information.
I don't know of any C++ IDE that can do runtime updates of code, but it's definitely not impossible. There's lots of C++ assemblers which already JIT code, live updates is merely the next step that no IDE has taken quite yet that I know of.
asmjit can JIT C++
Visual Studio can JIT C++/CLI (which isn't quite C++) (RMartinho corrects that VIsual Studio compiles C++/CLI to IL, and then JITs the IL. Tehcnically different.)
cling uses the clang fruntend and LLVM backend, which has a JIT code generation system.
R.Martinho has also reminded me that Microsoft Visual Studio already has this feature. http://msdn.microsoft.com/en-us/library/esaeyddf(v=vs.100).aspx If you "stop" the code, you can make changes, and it will apply those changes and resume execution.
There's an interesting project at http://runtimecompiledcplusplus.blogspot.co.uk/ that is working on this problem and looks like it might work for you; I haven't used it myself but it looks active if still a little raw. It uses the Visual Studio 2010 compiler.
You can't run C++ code without compiling. Minor syntactic differences between languages shouldn't be an issue so you shouldn't limit yourself to just one language.
I suggest you give Unity a chance; there's a fairly robust free version available. You can write scripts in C# (a language similar to C++), or UnityScript (somehting similar to JavaScript) or Boo (similar to Python) and you can test the results right away, without having to compile.
What about Edit and Continue in Visual Studio? In order to use it, you have to pause execution (either by breakpoint or Pause button), recompile and resume. Note, that you can edit the code while the program is running. I know you can't test the game live, but you don't have to reload resources etc. It's IDE integration makes it really easy and straightforward to use.
If you want changes to be visible live, though, consider using script language such as Lua. One of their purposes is what you want to achieve.
I've listed the options for runtime compilation of C++ code on the alternatives wiki page of Runtime Compiled C++.
From the sounds you may interested in either Recode or Alcanterea.
Organize your C++ game to use plugins, and add a feature to load a new (binary version of) plugin during the game.
Then, you could play your game, recompile a plugin, reload it (so invoke your dynamic linker at runtime), and continue playing.
It is not failproof, but it might usually work.
Of course you cannot unload a plugin which has some active call frame on the (or some thread's) call stack. I would suggest to avoid unloading old plugins...