
Improving Code Quality with CodeChecker

A project log for Hardware Data Logger

Easily extendable data logging platform featuring STM32F103RBTx, WiFi, microSD storage, LCD with four buttons, UART, and pulse counters.

Robert Gawron, 12/16/2024 at 19:02, 0 Comments

I was looking for a better open-source static analysis tool than the very limited Cppcheck, and I came across two interesting options:

In this post, I’ll share my experience with CodeChecker, which I find amazing. The number of checks this tool provides is astonishing. For example, while Cppcheck identified 5–10 issues in the project’s code (excluding all libraries), CodeChecker uncovered roughly 1,000. (I added more files for analysis, including PC simulations and unit tests, but the difference is still enormous.)

The tool provides many checks that can be enabled or disabled depending on the project. It’s unlikely anyone would need all of them. I found it works best to enable everything, generate a report, and then disable the checks that aren’t useful. For example, there’s a checker for validating C++98 compatibility, which doesn’t matter to me since I use C++17.

Here’s the list of checks I’ve disabled in my setup:

--enable-all
--disable clang-diagnostic-c++98-compat
--disable modernize-use-trailing-return-type
--disable readability-identifier-length
--disable readability-uppercase-literal-suffix
--disable modernize-avoid-c-arrays
--disable modernize-use-auto
--disable altera-unroll-loops
--disable cppcheck-missingIncludeSystem
--disable cppcheck-toomanyconfigs
--disable clang-diagnostic-padded
--disable altera-struct-pack-align
--disable clang-diagnostic-weak-vtables
--disable altera-id-dependent-backward-branch
--disable bugprone-easily-swappable-parameters

This snippet is part of my CMake configuration, which you can probably adapt for your project if it’s useful. However, CodeChecker relies heavily on CMake for configuration. For projects using other build systems, like SCons or Makefiles, it may not work well.
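The triage loop described above (enable everything, read the report, then silence the checkers that are only noise for this code base) can be driven from the JSON that `CodeChecker parse -e json` exports. The script below is an added example, not code from the Hardware Data Logger project; the report layout it reads (a top-level `reports` list whose entries carry `checker_name`, `severity`, `message` and `file.path`) is assumed from CodeChecker's JSON output, and the sample report is constructed inline. It ranks checkers by volume and only ever emits `--disable` lines for checkers on an explicit noise list whose worst finding is below MEDIUM, so a loud checker that also reports real defects is never switched off by accident.

```python
import json

# Constructed sample in the shape of `CodeChecker parse -e json` output
# (assumed layout: top-level "reports" list with checker_name/severity/file.path).
SAMPLE_REPORT = json.dumps({"version": 1, "reports": [
    {"checker_name": "readability-identifier-length", "severity": "STYLE",
     "message": "variable name 'i' is too short", "file": {"path": "src/Logger.cpp"}, "line": 12},
    {"checker_name": "readability-identifier-length", "severity": "STYLE",
     "message": "variable name 'n' is too short", "file": {"path": "src/Uart.cpp"}, "line": 40},
    {"checker_name": "clang-diagnostic-c++98-compat", "severity": "LOW",
     "message": "'auto' is incompatible with C++98", "file": {"path": "src/Uart.cpp"}, "line": 41},
    {"checker_name": "core.NullDereference", "severity": "HIGH",
     "message": "Dereference of null pointer", "file": {"path": "src/Sd.cpp"}, "line": 77},
]})

# CodeChecker's severity scale, lowest to highest.
SEVERITY_RANK = {"UNSPECIFIED": 0, "STYLE": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Checkers judged to be style/portability noise for this code base. Only names on this
# list may be disabled; everything else is kept however many findings it produces.
NOISE_CHECKERS = {"readability-identifier-length", "clang-diagnostic-c++98-compat",
                  "modernize-use-trailing-return-type"}

def tally_checkers(report_json):
    """Group findings by checker: {checker: {"count": n, "worst": severity, "files": set}}."""
    tally = {}
    for rep in json.loads(report_json).get("reports", []):
        entry = tally.setdefault(rep["checker_name"],
                                 {"count": 0, "worst": "UNSPECIFIED", "files": set()})
        entry["count"] += 1
        entry["files"].add(rep.get("file", {}).get("path", "?"))
        sev = rep.get("severity", "UNSPECIFIED")
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(entry["worst"], 0):
            entry["worst"] = sev
    return tally

def disable_flags(tally, noise=NOISE_CHECKERS, keep_at_or_above="MEDIUM"):
    """--disable lines for noise-listed checkers, loudest first; a checker whose worst
    finding reaches keep_at_or_above is never silenced, no matter how noisy it is."""
    floor = SEVERITY_RANK[keep_at_or_above]
    chosen = [n for n, e in tally.items()
              if n in noise and SEVERITY_RANK.get(e["worst"], 0) < floor]
    chosen.sort(key=lambda n: (-tally[n]["count"], n))
    return [f"--disable {n}" for n in chosen]

def summary_lines(tally):
    """Ranking to read before deciding what goes on the noise list."""
    rows = sorted(tally.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [f"{e['count']:4d}  {e['worst']:<11} {n}  ({len(e['files'])} file(s))" for n, e in rows]

if __name__ == "__main__":
    t = tally_checkers(SAMPLE_REPORT)
    print("\n".join(summary_lines(t)))
    print("\n".join(disable_flags(t)))
```

The emitted lines can be pasted into the CMake/CLI configuration above; the summary is worth reading first, because the count alone says nothing about whether a checker is noise.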

The tool is also very CPU-intensive and slows down my computer significantly, especially when running in Docker. There’s a flag to limit CPU usage, but it didn’t work well for me—or maybe I didn’t configure it correctly.

Since my project is hosted on GitHub and has CI configured, I’ve found a better way to use the tool. Static analysis builds are triggered automatically on every push. While the analysis runs remotely, I work on fixing other bugs based on the last report. Once the CI build finishes, I download the results and see if my previous changes fixed problems. From time to time, I rebase and squash those commits, then fix the history with git push --force.

CodeChecker is a great tool!

PS: I only have 92 warnings in the code now :-)
