Menu Share

CMake static analyser with CppCheck

by | Published on
category CMake

Static analyzer is a very cool thing. They are usually avaialbe on higher level languages since those languages are easy to parse. C# for example has made it very easy with its reflection system to be able to parse other C# code and find issues through statically analyzing your code.

In this very short article I will discuss what static analyzers are and how they help you.

Table of Contents

What is a Static Analyzer

A static analyzer is a tool that reads your code and tries to search for problems early on before they become bugs. It is not a compiler and it usually reports errors your compiler might miss. The static analyzers try to find logical issues.

Take for example the following C++ code:

int some_function(int* arr)
    int a = arr[0];

    if(arr != nullptr)
        return a + arr[1];

    return 0;

Without any context on how this function is used and just by looking at it you can spot some issues right? For example we take a pointer array… and yes, we do check it for nullptr but we dereference it beforehand. So if we check it for null then we might expect that it could be a null and then the first line would be an error.

This is where a static analyzer would come in handy. If we run it with a static analyzer later we will get a message that we either need to remove the condition or we have an error and need to move the condition to the top so that it check before dereferencing.

But lets first talk about whic analyzers we can use.

In C++ the choices are not so many though. C++ is one of those languages that is very hard to parse especially because of it precompiler and definitions. This low level configuration and cross-platform differences make it very hard for a static analyzer to analyze your code.

Lets get the paid options out first. The most popular paid options for static analysis of your code are either PVS Studio or SonarQube. SonarQube is typically a free tool but C++ is part of its premium language support. Probably because it is hard to do.

Free Option?

Well there is also a free option for static checking your code. This is called CppCheck and you can check its site and online demo here: This tool does a lot for you to try and save you from errors.

CppCheck and CMake

Well since in this blog I talk a lot about the CMake build tool lets explore how you can get this working on build. It is very easy. You have to install CppCheck from the official site on your machine and have it in your path. Then you also have to use the ninja generator or the makefiles generator on cmake.

If we take the code from the top and put it in a file called lib.cpp and then we need to write the following code for our cmake file:

cmake_minimum_required(VERSION 3.17)

find_program(CMAKE_CXX_CPPCHECK NAMES cppcheck)
	list(APPEND CMAKE_CXX_CPPCHECK "--enable=all")

add_library(some_library lib.cpp)

What this code essentially does is that it tries to find the program cppcheck and put it in one of the built-in variables of CMake called CMAKE_CXX_CPPCHECK. If that is found we also want to add an option to the cppcheck command line to enable all static checks. Other than that we define a library with our file to test the static analyzer.

If you generate and build your project then using a command like:

 cmake -S . -B ./build -G Ninja 

You would get something like this in your terminal:

warning GE6ED157D: Either the condition 'arr!=nullptr' is redundant or there is possible null pointer dereference: arr. [nullPointerRedundantCheck]
      int a = arr[0];


This is what a static analyzer does. It could really help you find some issues that the compiler would galdly leave out. I hope this article on static checking your code has been informative and this kind of information you can also expect from my Udemy course which is just released as of the writing of this article. You can take it from here Complete CMake Project Management.

Leave a comment

Your email address will not be published. Required fields are marked *