static-analysis

Are there any shell (specifically bash or ksh) checkers that test shell scripts for style, best practices, naming conventions, etc? (Something like Lint for C, or Perl::Critic for Perl.) I know with ksh you can do syntax checking by running ksh -n script.ksh but I was hoping for something more than just sytax checking - something that parses/analyzes the actual code? I'm probably out of luck, but I guess it doesn't hurt to ask. Brian Campbell The Debian and Ubuntu projects use a script checkbashisms , that looks for particular patterns that might indicate that someone is relying on /bin/sh

I'm writing the startup code for an embedded system -- the code that loads the initial stack pointer before jumping to the main() function -- and I need to tell it how many bytes of stack my application will use (or some larger, conservative estimate). I've been told the gcc compiler now has a -fstack-usage option and -fcallgraph-info option that can somehow be used to statically calculates the exact "Maximum Stack Usage" for me. ( "Compile-time stack requirements analysis with GCC" by Botcazou, Comar, and Hainque ). Nigel Jones says that recursion is a really bad idea in embedded systems (

Is there a setting in Resharper 4 (or even Visual Studio itself...) that forces a warning if I forget to wrap code in a using block, or ommit the proper Dispose call in a finally block? Correct automatic Dispose analysis requires DFA (Data Flow Analysis) in a global way. It is unlikely that you create an IDisposable object and doesn't call any method on it and do not pass it around as an argument. If disposable object is passed to other methods (including calling its members, when "this" is implicitly passed), the tool should analyse if Dispose is not called within, or that object is not

Our static analysis tool complains about a "useless type qualifier on return type" when we have prototypes in header files such as: const int foo(); We defined it this way because the function is returning a constant that will never change, thinking that the API seemed clearer with const in place. I feel like this is similar to explicitly initializing global variables to zero for clarity, even though the C standard already states that all globals will be initialized to zero if not explicitly initialized. At the end of the day, it really doesn't matter. (But the static analysis tool doesn't

Being vaguely familiar with the Java world I was googling for a static analysis tool that would also was intelligent enough to fix the issues it finds. I ran at CodePro tool but, again, I'm new to the Java community and don't know the vendors. What tool can you recommend based on the criteria above? FindBugs, PMD and Checkstyle are all excellent choices especially if you integrate them into your build process. At my last company we also used Fortify to check for potential security problems. We were fortunate to have an enterprise license so I don't know the cost involved. Eduard Wirch Findbugs

I'm used to having my compiler complain when I do something stupid like a typo on a variable name but JavaScript has a habit of letting this pass. Are there any static analysis tools for JavaScript? Flash Sheridan I agree that JSLint is the best place to start. Note that JavaScript Lint is distinct from JSLint . I’d also suggest checking out JSure , which in my limited testing did better than either of them, though with some rough edges in the implementation—the Intel Mac version crashed on startup for me, though the PowerPC version ran fine even on Intel, and the Linux version ran fine as