小明思考

高性能服务器端计算
posts - 70, comments - 428, trackbacks - 0, articles - 0
  C++博客 :: 首页 :: 新随笔 :: 联系 :: 聚合  :: 管理

C++代码静态分析工具-Prefast

Posted on 2006-03-28 13:59 小明 阅读(13185) 评论(7)  编辑 收藏 引用 所属分类: C/C++Tools

1. 什么是Prefast

Prefast是一种代码分析工具,它能够帮助你找到编译器不能找到的错误或者缺陷。Prefast首次被微软集成到Visual Studio 2005 Team Suite中去,使用起来非常方便。

2.怎么使用Prefast
在vs2005 Team Suite中,使用Prefast非常简单。修改你的工程属性,设置Enable Code Analysis For C/C++为Yes.

prefast1.jpg

效果:
prefast2.jpg

注意到有可能错误的地方以浅灰色显示在编辑器中了。

3.Prefast能帮你找到哪些错误
1)没有初始化

// no initial
void  defect1()
{
         int  a;
         int  b;

        b  =  a;
}

会报: d:\test\testcode\testcode.cpp(18) : warning C6001: Using uninitialized memory 'a': Lines: 15, 16, 18

2)空指针取值

// one path dereference NULL
void  defect4( int  b,  int  c)
{
         int   * =  NULL;
         int  a  =   1 ;

         if  (b  ==   1 ) {
                 if  (c  ==   1 ) {
                        p  =   & a;
                }
                 else  {
                                                
                }
        }
         else  {
                 if  (c  ==   1 ) {

                }
                 else  {
                        p  =   & a;
                }
        }

         * p;

         return ;
}    

会报:d:\test\testcode\testcode.cpp(65) : warning C6011: Dereferencing NULL pointer 'p': Lines: 45, 46, 48, 57, 65

3)可能错误的运算符优先级

void  defect5()
{
         int  a  =   1 ;
         int  b  =   1 ;
         int  c  =   1 ;

         if  (a  &  b  ==  c)
                 return ;
}

会报: d:\test\testcode\testcode.cpp(76) : warning C6281: Incorrect order of operations: relational operators have higher precedence than bitwise operators

4)可能的buffer overrun

void  defect8()
{
         char  buf[ 100 ];
         char  buf2[ 200 ];
         int  i  =   100 ;

        sprintf(buf,  " hello world %d " , i);
        strcpy(buf, buf2);
}

会报: d:\test\testcode\testcode.cpp(133) : warning C6202: Buffer overrun for 'buf', which is possibly stack allocated, in call to 'strcpy': length '200' exceeds buffer size '100'

5)可能的无穷循环

// infinite loop
void  defect14()
{
        signed  char  i;

         for  (i  =   100 ; i  >=   0 ; i ++ ) {
                ; 
        }
}

会报: d:\test\testcode\testcode.cpp(198) : warning C6292: Ill-defined for-loop: counts up from maximum

6)格式字符串错误

// Format string mismatch
void  defect21()
{
         char  buff[ 5 ];
        sprintf(buff,  " %s %s " " a " );
}

会报: d:\test\testcode\testcode.cpp(277) : warning C6063: Missing string argument to 'sprintf' that corresponds to conversion specifier '2'

7)安全问题

void  defect27()
{
        CreateProcess(NULL,
                " c:\\program files\\Project.exe arg1 " // correct "\"c:\\program files\\Project.exe\" arg1",
               NULL,
               NULL,
                false ,
                0 ,
               NULL,
               NULL,
               NULL,
               NULL);               
}

会报: d:\test\testcode\testcode.cpp(327) : warning C6277: NULL application name with an unquoted path in call to 'CreateProcessA': results in a security vulnerability if the path contains spaces

8)=和==误用

void  defect32()
{
         int  a  =   1 ;

         if  (a  =   2 )
                 return ;
}

会报: d:\test\testcode\testcode.cpp(405) : warning C6282: Incorrect operator: assignment of constant in Boolean context. Consider using '==' instead

9)逻辑运算问题

// always false
void  defect45()
{
         int  x;

         if  ( 0   &&  x ++ ) {
                ;
        }
}

会报: d:\test\testcode\testcode.cpp(564) : warning C6237: (<zero> && <expression>) is always zero. <expression> is never evaluated and might have side effects

10)其他





Feedback

# re: C++代码静态分析工具-Prefast  回复  更多评论   

2006-03-28 17:36 by 笑笑生
不错

# re: C++代码静态分析工具-Prefast  回复  更多评论   

2006-03-28 18:32 by christanxw
哪里可以下载?

# re: C++代码静态分析工具-Prefast  回复  更多评论   

2006-03-28 20:57 by fiestay
楼上的哥们,楼主逗说了,这个是和VS.net 2005集成在一起的:)

这工具看起来还不错,没有具体用过.有个叫C++Test的工具也能对代码进行分析,也可以进行单元测试,也不错:)

# re: C++代码静态分析工具-Prefast  回复  更多评论   

2006-03-29 12:12 by flyingxu
有VC6能用的吗?

# re: flyingxu   回复  更多评论   

2006-03-29 12:57 by 小明
vc6中使用Prefast的方法:

prefast是附带在微软的DDK中的

In VC6 project

1. Install Windows IFS Kit and DDK package
2. Execute Development Kits->Windows IFS Kit and DDK ->Build environment -> windows 2000->windows 2000 checked build environment
3. Export Visual Studio project to a .mak file
4. remove /GZ in .mak file or link fail
5. Edit a run.bat file (not necessary, only for set new include and lib path)

run.bat file content
----------------
rem set include and lib path
set include=C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
set lib=C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
rem clean environment
nmake /f httpgetfile.mak clean
rem run prefast command
C:\WINDDK\3790.1830\bin\x86\prefast\scripts\prefast nmake /f httpgetfile.mak CFG="HttpGetFile - Win32 Debug"
rem unset include and lib path
set lib=
set include=

# re: C++代码静态分析工具-Prefast  回复  更多评论   

2008-11-03 10:01 by 微波辐射
C上可以用吗?

# re: C++代码静态分析工具-Prefast  回复  更多评论   

2008-11-04 17:01 by zhangyz
linux 有这样的工具吗?

只有注册用户登录后才能发表评论。
网站导航: 博客园   IT新闻   BlogJava   知识库   博问   管理