CodeChecker

2024.04.26.

CodeChecker Research Group

Description of Activities

Static analysis is a method to analyze the source code without executing it. It is widely used to find bugs and code smells in industrial software. CodeChecker is a static analysis infrastructure tooling system originally built on top of the LLVM/Clang Static Analyzer and Clang-Tidy software. The initial goal was to offer a replacement for scan-build in a Linux or macOS (OS/X) development environment. scan-build is a script supplied with the LLVM/Clang Compiler Infrastructure that allows users to run the Clang Static Analyzer on their project. CodeChecker was developed to allow greater customization of the executed build, to support Clang-Tidy, and to support the viewing of the analysis results in a controlled, centralized, remotely accessible web application. Ever since its inception, CodeChecker has grown to be a feature-rich software defect analysis and triaging system.

The main features of CodeChecker are: (1) Support for executing multiple analyzers on your project (currently the Clang Static Analyzer and Clang-Tidy). (2) Fine-tuning of analysis modules’ at the invocation of analysis, without having to meddle with the individual analyzers. (3) Subsequent analysis runs only check and update results for modified files without analyzing the entire project (depends on build system support!) (4) Suppression of known false positive results, either using a configuration file or via annotation in source code, along with the exclusion of entire source paths from analysis. (5) Support storage of analysis reports from (but not the execution of) a plethora of static analyzers, including Java, Python, and Go analyzers. (6) Web application which allows viewing and discussing discovered code defects, with a streamlined and easy experience. (7) Filtering of results across almost all parameters. (8) Comparison (diff) view to contrast individual analysis runs, e.g. to gatekeep defect-introducing changes. (9) Self-contained static HTML report generation in case the full Web application experience is not needed. (10) Easily implementable Thrift-based server-client communication used for the storage and query of discovered defects (11) Support for multiple bug visualization front-ends, such as the web application, a command-line tool, and a Visual Studio Code and an Eclipse plug-in.

Research Interests

Secure coding in theory and practice
Implementing new checkers both based on AST matchers and symbolic execution
Supporting various open-source plugins and languages (e.g. Spotbugs or PyLint)
Improving the Clang Static Analyzer engine
Dataflow analysis

Research/service concepts/Methodology

AST analysis
Symbolic execution
Dataflow analysis
C/C++/Java/Python

Research Staff

Habil PhD Zoltán Porkoláb
Máté Cserép
Tibor Brunner
Kristóf Umann
Réka Kovács
Richárd Szalay

Projects

Ericsson Ltd – replacing Coverity with CodeChecker
Graphisoft Ltd – introduction of CodeChecker on the codebase

5 important publications in the field

Kovács, R., Horváth, G. and Porkoláb, Z. (2019) ‘Detecting C++ lifetime errors with symbolic execution’, BCI'19: Proceedings of the 9th Balkan Conference on Informatics, Sofia, Bulgaria, September 2019., pp. 25:1–25:6.
Kovacs, R. and Horvath, G. (2018) ‘An Initial Prototype of Tiered Constraint Solving in the Clang Static Analyzer’, Studia Universitatis Babeș-Bolyai Informatica, 63(2), pp. 88–101.
Szécsi, P. Gy., Horváth, G. and Porkoláb, Z. (2022) ‘Improved Loop Execution Modeling in the Clang Static Analyzer’, Acta Cybernetica, 25(4), pp. 909–921.
Horváth G. and Pataki, N. (2019) ‘Categorization of C++ Classes for Static Lifetime Analysis’, BCI'19: Proceedings of the 9th Balkan Conference on Informatics, Sofia, Bulgaria, September 2019., pp. 21:1–21:7.
Horváth, G., Szécsi, P., Gera, Z., Krupp, D. and Pataki, N. (2018) ‘Challenges of Implementing Cross Translation Unit Analysis in Clang Static Analyzer’, In: Beszédes, Á. and Gupta, M. (eds.) 2018 IEEE 18th International Working Conference on Source Code Analysis and Manipulation (SCAM), Madrid, Spain, 2018, pp. 171–176.