Static Code Analysis - any recommendations for tools to use

I am looking to try and automate parts of testing and have been looking at Static Code Analysis tools. One example being Codesonar from Grammatech. I was wondering if Particle Development Team/Community could recommend any such tools for me to investigate?

What kind of tests? Unit tests? Compile tests? etc.?

I don’t use a static code analysis tool, so I don’t have a recommendation there. However, I will mention a different technique that I’ve found to be very handy:

In JsonParserGeneratorRK, making sure that I didn't overwrite or underwrite blocks, use invalid memory, or leak memory was very important. I ported a very small subset of system firmware with things like wiring String, Stream, Print, millis, etc. that works in native gcc. Then I could run a test suite natively on Mac OS or Linux. Linux is even better because then I can run the test suite through valgrind, which is a free tool that does the block bounds checking and memory leak detection.

The code is in the test directory here:

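The technique described in that post, as an added example that is not the JsonParserGeneratorRK test code: a native shim for `millis()`, a small heap-backed string buffer standing in for the slice of String/Print behaviour a JSON writer needs, and a test body that can be compiled with host gcc and run under valgrind. Everything here (the `strbuf` type, `json_uptime`, `run_native_test`, and the deliberately broken `strbuf_append_buggy`) is invented for illustration; the constructed off-by-one shows the kind of defect the compiler accepts but valgrind reports.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Native shim for Wiring's millis(): milliseconds since the first call,
 * taken from the host's monotonic clock instead of the device tick. */
uint32_t millis(void) {
    static struct timespec start;
    static int started = 0;
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    if (!started) { start = now; started = 1; }
    return (uint32_t)((now.tv_sec - start.tv_sec) * 1000L +
                      (now.tv_nsec - start.tv_nsec) / 1000000L);
}

/* Heap-backed growable string (assumed stand-in for String/Print).
 * cap counts the terminating NUL. */
typedef struct { char *data; size_t len; size_t cap; } strbuf;

int strbuf_init(strbuf *b, size_t cap) {
    if (cap == 0) cap = 1;
    b->data = malloc(cap);
    if (b->data == NULL) return -1;
    b->data[0] = '\0';
    b->len = 0;
    b->cap = cap;
    return 0;
}

/* Append n bytes, growing as needed. The invariant len + 1 <= cap keeps
 * the NUL inside the allocation, which is what valgrind checks for us. */
int strbuf_append(strbuf *b, const char *src, size_t n) {
    if (b->len + n + 1 > b->cap) {
        size_t newcap = b->cap;
        while (newcap < b->len + n + 1) newcap *= 2;
        char *p = realloc(b->data, newcap);
        if (p == NULL) return -1;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

void strbuf_free(strbuf *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Constructed bug for the demo (not called by the test): the grow check
 * forgets the NUL, so when len + n == cap the terminator lands one byte past
 * the allocation. gcc compiles it without complaint; valgrind reports
 * "Invalid write of size 1". Try: cap 4, append "abcd". */
int strbuf_append_buggy(strbuf *b, const char *src, size_t n) {
    if (b->len + n > b->cap) {
        size_t newcap = b->cap;
        while (newcap < b->len + n) newcap *= 2;
        char *p = realloc(b->data, newcap);
        if (p == NULL) return -1;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';   /* out of bounds when len + n == cap */
    return 0;
}

/* Writes {"uptime":<ms>} through the millis() shim; returns 0 on success. */
int json_uptime(strbuf *b) {
    char num[16];
    int k = snprintf(num, sizeof num, "%lu", (unsigned long)millis());
    if (k < 0 || (size_t)k >= sizeof num) return -1;
    if (strbuf_append(b, "{\"uptime\":", 10) != 0) return -1;
    if (strbuf_append(b, num, (size_t)k) != 0) return -1;
    return strbuf_append(b, "}", 1);
}

/* Native test body. Returns 0 when the output is well formed. A leak or an
 * out-of-bounds write would not change this return value; it shows up in
 * valgrind's report instead, which is the reason for running it there. */
int run_native_test(void) {
    strbuf b;
    if (strbuf_init(&b, 4) != 0) return -1;   /* tiny, so growth is exercised */
    int rc = json_uptime(&b);
    int ok = rc == 0 &&
             b.len == strlen(b.data) &&
             strncmp(b.data, "{\"uptime\":", 10) == 0 &&
             b.data[b.len - 1] == '}';
    strbuf_free(&b);
    return ok ? 0 : 1;
}

int main(void) {
    int rc = run_native_test();
    printf("native test %s\n", rc == 0 ? "passed" : "FAILED");
    return rc;
}
```

Build and run it on Linux with `gcc -g -O0 -o native_test native_test.c && valgrind --leak-check=full --error-exitcode=1 ./native_test`. The `--error-exitcode=1` flag makes a valgrind finding fail the process, so a CI job catches an overwrite or a leak even when the test's own assertions pass; swapping `strbuf_append` for `strbuf_append_buggy` in `json_uptime` and appending a string that exactly fills `cap` is a quick way to see the "Invalid write" report.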

@nrobinson2000 Static Code Analysis tools can do a variety of checks: security vulnerabilities and reliability issues. Some of this stuff is performed by the compiler, but other things like division by zero and resource leakage aren't. Some work with binary libraries, although within the Particle open source environment this isn't needed.


@rickkas7 - whilst you don't use such tools, what about the development team? I am not sure that static code analysis is what I need to set up anyhow. At the moment, documented functional test cases to allow sufficient regression testing when system firmware changes and for significant application releases are what's needed. I am really just flying a kite to see what advice comes back.


In my day job I work for a largish software developer and we use valgrind extensively to look for memory leaks. There is a semi-automated test harness that runs valgrind and reports deviations from baseline.

We also use clang-format, and some groups use clang-tidy, which is a static analysis tool. clang-tidy can take custom rule sets, so that can be a deep rabbit hole you can dive into.

The work I do here is related to chip design so I don’t use these tools very often but they are popular here.

None of this tooling replaces testing: positive functional tests, API tests, and, in our world, negative tests for error message etc. That is a totally different axis. The static analysis and memory leak tools are about code hygiene and preventing the insertion of bugs, not about finding bugs directly.


@bko - thanks for your feedback. The static code analysis tool idea came from a conversation with a vendor at an IoT meetup. I am not keen at all to go down any rabbit holes, and testing is really the avenue I will need to fully explore - I am using Atlassian Jira to manage the requirements (stories/epics) into development sprints - so something aligned with that would be best.

@armor, I asked a friend of mine who does this stuff for a living and, without knowing the specifics of what you want, he provided the following two links:

Hope they help.