PC-lint Plus is a static analysis tool that finds bugs, quirks, idiosyncrasies, and glitches in C and C++ programs. The
purpose of this analysis is to determine potential problems in such programs before integration or porting, or to
reveal unusual constructs that may be a source of subtle and, yet, undetected errors. Because it looks across several
modules rather than just one, it can determine things that a compiler cannot. It is normally much fussier about
many details than a compiler wants to be.
PC-lint Plus doesn’t just find bugs and potential bugs, such as null pointer dereference, out of bounds access, and
improper operation order, it will also point out the use of dubious constructs and substandard practices that are
likely to result in buggy code or code that is difficult to reason about. PC-lint Plus can also be configured to
diagnose violations of common coding standard violations, such as the MISRA C and MISRA C++ guidelines. Each
diagnostic message is assigned a unique number and a great deal of flexibility is provided for the control of when and
how messages are delivered. In particular, the format of the messages emitted is extremely customizable and
messages can be enabled/disabled for individual files, functions, lines and for specific symbols, calls, expressions,
statements, types, etc.
PC-lint Plus also offers a number of distinguishing flagship features including:
Value Tracking
Strong Type Checking
Dimensional Analysis
User-defined Function Semantics
See the corresponding sections of this reference manual for additional information.
By default, PC-lint Plus performs 2 passes over the source code. In each pass, a new thread is launched to process
each file in your project. The -max_threads option controls the number of concurrent processing threads. Even if
only one concurrent processing thread is requested, the processing of each file will take place in an independent
thread.
In pass 0, most standard messages that do not require aggregate information about entire files or the entire project
are emitted as PC-lint Plus examines the code. At the end of each module in pass 0, module wrap-up is performed
and messages that rely on information gathered from the entirety of the module are issued (e.g. reports of unused
entities not visible outside the module).
In pass 1, information gathered from all the modules in pass 0 is used to perform global wrap-up. During global
wrap-up, messages that rely on this inter-module information are issued (e.g. reports of unused entities with
external linkage). Value Tracking is also performed for calls between functions in different modules collected during
intramodule Value Tracking during pass 0.
The -unit_check option stops execution before pass 1, effectively suppressing global wrap-up. This option is often used when analyzing a subset of a larger project. The -vt_passes option can be used to request additional Value Tracking passes after pass 1. The benefits of multiple Value Tracking passes is discussed in section 8.8 Interfunction Value Tracking .
Consider the following C program (we have deliberately kept this example small and comprehensible):
1char *report(short m, short n, char *p) { 2 int result; 3 char *temp; 4 long nm; 5 int i, k, kk; 6 char name[11] = "Joe Jakeson"; 7 nm = n * m; 8 temp = p == "" ? "null" : p; 9 for (i = 0; i < m; i++) { 10 k++; 11 kk = i; 12 } 13 if (k == 1) 14 result = nm; 15 else if (kk > 0) 16 result = 1; 17 else if (kk < 0) 18 result = -1; 19 if (m == result) 20 return temp; 21 else 22 return name; 23}
As far as most compilers are concerned, it is a valid C (or C++) program. However, it has a number of subtle errors and suspicious constructs that will be reported upon inspection by PC-lint Plus. Here is the default output of PC-lint Plus when processing this example (referred to as intro_example1.c below):
--- Module: intro_example1.c (C) intro_example1.c 6 info 784: nul character truncated from string char name[11] = "Joe Jakeson"; ^~~~~~~~~~~~~ intro_example1.c 22 warning 604: returning address of auto variable 'name' return name; ^~~~ intro_example1.c 10 warning 530: 'k' is likely uninitialized k++; ^ intro_example1.c 5 supplemental 891: allocated here int i, k, kk; ^ intro_example1.c 8 info 779: string constant in comparison operator '==' temp = p == "" ? "null" : p; ^ ~~
The default message format contains the file name and line number corresponding to the diagnostic, the
message category (error, warning, etc.), the message number, and the text of the message. Following
the main diagnostic line is the line of source code being referenced, followed by the message pointer
(indicated by a caret) along with any applicable highlighting (indicated by tildes). We have added
blank lines between the messages in this example. In some cases, multiple locations may be relevant to
the diagnostic. In this case, the primary location is provided in the main message and one or more
supplemental messages (the 891 messages above) follow with the other pertinent locations. In such cases, the
supplemental messages should be considered as being "attached" to the immediately preceding primary
message.
The format of the messages is fully customizable to allow integration with IDEs that expect a particular diagnostic
format or other post-processing tools that require data formatted in XML, JSON, etc. The display
of supplemental messages can be disabled, as can the display of extracted source lines and message
pointers.
Diagnostics produced by PC-lint Plus fall into one of four categories: error, warning, info, and note. The default warning level is 3, which means that only errors, warnings, and infos are presented. Notes (also referred to as "elective notes" due to the fact that they are disabled by default), can be enabled by setting the warning level to 4 with the option -w4 or by enabling specific elective notes. Similarly, reducing the warning level or disabling individual messages that are enabled by default can be used to limit message output. Here is an example of some of the elective note messages that are emitted when processing the above example with the highest warning level:
intro_example1.c 5 note 9146: multiple declarators in a declaration int i, k, kk; ^ intro_example1.c 1 note 9403: function 'report' parameter 2 has same unqualified type ('short') as previous parameter char *report(short m, short n, char *p) { ~~~~~~~ ^ intro_example1.c 8 note 9050: dependence placed on operator precedence (operand of ?:) temp = p == "" ? "null" : p; ^
Elective notes are not enabled by default because they do not necessarily represent a fault or likely defect but rather
provide certain information that some users find informative.
PC-lint Plus communicates with the programmer via diagnostic messages and the programmer communicates with PC-lint Plus through the use of lint options. Options start with a + or - (except for the special !e option) and can appear on the command line, within lint option files, or in special comments within your source code. Options are processed in the order they are encountered, which means they can be used to temporarily alter the behavior of PC-lint Plus. Options are used to specify all configurable properties of PC-lint Plus, from the location of include directories and pre-defined macros, to which messages should be suppressed and how diagnostics should be communicated.