I'm developing libsheepy (a C library) and I have been running 4 static analyzer:
- clang static analyzer (11)
- gcc static analyzer (10.2)
I also created unit tests with near 100% code coverage, the non covered code is in 3 categories:
- the cleanup functions (gcc extension). They free objects when they are out of scope, it simplifies memory management
- the code executed when there is a out a memory error (OOM)
- the NULL checks that can't happen in correct programs
With the unit tests, I found most issues in libsheepy and I think there are only a few unknown bugs left.
Coverity is the static analyzer that found the most problems (results here and commit fixing the issues), most of them in the OOM code that is non tested in the unit tests, there are also issues that were found with the unit tests by coverity which are not listed here.
- missing free in the OOM code
- missing va_end in the OOM code
- more correct printf format type (was not an issue)
- simplify logic (was not an issue)
I fixed most the issues found with the unit tests so here is list of issue types not detected by the static analyzers:
- possible infinite loop
- memory leak when buffers are allocted and freed in different sub-functions
The majority of the issues found in the unit tests are arbitrary logic errors that static analyzers can't find.
Unit tests and static analyzers complement each other. With static analyzers, one can make sure the unit tests are correct and not missing issues.