When choosing a compiler (which should be understood to include the linker), a C99-compliant compiler should be used whenever possible.
When choosing a source code analysis tool, it is clearly desirable that the tool be able to enforce as many of the rules in this document as possible. To the greatest extent possible, these checkers should be both complete and sound.
<!-- /* Font Definitions */ @font-face
Unknown macro: {font-family}
/* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal
Unknown macro: {mso-style-unhide}
.MsoChpDefault
Unknown macro: {mso-style-type}
@page Section1
Unknown macro: {size}
div.Section1
Unknown macro: {page}
-->Â | | | False Positives |
|
|
Y |
N |
False Negatives |
Y |
Misses some defects and over does it. [4] |
Misses some defects but never over does it. [3] |
N |
Never misses defects but does over do it. [2] |
Compliant. [1] |
 |
The possibilities for a given guideline are outlined in the table below. The tool may report defects which don't exist (false positives, or "over doing it"), or may fail to report defects which do exist (false negatives).
Compilers and source code analysis tools are trusted processes, meaning that a degree of reliance is placed on the output of the tools. Consequently, developers must ensure that this trust is not misplaced. Ideally, this should be achieved by the tool supplier running appropriate validation tests. While it is possible to use a validation suite to test a compiler or source code analysis tools, no formal validation scheme exists at this time.