When choosing a compiler (which should be understood to include the linker), a C99-compliant compiler should be used whenever possible.

When choosing a source code analysis tool, it is clearly desirable that the tool be able to enforce as many of the rules in this document as possible.  To the greatest extent possible, these checkers should be both complete and sound.

The possibilities for a given guideline are outlined in the table below. The tool may report defects which don't exist (false positives, or "overdoing it"), or may fail to report defects which do exist (false negatives).

| False Negatives | False Positives: *Y* | False Positives: *N* |
|---|---|---|
| *Y* | Misses some defects and overdoes it. \[4\] | Misses some defects but never overdoes it. \[3\] |
| *N* | Never misses defects but does overdo it. \[2\] | Compliant. \[1\] |



Compilers and source code analysis tools are _trusted_ processes, meaning that a degree of reliance is placed on the output of the tools.  Consequently, developers must ensure that this trust is not misplaced. Ideally, this should be achieved by the tool supplier running appropriate validation tests.  While it is possible to use a validation suite to test a compiler or a source code analysis tool, no formal validation scheme exists at this time.
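One way to apply the table when running your own validation suite against an analysis tool, shown as an added example rather than anything from this document: compare the defects seeded in the suite with the diagnostics the tool reports, and place each guideline's checker in one of the four quadrants. The function name, the tuple layout and all sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Quadrants from the table, keyed by (has_false_negatives, has_false_positives).
QUADRANTS = {
    (False, False): (1, "Compliant."),
    (False, True): (2, "Never misses defects but does overdo it."),
    (True, False): (3, "Misses some defects but never overdoes it."),
    (True, True): (4, "Misses some defects and overdoes it."),
}

def classify(expected, reported):
    """Return {guideline: (quadrant, false_negatives, false_positives)}.

    expected: (guideline, file, line) tuples for defects seeded in the suite.
    reported: (guideline, file, line) tuples for diagnostics the tool emitted.
    The result only holds for the suite used: a guideline with no seeded
    defects can never show a false negative.
    """
    by_rule = defaultdict(lambda: (set(), set()))
    for item in expected:
        by_rule[item[0]][0].add(item)
    for item in reported:
        by_rule[item[0]][1].add(item)
    result = {}
    for rule, (exp, rep) in sorted(by_rule.items()):
        false_neg = exp - rep  # seeded defects the tool missed
        false_pos = rep - exp  # diagnostics with no matching seeded defect
        quadrant = QUADRANTS[(bool(false_neg), bool(false_pos))][0]
        result[rule] = (quadrant, sorted(false_neg), sorted(false_pos))
    return result

# Constructed sample data: guideline names, files and lines are placeholders.
EXPECTED = {
    ("RULE-A", "a1.c", 10), ("RULE-A", "a2.c", 22),
    ("RULE-B", "b1.c", 5),
    ("RULE-C", "c1.c", 8), ("RULE-C", "c2.c", 30),
    ("RULE-D", "d1.c", 12), ("RULE-D", "d2.c", 40),
}
REPORTED = {
    ("RULE-A", "a1.c", 10), ("RULE-A", "a2.c", 22),
    ("RULE-B", "b1.c", 5), ("RULE-B", "b_clean.c", 17),
    ("RULE-C", "c1.c", 8),
    ("RULE-D", "d1.c", 12), ("RULE-D", "d_clean.c", 3),
}

if __name__ == "__main__":
    labels = {number: text for number, text in QUADRANTS.values()}
    for rule, (quadrant, fn, fp) in classify(EXPECTED, REPORTED).items():
        print(f"{rule}: [{quadrant}] {labels[quadrant]} missed={fn} spurious={fp}")
```

Matching on exact line numbers is the strictest comparison; a tool that reports the same defect on an adjacent line would need a tolerance added before its results are judged.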