Tools that have been evaluated by students before (and the reports):
- FindBugs is a
fairly comprehensive collection of bug detectors for Java.
FindBugs is unsound (may not find every bug) and incomplete (warnings
may not indicate true bugs). Compared to other tools, FindBugs
finds a very broad range of errors, but tends to do more shallow
analysis.
- Daikon is a tool
for dynamically detecting likely invariants in Java and C/C++ programs.
- ESC/Java and ESC/Java 2 are tools for finding errors in Java programs.
They use static analysis to find errors such as null dereference errors,
array bounds errors, type cast errors, and race conditions at compile
time. They support pre- and post-condition style reasoning.
- Eclat is a tool that automatically generates test inputs for a Java
program. Eclat differs
from other tools for generating tests in that it uses a novel selection
mechanism to filter out most of the candidate tests, only presenting to
the user the ones that are most likely to actually reveal an error in
the program or a deficiency in an existing test suite.
- Purify
is a tool for detecting memory errors in C/C++ programs at runtime, or
debugging garbage-collection related problems in Java. A free trial
version of this commercial product is available.
- Java PathFinder is a model checker for Java programs. A release (for
internal CMU use only) is available on Blackboard.
- Reflexion
Models is a tool for reverse engineering code (the most recent tool
supports Java).
Implementation Projects
- Exploring the design of a rule-based language and its semantics
- Using the bddbddb package to implement a taintedness analysis
Literature Surveys
- A survey of clone detection analysis tools
Commercial tools with trial or free versions available:
- Coverity is the
commercial version of Metal. There is a free trial version
available.
- PREfast
is the commercial version of PREfix. You may have to do some
gymnastics to get access to it, but it has been distributed as beta
software so there is hope.
Open source or research tools:
- JLint is a tool that finds Java bugs using dataflow analysis.
- PMD finds simple design problems in Java programs.
- Fluid is a
tool developed at CMU that can assure the absence of concurrency
errors. While it is not publicly available, we may be able to
release it to students interested in evaluating the tool.
- Rigi is a reverse-engineering tool that is designed to help
programmers understand and reengineer large C programs.
- MAGIC and
ComFoRT are model-checking tools developed here at CMU.
- Bandera is a
tool for verifying properties of Java programs using model-checking.
- Lackwit
is a tool that helps programmers with reverse engineering or
restructuring tasks. The tool can detect abstraction violations,
identify unused variables, functions, and fields of data structures,
and detect simple errors of operations on abstract datatypes (such as
failure to close after open).
- Hyper/J is a tool that supports better separation of concerns that
cross-cut standard class and method boundaries.
- Splint (formerly LCLint)
is a tool for statically checking C programs for security
vulnerabilities and coding mistakes.
- Zing is a software model checking project at Microsoft Research that
can handle C# programs.
- BLAST is a software model checker for C
programs.
- BOOP is an open source
reimplementation of SLAM, and can be used for verifying device driver
properties.
- Microsoft's SLAM project is now part of the Static
Driver Verifier, to be released shortly.
Other tools are also fair game; just contact the instructor.