Given that Jsonnet is written in C++, there are many potential issues that can lurk in C++ code, such as undefined behavior, buffer overruns, etc.
While unit tests help ensure that code does what it's supposed to (and handles errors correctly), there are other classes of issues that can be found via static analysis. Some of the tools that can be used for this are:
- Coverity, which provides free scans to open-source projects
- LLVM/Clang tools such as AddressSanitizer, ThreadSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, etc.
These and other similar tools can help find bugs without writing explicit tests, so they provide a lot of value with little additional effort.