pycparser

Pycparser does exactly what it promises: parses C code into Python AST structures. The documentation is thorough with clear examples showing how to parse files and traverse ASTs. The _c_generator.py example demonstrates round-tripping C code, which was invaluable for understanding the AST structure. However, expect to spend time learning the AST node hierarchy - you'll be constantly referencing the docs to understand what attributes each node type has.

Error messages are generally helpful when your C code has syntax issues, pointing to line numbers and problematic tokens. The preprocessing requirement (you must run cpp first) is well-documented but easy to forget initially. Debugging is straightforward with the show() method that prints AST trees, making it easy to understand what you're working with.

Community support is decent - most common questions are answered in GitHub issues. The library is stable and well-maintained. For straightforward parsing and analysis tasks, it's excellent. Complex transformations require more effort since you're manually walking and modifying the AST, but the visitor pattern support helps.

Pycparser does what it promises—parses C code into a Python AST—but the developer experience leaves much to be desired. The API is straightforward once you understand it (parse_file, parse), but getting started requires manually generating parser tables and understanding the preprocessing step with fake libc headers, which isn't immediately obvious from the docs.

The AST visitor pattern works well for traversing parse trees, and the library handles most C99 constructs correctly. However, error messages when parsing fails are cryptic, often pointing to lexer/parser internals rather than the actual C code issue. Type hints are completely absent (even in 3.0), making IDE support minimal—you'll be constantly referring to docs to understand node types.

Documentation exists but feels academic rather than practical. The examples folder helps, but there's no comprehensive guide for common tasks like extracting function signatures or analyzing struct definitions. You'll spend time reading source code to understand node attributes.

pycparser is a pure-Python C99 parser that I've used extensively for static analysis tooling and C code manipulation. From a security perspective, it's refreshingly simple: no native extensions, no complex dependencies beyond PLY for lexing/parsing. The attack surface is minimal since it's just parsing text into an AST - no code execution, no dynamic loading.

The library follows secure-by-default principles well. Parse errors are clean and don't leak system information. Input validation is straightforward - you feed it C code strings and get predictable AST objects or parsing exceptions. There's no network I/O, no file system traversal beyond what you explicitly provide, and no authentication concerns since it's purely computational.

The main practical consideration is that you need to preprocess your C code with the bundled fake_libc_include headers or your own preprocessing pipeline. This adds complexity but keeps pycparser focused and reduces risk. Error messages are descriptive enough for debugging without exposing internals. For supply chain risk, the minimal dependency tree (just PLY) is a significant advantage.