Continuous Code Inspection and Analysis Zulfi Zamindar, Field Application Engineer


Agenda
– Code Inspection
– Static Code Analysis
– C-STAT Demonstration
– Dynamic Code Analysis
– C-RUN Demonstration
– Summary

Code Inspection

Why use C for embedded?

• Widespread knowledge of the language
– Data type conversion, pointer accesses etc.

• Widespread tool support for the language
– Many different compilers for virtually any target
– Many middleware options
– Many static analysis tools

• Fairly close to hardware
– You can abstract to a higher level of interaction with the hardware
– You can get all the way down to writing bits to ports

Why care about code analysis?

• C is not safe
– Many languages are very similar to C

• All software contains bugs

• The later you find a bug, the more expensive it gets

Chart: cost of fixing a bug over the development cycle. A bug found during development costs $, one found in system test $$$, and one found after a product recall $$$$$$.

Code inspections

• 3 approaches to code inspections
– Code reviews
– Pair programming
– Automated inspections

Cartoon licensed under CC-BY-3.0 http://geek-and-poke.com/

Code inspections

• Code reviews
– Activity where the code gets viewed and read by one or several humans
– At least one of the humans must not be the author of the code
– Can be done as an interruption of the implementation or after the implementation
– Possible process: Fagan inspection

Code inspections

• Code review goals
– Improve code quality
– Find possible defects
– Knowledge transfer
– Highlight possible better solutions
– QA guideline compliance


Code inspections

• Pair programming
– Two programmers work together at one workstation
– One (the driver) writes the code, while the other (the observer) reviews it as it is typed in


Code inspections

• Pair programming advantages
– Better code with fewer defects
– Improved problem / project oriented focus
– Knowledge transfer, reduced bus factor

• Pair programming challenges
– Building successful / productive teams

Code inspections

• Automated inspections
– Offload the code reviews to a machine
– No limitations on the frequency of the code reviews
– High repeatability of the results
– Can be included in the CI flow


C-STAT – Static Code Analyzer

What is Static code analysis

• A way to statically analyze software (as opposed to dynamically)

• In this context it means analyzing C/C++ source code without compiling or executing the program

• Intended to identify potential errors, vulnerabilities, portability issues, coding standards compliance etc.

• Highly recommended for any embedded development, and required by safety-certification processes

• IAR Systems provides C-STAT

What is MISRA-C

• Motor Industry Software Reliability Association
– A consortium that promotes standards to improve the safety and reliability of embedded code
– MISRA-C is:
o A language subset that rules out the undefined behavior permitted by the C standard
o A basis for a coding standard

Static code analysis

• IAR Systems provides C-STAT
– Fully integrated into the IAR Embedded Workbench
– Flexible rule selection + export / import of rule-sets
– Detailed documentation of checks and messages
– C-STAT supports:
o ~250 checks based on issues addressed by CWE and CERT
o MISRA-C 2004
o MISRA-C 2012
o MISRA-C++ 2008

Classic C mistakes

• Array out-of-bounds
• Null pointer dereferencing
• Using a variable before initialization
• Order of evaluation of operands
• Integer overflow
• Casting issues
• Assignment where a check for equality was intended
• Illegal printf/scanf format strings
• Forgetting to handle a case in a switch statement
• Passing macro arguments with side effects
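The mistakes listed above, as an added example that is not code from the IAR deck: each buggy form sits beside a corrected one. The buggy variants are written so they stay well-defined and deterministic (a real out-of-bounds read or use of an uninitialized variable is undefined behavior and cannot be demonstrated safely), so the bounds check and the switch are shown only in hardened form. Names such as MSG_MAX, copy_len_buggy, add_checked and describe_cmd are assumptions made for the example, not C-STAT or IAR identifiers.

```c
/* Added example (not from the IAR deck): deterministic versions of several
 * "classic C mistakes" listed above, each beside a corrected form. Names
 * such as MSG_MAX, copy_len_buggy and add_checked are assumptions for the
 * example, not C-STAT or IAR identifiers. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* 1. Macro arguments with side effects: the argument text is pasted twice,
 * so an i++ passed to MAX_MACRO runs twice whenever the condition is true.
 * The ?: operator sequences both evaluations, so this is well-defined but
 * wrong; an inline function evaluates its argument exactly once. */
#define MAX_MACRO(a, b) ((a) > (b) ? (a) : (b))

static inline int max_fn(int a, int b) { return a > b ? a : b; }

int macro_max_of_counter(int start, int *final)
{
    int i = start;
    int r = MAX_MACRO(i++, 5);  /* start=7: returns 8 and leaves i at 9 */
    *final = i;
    return r;
}

int function_max_of_counter(int start, int *final)
{
    int i = start;
    int r = max_fn(i++, 5);     /* start=7: returns 7 and leaves i at 8 */
    *final = i;
    return r;
}

/* 2. Signed length used as unsigned (the kind of issue behind the
 * "INT-use-signed-as-unsigned" check named in the suppression example).
 * A negative length slips past a signed upper-bound check and is then
 * converted to size_t for memcpy. Both functions return the byte count
 * that would reach memcpy, or 0 when the length is rejected. */
#define MSG_MAX 64

size_t copy_len_buggy(int len)
{
    if (len > MSG_MAX)          /* -1 > 64 is false, so -1 is accepted */
        return 0;
    return (size_t)len;         /* (size_t)-1 == SIZE_MAX: memcpy would overrun */
}

size_t copy_len_fixed(int len)
{
    if (len < 0 || len > MSG_MAX)
        return 0;
    return (size_t)len;
}

/* 3. Integer overflow: signed overflow is undefined behavior, so the check
 * must happen before the addition, not by inspecting a wrapped result. */
bool add_checked(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;           /* would overflow: leave *out untouched */
    *out = a + b;
    return true;
}

/* 4. Array bounds and switch coverage: the table index comes from an
 * untrusted command code, so it is range-checked through the switch, and
 * the default branch reports unknown codes instead of silently ignoring
 * them. */
enum cmd { CMD_READ, CMD_WRITE, CMD_RESET, CMD_COUNT };

static const char *const cmd_name[CMD_COUNT] = { "read", "write", "reset" };

const char *describe_cmd(int code)
{
    switch (code) {
    case CMD_READ:
    case CMD_WRITE:
    case CMD_RESET:
        return cmd_name[code];  /* every listed case is < CMD_COUNT */
    default:
        return "unknown";       /* covers negative and out-of-range codes */
    }
}
```

A compiler will typically accept every buggy form above without complaint, which is the point of the list: the macro expansion, the signed comparison and the missing range check are all legal C. A static analyzer flags them because it reasons about what the code can do, not whether it compiles.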

C-STAT static analysis (screenshots: C-STAT messages listed in the IAR Embedded Workbench message window)

Online help on checks: pressing F1 on a C-STAT message opens the detailed documentation for that check.

Representation of results

• Text file: Save-to-file in the C-STAT Messages window

• Automatically generated .db file
– Can be opened with an SQL browser
– Can be exported as a CSV file

• HTML summary and full report

Exclude code from being checked

• Suppression via #pragma:
#pragma cstat_suppress="INT-use-signed-as-unsigned"
<my code>

• Suppression with comments:
<my code> //cstat !MISRAC2004-6.3

//cstat -MISRAC2012*
<my code>
//cstat +MISRAC2012*

• Suppressed messages are documented in the HTML report, so every suppression can be audited rather than silently hiding a finding

C-STAT through Eclipse plugin

Continuous Integration

• Continuous Integration (CI) environments
– automate the build and test of code every time a team member commits changes to the version control system
– should be agnostic to the underlying tools
– should offer the option to call tools from the command line

C-STAT and CI

• C-STAT from the command line
– Perform static code analysis from the command line
– Useful when you want to automate repetitive analysis
– Results are reported in the console window and in a database file
– Syntax: icstat.exe [options] <command> [--<extra>]

C-STAT and CI

• C-STAT through iarbuild.exe
– Build your complete project based on the project settings file *.ewp with iarbuild.exe
– Static code analysis via C-STAT can be invoked the same way
– Syntax: iarbuild.exe project.ewp [ -clean | -build | -make | -cstat_analyze | -cstat_clean] configuration [log options] [parallel] [custom argument variables]

Summary (1)

• Automated inspections are a good approach to improve code quality
• Static code analysis helps you to identify possible issues in an efficient way
• C-STAT is available for daily use inside IAR Embedded Workbench as well as from the command line

Demonstration of C-STAT

Run-time analysis – C-RUN

• Detection of data manipulation issues during runtime

• Addresses arithmetic, bound and heap checking

• Very efficient instrumentation of compiled code

• Fully integrated in IAR Embedded Workbench for: ARM ≥ v7.20

C-RUN run-time analysis

• Individual checks can be turned on/off

• Overhead depends on:
– Performed checks
– Application profile

• Can be configured on a module basis
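To make concrete what a runtime checker has to observe, an added example that is not IAR code and not how C-RUN is implemented: a minimal guarded heap that appends a canary to each allocation and tracks live blocks, so a one-byte overrun, a double free and a leak are each reported at the point where the checker can see them. Names such as guard_malloc, guard_free and the scenario_* functions are assumptions made for the example.

```c
/* Added example (not IAR code, and not how C-RUN is implemented): a
 * minimal guarded heap showing the kind of evidence a runtime checker
 * relies on. guard_malloc pads every block with a canary and records it
 * in a live table; guard_free verifies the canary (buffer overrun) and
 * the table (double or invalid free); guard_live_count exposes leaks. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_CANARY   0xA5u
#define GUARD_TAIL     8       /* canary bytes appended after each block */
#define GUARD_MAX_LIVE 32      /* fixed table: no dynamic bookkeeping on the target */

enum guard_status { GUARD_OK, GUARD_OVERRUN, GUARD_BAD_FREE, GUARD_NO_MEMORY };

struct guard_entry { unsigned char *ptr; size_t size; };
static struct guard_entry live[GUARD_MAX_LIVE];

void *guard_malloc(size_t size)
{
    for (size_t i = 0; i < GUARD_MAX_LIVE; i++) {
        if (live[i].ptr != NULL)
            continue;
        unsigned char *p = malloc(size + GUARD_TAIL);
        if (p == NULL)
            return NULL;
        memset(p + size, GUARD_CANARY, GUARD_TAIL);  /* guard zone after user data */
        live[i].ptr = p;
        live[i].size = size;
        return p;
    }
    return NULL;                                     /* table full */
}

enum guard_status guard_free(void *ptr)
{
    if (ptr == NULL)
        return GUARD_OK;                             /* free(NULL) is legal C */
    for (size_t i = 0; i < GUARD_MAX_LIVE; i++) {
        if (live[i].ptr != ptr)
            continue;
        enum guard_status st = GUARD_OK;
        for (size_t j = 0; j < GUARD_TAIL; j++)
            if (live[i].ptr[live[i].size + j] != GUARD_CANARY)
                st = GUARD_OVERRUN;                  /* a write ran past the block */
        live[i].ptr = NULL;                          /* block is no longer live */
        live[i].size = 0;
        free(ptr);
        return st;
    }
    return GUARD_BAD_FREE;                           /* never allocated, or already freed */
}

size_t guard_live_count(void)
{
    size_t n = 0;
    for (size_t i = 0; i < GUARD_MAX_LIVE; i++)
        if (live[i].ptr != NULL)
            n++;
    return n;
}

/* Scenarios: each returns what the checker reports for one classic heap bug. */
enum guard_status scenario_overrun(void)
{
    char *buf = guard_malloc(16);
    if (buf == NULL)
        return GUARD_NO_MEMORY;
    memset(buf, 'A', 17);          /* one byte too many; it lands in the canary */
    return guard_free(buf);        /* reported as GUARD_OVERRUN */
}

enum guard_status scenario_double_free(void)
{
    char *buf = guard_malloc(16);
    if (buf == NULL)
        return GUARD_NO_MEMORY;
    guard_free(buf);
    return guard_free(buf);        /* reported as GUARD_BAD_FREE: no longer live */
}

size_t scenario_leak(void)
{
    char *buf = guard_malloc(8);
    size_t outstanding = guard_live_count();   /* 1 while buf is still allocated */
    guard_free(buf);                           /* release it so later checks start clean */
    return outstanding;
}
```

The same trade-off the slide describes shows up even in this toy: every check costs memory (the canary and the table) and cycles (the scan on free), so a real tool lets you enable checks per module and per kind. The toy also shows the limits of pointer bookkeeping alone: once an address is reused by a later allocation, a stale pointer to the old block looks valid again, which is why a production checker instruments the code rather than only wrapping the allocator.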

Runtime analysis C-RUN, cont'd (screenshot: C-RUN gives very detailed feedback on what went wrong)

Rules to disable C-RUN messages (screenshot)

Summary

Figure: total fault coverage, built up in three layers. The compiler/linker alone catches a first share of faults; adding C-STAT static analysis widens the coverage; adding C-RUN runtime analysis on top covers the data-manipulation faults that only show up during execution.

Demonstration of C-RUN

Thank you for your attention!

www.iar.com