Maintaining code quality is an ongoing challenge as embedded systems grow in code size and complexity. While their approaches and solutions differ, embedded software tool vendors are all evolving their code quality offerings to meet today’s needs.
The complexity of today’s embedded software keeps pushing the goalposts further out in terms of ensuring good quality code. As these systems get more complex, the challenge of producing error free code isn’t getting any easier. To keep pace, vendors of code analysis tools are innovating with highly integrated and effective solutions.
Even though they are all addressing similar demands, the major embedded tool vendors each have their own approach to code quality tool solutions. Some link them tightly within their integrated development environment (IDE), while others take a more modular approach. Meanwhile, issues due to programming languages, standards compliance and processor support differentiate the code quality tools of these vendors.
For its part, IAR Systems’ centerpiece tool for ensuring code quality is its C-RUN runtime analysis tool. C-RUN is an add-on to IAR Embedded Workbench for Arm and for Renesas RX. C-RUN performs runtime analysis by checking application execution directly within the development environment (Figure 1). It checks for arithmetic issues, bounds issues and heap integrity and will tell you what went wrong and where.
C-RUN is designed to provide a convenient and flexible rule selection in the settings and error filter management. The runtime analysis tool can be used for C and C++ source code and adds efficient instrumentation of diagnosis routines inside your code when enabled. The tool can check your code during execution on the target or in the simulator and you get a direct code correlation and graphical feedback in editor.
C-RUN can be used standalone to find hard-to-detect problems in the field. It only requires users to build and deploy a test firmware for a unit with the necessary C-RUN tests enabled in IAR Embedded Workbench. The C-RUN output messages will then be redirected to a serial interface and log the messages. The recorded cryptic messages can then be parsed offline to plaintext with the C-SPY command line utility (cspybat) for diagnosis and bug fixing.
C-RUN is fully integrated with the IAR Embedded Workbench IDE. The helps embedded developers ensure their code is safe and of high quality at an early stage, which also aids companies to shorten their time to market. That’s because the impact of errors further down the line might be very time consuming and expensive.
TRIO OF TOOLS
LDRA provides a trio of tools aimed at code quality review: Testbed, Dynamic Data Flow Coverage (DDFC) and LDRArules. LDRA Testbed enforces compliance with coding standards and clearly indicates software flaws that might otherwise pass through the standard build and test process to become latent problems. LDRA’s proprietary parsing engine enables Testbed to quickly incorporate new analysis techniques to meet changing standards requirements.
With LDRA Testbed as a foundation, embedded developers can tailor the tool suite for your specific needs. LDRA offers a full range of software testing core components and optional modules, as well as software certification and consulting services, allowing you to only pay for exactly what you need. According to the company, LDRA Testbed was the first tool to be used for certification to the Federal Aviation Authority’s FAA DO-178B standard for both airborne and ground-based systems. LDRA Testbed is the only tool that enables static rule checking, complexity, and dynamic analysis for MISRA C compliance, says LDRA.
DDFC is an optional module for Testbed. The DDFC feature of the LDRA tool suite was specifically designed to address a requirement of avionics-related standards such as DO-178C and DO-248C, which define data coupling to be “The dependence of a software component on data not exclusively under the control of that software component” and require that “Test coverage of software structure, both data and control coupling, is achieved.”
Finally, LDRArules is a stand-alone rules checker that doesn’t require investment in the complete tool chain (Figure 2). LDRArules enforces compliance with industry- or user-defined coding standards and provides clear visibility of software flaws that might typically pass through the build and test process and become latent problems. LDRArules incorporates next-generation reporting capabilities to show code quality, fault detection, and avoidance measures. You can quickly and easily view results in call graphs, flow graphs, and code review reports in an easy-to-read, intuitive format.
INTEGRATED STATIC ANALYZER
As part of its development tools suite, Green Hills Software provides an integrated static source code analyzer called DoubleCheck. While other source code analyzers run as separate tools, DoubleCheck is an integrated static analyzer that’s built into the Green Hills C/C++ compiler. According to Green Hills (Figure 3), DoubleCheck leverages accurate and efficient analysis algorithms that have been tuned and field-proven in 30+ years of producing embedded development tools. DoubleCheck can be used as a single integrated tool to perform compilation and defect analysis in the same pass.
A typical compiler issues warnings and errors for some basic potential code problems, such as violations of the language standard or use of implementation-defined constructs, says Green Hills. In contrast, DoubleCheck performs a full program analysis, finding bugs caused by complex interactions between pieces of code that may not even be in the same source file.
DoubleCheck determines potential execution paths through code, including paths into and across subroutine calls, and how the values of program objects (such as standalone variables or fields within aggregates) could change across these paths.
The DoubleCheck analyzer understands the behavior of many standard runtime library functions. For example, it knows that subroutines like free should be passed pointers to memory allocated by subroutines like malloc. The analyzer uses this information to detect errors in code that calls or uses the result of a call to these functions.
CATCHING MORE DEFECTS
With its roots as a specialist in static code analysis, GrammaTech’s solution for ensuring code quality is its CodeSonar tool. CodeSonar employs a unified dataflow and symbolic execution analysis that examines the computation of the complete application. By not relying on pattern matching or similar approximations, CodeSonar’s static analysis engine is extraordinarily deep, finding 3-5 times more defects on average than other static analysis tools, according to the company.
Like a compiler, CodeSonar does a build of your code using your existing build environment, but instead of creating object code, CodeSonar creates an abstract model of your entire program. From the derived model, CodeSonar’s symbolic execution engine explores program paths, reasoning about program variables and how they relate. Advanced theorem-proving technology prunes infeasible program paths from the exploration.
In March, GrammaTech announced a technology partnership with GitLab, the single application for the DevOps lifecycle. As part of the alliance, the GrammaTech’s CodeSonar product is now integrated with GitLab’s Ultimate DevSecOps platform allowing customers to implement code analysis early and directly within CI/CD pipelines (Figure 4). Development teams are under constant pressure to meet aggressive deadlines for delivering new software, with rolling releases and agile development practices that are pushing new features and code quickly into production, says GrammaTech. CodeSonar is designed to shift security left in DevSecOps by detecting and eliminating bugs and vulnerabilities at the earliest stages of the development cycle.
The integration of CodeSonar with GitLab enables organizations to develop and release high quality and secure software that is free from harmful defects and exploitable weaknesses which can cause system failures, enable data breaches and increase liability. The GrammaTech module for GitLab provides native SAST capabilities that scan code for defects within CI/CD pipelines, and eliminates the need for any integration and maintenance by users. It enables customers to assess code continuously, avoiding costly mistakes and rework associated with waiting until the testing phase to scan for security problems.
QUALITY ADA CODE
As its name suggests, AdaCore is a leader in Ada language software tools. The company’s code quality solution is its CodePeer tool. CodePeer is an Ada source code analyzer that detects runtime and logic errors. It assesses potential bugs before program execution, serving as an automated peer reviewer, helping to find errors easily at any stage of the development life-cycle. CodePeer helps you improve the quality of your code and makes it easier for you to perform safety and/or security analysis.
CodePeer is a stand-alone tool that runs on Windows and Linux platforms and may be used with any standard Ada compiler or fully integrated into the GNAT Pro development environment. It can detect several of the “Top 25 Most Dangerous Software Errors” in the Common Weakness Enumeration. CodePeer supports all versions of Ada (83, 95, 2005, 2012). CodePeer has been qualified as a Verification Tool under the DO-178B and EN 50128 software standards.
CodePeer comes with additional tools including a coding standard checker (GNATcheck) and a metrics calculator/reporter (GNATmetric). CodePeer is integrated with GNAT Studio and GNATbench IDEs and with a web server for viewing its HTML output. It also comes with a plug-in for Jenkins (continuous builder) and GNATdashboard.
AdaCore emphasizes that CodePeer is designed to be a multipurpose, interdisciplinary tool for the whole team (Figure 5). Developers can use it while writing their code, to detect and thereby prevent (local) problems prior to integration of their work. Testing and reviewer team members can use CodePeer to annotate code where potential problems have been detected, such as specific CWE-related issues. And certification engineers can use it to reduce the effort needed for safety or security certification.
Wind River’s Diab Compiler is the heart of the company’s Workbench development tools suite. The compiler’s long legacy in the embedded market means it’s been tested with millions of test cases and industry standard test suites. The tool also boasts POSIX PSE52 conformance. The tool is particularly suited to standards in heavy industries such as automotive, avionics and industrial markets. In those markets, it is critical that software conform to industry standards for functional safety.
Diab Compiler has achieved Automotive SPICE (Software Process Improvement and Capability dEtermination) Level 2 certification. As a reliable code generation tool for avionics products, the tool is certified to DO-178B. It also nuclear market certified to IEC 60880, railway applications certified to EN 50128, and industrial products certified to IEC 61508. It can now also be qualified for use in automotive applications certified to ISO 26262.
Diab Compiler is certified by TÜV SÜD to be suitable for developing safety-related software. It supports customers working on automotive safety and industrial products with the creation of safety artifacts that meet their end product’s safety certification requirements. According to Wind River, Diab Compiler is exhaustively tested using both industry-standard test suites and a library of in-house test cases to reduce the risk of vulnerability in your safety-critical software. Wind River maintains a policy to transparently disclose Diab Compiler issues that might compromise the safety compliance of your project.
PUBLISHED IN CIRCUIT CELLAR MAGAZINE • APRIL 2021 #369 – Get a PDF of the issue