EmbeddedRelated.com
Forums
The 2025 Embedded Online Conference
   Forums    More Forums    comp.arch.embedded  

Static analysis tool?

Started by Dave Nadler April 16, 2021
Reply by Michael Kellett April 17, 20212021-04-17
On 16/04/2021 20:24, Dave Nadler wrote:

> Perhaps someone here can help...
> 
> I'm doing a presentation on techniques for embedded, especially removing 
> and keeping out bugs ;-) Using an example project from last year. A 
> reviewer of my first draft suggested many of the bugs surfaced in the 
> project would have been caught by static analysis - but I haven't had 
> such great luck in the past.
> 
> Tried CPPcheck, and while it found some less-than-optimal stuff it only 
> found one of the real bugs discussed.
> 
> Tried to get an evaluation copy of Coverity, but got a wildly annoying 
> and clueless sales person who promises a member of the right team will 
> contact me shortly (Real Soon Now).
> 
> Bugs I had to fix and amenable to static analysis included:
> - uninitialized variable (only one found by CPPcheck)
> - use of magic 0xff index value as subscript off end of array
> - C macro with unguarded arguments getting wrong answer
> - use of int8 to index 1kb buffer (so only 256 bytes got used)
> 
> Anybody able to recommend a tool they've used successfully?
> Thanks in advance,
> Best Regards, Dave


I uses PC_Lint Version 9, not the latest, but Gimple now only sell site 
licenses at rather high cost if you only need 1. It's still a cheapish 
solution.
Ristan Case it nice but has not been updated for years and is not likely 
to be.
Lint + MISRA is a bit like doing a code review with a colleague who 
objects to pretty much everything you do. For me its main virtue is in 
forcing you to think about stuff a little more.
On the current project (where I'm using these tools) it has certainly 
caught a few bugs but a lot more instances of stuff that can (and 
should) be expressed more clearly or simply.
The problem with working in a "MISRA compliant" environment is that 
slavish obedience is required which is often daft. The documentation 
burden of dealing with exceptions can become large.

On balance I think it improves my code. (And since on the current 
project no code reviews ever happen - it's all I've got :-(

All the above applies to C only.

MK
Reply by David Brown April 17, 20212021-04-17
On 16/04/2021 21:24, Dave Nadler wrote:

> Perhaps someone here can help...
> 
> I'm doing a presentation on techniques for embedded, especially removing
> and keeping out bugs ;-) Using an example project from last year. A
> reviewer of my first draft suggested many of the bugs surfaced in the
> project would have been caught by static analysis - but I haven't had
> such great luck in the past.
> 
> Tried CPPcheck, and while it found some less-than-optimal stuff it only
> found one of the real bugs discussed.
> 
> Tried to get an evaluation copy of Coverity, but got a wildly annoying
> and clueless sales person who promises a member of the right team will
> contact me shortly (Real Soon Now).
> 
> Bugs I had to fix and amenable to static analysis included:
> - uninitialized variable (only one found by CPPcheck)
> - use of magic 0xff index value as subscript off end of array
> - C macro with unguarded arguments getting wrong answer
> - use of int8 to index 1kb buffer (so only 256 bytes got used)
> 
> Anybody able to recommend a tool they've used successfully?
> Thanks in advance,
> Best Regards, Dave


Your first step should always be the compiler - a good compiler, with
optimisation enabled (that's essential) and lots of warnings will pick
up many such things.  It won't do everything, but it is certainly a good
start.  gcc in particular has got better and better at this over time -
I have found bugs in code (other people's code, of course :-) ) after
switching to a newer gcc and enabling more warnings.

Actually, that is perhaps the /second/ step.  The first step is to adopt
good coding practices (and perhaps a formal standard) that make it
easier to avoid writing the bugs in the first place, and to spot them
when they are made accidentally.  For example, a strong emphasis on
static inline functions rather than macros means your risk of macro
problems drops dramatically - and a coding standard that insists on
always guarding the arguments means you don't get the macro bug you
mentioned above.
Reply by Dave Nadler April 17, 20212021-04-17
On 4/16/2021 3:24 PM, Dave Nadler wrote:

> Perhaps someone here can help...
> 
> I'm doing a presentation on techniques for embedded, especially removing 
> and keeping out bugs ;-) Using an example project from last year. A 
> reviewer of my first draft suggested many of the bugs surfaced in the 
> project would have been caught by static analysis - but I haven't had 
> such great luck in the past.
> 
> Tried CPPcheck, and while it found some less-than-optimal stuff it only 
> found one of the real bugs discussed.
> 
> Tried to get an evaluation copy of Coverity, but got a wildly annoying 
> and clueless sales person who promises a member of the right team will 
> contact me shortly (Real Soon Now).
> 
> Bugs I had to fix and amenable to static analysis included:
> - uninitialized variable (only one found by CPPcheck)
> - use of magic 0xff index value as subscript off end of array
> - C macro with unguarded arguments getting wrong answer
> - use of int8 to index 1kb buffer (so only 256 bytes got used)
> 
> Anybody able to recommend a tool they've used successfully?
> Thanks in advance,
> Best Regards, Dave


Thanks all for the comments. I should have explained this project came 
from elsewhere; landed in my lap to add a minor feature which resulted 
in needing to do lots of debug of existing problems. I even rewrote part 
of it in C++ ;-)  Project is proprietary so Coverity scan is not 
applicable as that's only for FOSS. Only 5 (maybe 6?) of the top dozen 
bugs COULD be found by static analysis but certainly that would have 
been helpful.

If anybody has an hour and would be interested to review the 
presentation first draft video PM me - I can always use some 
constructive comments and suggestions!

Thanks again,
Best Regards, Dave
Reply by Dave Nadler May 2, 20212021-05-02
On 4/17/2021 10:34 AM, Dave Nadler wrote:

> On 4/16/2021 3:24 PM, Dave Nadler wrote:
>> Perhaps someone here can help...
>>
>> I'm doing a presentation on techniques for embedded, especially 
>> removing and keeping out bugs ;-) Using an example project from last 
>> year. A reviewer of my first draft suggested many of the bugs surfaced 
>> in the project would have been caught by static analysis - but I 
>> haven't had such great luck in the past.
>>
>> Tried CPPcheck, and while it found some less-than-optimal stuff it 
>> only found one of the real bugs discussed.
>>
>> Tried to get an evaluation copy of Coverity, but got a wildly annoying 
>> and clueless sales person who promises a member of the right team will 
>> contact me shortly (Real Soon Now).
>>
>> Bugs I had to fix and amenable to static analysis included:
>> - uninitialized variable (only one found by CPPcheck)
>> - use of magic 0xff index value as subscript off end of array
>> - C macro with unguarded arguments getting wrong answer
>> - use of int8 to index 1kb buffer (so only 256 bytes got used)
>>
>> Anybody able to recommend a tool they've used successfully?
>> Thanks in advance,
>> Best Regards, Dave
> 
> Thanks all for the comments. I should have explained this project came 
> from elsewhere; landed in my lap to add a minor feature which resulted 
> in needing to do lots of debug of existing problems. I even rewrote part 
> of it in C++ ;-)  Project is proprietary so Coverity scan is not 
> applicable as that's only for FOSS. Only 5 (maybe 6?) of the top dozen 
> bugs COULD be found by static analysis but certainly that would have 
> been helpful.
> 
> If anybody has an hour and would be interested to review the 
> presentation first draft video PM me - I can always use some 
> constructive comments and suggestions!
> 
> Thanks again,
> Best Regards, Dave


Further follow-up: Never heard back from Coverity (as expected).
Tried Perforce Klocworks and got a very perky and slightly less annoying 
sales person who promised prompt follow-up, and as usual none was 
forthcoming.

Any other static analysis tools you folks can suggest?
Reply by Don Y May 2, 20212021-05-02
On 5/2/2021 8:41 AM, Dave Nadler wrote:

> On 4/17/2021 10:34 AM, Dave Nadler wrote:
>> On 4/16/2021 3:24 PM, Dave Nadler wrote:
>>> Perhaps someone here can help...
>>>
>>> I'm doing a presentation on techniques for embedded, especially removing and 
>>> keeping out bugs ;-) Using an example project from last year. A reviewer of 
>>> my first draft suggested many of the bugs surfaced in the project would have 
>>> been caught by static analysis - but I haven't had such great luck in the past.
>>>
>>> Tried CPPcheck, and while it found some less-than-optimal stuff it only 
>>> found one of the real bugs discussed.
>>>
>>> Tried to get an evaluation copy of Coverity, but got a wildly annoying and 
>>> clueless sales person who promises a member of the right team will contact 
>>> me shortly (Real Soon Now).
>>>
>>> Bugs I had to fix and amenable to static analysis included:
>>> - uninitialized variable (only one found by CPPcheck)
>>> - use of magic 0xff index value as subscript off end of array
>>> - C macro with unguarded arguments getting wrong answer
>>> - use of int8 to index 1kb buffer (so only 256 bytes got used)
>>>
>>> Anybody able to recommend a tool they've used successfully?
>>> Thanks in advance,
>>> Best Regards, Dave
>>
>> Thanks all for the comments. I should have explained this project came from 
>> elsewhere; landed in my lap to add a minor feature which resulted in needing 
>> to do lots of debug of existing problems. I even rewrote part of it in C++ 
>> ;-)  Project is proprietary so Coverity scan is not applicable as that's only 
>> for FOSS. Only 5 (maybe 6?) of the top dozen bugs COULD be found by static 
>> analysis but certainly that would have been helpful.
>>
>> If anybody has an hour and would be interested to review the presentation 
>> first draft video PM me - I can always use some constructive comments and 
>> suggestions!
>>
>> Thanks again,
>> Best Regards, Dave
> 
> Further follow-up: Never heard back from Coverity (as expected).
> Tried Perforce Klocworks and got a very perky and slightly less annoying sales 
> person who promised prompt follow-up, and as usual none was forthcoming.
> 
> Any other static analysis tools you folks can suggest?


You're not going to find anything of the same caliber as Klocwork/Coverity
in the "discount/FOSS" aisle.

But, as I said, elsewhere, with enough (machine) "eyes" looking at your code,
you may eke out some insights that would evade a normal review.

Look at PVS Studio.  ConQAT won't necessarily give you the sorts of flags
that you're likely expecting from a static analysis tool; but, can help with
things like clone detection (more "smells" than actual "problems")

[Of course, there are other tools that do similar things]
You might also like... (promoted content)
CodeSecure - The Trusted Leader in Product Software Security
CodeSecure - The Trusted Leader in Product Software Security
CodeSecure - The Trusted Leader in Product Software Security
Toradex Quality Now On SMARC
Toradex Quality Now On SMARC
Toradex Quality Now On SMARC
Toradex Small Form Factor Survey
Toradex Small Form Factor Survey
Toradex Small Form Factor Survey
The 2025 Embedded Online Conference