Dr. Dobb's Journal - March 2008 - (Page 22)

Core Technology by Paul Anderson Detecting Bugs in Safety-Critical Code Advanced static analysis When software is used for safety-critical applications, bugs aren’t just expensive annoyances—they can kill. Faced with such dire consequences, developers of safety-critical systems Paul is VP of Engineering at GrammaTech. He can be contacted at paul@grammatech.com. go to great lengths to prevent bugs from making it into the field. These measures are undeniably effective at reducing risk. Although there have been some famous catastrophic failures over the years, if medical devices or flight-control systems failed as often as most software fails, the headlines would be much grimmer. So how do they do it, and how can those of us who do not write safety-critical code emulate their success? Well, there are many strategies, but two stand out as being key and offer important lessons for other developers—static analysis and rigorous testing. Historically, static analysis had been used to enforce standards or style rules, and do some superficial syntactic checks for patterns that might indicate flaws. While helpful, especially as standards such as Misra C (misra.org.uk) or JSF C++ (www.research.att .com/~bs/JSF-AV-rules.pdf) are widely used by safetycritical software developers, these old-style tools have been difficult to use effectively, not least because of their high false-positive rate. Recently, a new breed of “advanced” static-analysis tools has emerged. These are capable of finding serious bugs such as buffer overruns, null pointer dereferences, resource leaks, and race conditions. They can also highlight inconsistencies or contradictions in the code, such as unreachable code, useless assignments, and redundant conditions, all of which often indicate programmer confusion, and correlate well with bugs. In Gerald Holzmann’s “Ten Rules for Writing Safety-Critical Code” (www.spinroot.com/p10), rule 10 specifies that advanced static-analysis tools should be used proactively all through the development process. Systematic testing is the other prong. As well as being a good idea, often it’s also the law. Regulators such as the FAA specify strict rules about how code is tested before it can be deployed in a safety-critical device. In some cases, developers must demonstrate that test suites achieve full coverage of the code. The trouble with this is that it can be enormously expensive to develop these test suites. However, advanced staticanalysis tools can help reduce the cost by steering developers away from futile or unnecessary work. In this article, I focus on advanced static analysis, how it complements traditional testing, and how it can be used for both bug finding and for reducing testing costs. Advanced Static Analysis With roots in esoteric techniques such as model checking and abstract interpretation, advanced static analysis is not your father’s technology. Instead of complaining endlessly about stylistic discrepancies or superficial syntactic problems, this new breed of tools can find serious coding flaws. They integrate easily 22 Dr. Dobb’s Journal l www.ddj.com l March 2008 http://misra.org.uk http://www.research.att.com/~bs/JSF-AV-rules.pdf http://www.research.att.com/~bs/JSF-AV-rules.pdf http://www.spinroot.com/p10 http://www.ddj.com

Table of Contents Feed for the Digital Edition of Dr. Dobb's Journal - March 2008

Dr. Dobb's Journal - March 2008 Contents Hmmmm Alia Vox Developer Diaries Developer’s Notebook Social Networks and Software Development Conversations Detecting Bugs in Safety-Critical Code Change Code Without Fear Continuous Integration and Performance Testing Wt: A Web Toolkit Automating Release Notifications The Agile Edge Effective Concurrency Swaine’s Flames

Dr. Dobb's Journal - March 2008

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.