What is "Static Code Analysis"?

79 posts / 0 new


Dan Saks often writes wisely : http://www.embedded.com/electronics-blogs/programming-pointers/4023879/Enumeration-Constants-vs-Constant-Objects
EDIT: Note that the article is from 2001. While the principles still hold, the performance of compilers might have changed considerably.


"Some questions have no answers."[C Baird] "There comes a point where the spoon-feeding has to stop and the independent thinking has to start." [C Lawson] "There are always ways to disagree, without being disagreeable."[E Weddington] "Words represent concepts. Use the wrong words, communicate the wrong concept." [J Morin] "Persistence only goes so far if you set yourself up for failure." [Kartman]

Last Edited: Thu. Jun 8, 2017 - 08:26 AM

Note that "const objects" is one of the places where 'C' does differ from C++ !

Top Tips:

  1. How to properly post source code - see: https://www.avrfreaks.net/comment... - also how to properly include images/pictures
  2. "Garbage" characters on a serial terminal are (almost?) invariably due to wrong baud rate - see: https://learn.sparkfun.com/tutorials/serial-communication
  3. Wrong baud rate is usually due to not running at the speed you thought; check by blinking a LED to see if you get the speed you expected
  4. Difference between a crystal, and a crystal oscillator: https://www.avrfreaks.net/comment...
  5. When your question is resolved, mark the solution: https://www.avrfreaks.net/comment...
  6. Beginner's "Getting Started" tips: https://www.avrfreaks.net/comment...

I must have missed the memo. Why is an enum member a "better" choice than the more obvious "static const int foo = 10;" ?

 

(But I agree that either is better than a #define)


Aren't scoped enums even better (C++11 onwards)? They should at least remove the implicit cast between enum members and int.

 

EDIT: for someone's enjoyment: cpp.sh

:: Morten

 

(yes, I work for Microchip, yes, I do this in my spare time, now stop sending PMs)

 

The postings on this site are my own and do not represent Microchip’s positions, strategies, or opinions.


meolsen wrote:
EDIT: for someone's enjoyment: cpp.sh
Not that enjoyable!

 


Sure... can't convert enum class to int implicitly

:: Morten

 

(yes, I work for Microchip, yes, I do this in my spare time, now stop sending PMs)

 

The postings on this site are my own and do not represent Microchip’s positions, strategies, or opinions.


When I asked about enums occupying memory, here is what I had in mind.

 

If I #define NextVal 10, then the only "memory" used is the same flash space that any numeric value would occupy. [nb: this statement is clearly true only for Harvard architectures where code occupies some nominally nonvolatile memory]

 

But, if I do

 

    enum {
        NextVal = 10,
    };

What is the memory "footprint"? Does it live in SRAM? Is the memory footprint any different than

 

static const uint8_t NextVal = 10;

 

If used in a place where speed is critical, aren't there usually more operations to get it out of SRAM than from FLASH (especially if it is a single byte that would otherwise be embedded in the (AVR) instruction)?

 

And, again, folks, I am not in any way critical of the suggestions and comments above; they are really appreciated. Just trying to compare and contrast (and learn).

 

Jim

 

Until Black Lives Matter, we do not have "All Lives Matter"!

 

 

Last Edited: Thu. Jun 8, 2017 - 03:32 PM
#define NextVal 10

enum {
    NextVal = 10,
};

None of these occupy ANY memory.

:: Morten

 

(yes, I work for Microchip, yes, I do this in my spare time, now stop sending PMs)

 

The postings on this site are my own and do not represent Microchip’s positions, strategies, or opinions.


All of those are evaluated at compile-time?

 

OK, let's extend this a little. We know that

 

uint8_t MaxVal = 10;

Does not, all by itself, occupy memory. Memory occupancy is determined as it is used. But, the simple variable declaration, just shown, does occupy memory once you write

 

x = MaxVal;

And, in a Harvard architecture, that memory occupancy is SRAM rather than FLASH because MaxVal, here as a plain variable, can be altered at other points in the program. But, if I write

 

static const uint8_t NextVal = 10;

And use it thus:

 

x = MaxVal;

Does MaxVal live in SRAM or does it live in FLASH (again, Harvard architecture)? Is the "assignment" made at compile time (as a #define would be) or is it assigned at run time?  The same question, then, of an enum. If MaxVal had been defined as an enum, and used in an assignment statement, does that value live in SRAM or does it live in FLASH? If (and, of course, this is a big "if") speed and memory footprint are important at a given point in the program, it seems to me that this would be useful information.

 

HOWEVER, this thread started out about MISRA, static code analysis, and, by inference, "safety". We know that type checking is an important aspect of safety. On the other hand, safety can include constants being in FLASH where we have a very high confidence level that nothing will alter them (no buffer over-runs, no stack overflows, no nothing!). And, by "FLASH", I don't mean p-strings, but the way the AVR op-codes embeds constants into the opcodes, the results then being in FLASH.

 

So, please, I am not trying to be argumentative, here. Quite the contrary. Trying to learn!

 

Thanks for every one's input!

 

Jim

 

Until Black Lives Matter, we do not have "All Lives Matter"!

 

 

Last Edited: Thu. Jun 8, 2017 - 04:25 PM

Perhaps some of the C experts will hammer me down, but I remember it this way.

 

Because it's legal to make a pointer to a const, it has to live in RAM on an AVR.

 

add

You can't make a pointer to an enum, therefore it is different.

 

 

Last Edited: Thu. Jun 8, 2017 - 05:29 PM

The case for using a name instead of a raw number is simple:
Documentation and the ease of making reliable changes.

 

Deciding between #define , static const int
and enum constants can be interesting.

 

@ka7ehk:
Unless MaxVal is global, the as-if rule allows the
compiler to do with MaxVal pretty much whatever it wants.
Even without help, the compiler will probably be
able to figure out whether MaxVal is ever changed.
If never changed, (uint8_t)10 will be quietly substituted for MaxVal.
MaxVal might be as-if-ed completely away.
Do not make a pointer to it.
x=MaxVal will probably become LDI Rx, 10 .
In C, no object may be used as the dimension of a global array.
In C++, your static const uint8_t NextVal may be so used.
NextVal will almost certainly be as-if-ed away.
The necessary reasoning is required to allow its use as an array size.

 

Deciding between #define , static const int
and enum constants is not always interesting.

 

If you just want one number in the range -0x7FFF..0x7FFF
and do not need it in a constant expression,
use whatever makes you feel good.
If you need it for a constant expression, e.g. an array dimension,
in C, scratch static const int.
If you need a built-in type, scratch enum.
If you need it in assembly, use #define.

Iluvatar is the better part of Valar.


skeeve wrote:

 

In C, IIRC the types of the enum constants are int (!!)
and sizeof(enum menage) == sizeof(int) .

Not sure about C++.

 

GNU has always had, since I've used it, the -fshort-enums compiler option.  This causes enums to have the smallest int that can contain the enumerated values.  In my code that is almost invariably an 8 bit int.

 

In the latest GNU and Microsoft C++ compilers, you can specify the size of the enums.  I don't know about C compilers.

 

    enum Events : unsigned char {
        None = 0,
    };

 

Last Edited: Thu. Jun 8, 2017 - 07:44 PM

C++ now allows one to specify the underlying type of an enumeration type.

For C, IIRC, the underlying type is always int.

Optimization usually handles size issues with enumerators.

It's not much of an issue, except for arrays of enumeration variables.

Making such arrays arrays of bytes (not enums) will sidestep the size issue.

C's enums do not help much with type safety.

ints and C's enums can be implicitly converted to each other.

Iluvatar is the better part of Valar.


PC-lint

PC-lint Plus is multi-platform instead of Windows only (now: Linux 64b, macOS, Windows) along with numerous improvements.

Gimpel Software


http://www.gimpel.com/html/index.htm

PC-lint Plus is Now Available

...

 

What is PC-lint Plus?

PC-lint Plus is a rewrite of PC-lint from the ground up. ...

...

 

"Dare to be naïve." - Buckminster Fuller


clawson wrote:
Over time we have used various other static code analysis tools (including cppcheck - which is both C and C++ despite the name) but these days we use the terror that is Klockwork:

Electronic Design

Electronic Design

Improving Code Quality in the New Year

Are you going to reduce bugs and improve security and code quality in 2018?

William Wong | Dec 21, 2017

http://www.electronicdesign.com/industrial-automation/improving-code-quality-new-year

...

There are a number of vendors that provide static analysis tools, including Adacore, Rogue Wave Software/Klockwork, Grammatech, LDRA, Parasoft, Programming Research, and Synopsys. There are also some open-source tools, including cppcheck and the Eclipse Codan (CODe Analysis) project.

...

"Dare to be naïve." - Buckminster Fuller


SonarQube

Continuous Code Quality

https://www.sonarqube.org/

FOSS with value-added by commercial offerings.

 

https://github.com/SonarSource

SonarQube due to :

FastArduino

https://github.com/jfpoilpret/fast-arduino-lib#fastarduino

...

FastArduino C++ code is also analyzed by SonarQube and results of this analysis are published from time to time here.

...

 

"Dare to be naïve." - Buckminster Fuller



westfw wrote:
 (klocwork in particular would produce a lot of "false positives" in our codebase.  That had to be approved and added to exception lists. :-( )

Electronic Design

What's the Difference Between Sound and Unsound Static Analysis?

by Claire Dross [AdaCore, SPARK], Boris Yakobowski | Electronic Design [AdaCore, CodePeer]

Sep 12, 2018

https://www.electronicdesign.com/embedded-revolution/whats-difference-between-sound-and-unsound-static-analysis

What's the Difference Between Sound and Unsound Static Analysis? | Electronic Design

...

[in 3rd and 4th paragraphs]

In practice, sound static analyzers output an exhaustive list of places where the vulnerability could occur, most of which are false alarms or "false positives" that need to be reviewed.

While more demanding for users, these static analyzers make it possible to achieve higher levels of confidence than is possible with their unsound counterparts, which makes them attractive in a security context. 

...

 

Definition of Sound Analysis

...

 

Costs and Benefits of Sound and Unsound Analysis

[first paragraph, bullets, second paragraph]

Depending on the technique used, they [sound analyses] may require code changes, user-supplied annotations, or reviews of numerous false alarms.

[remainder is on SPARK]

 

Conclusion

...

[last paragraph]

Thanks to its ease of deployment, unsound static analysis has become a standard tool in serious software development. It’s used in most large software companies, and advised by best practices. Due to its higher cost, sound static analysis has long been the domain of experts. However, with the recent progress in verification techniques, sound static analysis is used in more and more projects, and is becoming part of the standard development process when strong safety or security requirements are needed. In the years to come, sound static analysis may become a standard tool for critical software development.

 

P.S.

[end of second paragraph]

For example, Mozilla uses Clang Analyzer, clang-tidy, their own checkers, and Coverity on its C/C++ code.2

Extra Clang Tools 8 documentation

Clang-Tidy

http://clang.llvm.org/extra/clang-tidy/

...

 

clang-tidy is a clang-based C++ “linter” tool. Its purpose is to provide an extensible framework for diagnosing and fixing typical programming errors, like style violations, interface misuse, or bugs that can be deduced via static analysis. clang-tidy is modular and provides a convenient interface for writing new checks.

 

...

 

Edit: missing URL

edit2 : corrected URLs for second author and title

 

"Dare to be naïve." - Buckminster Fuller

Last Edited: Fri. Sep 18, 2020 - 06:44 PM

ka7ehk wrote:
The application where this might apply is a "public infrastructure" one.
One instance of infrastructure are railroads; the rail industry has safety standards.

Implementing what's required per a safety standard is one of the Big 5 best practices.

 

Barr Group

Firmware Update v18.03

by Michael Barr

2018-03-13

https://barrgroup.com/resources/firmware-update/v1803

(about mid-page)

The State of Embedded Systems Safety

[safety standard, coding standard, code reviews, static analysis, regression testing]

 

"Dare to be naïve." - Buckminster Fuller


el_programmer wrote:
Speaking about the MISRA rules, some analyzers check the compliance of the code with these standards (Coverity, Klocwork, Parasoft and others), and some - like PVS-Studio don’t. As the developers state in their blog ...
MISRA added to PVS-Studio as blog'd on 10.12.2018 in addition to CWE and SEI CERT :

PVS-Studio: Support of MISRA C and MISRA C++ Coding Standards

by Andrey Karpov (CTO, Program Verification Systems)

...

So initially we have been critical to the MISRA standards and haven't planned to introduce them for a long time.

...

Everything changed when in 2018 we've started supporting embedded systems. This year we supported the following features in the analyzer:

  • Windows. IAR Embedded Workbench, C/C++ Compiler for ARM C, C++
  • Windows/Linux. Keil µVision, DS-MDK, ARM Compiler 5/6 C, C++
  • Windows/Linux. Texas Instruments Code Composer Studio, ARM Code Generation Tools C, C++
  • Windows/Linux/macOS. GNU Arm Embedded Toolchain, Arm Embedded GCC compiler, C, C++

...

So now you can install or upgrade PVS-Studio and start using diagnostics based on rules from MISRA C and MISRA C++. The set of supported rules is incomplete, but it shouldn't be an obstacle to start using PVS-Studio. 

...

[how to enable MISRA in PVS-Studio on Windows, macOS, and Linux]

...

 

P.S.

[how to for feedback]

...

 

PVS-Studio is now zero price for conditional FOSS (specific repositories, no mirrors) and conditional non-FOSS (ones as given (iow an individual) or in the specific role of student, specific comments in non-header source code files)

Free PVS-Studio for those who develops open source projects

 

edit: by-line

 

"Dare to be naïve." - Buckminster Fuller

Last Edited: Sat. Dec 29, 2018 - 10:35 PM

A zero price instance of IAR C-STAT :

The Embedded Muse 365 - This Week's Cool Product

...

Need development tools? IAR's suite is provided along with their runtime analysis tools.

...

"Also included for free is C-STAT and C-RUN for code analysis, which is normally a separate purchase from IAR."

...

IAR Embedded Workbench® for Renesas Synergy™ (Windows 7, Windows 10)

 

Edit: 2nd URL

 

"Dare to be naïve." - Buckminster Fuller

Last Edited: Thu. Jan 10, 2019 - 08:51 PM

Ways to Get a Free PVS-Studio License

by Andrey Karpov

March 11, 2019

...

Open source projects, small closed projects, public security specialists and owners of the Microsoft MVP status can use the license for free.

...

 

"Dare to be naïve." - Buckminster Fuller



from USA NIST : 

SATE VI Ockham Sound Analysis Criteria

[page 4]

Abstract

...

AbsInt: Products

Frama-C

 

"Dare to be naïve." - Buckminster Fuller


clawson wrote:

I must have missed the memo. Why is an enum member a "better" choice than the more obvious "static const int foo = 10;" ?

 

The problem with C was mentioned above by @awneil. In C `static const int foo = 10;` is not usable in the majority of "constant" contexts. Such `foo` is not a constant expression in C. For this reason in C you are stuck with `enum` or `#define`.

 

In C++ one known problem with `static const int foo = 10;` dates back to the original C++ standard (C++98): it was cumbersome to declare such constants as static class members in C++98, since even if such an entity was never used as an lvalue (e.g. the address of `foo` was never taken), the user was still required to provide a separate definition for this static member. For this reason it was much easier to use `enum` when declaring constants inside a class. This strange requirement was mostly an oversight, corrected in subsequent versions of the standard. In modern C++ there's no reason to prefer `enum` over `const` or `static const` (or `constexpr`).

Dessine-moi un mouton

Last Edited: Sat. Sep 19, 2020 - 06:37 AM
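A worked illustration of the C-specific restriction described in the post above (and of the enum-size discussion earlier in the thread), added here as an example and not code posted by anyone in the thread; the names NEXT_VAL_DEFINE, NEXT_VAL_ENUM, next_val_const and game_t are the example's own:

```c
/* Added example (not from the thread): which of #define, enum and static const
 * are usable where C requires an integer constant expression, and which one
 * becomes an addressable object. Compile as C, not C++. */
#include <stddef.h>
#include <stdint.h>

#define NEXT_VAL_DEFINE 10                 /* textual substitution by the preprocessor */
enum { NEXT_VAL_ENUM = 10 };               /* enumerator: an int constant expression */
static const uint8_t next_val_const = 10;  /* const object: NOT a constant expression in C */

/* Both dimensions are integer constant expressions, so these are valid C. */
static uint8_t buf_define[NEXT_VAL_DEFINE];
static uint8_t buf_enum[NEXT_VAL_ENUM];

/* The same declaration using the const object is rejected by a C compiler
 * ("variably modified ... at file scope"); a C++ compiler accepts it:
 *
 *     static uint8_t buf_const[next_val_const];
 */

size_t define_array_size(void) { return sizeof buf_define; }
size_t enum_array_size(void)   { return sizeof buf_enum; }

/* Case labels must be constant expressions too: the enumerator works,
 * while "case next_val_const:" does not compile in C. */
int is_next_val(int v)
{
    switch (v) {
    case NEXT_VAL_ENUM:
        return 1;
    default:
        return 0;
    }
}

/* Only the const object has an address. Taking it forces the compiler to keep
 * a real byte somewhere (on AVR a plain const object lands in SRAM, as noted
 * in the thread); &NEXT_VAL_ENUM or &NEXT_VAL_DEFINE would not compile. */
const uint8_t *address_of_const(void) { return &next_val_const; }

/* An enum *variable* is sized like its underlying type, which is int-sized by
 * default on GCC unless -fshort-enums is given; an enumerator by itself
 * occupies no storage at all. */
enum game_t { POKER, SOLITAIRE, THRONES, YAHTZEE };

int enum_var_is_int_sized(void)
{
    return sizeof(enum game_t) == sizeof(int);
}
```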

It's when you build and run your code on a test board, then shuffle around on the carpet, rub some balloons on your hair, then touch the chip and see how the code works differently. S.


One reason to prefer enums is when the value is used as a choice, not a number:

enum Game_t { POKER, SOLITAIRE, THRONES, YAHTZE };

enum Character_t { PROTAGONIST, CELESTIAL_BEING, MU, NONPLAYER, DRLINDA };

In C++, conversion to Game_t or Character_t would require a cast.

My guess is that at least some coding rules require enums in such cases.

 

 

Edit: ypo_t

Iluvatar is the better part of Valar.

Last Edited: Sun. Sep 20, 2020 - 06:18 AM

The CodeQL static analyzer is available via a Visual Studio Code extension.

 

CodeQL - Visual Studio Marketplace

due to

GitHub: Now our built-in bug checker gets these third-party code-scanning tools | ZDNet

by October 6, 2020 -- 12:05 GMT (05:05 PDT) | Topic: Enterprise Software

GitHub users can now customize the Microsoft platform's code-checking feature with third-party scanning tools.

...

GitHub Code Scanning works on top of CodeQL (Query Language), a technology that GitHub integrated into its platform after it acquired code-analysis platform Semmle in September 2019.

...

The current roster includes Checkmarx, Codacy, CodeScan, DefenseCode ThunderScan, Fortify on Demand, Muse, Secure Code Warrior, Synopsys Intelligent Security Scan, Veracode Static Analysis, and Xanitizer. 

...

The third-party scanners are available on GitHub's marketplace

...

 


About data flow analysis — Learn CodeQL

 

"Dare to be naïve." - Buckminster Fuller


Another instance is internet infrastructure (OpenSSL)

SonarSource Blog » For secure code, maintainability matters

by G. Ann Campbell

October 20, 2020

[beginning of next to last paragraph]

Static analysis didn't find Heartbleed, but it could have put the peer reviewers in a better position to spot it on their own.

...

Infrastructure now has static analysis available thanks to the Linux Foundation due to Heartbleed.

 

P.S.

[in article's third paragraph from the bottom]

...

And there will always be bugs and vulnerabilities that static analysis can't find. For instance, there's no way to know statically that you shouldn't allow a negative integer as a shopping cart quantity. That's the job of peer review.

...

Peers asking

  • What are the constraints?
  • Error handling?
  • Exception?
  • Assertion?

Constraints are in C++20 and several other computer languages.

 

P.P.S.

[in the article]

Experts: Bugs and Code Smells are security 'weaknesses'

[in third paragraph]

...

CWE-699 is the Software Development view. It "organizes weaknesses around concepts that are frequently used or encountered in software development". It contains 40 sub-categories, including Complexity Issues, ...

...

fyi, SonarLint can detect excessive Cognitive Complexity.

 


Tooling - Core Infrastructure Initiative (Linux Foundation)

...

  • scan.coverity.com allows two free scans per project per week

...

  • Frama-C false positive free scans

...

Coverity Scan - Static Analysis

 

Going from EMBEDDED C to C++ | AVR Freaks

 

Visual Studio extension | SonarLint

C: Cognitive Complexity of functions should not be too high (SonarSource)

 

"Dare to be naïve." - Buckminster Fuller
