Continuous Code Inspection

Michael Fuhrmann, Field Application Engineer

Agenda

• Code inspections

• Static code analysis

• C-STAT and CI

Code inspections

Code inspections

• 3 approaches to code inspections

– Code reviews

– Pair programming

– Automated inspections

Cartoon licensed under CC-BY-3.0 http://geek-and-poke.com/

Code inspections

• Code reviews

– Activity, where the code gets viewed & read by one or

several humans

– At least one of the humans must not be the author of

the code

– Can be done as interruption of the implementation or

after the implementation

– Possible process: Fagan inspection

Code inspections

• Code review goals

– Improve code quality

– Find possible defects

– Knowledge transfer

– Highlight possible better solutions

– QA guideline compliance

Cartoon licensed under CC-BY-3.0 http://geek-and-poke.com/

Code inspections

• Pair programming

– Two programmers work together at

one workstation

– One (the driver) writes the code, while

the other (the observer) reviews the

code, while it is typed in

Cartoon licensed under CC-BY-3.0 http://geek-and-poke.com/

Code inspections

• Pair programming advantages

– Better code with less defects

– Improved problem / project oriented focus

– Knowledge transfer, reduced bus factor

• Pair programming challenges

– Building successful / productive teams

Code inspections

• Automated inspections

– Offload the code reviews to a machine

– No limitations in the frequency of the

code reviews

– High repeatability of the results

– Can be included into CI flow

Cartoon licensed under CC-BY-3.0 http://geek-and-poke.com/

Static code analysis

Static code analysis

• Wikipedia defines static code analysis as

– … the analysis of computer software that is performed

without actually executing programs …

– … the analysis performed by an automated tool, with

human analysis being called program understanding,

program comprehension, or code review

Static code analysis

• Background on static code analysis

– Intended to identify potential errors, vulnerabilities,

portability issues, etc.

– Can be used to enforce compliance to a coding style

and / or to a language subset (e.g. MISRA-C)

– Highly recommended for any embedded

development, mandatory for many certifications, if

you are in the area of functional safety

Static code analysis

• Motor Industry Software Reliability Association

– A consortium that promotes standards to improve the

safety and reliability of embedded code

– MISRA-C is:

• A language subset, that takes out the undefined behavior that

is part of the C standard

• A basis for a coding standard

Static code analysis

• IAR Systems provides C-STAT

– Fully integrated into the IAR Embedded Workbench

– Flexible rule selection + export / import of rule-sets

– Detailed documentation of checks and messages

– C-STAT supports:

• ~250 checks based on issues addressed by CWE and CERT

• MISRA-C 2004

• MISRA-C 2012

• MISRA-C++ 2008

Demonstration of C-STAT

C-STAT and CI

C-STAT and CI

• Continuous Integration (CI) environments

– automate the build and test of code, every time a team

member commits changes to the version control system

– should be agnostic to the underlying tools

– should offer the option to call tools from the command

line

C-STAT and CI

• C-STAT from the command line

– Perform static code analysis from the command line

– Useful when you want to automate repetitive analysis

– Results will be reported in the console window and in

a database file

– Syntax: icstat.exe [options] <command> [--<extra>]

C-STAT and CI

• C-STAT through iarbuild.exe

– Build your complete project based on the project settings file *.ewp with iarbuild.exe

– Static code analysis via C-STAT can be invoked

– Syntax: iarbuild.exe project.ewp [ -clean | -build |

-make | -cstat_analyze | -cstat_clean] configuration

[log options][parallel][custom argument variables]

C-STAT and CI

Cartoon licensed under CC-BY-3.0 http://geek-and-poke.com/

Test Build

CommitNotify

Code

Summary

• Automated inspections are a good

approach to improve code quality

• Static code analysis helps you to identify

possible issues in an efficient way

• C-STAT is available for daily use inside

IAR Embedded Workbench as well as

from the command line

Thank you for your attention!

www.iar.com