Static Analysis
Many of the verification activities specified in ISO 26262, including data flow analysis, control flow analysis, and semantic analysis, are supported by modern advanced tools like Parasoft C/C++test. In addition, static analysis tools compute code metrics and support peer code review, with capabilities that complement unit testing and runtime error detection.
The Role of Static Analysis in ISO 26262 Software Verification
Verification methods like static analysis provide teams with a practical way to expose, prevent, and correct errors in automotive software systems. The real power of advanced static analysis tools comes from the ability to analyze the code, based on industry coding compliance standards like MISRA C/C++, CERT C/C++, and AUTOSAR C++ 14.
The analysis reports coding rule and directive violations, along with code complexity and quality metrics. This data can be kept under source control for historical and auditing purposes, but it is equally important to feed it into a defect tracking and management system that provides meaningful analytical views and prioritization, so that the highest-risk issues are fixed first and the lowest-risk ones last.
Walkthroughs and Inspections
Informal methods for verifying design and implementation. Static analysis tools automate many of the tedious parts of code inspection, such as checking coding standard compliance, while flagging errors and possible software weaknesses.
Control Flow Analysis
A static code analysis technique for determining the possible paths of execution through a program. Modern advanced static analysis tools, such as Parasoft C/C++test, combine control flow and data flow analysis to detect complex defects and security vulnerabilities.
Data Flow Analysis
A technique for gathering information about the possible set of values calculated at various points in a computer program. Data flow analysis is a critical aspect of advanced static analysis tools that helps detect complex errors such as tainted data vulnerabilities.
Static Code Analysis
The general term for analysis of code performed without executing it. It covers the techniques defined above.
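The tainted-data case mentioned under Data Flow Analysis, as an added example (not code from this page or from Parasoft): an index parsed from an untrusted string flows into an array subscript. `lookup_unchecked` is the defect a data flow checker would report, because it tracks the value from the `strtol` source to the subscript sink with no check in between; `lookup_checked` cuts that path with validation before the sink. The calibration table, the function names, and the decimal input format are assumptions for illustration.

```c
/* Added example, not Parasoft code. `input` stands for any untrusted source
 * (a bus message payload, a serial command, a file). Names and the table are
 * illustrative assumptions. */
#include <errno.h>
#include <stdlib.h>

#define TABLE_LEN 4
static const int calibration[TABLE_LEN] = { 100, 200, 300, 400 };

/* BEFORE: the parsed value is used as an index with no bounds check. Any
 * input outside 0..3 reads past the table (undefined behaviour). A data flow
 * analyzer follows the taint from strtol's result to the subscript and
 * reports this access. */
int lookup_unchecked(const char *input)
{
    long idx = strtol(input, NULL, 10);   /* tainted source */
    return calibration[idx];              /* tainted value reaches the sink */
}

/* AFTER: parse strictly, then validate against the table bounds before the
 * sink. Returns -1 for malformed, overflowing, or out-of-range input, so the
 * caller gets a deterministic failure instead of an out-of-bounds read. */
int lookup_checked(const char *input)
{
    char *end = NULL;
    errno = 0;
    long idx = strtol(input, &end, 10);
    if ((end == input) || (*end != '\0') || (errno == ERANGE)) {
        return -1;   /* empty, trailing junk, or does not fit in a long */
    }
    if ((idx < 0) || (idx >= TABLE_LEN)) {
        return -1;   /* the check that removes the taint path */
    }
    return calibration[idx];
}
```

The checked version is what the analyzer expects to see on every path from the source to the sink; a bounds check on only one branch still leaves a flagged path through the other.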
The Role of Static Analysis Tools in Support of ISO 26262 Design Principles for Software Unit Design and Implementation
Coding standards embody the best practices learned from years of experience and aim to harden code by avoiding bad practices that result in inadequate quality and security while promoting good practices that create more resilient code. In the case of automotive standards, they are based on best practices plus guidance on preventing the types of software failures that have been observed over the years.
Coding standards usually define a subset of a programming language that is deemed safer and more secure to use. The aim is to prevent unpredictable behavior in the first place by limiting the risky language features that make such behavior possible.
The only practical, objective, and sustainable way to enforce coding standards is with static code analysis tools, which can automatically analyze enormous amounts of source code at a time. These tools integrate into software builds in a CI/CD pipeline, are available directly in a developer’s IDE, and produce reports indicating the conformance of the analyzed software to the selected standard.
The following sections cover the important industry standards in the automotive software industry and how automation, tools, and processes can be leveraged to ease compliance.
What Errors Can Static Code Analysis Detect?
Each static analysis rule or guideline targets a different class of issue. Issues that affect reliability include resource leaks in C and null pointer dereferences in C++. MISRA C:2023 Directive 4.12 states that dynamic memory allocation shall not be used, because heap allocation can fail at run time with an out-of-storage error at an unpredictable point in execution, and its timing and fragmentation behavior are hard to bound in a safety-critical system.
The related Rule 21.3 spells out what the analyzer checks for: “The identifiers ‘calloc’, ‘malloc’, ‘realloc’, ‘aligned_alloc’ and ‘free’ shall not be used and no macro with one of these names shall be expanded.”
Therefore, the following code produces two violations.
#include <stdlib.h>
int* p1 = (int*)malloc(10); /* Violation: malloc from <stdlib.h> */
free(p1);                   /* Violation: free from <stdlib.h> */
The recommended solution is to pre-allocate a block of memory at start-up and manage it through your own equivalents of “malloc” and “free” (for example, a fixed-block pool), so that the memory footprint is known at link time and allocation failure is deterministic. In C++, the corresponding approach is to replace the global “new” and “delete” operators with versions backed by the same pre-allocated storage.
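The pre-allocated pool described above, as an added example (not code from this page or from Parasoft): a fixed-block allocator backed by a static array, so neither `malloc` nor `free` appears anywhere in the translation unit, and exhaustion, oversize requests, foreign pointers, misaligned pointers, and double frees all come back as deterministic return values rather than as an out-of-storage fault or heap corruption. The names (`pool_init`, `pool_alloc`, `pool_free`, `pool_selftest`) and the block count and size are assumptions for illustration.

```c
/* Added example, not Parasoft code: a fixed-block pool standing in for the
 * project's own "defined equivalent of malloc and free". All names and sizes
 * are illustrative assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POOL_BLOCKS     8U    /* number of blocks (assumed) */
#define POOL_BLOCK_SIZE 32U   /* bytes per block (assumed) */

typedef struct {
    /* Static storage: no <stdlib.h> allocation function is used and the
     * total footprint is fixed at link time. */
    _Alignas(max_align_t) uint8_t storage[POOL_BLOCKS * POOL_BLOCK_SIZE];
    uint8_t in_use[POOL_BLOCKS];
    size_t  allocated;        /* live blocks, for metrics and self-test */
} pool_t;

static pool_t g_pool;

void pool_init(void)
{
    (void)memset(&g_pool, 0, sizeof g_pool);
}

/* Hand out one block. Returns NULL for a zero or oversize request and when
 * the pool is exhausted, so the caller sees failure at the call site instead
 * of an out-of-storage fault somewhere later in execution. */
void *pool_alloc(size_t size)
{
    if ((size == 0U) || (size > POOL_BLOCK_SIZE)) {
        return NULL;
    }
    for (size_t i = 0U; i < POOL_BLOCKS; i++) {
        if (g_pool.in_use[i] == 0U) {
            g_pool.in_use[i] = 1U;
            g_pool.allocated++;
            return &g_pool.storage[i * POOL_BLOCK_SIZE];
        }
    }
    return NULL;
}

/* Return a block. Rejects NULL, pointers outside the pool, pointers not on a
 * block boundary, and double frees. Returns 0 on success, -1 otherwise. */
int pool_free(void *p)
{
    const uintptr_t lo = (uintptr_t)g_pool.storage;
    const uintptr_t hi = lo + sizeof g_pool.storage;
    const uintptr_t a  = (uintptr_t)p;
    if ((p == NULL) || (a < lo) || (a >= hi)) {
        return -1;                 /* not from this pool */
    }
    const size_t offset = (size_t)(a - lo);
    if ((offset % POOL_BLOCK_SIZE) != 0U) {
        return -1;                 /* interior pointer */
    }
    const size_t idx = offset / POOL_BLOCK_SIZE;
    if (g_pool.in_use[idx] == 0U) {
        return -1;                 /* double free */
    }
    g_pool.in_use[idx] = 0U;
    g_pool.allocated--;
    return 0;
}

size_t pool_allocated(void)
{
    return g_pool.allocated;
}

/* Exercises each failure mode above; returns 0 if all behave as documented,
 * otherwise the number of the first check that failed. */
int pool_selftest(void)
{
    void *blocks[POOL_BLOCKS];
    uint8_t foreign = 0U;
    pool_init();
    for (size_t i = 0U; i < POOL_BLOCKS; i++) {
        blocks[i] = pool_alloc(POOL_BLOCK_SIZE);
        if (blocks[i] == NULL) { return 1; }
    }
    if (pool_alloc(1U) != NULL)                    { return 2; } /* exhausted */
    if (pool_free(blocks[3]) != 0)                 { return 3; }
    if (pool_free(blocks[3]) != -1)                { return 4; } /* double free */
    if (pool_free(&foreign) != -1)                 { return 5; } /* foreign ptr */
    if (pool_free((uint8_t *)blocks[0] + 1) != -1) { return 6; } /* misaligned */
    if (pool_alloc(POOL_BLOCK_SIZE) != blocks[3])  { return 7; } /* block reused */
    if (pool_allocated() != POOL_BLOCKS)           { return 8; }
    return 0;
}
```

A single block size keeps the allocator trivially analyzable and rules out fragmentation; projects that need several object sizes typically keep one such pool per size rather than a general-purpose allocator.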
The intent of the software, the language, and the platform all affect the kinds of errors static code analysis can detect.
Static Code Analysis Deviations
Static code analysis reports findings against a chosen ruleset: any line that breaks a rule is flagged. As in real life, there are exceptions. A rule sometimes cannot be followed in a particular piece of software, for example a driver that must access a fixed hardware register address.
In situations like these, developers record a deviation. The finding is reviewed, the team decides whether the departure from the rule is acceptable in that context, and the decision and its justification are documented, because the code still violates the rule as written and an auditor will want to see why that was allowed.
How to Choose a Static Code Analysis Tool
Parasoft’s suite of automated software testing tools works across diverse workflows and team compositions, and the same is true of its static code analysis, which shortens the development cycle, reduces defect rates, and supports continuous improvement. Identifying which tool fits your needs starts with the language of the source code. In addition to C and C++ with C/C++test, Parasoft provides Jtest for Java and dotTEST for C# and VB.NET.
Static code analysis can be performed either in the IDE (Eclipse, VS Code, Visual Studio) or using the command-line interface for automation and continuous integration pipelines. The results of the analysis can be accessed immediately within the IDE and from generated reports (HTML, PDF, XML) as well as aggregated for further post-processing, reporting, and analytics from the award-winning Parasoft DTP reporting and analytics dashboard.