CGM And Static Code Analysis Provide Safer Applications

June 15, 2010
Technology Editor Bill Wong explains why static code analysis and CGM are something to use regularly.

Gluten meal on your lawn

Programming Research’s Structure101 module

There are many parallels between the use of organic fertilizer such as corn gluten meal (CGM) and code analysis tools for application development (Fig. 1). Both need to be used on a regular basis for the best results, while a one-time application rarely meets expectations.

The chemical competition tends to be bad for the environment and the grass in the long run, whereas CGM is all you need for most lawns. With code analysis tools, though, you can’t always get away with choosing just one. Sometimes, using more than one tool on the same project makes sense simply because of the kind of analysis that each performs.

Even a quick scan of the available options yields a long list, including Coverity’s Static Analysis, LDRA’s Tool Suite, Klocwork’s Insight, GrammaTech’s CodeSonar, and Programming Research’s PRQA. Most target C, C++, and Java, which covers most languages used by embedded developers. There are even a number of open-source projects like Splint (see “Electronic Design Interviews U. of Virginia Computer Prof”) or Clang for Objective-C running on Apple’s Macintosh.

Static analysis can check for a range of problems, finding bugs before an application is even run. It can also enforce coding standards, whether corporate standards or published ones such as MISRA C. Additionally, these tools can check for security and safety issues.

These tool suites, especially the commercial ones, often include a range of code management and improvement tools. For example, LDRA’s Embed-X addresses life-cycle management. Programming Research’s Structure101, an adjunct to PRQA, displays the interaction within an application’s architecture (Fig. 2).

Is It Worth The Trouble?

The CGM answer is a bit easier. It isn’t toxic, so your dog and kids can play in the grass after it’s applied. It’s also good for the grass and environment, and it takes as much effort as using the alternatives.

For static analysis, the answer is just as easy but harder for most programmers to accept. It’s often harder to justify because it does take more work to use the tools, and commercial solutions often cost a good deal. This is especially true as other components such as requirements analysis come into play.

Using more features may add compile-time overhead. Luckily, there are typically no additional development steps beyond the initial addition of a static analysis tool to the tool chain being used for development.

LDRA field application engineer Shan Bhattacharya agrees (see “Requirements Driven Development—Too Challenging To Be Worth It?”). So do many developers who use these tools on a daily basis.

Remember, the cost of finding and fixing bugs grows exponentially with respect to time as an application moves from the developer’s desktop to quality assurance (QA) to production to the field. Even finding a fraction of the bugs in an application using static analysis can provide payback well in excess of the cost of the tools.

And don’t forget other issues such as licensing. A number of companies such as Black Duck Software (see “Is It GPL If It Quacks Like A Duck?”) can help track the software, libraries, and platforms used to build an application to make sure you’re compliant with the requirements imposed by commercial and open-source licenses.

Time to mow the lawn. I only have to use CGM in the spring and the fall—a bit longer than most programming cycles. So how many of you use CGM and static analysis on a regular basis?

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF
