Code Quality: Static analysis—essential for code quality, but not the silver bullet
Let’s start with the obvious: static analysis on its own is not a silver bullet. It doesn’t guarantee high code quality, safety, or security in your complex military embedded application. Nor does static analysis ensure your application meets the functional requirements defined for your program.
Adding to the industry confusion is a lack of equality among static analysis tools, even though a number of them are very similar because they use the same commercial parsing technology as the engine. Although shallow in their analysis, many of these are at least capable of providing quick and dirty feedback regarding the high-level quality of the developer’s code.
I don’t want to dive into all the differences in static analysis tools. Very simply, at the core, differences typically lie in the parsing technology, user interface, and their connectivity to other tools in the chain. My real goal is to talk about why you should care about static analysis.
Static analysis automates the code review process, measuring code for quality without having to compile, link, and execute it. This saves time and energy in what is historically a long, costly, and labor-intensive process. Static analysis automatically checks the code for style, naming conventions, and language restrictions. The better tools highlight the deficiencies in the code and give the developer the ability to quickly repair the problem areas and run the analysis again. As part of this process, static analysis can improve code quality and portability by ensuring that the development team adheres to a particular corporate or industry recognized coding standard such as MISRA or the JSF coding standard.
More sophisticated tools provide greater analysis depth and give developers the ability to understand the complex areas of code. They also report valuable details like code complexity as well as data and control flow. More effective tools present the results of their in-depth analysis at a high level of abstraction, which makes the code easier to understand. Furthermore, more capable tools seamlessly interoperate with more sophisticated integrated development environments speeding up the overall development lifecycle.
Today’s military applications require support for architectural standards such as ARINC 653 or FACE to improve code portability and reusability. A high-quality static analysis toolset offers a strong foundation for quickly constructing higher quality code that is more portable, maintainable, safe, and secure. It should be a tool utilized in the overall process. However, static analysis is only one tool addressing a common problem set. An effective quality process also needs to leverage technologies such as bi-directional requirements traceability, dynamic analysis, structural coverage analysis, unit, integration, and system-level testing both on the host development platform and -- when possible -- on the target hardware.
So, static analysis isn’t a silver bullet. At the same time, you’d be crazy to ignore it.