November 18, 2019
My coworkers and I have recently been looking into using static analysis tools on our codebase. Portions of the project can compromise user safety, and given that we’re pioneering C++ into our embedded software stack and will eventually be releasing it to other developers in the company, we wanted a tool that would not only make sure our usage of the language was correct, but also help developers who have never used C++ in an embedded project get started.
Static analysis is a method of testing code without running it. It is the opposite of dynamic analysis, which covers methods such as unit testing and integration testing. While dynamic analysis is great at verifying the functionality of code, it does little to check whether functions are written in a way that uses the language properly. To quote Bjarne Stroustrup from a recent interview, “I’m a great fan of static analysis because you can check for not just the language rules but for the usage of language rules…”.
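To make the distinction concrete, here is an added example (not code from our project or from any tool mentioned in this post; the function names and sample data are constructed). `mean_before` passes a unit test written with small readings, yet contains the implicit narrowing that a static analyzer reports without running anything (GCC and Clang report it with `-Wconversion`); `mean_after` is the corrected form.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed sample data (not from the post): 16-bit ADC readings.
const std::uint16_t kSmall[3] = {100, 200, 300};
const std::uint16_t kLarge[3] = {60000, 60000, 60000};

// "Before": passes a unit test written with small readings.
std::uint16_t mean_before(const std::uint16_t* samples, std::size_t count) {
    std::uint16_t sum = 0;
    for (std::size_t i = 0; i < count; ++i) {
        // With 32-bit int, sum + samples[i] is evaluated as int and then
        // implicitly narrowed to 16 bits, so the total wraps above 65535.
        sum = sum + samples[i];
    }
    // Second implicit narrowing (size_t -> uint16_t); count == 0 is a
    // division by zero, another path a happy-path test never exercises.
    return sum / count;
}

// "After": wide accumulator, guarded inputs, one explicit, justified cast.
std::uint16_t mean_after(const std::uint16_t* samples, std::size_t count) {
    if (samples == nullptr || count == 0) {
        return 0;  // assumption: report 0 when there is no data
    }
    std::uint64_t sum = 0;
    for (std::size_t i = 0; i < count; ++i) {
        sum += samples[i];
    }
    // The mean of 16-bit values always fits in 16 bits.
    return static_cast<std::uint16_t>(sum / count);
}

int main() {
    // Both agree on small readings; only the fixed version is right on large ones.
    bool ok = mean_before(kSmall, 3) == 200 && mean_after(kSmall, 3) == 200 &&
              mean_before(kLarge, 3) != 60000 && mean_after(kLarge, 3) == 60000;
    return ok ? 0 : 1;
}
```

A test suite that only used `kSmall` would report both functions as correct; the wrapped result for `kLarge` shows up only if someone thinks to test it, which is the gap static analysis closes.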
One of the tools we have been looking into is Helix QAC from a company called Perforce. There are other tools that boast more comprehensive coverage of code standards, but an interesting feature of Helix QAC is a severity ranking for each violation it finds. This means that while your codebase may have hundreds or even thousands of violations, the severity index allows you to filter out most of them and isolate only the ones that are likely to cause subtle bugs or are dangerously non-standard uses of the language in question.
If you have user safety in mind, want to ship higher quality code, would like a tool that allows you to get a deeper knowledge of the language, or some combination of the three, I’d highly recommend checking out static code analyzers for your current and future projects!
Bjarne Stroustrup interview skipped to the portion about static analysis:
https://youtu.be/uTxRF5ag27A?t=2180