continuous code inspection - iar systems · continuous code inspection michael fuhrmann, field...
TRANSCRIPT
Continuous Code Inspection
Michael Fuhrmann, Field Application Engineer
Agenda
• Code inspections
• Static code analysis
• C-STAT and CI
Code inspections
Code inspections
• 3 approaches to code inspections
– Code reviews
– Pair programming
– Automated inspections
Cartoon licensed under CC-BY-3.0 http://geek-and-poke.com/
Code inspections
• Code reviews
– Activity, where the code gets viewed & read by one or
several humans
– At least one of the humans must not be the author of
the code
– Can be done as interruption of the implementation or
after the implementation
– Possible process: Fagan inspection
Code inspections
• Code review goals
– Improve code quality
– Find possible defects
– Knowledge transfer
– Highlight possible better solutions
– QA guideline compliance
Cartoon licensed under CC-BY-3.0 http://geek-and-poke.com/
Code inspections
• Pair programming
– Two programmers work together at
one workstation
– One (the driver) writes the code, while
the other (the observer) reviews the
code, while it is typed in
Cartoon licensed under CC-BY-3.0 http://geek-and-poke.com/
Code inspections
• Pair programming advantages
– Better code with less defects
– Improved problem / project oriented focus
– Knowledge transfer, reduced bus factor
• Pair programming challenges
– Building successful / productive teams
Code inspections
• Automated inspections
– Offload the code reviews to a machine
– No limitations in the frequency of the
code reviews
– High repeatability of the results
– Can be included into CI flow
Cartoon licensed under CC-BY-3.0 http://geek-and-poke.com/
Static code analysis
Static code analysis
• Wikipedia defines static code analysis as
– … the analysis of computer software that is performed
without actually executing programs …
– … the analysis performed by an automated tool, with
human analysis being called program understanding,
program comprehension, or code review
Static code analysis
• Background on static code analysis
– Intended to identify potential errors, vulnerabilities,
portability issues, etc.
– Can be used to enforce compliance to a coding style
and / or to a language subset (e.g. MISRA-C)
– Highly recommended for any embedded
development, mandatory for many certifications, if
you are in the area of functional safety
Static code analysis
• Motor Industry Software Reliability Association
– A consortium that promotes standards to improve the
safety and reliability of embedded code
– MISRA-C is:
• A language subset, that takes out the undefined behavior that
is part of the C standard
• A basis for a coding standard
Static code analysis
• IAR Systems provides C-STAT
– Fully integrated into the IAR Embedded Workbench
– Flexible rule selection + export / import of rule-sets
– Detailed documentation of checks and messages
– C-STAT supports:
• ~250 checks based on issues addressed by CWE and CERT
• MISRA-C 2004
• MISRA-C 2012
• MISRA-C++ 2008
Demonstration of C-STAT
C-STAT and CI
C-STAT and CI
• Continuous Integration (CI) environments
– automate the build and test of code, every time a team
member commits changes to the version control system
– should be agnostic to the underlying tools
– should offer the option to call tools from the command
line
C-STAT and CI
• C-STAT from the command line
– Perform static code analysis from the command line
– Useful when you want to automate repetitive analysis
– Results will be reported in the console window and in
a database file
– Syntax: icstat.exe [options] <command> [--<extra>]
C-STAT and CI
• C-STAT through iarbuild.exe
– Build your complete project based on the project settings file *.ewp with iarbuild.exe
– Static code analysis via C-STAT can be invoked
– Syntax: iarbuild.exe project.ewp [ -clean | -build |
-make | -cstat_analyze | -cstat_clean] configuration
[log options][parallel][custom argument variables]
C-STAT and CI
Cartoon licensed under CC-BY-3.0 http://geek-and-poke.com/
Test Build
CommitNotify
Code
Summary
• Automated inspections are a good
approach to improve code quality
• Static code analysis helps you to identify
possible issues in an efficient way
• C-STAT is available for daily use inside
IAR Embedded Workbench as well as
from the command line
Thank you for your attention!
www.iar.com