Overview
The Safer C toolset is the first C toolset to be designed from the beginning using measurement-based feedback.
Today, C is more widely used than ever and is the dominant language in programmable embedded control systems, for example. However, the cost of failure in such systems today can be very high indeed. C has many fault and failure modes, but this is balanced by the fact that more is known about how C programs fail than about arguably any other language. By avoiding these fault and failure modes, C is capable of producing some of the most reliable systems ever measured (Hatton, 1995), whilst retaining the many benefits of C such as efficiency, small footprint, portability, availability of experienced engineers and very widespread availability of good compilers.
The key question is how we develop in C and avoid these fault and failure modes.
The Safer C toolset
The Safer C toolset (SCT) was designed and built by Oakwood Computing Associates to answer this question by bringing together a vast amount of experience from around the world and placing it on the engineer's desktop as an ever-present expert, unobtrusive but always available when needed on the engineer's own code. In particular, the feedback gained by teaching more than 2500 engineers so far on our companion Safer C course proved invaluable. It became obvious when teaching this course that engineers make the same kinds of mistakes in certain parts of the language. By providing a mixture of education, animation, direct and indirect defect detection and population comparison measurements, the Safer C toolset allows the vast majority of these problems to be avoided when the code first appears.
To build confidence in the toolset itself, it goes through a formidably detailed set of tests before each revision, one of which is a requirement to parse FIPS160, the international ISO C standard, correctly. The toolset is fully internationalised.
Many faults can be detected statically before they fail. Some faults can only be detected dynamically when they actually fail. To accommodate this, the Safer C toolset implements various combinations of both static and dynamic analysis in its three toolset versions.
Static Analysis
Static analysis is one of the most powerful of all defect avoidance techniques. In the Safer C toolset, static defects are avoided by:-
- Education. SCT contains animations of key areas of difficulty in the language along with discussions and reference works such as a comprehensive MISRA suite.
- Detection. SCT can directly detect several hundred known defects in the language using its built-in knowledge base.
- Prediction. SCT uses unique defect clustering algorithms to predict defect-prone components in a system.
The toolset also enables the following kinds of static analysis to be done:-
- Compliance analysis. Compliance with well-known publicly available standards such as MISRA can be measured directly.
- Forensic analysis. SCT allows the user to search for specific optional patterns from a vast collection when performing both detective and verification work. Here SCT works closely with the human analyst, maximising their efficiency.
- Inspection checklists. SCT contains a large number of inspection checklists of the kind often used in standard code inspections. These are fully automated by SCT, greatly reducing the workload of a typical inspection.
- Verification analysis. SCT allows the user to map messages to different tool message systems so that tool output can be easily compared.
Dynamic Analysis
Although static analysis is exceptionally powerful, there remain defect types which cannot be detected statically. This is particularly a problem in embedded control systems, where dynamic testing can be very expensive. The Safer C toolset has a dynamic analysis option allowing a wide class of run-time defects to be detected using its unique EAST (Equivalent Asserted Source Transformation) technology. This allows defects of the following categories to be detected at run-time on an increasingly wide class of platforms:-
- Arithmetic expression failures such as overflows, uninitialised variables, divisions by zero, loss of precision in conversions, and array bound violations.
- Defects in standard library calls such as illegal arguments, overlapping writes and illegal file operations.
- Dynamic memory failures such as illegal or multiple frees, illegal writes and reads, and various other forms of heap or stack abuse.
Stack mirroring also allows the detection of potentially dangerous stack use.
In addition to the above, coverage information is extracted at run-time.
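To make the EAST idea concrete, here is an added illustration (not the toolset's own output or naming) of what an "equivalent asserted source" looks like for a small C function: the arithmetic is left unchanged, but three of the run-time hazard classes listed above (array bound, signed overflow, division by zero) are guarded in place. The east_check hook, the EAST_* status names and the sample inputs are assumptions constructed for this example.

```c
#include <limits.h>
#include <stddef.h>

/* Fault classes recorded by the inserted checks (names assumed for this example). */
enum east_status { EAST_OK = 0, EAST_BOUNDS, EAST_OVERFLOW, EAST_DIVZERO };

static enum east_status last_fault = EAST_OK;

/* Check hook: records the first fault instead of aborting, so a harness can inspect it. */
static int east_check(int cond, enum east_status fault) {
    if (!cond && last_fault == EAST_OK) last_fault = fault;
    return cond;
}

/* Original form: the arithmetic carries no run-time guards. */
int mean_unchecked(const int *a, size_t n) {
    int sum = 0;
    for (size_t i = 0; i < n; i++) sum += a[i];
    return sum / (int)n;
}

/* Equivalent asserted form: identical computation, each hazard guarded in place.
   len is the true array length; n is the number of elements the caller asked for. */
int mean_asserted(const int *a, size_t len, size_t n) {
    last_fault = EAST_OK;
    int sum = 0;
    for (size_t i = 0; i < n; i++) {
        if (!east_check(i < len, EAST_BOUNDS)) return 0;          /* array bound */
        /* signed overflow is undefined behaviour, so test before the add */
        int fits = (a[i] > 0) ? (sum <= INT_MAX - a[i]) : (sum >= INT_MIN - a[i]);
        if (!east_check(fits, EAST_OVERFLOW)) return 0;           /* overflow */
        sum += a[i];
    }
    if (!east_check(n != 0, EAST_DIVZERO)) return 0;              /* division by zero */
    return sum / (int)n;
}

/* Constructed sample inputs: a well-formed array and one that overflows on summation. */
static const int sample[4] = {10, 20, 30, 40};
static const int big[2] = {INT_MAX, 1};

/* Each demo runs the asserted form on one scenario and reports the recorded fault. */
int demo_ok(void)                    { return mean_asserted(sample, 4, 4); }        /* 25 */
enum east_status demo_bounds(void)   { mean_asserted(sample, 4, 6); return last_fault; }
enum east_status demo_divzero(void)  { mean_asserted(sample, 4, 0); return last_fault; }
enum east_status demo_overflow(void) { mean_asserted(big, 2, 2);    return last_fault; }
```

The unguarded form gives the same answer on well-formed input, which is the "equivalent" half of the name; the asserted form only differs by reporting a fault where the original would silently invoke undefined behaviour.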
Note
It should be noted that dynamic analysis at this level of sophistication has a very significant penalty both in run-time performance and in space. In partial compensation, the Safer C toolset will only check what it is requested to check through its extensive options, and even then it will only check dynamically if it cannot determine the relevant information statically. This version of the toolset is only available as part of a consultancy contract.
Platforms
The Safer C toolset is currently available on Windows, Linux and Sparc Solaris platforms. The entire source code is identical on all platforms, allowing rapid porting of new versions. The toolset is distributed entirely as an Internet product, allowing unusually rapid product evolution.
Trademarks
Safer C is a trademark of Oakwood Computing Associates Ltd. MISRA is a trademark of the Motor Industry Research Association. Windows is a trademark of Microsoft. Sparc and Solaris are trademarks of Sun Microsystems.