The Toolset


The Safer C toolset is the first C toolset to be designed from the beginning using measurement-based feedback.

Today, C is more widely used than ever and is the dominant language used in programmable embedded control systems for example. However, the cost of failure in such systems today can be very high indeed. C has many fault and failure modes, but this is balanced by the fact that more is known about how C programs fail than arguably any other language. By avoiding these fault and failure modes, C is capable of producing some of the most reliable systems ever measured, (Hatton (1995)) whilst retaining the many benefits of C such as efficiency, small footprint, portability, availability of experienced engineers and very widespread availability of good compilers.

The key question is how do we develop in C and avoid these fault and failure modes?

Safer C™: The Toolset

The Safer C toolset (SCT) was designed and built by Oakwood Computing Associates to answer this question by bringing together a vast amount of experience from around the world and placing it on the engineer's desktop as an ever-present expert, unobtrusive but always available when needed on the engineer's own code. In particular, the feedback gained by teaching more than 2500 engineers so far on our companion Safer C course proved invaluable. It became obvious when teaching this course that engineers make the same kind of mistakes in certain parts of the language. By providing a mixture of education, animation, direct and indirect defect detection and population comparison measurements, the Safer C toolset allows the vast majority of these problems to be avoided when the code first appears.

To build confidence in the toolset itself, it goes through a formidably detailed set of tests before each revision, one of which is a requirement to parse FIPS160 correctly, the international ISO C standard. The toolset is fully internationalised.

Many faults can be detected statically before they fail. Some faults can only be detected dynamically when they actually fail. To accommodate this, the Safer C toolset implements various combinations of both static and dynamic analysis in its three toolset versions.

Static Analysis

Static analysis is one of the most powerful of all defect avoidance techniques. In the Safer C toolset, static defects are avoided by:-

  • Education. SCT contains animations of key areas of difficulty in the language along with discussions and reference works such as a comprehensive MISRA suite.
  • Detection. SCT can directly detect several hundred known defects in the language using its built-in knowledge base.
  • Prediction. SCT uses unique defect clustering algorithms to predict defect-prone components in a system.

The toolset also enables the following kinds of static analysis to be done:-

  • Compliance analysis. Compliance with well-known publicly available standards such as MISRA can be measured directly.
  • Forensic analysis. SCT allows the user to search for specific optional patterns from a vast collection when performing both detective or verification work. Here SCT works closely with the human analyst maximising their efficiency.
  • Inspection checklists. SCT contains a large number of inspection checklists which are often used in standard code inspections. These are fully automated by SCT greatly reducing the workload of a typical inspection.
  • Verification analysis. SCT allows the user to map messages to different tool message systems so that tool output can be easily compared.

Dynamic Analysis

Although static analysis is exceptionally powerful, there remain defect types which can not be detected statically. This is particularly a problem in embedded control systems where dynamic testing can be very expensive. The Safer C toolset has a dynamic analysis option allowing a wide class of run-time defects to be detected using its unique EAST technology, (Equivalent Asserted Source Transformation). This allows defects of the following categories to be detected at run-time on an increasingly wide class of platforms:-

  • Arithmetic expression failures such as overflows, uninitialised variables, divisions by zero, conversion loss of precision, and array bound violations.
  • Defects in standard library calls such as illegal arguments, overlapping writes, illegal file operations.
  • Dynamic memory failures such as illegal or multiple frees, illegal writes and reads and various other forms of heap or stack abuse.

Stack mirroring also allows the detection of potentially dangerous stack use.

In addition to the above, coverage information is extracted at run-time.

Note: It should be noted that dynamic analysis at this level of sophistication has a very significant penalty both in run-time performance and in space. In partial compensation, the Safer C toolset will only check what it is requested to check through its extensive options and even then it will only check dynamically if it cannot determine the relevant information statically. This version of the toolset is only available as part of a consultancy contract.