The Safer C toolset is the first C toolset to be designed from the beginning using measurement-based feedback.
Today, C is more widely used than ever and is the dominant language used in programmable embedded control systems for example. However, the cost of failure in such systems today can be very high indeed. C has many fault and failure modes, but this is balanced by the fact that more is known about how C programs fail than arguably any other language. By avoiding these fault and failure modes, C is capable of producing some of the most reliable systems ever measured, (Hatton (1995)) whilst retaining the many benefits of C such as efficiency, small footprint, portability, availability of experienced engineers and very widespread availability of good compilers.
The key question is how do we develop in C and avoid these fault and failure modes?
Safer C™: The Toolset
The Safer C toolset (SCT) was designed and built by Oakwood Computing Associates to answer this question by bringing together a vast amount of experience from around the world and placing it on the engineer's desktop as an ever-present expert, unobtrusive but always available when needed on the engineer's own code. In particular, the feedback gained by teaching more than 2500 engineers so far on our companion Safer C course proved invaluable. It became obvious when teaching this course that engineers make the same kind of mistakes in certain parts of the language. By providing a mixture of education, animation, direct and indirect defect detection and population comparison measurements, the Safer C toolset allows the vast majority of these problems to be avoided when the code first appears.
To build confidence in the toolset itself, it goes through a formidably detailed set of tests before each revision, one of which is a requirement to parse FIPS160 correctly, the international ISO C standard. The toolset is fully internationalised.
Many faults can be detected statically before they fail. Some faults can only be detected dynamically when they actually fail. To accommodate this, the Safer C toolset implements various combinations of both static and dynamic analysis in its three toolset versions.
Static analysis is one of the most powerful of all defect avoidance techniques. In the Safer C toolset, static defects are avoided by:-
The toolset also enables the following kinds of static analysis to be done:-
Although static analysis is exceptionally powerful, there remain defect types which can not be detected statically. This is particularly a problem in embedded control systems where dynamic testing can be very expensive. The Safer C toolset has a dynamic analysis option allowing a wide class of run-time defects to be detected using its unique EAST technology, (Equivalent Asserted Source Transformation). This allows defects of the following categories to be detected at run-time on an increasingly wide class of platforms:-
Stack mirroring also allows the detection of potentially dangerous stack use.
In addition to the above, coverage information is extracted at run-time.
Note: It should be noted that dynamic analysis at this level of sophistication has a very significant penalty both in run-time performance and in space. In partial compensation, the Safer C toolset will only check what it is requested to check through its extensive options and even then it will only check dynamically if it cannot determine the relevant information statically. This version of the toolset is only available as part of a consultancy contract.