Approaches for improving handling of static analysis findings

Feb 20, 2019 • by Claude Bolduc

On Tuesday, February 26, 2019, from 5:00 to 5:30 p.m. (CET), I have the privilege of presenting my paper on “Approaches for improving handling of static analysis findings” at Embedded World 2019 in Nuremberg, Germany. Embedded World is the leading international conference for embedded systems. It covers a broad array of topics, such as security for electronic systems, distributed intelligence, and e-mobility. It also showcases innovations from more than 1,000 exhibitors and gives attendees the opportunity to learn directly from industry experts presenting on a range of topics during the conference sessions.

This presentation will cover static code analysis tools, which are often used in embedded software development to improve the quality and security of embedded systems. Many of today’s static analysis tools can do deep semantic analysis to find meaningful and critical defects in software. Some can also be used to ensure the software follows specific coding standards relevant to embedded software development, such as MISRA C, MISRA C++, or AUTOSAR C++14.

A static analysis tool can generate many findings. Some of these findings may be false positives: the tool flags code as a potential defect when in fact it contains none. Developers then waste time examining software that has no critical defect. Of much more concern are false negatives, where the static analysis tool “misses” a critical defect, fails to flag it, and the defect makes its way into production. This illustrates the fine line and the trade-off that static code analysis tools must strike between precision of analysis on one side and performance and scalability on the other.

To help users handle findings, static analysis tools can be augmented with post-processing analyses, for example ranking first the alarms that are most likely to be true defects, or clustering similar findings into groups to reduce the inspection effort.
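As an added illustration of the two post-processing ideas just mentioned (not code from the paper or from Klocwork), the following script clusters alarms that share a checker and a function, then orders the clusters by a per-checker precision prior so the likeliest true defects are triaged first. The finding format, checker names, and prior rates are constructed for the example.

```python
from collections import defaultdict

# Constructed sample findings, in the shape a C static analyzer might report.
FINDINGS = [
    {"checker": "null-deref", "file": "net/parse.c", "func": "parse_hdr", "line": 42},
    {"checker": "null-deref", "file": "net/parse.c", "func": "parse_hdr", "line": 57},
    {"checker": "buffer-overflow", "file": "net/parse.c", "func": "copy_body", "line": 90},
    {"checker": "uninit-var", "file": "util/log.c", "func": "log_write", "line": 12},
    {"checker": "null-deref", "file": "util/log.c", "func": "log_write", "line": 20},
]

# Constructed per-checker precision (fraction of past alarms that were real
# defects); a team would derive these numbers from its own triage history.
PRIOR_TP_RATE = {"buffer-overflow": 0.80, "null-deref": 0.55, "uninit-var": 0.35}


def cluster_key(finding):
    """Alarms from the same checker in the same function usually share a root
    cause (one unchecked pointer, one missing bound check), so group them."""
    return (finding["checker"], finding["file"], finding["func"])


def cluster_findings(findings):
    clusters = defaultdict(list)
    for f in findings:
        clusters[cluster_key(f)].append(f)
    return dict(clusters)


def rank_clusters(clusters, tp_rate=PRIOR_TP_RATE):
    """Order clusters so those most likely to be true defects come first;
    checkers with no history get a neutral 0.5 prior. Ties favour larger
    clusters, since one fix may close several alarms at once."""
    def score(item):
        key, members = item
        return (tp_rate.get(key[0], 0.5), len(members))
    return sorted(clusters.items(), key=score, reverse=True)


def inspection_order(findings):
    """Return (checker, file, func, alarm_count) tuples in triage order."""
    ranked = rank_clusters(cluster_findings(findings))
    return [(k[0], k[1], k[2], len(m)) for k, m in ranked]


if __name__ == "__main__":
    for row in inspection_order(FINDINGS):
        print(row)
```

With the sample data, five alarms collapse into four clusters, and the single buffer-overflow alarm is inspected before the two null-dereference alarms in `parse_hdr`, despite their cluster being larger.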

This presentation will also include a brief survey of the state of the art in approaches for improving the handling of static analysis findings, along with results of Rogue Wave’s experiments with our static analysis tool, Klocwork. It will address which approaches can be used effectively in safety-critical embedded systems versus non-safety-critical environments.

Rogue Wave Software will also be exhibiting at Embedded World. Stop by our booth (4-139) to speak with me and other static code analysis experts. Klocwork enables developers to deliver secure, reliable, and conformant code. It accurately identifies critical security and reliability issues and supports compliance with key coding standards, such as AUTOSAR C++14 and MISRA, through sophisticated whole program analysis of C, C++, Java, and C# code.
