When software is used for safety-critical applications, bugs aren't just expensive annoyances; they can kill. Faced with such dire consequences, developers of safety-critical systems go to great lengths to prevent bugs from reaching the field. These measures are undeniably effective at reducing risk. Although there have been some famous catastrophic failures over the years, if medical devices or flight-control systems failed as often as most software does, the headlines would be much grimmer.
So how do they do it, and how can those of us who do not write safety-critical code emulate their success? There are many strategies, but two stand out as key and offer important lessons for other developers: static analysis and rigorous testing.
Historically, static analysis was used to enforce coding standards or style rules, and to perform superficial syntactic checks for patterns that might indicate flaws. While helpful, especially because standards such as MISRA C (misra.org.uk) and the JSF C++ coding rules (www.research.att.com/~bs/JSF-AV-rules.pdf) are widely used by safety-critical software developers, these old-style tools have been difficult to use effectively, not least because of their high false-positive rate. Recently, a new breed of "advanced" static-analysis tools has emerged. These track data and control flow across functions and are capable of finding serious bugs such as buffer overruns, null-pointer dereferences, resource leaks, and race conditions. They can also highlight inconsistencies or contradictions in the code, such as unreachable code, useless assignments, and redundant conditions. A redundant condition is rarely harmful by itself, but it usually means the programmer believed something about the program state that the rest of the code contradicts, which is why such findings correlate well with real bugs. In Gerard Holzmann's "The Power of 10: Rules for Developing Safety-Critical Code" (www.spinroot.com/p10), rule 10 requires that all code be compiled with all warnings enabled and analyzed daily with at least one state-of-the-art static analyzer, from the first day of development rather than as a final gate.
Systematic testing is the other prong. Besides being good practice, it is often mandated. Regulators such as the FAA specify strict rules about how code must be tested before it can be deployed in a safety-critical device. In some cases, developers must demonstrate that their test suites achieve full structural coverage of the code, down to every decision outcome at the highest assurance levels. The trouble is that developing such test suites is enormously expensive, and some of the effort is wasted by construction: a branch that static analysis can prove unreachable will never be covered no matter how many tests are written. Advanced static-analysis tools therefore help reduce the cost by steering developers away from futile or unnecessary work and toward the code that actually needs a test.
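The following is an added example, not code from the article. It is a constructed header decoder of the kind found in device firmware, written twice: the first version contains three of the patterns described above (a pointer dereferenced before its NULL check, the now-redundant check whose early return is unreachable and therefore uncoverable by any test, and an off-by-one buffer overrun), and the second is the corrected form. The type names, field names, and the sample wire data are invented for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 8

/* Constructed wire format: a length byte followed by up to NAME_MAX
 * name bytes that are NOT NUL-terminated on the wire. */
typedef struct {
    uint8_t name_len;
    uint8_t name[NAME_MAX];
} wire_header_t;

/* Decoded form: a NUL-terminated copy of the name. */
typedef struct {
    char name[NAME_MAX];
} header_t;

/* BEFORE: three defects an advanced static analyzer would report.
 *  (1) hdr is dereferenced before it is checked for NULL.
 *  (2) Because of (1), the NULL test is redundant and its early return is
 *      unreachable: no test input can cover that branch without first
 *      crashing on (1), so a team chasing 100% coverage would waste effort
 *      on it. The inconsistency also reveals the real bug: the author
 *      believed hdr could be NULL, yet dereferenced it anyway.
 *  (3) len may equal NAME_MAX, so name[len] writes one byte past the end
 *      of out->name (off-by-one buffer overrun). */
int decode_header_before(const wire_header_t *hdr, header_t *out)
{
    size_t len = hdr->name_len;            /* (1) dereference first */
    if (hdr == NULL || out == NULL)        /* (2) dead branch */
        return -1;
    if (len > NAME_MAX)                    /* (3) should be >= */
        return -1;
    memcpy(out->name, hdr->name, len);
    out->name[len] = '\0';
    return (int)len;
}

/* AFTER: validate pointers before use and reserve a byte for the NUL. */
int decode_header(const wire_header_t *hdr, header_t *out)
{
    if (hdr == NULL || out == NULL)
        return -1;
    size_t len = hdr->name_len;
    if (len >= NAME_MAX)                   /* leaves room for '\0' */
        return -1;
    memcpy(out->name, hdr->name, len);
    out->name[len] = '\0';
    return (int)len;
}

/* Build a constructed header whose name is the first `len` bytes of
 * "firmware" (constructed sample data, not captured traffic). */
static wire_header_t make_wire(uint8_t len)
{
    wire_header_t w;
    memset(&w, 0, sizeof w);
    w.name_len = len;
    memcpy(w.name, "firmware", NAME_MAX);
    return w;
}

/* Return code of the corrected decoder on a constructed header. */
int decode_constructed_rc(uint8_t len)
{
    wire_header_t w = make_wire(len);
    header_t h;
    return decode_header(&w, &h);
}

/* 1 if the corrected decoder succeeds and produces `expected`, else 0. */
int decoded_name_equals(uint8_t len, const char *expected)
{
    wire_header_t w = make_wire(len);
    header_t h;
    if (decode_header(&w, &h) < 0)
        return 0;
    return strcmp(h.name, expected) == 0;
}

/* Return code of the BEFORE decoder. Only safe for len < NAME_MAX;
 * larger values exercise defect (3). */
int decode_before_constructed_rc(uint8_t len)
{
    wire_header_t w = make_wire(len);
    header_t h;
    return decode_header_before(&w, &h);
}

int main(void)
{
    header_t h;
    wire_header_t w = make_wire(5);
    printf("rc=%d name=\"%s\"\n", decode_header(&w, &h), h.name);
    printf("len 8 rejected: rc=%d\n", decode_constructed_rc(8));
    return 0;
}
```

Note that on benign input (a five-byte name) both versions return the same result; the defects only show at the boundaries, which is exactly where an analyzer that reasons about value ranges and pointer states earns its keep, and where hand-written tests are most often missing.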
In this article, I focus on advanced static analysis, how it complements traditional testing, and how it can be used for both bug finding and for reducing testing costs.