Detecting Bugs in Safety-Critical Code


When software is used for safety-critical applications, bugs aren't just expensive annoyances—they can kill. Faced with such dire consequences, developers of safety-critical systems go to great lengths to prevent bugs from making it into the field. These measures are undeniably effective at reducing risk. Although there have been some famous catastrophic failures over the years, if medical devices or flight-control systems failed as often as most software fails, the headlines would be much grimmer.

So how do they do it, and how can those of us who do not write safety-critical code emulate their success? Well, there are many strategies, but two stand out as being key and offer important lessons for other developers—static analysis and rigorous testing.

Historically, static analysis had been used to enforce standards or style rules, and do some superficial syntactic checks for patterns that might indicate flaws. While helpful, especially as standards such as MISRA C (misra.org.uk) or JSF C++ (www.research.att.com/~bs/JSF-AV-rules.pdf) are widely used by safety-critical software developers, these old-style tools have been difficult to use effectively, not least because of their high false-positive rate. Recently, a new breed of "advanced" static-analysis tools has emerged. These are capable of finding serious bugs such as buffer overruns, null pointer dereferences, resource leaks, and race conditions. They can also highlight inconsistencies or contradictions in the code, such as unreachable code, useless assignments, and redundant conditions, all of which often indicate programmer confusion, and correlate well with bugs. In Gerard Holzmann's "Ten Rules for Writing Safety-Critical Code" (www.spinroot.com/p10), rule 10 specifies that advanced static-analysis tools should be used proactively all through the development process.

Systematic testing is the other prong. As well as being a good idea, often it's also the law. Regulators such as the FAA specify strict rules about how code is tested before it can be deployed in a safety-critical device. In some cases, developers must demonstrate that test suites achieve full coverage of the code. The trouble with this is that it can be enormously expensive to develop these test suites. However, advanced static-analysis tools can help reduce the cost by steering developers away from futile or unnecessary work.
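The two preceding paragraphs describe what an advanced static analyzer reports (a dereference before a NULL check, an unbounded copy, a redundant condition that leaves a branch unreachable) and why those findings matter for testing: a branch that can never execute can never be covered, so a full-coverage requirement is unattainable until the contradiction is fixed. The following C example is added here to make those defect classes concrete; it is not code from the article, and the `message_t` record, the `BUF_SIZE` limit and the `classify` thresholds are constructed for illustration. Each flawed routine is shown beside a corrected one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record type (assumption, not from the article): a length
 * field followed by a pointer to the payload it describes. */
typedef struct {
    uint8_t len;
    const uint8_t *payload;
} message_t;

#define BUF_SIZE 16  /* constructed fixed output buffer size */

/* FLAWED: msg->len is read before msg is compared with NULL, so the NULL
 * check is either redundant or comes too late; and len is never bounded by
 * BUF_SIZE, so a len above 16 overruns out[]. An advanced analyzer reports
 * both the contradiction and the overrun. Kept only for comparison; it is
 * never called below. */
int copy_payload_flawed(const message_t *msg, uint8_t out[BUF_SIZE]) {
    size_t n = msg->len;              /* dereference before the NULL check */
    if (msg == NULL) return -1;       /* redundant: already dereferenced */
    if (n > 0) memcpy(out, msg->payload, n);   /* no upper bound on n */
    return (int)n;
}

/* CORRECTED: validate the pointers first, then bound the copy. */
int copy_payload(const message_t *msg, uint8_t out[BUF_SIZE]) {
    if (msg == NULL || msg->payload == NULL) return -1;  /* check before use */
    if (msg->len > BUF_SIZE) return -2;                  /* reject oversized */
    memcpy(out, msg->payload, msg->len);
    return (int)msg->len;
}

/* FLAWED: intended to return 2 for x >= 20, 1 for x >= 10, else 0. The
 * branches are in the wrong order, so the x >= 20 test sits where x < 10 is
 * already known: the condition is redundant and the return 2 is unreachable.
 * No test input can cover that line, so 100% coverage cannot be achieved. */
int classify_flawed(int x) {
    if (x >= 10) return 1;            /* swallows the x >= 20 case */
    else if (x >= 20) return 2;       /* unreachable: x < 10 here */
    return 0;
}

/* CORRECTED: most specific range first, every branch reachable. */
int classify(int x) {
    if (x >= 20) return 2;
    if (x >= 10) return 1;
    return 0;
}

/* Constructed inputs exercising the corrected copy routine. */
static const uint8_t sample_payload[4] = { 0x01, 0x02, 0x03, 0x04 };

int demo_copy_ok(void) {
    uint8_t out[BUF_SIZE] = { 0 };
    message_t m = { 4, sample_payload };
    int rc = copy_payload(&m, out);
    return (rc == 4 && out[3] == 0x04) ? rc : -99;   /* -> 4 */
}

int demo_copy_null(void) {
    uint8_t out[BUF_SIZE];
    return copy_payload(NULL, out);                  /* -> -1 */
}

int demo_copy_too_long(void) {
    uint8_t out[BUF_SIZE];
    message_t m = { 32, sample_payload };            /* len exceeds BUF_SIZE */
    return copy_payload(&m, out);                    /* -> -2 */
}
```

Running `classify_flawed(25)` returns 1 where 2 was intended, and no input reaches its `return 2`; a coverage report would show that line as uncovered forever, and the static analyzer's "redundant condition" finding tells the developer to fix the ordering rather than keep hunting for a test case.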

In this article, I focus on advanced static analysis, how it complements traditional testing, and how it can be used for both bug finding and for reducing testing costs.
