Best practices using code review tools

A code review is a methodical process for examining software source code to identify problems and improve software quality. It is an important task in the development of critical embedded systems, especially those that require certification.

A code review team typically consists of a moderator, a quality engineer or manager, the software developer, and other peers. The team often uses a checklist to review all pertinent aspects of the software systematically. For example, the team might assess code complexity and check compliance with coding standards such as MISRA-C/C++ or JSF++.

An effective code review focuses on design aspects: whether the code meets the design requirements, whether requirements are missing, the architecture, the design of the interfaces, and so on. A code review that scans the code for defects is highly ineffective, because detecting subtle run-time errors, or even simple coding defects, by reading is extremely challenging. For example, it is easy to miss an overflow or underflow in complex mathematical operations whose operands depend on program control flow. Static analysis tools such as Polyspace help to automate and streamline these checks ahead of the code review.

The simplest use case for such tools is checking your code for compliance with coding standards such as MISRA, JSF, or your own custom-defined coding rules. Coding rules help maintain a consistent coding style, improving the readability and maintainability of the code.

Furthermore, Polyspace tools can not only detect defects but also prove the absence of errors in source code, avoiding the need to spend a lot of time scanning the safe parts of your code. More importantly, you can identify, and in some cases fix, defects before you spend any time reviewing the code. This not only saves time but also helps the review team focus on the important aspects, such as the software design and the requirements.

Automated analysis cannot uncover such algorithmic and functional issues; that high-level analysis requires a human reviewer. However, automated analysis is very cost-effective for scanning the code to identify defects such as programming errors, coding defects, and run-time errors.
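As an added example (not code from this page or from MathWorks), the kind of defect the text has in mind: a signed accumulation whose overflow depends on the input-controlled loop, shown unchecked and beside a version that bounds every intermediate in 64-bit arithmetic and reports failure instead of wrapping. The function names and sample inputs are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Constructed sample inputs (not real data). */
static const int32_t SAMPLE_SAFE[3]     = { 1000, -250, 7 };
static const int32_t SAMPLE_OVERFLOW[3] = { INT32_MAX / 2, INT32_MAX / 2, 100 };

/* Unchecked version: no single line looks wrong, but for some inputs the
 * running sum leaves the int32_t range. Signed overflow is undefined
 * behaviour in C, so the result is unpredictable rather than merely wrong.
 * This is what a reviewer reading the code tends to miss and what a sound
 * static analyser flags from the possible value ranges of acc and v[i]. */
int32_t scale_sum_unchecked(const int32_t *v, size_t n, int32_t gain)
{
    int32_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc += v[i] * gain;
    }
    return acc;
}

/* Checked version: each product and running sum is formed in 64-bit
 * arithmetic and compared against the int32_t range before it is kept.
 * Returns false and leaves *out untouched if any step would overflow. */
bool scale_sum_checked(const int32_t *v, size_t n, int32_t gain, int32_t *out)
{
    int64_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        /* product of two int32_t fits in int64_t; acc is within int32_t on entry */
        acc += (int64_t)v[i] * gain;
        if (acc > INT32_MAX || acc < INT32_MIN) {
            return false;
        }
    }
    *out = (int32_t)acc;
    return true;
}

int main(void)
{
    int32_t out;
    if (scale_sum_checked(SAMPLE_SAFE, 3, 3, &out))
        printf("safe input: %d\n", out);            /* 2271 */
    if (!scale_sum_checked(SAMPLE_OVERFLOW, 3, 2, &out))
        printf("overflow input: rejected\n");
    return 0;
}
```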

Polyspace tools also provide detailed information about the control and data flow through your code: possible variable ranges, function call graphs, and data dictionaries that show how and where variables are written and read. This information can be invaluable in a code review where understanding the run-time behavior of the software matters.

This process scales well: you can analyze anywhere from a few hundred lines of code to more than a hundred thousand. Reports generated from the analysis can serve as an artifact in the code review process, identifying which parts of the code are proven safe and which are at risk of failure.

See also: static analysis with Polyspace products; verification, validation, and test; embedded systems; formal methods; abstract interpretation; source code analysis; software QA; code review videos