In embedded C/C++ development, due to the flexibility and complexity of the language, defects such as memory leaks, buffer overflows, and undefined behaviors are prevalent.
Static Code Analysis (SCA) is a technique that can identify potential issues before code compilation and execution, making it an indispensable part of building high-reliability and high-security software.
This article will delve into the standards, mainstream tools, and related learning resources for C/C++ static code analysis.
1. Why Perform Static Code Analysis?
Unlike dynamic testing (testing the program during execution), static analysis is performed directly on the source code or intermediate representation without executing the program. Its main advantages include:
- Early Detection of Defects: Problems can be identified during the coding phase or early integration, with repair costs significantly lower than during the testing phase or after deployment.
- Detection of Deep Vulnerabilities: It can detect code paths and complex logical errors that are difficult to cover through testing, such as resource leaks and null pointer dereferences.
- Improvement of Code Quality: Enforces coding standards, ensuring consistency in code style and structure, enhancing maintainability.
- Enhanced Security: Identifies potential security vulnerabilities (such as CWE Top 25), preventing threats like SQL injection and buffer overflow.
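To make the defect classes above concrete, here is an added example that is not part of the original article: a small C name-copy routine written the way an analyzer would flag it (buffer overflow, unchecked allocation, leak on an early return), beside a rewrite that follows the corresponding CERT C rules. The function names, the CWE/CERT mapping in the comments and the sample inputs are my own assumptions, not from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not from the original article: a name-copy routine as an
 * analyzer would flag it, beside a CERT C-conformant rewrite. The function
 * names, the CWE/CERT mapping and the sample inputs are my own. */
#define NAME_LEN 16   /* fixed-size field, e.g. a device label in a record */

/* BEFORE: unbounded strcpy (CWE-120 / STR31-C), unchecked malloc result
 * (CWE-476 / EXP34-C) and `buf` leaked on the early return (CWE-401 / MEM31-C). */
char *copy_name_unsafe(const char *src, int reject_empty)
{
    char *buf = malloc(NAME_LEN);
    strcpy(buf, src);                 /* overflows if strlen(src) >= NAME_LEN */
    if (reject_empty && buf[0] == '\0')
        return NULL;                  /* buf is lost here */
    return buf;
}

/* AFTER: length checked before allocating, allocation failure handled, no path leaks. */
char *copy_name_safe(const char *src, int reject_empty)
{
    if (src == NULL) return NULL;
    size_t n = strlen(src);
    if (n >= NAME_LEN || (reject_empty && n == 0))
        return NULL;                  /* no room for the '\0', or empty name */
    char *buf = malloc(n + 1);
    if (buf == NULL) return NULL;     /* ERR33-C: handle allocation failure */
    memcpy(buf, src, n + 1);          /* copies the terminator as well */
    return buf;
}

/* Returns 1 if `src` is accepted and copied exactly, 0 if it is rejected. */
int accepts(const char *src)
{
    char *out = copy_name_safe(src, 1);
    if (out == NULL) return 0;
    int ok = strcmp(out, src) == 0;
    free(out);
    return ok;
}

int main(void)
{
    /* constructed inputs: a valid label, an empty one and an oversized one */
    const char *samples[] = { "sensor-07", "", "label-that-is-far-too-long" };
    for (size_t i = 0; i < 3; i++)
        printf("%-28s -> %s\n", samples[i], accepts(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Running Cppcheck or clang-tidy over the "before" function is a quick way to see how each tool reports the three defects and which CWE or CERT identifier it attaches to them.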
2. Core Standards and Guidelines
Static analysis tools typically define rule sets based on a series of recognized programming guidelines and defect classification standards.
Understanding these standards is key to effectively using the tools.
- MISRA C/C++:
  - Overview: Originally established by the Motor Industry Software Reliability Association, it has become the recognized C/C++ coding standard for embedded systems, especially in safety-critical domains such as automotive, aerospace, and medical devices. It consists of a set of Required and Advisory rules aimed at avoiding error-prone, undefined, or implementation-defined behaviors of the language.
  - Characteristics: Extremely strict, prioritizing reliability and predictability of the code, sometimes at the cost of flexibility. The newest version, MISRA C++:2023, is based on C++17 and aligns with the AUTOSAR C++14 guidelines.
  - Resource Link: https://www.misra.org.uk/
- CWE (Common Weakness Enumeration):
  - Overview: A community-developed list of software and hardware weakness types maintained by MITRE. It is not a coding standard but a dictionary of common defect types. Many static analysis tools map the defects they find to CWE IDs so that findings use industry-standard terminology.
  - Characteristics: A common language for discussing, identifying, and classifying software weaknesses. The well-known "CWE Top 25" lists the most dangerous and most common software errors.
  - Resource Link: https://cwe.mitre.org/
- CERT C/C++ Secure Coding Standards:
  - Overview: Secure coding standards published by the Software Engineering Institute (SEI) at Carnegie Mellon University. They provide numerous rules and recommendations on how to use C/C++ securely without introducing vulnerabilities.
  - Characteristics: Focused on security; each rule comes with a detailed risk assessment and examples, making the standards an important reference for developing safety-critical applications.
  - Resource Links:
    - SEI CERT C Coding Standard: https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard
    - SEI CERT C++ Coding Standard: https://wiki.sei.cmu.edu/confluence/display/cplusplus/SEI+CERT+C+++Coding+Standard
- AUTOSAR C++14:
  - Overview: C++14 coding guidelines established by the Automotive Open System Architecture organization for automotive software. They overlap heavily with MISRA C++ and extend it, making them a very important standard in modern automotive software development.
  - Characteristics: Focused on the automotive industry, based on modern C++ (C++14), emphasizing safety, reliability, and portability.
  - Resource Link: AUTOSAR official website: https://www.autosar.org/ (the standard documents require membership, but the guideline content is supported by many tools)
- Google C++ Style Guide / LLVM Coding Standards:
  - Overview: Coding standards developed internally for large projects. Although not as universal as the standards above, they are highly influential and focus on code readability, maintainability, and consistency.
  - Characteristics: Many open-source tools (such as clang-tidy) have built-in checks for these styles.
  - Resource Links:
    - Google C++ Style Guide: https://google.github.io/styleguide/cppguide.html
    - LLVM Coding Standards: https://llvm.org/docs/CodingStandards.html
3. Mainstream Static Analysis Tools
Tools are the practitioners of the standards. Here are some widely used C/C++ static analysis tools.
Commercial Tools (powerful, highly integrated, supporting multiple standards)
- Coverity (Synopsys)
  - Overview: An industry benchmark used by many large enterprises for mission-critical systems. Its analysis engine is very powerful, with a relatively low false positive rate, and can detect extremely complex defects.
  - Supported Standards: Fully supports MISRA, CERT, CWE, AUTOSAR, etc.
  - Link: https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html
- Klocwork (Perforce)
  - Overview: Another enterprise-level tool, particularly strong at static analysis of C/C++/C#/Java and widely used in the embedded field. It provides deep code understanding and incremental analysis.
  - Supported Standards: Supports MISRA, CERT, CWE, AUTOSAR, etc.
  - Link: https://www.perforce.com/products/klocwork
- PVS-Studio
  - Overview: A powerful tool known for detecting specific defect patterns that other tools may miss. It supports both Linux and Windows environments well and can be integrated into SonarQube.
  - Characteristics: Offers a free Linux version for open-source projects, with a low false positive rate.
  - Link: https://pvs-studio.com/en/
- QAC (Perforce) / C-STAT (IAR)
  - Overview: These two are long-established players in embedded development, deeply integrated with specific IDEs (such as IAR Embedded Workbench), which gives embedded developers a seamless experience.
  - Supported Standards: Focused on MISRA, CERT, and other safety standards.
  - Links:
    - Helix QAC: https://www.perforce.com/products/helix-qac
    - IAR C-STAT: https://www.iar.com/cstat
Free/Open Source Tools (easily accessible, common in CI/CD)
- Clang-Tidy (LLVM/Clang)
  - Overview: A linting tool built on Clang, regarded as a Swiss Army knife for modern C++ developers. It not only checks for bugs but also enforces coding styles (such as the Google and LLVM styles) and promotes modern C++ usage (such as the C++ Core Guidelines).
  - Characteristics: Highly configurable, allows custom checkers to be written, and integrates well with CMake, Visual Studio, etc.
  - Link: https://clang.llvm.org/extra/clang-tidy/
- Cppcheck
  - Overview: A lightweight static analysis tool focused on detecting actual bugs in C/C++ code (such as undefined behavior and memory leaks) rather than style issues. Its design goal is the lowest possible false positive rate.
  - Characteristics: Platform-independent, easy to integrate, suitable for basic checks during development.
  - Link: https://cppcheck.sourceforge.io/
- SonarQube
  - Overview: An open code quality management platform. Its Community Edition supports C/C++ through the SonarCFamily analyzer, which is now closed source, so the Community Edition's C/C++ functionality is limited; it detects bugs, vulnerabilities, and code smells.
  - Characteristics: Provides a polished web dashboard showing code quality trends, technical debt, etc.
  - Link: https://www.sonarsource.com/products/sonarqube/
- Infer (Facebook)
  - Overview: Developed by Facebook, focused on detecting critical issues such as null pointer dereferences and resource leaks. Its analysis runs on the intermediate code produced during compilation, which makes it very efficient.
  - Characteristics: Performs well on large codebases and is suitable for CI integration.
  - Link: https://fbinfer.com/
4. How to Choose a Tool?
When selecting a tool, consider the following factors:
- Project Requirements: Is it a general application or a safety-critical system (such as medical or aerospace)? The latter requires commercial tools that support strict standards like MISRA/CERT.
- Budget: Commercial tools are powerful but expensive; open-source tools are the preferred choice for budget-constrained or startup projects.
- Integration: Is seamless integration with IDEs (VS, Eclipse, CLion), build systems (CMake, Makefile), or CI/CD platforms (Jenkins, GitLab CI) required?
- Customizability: Is there a need to write custom rules based on internal company standards?
- False Positive Rate: A high false positive rate wastes a great deal of developer effort, so the tool's accuracy needs to be assessed.
A "light plus heavy" strategy is often adopted: during development, run clang-tidy or Cppcheck locally for quick feedback, and at commit and integration time run deeper scans with a more powerful commercial tool or with Infer.
5. Summary and Resource Links
Static code analysis is a key technology for improving the quality and security of C/C++ code.
By adhering to industry standards such as MISRA and CERT, and utilizing tools like Coverity and Clang-Tidy, developers can eliminate a significant number of potential defects early in the development process, significantly reducing later maintenance costs and security risks.
Resource Links Summary:
- Standards:
  - MISRA: https://www.misra.org.uk/
  - CWE: https://cwe.mitre.org/
  - CERT C: https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard
  - CERT C++: https://wiki.sei.cmu.edu/confluence/display/cplusplus/SEI+CERT+C+++Coding+Standard
  - Google C++ Style: https://google.github.io/styleguide/cppguide.html
- Tools:
  - Coverity: https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html
  - Klocwork: https://www.perforce.com/products/klocwork
  - PVS-Studio: https://pvs-studio.com/en/
  - Clang-Tidy: https://clang.llvm.org/extra/clang-tidy/
  - Cppcheck: https://cppcheck.sourceforge.io/
  - Facebook Infer: https://fbinfer.com/
I hope this article provides you with a clear path and valuable references for understanding and applying C/C++ static code analysis.
Source: Learning Embedded Together