
Can CodeSurfer Increase Code Inspection Efficiency?

A Research Infusion Project. Mark Markovich - SAIC, Dan Freund – NASA Principal Investigator.


Presentation Transcript


  1. Can CodeSurfer Increase Code Inspection Efficiency?
     A Research Infusion Project
     Mark Markovich - SAIC, Dan Freund – NASA Principal Investigator

  2. About CodeSurfer RI
     • About Us
       - JSC Safety and Mission Assurance Directorate, Flight Equipment Division
       - We assure software for Government Furnished Equipment (GFE). These are flight projects, usually small to moderately sized, typically ranging between 1,000 and 50,000 lines of code.
     • What is CodeSurfer?
       - CodeSurfer is a static analysis tool from GrammaTech, Inc. used for source code analysis and navigation. CodeSurfer does not itself find defects in the code. Its purpose is to make the trained reviewer more effective. CodeSurfer includes many capabilities that could decrease the amount of time required to review the code by enabling the reviewer to perform review tasks more quickly. In addition, CodeSurfer has capabilities that could give the reviewer additional technical insight into the workings of the code.
     • What is Static Analysis?
       - Static analysis examines non-executing code and analyzes all known, possible behaviors that might arise at run time. The analysis of code during execution is known as dynamic analysis.
     • Projects
       - Space Integrated Global Positioning System / Inertial Navigation System (SIGI)
       - Health Management System Defibrillator (Defib) Power and Data Interface Module (PDIM)
     • Approach
       - Perform a code inspection without CodeSurfer, collecting appropriate metrics on time required and defects identified. Using a different software engineer, inspect the software using CodeSurfer, collecting the same metrics. Both inspectors used the same checklist.

  3. CodeSurfer Features
     • Pointer analysis, including which pointers point to which variables and procedures
     • Shows call graphs that are complete, even when indirect function calls are used
     • Shows all the variables a function uses and all the variables a function can modify
     • Shows all statements that depend on a selected statement, including code in other files
     • Can search the entire application for user-specified items
     • Shows why statements execute, and can be used to follow the control code one step at a time using the provided hyperlinks
     • Allows users to right-click on a macro and navigate to the macro’s definition
     • Follows preprocessor directives during build. Conditionally compiled code (not part of the current build) is color coded

  4. Most Useful Capabilities
     • Puts code in a visually appealing format that allows the user to quickly scan the code for problems
     • Checking variable initialization is very easy
     • Queries
     • Easy identification of dead code and unused variables

  5. Results

  6. Challenges and Recommendations
     • CodeSurfer can only be used to analyze code that can be compiled using one of several common compilers provided with the tool. Code analysis can be difficult where the developer used a different compiler. This can be a problem when supporting multiple development labs.
     • Export restrictions made it difficult to seek technical assistance.
     • Training and onsite visits by the vendor are expensive, but trying to figure it out on your own may be even more expensive. Research Infusion proposals should strongly consider including training and onsite support by the vendor.
     • Identifying the correct files for compilation can be difficult.
     • Regular use is required to maintain competence.

     It is fair to note that other tools are likely to have similar problems if they require a compile or build of the software to be analyzed.
