Founded in 1985 and headquartered in the UK, PRQA specialises in defect prevention and promoting safe code practices to ensure reliability of safety-critical, mission-critical and commercial systems. It maintains full voting representation on ISO working groups for ‘C’ and ‘C++,’ and is a founding member of MISRA (producer of ‘C’ and ‘C++’ standards) committee. The programming research company is also originator of high-integrity ‘C++’ coding standard (HICPP).
Sanjay Shanbhag, director- PRQA India, spoke to Abhishek Mutha and Ashwin Gopinath of EFY about the importance of static analysis and why automated solutions be preferred over manual inspection methods
Let’s start with an overview of PRQA
Established in 1985, PRQA is recognised throughout the industry as a pioneer in static analysis, championing automated coding standard inspection and defect detection, delivering its expertise through industry-leading software inspection and standards enforcement technology.
PRQA’s industry-leading tools, QA·C, QA·C++ and QA·Verify, offer the closest possible examination of C and C++ code. They contain powerful, proprietary parsing engines combined with deep accurate dataflow which deliver high fidelity language analysis and comprehension. They identify problems caused by language usage that is dangerous, overly complex, non-portable or difficult to maintain. Plus, they provide a mechanism for coding standard enforcement. PRQA has corporate offices in UK, USA, India, Ireland and Netherlands, complemented by a worldwide distribution network.
Q. What are your views on manual code inspection?
A. We advocate the use of automated code inspection process simply due to the exponential growth in the amount of code being generated and its complexity. For example, a simple washing machine now has one million lines of embedded code and it would be a gargantuan task for a human being to detect issues manually in this maze of code.
Another factor is that every time a fresh code is added to the existing code base, the entire code has to be inspected all over again, wasting time and effort when this can be automated. We, however, recognise that for the proper functioning of this automated process, human intervention is still necessary to control deviations and certain exception defects.
Q. Are manual methods of coding inspection and defect detection still prevailing in India?
A. Yes, some companies still use manual methods. The trouble is that they are worried about the cost of tool investment, rather than looking at the long-term benefits of automating the process.
Q. What is the difference between bug catching and coding standard compliance?
A. Basically, bug catching is finding defects, whereas coding standard compliance means adhering to best practices and therefore preventing introduction of defects in the first instance.
There are some static tools in the market that only look at finding defects and don’t aid in process improvement. We, on the other hand, enable our clients to improve their coding process and develop high-quality code by recommending tracking issues early and often during the development phase. We believe in the saying “prevention is better than cure.” Hence we enforce a coding standard to help our customers develop robust and high-integrity code.
The fundamental purposes of a coding standard is to define a safer sub-set of the programming language by framing a set of rules that eliminate coding constructs known to be hazardous, educating all developers to the same standard and promoting the best practice.
Q. Are there any language insecurities while coding?
A. No coding language is perfect and all come with their advantages (such as flexibility) and flaws (known as undefined behaviour). Undefined behaviour occurs when language definition is unclear and no outcome specification has been defined, or where the compiler or library vendor has some explicit freedom of implementation.
Typically, ‘C’ language is used in embedded and safety/mission-critical applications (high cost-of-failure areas such as aerospace, military, automotive and medical devices). ‘C++,’ on the other hand, could be used mainly in human-machine interface. Its use has started in embedded as well as commercial applications.
Q. How does static analysis tool assist developers in improving the quality of the code?
A. Static analysis tools are a very important means to catch bugs and identify coding issues extremely early in the development cycle, passing better code into the latter stages of the development process. At PRQA we recommend the use of a static analysis tool with a coding standard – this solution enables to detect defects, comply with best practice and prevents the introduction of bugs.
Static analysis is a crucial element of high-quality software development processes, enabling developers to identify defects in the code very early in the development process. By ensuring compliance to a coding standard, static analysis not only identifies defects that can cause program crashes but also provides best practice, enabling the developer to reach higher level of standards, and thus prevents introduction of defects.
Static analysis automates code reviews, removing the chances of human error in the process whilst ensuring a deterministic result that removes the emotion often associated with individuals reviewing another developer’s code.
