EEJournal

feature article
Subscribe Now
January 13, 2009

Coverity Enforces Software Architecture

by Jim Turley

There’s a school of thought that says that you should write your comments first and the code afterwards and that source code should be treated as a human-readable document that only incidentally contains instructions for the computer. In other words, if you write code that other programmers can understand, you’ll automatically write code that’s more efficient and maintainable. Who knows, some day you may need to revise your little gem, and you don’t want to be caught wondering, “What was this part supposed to do?”

By the same token, diagrams and flow charts aren’t just for maintenance and documentation. Writing (or even sketching) complete design documents before the code starts flying can help everyone visualize the overall application — to see what goes where. That’s particularly important for large programming teams where the work is divided up amongst individuals who may or may not share the boss’s big-picture view.

A company called Coverity is automating this whole process with its “Architecture Analyzer” product. As the name suggests, Architecture Analyzer analyzes the, uh, architecture of your software. It’s a detailed, automated, corporate safety net for large programming projects that eliminates bugs at the source. Which is to say, it prevents you from writing faulty code in the first place, rather than having to debug it afterwards.

Magic, you say? Not really. Just the methodical enforcement of good programming practices. Practices, it must be said, that many programmers despise.

Like a third-grade penmanship teacher, Coverity’s Architecture Analyzer (CAA) encourages you to write neatly and between the lines. It’s all about clarity, repeatability, and good manners. In programming terms, CAA enforces clear thinking, well-defined interfaces, and adherence to the API rules.

That’s more structure than many programmers like – but exactly what their bosses crave. CAA is the antithesis of the cowboy code jock slinging code in the middle of the night, hacking functions and fixes in a caffeine-crazed blur. In contrast, CAA is all about premeditation, good code hygiene, and clear documentation. By enforcing those rules, it eliminates the source of many bugs, reliability holes, and security leaks.

Architecture Analyzer is graphical. You diagram the overall structure of your application with boxes and arrows. Boxes represent functional units of code, while arrows reflect how data passes in and out of these boxes. No arrow, no communication with the black box. This flowcharting process is central to Coverity’s fault-checking process. It also, not incidentally, forces the programmer to take a big-picture view of his overall project and outline just how processes and functions will interrelate. Seat-of-the-pants code hackers need not apply.

You can diagram your application code any way you like. CAA doesn’t enforce any particular style or architecture; that’s up to you. What it does do is make sure you stick to your own rules, and that those rules are self-consistent. If you’ve defined a function with one data source and one sink, for example, CAA will make sure no other functions call or depend upon that module.

Once the diagramming is done, Coverity’s tool analyzes the information flow and looks for unintended back doors. Is there, for example, a way to pass information into a control block without first passing through its encryption API? Can one process snarf data from another unintentionally, accidentally, or maliciously? Have you created any circular dependencies?

What CAA doesn’t do is nit-pick individual lines of code. That’s what compilers and lint checkers are for. CAA is strictly a big-picture tool, making sure that the structure of your application is sound, reliable, and free from loopholes that might present problems later on. You’re still free to write comments and indent lines any way you like.

On one level, CAA works simply because it forces programmers to graph out their application. That’s already more discipline than some programmers usually demonstrate. The very act of diagramming a program’s overall architecture will highlight certain structural problems. In the early stages, it almost doesn’t matter that CAA even has an analysis back end; the diagrams themselves are diagnostic.

But of course, Coverity’s back end does perform elaborate and detailed analysis. Once your flow diagrams pass the “sniff test,” they become enforceable design blueprints. CAA makes sure you stick to the architecture you defined without straying from the ins and outs described in the diagrams. Naturally, you can revise your architectural diagrams whenever you like, but doing so may affect the code development already underway.

Coverity’s Architecture Analyzer can prevent (or at least forestall) software “entropy” as the design ages and the code accumulates hacks, cruft, and patches. It stands as a shining beacon of the original program architects’ intent and structure. It prevents quick fixes from circumventing (either deliberately or accidentally) intended procedures, built-in security mechanisms, bounds checking, parameter inspection, and so on. It’s a silent QA manager looking over your shoulder to be sure you don’t outsmart yourself or the other programmers or wind up creating spaghetti code that no one else can maintain. In short, CAA tries to make you a better programmer.

Not everyone wants that. Programming is often treated as a creative endeavor, undertaken by spirited and talented artistes who cannot or should not be shackled to convention, regulations, or reasonable hygiene. Get over it. Programming is a job like any other, and an employer’s responsibility is to ship a profitable product, not coddle and babysit self-indulgent hackers. While some programs can be created by individuals working solo, it’s more common for teams of coders to work cooperatively, and, for those times, a tool like CAA is probably a prudent business investment. It’s said that communication gets exponentially harder the more members involved, so it’s not surprising that miscommunication can be a big problem in large programming projects. Codifying that communication (some of it, at least) through CAA eliminates one source of miscommunication and adds rigor to an otherwise ad-hoc process. In the realm of commercial software development, that’s got to be a good thing.

Leave a Reply

featured blogs
What’s New with the Latest Bluetooth Mesh Specification
Sep 19, 2023
What's new with the latest Bluetooth mesh specification? Explore mesh 1.1 features that improve security and network efficiency, reduce power, and more....
More from Silicon Labs...
Wireless freedom in XR experiences: Introducing Qualcomm FastConnect Software Suite
Sep 20, 2023
Qualcomm FastConnect Software Suite for XR empowers OEMs with system-level optimizations for truly wireless XR....
More from Qualcomm OnQ Blog...
Discover What’s New in Fine Marine CFD
Sep 20, 2023
The newest version of Fine Marine offers critical enhancements that improve solver performances and sharpen the C-Wizard's capabilities even further. Check out the highlights: γ-ReθTransition Model and Extension for Crossflow Modeling We have boosted our modeling capabi...
More from Cadence...
New Unified Electrostatic Reliability Analysis Solution Has Your Chip Covered
Sep 20, 2023
ESD protection analysis is a critical step in the IC design process; see how our full-chip PrimeESD tool accelerates ESD simulation and violation reporting.The post New Unified Electrostatic Reliability Analysis Solution Has Your Chip Covered appeared first on Chip Design...
More from Synopsys...
Book Review: A Tourist from Petach Tikva
Sep 10, 2023
A young girl's autobiography describing growing up alongside the creation of the state of Israel...
More from Max's Cool Beans...

Featured Video

Chiplet Architecture Accelerates Delivery of Industry-Leading Intel® FPGA Features and Capabilities

Sponsored by Intel

With each generation, packing millions of transistors onto shrinking dies gets more challenging. But we are continuing to change the game with advanced, targeted FPGAs for your needs. In this video, you’ll discover how Intel®’s chiplet-based approach to FPGAs delivers the latest capabilities faster than ever. Find out how we deliver on the promise of Moore’s law and push the boundaries with future innovations such as pathfinding options for chip-to-chip optical communication, exploring new ways to deliver better AI, and adopting UCIe standards in our next-generation FPGAs.

To learn more about chiplet architecture in Intel FPGA devices visit https://intel.ly/45B65Ij

featured webinar

Secure the Future with Post-Quantum Cryptography on eFPGAs

Sponsored by QuickLogic

With the emergence of the quantum threat, the need for robust cybersecurity measures has never been more critical. Join us for an enlightening webinar that delves into the future of data protection with Xiphera's groundbreaking Post-Quantum Cryptography and QuickLogic's cutting-edge eFPGA technology. Join the webinar today and learn about the quantum threat and how it affects cybersecurity, Post-Quantum Cryptography (PQC) and how it works, how eFPGA can be used to gain maximum protection with PQC and the importance of PQC for digital design engineers, system security architects, and developers

Don't miss this timely webinar. Sign up today.

featured chalk talk

Secure Authentication ICs for Disposable and Accessory Ecosystems
Sponsored by Mouser Electronics and Microchip
Secure authentication for disposable and accessory ecosystems is a critical element for many embedded systems today. In this episode of Chalk Talk, Amelia Dalton and Xavier Bignalet from Microchip discuss the benefits of Microchip’s Trust Platform design suite and how it can provide the security you need for your next embedded design. They investigate the value of symmetric authentication and asymmetric authentication and the roles that parasitic power and package size play in these kinds of designs.
Click here for more information about the Microchip Technology DM320118 CryptoAuth Trust Platform Kit
Jul 21, 2023
7,918 views