A recent survey by IEEE Spectrum showed some interesting results. Python continues to lead in popularity and assembly language(!) entered the top ten for the first time. Of note, is the continued strong presence of C and C++ in their ranking (combined, C and C++ are by far the most popular languages.) This prevalence of C and C++ reinforces the need for software quality tools for these languages. Despite their popularity and preference in many products, such as embedded systems, C and C++ are prone to bugs and security defects, more so than other languages.
Source: IEEE Spectrum, "The 2018 Top Programming Languages", July 31, 2018.
The TIOBE Index shows a slightly different picture than the IEEE Spectrum survey. Java is the leader here with C close behind and C++ then Python following. Out of all the languages in the list, C had the largest growth in 2018.
Source: TIOBE Index for August 2018
Each list has its own measuring philosophy, so the truth is likely somewhere in the middle. Nonetheless, both lists indicate that C and C++ continue to be popular languages.
C and C++ Have Higher Defect Rates
Research has shown that C and C++ have higher defect rates (bugs per line of code) than other languages. One study found that C, C++ and Objective-C had significantly higher defect rates than languages such as Java and Haskell. Another paper compared C++ and Java defect rates and productivity – C++ not only has higher defect rates but bugs take longer to find and fix!
The combination of high usage and high defect rate means that software development teams need to be diligent when using C and C++. Due diligence includes best practices such as software inspections, coding standards, unit testing with appropriate code coverage, dynamic and static analysis tools to catch bugs that other methods of testing miss.
Reinforcing the Need for Static Analysis
The growth of C and C++ as popular languages is at least partially caused by the fact that products become more complex. The functionality in avionics control software, connected vehicles, industrial controllers is increasing in complexity, while simultaneously requiring stricter safety and security requirements. Something has to change to deal with this increased complexity and increased safety and security. Many projects are gravitating towards a continuous integration/continuous deployment workflow with increased automation and increased use of software development tools that increase productivity. Static analysis is a must-have technology in that evolution. Here are some of the other benefits that static analysis tools bring:
- Work on large volumes of code: It’s often impractical to review all of the source code as usually new code is the top priority for testing and inspection. Advanced static analysis tools can literally “review” millions of lines of code, including binary object code and libraries, for defects and security vulnerabilities.
- Narrow down the root cause of errors quickly: Errors in C and C++ can be harder to debug compared to other languages. Luckily, defects detected by static analysis include trace information back to the root cause of the warning. If the warning turns out be real (aka a true positive), the fix is usually evident in the trace information.
- Find difficult to see, obfuscated errors: Static analysis tools can detect errors that can elude visual inspection and even functional unit testing.
- Errors that span process/file boundaries: Advanced static analysis performs complex code and data path analysis. This analysis can span functions and files that may be outside the scope of a unit under test. Advanced tools also have unique concurrency checkers that detect multi-threaded/multitasking issues which are very difficult to determine with inspection.
- Detection of security vulnerabilities: Testing and reviewing for security defects is difficult and involves a different mindset than testing for correct functionality. Static analysis tools can point out vulnerabilities and insecure coding practices. In addition, tainted data analysis discovers the path of input data to its eventual use within the system and cross references these with discovered defects.
- Tool integrations: Static analysis tools integrate with various Integrated Development Environments (IDE) such as Eclipse, build systems such as Jenkins, versioning systems such as GitHub and defect reporting tools such as JIRA. This brings the power of static analysis directly to the developer and incorporates it into the regular coding, build and test activities.
- Analyzing third party code: Use of third party code such as commercial off-the-shelf software (COTS) and open source software is a fact of life in s software development. Software for outside sources needs to be managed carefully for safety and security before inclusion in a product. Static analysis tools can analyze third party source and binaries to discover defects and security vulnerabilities in software that could be impossible to test otherwise.
- Reduce the code review effort: Static analysis tools are automated, fast and effective. By running the tools on code before it’s reviewed, it reduces the number of defects in the code to be discovered manually. Static analysis tools can also enforce coding standards such as MISRA or NASA/JPL Power of Ten, removing that aspect of code reviews. Reports are available for each analysis providing supporting documentation for the review process.
C and C++ continue to be popular programing languages, with no end in sight despite their age compared to newer languages. Although C and C++ are powerful tools, they are prone to higher rates of bugs than other languages. The increased use of C/C++ emphasizes the need to improve development practices and automation in order to improve quality and security. Static analysis tools are an essential part of a modern development tool suite that brings unique benefits to software teams.