To get a trial key
fill out the form below
Team License (a basic version)
Enterprise License (an extended version)
* By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at

If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

Why embedded developers should use stat…

Why embedded developers should use static code analysis

Mar 12 2018

I decided to briefly highlight 3 reasons why static analysis tools for program code may be useful for embedded developers.


The first reason: no need to spend time on excruciating search for some specific errors

Static code analysis == cheapening the process of testing and device debugging. The earlier an error is detected, the less expensive it is to correct it. Static analysis allows to find bugs on the stage of writing the code, or at least during the night runs on the server. As a result, finding and correcting many of the errors is much cheaper.

Static analysis may be particularly useful when debugging embedded-systems. In such projects, developers deal not only with errors in programs, but also with errors in the device itself or with poor manufacturing layout (bad contact and etc.). As a result, the process of error detecting can be severely delayed because it is often not clear where to look for a bug. If a programmer supposes that code is written correctly, it can cause long searching involving designers and other colleagues, responsible for the hardware-part. So, it will be all the more unpleasant to return to the program code and finally discover a stupid typo. Stupendously inefficient consumption of time and efforts of a team. Sounds awesome, if a static analyzer finds such an error.

Here's such a situation that my friend once told me:

"Even still studying for master's degree, I started working in the company involved in customization of various small-scale devices. For example, automation of greenhouses or collecting information from sensors in the enterprise that nothing leaked or overheated nowhere.

I'm having another standard task which takes me just a couple of hours and I return it to two colleagues to firmware a device they created. Colleagues are surprised at how quickly everything was done, praising me, and I proudly declare, "Well, I'm kind of a professional in writing such things and generally everything is quite simple here". Colleagues leave with a flash drive where I recorded the binary file for microcontroller firmware.

And I forget about this task. There are other greater and more captivating challenges. Moreover, once they didn't come, then all is well.

But they came. But only a week later. Saying couldn't understand the matter. Tied themselves into knots. Our testing bench is not working. Rather, it works, but not quite as it should. We have already re-soldered it again and replaced the executive electromechanical parts. Does not work ... Maybe you'll have a look? May be, there is still something wrong in the program...

I open code and immediately see an error like this:

uchar A[3];
for (uchar i = 0; i != 4; i++)
  average += A[i];
average /= 3;

I took another project as a base, and the code was written using a Copy-Paste method. In one place I forgot to replace 4 with 3. I was so ashamed that I made two people waste their working week".

The second reason: program updating is expensive, impossible or too late

Errors in embedded devices are extremely unpleasant that it is impossible or nearly impossible to fix them if the serial production started. If hundreds of thousands of washing machines have been already released and sent to shops, what should I do if in a certain mode, the machine is running inappropriately? Generally, it's a rhetorical question and here are two real options:

  • Forgive, forget and receive negative customer reviews on various sites, spoiling reputation. You can, of course, release and send application instructions "not to do so", but it's also a weak option.
  • Withdraw the series and do a firmware update. Costly affair.

Moreover, regardless whether the circulation is large or small, bugs fixing may be problematic or too late. The rocket fell, the error was detected, but too late. The patients died, the error was detected, but it will not return people. Antimissile weapons system begins to overshoot, the error was found, but there is nothing pleasant in this story. Cars didn't brake, errors were found, but there is no good for injured.

The conclusion is very simple. Code of embedded devices should be tested as thoroughly as possible, especially if the errors can lead to victims or serious material losses.

Static code analysis doesn't guarantee the absence of errors in code. However, you must use every opportunity to additionally verify the correctness of code. Static analyzers can point at lots of different bugs that manage to stay in the code even after several Code-Reviews.

If in your device there will be less errors thanks to static analysis, it is amazing. Perhaps, thanks to detecting these very errors, no one will die, or the company won't lose big sums of money or reputation because of client complaints.

The third reason: a developer may not know that he's doing something wrong

Errors in programs can be figuratively divided into two types. A programmer knows about the errors of first type and they appear in code accidentally, inadvertently. Errors of the second type occur when the programmer simply doesn't know that you cannot write code this or that way. In other words, he can read such code as much as he wants, but still won't find the bug.

Static analyzers have a knowledge base about the various patterns that in certain conditions cause an error. Therefore, they may indicate an error to the programmer, the existence of which he himself would hardly have guessed. An example would be using a 32-bit type time_t, which may result in malfunction of the device after 2038.

Another example is undefined behavior, which occurs because of incorrect use of shift operators <</>>. These operators are very widely used in code of microcontrollers. Unfortunately, programmers often use these operators very negligently, making the program unreliable and dependent on the version and compiler settings. Yet the program may work, but not because it is written correctly, but due to luck.

By using a static analyzer, programmers can hedge themselves against many unpleasant situations. Additionally, the analyzer can be used to monitor the quality of code in general, which is actual, when the number of project participants increases or changes. In other words, the tool helps to track, whether a novice started to write bad code.


There is one more reason to necessarily use a static code analyzer. This is when the project must meet a certain standard of software development of the language, such as MISRA C. However, rather, it refers to administrative measures, and is a bit away from the topic.

I wanted to show that the use of static analyzer is uniquely appropriate for any embedded project. Use this method and you will be able to:

  • Reduce time for searching and fixing bugs (example);
  • Reduce the likelihood of critical bugs;
  • Reduce the likelihood of necessity to update the firmware;
  • Monitor the overall code quality (we recommend to additionally look towards SonarQube);
  • Control the quality of the work of the new team members;
  • Monitor code quality of third-party modules/libraries.

There are no reasons not to use static code analysis, except laziness and illusion of superiority.


Use static code analyzers! There are a lot of them.

Surely, we offer to pay attention to our PVS-Studio code analyzer, which has recently started to support a number of ARM-compilers.

Popular related articles
Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities

Date: Nov 21 2018

Author: Andrey Karpov

A brief description of technologies used in the PVS-Studio tool, which let us effectively detect a large number of error patterns and potential vulnerabilities. The article describes the implementati…
PVS-Studio ROI

Date: Jan 30 2019

Author: Andrey Karpov

Occasionally, we're asked a question, what monetary value the company will receive from using PVS-Studio. We decided to draw up a response in the form of an article and provide tables, which will sho…
Appreciate Static Code Analysis!

Date: Oct 16 2017

Author: Andrey Karpov

I am really astonished by the capabilities of static code analysis even though I am one of the developers of PVS-Studio analyzer myself. The tool surprised me the other day as it turned out to be sma…
Static analysis as part of the development process in Unreal Engine

Date: Jun 27 2017

Author: Andrey Karpov

Unreal Engine continues to develop as new code is added and previously written code is changed. What is the inevitable consequence of ongoing development in a project? The emergence of new bugs in th…
The Last Line Effect

Date: May 31 2014

Author: Andrey Karpov

I have studied many errors caused by the use of the Copy-Paste method, and can assure you that programmers most often tend to make mistakes in the last fragment of a homogeneous code block. I have ne…
Characteristics of PVS-Studio Analyzer by the Example of EFL Core Libraries, 10-15% of False Positives

Date: Jul 31 2017

Author: Andrey Karpov

After I wrote quite a big article about the analysis of the Tizen OS code, I received a large number of questions concerning the percentage of false positives and the density of errors (how many erro…
Free PVS-Studio for those who develops open source projects

Date: Dec 22 2018

Author: Andrey Karpov

On the New 2019 year's eve, a PVS-Studio team decided to make a nice gift for all contributors of open-source projects hosted on GitHub, GitLab or Bitbucket. They are given free usage of PVS-Studio s…
How PVS-Studio Proved to Be More Attentive Than Three and a Half Programmers

Date: Oct 22 2018

Author: Andrey Karpov

Just like other static analyzers, PVS-Studio often produces false positives. What you are about to read is a short story where I'll tell you how PVS-Studio proved, just one more time, to be more atte…
PVS-Studio for Java

Date: Jan 17 2019

Author: Andrey Karpov

In the seventh version of the PVS-Studio static analyzer, we added support of the Java language. It's time for a brief story of how we've started making support of the Java language, how far we've co…
The Evil within the Comparison Functions

Date: May 19 2017

Author: Andrey Karpov

Perhaps, readers remember my article titled "Last line effect". It describes a pattern I've once noticed: in most cases programmers make an error in the last line of similar text blocks. Now I want t…

Comments (0)

Next comments
This website uses cookies and other technology to provide you a more personalized experience. By continuing the view of our web-pages you accept the terms of using these files. If you don't want your personal data to be processed, please, leave this site.
Learn More →