Call graph construction in the presence of indirect calls
Safety Checker by TASKING is a Safety integrity level (SIL) aware static analyzer with the ability to check for interference in the memory space domain and the special function register domain which is helpful to prove "freedom from Interference" as described in the ISO 26262 functional safety standard.
The success of a good static analysis stands or falls to whether the tool is able to construct a correct call graph, also called a call tree. A call graph represents calling relationships between functions in an application. Constructing a call graph is rather simple if only direct calls are taken into account.
The construction of a call graph becomes much harder if indirect calls are also involved. Let’s take a look at an indirect call:
Here the address of the function my_cmpfunc() is passed as an argument to the C library function qsort(). This library function will then call the function indirectly.
The correct call graph should therefore look like this:
This can become really complicated if, for example, the return value of a function holds a function pointer which is called indirectly or is passed as argument to another function.
Let’s take a look at a more complex piece of code.
Can you still figure out what is going on?
Can you construct the call graph of this code?
Here are the other functions:
Click here to see the call graph produced by Safety Checker.
That’s the joy of programming. Once you implemented the algorithm correctly, the application can do the work faster and better than you do.
For more information about the Safety Checker by TASKING, see ASIL CODE INTEGRITY CHECK TOOL.