Last month Alexander Tarasikov wrote a blog post on Clang static analyzers and firmware, ranging from UEFI to U-Boot and other technologies:
In this blog post I mainly want to summarize my latest experiments at using clang’s static analyzer and some thoughts on what could be further done at the analyzer, and open-source software quality in general. It’s mostly some notes I’ve decided to put up.
[…]
In one of my previous posts I have drawn attention to gathering code coverage in low-level software, such as bootloaders. With GCOV being quite easy to port, I think more projects should be exposed to it. Also, AddressSanitizer now comes with a custom infrastructure for gathering code coverage, which is more extensive than GCOV.
[…]
http://allsoftwaresucks.blogspot.ru/2016/02/noted-on-firmware-and-tools.html
Firmware Security 