The Odometer of Inherited Code
Earlier this week I talked about “Project Inheritance”—that moment you step into a codebase someone else started. One of the first questions I get is: “How do you know if it’s actually any good?”
In the old days, you’d spend three days just trying to get the linker script to behave, then another week manually tracing pointers to see if they ever actually hit a NULL check. These days we simply do not have that kind of time.
Especially considering the layers of legacy code that we have to deal with. Often it is the equivalent of the old “plug and pray.” Drop thousands of lines of code on a board and then wonder why it does not work. Sometimes for weeks.
Most often, Occam hits it right. It is the simplest things. The ones we do not look at because “it cannot be that simple,” or because it is buried in the noise.
Static Analysis: The Truth Machine
I do not care what the comments say. I care what MISRA-C and CERT-C validation says. It is the difference between “I think this is safe” and “I can prove this will not crash your DMA stream.”
The Silicon Reality Check
Does the C code actually respect the ARM Cortex-M7 or PolarFire errata? A verified driver that ignores silicon bugs is not verified—it is a time bomb.
Before I make your hair stand on end, I am not a purist, and I am not evangelical. Good coding practice is good. For years, I adopted forms of Ganssle’s guidelines. Today we need something we can run through a grinder and get agnostic guidance fast. MISRA or CERT-C work well as a yardstick, and among us, we can decide where we are willing to blur the lines.
Compliance as a Compass
I treat compliance reports not as paperwork, but as a map. They tell me exactly where the previous developer took shortcuts.
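One way to turn a findings report into that kind of map is sketched below. It is an added example, not code from the original post or from any analyzer. The `file:line: rule-id: message` layout, the file names, the line counts, and the function names `parse_findings` and `hotspot_map` are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample findings in an assumed "file:line: rule-id: message" layout.
# This is not the output of any particular analyzer; adapt LINE_RE to your tool.
SAMPLE_REPORT = """\
drivers/dma.c:42: CERT-EXP34-C: possible null pointer dereference of 'desc'
drivers/dma.c:57: CERT-EXP34-C: possible null pointer dereference of 'chan'
drivers/dma.c:88: CERT-ARR30-C: array index may exceed buffer bounds
drivers/uart.c:19: CERT-INT30-C: unsigned integer operation may wrap
app/main.c:230: CERT-EXP34-C: possible null pointer dereference of 'cfg'
build finished with warnings
"""

# Constructed line counts per file, used to normalise to findings per KLOC.
SAMPLE_LOC = {"drivers/dma.c": 400, "drivers/uart.c": 250, "app/main.c": 2000}

LINE_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+):\s*(?P<rule>[A-Za-z0-9.\-]+):\s*(?P<msg>.+)$")

def parse_findings(report):
    """Return (findings, skipped): parsed dicts and non-empty lines that did not match."""
    findings, skipped = [], []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append(m.groupdict())
        elif raw.strip():
            skipped.append(raw.strip())  # keep unparsed lines visible, never drop silently
    return findings, skipped

def hotspot_map(findings, loc):
    """Rank files by findings per KLOC and report the dominant rule in each file."""
    per_file = defaultdict(Counter)
    for f in findings:
        per_file[f["file"]][f["rule"]] += 1
    rows = []
    for path, rules in per_file.items():
        total = sum(rules.values())
        lines = loc.get(path)
        density = round(total * 1000 / lines, 1) if lines else None  # unknown size: no density
        rows.append({"file": path, "findings": total, "per_kloc": density,
                     "top_rule": rules.most_common(1)[0][0]})
    # Densest files first; files with unknown size sort last.
    return sorted(rows, key=lambda r: (r["per_kloc"] is None, -(r["per_kloc"] or 0)))

if __name__ == "__main__":
    found, unparsed = parse_findings(SAMPLE_REPORT)
    for row in hotspot_map(found, SAMPLE_LOC):
        print(row)
```

Ranking by density rather than raw count keeps a small driver full of findings from hiding behind a large application file, and the list of unparsed lines shows when the report format has drifted from what the script expects.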
The Shift
With modern tool suites and local AI analysis, I can run a full compliance check on 50 KLOC while I am having my morning coffee at an RV park. I am no longer just fixing bugs. I am providing a Compliance Evidence Pack.
Because in a world of strict EU regulations like the looming CRA, working code is not enough anymore. You need proven code.
What is your go-to tool for a first-pass audit? Or do you still prefer the manual grep?
Originally published on LinkedIn as “The Odometer of Inherited Code”.
Mesa Technologies provides senior embedded systems consulting for firmware, board bring-up, debugging, architecture review, and project recovery.