Reasoning's Apache study
[This article was contributed by Joe 'Zonker' Brockmeier]

Back in February, Reasoning, Inc. released a study that surprised few in the Linux and open source community. Specifically, Reasoning found that the Linux kernel's TCP/IP stack had fewer defects than implementations from vendors with proprietary versions. This time around, Reasoning has focused on Apache. Reasoning looked at Apache 2.1-dev, released at the end of January this year, and found that release to be about the same quality as commercial software.

Reasoning's study was not sponsored by a vendor, nor does the company have any real motivation to find that open source is better or worse than proprietary software. Instead, the company is using studies of open source projects to help promote its testing services. Open source makes an ideal promotional device because Reasoning can actually release the full results of the study, including source code where errors are found.

The company uses a method of automated testing that tests for memory leaks, NULL pointer dereferences, bad deallocations, out of bounds array access and/or uninitialized variables. These are classified as defects. In 58,944 lines of code (LOC) spread out in 360 files, there were a total of 31 defects, or a defect density of 0.53 per thousand lines of code. According to Reasoning, the average defect density for commercial applications is 0.51 per thousand lines of code. Of the 31 defects, 29 were NULL pointer dereferences and 2 were uninitialized variables -- no memory leaks, bad deallocations or out of bounds defects were found in Apache 2.1-dev. The detailed version of Reasoning's report lists each of the 31 defects, giving the location of the defect, a description and the actual defect in a code fragment taken from the file with the defect.

One might wonder why Reasoning chose to look at a development version of Apache rather than a more mature version that had been out for a while. Certainly, very few people are likely to be deploying a development version of Apache on production sites -- making it less comparable to a release of a proprietary product. Apparently, they decided to review a less mature version of an open source project to point out how the open source development model benefits a project in the long run. It would be interesting for Reasoning to track Apache's development and compare its quality against proprietary code after it has been released and in use for some time. One suspects that the Apache release would fare better than proprietary projects after it had been formally released and in use for some time.

Obviously, the study doesn't provide the full picture. It only measures certain types of defects, and doesn't take into account the software's features, performance or other qualities. But, at least in the area of software defects, Reasoning's study reflects well on the open source model by demonstrating what many users of open source already know -- that open source produces code of a quality that is at least comparable to proprietary software.
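
The two defect classes that account for all 31 findings, shown as an added example (constructed for illustration, not code from Apache or from Reasoning's report; the header table and function names are hypothetical). The flawed function returns the right answer on the common path, so the defects only surface on inputs a test run may never supply, while a checker that reads the source sees them on every path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data, not Apache code: a tiny request-header table. */
struct header { const char *name; const char *value; };
static const struct header sample_headers[] = {
    { "Host", "example.org" },
    { "Content-Length", "42" },
    { "X-Empty", "" },
};

/* Returns the header's value, or NULL when the header is absent. */
static const char *find_header(const char *name)
{
    size_t i, n = sizeof sample_headers / sizeof sample_headers[0];
    for (i = 0; i < n; i++)
        if (strcmp(sample_headers[i].name, name) == 0)
            return sample_headers[i].value;
    return NULL;
}

/* Flawed: correct for a present, non-empty header, so an ordinary test run
 * passes, yet it contains both defect classes found in the study. */
int header_int_flawed(const char *name)
{
    int n;                              /* never assigned on the empty-value path */
    const char *v = find_header(name);
    if (v[0] != '\0')                   /* NULL pointer dereference if absent */
        n = atoi(v);
    return n;                           /* uninitialized read for "X-Empty" */
}

/* Corrected: every path checks the pointer and returns a defined value. */
int header_int_checked(const char *name)
{
    const char *v = find_header(name);
    if (v == NULL || v[0] == '\0')
        return -1;                      /* absent or empty header */
    return atoi(v);
}

int main(void)
{
    printf("%d %d %d\n", header_int_checked("Content-Length"),
           header_int_checked("X-Missing"), header_int_checked("X-Empty"));
    return 0;
}
```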
The point was to look at development code
Posted Jul 10, 2003 3:54 UTC (Thu) by iabervon (subscriber, #722)

Reasoning is, as was mentioned, doing this primarily as a method for demonstrating their software. For this reason, they're following people's suggestions for what to look at, and they did the Apache study in response to people who responded to the first study by asking how less mature Open Source code did. I suspect that they've now gotten feedback that they should study how Apache 2.1 does as it stabilizes.

Of course, I suspect that Reasoning's method is not really useful for repeat application, since the Apache team will probably now fix all of the bugs that Reasoning found. The basis for these studies making any sense at all is that more subtle issues seem to correlate with these simple errors. But, of course, the subtle errors don't go away when you fix the simple ones, so the correlation fails to hold for code which has already been audited for simple errors.

valgrind
Posted Jul 10, 2003 7:57 UTC (Thu) by oever (subscriber, #987)

"The company uses a method of automated testing that tests for memory leaks, NULL pointer dereferences, bad deallocations, out of bounds array access and/or uninitialized variables."

I guess they're using the excellent free software tool valgrind.

valgrind
Posted Jul 10, 2003 16:36 UTC (Thu) by cpeterso (guest, #305)

No. Reasoning does static code analysis (like Lint). Valgrind does runtime analysis (like Purify).

the next reasoning study...
Posted Jul 10, 2003 9:41 UTC (Thu) by lyda (guest, #7429)

i think what would be interesting for reasoning to do is track the bugs in a project in development - before and after reasoning feedback. so let's say they stick with apache. they test each version of the latest dev branch of apache and generate stats along with some nice summary stats (like average number of bugs fixed and introduced). at the same time they work with the apache developers and give them feedback on each version they release starting from now (or something like nightly/weekly builds).

the theory being is that reasoning's tools will reduce the bugs introduced between releases and increase the number of fixes. pitting closed and open software against each other is amusing i suppose, but it would be of more interest to this developer to see the concrete benefits of reasoning in action. to date we've just seen snapshots, how does it benefit the flow of development?

the next reasoning study...
Posted Jul 13, 2003 3:13 UTC (Sun) by giraffedata (subscriber, #1954)

Right. Prior studies have shown that one salient difference between commercial and non-commercial software is that commercial software distributors tend not to fix bugs just because they become aware of them, whereas non-commercial distributors tend to do so.
Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.