
Is Linux Code Quality Improving? (internetnews.com)

internetnews.com analyzes the latest Coverity Scan report on open-source software. "Coverity has seen an overall 16 percent reduction in the defect density found in the projects it has scanned over the last three years. Yet while the defect density has declined, the most recent Coverity Scan Open Source Report notes that the most common defect types are holding steady. For the last two years, the most common defect type reported by Coverity in its open source scan is something known as a 'NULLPointer Deference'."


Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 0:26 UTC (Fri) by realnc (guest, #60393) [Link] (4 responses)

Er, "deference?" I called it "dereference" my entire life...

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 1:49 UTC (Fri) by knobunc (guest, #4678) [Link] (2 responses)

It's nice that you showed internetnews.com deference by not immediately assuming a typo. However, you are absolutely correct, it is dereference.

-ben

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 5:51 UTC (Fri) by SimonKagstrom (guest, #49801) [Link] (1 responses)

Not having English as my first language, I had to look it up. WordNet certainly has some funny meanings in this context: a courteous expression (by word or deed) of esteem or regard (good that Coverity finds this), a disposition or tendency to yield to the will of others (that sounds like it might be a security issue).

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 9:44 UTC (Fri) by ballombe (subscriber, #9523) [Link]

> Not having english as my first language, ...

Did you mean French ? :)

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 4:15 UTC (Fri) by charris (guest, #13263) [Link]

One dereference to rule them all.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 3:09 UTC (Fri) by MisterIO (guest, #36192) [Link]

That's definitely a funny typo!

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 12:06 UTC (Fri) by Yorick (guest, #19241) [Link] (36 responses)

Free or open-source software is still written in languages prone to the kinds of errors mentioned in the article, null pointer dereferences and uninitialised variables. I believe Coverity only scans C and maybe C++ code so there is an obvious selection bias, but either of these errors commonly occur in Java, Python etc, but not in modern statically typed languages.

Coverity's checker is proprietary software and while it would be wonderful to have an equivalent free tool, it also needs to be used. The more limited but very handy FindBugs for Java is free, but running it on a randomly selected project will very often discover errors.

However, it would be even better to get people to use and improve (and where necessary, design) languages which do not have these defects. C is hardly the ultimate notation even for implementing operating system kernels. And for application programs, alternatives exist today.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 14:34 UTC (Fri) by tetromino (guest, #33846) [Link] (20 responses)

> but either of these errors commonly occur in Java, Python etc, but not in modern statically typed languages.

Given the context of your post, I do not understand what the above phrase was intended to mean.

> However, it would be even better to get people to use and improve (and where necessary, design) languages which do not have these defects. C is hardly the ultimate notation even for implementing operating system kernels. And for application programs, alternatives exist today.

C is — unfortunately — the ultimate language for kernels, since it is the only modern language where you can more-or-less predict assembler output from the source code (and even with C, kernel bugs occasionally result from gcc's overeager optimizations). For libraries, you are stuck with C or C++ because that allows your library to be used from any other language and from any virtual machine. For applications, many nice alternatives exist, but pretty much all of them use significantly more memory than C or C++ — and the Linux desktop is already too wasteful with memory.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 14:59 UTC (Fri) by Yorick (guest, #19241) [Link] (9 responses)

> Given the context of your post, I do not understand what the above phrase was intended to mean.

Null pointer dereferences and uses of uninitialised variables are common errors in C and Java but not in ML, for instance.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 15:33 UTC (Fri) by nlucas (subscriber, #33793) [Link] (6 responses)

It has been a long time since I last programmed in Java, but if I remember correctly you can't manipulate pointers in Java, so it's not possible to dereference a NULL pointer.

I believe that was the previous poster's point.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 16:19 UTC (Fri) by nix (subscriber, #2304) [Link]

Java calls them references, but gives the game away in the exception you get when you dereference a null one: NullPointerException. (The correspondence is close enough that natively GCJ-compiled code converts reference dereferences directly into pointer dereferences, and produces NullPointerException by compiling with options allowing exception throwing from asynchronous signal handlers, trapping SIGSEGV, and throwing a NullPointerException from that handler.)

NullPointerException

Posted Sep 25, 2009 18:42 UTC (Fri) by man_ls (guest, #15091) [Link] (4 responses)

The equivalent idiom in Java would be to use a null object; in this case you get the dreaded NullPointerException. The good news is that there is no way to turn this into a security hole.

NullPointerException

Posted Sep 27, 2009 10:17 UTC (Sun) by nix (subscriber, #2304) [Link] (3 responses)

It's trivial to turn it into a DoS attack, and if the exception propagates out to somewhere doing a wide-scale catch() and the author didn't expect a NullPointerException at that point, the partially initialized state of the application might lead to execution of unexpected code.

(I can't see how you could turn it into an *arbitrary* code execution though.)

NullPointerException

Posted Sep 27, 2009 11:47 UTC (Sun) by man_ls (guest, #15091) [Link] (2 responses)

Granted, if your software was sloppy enough not to catch an exception or restart any failed threads you might get a DoS. The worst I've seen in this area is an initialization error which caused an infinite restart loop. In Java it is often trivial to do the right thing for your whole program (catch the exception and go to a known state) and be done with it.

NullPointerException

Posted Sep 28, 2009 8:54 UTC (Mon) by nix (subscriber, #2304) [Link] (1 responses)

Yeah. The problem is, though, that NullPointerExceptions are not checked, they can propagate up from *anywhere*. This is nearly as bad as the can-be-thrown-from-anywhere C++ exceptions: every time you catch Exception, you have to consider that the exception might have come from random null pointer throws at arbitrarily strange places.

Now competent Java programmers hardly ever catch Exception except at or near the top level, but I have seen a *lot* of crappy Java code that throws and catches concrete Exceptions all over the place because declaring their own subclasses is 'too boring'. And that is vulnerable to receiving a NullPointerException when it thinks it's getting something else.

(Yes, such code sucks. There are a lot of bad Java programmers out there. It's where the people who programmed for money not love went for some considerable time, and it shows.)

NullPointerException

Posted Sep 28, 2009 19:49 UTC (Mon) by man_ls (guest, #15091) [Link]

Ugly. I have to admit that writing your own Exception hierarchy can become a hellish enterprise, so it is understandable to just throw Exception('Something is wrong') and be done with it. But people should at least write one exception class for their application (maybe using an error code for easy reference, and maybe unchecked so you don't have to throw it from everywhere) and use that consistently.

Still, being able to exploit any given instance of such sloppy code must be orders of magnitude less likely than the "trivial" exploits seen in kernel code.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 16:55 UTC (Fri) by iabervon (subscriber, #722) [Link]

There is no particular reason that the same technique for static verification of non-null values can't be applied to C and Java, at the expense of pushing another attribute through all of the libraries (similar in scope to adding "const" to everything that is actually const). It's even quite similar in compiler implementation to handling of "const", with respect to how it propagates through expressions and such (with the exception, of course, of what operations are prohibited with an annotated variable). Of course, the effort of annotating all existing C code appropriately is much higher than that of annotating all existing ML code.

Actually, Java avoids one of the problems that Eiffel has with non-detachable variables, because it has a static variable state of being declared but uninitialized, has language-specified rules for how variables leave this state, and requires that variables not be in this state in order to dereference them. So there is no issue at all with the unset value of a non-detachable local variable, and a non-detachable object field can be handled like a final one (must be assigned to by the end of the constructor, must not be dereferenced before it is assigned within the constructor).

Of course, Coverity is reporting on exactly those null dereference bugs that would be found by the compiler in either current ML or C that used Coverity's scanner as a compiler step.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 26, 2009 10:31 UTC (Sat) by alextingle (guest, #20593) [Link]

When you've got a running version of your ML kernel, I'll give it a spin for you.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 16:31 UTC (Fri) by NAR (subscriber, #1313) [Link] (9 responses)

> For applications, many nice alternatives exist, but pretty much all of them use significantly more memory than C or C++ — and the Linux desktop is already too wasteful with memory.

When they start. When the C/C++ application starts to leak memory, the Python/Java/etc. application can use significantly less memory...

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 19:59 UTC (Fri) by jmm82 (guest, #59425) [Link] (8 responses)

Your comment assumes buggy code. I have seen Python code written in a *buggy* fashion and it leaked memory at a far higher rate than many C memory leaks. Also, when Python code is having issues with memory it is often abstracted and far more difficult to resolve.

The simple fact is proper C code SHOULD use less memory compared to proper Python/Java code.

Maybe the reason for all the memory leaks in C is because new programmers do not learn how to manage memory anymore. This is a major issue because even when programming in Python one must be aware of the implied memory allocations occurring in their code.

I like Python, but do not agree with the statement above. I work in the embedded space and can assure you that Python is far less efficient than C in memory constrained environments.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 26, 2009 2:51 UTC (Sat) by drag (guest, #31333) [Link] (7 responses)

> Your comment assumes buggy code. I have seen Python code written in a
> *buggy* fashion and it leaked memory at a far higher rate than many c
> memory leaks. Also, when Python code is having issues with memory it is
> often abstracted and far more difficult to resolve.

Well actually usually memory leaks in Python programs are caused by programmers not paying attention to the scope of variables and classes. They are generating variables that are always being referenced and thus the garbage collection can't do its job.

Although there are occasional instances where, yes, the Python interpreter is doing something weird and you can't figure it out. It's not perfect.

The trick here is that the chances of you having a serious memory leak that is difficult to track down in Python is dramatically less than in C or C++.

------

Also it's worth mentioning that using Python is no substitute for lack of skill. It's designed as a substitute for effort. Also in the occasions where you do need to delve to a lower level to do special optimizations you can actually do that.

Something like:

IF Programmer Skill = A
IF Programmer Effort = B
Then, on average:
A * B * Python > A * B * C++

Although, obviously, Python is not appropriate in all cases.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 27, 2009 9:51 UTC (Sun) by jmm82 (guest, #59425) [Link] (2 responses)

>The trick here is that the chances of you having a serious memory leak that
>is difficult to track down in python is dramatically less then in C or C++.

By your logic no one should write multi-threaded applications either since the complexities which arise from concurrency issues cause debugging code to be more difficult. Some would argue that this is true, but as Moore's Law comes to a halt chip manufacturers are forced to add more cores to processors to gain performance and programs are forced to be multi-threaded in order to reap the benefits.

My point is properly written multi-threaded programs run faster than the comparable single threaded programs, just as a C program uses less memory than the comparable Python program. Yes, in both cases these gains in performance come at a loss of simplicity causing a need for more skilled programmers and increased debugging efforts, but the final result from a user's perspective is a better application, as far as resources are concerned.

Is Linux Code Quality Improving? (internetnews.com)

Posted Oct 3, 2009 12:37 UTC (Sat) by marcH (subscriber, #57642) [Link]

> By your logic no one should write multi-threaded applications either since the complexities which arise from concurrency issues cause debugging code to be more difficult.

Indeed. Bugs due to concurrent use of memory are an order of magnitude more costly than bugs due to uninitialized memory. They are usually just impossible to debug. So writing multi-threaded programs should be strictly forbidden to everyone but highly skilled authors of operating systems and concurrency libraries.

Quoting http://blogs.sun.com/dave/entry/parallelism_manifesto :
"Remember, true parallelism is not a feature -- it's just a remedy, and a problematic one at that. [...] I expect that the next generation of programming languages may remove threads and locking as we know it today. Explicit threading will still be available, of course, but ideally I'd like to see the world switch to a model where, by default, threads are managed by the runtime environment."

If you are an average programmer really needing concurrency TODAY and the concurrency library that suits you does not exist yet, then instead of dangerously sharing memory use explicit inter-communication (TCP, D-BUS, MPI, etc.). Your resulting program will be infinitely easier to understand, trace and debug, often not that much slower, and will naturally scale to a distributed environment.

Is Linux Code Quality Improving? (internetnews.com)

Posted Oct 7, 2009 8:45 UTC (Wed) by efexis (guest, #26355) [Link]

"but as Moore's Law comes to a halt chip manufacturers are forced to add more cores to processors"

Isn't that a bit of a contradiction? How can they add more cores if Moore's law's coming to a halt? More cores require more transistors, which is exactly what Moore's law states is increasing :-/

It's only clock speed increases that have slowed down, but that's not tied to transistor count.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 28, 2009 13:46 UTC (Mon) by nye (guest, #51576) [Link] (3 responses)

> The trick here is that the chances of you having a serious memory leak that is difficult to track down in python is dramatically less then in C or C++.

I would argue that anyone writing C++ and not finding it trivial to avoid memory leaks is really writing C, possibly with a 'class' keyword or a template thrown in here and there.

Actually one of the things I like about C++ is that deterministic destructors simplify resource management, particularly when coupled with smart pointers, which IMO are appropriate in all but the most performance-critical environments.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 29, 2009 8:42 UTC (Tue) by dgm (subscriber, #49227) [Link] (2 responses)

So true. It's the so called RIIA pattern (http://en.wikipedia.org/wiki/Resource_Acquisition_Is_Init...).

Garbage collected languages work so well, but have two severe limitations:
1. only memory is collected, file descriptors, sockets, locks, etc. are not. In C++ you can manage acquisition/release of any kind of resource.
2. the garbage collector is a brick wall. When performance starts to degrade because of it you are lost.

For me, deterministic destructors are THE feature that make C++ shine among the rest.
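As an added example (not code from the thread), the C analogue of the deterministic release dgm describes: GCC and Clang's `cleanup` attribute runs a function when a variable leaves scope, on every exit path, which is how a C program can get RAII-style handling for descriptors, locks and other non-memory resources that a garbage collector never touches. The resource here is a constructed stand-in (a handle with acquire/release counters) so the example runs offline and the leak check is observable.

```c
#include <stdbool.h>

/* Constructed counters so that "is anything still held?" is checkable. */
static int g_acquired = 0;
static int g_released = 0;

typedef struct {
    int id;
    bool open;
} handle_t;

/* Stand-in for open()/lock(): fails for negative ids (constructed rule). */
static bool handle_acquire(handle_t *h, int id)
{
    if (id < 0)
        return false;
    h->id = id;
    h->open = true;
    g_acquired++;
    return true;
}

/* Cleanup callback: the compiler calls it with a pointer to the variable
 * whenever the variable goes out of scope (normal return, early return,
 * or goto out of the block). Releasing is idempotent, so a handle that
 * was never acquired is harmless. */
static void handle_release(handle_t *h)
{
    if (h->open) {
        h->open = false;
        g_released++;
    }
}

/* The C "destructor": a handle_t declared with this qualifier is released
 * automatically, which is what C++ destructors give you for free. */
#define scoped_handle __attribute__((cleanup(handle_release))) handle_t

/* Two resources and three early-return paths. Each early return would need
 * its own hand-written release without the cleanup attribute, which is
 * exactly where descriptor and lock leaks creep in. */
static int do_work(int first_id, int second_id)
{
    scoped_handle a = {0};
    if (!handle_acquire(&a, first_id))
        return -1;                  /* a was never opened: nothing to release */

    scoped_handle b = {0};
    if (!handle_acquire(&b, second_id))
        return -2;                  /* a released automatically here */

    if (first_id == second_id)
        return -3;                  /* b then a released automatically here */

    return a.id + b.id;             /* both released automatically here */
}

/* Handles still held; should be zero after every do_work() call. */
static int leaked_handles(void)
{
    return g_acquired - g_released;
}
```

The attribute is a GCC/Clang extension, not standard C, and it only covers automatic variables: a handle stored in a heap object or a global still needs an explicit release, so it addresses the scoping half of RAII, not ownership transfer.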

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 29, 2009 9:04 UTC (Tue) by dgm (subscriber, #49227) [Link] (1 responses)

Silly me: it's RAII, not RIIA (sorry :-)

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 29, 2009 15:00 UTC (Tue) by nix (subscriber, #2304) [Link]

Nor RIAA (a pattern whereby innocent objects are destroyed before their lifetimes have ended by being sued into oblivion).

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 18:45 UTC (Fri) by proski (guest, #104) [Link] (14 responses)

It would be interesting to see what changes to C could be made to make it a better programming language for kernels without sacrificing kernel size or speed. Many ideas could be taken from Sparse, e.g. endian types, contexts. I'm afraid NULL pointer dereference won't be easy to avoid on the programming language level.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 19:47 UTC (Fri) by droundy (guest, #4559) [Link] (10 responses)

Actually, it seems like NULL pointers ought to be very easy to avoid at the language level. You just need a special type for them (call it notnull, analogous to const), and then a special function that converts an ordinary pointer to a notnull pointer. Then you could introduce a compiler warning when you dereference an ordinary pointer. This would have the advantage that it makes you put your assumptions into the type signatures of function arguments.

Oh, and of course, adding a constant to an ordinary pointer should give an ordinary pointer. One could still have mistakes by adding a constant to a null pointer *before* converting it to a notnull one, but that seems pretty hard to work around. Perhaps if you were to disallow arithmetic on ordinary pointers that would fix it...

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 26, 2009 0:39 UTC (Sat) by jzbiciak (guest, #5246) [Link] (5 responses)

I'm not sure I understand your idea. What would you have the compiler do in the following program: (I assume the syntax would be similar to 'restrict', in that it qualifies the pointer, and so appears after the asterisk.)

char *notnull  fun_and_special(char *p)
{
    return p;
}

    /* Elsewhere, in another file perhaps, so the body of the above */
    /* function is not visible: */
    char *notnull ptr;
    ptr = fun_and_special(NULL);

    puts(ptr);
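As an added example (not code from droundy or jzbiciak), droundy's "notnull" idea expressed with what standard C already offers: a wrapper type that can only be produced by the one conversion function, so the conversion is the single place where NULL is handled and every consumer's signature states the assumption. In this scheme jzbiciak's fun_and_special() cannot simply return its argument as notnull; it has to go through the conversion and report failure, and since the wrapper has no pointer arithmetic the "add a constant before converting" problem from droundy's second paragraph does not arise. The `nonnull` attribute shown for raw pointers is a real GCC/Clang extension that produces a compile-time warning, not an enforced type. Names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#if defined(__GNUC__)
#define NONNULL_ARGS(...) __attribute__((nonnull(__VA_ARGS__)))
#else
#define NONNULL_ARGS(...)
#endif

/* The "notnull" pointer: a struct rather than a qualifier, so nothing but
 * to_nonnull() can create one and no arithmetic can be done on it. */
typedef struct {
    const char *p;   /* invariant: never NULL once built by to_nonnull() */
} nonnull_str;

/* The special conversion function. Returns false and leaves *out untouched
 * when p is NULL, so the caller has to deal with the failure explicitly. */
static bool to_nonnull(const char *p, nonnull_str *out)
{
    if (p == NULL)
        return false;
    out->p = p;
    return true;
}

/* Raw-pointer consumer: the attribute lets GCC/Clang warn (-Wnonnull) when
 * a literal NULL is passed, and documents the assumption in the prototype. */
static size_t raw_len(const char *p) NONNULL_ARGS(1);
static size_t raw_len(const char *p)
{
    return strlen(p);
}

/* Wrapper consumer: no NULL check needed, the type already guarantees it. */
static size_t nonnull_len(nonnull_str s)
{
    return raw_len(s.p);
}

/* jzbiciak's fun_and_special() in this scheme: it cannot hand its argument
 * back as "notnull" directly (the types do not match), so the NULL case
 * becomes a status instead of a poisoned non-null pointer. */
static bool fun_and_special(const char *p, nonnull_str *out)
{
    return to_nonnull(p, out);
}

/* Caller pattern: handle NULL once, at the boundary. Returns the length,
 * or (size_t)-1 when the input was NULL and nothing was dereferenced. */
static size_t length_or_error(const char *maybe_null)
{
    nonnull_str s;
    if (!fun_and_special(maybe_null, &s))
        return (size_t)-1;
    return nonnull_len(s);
}
```

The cost is the one droundy and iabervon both mention: every function in the call chain that wants the guarantee has to take the wrapper type, which is the same kind of plumbing job as adding const throughout an existing code base. Static analysers such as splint do the equivalent tracking without changing the types.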

Splint can detect null pointer references

Posted Sep 26, 2009 15:46 UTC (Sat) by dwheeler (guest, #1216) [Link] (4 responses)

The splint program can be used to prevent null pointer dereferences in C, and it's open source, too.

Splint can detect null pointer references

Posted Sep 27, 2009 7:07 UTC (Sun) by jzbiciak (guest, #5246) [Link]

I see. So in my example above, it'd complain loudly about the function "fun_and_special" returning a possibly-null pointer as a "notnull" pointer. The various predicate qualifiers exist to help the static analyzer determine when a possibly-null pointer becomes a notnull pointer, and vice versa.

Splint can detect null pointer references

Posted Sep 27, 2009 18:22 UTC (Sun) by ballombe (subscriber, #9523) [Link] (2 responses)

Unfortunately the last release is two years old.

Splint

Posted Sep 28, 2009 14:27 UTC (Mon) by dwheeler (guest, #1216) [Link] (1 responses)

Yes, but it still works just fine.

Splint

Posted Sep 28, 2009 17:12 UTC (Mon) by ballombe (subscriber, #9523) [Link]

Good to know! Option +posixlib does not like unistd.h here (it reports an Internal Bug).

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 26, 2009 1:43 UTC (Sat) by foom (subscriber, #14868) [Link] (3 responses)

Please see
http://lwn.net/Articles/347809/
where this topic was just discussed a couple weeks ago.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 26, 2009 3:05 UTC (Sat) by proski (guest, #104) [Link] (1 responses)

And nobody even thought what memset() would do with a structure containing non-nullable pointers. Or how kzalloc() would initialize such structure.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 29, 2009 8:59 UTC (Tue) by dgm (subscriber, #49227) [Link]

Fill them with 0s, why?

The compiler could raise a warning in such cases (structs, unions, pointers to not-nullable pointers), and if asked to, emit code to check for null automatically before dereferencing the pointer.

This is not much different from:

int i = -1;
float *f = (float *)&i; /* mostly sure not a valid IEEE floating point number */

Is Linux Code Quality Improving? (internetnews.com)

Posted Oct 3, 2009 14:30 UTC (Sat) by marcH (subscriber, #57642) [Link]

> Please see http://lwn.net/Articles/347809/ where this topic was just discussed a couple weeks ago.

By the way, having a "notnull" check was already discussed a few... decades ago:

http://qconlondon.com/london-2009/presentation/Null+Refer...

SQL has notnull. C++ has references.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 25, 2009 20:23 UTC (Fri) by janpla (guest, #11093) [Link] (2 responses)

A lot of experimentation has already happened in this area - the outcome has been languages like C++, Java, Python, ...; at least as far as I am concerned. The point is, C is what it is, not because the designers didn't know what they were doing, but exactly because they did. C allows the competent programmer maximum freedom to the logical extent of the language; and you have the freedom to shoot yourself in the foot.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 26, 2009 2:55 UTC (Sat) by proski (guest, #104) [Link] (1 responses)

I don't think any of those languages was created for kernel programming. Perhaps C++ could be used, as it's mostly a superset of C. But how would it prevent NULL pointer dereferences without introducing extra runtime checks that make the kernel bigger and slower?

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 27, 2009 12:59 UTC (Sun) by tialaramex (subscriber, #21167) [Link]

You can see examples of operating system kernel code written in C++ in Haiku, the BeOS clone which after 8 years finally released an alpha a couple of weeks back. Most of their code is C++ even in the kernel (obviously there's some assembler doing very platform specific stuff).

There are some restrictions on the dialect used (basically any features that demand a lot from the runtime are unavailable because the kernel has to provide its own C++ runtime) but it looks just like the sort of C++ I used to write before I learned better and stopped altogether.

It doesn't do anything special to prevent NULL dereferences, or numerous other common problems in low-level code. On my laptop it locks up pretty quickly if I try to do a file transfer. My impression is that the core developers just like C++ (no accounting for taste, they also liked BeOS)

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 26, 2009 2:45 UTC (Sat) by adobriyan (subscriber, #30858) [Link] (1 responses)

It would be very nice if Coverity stopped spamming Linux kernel developers
with their "Webinar" junk.

Is Linux Code Quality Improving? (internetnews.com)

Posted Sep 28, 2009 21:11 UTC (Mon) by proski (guest, #104) [Link]

Montavista used to do it. Perhaps they work with the same "PR agency"?


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds