|
|
Subscribe / Log in / New account

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

[Posted February 14, 2010 by corbet]

The developers of the Coverity checker have published a lengthy article in the Communications of the ACM detailing the lessons they have learned. "No bug is too foolish to check for. Given enough code, developers will write almost anything you can think of. Further, completely foolish errors can be some of the most serious; it's difficult to be extravagantly nonsensical in a harmless way."
to post comments

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 14, 2010 18:17 UTC (Sun) by wingo (guest, #26929) [Link] (17 responses)

I laughed out loud at this:
Law: You can't check code you can't parse. Checking code deeply requires understanding the code's semantics. The most basic requirement is that you parse it. Parsing is considered a solved problem. Unfortunately, this view is naïve, rooted in the widely believed myth that programming languages exist.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 14, 2010 18:39 UTC (Sun) by dilinger (subscriber, #2867) [Link]

Heh, I just loaded the lwn comments to paste exactly that passage..

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 14, 2010 20:49 UTC (Sun) by tialaramex (subscriber, #21167) [Link]

I've seen this somewhere, I guess that like most academic publications it is heavily cut-and-pasted from previous work (by the same authors of course, not accusing anyone of plagiarism). But where exactly did I see it? Was it on their web site?

Speaking of film at 11...

Posted Feb 14, 2010 22:31 UTC (Sun) by Max.Hyre (subscriber, #1054) [Link] (14 responses)

The line that caught my eye is
Embedded software companies make great tool customers, given the bug aversion of their customers; users don't like it if their cars (or even their toasters) crash.
Does any of the authors own a Toyota? :-/

Speaking of film at 11...

Posted Feb 15, 2010 1:18 UTC (Mon) by jordanb (guest, #45668) [Link] (12 responses)

I think Toyota is a good example of why such companies care about software defects. Toyota is in the process of taking a multi-billion dollar thrashing for what amounts to a subtle timing bug.

Speaking of film at 11...

Posted Feb 15, 2010 2:03 UTC (Mon) by drag (guest, #31333) [Link] (11 responses)

Bugs and flaws and mechanical failures are just a factor of automobiles.

I've had a throttle stick in a old car I owned once. Why did it happen? Because a rubber boot on one end of the throttle cable cracked and broke off due to old age and the cold. Moisture was able to work its way into the cable and froze. The ice jammed up the cable and thus the carb's butterfly valve was stuck open.

What did I do? I turned the motor off, pulled over, examined the cable end inside the motor, figured out what happened, loosened it up by working the cable in and out by hand, started up the motor and drove home.

------------------------------

It is not a question of designing a system not to fail. You CAN NOT DO THAT. Failure is not a option, it is a reality. What you have to do is engineer things to fail gracefully. So that WHEN they do fail they don't kill your customers.

That is why you have 2 pistons in your brake's master cylinder, for example. You have 3 independent braking systems built into your car. You have your front brake system, rear braking system, and your emergency brakes. Some modern cars have 5 independent braking systems.

So what Toyota's problem is not really a firmware issue or a software issue or anything like that. What Toyota did wrong is that they designed a system that when it failed it did the wrong thing. They designed it so that a software/firmware/computer/sensor error could make their cars run out of control. It can be anything. The software could of been a problem. The computer itself could have a hardware error. A relay could fail so it became a closed circuit. A ground could failed. Just thousands of things can go wrong.

Of course it's not Toyota's problem that people did not have the good sense to turn the motor off or throw it into neutral.

------------------------

Ideally you design the system not to fail. But you cannot prevent it from failing. So in addition to that you design it to fail in a manner that does not cause problems. Layered solutions, I suppose.

This is why things like Selinux are a good idea.

Speaking of film at 11...

Posted Feb 15, 2010 5:26 UTC (Mon) by Ed_L. (guest, #24287) [Link] (2 responses)

Of course it's not Toyota's problem that people did not have the good sense to turn the motor off or throw it into neutral.
Perhaps not. But we the people have to know several things in advance:
  • Turning off the motor might lock your steering. YMMV, but YMMB very short if you guess wrong.
  • Throwing it in neutral might blow up the motor. Now, if you are the nerd type you might realize that the ECU will limit the revs and the motor will not in fact blow up. It will only sound that way until you bring the car to a stop and then turn off the ignition.
From Toyota's FAQ:
What if you experience a sticking accelerator pedal while driving? Each circumstance may vary, and drivers must use their best judgment, but Toyota recommends taking the following actions:
  • If you need to stop immediately, the vehicle can be controlled by stepping on the brake pedal with both feet using firm and steady pressure. Do not pump the brake pedal as it will deplete the vacuum utilized for the power brake assist.
  • Shift the transmission gear selector to the Neutral (N) position and use the brakes to make a controlled stop at the side of the road and turn off the engine.
  • If unable to put the vehicle in Neutral, turn the engine OFF. This will not cause loss of steering or braking control, but the power assist to these systems will be lost.
    • If the vehicle is equipped with an Engine Start/Stop button, firmly and steadily push the button for at least three seconds to turn off the engine. Do NOT tap the Engine Start/Stop button.
    • If the vehicle is equipped with a conventional key-ignition, turn the ignition key to the ACC position to turn off the engine. Do NOT remove the key from the ignition as this will lock the steering wheel.
So one should be prepared and informed in advance. Prior experience stopping a car that has lost its vacuum brake boost would be a plus. Before this throttle issue became publicized, I'm not one to hold Average Jane commuter responsible for making the correct call in what will be a very frightening situation.

Speaking of film at 11...

Posted Feb 16, 2010 16:52 UTC (Tue) by martinfick (subscriber, #4455) [Link] (1 responses)

"I'm not one to hold Average Jane commuter responsible for making the correct call in what will be a very frightening situation."

I would perhaps not expect them to be able to make the best call, but clearly not knowing how to stop your car in an emergency highlights a real problem with our driver's license testing doesn't it? Why this never been considered important on a driver's test boggles my mind. If you can't figure out a least one way to stop your car in these situations, you really shouldn't be driving a vehicle on a road where you are putting the lives of others at risk.

Speaking of film at 11...

Posted Feb 16, 2010 23:35 UTC (Tue) by Ed_L. (guest, #24287) [Link]

I would perhaps not expect them to be able to make the best call, but clearly not knowing how to stop your car in an emergency highlights a real problem with our driver's license testing doesn't it?
Perhaps. But cars vary, so the question would be put by the on-the-road examiner (if any) along the lines "Okay. Suppose your throttle sticks wide open. How do you stop *this* car? What happens to your controls?"

Then there's the related UI question of how better might keyed and keyless ignitions be designed? The "natural impulse" is to turn off the key. On my '95 Ford that works, but the "ACC" position is between "RUN" and "LOCK". It would be very easy to turn the key too far and "LOCK" when what was really needed was "ACC". Some cars require an additional button be pressed before the key can be withdrawn from the lock. Perhaps that could be modified such that the button must be pressed before the key could be moved to the "LOCK" position in the first place.

Speaking of film at 11...

Posted Feb 15, 2010 14:48 UTC (Mon) by tialaramex (subscriber, #21167) [Link] (1 responses)

“Failure is not a option, it is a reality. What you have to do is engineer things to fail gracefully. So that WHEN they do fail they don't kill your customers.”

This is the right design principle, but it's not possible to absolutely ensure this.

The classic example of "fail safe" is the air pressure controled brake system used in trains. The initial designs were positive control "fail unsafe" systems, if air pressure was lost the train would have no brakes. So, in later systems the air pressure holds the brake off, loss of pressure engages the brakes. This system is still used today even on most fast passenger trains. But it isn't proof against all failures. Like most braking systems the ones used on trains suffer from fatigue. If a brake is partially engaged continuously as a result of a local problem it will become completely ineffective - with the same result that when you need brakes they don't work.

In the railway business they even have a name for problems where the "fail safe" doesn't, they're called "Wrong side failures".

http://en.wikipedia.org/wiki/Deelfontein_rail_crash

Deelfontein is unusual in that it's all down to a single tiny accident, splattered solder. But still, as designed this system was fail safe.

So, once in a while you will kill customers. From a business point of view this means that when you're done minimising the number of customers killed by your product you have to move on to ensuring confidence in future products. Until consumers are rational this will unfortunately sometimes mean firing staff who didn't do anything wrong but were just unlucky and apologising for things that you aren't really sorry for and will do again because they make good sense.

Speaking of film at 11...

Posted Feb 16, 2010 18:12 UTC (Tue) by jordanb (guest, #45668) [Link]

"Wrong-side failure" is an awesome term, Thanks for posting it.

Another example is the rooftop doors on the World Trade Center.

They had a locking system that would 'fail safe' by unlocking everything when power was cut. But by the time that happened, the metal in the frames had expanded from the heat in the superstructure and sealed them.

Speaking of film at 11...

Posted Feb 15, 2010 14:50 UTC (Mon) by Ajaxelitus (guest, #56754) [Link] (2 responses)

Of course it's not Toyota's problem that people did not have the good sense to turn the motor off or throw it into neutral.

Well, it _is_ Toyota's problem. They designed a push-button keyless start system that doesn't respond when people, who are in a panic situation, push it over and over. They require that one be calm and hold the button down for three seconds for the emergency cutoff to happen.

It would be best if the software turned off the engine if, say, the button is pushed five times in any three second period.

Speaking of film at 11...

Posted Feb 15, 2010 17:38 UTC (Mon) by Ed_L. (guest, #24287) [Link]

Indeed, and Toyota has announced they are redesigning (reprogramming?) their keyless ignition to do just that: press the button three times in "rapid" succession will turn off the motor.

Speaking of film at 11...

Posted Feb 23, 2010 12:43 UTC (Tue) by smipi1 (subscriber, #57041) [Link]

You would expect companies such as Toyota to design controls to do the safest
possible thing in response to panicked operator behavior. Most people
responding to their survival instincts in a panicky situation tend to do more
or less the same genetically programmed things. Measuring this in a
controlled (albeit panic inducing) situation shouldn't be too difficult.

Speaking of film at 11...

Posted Feb 16, 2010 16:57 UTC (Tue) by martinfick (subscriber, #4455) [Link] (2 responses)

"You have your front brake system, rear braking system, and your emergency brakes."

I believe that traditionally the braking system is not split into front/rear, but rather front left/right rear and front right/left rear.

Speaking of film at 11...

Posted Feb 17, 2010 20:00 UTC (Wed) by set (guest, #4788) [Link] (1 responses)

Not sure where you are from, or what traditions you refer to, but
speaking as someone who has driven mostly US made cars for over 25
years, ranging in vintage from the mid '60s to late '90s, I have
only seen two systems. A single master cylinder that controls all
four wheels, and a dual master cylinder that is split between the
front brakes and rear brakes. And I have had all points in that system
fail at some point, and had to repair it. (Including a dual master
cylinder that just completely failed -- no redundancy save there...)

Speaking of film at 11...

Posted Feb 17, 2010 22:30 UTC (Wed) by dlang (guest, #313) [Link]

I believe that what he described existed back in the days of 4-wheel drum brakes, but as disk brakes came into the picture they moved to the front/rear split (and stayed there as it was learned that preasure needed to be higher on the front wheels than on the rear wheels)

Speaking of film at 11...

Posted Feb 15, 2010 3:02 UTC (Mon) by n1ho (guest, #55855) [Link]

I had a Subaru XT6 "sports car" that had a microprocessor in the power steering subsystem with what ultimately proved to be a firmware problem. I had complained to the dealer several times of having to go into "gorilla mode" when the power steering randomly quit in mid-turn, and I barely avoided a crash. At one point, I was quoted over $1000 to replace the power steering pump, pulleys, belts and other related equipment, but I declined. A month later, Subaru issued a recall notice and ended up paying its dealers $150 (back in the late 80's) to replace a chip that ultimately resolved the problem. I've never trusted Japanese automotive firmware since then - it's fairly apparent to me that the design methodology and QC fall short of the quality needed. The latest round of problems with Toyota doesn't surprise me at all.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 14, 2010 18:31 UTC (Sun) by wingo (guest, #26929) [Link] (3 responses)

I'm amused that they complain about not having access to their customers' source code.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 14, 2010 20:58 UTC (Sun) by nix (subscriber, #2304) [Link] (2 responses)

Well, yes, of course they do. How on earth do they reproduce problems? (In
the classified case, they have to do it without *ever being allowed to
see* the source code. Ow.)

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 14, 2010 22:04 UTC (Sun) by csamuel (✭ supporter ✭, #2624) [Link] (1 responses)

I think the OP was using sarcasm to make the point that a closed source
project was complaining about lack of access to others source code.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 14, 2010 22:51 UTC (Sun) by nix (subscriber, #2304) [Link]

Yes, that is sort of unfortunate, isn't it? Especially given that it's a
closed-source project that went to considerable extra lengths (to the
degree of replacing their frontend, AIUI) to avoid having to go open. :)

The X Security Bug

Posted Feb 14, 2010 21:23 UTC (Sun) by PO8 (guest, #41661) [Link] (9 responses)

We were extremely grateful to Coverity for finding the X security bug reported in the article. That said, I was a little disappointed by the implication that this bug was "completely foolish" and "extravagantly nonsensical". It was an obvious typo, quickly and easily fixed once found. (Further, IMHO this bug only went undetected because of deficiencies in the C type system.) It's the kind of thing that's going to happen in a multi-million-line codebase, and certainly not deserving of "enormous press coverage". "Bugs may have security implications--film at 11!"

It's too bad that we have tried to write a large, reliable and secure system in C / C++ using mere mortals as programmers, but given that reality there will be the occasional dumb bug. Mocking that bug only helps if it encourages a positive change in practices; I'm not sure what what the X developers could realistically have done differently. "Don't typo" is just silly and "formally audit all security code" has proven just too expensive. Our current focus on moving appropriate X server code into the kernel should help, as the X server can then mostly run without dangerous root privileges.

The X Security Bug

Posted Feb 14, 2010 22:07 UTC (Sun) by DOT (subscriber, #58786) [Link]

I think the whole point about Coverity's extensive coverage of "stupid bugs" is precisely that even the dumbest bug will occur in a sufficiently large code base. All it takes is one programmer who couldn't get a cup of coffee that day because the machine was broken.

The X Security Bug

Posted Feb 14, 2010 23:40 UTC (Sun) by wahern (subscriber, #37304) [Link] (1 responses)

The X bug follows from C's treatment of functions as [almost] regular objects. Fortunately, the current trend in language design treats functions as first class objects, but there's the obvious downside to that treatment. One could imagine a similar bug in many other languages, new and old; I wouldn't blame the X bug on C's syntax. Perhaps something like Perl's sigil syntax would have made it more obvious.

The X Security Bug

Posted Feb 15, 2010 7:55 UTC (Mon) by nix (subscriber, #2304) [Link]

Er, you're not saying that *this* sort of bug is the obvious downside to
treating functions as first-class objects? 'cos you only get a bug like
this if you treat functions like *integers*, which is self-evidently nuts
from a practical POV, and only emerges from C because of the loony way it
indicates that a pointer is null (0 indeed!).

The X Security Bug

Posted Feb 15, 2010 0:48 UTC (Mon) by marcH (subscriber, #57642) [Link] (5 responses)

Note that the X security bug is a very minor example in the article.

The X Security Bug

Posted Feb 15, 2010 4:11 UTC (Mon) by ajross (guest, #4563) [Link] (4 responses)

And as I read it, the tone was less "Look how dumb the X developers are!",
but more "See how dumb bugs can creep into codebases as mature as X11?" I
thought it was quite respectful. The real daggers in the article are aimed
at the customers. Some of those examples are hilarious.

The X Security Bug

Posted Feb 15, 2010 7:53 UTC (Mon) by epa (subscriber, #39769) [Link]

I'm surprised that compiler warnings didn't catch that X11 bug; surely in all the variety of compilers that people have used to build X over the past few decades, at least one would have a warning for 'address of function used in comparison' or 'this comparison is always false'. But apparently not.

The X Security Bug

Posted Feb 15, 2010 9:42 UTC (Mon) by nix (subscriber, #2304) [Link] (2 responses)

And even some of those have turned up in the free software world in other forms. This one, for instance: 
int a[2], b;
memset (a, 0, 12);
"No, I meant to do that; they are next to each other."
Hilarious, sure. But when GCC got its unit-at-a-time mode, it transpired that several major codebases (including IIRC the Linux kernel) depended on the fact that, at global scope, defining two objects one after the other would lead to them appearing in a consistent ordering in the resulting object file. (I haven't yet noticed code in the free software world that depends on this at local scope.)

The X Security Bug

Posted Feb 18, 2010 18:40 UTC (Thu) by cesarb (subscriber, #6266) [Link] (1 responses)

I once saw a similar thing, in a different context. The variables were allocated in assembly, so they were guaranteed to be adjacent and in a fixed order. However, _FORTIFY_SOURCE had no way to know that, and converted a perfectly fine memcpy() into a crash.

In that case, "I meant to do that; they are next to each other" is the correct reaction.

See https://bugs.launchpad.net/ubuntu/+source/zsnes/+bug/2504... if you want more details.

The X Security Bug

Posted Feb 20, 2010 13:04 UTC (Sat) by nix (subscriber, #2304) [Link]

In this case, 'I meant to do that, they are next to each other, but maybe
I should keep -D_FORTIFY_SOURCE=1 on and do it in a less insane
fashion'...

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 15, 2010 2:46 UTC (Mon) by fest3er (guest, #60379) [Link]

This is why automated testing should be given much higher priority that it usually gets. One upon a time, I helped design and implement an automated testing system. Early in development, it found a case where two bytes were reversed. The developers insisted the tool was wrong. When the product was released to system testing across the pond and they reported the problem, the developers began to have some respect for the tool. As that tool matured and acquired many test cases, product quality increased significantly. The tool was also good at reproducing field problems.

It's laudable to find bugs before the software product is put together. It's just as laudable to do your darndest to break it--cause your system and its parts to fail--long before a customer ever sees the product; this requires automated test systems.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 15, 2010 3:26 UTC (Mon) by pabs (subscriber, #43278) [Link] (1 responses)

I wonder if there are any Linux distributions running automated static analysis tools over their source/binary archives?

I know Gürkan Sengün used to run rats over the Debian archive as part of lina, which is now discontinued unfortunately:

http://asdfasdf.debian.net/~tar/lina/

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 15, 2010 4:13 UTC (Mon) by Sho (subscriber, #8956) [Link]

While we're not a distro (well, I suppose what our Windows team is doing amounts to being a distro), KDE employs source code analysis with daily web-based reports at http://www.englishbreakfastnetwork.org/

Most of the checker plugins are relatively simple Perl scripts that look for style errors or recommend better classes to use. Some more advanced ones reuse a version of the C++ semantic framework developed for our IDE KDevelop, I believe.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 15, 2010 4:16 UTC (Mon) by anamana (guest, #2787) [Link]

Some of the basic comments in the articles fall into the category of:
"It didn't work like the project back in the lab!"

Which is true. Having worked in the software industry for many years, _nothing_ works like it does in the lab. The work in the lab ends up being 10% of the effort to make a reliable, maintainable product.

I'll also note that the solutions described in the paper describe a project that is a hack on top of a hack - in the bad sense. I can only imagine that their software is fragile and hard to maintain, likely needing many updates just to move forward with natural changes in language and library versions.

Finally, more power to them - software architecture and development is a complicated process, and building tools to simplify and validate that process are what raise the bar in software and system quality.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 15, 2010 5:28 UTC (Mon) by jzbiciak (guest, #5246) [Link] (1 responses)

It must be frustrating walking that fine line between helping your customer find his/her mistakes, and exposing him/her as an idiot. Some of those examples where the customer insisted that the tool was wrong belong on sites like TheDailyWTF.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 19, 2010 15:00 UTC (Fri) by zlynx (guest, #2285) [Link]

Yes indeed. GCC gets more picky every year and optimizes more and more code, requiring stricter compliance to every letter of the C standards.

I find it very funny when projects like Evolution start claiming that the compiler is wrong when some of their very strange code gets exposed as a bug.

open source code checker ?

Posted Feb 15, 2010 11:54 UTC (Mon) by Alterego (guest, #55989) [Link] (8 responses)

Are there some open source code-checkers, for C/C++ ?

I did not find any, except old (and unmaintained?) simple ones.

open source code checker ?

Posted Feb 15, 2010 12:05 UTC (Mon) by baldrick (subscriber, #4123) [Link] (1 responses)

Try clang's static analyser: http://clang-analyzer.llvm.org/

open source code checker ?

Posted Feb 15, 2010 16:13 UTC (Mon) by amit (subscriber, #1274) [Link]

clang is good; but there still are areas it can improve.

I have sample runs on the QEMU source code here:

http://amitshah.fedorapeople.org/clang-output/2010-02-15-1/

Some errors it detects aren't really bugs. Some it detects are real ones, and it does a good job overall, and gives a nice output with indications as to which paths, when taken, would result in badness.

open source code checker ?

Posted Feb 15, 2010 13:19 UTC (Mon) by HelloWorld (guest, #56129) [Link]

There is Dehydra/Treehydra, which is based on the gcc plugin mechanism. Then there is sparse, which is the static analysis Tool used for the Linux kernel.

open source code checker ?

Posted Feb 15, 2010 14:22 UTC (Mon) by andikleen (guest, #39006) [Link]

I agree the article was interesting, especially all the anecdotes

There are several free checkers:

- one simply one is cranking up gcc's various warning options, which
are often surprisingly useful (but again need some work to get
rid of the false positives)
- Then there's clang's checker which I personally didn't find too useful over gcc.
- Then there are the old splint (derivative of lclint).
- There's also a free lint in NetBSD, but I never found it too useful.
- for standard behaviour checker I sometimes use the tendra C compiler,
which is extremly anal in terms of standards.
- And there's sparse. The first thing about sparse is that it doesn't
parse ISO C, it parses "Linus C". Then it's not global and does sometimes
strange things. On the other hand the type based annotation is definitely
useful, if you're willing to uglify your code with that

For non-free ones I used is icc's static checker mode (a lot
of false positives, but also some gems) and gimpel lint.
gimpel lint is probably the most powerful one, but needs
a lot of work to configure for a given code base.

open source code checker ?

Posted Feb 15, 2010 15:21 UTC (Mon) by MisterIO (guest, #36192) [Link]

http://sourceforge.net/projects/cppcheck/

open source code checker ?

Posted Feb 15, 2010 16:37 UTC (Mon) by error27 (subscriber, #8346) [Link] (1 responses)

You could try my checker smatch.

It only checks C (not C++).

The good news is that smatch is easy to set up. The bad news is that I've almost totally focused on the linux kernel so the results may be bogus. Try adding the functions don't return to smatch_data/(project).no_return_funcs and using the -p=(project) option. That was just added last week so it's not documented yet.

I do all my development on an eee, but if I had a bigger compile box it maybe would be fun to test all the C in Debian unstable or something.

Here are some sample results I posted for the kernel.

open source code checker ?

Posted Feb 15, 2010 16:40 UTC (Mon) by error27 (subscriber, #8346) [Link]

Oops. This is the correct url for the sample results.

open source code checker ?

Posted Feb 16, 2010 18:21 UTC (Tue) by hppnq (guest, #14462) [Link]

Coccinelle can also check your code.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 15, 2010 18:37 UTC (Mon) by jeremy_barnes (subscriber, #3987) [Link] (1 responses)

I sat in on one of those meetings in 2006 or 2007 with a sales engineer and a sales guy. It's interesting to hear the story from their point of view; they were pretty courageous to do such a tough job.

As described in the article, they had sent us a tool that we trivially inserted into our build process (about 1 million lines of C++, normally compiled with GCC); as our build was based on GNU Makefiles it all worked fine, with the exception of a couple of compiler failures where we exploited some very dark corners of C++ and relied on GCC's specific behavior.

Before this, we had, gone through our bug database and created a file (coverity.cc) with a whole bunch of code snippets for bugs that we would have really liked to have been able to find automatically with such a tool. In our codebase, most of the low-hanging fruit had already been picked up by using -Wall and -Werror (command line flags to print all warnings and turn them into errors, so a warning would break the build), as well as idiomatic C++ usage that rarely had us dealing directly with memory management or paired operations (eg, lock() and unlock()). We also compiled with multiple versions of G++ on multiple architectures, which also uncovered a lot of potential bugs that were fixed as a matter of course. Finally, the code was run from end to end hundreds of times as part of testing each change, with extremely detailed metrics that allowed us to catch most problems early on before integration.

Their tool performed as advertised: it found about 50 or so errors in the codebase, of which 80% were real bugs, and of which a few could have been quite serious. We were obviously quite impressed.

However, when we asked, it had failed to find any bugs at all in the coverity.cc file. This was not that surprising; they were very idiomatic C++ errors (use of invalidated iterators, reference-taken-before-append, subtle deadlocks etc) that require detailed knowledge of the exact semantics of STL containers, and would be very difficult to trace through the implementation of the various methods (ie, they would need a higher level tool to be written to be useful). But it meant for us that it would not be worth paying for the tool.

The reaction of the Coverity guys was quite amusing. Once the (senior) sales guy heard the attempt of the (junior) sales engineer to explain it away (there was no explanation possible; we wanted a feature that they didn't yet have), he saw that a sale was slipping through their fingers. He immediately (and quite brutally) shut up the junior guy, said something about those features being on their roadmap, and proceeded to hand us all copious schwag including a real bug encased in plastic. 2 minutes later they were outside.

Overall, I was pretty impressed with their product, even if it couldn't take away much of our pain. Their visit also showed the value in many of the techniques (compiler warnings, multiple compiler versions, multiple platforms) that we already used. But mostly, I felt quite sorry for their field sales teams, who really had nearly everything lined up against them. To do that kind of meeting over and over again must have taken real guts: I salute them.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 16, 2010 14:07 UTC (Tue) by nye (subscriber, #51576) [Link]

It's interesting reading about all the checks they didn't include because they would confuse too many people. I wonder if the bugs you were interested in would actually have been caught by checkers they *intentionally* didn't provide.

toyota, subaru, embedded systems truly hidden

Posted Feb 15, 2010 19:55 UTC (Mon) by tonyblackwell (guest, #43641) [Link] (1 responses)

re Toyota. Recent experience of their totally closed systems and implications, and wishing for open systems in my car:

1. Wanted to be able to take out and replace at demand the 2nd row seats in Landcruiser 200; they have inbuilt airbags. Toyota absolutely refused to talk to potential customer re this. All information hidden. Even an elementary block-diagram of the electric circuits was said to be hidden behind 3 passwords, customer not allowed.

What I supposedly learnt from other sources in the industry (no responsibility for this!!):
a. you can reportedly fool the microprocessor by plugging in a resistor variously said on the quiet to be either 2.2 or 3.3 ohms, to make the car computer think the seat is still connected.
b. be careful; you might think disconnecting the seats makes them safe. Wrong; there are capacitors in the seat which actually fire the airbag out through the stitching; so you can trigger the seat in isolation - expensive and dangerous.
c. On another Toyota, not the LC200, the recommended way around this is said to be to disconnect the battery, then sit with your foot on the brake pedal for 20 sec to discharge the capacitors in the seats.
d. There is another trap; if you do it wrong, particularly with any power on the system, the computer "sets a code" which disables the vehicle and only Toyota themselves, not even a dealer, can clear this. Would have to do it with the computer completely unpowered.

2. Came to terms with all of this, just thinking it was "do-able", needed vacuum brakes for a trailer. No usable vacuum on the LC200, found a commercial 12volt unit to generate vacuum, it needed to be connected to the braking system. Word came back indirectly it couldn't be done, as would alter the vehicle braking. A sensible discussion would have elicited from the vacuum braking unit people the volume displacement of their braking connection, and then sensible discussion with toyota looked at same factors in their braking algorithm, to decide if it could be done or not. Needless to say they wouldn't even talk to the customer, let alone discuss such issues. Oh for open systems.

Didn't buy the Toyota, bought Subaru diesel instead, after reading a very forthright, open and honest multi-page Subaru document on their adventures and unexpected challenges in developing their diesel engine. Felt much more like the tone of open-source stuff. Liked it.

Will we ever see access to embedded systems like this. Even the voting system in USA I think now has source code release.

toyota, subaru, embedded systems truly hidden

Posted Feb 16, 2010 12:04 UTC (Tue) by busterb (subscriber, #560) [Link]

A lot of the information you needed was likely available at
https://techinfo.toyota.com/

Unfortunately, the site requires a subscription, and really only works 100%
if you have IE and the old Adobe SVG plugin. 2-day subscriptions are $15, but
you can start on a Friday and it is good through Monday. Best thing to do is
to download everything you need and read offline. I did this for the Prius
and got everything from how to teardown the engine to how the neural network
in the climate control operates.

Poor quality of commercial code

Posted Feb 16, 2010 10:07 UTC (Tue) by leonov (guest, #6295) [Link]

It may have been a biased reading, but what made me chuckle while reading the article was the way it echoed my own poor experiences working with and on commercial software. Opaque tools and build systems, an emphasis on shipping code above all else, and dangerous team members all sound horrible familiar...

At the risk of sounding smug, I have to contrast this with Free Software. I love its quality and transparency. It's developed, and judged, using metrics that favour quality, rather than commercial success.

BTW, in reference to the Toyota sub-thread, I own one of the affected Prius models. While the media has definitely sensationalised a pretty minor issue, it does make me uncomfortable having the braking, steering, and even acceleration systems under control of some (somebody else's) code somewhere. I'm pretty sure we're going the wrong direction with this trend...

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 16, 2010 19:44 UTC (Tue) by lopgok (guest, #43164) [Link] (7 responses)

I think the article shows just how bug prone C and C++ are. Of course you can write bugs in any language, but it should be reasonably difficult. C and C++ make it far too easy.

Languages such as Java and Eiffel initialize all variables, so there are no uninitialized variable bugs. They also do automatic memory management, eliminiting a whole class of bugs.

Languages that do array bounds checking eliminate one of the most common bugs in C/C++ which is buffer overflows.

If you have to rely on external tools to find such errors, that is a big hint that you are using the wrong language.

When I was working on a hard realtime embedded system, that had 512kb of memory, 99% was written in C, and 1% was written in assembly. That was the right mix for the conditions. There is very little justification for writing most code running on a modern processor with many hundreds of megabytes of memory in C or C++.

When I was working on another system, with tens of millions of lines of code, I knew it was doomed, as it was written in C++. There is no reasonably way to make such a large system reliable and secure when facing dedicated attackers.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 17, 2010 12:50 UTC (Wed) by hppnq (guest, #14462) [Link] (3 responses)

Take a look at CWE/SANS Top 25 Most Dangerous Programming Errors. At first glance, five of those can be related to typical C/C++ programming errors.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 17, 2010 23:35 UTC (Wed) by nlucas (guest, #33793) [Link] (2 responses)

They are too much web-centric. I would be surprised if more than 1% of the
web applications were implemented in C or C++.

If you look at a top list of bugs in general then you will certainly see
many/most as possible/common in C or C++, but you can't forget the fact they
already are the top used languages, so what else is new?

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 18, 2010 9:42 UTC (Thu) by hppnq (guest, #14462) [Link] (1 responses)

This is a list of bugs in general: the analysis is based on actual CVEs. It so happens that many bugs are indeed related to applications one typically finds on the web. That means many things, but certainly not that C and C++ are inherently error-prone languages.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 18, 2010 13:30 UTC (Thu) by nlucas (guest, #33793) [Link]

My intended point was exactly what you said (that the list is biased, so can't be used to show that C and C++ are error-prone languages).

But OK, I know I suck at being explicit in what I say. :-(

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 17, 2010 15:46 UTC (Wed) by nye (subscriber, #51576) [Link]

>There is very little justification for writing most code running on a modern processor with many hundreds of megabytes of memory in C or C++.

Well that depends on the situation. How many hundreds of megabytes of L1 cache do you have? How many milliseconds can an operation take before the latency is perceived as sluggishness by the user? How much code do you need to load from an excruciatingly slow magnetic disk?

There is indeed a large class of cases where performance doesn't matter much, but we aren't yet at the point where a developer can always happily use whatever resources they want if it makes programming easier.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 18, 2010 17:37 UTC (Thu) by etienne_lorrain@yahoo.fr (guest, #38022) [Link] (1 responses)

I know three basic kind of languages when dealing with overflow:
In C, if you add 1 to an unsigned 32 bits value, you get an unsigned 32 bits value - so the value may be trucated.
In Smalltalk, if you add 1 to a value, the type of the result may or may not be the type of the operand but the result is the initial value plus one.
In some interpreted languages, numbers are represented as strings of digits and so the value is unlimited.
Is there a different solution in Java or Eiffel or any other language?
Is there even a language which say u32 + u32 = u64 or u32 * u32 = u64 ?

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 19, 2010 8:35 UTC (Fri) by hppnq (guest, #14462) [Link]

Is there a different solution in Java or Eiffel or any other language?

Yes, detect the overflow and raise an error. ;-)

Is there even a language which say u32 + u32 = u64 or u32 * u32 = u64 ?
Well, not like that I guess, but take a look at how for instance Python solves this problem, this PEP might provide some useful information.

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (CACM)

Posted Feb 16, 2010 20:18 UTC (Tue) by pascal_cuoq (guest, #63637) [Link]

By sheer coincidence this CACM article is published at about the same time an unfortunate bug afflicts Toyota cars, and a lot of people promptly make a link between the two and comment along the lines of "ah, they should have used static analysis software, how silly of them not to have..."

There is only one little flaw in this reasoning: perhaps they did!

For all we know, Coverity's software has been run on Toyota's hybrid car. Coverity's static analyzers are quite popular, and I would be more surprised to hear that Toyota hasn't bought a license than to hear it has. Assuming the static analyzer was run on this particular piece of software, perhaps the bug was drowned out in a sea of false positives, or perhaps it wasn't detected at all.

Yes, there are bugs that are not detected by Coverity's product. This is one of the key points in the CACM article, in fact. It does not aim to be correct. Giving up correctness against conventional academic wisdom gave them leeway...(just read the article, I wouldn't do it justice).

Testing, or analyzing, software until it is reasonably sure there is no bug left, is doable. In aeronautics, engineers do it, with success, repeatedly. Simply because they have to: there is a certification authority to which they have to explain what they did and why they think it's convincing proof that the probability of a software bug remaining is negligible.

When they do it with assistance from analysis tools, they use correct static analysis tools: tools that do not remain silent in presence of a bug. This, in principle, is at the cost of more false negatives, but the state of the art has advanced enough for the number of false negatives, for well-defined verification activities, in a pre-established context, to remain contained. It's a far cry from the "buy a CD inside a cardboard box and run it on your code" attitude of Coverity, but it works too. Examples of such tools are the now commercially available Astree and the Open Source Frama-C.

There is no such authority and no equivalent obligation for the automotive industry. If you don't like the idea of dying in a car accident caused by software, write to your representative. Don't be too harsh on Toyota, though: they are only doing what everyone else is doing, because they have to to remain competitive. The same thing is bound to happen to another car integrator, unless the rules of the game are changed for everyone.


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds