Open-source Versus Commercial Software: A Quantitative Comparison

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Open-source Versus Commercial Software: A Quantitative Comparison"

Transcription

1 Open-source Versus Commercial Software: A Quantitative Comparison Rix Groenboom Reasoning NL BV

2 Agenda About Reasoning The Study Inspection Results Analysis Conclusions New results Input for Discussion April Reasoning, Inc 2

3 About Reasoning Reasoning provides an automated inspection service for organizations that develop software Enables building better software in less time and at lower cost Support C, C++, and Java Have inspected over 1B LOC April Reasoning, Inc 3

4 The Study First, some background: Proponents of Open-Source software have long claimed their code is of higher quality Power of peer review Root cause analysis on site enables easier fix Commercial software vendors have long claimed their code is of higher quality Market focused Defined processes for development and testing April Reasoning, Inc 4

5 The Study Why do the study? Our customers wanted to understand the real differences between Open-Source software and Commercial software Reasoning is uniquely positioned to provide this information When was the study performed? Open-source inspection = December 2002 Commercial inspections = Throughout 2002 April Reasoning, Inc 5

6 Used Software Inspection AKA Peer Review Implicit in Extreme Programming Examination of source code to: Detect defects Trace code to requirements Check coding standards April Reasoning, Inc 6

7 Value of Inspections Increased Reliability, Reduced Cost and Time-to-Market Without ASI Software Development Lifecycle Design Code Code Integrate Integrate Test $$$ With ASI Automated Inspections Savings April Reasoning, Inc 7

8 Types of Defects Searched for NULL Pointer Dereference Out of Bounds Array Access Memory Leak Uninitialized Variable Bad Deallocation Using an Automated Software Inspection (ASI) methodology. April Reasoning, Inc 8

9 Architecture ASI Technology Source Code Language Parser Computation Analysis Graph (CAG) Builder Summarize CAGs by Function & Level Detection Rules Symbolic Evaluation Using Value Lattices Potential Violations Reports Defect Review Potential Defects Feasible Path Analysis April Reasoning, Inc 9

10 Project Scope Open Source implementation of TCP/IP in version of Linux Kernel Five commercial implementations of TCP/IP in commercial, general purpose operating systems and telecommunications equipment Why TCP/IP? Well-defined set of published requirements Implementations have been in existence for several years Publicly available conformance tests April Reasoning, Inc 10

11 Can You Spot the Defect? static int sock_fasync(int fd, struct file *filp, int on) { struct fasync_struct *fa, *fna=null, **prev; struct socket *sock; struct sock *sk; If this is true if (on) {.. this memory leaks fna=(struct fasync_struct *)kmalloc(sizeof(struct fasync_struct), GFP_KERNEL); if(fna==null) return -ENOMEM; } sock = socki_lookup(filp->f_dentry->d_inode); if ((sk=sock->sk) == NULL) return -EINVAL;.. and this true April Reasoning, Inc 11

12 DEFECT CLASS: Memory Leak LOCATION: src\linux \net\socket.c : 750 Actual Report DESCRIPTION Local variable fna, declared on line 735, is assigned a pointer to a block of memory allocated by kmalloc on line 741. No other pointer refers to this memory block, so it is inaccessible (still allocated, but unreachable) once fna goes out of scope after line 750. PRECONDITIONS The conditional expression (on) on line 739 evaluates to true AND The conditional expression (fna==null) on line 742 evaluates to false AND The conditional expression ((sk=sock->sk) == NULL) on line 749 evaluates to true. CODE FRAGMENT 733 static int sock_fasync(int fd, struct file *filp, int on) 734 { 735 st ruct f async_st ruc t *f a, *f na=null, **pre v; 736 st r uct socke t *s ock; 737 st r uct sock *s k; i f ( on) 740 { 741 fna=(struct fasync_struct *)kmalloc(sizeof(struct fasync_stru GF P_ KERNEL) ; 742 i f ( f na==null) 743 return -ENOMEM; 744 } sock = socki _l ookup( f i l p- >f _dent r y- >d_i node) ; i f ( ( sk=s ock- >s k) == NULL) 750 re t urn - EI NVAL; l ock_sock( sk) ; pr ev=&( sock- >f as ync _l i st ) ; for (fa=*prev; fa!=null; prev=&fa->fa_next, fa=*prev) 757 i f ( f a- >f a_f i l e==f i l p) 758 br ea k; i f ( on) April Reasoning, Inc 12

13 Defect Overview Memory Leak Null Pointer Dereference Bad Deallocation Out of Bounds Array Access Uninitialized Variable Totals Total Defects in 5 Commercial Implementations Total Defects in Linux Kernel April Reasoning, Inc 13

14 Feedback Linux Developer On OOB access: Nope, not wrong, the table is indexed off-by-one. If you were right, rtnetlink would simply not work. On NPD: In the cases where SKB is NULL, opt is never NULL, check the two callers. On ML: Fixed in the subsequent release. April Reasoning, Inc 14

15 Feedback Commercial Developer For the Linux community to just shrug these off with "well the kernel works so it must be ok" doesn't really cut it. I think the NULL dereference checks should be added, and definitely the out of bounds array checking [..] For example, the out of bounds array reference could start causing a problem by just rearranging the order variables are declared. April Reasoning, Inc 15

16 Fix Rates Reported Repaired % Commercial Implementations Linux Kernel April Reasoning, Inc 16

17 Metrics Comparison D e fe c t D e n s ity Comparison Defects per KLSC W ors tt h ird M iddle Third B est Third 0.00 Industry Average Linux Kernel C om m ercial TC P /IP Linux stack: 0.10 Commercial stack: 0.55 April Reasoning, Inc 17

18 Preliminary Hypothesis Number of Defects? Commercial TCP/IP Peer Review Linux TCP/IP More Research Needed Time Initial defect densities of Open Source vs. Commercial? Defect removal rates of Open Source projects April Reasoning, Inc 18

19 Conclusions Open-source is not inherently worse More research is required Code inspections still find critical defects in extremely well tested software April Reasoning, Inc 19

20 New results Apache test Httpd 2.1-dev (development version 01/31/03) Will determine, track, and report on defect density through lifecycle Results on Java implementation Tomcat Jakarta Results on (soon) What else would you like to see? April Reasoning, Inc 20

21 New results Apache implementation Httpd 2.1-dev (development version from 01/31/03) 31 Defects in 59 KLOC; density 0.53 Normal defect density; non typical defect distribution April Reasoning, Inc 21

22 New results Java inspections: Out of Bounds Array Access NULL pointer dereferences String Comparison Jakarta Tomcat : 11 Defects in 71 KLOC; density 0.15 (Java average commercial software is 0.16). Wait for feedback from the community Next inspection will include resource leaks April Reasoning, Inc 22

23 Towards discussion OK, nice hobby horse for Reasoning and others for research on test efficiency: See SPIder News for a Stanford study on Linux Les Hatton has compared Linux and CMM level Ownership: Who finds the bugs? Who fixes the bugs? Open source: Will commercial end-user will actually make changes to the source? Who will actually review the source (e.g. for quality of the algorithms / security)? April Reasoning, Inc 23

24 Discussion!!! April Reasoning, Inc 24

Lecture 10: Dynamic Memory Allocation 1: Into the jaws of malloc()

Lecture 10: Dynamic Memory Allocation 1: Into the jaws of malloc() CS61: Systems Programming and Machine Organization Harvard University, Fall 2009 Lecture 10: Dynamic Memory Allocation 1: Into the jaws of malloc() Prof. Matt Welsh October 6, 2009 Topics for today Dynamic

More information

Scoping (Readings 7.1,7.4,7.6) Parameter passing methods (7.5) Building symbol tables (7.6)

Scoping (Readings 7.1,7.4,7.6) Parameter passing methods (7.5) Building symbol tables (7.6) Semantic Analysis Scoping (Readings 7.1,7.4,7.6) Static Dynamic Parameter passing methods (7.5) Building symbol tables (7.6) How to use them to find multiply-declared and undeclared variables Type checking

More information

Oracle Solaris Studio Code Analyzer

Oracle Solaris Studio Code Analyzer Oracle Solaris Studio Code Analyzer The Oracle Solaris Studio Code Analyzer ensures application reliability and security by detecting application vulnerabilities, including memory leaks and memory access

More information

Static Analysis. Find the Bug! 15-654: Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Static Analysis. Find the Bug! 15-654: Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled Static Analysis 15-654: Analysis of Software Artifacts Jonathan Aldrich 1 Find the Bug! Source: Engler et al., Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions, OSDI

More information

Software Reliability Estimation Based on Static Error Detection

Software Reliability Estimation Based on Static Error Detection 7 th Central and Eastern European Software Engineering Conference in Russia - CEE-SECR 2011 October 31 November 3, Moscow Software Reliability Estimation Based on Static M. Moiseev, M. Glukhikh, A. Karpenko,

More information

GDB Tutorial. A Walkthrough with Examples. CMSC 212 - Spring 2009. Last modified March 22, 2009. GDB Tutorial

GDB Tutorial. A Walkthrough with Examples. CMSC 212 - Spring 2009. Last modified March 22, 2009. GDB Tutorial A Walkthrough with Examples CMSC 212 - Spring 2009 Last modified March 22, 2009 What is gdb? GNU Debugger A debugger for several languages, including C and C++ It allows you to inspect what the program

More information

How Safe does my Code Need to be? Shawn A. Prestridge, Senior Field Applications Engineer

How Safe does my Code Need to be? Shawn A. Prestridge, Senior Field Applications Engineer How Safe does my Code Need to be? Shawn A. Prestridge, Senior Field Applications Engineer Agendum What the benefits of Functional Safety are What the most popular safety certifications are Why you should

More information

Fundamentals of Measurements

Fundamentals of Measurements Objective Software Project Measurements Slide 1 Fundamentals of Measurements Educational Objective: To review the fundamentals of software measurement, to illustrate that measurement plays a central role

More information

Kernel Intrusion Detection System

Kernel Intrusion Detection System Kernel Intrusion Detection System Rodrigo Rubira Branco rodrigo@kernelhacking.com rodrigo@risesecurity.org Monica's Team!! Brazilian famous H.Q. story Amazon Forest Yeah, Brazilian country! Soccer Brazilian

More information

Applying Clang Static Analyzer to Linux Kernel

Applying Clang Static Analyzer to Linux Kernel Applying Clang Static Analyzer to Linux Kernel 2012/6/7 FUJITSU COMPUTER TECHNOLOGIES LIMITED Hiroo MATSUMOTO 管 理 番 号 1154ka1 Copyright 2012 FUJITSU COMPUTER TECHNOLOGIES LIMITED Abstract Now there are

More information

Stack Allocation. Run-Time Data Structures. Static Structures

Stack Allocation. Run-Time Data Structures. Static Structures Run-Time Data Structures Stack Allocation Static Structures For static structures, a fixed address is used throughout execution. This is the oldest and simplest memory organization. In current compilers,

More information

Introduction to Static Analysis for Assurance

Introduction to Static Analysis for Assurance Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1 Overview What is static analysis?

More information

Two case studies of Open Source Software Development: Apache and Mozilla

Two case studies of Open Source Software Development: Apache and Mozilla 1 Two case studies of Open Source Software Development: Apache and Mozilla Audris Mockus, Roy Fielding, and James D Herbsleb Presented by Jingyue Li 2 Outline Research questions Research methods Data collection

More information

Technical paper review. Program visualization and explanation for novice C programmers by Matthew Heinsen Egan and Chris McDonald.

Technical paper review. Program visualization and explanation for novice C programmers by Matthew Heinsen Egan and Chris McDonald. Technical paper review Program visualization and explanation for novice C programmers by Matthew Heinsen Egan and Chris McDonald Garvit Pahal Indian Institute of Technology, Kanpur October 28, 2014 Garvit

More information

Client-server Sockets

Client-server Sockets Client-server Sockets 1 How to Write a Network Based Program (Using Microchip's TCP/IP Stack) A network based program that uses the Client-server architecture must create at least two separate programs,

More information

Software Engineering Concepts: Testing. Pointers & Dynamic Allocation. CS 311 Data Structures and Algorithms Lecture Slides Monday, September 14, 2009

Software Engineering Concepts: Testing. Pointers & Dynamic Allocation. CS 311 Data Structures and Algorithms Lecture Slides Monday, September 14, 2009 Software Engineering Concepts: Testing Simple Class Example continued Pointers & Dynamic Allocation CS 311 Data Structures and Algorithms Lecture Slides Monday, September 14, 2009 Glenn G. Chappell Department

More information

Operating Systems Design 16. Networking: Sockets

Operating Systems Design 16. Networking: Sockets Operating Systems Design 16. Networking: Sockets Paul Krzyzanowski pxk@cs.rutgers.edu 1 Sockets IP lets us send data between machines TCP & UDP are transport layer protocols Contain port number to identify

More information

Lecture 11 Doubly Linked Lists & Array of Linked Lists. Doubly Linked Lists

Lecture 11 Doubly Linked Lists & Array of Linked Lists. Doubly Linked Lists Lecture 11 Doubly Linked Lists & Array of Linked Lists In this lecture Doubly linked lists Array of Linked Lists Creating an Array of Linked Lists Representing a Sparse Matrix Defining a Node for a Sparse

More information

Not agree with bug 3, precision actually was. 8,5 not set in the code. Not agree with bug 3, precision actually was

Not agree with bug 3, precision actually was. 8,5 not set in the code. Not agree with bug 3, precision actually was Task 1 Task 2 Task 3 Feedback Presence SUM Matrikkel Rühm [5] [1] [2] [1] [1] [10] Feedback to students A64129 1. rühm 0 0 No submission found A72068 1. rühm 5 1 2 1 1 For Bug 3. Actually the variable

More information

No no-argument constructor. No default constructor found

No no-argument constructor. No default constructor found Every software developer deals with bugs. The really tough bugs aren t detected by the compiler. Nasty bugs manifest themselves only when executed at runtime. Here is a list of the top ten difficult and

More information

Transparent Monitoring of a Process Self in a Virtual Environment

Transparent Monitoring of a Process Self in a Virtual Environment Transparent Monitoring of a Process Self in a Virtual Environment PhD Lunchtime Seminar Università di Pisa 24 Giugno 2008 Outline Background Process Self Attacks Against the Self Dynamic and Static Analysis

More information

CPSC 213. C vs. Java. Introduction to Computer Systems. Reading. Java Hello World... C Hello World... C, Pointers, and Dynamic Allocation.

CPSC 213. C vs. Java. Introduction to Computer Systems. Reading. Java Hello World... C Hello World... C, Pointers, and Dynamic Allocation. Reading CPSC 213 Textbook New to C, Understanding Pointers, The malloc and free Functions, Why Dynamic Memory Allocation 2ed: "New to C" sidebar of 34, 310, 991-992 1ed: "New to C" sidebar of 34, 311,1091-1092

More information

A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge

A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge Antonio Bianchi antoniob@cs.ucsb.edu University of California, Santa Barbara HITCON Enterprise August 27th, 2015 Agenda Shellphish The

More information

Abstract Data Type. EECS 281: Data Structures and Algorithms. The Foundation: Data Structures and Abstract Data Types

Abstract Data Type. EECS 281: Data Structures and Algorithms. The Foundation: Data Structures and Abstract Data Types EECS 281: Data Structures and Algorithms The Foundation: Data Structures and Abstract Data Types Computer science is the science of abstraction. Abstract Data Type Abstraction of a data structure on that

More information

The V8 JavaScript Engine

The V8 JavaScript Engine The V8 JavaScript Engine Design, Implementation, Testing and Benchmarking Mads Ager, Software Engineer Agenda Part 1: What is JavaScript? Part 2: V8 internals Part 3: V8 testing and benchmarking What is

More information

Detecting Critical Defects on the Developer s Desktop

Detecting Critical Defects on the Developer s Desktop Detecting Critical Defects on the Developer s Desktop Seth Hallem CEO Coverity, Inc. Copyright Coverity, Inc. 2006. All Rights Reserved. This publication, in whole or in part, may not be reproduced, stored

More information

Does Java Technology Have Memory Leaks? Ed Lycklama Chief Technology Officer, KL Group Inc.

Does Java Technology Have Memory Leaks? Ed Lycklama Chief Technology Officer, KL Group Inc. Does Java Technology Have Memory Leaks? Ed Lycklama Chief Technology Officer, KL Group Inc. 1105130516, Ed Lycklama 1 Overview Garbage collection review What is a memory leak? Common patterns Tools & Demo

More information

Software Engineering Compiled By: Roshani Ghimire Page 1

Software Engineering Compiled By: Roshani Ghimire Page 1 Unit 7: Metric for Process and Product 7.1 Software Measurement Measurement is the process by which numbers or symbols are assigned to the attributes of entities in the real world in such a way as to define

More information

2. Names, Scopes, and Bindings

2. Names, Scopes, and Bindings 2. Names, Scopes, and Bindings Binding, Lifetime, Static Scope, Encapsulation and Modules, Dynamic Scope Copyright 2010 by John S. Mallozzi Names Variables Bindings Binding time Language design issues

More information

Static Code Analysis Procedures in the Development Cycle

Static Code Analysis Procedures in the Development Cycle Static Code Analysis Procedures in the Development Cycle Tools, Technology, and Process in Engineering at Microsoft Mooly Beeri Microsoft Haifa R&D Center Agenda Static code analysis tools PREfix and PREfast

More information

An Introduction to. Metrics. used during. Software Development

An Introduction to. Metrics. used during. Software Development An Introduction to Metrics used during Software Development Life Cycle www.softwaretestinggenius.com Page 1 of 10 Define the Metric Objectives You can t control what you can t measure. This is a quote

More information

Gold Standard Method for Benchmarking C Source Code Static Analysis Tools

Gold Standard Method for Benchmarking C Source Code Static Analysis Tools Gold Standard Method for Benchmarking C Source Code Static Analysis Tools Cyber Security Division 2012 Principal Investigators Meeting October 11, 2012 Henny Sipma Sr. Computer Scientist Kestrel Technology,

More information

Defect Prevention: A Tester s Role in Process Improvement and reducing the Cost of Poor Quality. Mike Ennis, Senior Test Manager Accenture

Defect Prevention: A Tester s Role in Process Improvement and reducing the Cost of Poor Quality. Mike Ennis, Senior Test Manager Accenture Defect Prevention: A Tester s Role in Process Improvement and reducing the Cost of Poor Quality Mike Ennis, Senior Test Manager Accenture IISP, 1996-2008 www.spinstitute.org 1 Defect Prevention versus

More information

Compiler Design Prof. Y. N. Srikant Department of Computer Science and Automation Indian Institute of Science, Bangalore

Compiler Design Prof. Y. N. Srikant Department of Computer Science and Automation Indian Institute of Science, Bangalore Compiler Design Prof. Y. N. Srikant Department of Computer Science and Automation Indian Institute of Science, Bangalore Module No. # 02 Lecture No. # 05 Run-time Environments-Part 3 and Local Optimizations

More information

Quiz 4 Solutions EECS 211: FUNDAMENTALS OF COMPUTER PROGRAMMING II. 1 Q u i z 4 S o l u t i o n s

Quiz 4 Solutions EECS 211: FUNDAMENTALS OF COMPUTER PROGRAMMING II. 1 Q u i z 4 S o l u t i o n s Quiz 4 Solutions Q1: What value does function mystery return when called with a value of 4? int mystery ( int number ) { if ( number

More information

Software Engineering Techniques

Software Engineering Techniques Software Engineering Techniques Low level design issues for programming-in-the-large. Software Quality Design by contract Pre- and post conditions Class invariants Ten do Ten do nots Another type of summary

More information

Frysk The Systems Monitoring and Debugging Tool. Andrew Cagney

Frysk The Systems Monitoring and Debugging Tool. Andrew Cagney Frysk The Systems Monitoring and Debugging Tool Andrew Cagney Agenda Two Use Cases Motivation Comparison with Existing Free Technologies The Frysk Architecture and GUI Command Line Utilities Current Status

More information

The C Programming Language course syllabus associate level

The C Programming Language course syllabus associate level TECHNOLOGIES The C Programming Language course syllabus associate level Course description The course fully covers the basics of programming in the C programming language and demonstrates fundamental programming

More information

CSE 303: Concepts and Tools for Software Development

CSE 303: Concepts and Tools for Software Development CSE 303: Concepts and Tools for Software Development Dan Grossman Spring 2005 Lecture 25 Memory-Management Idioms Dan Grossman CSE303 Spring 2005, Lecture 25 1 No tools or rule today Review: Java and C

More information

Pareon Verify. Test suite for dynamic software verification. Detect the hard-to-find errors other tools can t

Pareon Verify. Test suite for dynamic software verification. Detect the hard-to-find errors other tools can t Pareon Verify Test suite for dynamic software verification Detect the hard-to-find errors other tools can t We are going to definitely incorporate the Vector Fabrics tools as an important part of our quality

More information

Monitoring, Tracing, Debugging (Under Construction)

Monitoring, Tracing, Debugging (Under Construction) Monitoring, Tracing, Debugging (Under Construction) I was already tempted to drop this topic from my lecture on operating systems when I found Stephan Siemen's article "Top Speed" in Linux World 10/2003.

More information

A Test Suite for Basic CWE Effectiveness. Paul E. Black. paul.black@nist.gov. http://samate.nist.gov/

A Test Suite for Basic CWE Effectiveness. Paul E. Black. paul.black@nist.gov. http://samate.nist.gov/ A Test Suite for Basic CWE Effectiveness Paul E. Black paul.black@nist.gov http://samate.nist.gov/ Static Analysis Tool Exposition (SATE V) News l We choose test cases by end of May l Tool output uploaded

More information

Memory Management in Java

Memory Management in Java CMSC 433 Programming Language Technologies and Paradigms Spring 2006 Memory Management Memory Management in Java Local variables live on the Allocated at method invocation time Deallocated when method

More information

Understanding Valgrind memory leak reports

Understanding Valgrind memory leak reports Understanding Valgrind memory leak reports Aleksander Morgado aleksander@es.gnu.org Thanks to the development team of Azetti Networks not only for supplying so many example memory leaks, but also for their

More information

Extended Static Checking for Java

Extended Static Checking for Java Lukas TU München - Seminar Verification 14. Juli 2011 Outline 1 Motivation 2 ESC/Java example 3 ESC/JAVA architecture VC generator Simplify 4 JML + ESC/Java annotation language JML What ESC/Java checks

More information

Effective Software Verification for Medical Devices

Effective Software Verification for Medical Devices STERLINGTECH AND KLOCWORK WHITE PAPER NOVEMBER 2009 Effective Software Verification for Medical Devices Achieving compliance and meeting productivity goals with static analysis In addition to producing

More information

Introduction to Software Engineering. 8. Software Quality

Introduction to Software Engineering. 8. Software Quality Introduction to Software Engineering 8. Software Quality Roadmap > What is quality? > Quality Attributes > Quality Assurance: Planning and Reviewing > Quality System and Standards 2 Sources > Software

More information

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland Software Testing & Analysis (F22ST3) Static Analysis Techniques Andrew Ireland School of Mathematical and Computer Science Heriot-Watt University Edinburgh Software Testing & Analysis (F22ST3): Static

More information

Group number 24 Joni Saarinen Daniel Kullberg

Group number 24 Joni Saarinen Daniel Kullberg C# Group number 24 Joni Saarinen Daniel Kullberg C# (pronounced C sharp) is a multi paradigm programming language developed by Microsoft. It is primarily an imperative language but support for functional

More information

Secure Programming with Static Analysis. Jacob West jacob@fortify.com

Secure Programming with Static Analysis. Jacob West jacob@fortify.com Secure Programming with Static Analysis Jacob West jacob@fortify.com Software Systems that are Ubiquitous Connected Dependable Complexity U Unforeseen Consequences Software Security Today The line between

More information

The FDA Forensics Lab, New Tools and Capabilities

The FDA Forensics Lab, New Tools and Capabilities U. S. Department of Health and Human Services The FDA Forensics Lab, New Tools and Capabilities Symposium on Static Code Analysis and Complex Medical Devices University of Minnesota July 23, 2009 Static

More information

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY. 6.828 Operating System Engineering: Fall 2005

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY. 6.828 Operating System Engineering: Fall 2005 Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.828 Operating System Engineering: Fall 2005 Quiz II Solutions Average 84, median 83, standard deviation

More information

Software testing. Objectives

Software testing. Objectives Software testing cmsc435-1 Objectives To discuss the distinctions between validation testing and defect testing To describe the principles of system and component testing To describe strategies for generating

More information

COVERITY SCAN: 2013 OPEN SOURCE REPORT. Coverity Scan: 2013 Open Source Report

COVERITY SCAN: 2013 OPEN SOURCE REPORT. Coverity Scan: 2013 Open Source Report Coverity Scan: 2013 Open Source Report Coverity Scan: A Brief Introduction 2 Open Source is Eating the World 3 The State of Open Source Software Quality: C/C++ 6 Linux: Through the Years 12 Key Differences:

More information

Jonathan Worthington Scarborough Linux User Group

Jonathan Worthington Scarborough Linux User Group Jonathan Worthington Scarborough Linux User Group Introduction What does a Virtual Machine do? Hides away the details of the hardware platform and operating system. Defines a common set of instructions.

More information

Molecular Dynamics Simulations with Applications in Soft Matter Handout 7 Memory Diagram of a Struct

Molecular Dynamics Simulations with Applications in Soft Matter Handout 7 Memory Diagram of a Struct Dr. Martin O. Steinhauser University of Basel Graduate Lecture Spring Semester 2014 Molecular Dynamics Simulations with Applications in Soft Matter Handout 7 Memory Diagram of a Struct Friday, 7 th March

More information

Fully Automated Static Analysis of Fedora Packages

Fully Automated Static Analysis of Fedora Packages Fully Automated Static Analysis of Fedora Packages Red Hat Kamil Dudka August 9th, 2014 Abstract There are static analysis tools (such as Clang or Cppcheck) that are able to find bugs in Fedora packages

More information

Linux Kernel. Security Report

Linux Kernel. Security Report Linux Kernel Security Report September 25 Authors: Andy Chou, Bryan Fulton and Seth Hallem Coverity has combined two years of analysis work carried out in a commercial setting at Coverity with four years

More information

General Introduction

General Introduction Managed Runtime Technology: General Introduction Xiao-Feng Li (xiaofeng.li@gmail.com) 2012-10-10 Agenda Virtual machines Managed runtime systems EE and MM (JIT and GC) Summary 10/10/2012 Managed Runtime

More information

Darshan Institute of Engineering & Technology Unit : 7

Darshan Institute of Engineering & Technology Unit : 7 1) Explain quality control and also explain cost of quality. Quality Control Quality control involves the series of inspections, reviews, and tests used throughout the software process to ensure each work

More information

Measuring Software Complexity to Target Risky Modules in Autonomous Vehicle Systems

Measuring Software Complexity to Target Risky Modules in Autonomous Vehicle Systems Measuring Software Complexity to Target Risky Modules in Autonomous Vehicle Systems M. N. Clark, Bryan Salesky, Chris Urmson Carnegie Mellon University Dale Brenneman McCabe Software Inc. Corresponding

More information

Variables. CS181: Programming Languages

Variables. CS181: Programming Languages Variables CS181: Programming Languages Topics: Static vs. dynamic typing Strong vs. weak typing Pointers vs. references Vladimir Vacic, Christos Koufogiannakis, University of California at Riverside 2

More information

Semantic Analysis: Types and Type Checking

Semantic Analysis: Types and Type Checking Semantic Analysis Semantic Analysis: Types and Type Checking CS 471 October 10, 2007 Source code Lexical Analysis tokens Syntactic Analysis AST Semantic Analysis AST Intermediate Code Gen lexical errors

More information

Professional Android Application Development

Professional Android Application Development Course Outline: Professional Android Application Development 1. Introduction to Android Overview of Android and Android SDK History of Android Android Features Development 2. Android Architecture Overview

More information

Coverity Scan. Big Data Spotlight

Coverity Scan. Big Data Spotlight Coverity Scan Big Data Spotlight Coverity Scan Service The Coverity Scan service began as the largest public-private sector research project in the world focused on open source software quality and security.

More information

Java Monitoring. Stuff You Can Get For Free (And Stuff You Can t) Paul Jasek Sales Engineer

Java Monitoring. Stuff You Can Get For Free (And Stuff You Can t) Paul Jasek Sales Engineer Java Monitoring Stuff You Can Get For Free (And Stuff You Can t) Paul Jasek Sales Engineer A Bit About Me Current: Past: Pre-Sales Engineer (1997 present) WaveMaker Wily Persistence GemStone Application

More information

Deploying Containers in Production and at Scale

Deploying Containers in Production and at Scale sunil@mesosphere.io Deploying Containers in Production and at Scale 1. Mesosphere and the DCOS 2. Running a Production Cluster: Four Themes 2 About Me Engineer at Mesosphere who wants to make life easier

More information

Development Testing for Agile Environments

Development Testing for Agile Environments Development Testing for Agile Environments November 2011 The Pressure Is On More than ever before, companies are being asked to do things faster. They need to get products to market faster to remain competitive

More information

SOFTWARE ENGINEERING 2: OBJECT ORIENTED SOFTWARE ENGINEERING

SOFTWARE ENGINEERING 2: OBJECT ORIENTED SOFTWARE ENGINEERING SOFTWARE ENGINEERING 2: OBJECT ORIENTED SOFTWARE ENGINEERING 1. This is a general question about Object Oriented Software Engineering. a) Compare and contrast how software complexity is handled in Structured

More information

Memory Debugging with TotalView on AIX and Linux/Power

Memory Debugging with TotalView on AIX and Linux/Power S cico m P Austin Aug 2004 Memory Debugging with TotalView on AIX and Linux/Power Chris Gottbrath Memory Debugging in AIX and Linux-Power Clusters Intro: Define the problem and terms What are Memory bugs?

More information

Source Code Security Analysis Tool Functional Specification Version 1.0

Source Code Security Analysis Tool Functional Specification Version 1.0 Special Publication 500-268 Source Code Security Analysis Tool Functional Specification Version 1.0 Paul E. Black Michael Kass Michael Koo Software Diagnostics and Conformance Testing Division Information

More information

LINKED DATA STRUCTURES

LINKED DATA STRUCTURES LINKED DATA STRUCTURES 1 Linked Lists A linked list is a structure in which objects refer to the same kind of object, and where: the objects, called nodes, are linked in a linear sequence. we keep a reference

More information

Module 10. Coding and Testing. Version 2 CSE IIT, Kharagpur

Module 10. Coding and Testing. Version 2 CSE IIT, Kharagpur Module 10 Coding and Testing Lesson 23 Code Review Specific Instructional Objectives At the end of this lesson the student would be able to: Identify the necessity of coding standards. Differentiate between

More information

Dynamic Memory Management

Dynamic Memory Management Dynamic Memory Management 1 Goals of this Lecture Help you learn about: The need for dynamic* memory management (DMM) Implementing DMM using the heap section Implementing DMM using virtual memory * During

More information

Tomcat Tuning. Mark Thomas April 2009

Tomcat Tuning. Mark Thomas April 2009 Tomcat Tuning Mark Thomas April 2009 Who am I? Apache Tomcat committer Resolved 1,500+ Tomcat bugs Apache Tomcat PMC member Member of the Apache Software Foundation Member of the ASF security committee

More information

Application-Level Debugging and Profiling: Gaps in the Tool Ecosystem. Dr Rosemary Francis, Ellexus

Application-Level Debugging and Profiling: Gaps in the Tool Ecosystem. Dr Rosemary Francis, Ellexus Application-Level Debugging and Profiling: Gaps in the Tool Ecosystem Dr Rosemary Francis, Ellexus For years instruction-level debuggers and profilers have improved in leaps and bounds. Similarly, system-level

More information

CPSC 330 Software Engineering

CPSC 330 Software Engineering CPSC 330 Software Engineering Lecture 4: Unit ing, JUnit, and Software Development Processes Today Unit ing and JUnit Software Development Processes (as time allows) Reading Assignment Lifecycle handout

More information

Verification and Validation of Software Components and Component Based Software Systems

Verification and Validation of Software Components and Component Based Software Systems Chapter 5 29 Verification and Validation of Software Components and Component Based Christina Wallin Industrial Information Technology Software Engineering Processes ABB Corporate Research christina.wallin@mdh.se

More information

Data Structure with C

Data Structure with C Subject: Data Structure with C Topic : Tree Tree A tree is a set of nodes that either:is empty or has a designated node, called the root, from which hierarchically descend zero or more subtrees, which

More information

Know or Go Practical Quest for Reliable Software

Know or Go Practical Quest for Reliable Software Know or Go Practical Quest for Reliable Software Dr.-Ing. Jörg Barrho Dr.-Ing. Ulrich Wünsche AVACS Project meeting 25.09.2014 2014 Rolls-Royce Power Systems AG The information in this document is the

More information

Test-driving static analysis tools in search of C code vulnerabilities

Test-driving static analysis tools in search of C code vulnerabilities Test-driving static analysis tools in search of C code vulnerabilities George Chatzieleftheriou Aristotle University of Thessaloniki Department of Informatics Thessaloniki, Greece e-mail: gchatzie@csd.auth.gr

More information

Security types to the rescue

Security types to the rescue Security types to the rescue p. 1 Security types to the rescue David Wagner and Rob Johnson {daw,rtjohnso}@cs.berkeley.edu University of California, Berkeley Security types to the rescue p. 2 Problem statement

More information

Software Engineering Prof. Umesh Bellur Dept. of Computer Science & Engineering IIT Bombay

Software Engineering Prof. Umesh Bellur Dept. of Computer Science & Engineering IIT Bombay Software Engineering Prof. Umesh Bellur Dept. of Computer Science & Engineering IIT Bombay Verification & Validation, Inspection, Clean room development Lecture # 22 Today we are going to be talking about

More information

TOOL EVALUATION REPORT: FORTIFY

TOOL EVALUATION REPORT: FORTIFY TOOL EVALUATION REPORT: FORTIFY Derek D Souza, Yoon Phil Kim, Tim Kral, Tejas Ranade, Somesh Sasalatti ABOUT THE TOOL Background The tool that we have evaluated is the Fortify Source Code Analyzer (Fortify

More information

Linux Titan Distribution. Presented By: Adham Helal Amgad Madkour Ayman El Sayed Emad Zakaria

Linux Titan Distribution. Presented By: Adham Helal Amgad Madkour Ayman El Sayed Emad Zakaria Linux Titan Distribution Presented By: Adham Helal Amgad Madkour Ayman El Sayed Emad Zakaria What Is a Linux Distribution? What is a Linux Distribution? The distribution contains groups of packages and

More information

An Overview of a Compiler

An Overview of a Compiler An Overview of a Compiler Department of Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Principles of Compiler Design Outline of the Lecture About the course

More information

DHCP and DNS Protocols

DHCP and DNS Protocols DHCP and DNS Protocols DHCP (Dynamic Host Configuration Protocol) is an industry standard protocol that lets a DHCP server (Unix/Window/As400 system) allocate temporary IP addresses and other network parameters

More information

BEAJRockit. Using the BEA JRockit. Memory Leak Detector

BEAJRockit. Using the BEA JRockit. Memory Leak Detector BEAJRockit Memory Leak Detector Using the BEA JRockit Memory Leak Detector JRockit 5.0 Service Pack 2 June 2005 Copyright Copyright 2005 BEA Systems, Inc. All Rights Reserved. Restricted Rights Legend

More information

System Security Fundamentals

System Security Fundamentals System Security Fundamentals Alessandro Barenghi Dipartimento di Elettronica, Informazione e Bioingegneria Politecnico di Milano alessandro.barenghi - at - polimi.it April 28, 2015 Lesson contents Overview

More information

Multiprocessor Scheduling and Scheduling in Linux Kernel 2.6

Multiprocessor Scheduling and Scheduling in Linux Kernel 2.6 Multiprocessor Scheduling and Scheduling in Linux Kernel 2.6 Winter Term 2008 / 2009 Jun.-Prof. Dr. André Brinkmann Andre.Brinkmann@uni-paderborn.de Universität Paderborn PC² Agenda Multiprocessor and

More information

(Refer Slide Time: 01:52)

(Refer Slide Time: 01:52) Software Engineering Prof. N. L. Sarda Computer Science & Engineering Indian Institute of Technology, Bombay Lecture - 2 Introduction to Software Engineering Challenges, Process Models etc (Part 2) This

More information

Memory management. Announcements. Safe user input. Function pointers. Uses of function pointers. Function pointer example

Memory management. Announcements. Safe user input. Function pointers. Uses of function pointers. Function pointer example Announcements Memory management Assignment 2 posted, due Friday Do two of the three problems Assignment 1 graded see grades on CMS Lecture 7 CS 113 Spring 2008 2 Safe user input If you use scanf(), include

More information

Upping the game. Improving your software development process

Upping the game. Improving your software development process Upping the game Improving your software development process John Ferguson Smart Principle Consultant Wakaleo Consulting Email: john.smart@wakaleo.com Web: http://www.wakaleo.com Twitter: wakaleo Presentation

More information

Baseline Code Analysis Using McCabe IQ

Baseline Code Analysis Using McCabe IQ White Paper Table of Contents What is Baseline Code Analysis?.....2 Importance of Baseline Code Analysis...2 The Objectives of Baseline Code Analysis...4 Best Practices for Baseline Code Analysis...4 Challenges

More information

The Virtualization Practice

The Virtualization Practice The Virtualization Practice White Paper: Managing Applications in Docker Containers Bernd Harzog Analyst Virtualization and Cloud Performance Management October 2014 Abstract Docker has captured the attention

More information

Smooks Dev Tools Reference Guide. Version: 1.1.0.GA

Smooks Dev Tools Reference Guide. Version: 1.1.0.GA Smooks Dev Tools Reference Guide Version: 1.1.0.GA Smooks Dev Tools Reference Guide 1. Introduction... 1 1.1. Key Features of Smooks Tools... 1 1.2. What is Smooks?... 1 1.3. What is Smooks Tools?... 2

More information

Confirmation Bias as a Human Aspect in Software Engineering

Confirmation Bias as a Human Aspect in Software Engineering Confirmation Bias as a Human Aspect in Software Engineering Gul Calikli, PhD Data Science Laboratory, Department of Mechanical and Industrial Engineering, Ryerson University Why Human Aspects in Software

More information

LEVERAGING DEDUCTIVE VERIFICATION IN INDUSTRIAL CONTEXTS

LEVERAGING DEDUCTIVE VERIFICATION IN INDUSTRIAL CONTEXTS LEVERAGING DEDUCTIVE VERIFICATION IN INDUSTRIAL CONTEXTS CEA S SOFTWARE SAFETY LABORATORY 1995: LEAP FROM DYNAMIC TO STATIC CODE ANALYSIS! CAVEAT: ARCHITECTURE C source code VC Generator Formal specifications

More information

School of Computing and Information Sciences. Course Title: Computer Programming III Date: April 9, 2014

School of Computing and Information Sciences. Course Title: Computer Programming III Date: April 9, 2014 Course Title: Computer Date: April 9, 2014 Course Number: Number of Credits: 3 Subject Area: Programming Subject Area Coordinator: Tim Downey email: downeyt@cis.fiu.edu Catalog Description: Programming

More information

Software Engineering Introduction & Background. Complaints. General Problems. Department of Computer Science Kent State University

Software Engineering Introduction & Background. Complaints. General Problems. Department of Computer Science Kent State University Software Engineering Introduction & Background Department of Computer Science Kent State University Complaints Software production is often done by amateurs Software development is done by tinkering or

More information