Linked by Thom Holwerda on Tue 19th Jul 2005 19:23 UTC, submitted by Just_A_User
FreeBSD On Tuesday, code-analysis software maker Coverity announced that its automated bug finding tool had analyzed the community-built operating system FreeBSD and flagged 306 potential software flaws, or about one issue for every 4,000 lines of code. The low number of flaws found by the system underscores that FreeBSD's manual auditing by project members has reduced the vulnerabilities in the operating system, said Seth Hallem, CEO of Coverity.
Thread beginning with comment 6419
the shape of things to come
by butters on Tue 19th Jul 2005 20:48 UTC

Static analysis has become the rule as opposed to the exception. It started with large commercial projects, but the development of world-class static analysis tools has been helped enormously by open source projects. The extent of their use is so significant that the rest of the commercial software development world is following suit to remain competitive.

Microsoft was mentioned in the article, but my job right now is integrating static analysis into IBM's AIX development process. The tool we use is called BEAM (Bugs, Errors, And Mistakes), and yes, I will do my best to convince management to consider open sourcing it. We do use it for developing Linux on POWER as well as for many other C/C++ systems programming applications. My project is to make sure that all source code that gets checked into AIX is "beamed" beforehand, and that all problems are properly resolved.

Open source apps definitely have fewer statically identifiable problems than does proprietary software. Most of the problems we find are edge cases where an uninitialized variable, null dereference, or memory leak can result. Static analysis tools also report lots of false positives. Most commonly these involve passing null pointers to functions that check their parameters properly, malloc-like functions, or functions that exit.

Lint or Splint is available open source, and Coverity offers a free trial of their Prevent software.

Reply Score: 5
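
An added illustration, not code from the thread or from BEAM: the three false-positive patterns named in the comment above (a null pointer passed to a function that checks its parameter, a malloc-like function, and a function that exits), written in C with GCC/Clang function attributes as one way to state what each callee guarantees. All function names are hypothetical, and whether a particular analyzer honors these attributes is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers; none of these names come from the thread. */

/* A function that exits. Without the noreturn attribute, an analyzer that
   cannot see this body assumes control returns to the caller. */
__attribute__((noreturn)) static void die(const char *msg) {
    fprintf(stderr, "fatal: %s\n", msg);
    exit(EXIT_FAILURE);
}

/* A malloc-like function: never returns NULL because it exits instead. */
__attribute__((malloc, returns_nonnull)) static void *xmalloc(size_t n) {
    void *p = malloc(n ? n : 1);
    if (p == NULL)
        die("out of memory");
    return p;
}

/* A function that checks its parameter properly: NULL is a valid input. */
static size_t safe_len(const char *s) {
    return s ? strlen(s) : 0;
}

/* Caller containing all three patterns. */
char *dup_or_empty(const char *maybe_null) {
    size_t n = safe_len(maybe_null);   /* NULL passed to a checking callee */
    char *out = xmalloc(n + 1);        /* result used without a NULL test */
    if (n > 0)
        memcpy(out, maybe_null, n);    /* n > 0 implies maybe_null != NULL */
    out[n] = '\0';
    return out;                        /* ownership passes to the caller, not a leak */
}

int main(void) {
    char *a = dup_or_empty(NULL);
    char *b = dup_or_empty("beam");
    printf("[%s] [%s]\n", a, b);
    free(a);
    free(b);
    return 0;
}
```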

RE: the shape of things to come
by on Wed 20th Jul 2005 00:00 in reply to "the shape of things to come"

<SNIP> "Open source apps definitely have fewer statically identifiable problems than does proprietary software." <SNIP>

I'm sure I'm not the only one that would LOVE to see you back this statement up with facts, but I'm quite confident you will never be able to do so, because you can't get a proper set of proprietary software samples, no matter how hard you try, to prove or disprove this statement/theory. Until you can actually analyze a statistically meaningful amount of proprietary code, this statement is pure ideology driven: there's no proof that either proprietary (not open for public analysis) or open (available for public review) code has a better overall error rate.

For as many publicly known and well-designed/implemented chunks of Open Source, there's a huge number of Open Source applications (far more than the good quality ones) that would tilt the numbers in a negative way. Hopefully, though, those poorly written applications rightfully earn their Darwin Awards before they become known outside of a very select few victims and their creators. So, too, it'd be best if that happened with really bad proprietary software, but at least it's easier to trace the comings and goings of publicly released proprietary software (and there's a lot that isn't released to the public! A lot of that is mission critical and specialized to that user) because there's usually press releases and marketing, while most OSS stuff is word-of-mouth until some distributor like Red Hat decides to throw it on their wares.

So, in summary, Proprietary code cannot be assessed on the whole as being inferior in quality to Open Source Software, or the other way around, because it is practically impossible to get enough data to prove or disprove the debate one way or the other. Any claims to the contrary are pure wishful BS, along with 77.5% of statistics that are made up on the spot.

Reply Parent Score: 1

RE[2]: the shape of things to come
by on Wed 20th Jul 2005 05:20 in reply to "RE: the shape of things to come"

Well, as the story title says, "...possible bugs...". So I'm not really certain how useful this story is. If we had tools that could prove bugs over and above what we normally use? Then I would think we would all be using them, and BSD and GPL alike would benefit. So no, "thousand eyes...all bugs shallow" must still remain in the land of "feel-good" slogans.

Reply Parent Score: 0