Post on 14-Dec-2015
Introduction
Parasoft® C++test™ is an integrated solution for automating a broad range of tools to improve software development, team productivity and software quality for C and C++:
Static analysis – static code analysis, data flow static analysis, and metrics analysis
Peer code review process automation – preparation, notification, and tracking
Unit testing – unit test creation, execution, optimization, and maintenance
Runtime error detection – memory access errors, leaks, corruptions, and more
236800 - Parasoft® C++test by Alon Bialik
Introduction – features
Some of the features:
- Static analysis of code for compliance with user-selected coding standards
- Graphical RuleWizard editor for creating custom coding rules
- Static code path simulation for identifying potential runtime errors
- Automated code review with a graphical interface and progress tracking
- Application monitoring/memory analysis
- Automated generation and execution of unit and component-level tests
- Flexible stub framework
- Full support for regression testing
- Code coverage analysis with code highlighting
- Runtime memory error checking during unit test execution
- Full team deployment infrastructure for desktop and command line usage
Introduction – Cross Platform
Supported Host Environments:
Host Platforms
- Windows NT/2000/XP/2003/Vista/7
- Linux kernel 2.4
- Linux kernel 2.6
- Solaris 7, 8, 9, 10
- IBM AIX 5.3 and a PowerPC processor
IDEs
- Eclipse for C/C++ Developers 3.2, 3.3, 3.4, 3.5 (32-bit)
- Microsoft Visual Studio .NET 2003, 2005, 2008 with Microsoft Visual C++
- Wind River Workbench 2.6, 3.0, 3.1, 3.2
- Texas Instruments Code Composer Studio 4.x
- ARM Workbench IDE for RVDS 3.0, 3.1, 4.0
- QNX Momentics IDE 4.5 (QNX Software Development Platform 6.4)
Host Compilers
Windows
- Microsoft Visual C++ 6.0, .NET (7.0), .NET 2003 (7.1), 2005 (8.0), 2008 (9.0)
- GNU and MingW gcc/g++ 2.95.x, 3.2.x, 3.3.x, 3.4.x
- GNU gcc/g++ 4.0.x, 4.1.x, 4.2.x, 4.3.x
- Green Hills MULTI for Windows x86 Native v4.0.x
Linux (x86 target platform)
- GNU gcc/g++ 2.95.x, 3.2.x, 3.3.x, 3.4.x, 4.0.x, 4.1.x, 4.2.x, 4.3.x
Linux (x86_64 target platform)
- GNU gcc/g++ 3.4.x, 4.0.x, 4.1.x, 4.2.x, 4.3.x
Target/Cross Compilers
ARM (Windows hosted)
- ARM RVCT 2.2, 3.x, 4.x
- ARM ADS 1.2
Embedded Linux (Windows, Linux, Solaris hosted)
- GNU gcc/g++ 2.95.x, 3.2.x, 3.3.x, 3.4.x, 4.0.x, 4.1.x, 4.2.x, 4.3.x
Green Hills (Windows, Solaris hosted)
- Green Hills optimized compilers line 4.0.x
IAR (Windows hosted)
- IAR ANSI C/C++ Compiler V5.30 for ARM (C only)
Keil (Windows hosted)
- ARM/Thumb C/C++ Compiler, RVCT3.1 for uVision
- C51 Compiler V8.18 (static analysis only)
Microsoft (Windows hosted)
- Microsoft Visual C++ for Windows Mobile 8.0, 9.0
- Microsoft Embedded Visual C++ 4.0
QNX (Windows hosted)
- GCC 2.9.x, 3.3.x, 4.2.x
STMicroelectronics (Windows hosted)
- ST20 (static analysis only)
- ST40 (static analysis only)
Texas Instruments (Windows hosted)
- TMS320C6x C/C++ Compiler v5.1
- TMS320C6x C/C++ Compiler v6.0
- TMS320C2000 C/C++ Compiler v4.1 (static analysis only)
Source Control
- AccuRev SCM
- Borland StarTeam
- CVS
- IBM/Rational ClearCase
- Microsoft Team Foundation Server
- Microsoft Visual SourceSafe
- Perforce SCM
- Serena Dimensions
- Subversion (SVN)
- Telelogic Synergy
Embedded and Cross-Platform Development
C++test’s customizable workflow allows users to test code as it’s developed, then use the same tests to validate functionality in target environments.
For embedded and cross-platform development, C++test can be used in both host-based and target-based code analysis and test flows.
Overview - Static analysis
What is Static Analysis?
Static analysis is the term applied to the analysis of computer software that is performed without actually executing programs.
- wikipedia
Low-tech static analysis:
• Software inspection
• Simple syntactic standards and manual checks
High-tech static analysis:
• Enforced syntactic checks
• Well-formedness checks in specifications, designs, and code (e.g., matching connectors in design diagrams)
• Automated program analyses, often based on data flow analysis
• Finite-state verification and other “high-power” analyses of models
C++test - Static analysis
Automate Code Analysis for Monitoring Compliance
A properly implemented coding policy can eliminate entire classes of programming errors by establishing preventive coding conventions. C++test statically analyzes code to check compliance with such a policy.
The static code analysis tool monitors whether code follows industry-standard or customized rules, ensuring that code meets uniform expectations around security, reliability, performance, and maintainability. Users can choose from over 1400 built-in rules, customize existing rules, or define new ones.
C++test - Static analysis cont’d – example
Let’s review this example:
class A {
public:
    A(int xval, int yval) : _x(xval), _y(yval) {}
    friend A& operator+(const A& p1, const A& p2);
private:
    int _x, _y;
};
A& operator+(const A& p1, const A& p2) {
    A *result = new A(p1._x + p2._x, p1._y + p2._y);
    return *result; // Violation
}
Returning a reference to a local object or a dereferenced pointer initialized by new within the function may cause a memory leak.
C++test has a built-in rule you can select: Never return a dereferenced local pointer initialized by new in function scope.
C++test - Static analysis cont’d – example cont’d
Implementation of this rule is advised by Scott Meyers in his book "Effective C++: 50 Specific Ways to Improve Your Programs and Designs".
C++test - Static analysis cont’d
Define your own rule sets with built-in and custom rules. This is a good way to enforce coding conventions that are customary in a programming team, such as naming conventions, variable initialization, etc.
#include <string>
using namespace std;
class A {
public:
    A( const char* file, const char* path ) {
        myFile = file; // Violation
        myPath = path; // Violation
    }
private:
    string myFile;
    string myPath;
};
and the compliant form:
    A( const char* file, const char* path ) : myFile(file), myPath(path) {} // OK
A little anecdote for those who took MATAM before 2008: there is a rule, Prefer initialization to assignment in constructors.
C++test - Resources
- Herb Sutter, Andrei Alexandrescu, C++ Coding Standards
- Scott Meyers – Effective C++ & More Effective C++
- Ellemtel Coding Standards (1990)
- MISRA-C 2004, MISRA-C++ 2008
- Motorola Coding Standards
- Meyers-Klaus Rules
- JSF Coding Standards (2005)
C++test - Static analysis cont’d
Rules Categories
- Coding Convention Rules
- Comments Rules
- Exceptions Rules
- Formatting Rules
- Initialization Rules
- Metrics Rules
- MISRA 2004 Rules
- Memory and Resource Management Rules
- Naming Convention Rules
- OOP Rules
- Optimization Rules
- Portability Rules
- Possible Bugs Rules
- Physical File Org. Rules
- Qt Best Practices Rules
- Security Rules
- STL Best-Practices Rules
- Templates Rules
- Bug Detective (*)
Coding Conventions, for example: magic numbers, default in switch-case, const/non-const conversion, naming conventions.
int small = 20000;
int big = small * 2; // 40000 or -25536?
if (small < big) {}
Q: Will the if’s body be executed? A: Depends… Rule: use UINT8, INT16, UINT32 etc.
Initialization rules, for example: globals, statics, members in the C’tor, etc.
Exception rules, for example: not from the D’tor… (prevent stack unwinding).
OOP Rules, for example:
- Multiple inheritance (diamond inheritance)
- Avoid calling virtual methods/global data from the C’tor / D’tor
- Avoid public data members
- Avoid down-casting
- If a class has virtual functions it shall have a virtual D’tor
C++test - Static analysis cont’d
Define your test
Configure your static analysis test: C++test configurations
C++test - Static analysis cont’d
Define your test
Configure your static analysis test: Rule Editor
C++test - Static analysis cont’d
Run Test
Run the static analysis test on your code
C++test - Static analysis cont’d
Test your code – test summary
C++test - Static analysis cont’d
Test your code – static analysis output
C++test - Static analysis cont’d
Define your test
Configure your static analysis test: Bug Detective
C++test - Static analysis cont’d
Bug Detective – cont’d
Resource Leaks: allocation misuse of memory, pipes, file descriptors, and other system resources.
Bugs: runtime errors such as division by zero, array bounding and indexing flaws, NULL pointer dereferencing, and data initialization errors.
Security Vulnerabilities: detect read, write or indexing of potentially tainted data.
C++test - Static analysis cont’d
Bug Detective - Examples
Buffer Overflow Security example
#include <stdio.h>
#include <string.h>

void example(int src[100], int dest[100])
{
    int size;
    scanf("%d", &size);
    memcpy(dest, src, size); // VIOLATION ("size" is an arbitrary value possibly < 0 or > 100)
}

Dereferencing a NULL Pointer
#include <cstdlib>
// Point is a class declared elsewhere (not shown on the slide)

int main(int argc, char* argv[])
{
    Point* point = 0;
    if (argc > 3) {
        point = new Point(atoi(argv[1]), atoi(argv[2]));
    }
    point->reflectAcrossX(); // VIOLATION ("point" might be NULL at this point)
    return 0;
}
C++test - Static analysis cont’d
Run Test
Run the Bug Detective test on your code
C++test - Static analysis cont’d
Test your code – test summary
C++test - Static analysis
How does it work?
An educated guess
C++test - Static analysis – how is it done?
[Diagram of the components: C/C++ source program, Lexical analyzer, Syntax analyzer (driven by the C++ EBNF), Semantic analyzer (driven by the user-chosen rules), Symbol table, Properties table, Error handler, IDE]
C++test - Static analysis – Lexical analysis in a nutshell
Lex is a program (generator) that generates lexical analyzers. It reads the input stream (specifying the lexical analyzer) and outputs source code implementing the lexical analyzer in the C programming language. Lex reads patterns (regular expressions) and produces C code for a lexical analyzer that scans for identifiers.
[Diagram: Lex → Lexical analyzer; stream of characters → Lexical analyzer → stream of tokens]
C++test - Static analysis – Lexical analysis in a nutshell – cont’d
Input to the lexical analyzer (generated by Lex):
#include <iostream>
#include <string>
#include <cctype> // for std::isspace(), etc.
void someFunc(const std::string &data);
Stream of tokens produced by the lexical analyzer:
[#] "include" [<] "iostream" [>] [#] "include" [<] "string" [>] [#] "include" [<] "cctype" [>] [/] [/] "for" "std" [:] [:] "isspace" [(] [)] [,] "etc" [.] "void" "print" "someFunc" [(] "const" "std" [:] [:] "string" [&] "data" [)] [;] "int" "main" [(] [)] [{] "std" [:] [:] "string"
Each token carries its position, e.g. Line: 4, Column: 6, Text: someFunc, etc.
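The lexer stage described above, as an added example (not Parasoft's code, whose lexer the deck says is generated by Lex): a small Python tokenizer that turns source text into the same [punct] "identifier" token stream the slide shows, keeping the line and column of every token. SAMPLE is a constructed, shortened version of the slide's snippet, and the token kind names are my own.

```python
import re
from typing import List, Tuple

# Token = (kind, text, line, column). Kinds: ident, number, punct.
Token = Tuple[str, str, int, int]

# Whitespace is consumed but not emitted; every other character that is not
# part of an identifier or number becomes a one-character punct token, which
# is why "::" appears as [:] [:] and "//" as [/] [/] on the slide.
_TOKEN_RE = re.compile(
    r"(?P<ws>\s+)"
    r"|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<number>[0-9]+)"
    r"|(?P<punct>[^\sA-Za-z0-9_])"
)

# Constructed sample input (a shortened version of the slide's snippet).
SAMPLE = (
    "#include <string>\n"
    "void someFunc(const std::string &data);\n"
)


def tokenize(source: str) -> List[Token]:
    """Stream of characters -> stream of tokens, each with line and column."""
    tokens: List[Token] = []
    line, col, pos = 1, 1, 0
    while pos < len(source):
        m = _TOKEN_RE.match(source, pos)  # one alternative always matches
        kind, text = m.lastgroup, m.group()
        if kind != "ws":
            tokens.append((kind, text, line, col))
        # keep line/column in step with the characters consumed
        if "\n" in text:
            line += text.count("\n")
            col = len(text) - text.rfind("\n")
        else:
            col += len(text)
        pos = m.end()
    return tokens


def render(tokens: List[Token]) -> str:
    """Render tokens as the slide does: [#] "include" [<] "string" [>] ..."""
    return " ".join(
        f'"{text}"' if kind in ("ident", "number") else f"[{text}]"
        for kind, text, _, _ in tokens
    )


def position_of(tokens: List[Token], text: str) -> Tuple[int, int]:
    """(line, column) of the first token whose text matches, or (0, 0)."""
    for _, tok, line, col in tokens:
        if tok == text:
            return line, col
    return 0, 0


if __name__ == "__main__":
    toks = tokenize(SAMPLE)
    print(render(toks))
    print("someFunc at line:column", position_of(toks, "someFunc"))
```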
C++test - Static analysis – Syntax analyzer in a nutshell
YACC reads grammars written in Backus Normal Form (BNF) and generates C code, which works together with the lexical analyzer generated by Lex.
- BNF grammar is used to express context-free languages
- Uses bottom-up (shift-reduce) parsing
- Generates the symbol table
- Reports syntax errors to the IDE
[Diagram: stream of tokens → Syntax analyzer (BNF grammar rules) → Semantic analyzer; Syntax analyzer → Symbol table]
C++test - Static analysis – Syntax analyzer in a nutshell
YACC – an example
%%
statement  : expression                 { printf(" = %g\n", $1); }
           ;
expression : expression '+' expression  { $$ = $1 + $3; }
           | expression '-' expression  { $$ = $1 - $3; }
           | NUMBER                     { $$ = $1; }
           ;
%%
According to these two productions, 5 + 4 – 3 + 2 is parsed into:
[Parse tree: statement at the root, nested expression nodes below it, and the leaves number 5, +, number 4, –, number 3, +, number 2]
C++test - Static analysis – Syntax analyzer
At this point the syntax analyzer builds the symbol table and saves all the properties of each symbol. For example, a class symbol:
- Name
- Object declared?
- Pure virtual?
- Variables list (variable ..)
- Methods list (variable ..)
- Static?
- Virtual?
C++test - Static analysis – Syntax analyzer in a nutshell
Semantic analyzer
The semantic analyzer tests the generated symbol table against the defined rules and matches unwanted patterns.
[Figure: the same class-symbol table as above: Name, Object declared?, Pure virtual?, Variables list, Methods list, Static?, Virtual?]
C++test – Bug Detective
How does it work? An educated guess
C++test - Static analysis – Bug Detective
[Diagram: tree-structure intermediate representation → Semantic analyzer → semantics-safe tree structure → CFG generator → CFG → Data flow analysis and Control flow analysis]
C++test - Static analysis – Bug Detective
Data Flow Analysis
Compile-time reasoning about the run-time flow of values in the program:
- Represent facts about the run-time behavior
- Represent the effect of executing each basic block
- Propagate facts around the control flow graph
C++test - Static analysis – Bug Detective
Data Flow Analysis – cont’d
Formulated as a set of simultaneous equations
- Sets attached to the nodes and edges
- Lattice to describe the relation between values
- Usually represented as bits or bit vectors
Solve the equations using an iterative framework
- Start with an initial guess of facts at each node
- Propagate until it stabilizes at the maximal fixed point
- Would like the meet over all paths (MOP) solution
C++test - Static analysis Bug Detective
Data Flow analysis equation properties
Data-flow analysis equations are distinguished by:
- Direction
- Gen
- Kill
- May/Must
- Merge
- Flow values (initial guess, type)
C++test - Static analysis – Bug Detective
Reaching definitions
Concept: relationship between definitions and uses
- A definition of a variable x is a statement that may assign a value to x
- A definition may reach a program point p if there exists some path from the point immediately following the definition to p such that the assignment is not killed along that path
- A definition of a variable x is killed if there is any other definition of x anywhere along the path
C++test - Static analysis – Bug Detective
Reachability Analysis: Step 1
For each block, compute local (block-level) information
- DEDef(B): the set of downward-exposed definitions in B
  o Those for which the defined name is not subsequently redefined by the exit from B
- DEFKill(B): the set of definitions that are obscured by a definition of the same name in B
  o Also consider definition points outside B
This information does not take control flow between blocks into account
Reaching Definitions Example
B1: d1 i = m – 1; d2 j = n; d3 a = u1      DEDef = 1,2,3   DEFKill = 4,5,6,7
B2: d4 i = i + 1; d5 j = j - 1             DEDef = 4,5     DEFKill = 1,2,7
B3: d6 a = u2                              DEDef = 6       DEFKill = 3
B4: d7 i = u2                              DEDef = 7       DEFKill = 1,4
DEFKill needs to consider the set of all definition points: {1,2,3,4,5,6,7}
C++test - Static analysis – Bug Detective
Reachability Analysis: Step 2
Compute the REACHES set for each block in a forward direction
- REACHES(b): the set of definitions that reach the entry to a block b
- Start with REACHES(n0) = Ø
- $\mathrm{REACHES}(b) = \bigcup_{x \in \mathrm{pred}(b)} \big(\mathrm{DEDef}(x) \cup (\mathrm{REACHES}(x) - \mathrm{DEFKill}(x))\big)$
  o DEDef(x): definitions locally defined in x
  o REACHES(x) − DEFKill(x): definitions propagated into x and not killed by any definition in x
  o The union over pred(b) collects the definitions that reach the exit point of each predecessor x
Iterative algorithm: keep computing REACHES sets until a fixed point is reached
C++test - Static analysis Bug Detective
Reachability Analysis: Step 2 – cont’d
Compute the REACHES set for each block in a forward direction
- REACHES(b): the set of definitions that reach the entry to a block b
- Start with REACHES(n0) = Ø
- $\mathrm{REACHES}(b) = \bigcup_{x \in \mathrm{pred}(b)} \mathrm{OUT}(x)$ (information propagated across blocks)
- $\mathrm{OUT}(x) = \mathrm{DEDef}(x) \cup (\mathrm{REACHES}(x) - \mathrm{DEFKill}(x))$ (information propagated within blocks)
  o OUT(x) is the set of definitions that reach the exit from a block x, which includes definitions that are
    - either generated within the block (DEDef(x)), or
    - reach on entry to x and are not killed by any definition in x (REACHES(x) − DEFKill(x))
C++test - Static analysis – Bug Detective
Array out of boundaries detection using Reaching Definition
int a[10]
B1: d1 i = 0; d2 j = n; d3 k = a[i]        DEDef = 1,2,3   DEFKill = 4,5,6,7
B2: d4 i = i + 1; d5 j = j - 1             DEDef = 4,5     DEFKill = 1,2,7
B3: d6 i = 0                               DEDef = 6       DEFKill = 1,4
B4: d7 k = a[i]                            DEDef = 7       DEFKill = 3
C++test - Static analysis – Bug Detective
Array out of boundaries detection using Reaching Definition – cont’d
For every use of operator[], i.e. a[i] in block b, we check all paths leading to block b for possible definitions of i that are out of a’s boundaries.
May – true on some path (set union)
Disadvantage of this way: searching all paths can yield infeasible paths. Advantage of this way: in most cases the reaching definitions that set the values of indexes are very short and not complicated.
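Steps 1 and 2 above and the array-index query, carried out on the deck's d1..d7 reaching-definitions example as an added Python example (this is not Bug Detective's implementation). The CFG edges are an assumption: the slides show only the blocks, so the classic textbook layout of this example (B1→B2→B3→B4→B2, plus a B2→B4 edge) is used; the DEDef/DEFKill sets are computed from the block contents rather than copied from the slide.

```python
from typing import Dict, List, Set, Tuple

# Definitions from the slide's example: number -> (block, variable assigned).
DEFS: Dict[int, Tuple[str, str]] = {
    1: ("B1", "i"), 2: ("B1", "j"), 3: ("B1", "a"),
    4: ("B2", "i"), 5: ("B2", "j"),
    6: ("B3", "a"),
    7: ("B4", "i"),
}
BLOCKS: List[str] = ["B1", "B2", "B3", "B4"]
# ASSUMED edges: the slide shows the blocks but the arrows were not extracted,
# so the classic textbook layout of this example is used (B4 -> B2 is the loop).
EDGES: List[Tuple[str, str]] = [
    ("B1", "B2"), ("B2", "B3"), ("B2", "B4"), ("B3", "B4"), ("B4", "B2"),
]


def local_sets(defs: Dict[int, Tuple[str, str]], blocks: List[str]):
    """Step 1: DEDef(B) and DEFKill(B) from each block's contents alone."""
    dedef: Dict[str, Set[int]] = {}
    defkill: Dict[str, Set[int]] = {}
    for b in blocks:
        last_def: Dict[str, int] = {}  # variable -> last definition inside B
        for d in sorted(defs):
            blk, var = defs[d]
            if blk == b:
                last_def[var] = d
        dedef[b] = set(last_def.values())  # downward-exposed definitions
        # DEFKill considers every definition point in the program, inside or
        # outside B, that assigns a name B also assigns.
        defkill[b] = {d for d, (_, var) in defs.items()
                      if var in last_def and d not in dedef[b]}
    return dedef, defkill


def reaches(blocks, edges, dedef, defkill):
    """Step 2: iterate REACHES(b) = union of OUT(x) over pred(b) to a fixed point."""
    preds = {b: [x for x, y in edges if y == b] for b in blocks}
    reach: Dict[str, Set[int]] = {b: set() for b in blocks}  # initial guess
    rounds = 0
    while True:
        rounds += 1
        changed = False
        for b in blocks:
            new: Set[int] = set()
            for x in preds[b]:
                # OUT(x): generated in x, or entering x and not killed in x
                new |= dedef[x] | (reach[x] - defkill[x])  # "may": set union
            if new != reach[b]:
                reach[b], changed = new, True
        if not changed:
            return reach, rounds


def defs_of_var_reaching(var: str, block: str, reach, defs) -> Set[int]:
    """Definitions of `var` that may reach the entry of `block`: the question a
    use such as a[i] in that block asks before checking the index values."""
    return {d for d in reach[block] if defs[d][1] == var}
```

For a use a[i] in B2, the query reports d1 and d7 (d4 is killed by d7 on the B4→B2 path); the bounds check then only has to look at the values those definitions can assign.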
C++test - Static analysis – Bug Detective
“Conditions that always evaluate the same” detection using Reaching Definition
In a similar way we could go over the CFG, look for Boolean conditions and check whether each one always evaluates the same (on all paths).
Must – true on all paths (set intersection)
Reaching Definition can also be used in the same way to detect division by zero, unreachable switch branches, and more.
C++test - Static analysis – Bug Detective
Control Flow Analysis
The CFG contains all function calls, uses of global variables, uses of parameter pointer variables, and optionally uses of all local variables and concurrency operations.
The CFG includes the symbolic information for these objects, such as their names, types, whether an access is read or write, whether a variable is a parameter or not, whether a function or variable is static or not, the line number, etc.
C++test - Static analysis – Bug Detective
Control Flow Analysis – cont’d
Traversing the whole system CFG can find:
- Dead code
- Resources not freed
- Not allocated/initialized memory access
- and more..
C++test - Static analysis – Comparing models
Tool    | Static/dynamic | Completeness                          | Soundness                       | Customizable | OS
Blast   | Static         | Yes                                   | No – false alarms               | No           | Windows
CBMC    | Static         | No                                    | Yes                             | No           | Windows
C++test | Static+dynamic | No – C++test does not prove your code | Yes – all violations can happen | Highly       | Windows/Linux/Solaris and more
Conclusion
Disadvantages…
- Slow…
- Not Open-Source
- No “Quick-Fix”
- Expensive…
- Does not prove your code
Advantages…
- Easy to operate
- Highly customizable
- Can verify your code meets coding standards
- Prevents errors that compromise security, reliability, and performance