Parasoft® C++test Comprehensive Code Quality Tools for C/C++ Development

Dec 14, 2015


Josh Bowens

Introduction

Parasoft® C++test™ is an integrated solution for automating a broad range of tools to improve software development, team productivity and software quality for C and C++:

Static analysis – static code analysis, data flow static analysis, and metrics analysis

Peer code review process automation – preparation, notification, and tracking

Unit testing – unit test creation, execution, optimization, and maintenance

Runtime error detection – memory access errors, leaks, corruptions, and more

236800 - Parasoft® C++test by Alon Bialik

Introduction – features

Some of the features:
- Static analysis of code for compliance with user-selected coding standards
- Graphical RuleWizard editor for creating custom coding rules
- Static code path simulation for identifying potential runtime errors
- Automated code review with a graphical interface and progress tracking
- Application monitoring/memory analysis
- Automated generation and execution of unit and component-level tests
- Flexible stub framework
- Full support for regression testing
- Code coverage analysis with code highlighting
- Runtime memory error checking during unit test execution
- Full team deployment infrastructure for desktop and command line usage

Introduction – Cross Platform

Cross Platform Supported Host Environments:

Host Platforms
- Windows NT/2000/XP/2003/Vista/7
- Linux kernel 2.4
- Linux kernel 2.6
- Solaris 7, 8, 9, 10
- IBM AIX 5.3 and a PowerPC processor

IDEs
- Eclipse for C/C++ Developers 3.2, 3.3, 3.4, 3.5 (32-bit)
- Microsoft Visual Studio .NET 2003, 2005, 2008 with Microsoft Visual C++
- Wind River Workbench 2.6, 3.0, 3.1, 3.2
- Texas Instruments Code Composer Studio 4.x
- ARM Workbench IDE for RVDS 3.0, 3.1, 4.0
- QNX Momentics IDE 4.5 (QNX Software Development Platform 6.4)

Host Compilers

Windows
- Microsoft Visual C++ 6.0, .NET (7.0), .NET 2003 (7.1), 2005 (8.0), 2008 (9.0)
- GNU and MingW gcc/g++ 2.95.x, 3.2.x, 3.3.x, 3.4.x
- GNU gcc/g++ 4.0.x, 4.1.x, 4.2.x, 4.3.x
- Green Hills MULTI for Windows x86 Native v4.0.x

Linux (x86 target platform)
- GNU gcc/g++ 2.95.x, 3.2.x, 3.3.x, 3.4.x, 4.0.x, 4.1.x, 4.2.x, 4.3.x

Linux (x86_64 target platform)
- GNU gcc/g++ 3.4.x, 4.0.x, 4.1.x, 4.2.x, 4.3.x

Target/Cross Compilers

ARM (Windows hosted)
- ARM RVCT 2.2, 3.x, 4.x
- ARM ADS 1.2

Embedded Linux (Windows, Linux, Solaris hosted)
- GNU gcc/g++ 2.95.x, 3.2.x, 3.3.x, 3.4.x, 4.0.x, 4.1.x, 4.2.x, 4.3.x

Green Hills (Windows, Solaris hosted)
- Green Hills optimized compilers line 4.0.x

IAR (Windows hosted)
- IAR ANSI C/C++ Compiler V5.30 for ARM (C only)

Keil (Windows hosted)
- ARM/Thumb C/C++ Compiler, RVCT3.1 for uVision
- C51 Compiler V8.18 (static analysis only)

Microsoft (Windows hosted)
- Microsoft Visual C++ for Windows Mobile 8.0, 9.0
- Microsoft Embedded Visual C++ 4.0

QNX (Windows hosted)
- GCC 2.9.x, 3.3.x, 4.2.x

STMicroelectronics (Windows hosted)
- ST20 (static analysis only)
- ST40 (static analysis only)

Texas Instruments (Windows hosted)
- TMS320C6x C/C++ Compiler v5.1
- TMS320C6x C/C++ Compiler v6.0
- TMS320C2000 C/C++ Compiler v4.1 (static analysis only)

Source Control
- AccuRev SCM
- Borland StarTeam
- CVS
- IBM/Rational ClearCase
- Microsoft Team Foundation Server
- Microsoft Visual SourceSafe
- Perforce SCM
- Serena Dimensions
- Subversion (SVN)
- Telelogic Synergy

Embedded and Cross-Platform Development

C++test’s customizable workflow allows users to test code as it’s developed, then use the same tests to validate functionality in target environments.

For embedded and cross-platform development, C++test can be used in both host-based and target-based code analysis and test flows.

Overview - Static analysis

What is Static Analysis?

Static analysis is the term applied to the analysis of computer software that is performed without actually executing programs.

- wikipedia

Low-tech static analysis:
• Software inspection
• Simple syntactic standards and manual checks

High-tech static analysis:
• Enforced syntactic checks
• Well-formedness checks in specifications, designs, and code (e.g., matching connectors in design diagrams)
• Automated program analyses, often based on data flow analysis
• Finite-state verification and other “high-power” analyses of models

C++test - Static analysis

Automate Code Analysis for Monitoring Compliance

A properly implemented coding policy can eliminate entire classes of programming errors by establishing preventive coding conventions. C++test statically analyzes code to check compliance with such a policy.

The static code analysis tool monitors whether code follows industry-standard or customized rules for ensuring that code meets uniform expectations around security, reliability, performance, and maintainability. Users can choose from over 1400 built-in rules, customize existing rules or define new ones.

C++test - Static analysis cont’d

Example

Let’s review this example

    class A {
    public:
        A(int xval, int yval) : _x(xval), _y(yval) {}
        friend A& operator+(const A& p1, const A& p2);
    private:
        int _x, _y;
    };

    A& operator+(const A& p1, const A& p2) {
        A *result = new A(p1._x + p2._x, p1._y + p2._y);
        return *result; // Violation
    }

Returning a reference to a local object or a dereferenced pointer initialized by new within the function may cause a memory leak.

C++test has a built-in rule you can select: Never return a dereferenced local pointer initialized by new in function scope

Implementation of this rule is advised by Scott Meyers in his book "Effective C++: 50 Specific Ways to Improve Your Programs and Design".

C++test - Static analysis cont’d

Define your own rule sets with built-in and custom rules. This is a good way to enforce coding standards that are customary in a programming team, such as naming conventions, variable initialization, etc.

    #include <string>
    using namespace std;

    class A {
    public:
        A(const char* file, const char* path) {
            myFile = file; // Violation
            myPath = path; // Violation
        }
    private:
        string myFile;
        string myPath;
    };

and

    A(const char* file, const char* path) : myFile(file), myPath(path) {} // OK

A little anecdote for those who took MATAM before 2008: there is a rule, "Prefer initialization to assignment in constructors".

C++test - Static analysis cont’d

C++Test - Resources
- Herb Sutter, Andrei Alexandrescu, C++ Coding Standards
- Scott Meyers – Effective C++ & More Effective C++
- Ellemtel Coding Standards (1990)
- MISRA-C 2004, MISRA-C++ 2008
- Motorola Coding Standards
- Meyers-Klaus Rules
- JSF Coding Standards (2005)

C++test - Static analysis cont’d

Rules Categories
- Coding Convention Rules
- Comments Rules
- Exceptions Rules
- Formatting Rules
- Initialization Rules
- Metrics Rules
- MISRA 2004 Rules
- Memory and Resource Management Rules
- Naming Convention Rules
- OOP Rules
- Optimization Rules
- Portability Rules
- Possible Bugs Rules
- Physical File Org. Rules
- Qt Best Practices Rules
- Security Rules
- STL Best-Practices Rules
- Templates Rules
- Bug Detective (*)

Coding Conventions
For example:
- Magic numbers
- Default in Switch-case
- Const non-const conversion
- Naming conventions

    int small = 20000;
    int big = small * 2; // 40000 or -25536?
    if (small < big) {}

Q: Will the if’s body be executed?
A: Depends…
Rule: Use: UINT8, INT16, UINT32 etc…

Initialization rules
For example: Globals, static, member in C’tor etc

Exception rules
For example: Not from D’tor … (prevent stack unwinding)

OOP Rules
For example:
- Multiple inheritance (diamond inheritance)
- Avoid calling virtual-methods/global-data from C’tor / D’tor
- Avoid public data members
- Avoid down-casting
- If a class has virtual functions it shall have a virtual D’tor

C++test - Static analysis cont’d

Define your test

Configure your static analysis test: C++test configurations


Configure your static analysis test: Rule Editor

C++test - Static analysis cont’d

Run Test

Run static analysis test on your code

Test your code – test summary

Test your code – static analysis output

C++test - Static analysis cont’d

Define your test

Configure your static analysis test: Bug Detective

Bug Detective – cont’d

Resource Leaks: Allocation misuse of memory, pipes, file descriptors, and other system resources.

Bugs: Runtime errors such as division by zero, array bounding and indexing flaws, NULL pointer dereferencing, and data initialization errors.

Security Vulnerabilities: Detect read, write or indexing of potentially tainted data.

C++test - Static analysis cont’d

Bug Detective - Examples

Buffer Overflow Security example

    void example(int src[100], int dest[100])
    {
        int size;
        scanf("%d", &size);
        memcpy(dest, src, size); // VIOLATION ("size" is an arbitrary value possibly < 0 or > 100)
    }

Dereferencing a NULL Pointer

    int main(int argc, char* argv[])
    {
        Point* point = 0;
        if (argc > 3) {
            point = new Point(atoi(argv[1]), atoi(argv[2]));
        }
        point->reflectAcrossX(); // VIOLATION ("point" might be NULL at this point)
        return 0;
    }
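An added example (not from the original slides): a corrected form of the buffer overflow violation above, in which the tainted value is range-checked before it reaches memcpy. It assumes the value is meant as an element count and takes the untrusted text as a parameter instead of calling scanf; the names kElems, parse_count and copy_checked are illustrative.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Capacity of both buffers, matching int src[100] / int dest[100] on the slide.
constexpr std::size_t kElems = 100;

// Parse an element count from untrusted text.
// Succeeds only if the whole string is a decimal number in [0, kElems].
bool parse_count(const char* text, std::size_t* count) {
    if (text == nullptr || *text == '\0') return false;
    errno = 0;
    char* end = nullptr;
    const long v = std::strtol(text, &end, 10);
    if (errno == ERANGE || *end != '\0') return false;   // overflow or trailing junk
    if (v < 0 || static_cast<unsigned long>(v) > kElems) return false;
    *count = static_cast<std::size_t>(v);
    return true;
}

// Copy the requested number of elements, or nothing at all if the request is invalid.
bool copy_checked(const int (&src)[kElems], int (&dest)[kElems], const char* untrusted) {
    std::size_t n = 0;
    if (!parse_count(untrusted, &n)) return false;
    // memcpy takes a byte length, so scale the validated element count.
    std::memcpy(dest, src, n * sizeof(int));
    return true;
}

int main() {
    int src[kElems];
    int dest[kElems] = {0};
    for (std::size_t i = 0; i < kElems; ++i) src[i] = static_cast<int>(i);
    const char* inputs[] = {"10", "100", "101", "-1", "7x"};  // constructed inputs
    for (const char* in : inputs)
        std::printf("%-4s -> %s\n", in, copy_checked(src, dest, in) ? "copied" : "rejected");
    return 0;
}
```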

C++test - Static analysis cont’d

Run Test

Run Bug Detective test on your code

Test your code – test summary

C++test - Static analysis

How does it work?

An educated guess

C++test - Static analysis: how is it done?

[Diagram of the C++test static analysis pipeline. Components: C/C++ source program, lexical analyzer, syntax analyzer, semantic analyzer, symbol table, properties table, C++ EBNF, user-chosen rules, IDE error handler]

C++test - Static analysis

Lexical analysis in a nutshell

Lex is a program (generator) that generates lexical analyzers.

It reads the input stream (specifying the lexical analyzer) and outputs source code implementing the lexical analyzer in the C programming language.

Lex reads patterns (regular expressions), then produces C code for a lexical analyzer that scans for identifiers.

[Diagram: stream of characters, lexical analyzer, stream of tokens]

C++test - Static analysis

Lexical analysis in a nutshell – cont’d

Input to the lexical analyzer:

    #include <iostream>
    #include <string>
    #include <cctype> // for std::isspace(), etc.
    void someFunc(const std::string &data);

Tokens produced by the lexical analyzer:

    [#] "include" [<] "iostream" [>]
    [#] "include" [<] "string" [>]
    [#] "include" [<] "cctype" [>] [/] [/] "for" "std" [:] [:] "isspace" [(] [)] [,] "etc" [.]
    "void" "print" "someFunc" [(] "const" "std" [:] [:] "string" [&] "data" [)] [;]
    "int" "main" [(] [)] [{] "std" [:] [:] "string"

Each token carries its position and text, for example: Line: 4, Column: 6, Text: someFunc, etc.

C++test - Static analysis

Syntax analyzer in a nutshell

YACC
- Reads the grammars written in Backus Normal Form (BNF) and generates C code from Lex
- BNF grammar is used to express context-free languages
- Uses bottom-up or shift-reduce parsing
- Generates the symbol table
- Reports syntax errors to the IDE

[Diagram components: stream of tokens, BNF grammar rules, syntax analyzer, symbol table, semantic analyzer]

C++test - Static analysis

Syntax analyzer in a nutshell

YACC – an example

    %%
    statement : expression { printf(" = %g\n", $1); }
    expression : expression '+' expression { $$ = $1 + $3; }
               | expression '-' expression { $$ = $1 - $3; }
               | NUMBER { $$ = $1; }
    %%

According to these two productions, 5 + 4 – 3 + 2 is parsed into:

[Figure: parse tree rooted at statement, with nested expression nodes over the number leaves and the operators +, -, +]

C++test - Static analysis

Syntax analyzer

At this point the syntax analyzer builds the symbol table and saves all the properties of a symbol.

For example:

[Diagram: class symbol entry. Fields shown: Name, Object declared?, Pure virtual?, Variables list, Methods list, Static?, Virtual?]

C++test - Static analysis

Semantic analyzer

The semantic analyzer tests the generated symbol table against the defined rules and matches unwanted patterns.

[Diagram: the same class symbol entry as on the previous slide]

C++test – Bug Detective

How does it work?

An educated guess

C++test - Static analysis Bug Detective

[Diagram of the Bug Detective pipeline. Components: semantic analyzer, tree structure intermediate representation, semantics-safe tree structure, CFG generator, CFG, control flow analysis, data flow analysis]

C++test - Static analysis Bug Detective

Data Flow Analysis

Compile-time reasoning about the run-time flow of values in the program
- Represent facts about the run-time behavior
- Represent effect of executing each basic block
- Propagate facts around the control flow graph

C++test - Static analysis Bug Detective

Data Flow Analysis – cont’d

Formulated as a set of simultaneous equations
- Sets attached to the nodes and edges
- Lattice to describe the relation between values
- Usually represented as a bit or bit vectors

Solve equations using iterative framework
- Start with initial guess of facts at each node
- Propagate until stabilizes at maximal fixed point
- Would like meet over all paths (MOP) solution

C++test - Static analysis Bug Detective

Data Flow analysis equation properties

Data-flow analysis equations are distinguished by
- Direction
- Gen
- Kill
- May/Must
- Merge
- Flow values (initial guess, type)

C++test - Static analysis Bug Detective

Reaching definitions

Concept: relationship between definitions and uses

A definition of a variable x is a statement that may assign a value to x

A definition may reach a program point p if there exists some path from the point immediately following the definition to p such that the assignment is not killed along that path
- A definition of a variable x is killed if there is any other definition of x anywhere along the path

C++test - Static analysis Bug Detective

Reachability Analysis: Step 1

For each block, compute local (block level) information
- DEDef(B): the set of downward-exposed definitions in B
  o Those for which the defined name is not subsequently redefined by the exit from B
- DEFKill(B): the set of definitions that are obscured by a definition of the same name in B
  o Also consider definition points outside B

This information does not take control flow between blocks into account

C++test - Static analysis Bug Detective

Reaching Definitions Example

Block  Definitions                              DEDef    DEFKill
B1     d1: i = m – 1, d2: j = n, d3: a = u1     1,2,3    4,5,6,7
B2     d4: i = i + 1, d5: j = j - 1             4,5      1,2,7
B3     d6: a = u2                               6        3
B4     d7: i = u2                               7        1,4

DEFKill needs to consider the set of all definition points: {1,2,3,4,5,6,7}

[Figure: control flow graph of blocks B1 to B4]

C++test - Static analysis Bug Detective

Reachability Analysis: Step 2

Compute REACHES set for each block in a forward direction
- REACHES(b): the set of definitions that reach the entry to a block b
- Start with REACHES(n0) = Ø
- $\mathrm{REACHES}(b) = \bigcup_{x \in \mathrm{pred}(b)} \big( \mathrm{DEDef}(x) \cup (\mathrm{REACHES}(x) - \mathrm{DEFKill}(x)) \big)$
  o The whole term inside the union: definitions that reach the exit point of predecessor x
  o DEDef(x): locally defined in x
  o REACHES(x) - DEFKill(x): propagated into x and not killed by any definition in x

Iterative algorithm: keep computing REACHES sets until a fixed point is reached

C++test - Static analysis Bug Detective

Reachability Analysis: Step 2 – cont’d

Compute REACHES set for each block in a forward direction
- REACHES(b): the set of definitions that reach the entry to a block b
- Start with REACHES(n0) = Ø
- $\mathrm{REACHES}(b) = \bigcup_{x \in \mathrm{pred}(b)} \mathrm{OUT}(x)$ (information propagated across blocks)
- $\mathrm{OUT}(x) = \mathrm{DEDef}(x) \cup (\mathrm{REACHES}(x) - \mathrm{DEFKill}(x))$ (information propagated within blocks)
  o OUT(x) is the set of definitions that reach the exit from a block x, which include definitions that are
    - Either generated within the block (DEDef(x)), or
    - Reach on entry to x and not killed by any definition in x (REACHES(x)-DEFKill(x))
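An added example (not part of the original slides): the Step 2 iteration run over the DEDef and DEFKill sets given in the Reaching Definitions Example. The CFG drawing did not survive in this transcript, so the edges B1->B2, B2->B3, B2->B4, B3->B4 and B4->B2 are an assumption, as are all type and function names.

```cpp
#include <bitset>
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <vector>

// Definitions d1..d7 map to bits 1..7 (bit 0 is unused).
using DefSet = std::bitset<8>;

struct Block {
    const char* name;
    DefSet dedef;            // DEDef(B): downward-exposed definitions
    DefSet defkill;          // DEFKill(B): definitions obscured by B
    std::vector<int> preds;  // indices of predecessor blocks
};

DefSet defs(std::initializer_list<int> ids) {
    DefSet s;
    for (int d : ids) s.set(static_cast<std::size_t>(d));
    return s;
}

// OUT(x) = DEDef(x) union (REACHES(x) minus DEFKill(x))
DefSet out_of(const Block& x, const DefSet& reaches_x) {
    return x.dedef | (reaches_x & ~x.defkill);
}

// REACHES(b) = union of OUT(x) over predecessors x, iterated to a fixed point.
std::vector<DefSet> solve_reaches(const std::vector<Block>& cfg) {
    std::vector<DefSet> reaches(cfg.size());  // initial guess: every set empty
    bool changed = true;
    while (changed) {
        changed = false;
        for (std::size_t b = 0; b < cfg.size(); ++b) {
            DefSet in;
            for (int p : cfg[b].preds) in |= out_of(cfg[p], reaches[p]);
            if (in != reaches[b]) {
                reaches[b] = in;
                changed = true;
            }
        }
    }
    return reaches;
}

// Block contents and DEDef/DEFKill come from the slide; the edges are assumed.
std::vector<Block> slide_cfg() {
    return {
        {"B1", defs({1, 2, 3}), defs({4, 5, 6, 7}), {}},      // entry block n0
        {"B2", defs({4, 5}),    defs({1, 2, 7}),    {0, 3}},  // from B1 and B4
        {"B3", defs({6}),       defs({3}),          {1}},     // from B2
        {"B4", defs({7}),       defs({1, 4}),       {1, 2}},  // from B2 and B3
    };
}

int main() {
    const std::vector<Block> cfg = slide_cfg();
    const std::vector<DefSet> reaches = solve_reaches(cfg);
    for (std::size_t b = 0; b < cfg.size(); ++b) {
        std::printf("REACHES(%s) = {", cfg[b].name);
        for (int d = 1; d <= 7; ++d)
            if (reaches[b].test(static_cast<std::size_t>(d))) std::printf(" d%d", d);
        std::printf(" }\n");
    }
    return 0;
}
```

With these edges the sets stabilize on the third pass; d1 and d2 reach only the entry of B2, because B2 kills both before any later block is entered.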


C++test - Static analysis Bug Detective

Array out of boundaries detection using Reaching Definition

int a[10]

Block  Definitions                              DEDef    DEFKill
B1     d1: i = 0, d2: j = n, d3: k = a[i]       1,2,3    4,5,6,7
B2     d4: i = i + 1, d5: j = j - 1             4,5      1,2,7
B3     d6: i = 0                                6        1,4
B4     d7: k = a[i]                             7        3

[Figure: control flow graph of blocks B1 to B4]

C++test - Static analysis Bug Detective

Array out of boundaries detection using Reaching Definition – cont’d

For every use of operator[], i.e. a[i] in block b, we check all paths leading to block b for possible definitions of i that are out of a’s boundaries

May – true on some path (set union)

Disadvantage of this approach: searching all paths can yield infeasible paths

Advantage of this approach: in most cases the reaching definitions that set index values are very short and not complicated

C++test - Static analysis Bug Detective

“Conditions that always evaluate the same” detection using Reaching Definition

In a similar way we could go over the CFG, look for Boolean conditions, and check whether each always evaluates the same (on all paths)

Must – true on all paths (set intersection)

Reaching Definition can also be used the same way to detect
- Division by zero
- Unreachable switch branches
- And more..

C++test - Static analysis Bug Detective

Control Flow Analysis

The CFG contains all function calls, uses of global variables, uses of parameter pointer variables, and optionally uses of all local variables, concurrency operations.

The CFG includes the symbolic information for these objects, such as their names, types, whether an access is read or write, whether a variable is a parameter or not, whether a function or variable is static or not, the line number, etc.

C++test - Static analysis Bug Detective

Control Flow Analysis

Traversing the whole-system CFG can find
- Dead code.
- Resources not freed.
- Access to memory that is not allocated/initialized.
and more..

C++test - Static analysis Comparing models

Tool     Static/dynamic  Completeness                            Soundness                        Customizable  OS
Blast    Static          Yes                                     No – false alarms                No            Windows
CBMC     Static          No                                      Yes                              No            Windows
C++test  Static+dynamic  No – C++test does not prove your code   Yes – all violations can happen  Highly        Windows/Linux/Solaris and more

Conclusion

Disadvantages…
- Slow…
- Not Open-Source
- No “Quick-Fix”
- Expensive…
- Does not prove your code

Advantages…
- Easy to operate
- Highly customizable
- Can verify your code meets coding standards
- Prevents errors that compromise security, reliability, and performance