ISO 26262 (automotive) up to ASIL level D
IEC 61508 (general industrial) up to SIL 4
EN 50128 (railways) up to SW-SIL 4
IEC 62304 (medical devices) up to level C
IEC 60880 (nuclear power)
Brief Overview: Company, Software Products & Methods
Dr. Evgueni Kolossov, R&D Director
Second HiPEAC Industry Partner Program
Tallinn, 8 October 2013
Over 25 years' track record, with a focus on static analysis of C / C++, defect prevention, coding standards compliance and effective code reviews
Stakeholders extend through the organisation:
Many organisations handle this in an ad-hoc manner today...
Summary Analysis results
OEM/Customer Summary Information and Reports
Distributed development /outsourcing
Supervisory and management control
Input and control
JSF++ (Joint Strike Fighter - Bjarne Stroustrup)
HICPP (our company standard from 2003, new version 3 October 2013)
Not all bugs are dataflow or resource usage based
Incorrect language usage can result in bugs that are hard (and expensive) to detect
Our software extends the defensive language analysis to provide for language based bug checking:
Calling an implicitly defined member function where a sister function has been explicitly declared.
Heap object of derived type undergoing derived-to-base conversion without a virtual destructor.
Language Misuse
Checking is not limited to memory
create, open, close, fopen, fclose, strdup, dup
Analysis uses Syntax Usage Engine; tracking is performed by inter-function analysis within the translation unit.
Special handling of constructors and destructors allows for checking that resources allocated in a constructor are freed in a destructor.
Resource Misuse
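The two "Language Misuse" rules above and the constructor/destructor pairing from "Resource Misuse" can be seen in one small program. The code below is an added illustration, not QA C++'s checker or any of its output; the HandleTable is a constructed stand-in for an OS handle table so that a double release or a leak is counted rather than triggering undefined behaviour, and the class names are made up for the example.

```cpp
#include <cstddef>
#include <set>
#include <utility>

// Constructed stand-in for an OS handle table (assumption for this demo):
// it lets us observe double releases and leaks instead of triggering the
// undefined behaviour a real double fclose()/close() would.
struct HandleTable {
    std::set<int> open;      // handles currently held
    int next = 1;
    int double_releases = 0; // releases of a handle that was not open
    int acquire() { int h = next++; open.insert(h); return h; }
    void release(int h) { if (open.erase(h) == 0) ++double_releases; }
};
static HandleTable g_handles;

// Language misuse: the copy constructor is declared explicitly, so the
// implicitly defined copy-assignment operator is the "sister function" the
// checker flags. It copies the handle bitwise, so two objects release the
// same handle and the handle that was overwritten is never released.
class LeakyOwner {
public:
    LeakyOwner() : h_(g_handles.acquire()) {}
    LeakyOwner(const LeakyOwner&) : h_(g_handles.acquire()) {}
    ~LeakyOwner() { g_handles.release(h_); }
    // operator= deliberately left implicit: this is the defect
private:
    int h_;
};

// Corrected form: all sister functions declared together, and the resource
// acquired in the constructor is released in the destructor exactly once.
class SafeOwner {
public:
    SafeOwner() : h_(g_handles.acquire()) {}
    SafeOwner(const SafeOwner&) : h_(g_handles.acquire()) {}
    SafeOwner& operator=(const SafeOwner& other) {
        if (this != &other) { g_handles.release(h_); h_ = g_handles.acquire(); }
        return *this;
    }
    ~SafeOwner() { g_handles.release(h_); }
private:
    int h_;
};

// Assigns one T to another and returns {double releases, leaked handles}
// observed once both objects have been destroyed.
template <class T>
std::pair<int, std::size_t> assignment_damage() {
    int dr_before = g_handles.double_releases;
    std::size_t open_before = g_handles.open.size();
    {
        T a, b;
        b = a;   // with LeakyOwner both objects now hold a's handle
    }            // both destructors run here
    return {g_handles.double_releases - dr_before,
            g_handles.open.size() - open_before};
}

// Second language-misuse rule: a heap object of derived type converted to
// its base. With a non-virtual base destructor, `delete base_ptr` is
// undefined behaviour and ~Derived (with its release) would not run; the
// checker reports that case, so only the corrected form is executed here.
struct Base { virtual ~Base() {} };
struct Derived : Base {
    Derived() : h_(g_handles.acquire()) {}
    ~Derived() override { g_handles.release(h_); }
    int h_;
};

// True if the handle owned by Derived is released when deleted via Base*.
bool derived_released_via_base() {
    std::size_t before = g_handles.open.size();
    Base* p = new Derived;
    delete p;   // virtual dispatch reaches ~Derived
    return g_handles.open.size() == before;
}
```

Assigning two LeakyOwner objects yields one double release and one leaked handle; SafeOwner yields neither, and Derived's handle is released when deleted through the virtual-destructor base.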
Buffer overflows (security)
NULL pointer dereference
Undefined mathematical operations
Use of unset variables
Results are accurate and precise due to in-depth modelling of the language combined with a state-of-the-art Satisfiability Modulo Theories (SMT, Yices 2) solver.
(Dutertre, B., de Moura, L.: A fast Linear-Arithmetic solver for DPLL(T). In: Ball, T., Jones, R. B. (eds.) Computer Aided Verification. LNCS, vol. 4144, pp. 81-94. Springer, Heidelberg (2006))
Deep-flow Dataflow
The software highlights obvious defects, where cause and effect are localised, as well as those where project-wide knowledge is required to determine that there are no issues.
Inter-variable dependencies are tracked, ensuring low false positive/negative rates.
Tracking of values referred to by pointers increases both the depth of analysis and the quality of modelling across function boundaries.
Deep-flow Dataflow (continued)
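The point about tracking inter-variable dependencies to keep false positives low can be shown with a small value-range (interval) model. The code below is an added illustration written for this page, not QA C/C++'s dataflow engine or its SMT encoding; the `fill()` function under analysis, the narrowing helpers and the interval domain are all constructed for the example, and two of the defect classes listed above (buffer overflow and undefined mathematical operation) are modelled.

```cpp
#include <algorithm>
#include <climits>
#include <cstdio>

// Constructed interval domain (assumption for this demo): each variable is
// tracked as an inclusive range of values on the current path.
struct Interval {
    long lo, hi;
    bool empty() const { return lo > hi; } // empty range: the path is infeasible
};

// Narrowing on branch conditions. After `if (x > k) return;` falls through, x <= k.
Interval narrow_not_greater(Interval x, long k) { return {x.lo, std::min(x.hi, k)}; }
// Inside `for (...; i < n; ...)` the body sees i <= n.hi - 1: this is the
// inter-variable dependency between i and n.
Interval narrow_less_than(Interval x, Interval y) { return {x.lo, std::min(x.hi, y.hi - 1)}; }
// After `if (d == k) return;` the value can no longer be k.
Interval narrow_not_equal(Interval x, long k) {
    if (x.lo == k) ++x.lo;
    if (x.hi == k) --x.hi;
    return x;
}

// Code under analysis (constructed):
//   void fill(int n) {
//       char buf[16];
//       /* optional guard: */ if (n > 16) return;
//       for (int i = 0; i < n; ++i) buf[i] = 0;   // is buf[i] in bounds?
//   }
// Range of i at the access, given the range of n on entry to the loop.
Interval index_range_at_access(Interval n) {
    Interval i = {0, INT_MAX};      // loop counter after widening: 0 .. INT_MAX
    return narrow_less_than(i, n);  // i < n holds inside the body
}

// Buffer overflow check: an index range is safe only if it fits 0 .. len-1.
// An empty range means the body is unreachable, so nothing is reported.
bool may_overflow_buffer(Interval idx, long len) {
    return !idx.empty() && (idx.lo < 0 || idx.hi >= len);
}

// Undefined mathematical operation: `total / count` when count's range contains 0.
bool may_divide_by_zero(Interval divisor) {
    return !divisor.empty() && divisor.lo <= 0 && 0 <= divisor.hi;
}

int main() {
    const Interval any_int = {INT_MIN, INT_MAX};
    // With the guard, n <= 16 and therefore i <= 15: provably in bounds, no
    // false positive. Without it, i may reach INT_MAX - 1: reported.
    std::printf("guarded fill():   overflow %s\n",
        may_overflow_buffer(index_range_at_access(narrow_not_greater(any_int, 16)), 16)
            ? "possible" : "ruled out");
    std::printf("unguarded fill(): overflow %s\n",
        may_overflow_buffer(index_range_at_access(any_int), 16) ? "possible" : "ruled out");
    Interval count = {0, 100};
    std::printf("total / count:    div-by-zero %s\n",
        may_divide_by_zero(count) ? "possible" : "ruled out");
    std::printf("after count != 0: div-by-zero %s\n",
        may_divide_by_zero(narrow_not_equal(count, 0)) ? "possible" : "ruled out");
    return 0;
}
```

A checker that tracked i and n independently would have to report the guarded loop too, since i alone is unbounded; carrying the relation i < n through the loop condition is what lets the guarded case be proven safe.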
Initial analysis takes place during parsing, where the code is checked for conformance to the respective language standard. Both parsers are written to conform to the standards; deviations from "legal code" are highlighted with a message and in some cases are then controlled by a configuration option. The default behaviour is to comply with the standard.
The parser builds an internal Abstract Syntax Tree for the source code and then the rest of the analysis takes place.
Most of the analysis in QA C++ (and some in QA C) is performed in the reverse order of the call tree, i.e. 'leaf functions' are analysed before their callers. This allows QA C++ to use information about a called function during the analysis of the caller. This is especially important for 'dataflow' and is a core requirement for inter-function analysis within the translation unit.
General Description
A common dataflow engine is used by QA C and QA C++. QA C++ translates C++ constructs into an equivalent C representation and this is then passed into the dataflow engine.
The resulting flow graph is further simplified and an SMT solver is then used to search for defects.
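The reverse-call-tree ordering described above, and the reason it matters for dataflow, can be shown with a small bottom-up analysis over a call graph. The code below is an added example, not QA C++'s internal representation or algorithm: the per-function facts in `Func`, the four-function sample program and the "may return NULL" summary are constructed for the illustration.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Constructed per-function facts (assumption for this demo), standing in for
// what a parser would collect from each function body.
struct Func {
    std::vector<std::string> callees;
    bool returns_null_literal = false;   // body contains `return NULL;`
    std::string forwards_return_of;      // body contains `return callee(...);`
    std::string dereferences_result_of;  // body dereferences callee(...) unchecked
};
using Program = std::map<std::string, Func>;

// Post-order walk of the call graph: every callee is emitted before its
// callers, so leaf functions come first. A recursive cycle is cut at the
// back edge; a real analyser would iterate such a cycle to a fixed point.
static void visit(const Program& p, const std::string& f,
                  std::set<std::string>& seen, std::vector<std::string>& order) {
    if (!seen.insert(f).second) return;
    auto it = p.find(f);
    if (it != p.end())
        for (const auto& callee : it->second.callees) visit(p, callee, seen, order);
    order.push_back(f);
}

std::vector<std::string> analysis_order(const Program& p) {
    std::set<std::string> seen;
    std::vector<std::string> order;
    for (const auto& kv : p) visit(p, kv.first, seen, order);
    return order;
}

// Function summary "may return NULL", computed in analysis order so that a
// callee's summary is always available when its caller is analysed.
std::map<std::string, bool> may_return_null(const Program& p) {
    std::map<std::string, bool> summary;
    for (const auto& f : analysis_order(p)) {
        auto it = p.find(f);
        if (it == p.end()) { summary[f] = false; continue; } // no body seen: demo assumes non-null
        const Func& fn = it->second;
        bool r = fn.returns_null_literal;
        if (!fn.forwards_return_of.empty()) r = r || summary[fn.forwards_return_of];
        summary[f] = r;
    }
    return summary;
}

// Reports functions that dereference, without a check, the result of a
// callee whose summary says it may return NULL.
std::vector<std::string> find_null_dereferences(const Program& p) {
    std::vector<std::string> defects;
    std::map<std::string, bool> summary = may_return_null(p);
    for (const auto& kv : p) {
        const std::string& callee = kv.second.dereferences_result_of;
        if (!callee.empty() && summary[callee]) defects.push_back(kv.first);
    }
    return defects;
}

// Constructed translation unit the facts below describe:
//   user *lookup(int id)      { ...; return NULL; }            // leaf, may return NULL
//   user *find_user(int id)   { return lookup(id); }           // forwards the result
//   void  print_user(int id)  { puts(find_user(id)->name); }   // unchecked dereference
//   int   main(void)          { print_user(7); return 0; }
Program sample_program() {
    Program p;
    p["lookup"].returns_null_literal = true;
    p["find_user"].callees = {"lookup"};
    p["find_user"].forwards_return_of = "lookup";
    p["print_user"].callees = {"find_user"};
    p["print_user"].dereferences_result_of = "find_user";
    p["main"].callees = {"print_user"};
    return p;
}
```

For the sample program the analysis order is lookup, find_user, print_user, main; the NULL summary flows from lookup through find_user, and print_user is reported because it dereferences find_user's result without a check. Analysing print_user before its callees would leave that summary unavailable and the defect unreported.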
As part of the analysis, a semantic representation is also produced and this is then checked during Cross Module Analysis (CMA). A significant amount of undefined behaviour goes undetected by most of the available linkers, for example conflicting declarations of the same function in different translation units. CMA performs this checking.
General Description (continued)
The output format used for the semantic representation is verbose, and in the case of C++ can result in huge amounts of information being written (and therefore being read). As projects have increased in size, and with libraries such as Boost, this is becoming more of an issue. We're working to change the output format to improve this situation.
Once this change is made we should be able to widen the scope of our existing analysis and provide new, richer analysis for the entire program.
General Description (continued)
Architectural analysis of our dataflow, with the following targets for implementation:
Interprocedural Dataflow Analysis
Security Issues Analysis
Parallel Processing Issues
Information about compilers new features & switches
Timing Analysis (executable, run-time)
New methods in code parsing, etc.
Types of collaboration: different types are available and are subject for discussion.
What are we looking for?
Fails to report
Dr Marijn Temmerman from TERA-Labs observed, “On paper all the selected tools claimed to provide comprehensive MISRA C compliance checking - but the reality was different!”