Published by Bryson Sharps
Modified about 1 year ago
© Programming Research www.programmingresearch.com
Brief Overview: Company, Software Products & Methods
Dr. Evgueni Kolossov, R&D Director
Second HiPEAC Industry Partner Program, Tallinn, 8 October 2013
- ISO 26262 (automotive) up to ASIL level D
- IEC 61508 (general industrial) up to SIL 4
- EN 50128 (railways) up to SW-SIL 4
- IEC 62304 (medical devices) up to level C
- IEC 60880 (nuclear power)
PRQA Overview (www.programmingresearch.com)
Over 25 years track record with focus on static analysis C / C++, defect prevention, coding standards compliance and effective code reviews
Services:
- Code audits
- Coding standards development
- Training - languages, standards, products
- Custom integrations – compiler, IDE, VCS
Locations:
- UK: Hersham (HQ)
- US: Boston + San Jose
- India: Bangalore
- Ireland: Dublin
- Netherlands: Zeist
- Ukraine: Lviv
- Romania: Bucharest
Partners:
- Distributors: Germany, Japan, China, Korea
Technical: Products:
Standing in the Software Community Committee (BSI Sector) Member ISO C Committee voting Members ISO C++ Committee Founding Member MISRA C (Motor Industry Software Reliability Association) Committee Founding Member MISRA C++
Multiple Stakeholders
Stakeholders extend through the organisation:
o Developers & Project Leads, Test operations, QA managers, Senior VP management, Customers, Suppliers
Many organisations handle this in an ad-hoc manner today...
- Project Devs/Leads: Is my project meeting compliance on each release?
- Corporate VPs: Which projects present the greatest risk?
- Customers: How does this release compare to the last one?
- QA Manager: Is our overall software quality improving over time?
PRQA Global Solution
[Diagram: Build Servers and PRQA Servers (Central Analysis) with Local Analysis, spanning In-house Development, Distributed development / outsourcing and OEM/Customer. Labels: Supervisory and management control; Management Policy Input and control; Summary Analysis results; Summary Information and Reports.]
PRQA Enterprise Solution
[Diagram: Build Server, Local Analysis, PRQA Server (Central Analysis).]
PRQA Professional Solution
[Diagram: Build Server, PRQA Server (Central Analysis).]
Components
Static Analysis Types
Lint-Like:
- Inexpensive
- Limited Analysis Capability
- High False Positive and False Negative rates
Bug Catchers:
- Strong on Simulation
- Strong on whole program test verification
- Multi-Language support
- Often part of Swiss Army knife solution: bundled with testing tools
- High false negative rates
- Poor Language Usage, Portability and Preventative analysis
Automatic Code Inspection:
- Strong on 4 technology types: pattern-based, simulation, metrics, and comprehension
- Facilitates code review and pretest checking with code collaboration, sophisticated suppression management and measurement analysis
- Low False Positive and False Negative rates
- Weak on multi-language support
- Weak on whole program static test
What & How we are Analyzing?
- Pattern-Based Analysis – This is the scanning of source code and checking for patterns that indicate issues correlating (within various degrees of severity) to defects in software. This involves checks for quality characteristics (or lack thereof) in Portability, Style, Language Usage, and Preventative Practices.
- Simulation (Deep Data Flow) – A technique for identifying likely Run-time Defects (otherwise known as “Bugs” during execution). It is a form of testing without actually executing the code.
- Metrics – It has often been stated that if you can’t measure it, you can’t improve it. For example, since complex code has been highly correlated to buggy code and impacts the testability and maintainability of software, metrics that measure these aspects can provide great insight into the quality of the code and act as an indicator of where concentrated improvement needs to be made.
- Comprehension – Static Analysis of code can also provide many different views of the actual structure of the code in the form of graphs and diagrams that help in comprehension, helping with architectural decisions using tools that provide meaningful abstractions.
Language Misuse
PRQA is an industry leader in analysis of defensive coding practices:
- JSF++ (Joint Strike Fighter - Bjarne Stroustrup)
- MISRA C++
- MISRA C
- HICPP (our company standard from 2003, new version 3 October 2013)
Not all bugs are dataflow or resource usage based. Incorrect language usage can result in hard (expensive) to detect bugs.
Our software extends the defensive language analysis to provide for language based bug checking:
- Calling an implicitly defined member function, where a sister function has been explicitly declared.
- Heap object of derived type undergoing derived to base conversion without a virtual destructor.
Resource Misuse
- Acquired resources are tracked to ensure that they are released.
- Checking is not limited to memory: create, open, close, fopen, fclose, strdup, dup.
- Analysis uses the Syntax Usage Engine; tracking is performed by inter-function analysis within the translation unit.
- Special handling of constructors and destructors allows for checking that resources allocated in a constructor are freed in a destructor.
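The two language-based checks listed under Language Misuse and the constructor/destructor pairing described under Resource Misuse, shown in their corrected form. This is an added example, not code from the presentation or from PRQA; `Base`, `Derived`, `Buffer` and the helper functions are hypothetical names.

```cpp
#include <cstddef>
#include <cstring>

static int g_derived_dtor_calls = 0;  // constructed counter for the demo

// Check 1: a heap Derived is deleted through Base*. Without `virtual` on
// ~Base() that delete is undefined behaviour and ~Derived() may never run.
struct Base { virtual ~Base() {} };
struct Derived : Base { ~Derived() { ++g_derived_dtor_calls; } };

// Check 2: Buffer declares a copy constructor, so the "sister" copy
// assignment must be declared too. The implicit one would copy the raw
// pointer and both objects would delete[] the same block.
class Buffer {
public:
    explicit Buffer(const char* s)
        : len_(std::strlen(s)), data_(new char[len_ + 1]) {  // acquire
        std::memcpy(data_, s, len_ + 1);
    }
    Buffer(const Buffer& o) : len_(o.len_), data_(new char[o.len_ + 1]) {
        std::memcpy(data_, o.data_, len_ + 1);
    }
    Buffer& operator=(const Buffer& o) {
        if (this != &o) {
            char* fresh = new char[o.len_ + 1];  // allocate before releasing
            std::memcpy(fresh, o.data_, o.len_ + 1);
            delete[] data_;
            data_ = fresh;
            len_ = o.len_;
        }
        return *this;
    }
    ~Buffer() { delete[] data_; }  // release what the constructors acquired
    const char* c_str() const { return data_; }
private:
    std::size_t len_;  // declared before data_ so it is initialised first
    char* data_;
};

int destroy_via_base() {
    g_derived_dtor_calls = 0;
    Base* b = new Derived;
    delete b;  // runs ~Derived() and then ~Base()
    return g_derived_dtor_calls;
}

bool assignment_is_deep() {
    Buffer a("alpha"), b("beta");
    b = a;  // user-defined deep copy, no shared pointer
    return b.c_str() != a.c_str() && std::strcmp(b.c_str(), "alpha") == 0;
}
```

Removing `virtual` from `~Base()` or deleting `operator=` from `Buffer` reproduces the two defect patterns the slide names.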
Deep-flow Dataflow
Dataflow analysis provides a mechanism to detect serious runtime behaviour problems:
- Buffer overflows (security)
- NULL pointer dereference
- Undefined mathematical operations
- Use of unset variables
- much more...
Results are accurate and precise due to in-depth modelling of the language combined with a state of the art Satisfiability Modulo Theories (SMT) solver, Yices 2. (Dutertre, B., de Moura, L.: A fast Linear-Arithmetic solver for DPLL(T). In: Ball, T., Jones, R. B. (eds.) Computer Aided Verification. LNCS, vol. 4144, pp. 81--94. Springer, Heidelberg (2006))
Deep-flow Dataflow (Continued)
- Analysis is performed across function boundaries within a translation unit.
- Software highlights obvious defects where cause and effect are localized, or where project wide knowledge is required to determine there are no issues.
- Inter-variable dependencies are tracked, ensuring low false positives/negatives.
- Tracking of values referred to by pointers increases the depth of analysis and improves modelling through function boundaries.
Screenshots
General Description
First and foremost we must parse the code correctly:
- Requires a fully functional C and C++ pre-processor and parser.
- Initial analysis takes place during parsing, where code is checked for conformance to the respective language standard.
- Both parsers are written to conform to the standards, and deviations from "legal code" are highlighted with a message and in some cases then controlled under a configuration option. The default behaviour is to comply with the standard.
The parser builds an internal Abstract Syntax Tree for the source code and then the rest of the analysis takes place.
Most of the analysis in QA C++ (and some in QA C) is performed in the reverse order of the call tree, i.e. 'leaf functions' are analysed before their callers. This allows QA C++ to use information about a called function during the analysis of the caller. This is especially important for 'dataflow' and is a core requirement for inter-function analysis within the translation unit.
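A toy illustration of the leaf-first ordering described above: each function gets a "may return NULL" summary, and callees are summarised before their callers so the caller's analysis can use them. This is an added sketch, not QA C++'s implementation; the `Func` model, the function names and the sample call tree are constructed assumptions.

```cpp
#include <map>
#include <string>
#include <vector>

// Constructed toy model: a function has a `return NULL;` path of its own
// and/or returns the result of one of the listed callees.
struct Func {
    bool returns_null_literal;
    std::vector<std::string> returns_from;
};
typedef std::map<std::string, Func> Program;

struct Analysis {
    std::vector<std::string> order;        // leaf-first order of analysis
    std::map<std::string, bool> may_null;  // per-function summary
};

// Post-order walk of the call tree: a callee is finished before its caller.
static void analyse(const Program& p, const std::string& f, Analysis& a) {
    if (a.may_null.count(f)) return;  // summary exists or is in progress
    a.may_null[f] = true;             // conservative while in progress (recursion)
    Program::const_iterator it = p.find(f);
    if (it == p.end()) return;        // unknown external: stay conservative
    bool r = it->second.returns_null_literal;
    for (std::size_t i = 0; i < it->second.returns_from.size(); ++i) {
        const std::string& callee = it->second.returns_from[i];
        analyse(p, callee, a);        // leaf first
        r = r || a.may_null[callee];  // reuse the callee's summary
    }
    a.may_null[f] = r;
    a.order.push_back(f);
}

Analysis analyse_program(const Program& p) {
    Analysis a;
    for (Program::const_iterator it = p.begin(); it != p.end(); ++it)
        analyse(p, it->first, a);
    return a;
}

Program sample_program() {  // constructed call tree
    Program p;
    p["find_entry"].returns_null_literal = true;    // leaf: NULL on a miss
    p["get_default"].returns_null_literal = false;  // leaf: never NULL
    p["lookup"].returns_from.push_back("find_entry");
    p["handler"].returns_from.push_back("lookup");
    p["safe_handler"].returns_from.push_back("get_default");
    return p;
}
```

On the sample, `handler` inherits the NULL-return possibility from `find_entry` through `lookup`, while `safe_handler` does not, without re-analysing any callee body.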
General Description (Continued)
A benefit of using our own parser technology is that we are not limited in the information that can be used for analysis. Macro history, instantiation history etc. that can normally be dropped by the compiler when generating code can be kept around. This aspect will again be used for some new C++11 checking, for example of the 'auto' keyword.
A common dataflow engine is used by QA C and QA C++. QA C++ translates C++ constructs into an equivalent C representation and this is then passed into the dataflow engine. The resulting flow graph is further simplified and an SMT solver is then used to search for defects.
As part of analysis, a semantic representation is also produced and this is then checked during Cross Module Analysis (CMA). A significant amount of undefined behaviour goes undetected by most of the available linkers, for example different function declarations etc. CMA performs this checking.
General Description (Continued)
Areas with limited support:
The output format used for the semantic representation is verbose, and in the case of C++ can result in huge amounts of information being written (and therefore being read). As projects have increased in size, and with libraries such as boost, this is becoming more of an issue. We're working to change the output format to improve this situation. Once this change is made we should be able to widen the scope of our existing analysis and provide new richer analysis for the entire program.
What are we looking for?
Collaboration in areas:
– Architectural analysis of our dataflow with the target for implementation:
  - Interprocedural Dataflow Analysis
  - Security Issues Analysis
  - Multi-threading Issues
  - Parallel Processing Issues
– Information about compilers' new features & switches
– Timing Analysis (executable, run-time)
– New methods in code parsing, etc.
Types of Collaboration: different types are available – subject for discussions
Questions? Evgueni_Kolossov@programmingresearch.com
Customer Case study “QA·C is above other tools when it comes to coding standard compliance” Site Software Director
Customer case study “Since we began using the MISRA C Compliance Module, the quality and consistency of our first generation code has skyrocketed, and our final products have been virtually error-free” Stuart Jobbins, Head of Software Development
Customer Case study “QA·C++ provides an efficient, robust, fully automated environment to introduce and enforce coding standards” Benjamin Pitzer, Senior Research Engineer
Customer Case study “With QA·C our prototypes retain much of their integrity, because most defects are caught early... even as our goals evolve and the code changes, our product quality remains consistently high.” Dana Sawyer, Senior Software Designer
Customer Case study “For us, it’s critical to focus on detecting issues early and tools like QA·C will help there” Samir Kulkarni, Head of Productivity
Independent research on Static Analysis Tools / MISRA Compliance by TERA-Labs
[Chart axes: No False Positives to All False Positives; Reports every violation to Fails to report true violation.]
Dr Marijn Temmerman from TERA-Labs observed, “On paper all the selected tools claimed to provide comprehensive MISRA C compliance checking - but the reality was different!”