Code Analysis Software?

Bryan Andersen asks: "What is there available in open source code analysis software? I'm about to embark on a project that will make use of lots of open source software. I need to make sure that the software used is as bulletproof as possible with a limited staff. I'd like to make sure there aren't surprises like buffer overflows, race conditions, etc. in the code that we write."
  • by Dr. Tom ( 23206 ) <tomh@nih.gov> on Tuesday December 25, 2001 @05:13AM (#2749018) Homepage
    http://freshmeat.net/projects/its4/
    http://freshmeat.net/projects/r.a.t.s./
    http://freshmeat.net/projects/qaudit/
  • One approach (Score:4, Informative)

    by pong ( 18266 ) on Tuesday December 25, 2001 @07:39AM (#2749085) Homepage
    Make sure that everything you write yourself is covered by unit tests. This will catch many problems with the open-source libraries and components you use, but another important benefit in this context is that it allows you to refactor your code and replace one library with an alternative implementation with confidence.
    • So much for the theory (e.g. extreme programming methodology).

      Yes, it should be like this, but in reality it will only be done by teams that have either enough manpower to spare time for this test implementation or that have an established product in a consolidation phase.

  • For JAVA: RECODER (Score:4, Informative)

    by angel'o'sphere ( 80593 ) <angelo.schneider@nOSpam.oomentor.de> on Tuesday December 25, 2001 @10:39AM (#2749317) Journal
    Well, the asker did not say what kind of software he needs this for.

    For JAVA I would recommend RECODER, hosted on sourceforge.net. https://sourceforge.net/tracker/?group_id=28173

    A compiler, loading a bunch of JAVA files just like a VM would do, but instead of compiling it builds a "data base" of all structures.

    OK, for the gurus: it's an AST with extensive query and manipulation possibilities.

    Partial parsing from strings (create a method by having a string parsed and inserted into a class).

    The project is pretty mature, as it is > 3 years of work by several PhDs and some diploma theses.

    In general, that question would have been more easily answered by the asker himself if he had simply searched the web ....

    Regards,
    angel'o'sphere
  • Journal articles seem to contain a wealth of information that is being re-discovered, and projects that are being re-implemented in non-academic circles all the time. One project that might be particularly relevant to your needs is:

    1. Stefan Savage, Michael Burrows, Greg Nelson, Patrick Sobalvarro, and Thomas Anderson. Eraser: a dynamic race detector for multithreaded programs. ACM Transactions on Computer Systems 15, 4 (November 1997), pages 391-411. Also appeared in the Proc. Sixteenth ACM Symposium on Operating Systems Principles (October 1997).

    The Association for Computing Machinery web site (acm.org) has a search engine, but you may find Google and/or your local library to be more useful interfaces if you are not an ACM member.

    http://citeseer.nj.nec.com also turned up in a cursory web search as a source for some interesting articles, which are apparently freely available.
    • Actually, this isn't what the guy is looking for. He's looking for something that can automatically check for time-of-check/time-of-use file-based race conditions. They're race conditions between multiple processes, not multiple threads. You can certainly have security bugs resulting from thread-based race conditions, but it's not all that common in the grand scheme of things.

      Additionally, that work is dynamic, which requires you to actually run the program. The person seems to be looking for static source code analysis tools. The best one right now is RATS (www.securesw.com). It scans in a bunch of different languages. Nonetheless, it has a lot of false positives... it's easy to imagine a tool that's a lot better.

      I also don't think it's very likely that anyone not devoted to building this kind of a technology is going to find it very easy to build something that constitutes "real" analysis (though merely mimicking something like RATS doesn't take much effort).
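To make the two points in the reply above concrete (a lexical RATS/ITS4-style scanner is quick to mimic, and it produces false positives), here is a minimal scanner added as an illustration; it is not code from RATS, ITS4 or any other tool named in this thread. The C snippet it scans, the call tables and the five-line check/use window for the TOCTOU heuristic are all constructed assumptions.

```python
import re

# Constructed sample of C source (not from the page): one access()/open()
# TOCTOU window, one unbounded strcpy, and one strcpy that fits its buffer
# but is still flagged, the false-positive class the reply above mentions.
SAMPLE_C = """\
int save(const char *path, const char *data) {
    char name[64];
    strcpy(name, "out.txt");       /* fits, but a lexical scanner flags it */
    if (access(path, W_OK) != 0)
        return -1;
    int fd = open(path, O_WRONLY); /* path may be swapped after access() */
    char buf[16];
    strcpy(buf, data);             /* unbounded copy into a 16-byte buffer */
    return fd;
}
"""

# Assumed rule tables; real tools ship far larger databases.
RISKY_CALLS = {
    "gets": "unbounded read; use fgets",
    "strcpy": "unbounded copy; use a length-checked copy",
    "strcat": "unbounded concatenation; use a length-checked append",
    "sprintf": "unbounded formatted write; use snprintf",
}
CHECK_CALLS = ("access", "stat", "lstat")
USE_CALLS = ("open", "fopen", "chmod", "chown", "unlink")
# Call name, then a lookahead for its first argument so that nested calls
# such as if (access(path, ...)) are not swallowed by the outer match.
CALL_RE = re.compile(r"\b(\w+)\s*\((?=\s*([^,()]+))")

def scan_source(src: str, window: int = 5) -> list:
    """Return (line, rule, message) findings in the RATS/ITS4 style."""
    findings = []
    recent_checks = []  # (line, first argument) of access()/stat() calls
    for n, line in enumerate(src.splitlines(), 1):
        code = line.split("/*")[0]  # ignore trailing C comments
        for m in CALL_RE.finditer(code):
            name, arg = m.group(1), m.group(2).strip()
            if name in RISKY_CALLS:
                findings.append((n, name, RISKY_CALLS[name]))
            elif name in CHECK_CALLS:
                recent_checks.append((n, arg))
            elif name in USE_CALLS:
                for cn, carg in recent_checks:
                    if carg == arg and n - cn <= window:
                        findings.append((n, "toctou", f"{name}({arg}) after check on line {cn}"))
    return findings
```

Running `scan_source(SAMPLE_C)` reports line 3 (the harmless copy), line 6 (the TOCTOU window opened on line 4) and line 8; a scanner that reasons about buffer sizes and data flow rather than call names is what it takes to drop the first of those.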
  • There is one coming on SourceForge, I believe called SourceCheck. From what I have been told by the guy developing it, it parses Java files up to 1.3 and looks for standards and problematic conditions in the code on a static level, generating an HTML report at its conclusion. Should be pretty neat, if it ever gets going.
  • Even though it is not open source, at $250 per seat including unlimited support, it is the best software development tool that I have ever seen. I understand why you want to write open source, but do all of your tools also have to be open source?
