Finding Defects in C#: Coverity vs. FxCop

Selecting the Right Solution
Key Considerations
• Does it find critical defects?
• What is the false positive rate?
• Is it actionable?
• Is it accurate?
• Is it integrated into my workflow?
• How do I manage persistence?
Varying Levels of Static Analysis Exist
• Compiler warnings: verify that a program is type safe
• Byte code analysis: identifies defects in the intermediate language and tries to map them back to the source code
• Source code analysis: understands the meaning and intention of the program, which produces the most accurate results
Source vs. Byte Code Analysis (Example)
Indentation Doesn’t Match Boundaries:

if (x == 0)
    do_something(x);
    x = 1;

• A source code analysis solution can infer the developer’s intent: “x = 1” was meant to happen in the same block as the “do_something” call
• The developer is warned because the “x == 0” block does not actually include both statements
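The pattern above can only be detected on source text, because indentation does not survive compilation to IL. The following is an added C# example (not code from the deck or from Coverity) of a minimal checker for exactly this pattern; the class and method names, the indentation heuristic and the constructed sample input are my own.

```csharp
// Added example: a source-level check for "indentation doesn't match
// boundaries". It flags statements indented as if they belonged to a
// brace-less if/while/for body but which are actually outside it.
// Like any heuristic, it can raise false positives (deliberate indentation),
// which is why the false positive rate is a key consideration for a tool.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class IndentationCheck
{
    // Returns 1-based line numbers of suspicious statements in `source`.
    public static List<int> FindOrphanedStatements(string source)
    {
        var lines = source.Replace("\r\n", "\n").Split('\n');
        var findings = new List<int>();
        // A control-flow header with no opening brace on the same line.
        var header = new Regex(@"^\s*(if|while|for|foreach)\s*\(.*\)\s*$");

        for (int i = 0; i + 2 < lines.Length; i++)
        {
            if (!header.IsMatch(lines[i])) continue;
            int headerIndent = Indent(lines[i]);
            int bodyIndent = Indent(lines[i + 1]);
            if (bodyIndent <= headerIndent) continue;               // nothing to infer
            if (lines[i + 1].TrimStart().StartsWith("{")) continue;  // braced body

            // Only lines[i + 1] is in the block; every following line at the
            // same indentation looks as if the author meant it to be inside.
            for (int j = i + 2; j < lines.Length; j++)
            {
                string t = lines[j].Trim();
                if (t.Length == 0) continue;
                if (Indent(lines[j]) != bodyIndent || t.StartsWith("}")) break;
                findings.Add(j + 1);
            }
        }
        return findings;
    }

    // Leading whitespace width; a tab counts as four columns (assumption).
    private static int Indent(string line)
    {
        int n = 0;
        foreach (char c in line)
        {
            if (c == ' ') n++;
            else if (c == '\t') n += 4;
            else break;
        }
        return n;
    }

    public static void Main()
    {
        // Constructed input: the slide's snippet with the indentation it was shown with.
        string sample =
            "if (x == 0)\n" +
            "    do_something(x);\n" +
            "    x = 1;\n" +
            "return x;\n";
        foreach (int line in FindOrphanedStatements(sample))
            Console.WriteLine("line " + line + ": indented as part of the block above but outside it");
    }
}
```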
Coverity and FxCop Case Study
Complementary Solutions

Coverity Makes FxCop Enterprise-Grade
Stand-alone FxCop is good; FxCop + Coverity is better
Analysis
• Find more critical defects
• Improve accuracy of FxCop analysis
Efficiency
• Manage all quality and security issues in one workflow
• Improved defect management
Governance
• Improve visibility into quality and security trends over time and across the supply chain
Case Study
• Analysis of the paint.net project (formerly open source)
  • Version 3.22
  • 100K lines of code
• Analysis done using
  • Coverity 7.0
  • Microsoft Visual Studio 2013 / FxCop 12.0
• Coverity and FxCop look for different things
  • Coverity Static Analysis looks for code defects using: Bug Pattern Matching, Sophisticated Inter-procedural Dataflow Analysis, Abstract Interpretation, False Path Pruning, Boolean Satisfiability, Design Pattern Intelligence, Change Impact Analysis
  • FxCop checks conformance to Microsoft’s .NET Framework Design Guidelines
Different Solutions for Different Things
• Difference in depth vs. breadth
• No issues found by both Coverity and FxCop
• Numbers in orange indicate number of findings
[Diagram: Coverity: critical defects; FxCop: coding style & standard issues]
Critical Defects vs. Coding Style Defects

| Type | Coverity 7.0 | FxCop | Shared defects |
|---|---|---|---|
| Resource leaks | 75 | 0 | 0 |
| Concurrency problems | 20 | 4 | 0 |
| Logic errors | 4 | 2 | 0 |
| Hierarchy problems | 5 | 2 | 0 |
| Unhandled exceptions (incl. NULL deref) | 21 | 0 | 0 |
| Critical Defect Subtotal | 125 | 8 | 0 |
| Coding Standards, Best Practices, Other | 3 | 970 | 0 |
| Total Bugs | 128 | 978 | 0 |
The “Big 3” Classes of Defects in C#
1. Null references
2. Resource issues
3. Threading issues
Issues You Can Find via Source Code Analysis
Resource Leaks
• Database connection leaks
• Resource leaks
• Socket & Stream leaks
API usage errors
• Use of freed resources
Concurrent data access violations
• Values not atomically updated
• Data race conditions
Performance inefficiencies
• Unnecessary synchronization
Program hangs
• Thread deadlock
• Infinite loop
Logic Errors
• Dead code
Error handling issues
• Unchecked return value
Code maintainability issues
• Static set in non-static method
Class hierarchy inconsistencies
• Failure to call base.close() or base.dispose()
• Missing call to base class
Control flow issues
• Suspicious extraneous semicolon
• Inconsistent comparison usage
• Comparison of incompatible types
Null pointer dereferences
• Dereference after null check
• Dereference before null check
• Dereference null return value
Suspicious code
• Copy/paste errors
• Significant indentation anomalies
• Swapped arguments
Arithmetic errors
• Incorrect shift operation
• Incorrect expressions
• Overflow while evaluating expression
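The “Big 3” above, each written in the defective form that the checkers just listed would flag (“dereference after null check”, “Socket & Stream leaks”, “values not atomically updated”) beside a corrected form, as an added C# example that is not code from the deck, from paint.net or from Coverity. The class, method names and thread counts are my own.

```csharp
// Added example: the three defect classes the slides call the "Big 3" in C#.
// Each *_Bad method shows the defect; the *_Fixed method beside it shows the
// idiomatic correction. Names are hypothetical.
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;

public static class BigThree
{
    // 1. Null reference: "dereference after null check". The `path == null`
    //    test proves the author expected null, yet the null branch itself
    //    dereferences `path`.
    public static int LengthAfterNullCheck_Bad(string path)
    {
        if (path == null)
            Console.WriteLine("no path given: " + path.Length); // dereferences null
        return path.Length;
    }

    public static int LengthAfterNullCheck_Fixed(string path)
    {
        if (path == null)
            throw new ArgumentNullException(nameof(path));
        return path.Length;
    }

    // 2. Resource issue: "Socket & Stream leaks". If ReadToEnd throws, the
    //    Dispose call is skipped and the FileStream handle leaks.
    public static string ReadAll_Bad(string path)
    {
        var reader = new StreamReader(new FileStream(path, FileMode.Open));
        string text = reader.ReadToEnd();
        reader.Dispose(); // not reached when ReadToEnd throws
        return text;
    }

    public static string ReadAll_Fixed(string path)
    {
        // `using` disposes on every exit path, including exceptions.
        using (var reader = new StreamReader(new FileStream(path, FileMode.Open)))
        {
            return reader.ReadToEnd();
        }
    }

    // 3. Threading issue: "values not atomically updated". `count++` is a
    //    read-modify-write; concurrent threads interleave and lose increments.
    private static int _countBad;
    private static int _countFixed;

    public static int Increment_Bad(int threads, int perThread)
    {
        _countBad = 0;
        Parallel.For(0, threads, _ =>
        {
            for (int i = 0; i < perThread; i++)
                _countBad++;                               // data race
        });
        return _countBad;                                  // may be < threads * perThread
    }

    public static int Increment_Fixed(int threads, int perThread)
    {
        _countFixed = 0;
        Parallel.For(0, threads, _ =>
        {
            for (int i = 0; i < perThread; i++)
                Interlocked.Increment(ref _countFixed);    // atomic read-modify-write
        });
        return _countFixed;                                // always threads * perThread
    }

    public static void Main()
    {
        Console.WriteLine(LengthAfterNullCheck_Fixed("paint.net"));
        Console.WriteLine("racy: " + Increment_Bad(8, 100000) +
                          ", atomic: " + Increment_Fixed(8, 100000));
    }
}
```

Running the racy increment several times shows the lost updates directly; the null and stream variants are the shapes a source-level checker reports without running the code.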
Conclusion
• Different analysis tools often find different but complementary issues
• Use the right solution to find the issues that are important to you

Want to try Coverity on your code?
For a free trial visit: www.coverity.com
