Firefox Analyzed for Bugs by Software

eldavojohn writes "In a brief article on CNet, a company named Coverity announced that Firefox is using software to detect flaws in Firefox's source code. Even more interesting is the DHS initiative for Coverity to use this same bug detection software on 40 open source projects." An interesting tidbit from the article: "Most of the 40 programs tested averaged less than one defect per thousand lines of code. The cleanest program was XMMS, a Unix-based multimedia application. It had only six bugs in its 116,899 lines of code, or .51 bugs per thousands lines of code. The buggiest program is the Advanced Maryland Automatic Network Disk Archiver, or AMANDA, a Linux backup application first developed at the University of Maryland. Coverity found 108 bugs in its 88,950 lines of code, or about 1.214 bugs per thousand lines of code." We've covered this before, only now Firefox is actually licensing the Coverity software and using it directly.

Math

That's .051 bugs per thousand lines of code for XMMS, an order of magnitude better.

Re:Math

Quite possibly because XMMS is practically stagnant. I don't even use it, but Amarok is by far the best audio app I've tried for Linux, quite possibly because the people developing it have some idea of which decade they're in.

If this is the same

If this is the same as most automated testing software I've seen, it detects many things which aren't truly bugs as bugs. Accuracy on automated testing tools I've been exposed to is around 40%.

Re:If this is the same

Sorry about the link.
Corrected link [coverity.com]. Unfortunately there are only 2 examples since there are trade secrets involved with bug reports.
This might look like a slashvertisement, but I didn't submit the original story (which does pick up on a press release)

That would tend to reccomend it to me

I will definitely take another look at Coverity's products, if the Firefox team is finding value in it.

Errr...

I hope these Coverity guys aren't pompous enough to think that their tool can find ALL bugs in a program with... magic...

Hmm, they should run their tool on its own source code, that would be fun.

Re:Errr...

Finding all POSSIBLE bugs in a software program means traversing all possible paths in the code with all possible inputs. That's a HUGE problem. You can "model" the code using Logic Equations and that helps some but any errors in the conversion from code to logic equations invalidate results. The DoD and NASA have spent many millions on solving this problem over the last 10-12 yrs. When I was at NASA we used several different tools (CodeSurfer, Purify, Lint, Polyspace as I recall) as each tool was better at one thing (i.e memory leaks vs null pointer dereferences). A The complete process took a couple of days to weeks and then human eyes and expertise were still needed to remove false positives. A good site for all the tools out there, old & new is http://spinroot.com/static/ [spinroot.com]. Looks like Coverty might be a good one to look into, as the best I had seen was CodeSurfer. All the good tools I have seen are commercial (NOT open Source) and EXPENSIVE!! I'd love to see a decent open source tool to run as a first pass before applying the other tools. Another point is that these tools are STATIC analysis. Run-Time Analysis is a whole 'nother animal but that area is improving with tools like DTRACE in Solaris.

Re:Errr...

I had some extensive conversations with the team at CodeSurfer and they think they the problem is NOT impossible, maybe more like Polynomial time. The DOD was funding them (this was about 3 yrs) ago to try to develop a solution that worked for C/C++ and Ada. NASA wanted to tag along on the research but we were told it was "classified" and DOD only. It's rare when someone turns down research money so they must be on to something.

Re:Errr...

A function that always returns the same value given its inputs is part of functional programming, not object-oriented programming. Most OO code is littered with side-effects and state-dependent behaviour. If you like to program in such a way, you may find yourself much more comfortable with a functional programming language. Languages like Haskell even enforce this.

Re:Errr...

I hope these Coverity guys aren't pompous enough to think that their tool can find ALL bugs in a program
We aren't (I'm a Coverity employee). We find real bugs, and we find false positives (but not too many of those).
Hmm, they should run their tool on its own source code, that would be fun.
We do that regularly.

this slashdot news is already outdated

if you look at the coverity site ( http://scan.coverity.com/ [coverity.com] ) you will see that there are already multiple projects who have brought there bugs down to zero. samba being on of the earliest.

Re:this slashdot news is already outdated

there are already multiple projects who have brought there bugs down to zero.

You mean "who have brought down the count of their bugs that this tool can detect down to zero." I'm sure they will have other bugs in code and design.

How does this tool compare to tools that do analysis by introspection on bytecode from languages like C# and Java. I use FxCop [gotdotnet.com] on C# code, and while it is very cool, using it is not newsworthy at all. Does this tool do more? Is is the news that it's used in a high-profile C++ program?

Integrating tools like this into your build process may be cutting-edge best-practice at present, but give it a while.

Re:this slashdot news is already outdated

You mean "who have brought down the count of their bugs that this tool can detect down to zero." I'm sure they will have other bugs in code and design.
Yeah, if they could make a program that would detect all bugs in a program, it would violate Turing's proof that the halting probelm is undecidable. [wikipedia.org]

From the articles, it sounds like they're basically looking for mistakes that could lead to security flaws, e.g., buffer overflows. If AMANDA is particularly buggy by their metric (detectable bugs per thousand lines of code), it's probably because AMANDA doesn't interface to the web, so the people coding it knew that certain classes of buffer overflow "bugs" wouldn't be a problem, because they wouldn't be exploited through an internet-facing interface. If you went back and ran this program on Unix apps written in C from the 1980's, you'd probably find zillions of bugs, but it wouldn't indicate low quality, it would just mean that the programs weren't written for an internet-facing environment in the year 2006, when the internet has become a battle zone for evil spammers, botnets, etc. If the only way such a bug can show up is for the user to supply carefully tailored input, and the result is simply that the program dumps core, then that's not a bug for a program that isn't facing the modern internet.

Interesting...

I find the AMANDA results interesting because AFAIK it hasn't recieved a code rewrite since the early 90's. I think an interesting study would be the to compare older projects with ones that have been rewritten from the ground up. Comparing the rate of new bugs introduced as opposed to those hidden in legacy code.

Bug/Lines of Code

"It had only six bugs in its 116,899 lines of code, or .51 bugs per thousands lines of code."

Sounds like someone needs to run this debugger on their calculator.

Once detected can they also fix the flaws?

Or that job is left for the monkeys banging on the keyboards.

AMANDA is cross-platform

Amanda works on many unix and unixoid operating systems, it's not a "linux" backup system. It's used primarily for driving remote backups to big tape libraries, most /. reading linux users would never have systems large enough to justify its use. :-)

Amanda IS, however being very actively developed right now, lots of new features -> lots of new bugs. Other issue is that it's a componenty, plugin architecture, made of a few processes communicating over pipes and sockets. A failure in one component won't necessarily be a security risk or take the whole system down, it's extremely robust in normal operation in my experience, despite this "high bug count". Unlike XMMS, various contributed plugins (e.g. tape changer robot drivers) are redistributed in the source tarball but only used by very small numbers of people with outlandish hardware.
I suspect if you included various XMMS plugins in the XMMS count, things would be different...

None of that *really* excuses a high bug count - but what really pisses me off is coverity's "we've found X bugs, but we're not going to tell you what they are or substantiate our claims (some of amanda is quite old code, has a lot of strcpys, I know that some automated security checkers will treat a strcpy as a "bug" even if it's safe), just FUD your project in various public fora...

Which type of bugs?

One has to wonder if these are coding/language bugs or logical bugs. Finding coding bugs is of course a valuable time saver, but the challenging and usually most costly bugs are of the logical sort, and invariably app specific.

"Meh. So much for the 'many eyes' theory"

Even more interesting is the DHS initiative for Coverity to use this same bug detection software on 40 open source projects.

Before the F/OSS nay sayers toss out the obligatory (and to be expected) "Meh. So much for the 'many eyes' theory" let's point out that having the ability to run a code checker on source code is only possible to the holders of said source code. So, while absolutely true that a proprietary vendor can run the code checker on their code as well as an open source project, there is a huge difference when it comes to the customer/user of said software: with Open Source the user has the freedom to run such a tool over the source code themselves.

In this age of SarbOx and risk management there is a real competitive advantage to F/OSS over proprietary code to large companies: audit-ability. In previous roles I've had to attest under HIPPA::Security that proprietary code was "secure" -- how? All I could do was obtain a vendor statement that was as non-commital and burden-shifting as possible. Yet, with a true ability to audit the code my pharmaceutical company depended on it would tilt the balance between similar-featured Closed vs Open source solutions. Especially today.

Ok, maybe nobody really cares about the 'many eyes' theory anymore. Regardless, the "open the hood" theory still applies, perhaps more than ever.

Meanwhile...

Coverity segfaulted whilst auditing MS Vista.

For those who are interested in Firefox' results

Here are some links to show the bugs in the Bugzilla database which were turned up by Coverity.
Open Coverity Bugs [mozilla.org]
All Coverity Bugs [mozilla.org]

Why AMANDA is buggy

AMANDA could easily be the buggiest OSS program in existence, and it would still be OK. The reason? It just has to be less buggy than Netbackup, and more usable than Legato. Luckily for the AMANDA developers, this are very very difficult criteria to miss.

AMANDA (and others) have fixed the defects

Coverity's own site [coverity.com] shows how many defects each product has fixed. the number of outstanding defects on AMANDA is now zero. zdnet reported the fixes back in April. [zdnet.com]

Those that follow amanda-hackers will know that there was less than a week [yahoo.com] between when coverity released the report on March 6th and it was announced that all bugs were fixed in AMANDA on March 12th.

I dislike the idea of Coverity

Coverity sounds like a scam. It is not possible for a program to analyze another program and find all the bugs; see halting problem [wikipedia.org].

I would find heuristic analysis annoying. I'd get quite annoyed if the program says "fix this buffer overflow" 1000 times because I use "strcpy" somewhere - even though I'm very careful and only use it when I know it can't overflow.

I should write a program that searches for odd perfect numbers [wikipedia.org] and terminates if it finds one. I wonder whether Coverity would say it is an infinite loop.

Coverity sounds like scare tactics to make money by claiming to do the impossible. They won't even disclose what their algorithm is. I would never trust them, especially on closed-source programs. Firefox doesn't have that risk, but they are wasting money.

Microsoft's PREfast is simpler but seems like a much more realistic solution: mark up your code to say how things are supposed to be used and the compiler can decidably sense problems. I'd just get tired of typing 2 underscores a million times.

Melissa

Re:I dislike the idea of Coverity

It is not possible for a program to analyze another program and find all the bugs; see halting problem .

Wrong. It is quite possible to analyze a program and find all the bugs that violate the language constraints (null pointers, buffer overflows, etc.). That's what program verification is for. For some programs, you can't tell whether a bug condition will occur, so you treat that as a bug.

Automated program verification is a good idea that went away because C and C++ have such ambiguous semantics. It's hopeless for those languages. The "pointer equals array" concept alone makes it very tough, because the language has no idea how big an array is. Worst idea in the language, and the root cause of buffer overflows.

Good verifiers were written for Pascal (I headed one of those projects [animats.com]), a good one was written for Java [dec.com] (at DEC, just before DEC went under), and Microsoft is working on one for C#. [microsoft.com]

The halting problem is not an issue

The halting problem is not an issue for program verification. This claim is raised repeatedly by the clueless, and it just isn't an issue.

Yes, you can construct a program that's formally undecideable. It's a hard way to write a bad program. It takes some work, and the resulting program is unlikely to be useful.

Most crash-type and security-hole problems in programs are entirely decidable. This is because almost all subscript calculations are composed from addition, multiplication by constants, and logic operations. Those are totally decideable, and there are good decision algorithms for that problem. Only when multiplication of two variables (both non-constant) is introduced can formal undecidability appear. See Presburger arithmetic [wikipedia.org].

In fact, halting is decidable for all deterministic machines with finite memory. Either you repeat a previous state, or halt within a finite number of cycles. The decision process may be made arbitrarily hard, but that's not undecidability. True undecidability in the Turing sense requires infinite memory.

Most of the practical problems with program verification come from dealing with interactions between various parts of the program. Containing those interactions well enough that you can localize problems is constraining on the programmer. "Design by contract" languages like Eiffel try to do that, but they're not popular. Retrofitting design by contract into C and C++ has been discussed, but the proposed schemes all have holes you could drive a truck through. A big truck.

Although software work seldom uses proof of correctness techniques, there's a whole industry doing it for hardware. There was a machine-generated formal proof of correctness for the FPU in AMD's K7 processor. [onr.com] AMD thus avoided the "Pentium division bug".

Re:I dislike the idea of Coverity

If you'd followed the lkml, you could have seen actual patches fixing real bugs, found by Coverity. Just run this search on google: "by coverity" patch site:lkml.org to convince yourself.
The fact that it is impossible to solve the whole problem of program correctness and that false positives will come up doesn't mean that the problem Coverity is adressing isn't usefull.

Regards,

No rsync?

Funny selection of programs; I don't see rsync on the list. From the article: DHS wants to reinforce the quality of open-source programs supporting the U.S. infrastructure. So, XMMS (an MP3 player) is more important to the U.S. infrastructure than rsync?

In defense of amanda

I'm somewhat surprised to see amanda being badmouthed here by this tool. It was mentioned on the amanda-users list a few months back that the amanda tree had been checked by coverity, and the 2 bugs coverity found were promptly fixed.

Thats not to say that as new features are added, new bugs haven't been too, but to actually call amanda a truely buggy application does stretch this users belief a wee bit. I'm currently running a 20060424 dated snapshot of the 2.5.0 tree, with no hiccups at all.

--
Cheers, Gene

So then ...

can they run these programs on the source of the program itself to look for bugs? Or would that be like the human brain being able to completely understand itself inside and out (aka. not possible)

VMware Uses It Too

We were using it since it was the Meta Compiler. I believe we had some interns from the project. They used our codebase to research their algorithms and we got free scanning. We may well be using the Coverity commercial code today.

Firefox is again the most unstable program...

Firefox is, once again, the most unstable program in common use [slashdot.org].

The 1.5.0.4 version of Firefox was quite stable, if the Flashblock extension was installed. The 1.5.0.6 version is unstable again. The CPU-hogging bug is back!

This comment posted from a copy of Firefox that is constantly using 2.8% of the CPU, even when all pages have been loaded, and there is no active content. That's 2.8% on the way to 70% or more, making it necessary to close Firefox and reboot Windows XP.

There are some bugs found by Coverity [mozilla.org] left unfixed, but so far things have gotten worse since 1.5.0.4, not better.

Types of bugs

After looking at some of the results from the Firefox sources, I see that "bugs" include unreferenced variables and dead code that never gets executed.

It looks like most of the real bugs consist of not checking return values, the worst being routines that act upon an object allocated by another routine without checking for null pointer.

Dan East

Homeland Security Tested XMMS?!

XMMS, a multimedia/mp3 player was tested as part of what the article calls a "$1.2 million, three-year grant [the Department of Homeland Security] awarded to a team consisting of Coverity, Stanford University and Symantec Corp" that was setup to "reinforce the quality of open-source programs supporting the U.S. infrastructure".

40 programs were tested. 40 open source programs. Not even all the programs installed by, or regularly used on, a default install of a particular distro or two; just 40 programs. I thought maybe these 40 were just the first 40 tested, but the original announcement of the award of the grant states that 40 programs would be tested.

And yet they didn't test BIND? ssh? Also, PostgreSQL is on the results list, but MySQL isn't? Did Homeland Security put this list together?! Using a dartboard and a list of open source applications, or what?!

This seems like a great software package, and I'm glad that Homeland Security acknowledges that "much of the critical infrastructure runs on open source", but I could think of a few other ways they could've spent $1.2 million, or at least a few other applications they should've tested before they got to XMMS.

Managed Code?

It seems silly to me that we're still looking for memory leak bugs, buffer overrun/strcpy-type stuff, and pointer dereferencing bugs. These problems have been fundamentally solved (or at least all but abstracted from the programmer) by managed code environments like Java, .NET, and others.

Why are we in the IT world still causing ourselves problems by using C/C++ in any situation except those which call for the strengths of C/C++ -- strengths which are quickly being matched by their managed counterparts.

Realtime? Embedded? Video game? Ok, use C/C++ (though even video games you could make an argument...). For everything else, there's managed code. No more memory pointer leaks (well, the hard-to-find kind caused by poor pointer management in C/C++), no more buffer overruns that aren't immediately fixable in one place, etc, etc.

C'mon, we, as the IT profession, have evolved past that. Why are we still trying to work around these already-solved problems?

Is this supposed to be news?

The software industry has been focused QA for pretty much its entire existance. This software they are using is just a testing framework, albeit an intricite one. Unit testing, code coverage, black box, system tests... all marketing buz words for excersizing your software. If you are'nt familiar with the software dev qa process, here is how it generally works in production:

Hiring dozens of QA people to discover discover a broken error path that a developer could have fixed in 5 minutes is inefficant and slow. Instead, developers can find many bugs quickly by excerising the data paths of their own code. After (or even better, before) writing a new snippet of code, a motivated developer writes a unit test for it. The test is simple: given certain specific conditions, your code should return some predictable result.

Example- I need to write code that tell me which of two numbers between 1 and 10 is larger. I would need to write at least 6 simple tests that would guarantee this code will work in virtually every scenario. I would need to three tests to make sure it works when the input in valid, and another 3 tests to make sure it works when the input is invalid. Sample inputs:

• 3 and 8, valid(8)
• 7 and 4, valid(7)
• 0 and 7, invalid(0 lt 1)
• 11 and 5, invalid(11 gt 10)
• 12 and -12, invalid(range)

After a while there will be dozens, hundreds of even thousands of these simple tests. They will not mean much alone, but chained together they can provide a very stable testing bed. By running all the tests every time you release another version, developers can be pretty sure that everything that worked in the past will still work. (see regression testing).

Anyway, I didn't mean to start a lecture on basic testing principles... This post was motivated by the claims in the article regarding code quality. I would take the claim that 'XMMS is the most bug free software' with a grain of salt; a big grain. The results of any testing procedures are only as good as the individual tests. Lets say that the above example was one of the tests that Coverity was using in XMMS. Maybe it passed, great! But what where to happen if a user input -13 instead of 12? or maybe -5,000,000,000 and 1? How about the letter A as an argument?

They don't even give us code coverage numbers, or a count of tests... just a claim. I would bet that the AMANDA project had 10 times as many tests per line of code as XMMS. That would make AMANDA the most bug free software. Oh, and on another note, i noticed some comments about IE testing. I don't use IE, but I am 100% certain that Microsoft has an internal testing framework that puts this one to shame.

But how much does it cost?

For a company selling a software product, they seem stupidly protective of how much the damn thing is going to cost me to obtain. Try and find a price sheet on their website. It isn't there.

The less up-front anybody is about costs, the less worthwhile their product usually is. And the more variable the cost usually is (ie: as they figure out how much they can overcharge you). And no, I will not register with them for the "honor" of finding out more information. I'm guessing that it's something stupidly outrageous since the cost of running their application on a bunch of Open Source programs cost $1.2 million - which anyone with a single copy and a free weekend probably could have done for themselves.

They also don't disclose what their product actually does. So I'll join with the other voices here in calling for the need of an open-source alternative to this project - an alternative that has full disclosure about what the product is capable of and what it's going to cost you to use.

Coverity on Windows?

"Coverity was also run on the Windows source code. Unfortunately, the 32-bit integer iterator in Coverity was 1 count too small to store the count of the number of bugs found, and so Coverity's counter rolled-over, showing that Windows actually has -2,147,483,648 bugs. Microsoft employees were ecstatic at the results, and Steve Ballmer was said to be seen dancing in his office, yelling 'developers, developers, developers, developers!!'."

From the Amanda Wiki:

Coverity and Klocwork have been running their static analysis tools on the latest Amanda source code and making the results available for the Amanda developers to analyse and fix the defects. Currently (July 7, 2006), we have zero defects found by these tools. We are thankful to these companies for making these tools available and in general, helping to improve quality of open source projects.

http://wiki.zmanda.com/index.php/Developer_documen tation [zmanda.com]

coverity

http://www.coverity.com/news/nf_news_06_27_05_stor y_9.html [coverity.com]

Patch gratitude

It's pretty detremental to spurring increase in collective effort for addressing bugs in software, when people on the receiving end (the ones with CVS/SVN commit access) behave like jerks. I can't even recall the number of development lists I've been on where some committer has some grudge with a minute detail of a patch and simply responds "no way" or "This won't be committed because the indentation is not to my liking" or similar. Instead of being arses, why not fix the tiny details they complain about and submit the patch while responding to the submitter with "Thanks alot for the contribution, we really appreciate your work".

An example from one of the submissions for the Coverity bugs in Mozilla where the coder who made the patch actually had the balls to set the arrogant committer prick right.

Description: Pointer "value" dereferenced before NULL check

------- Comment #1 From timeless 2006-05-07 06:30 PDT [reply] -------

Created an attachment (id=221174) [edit]
reorder null check

------- Comment #2 From Nelson Bolyard 2006-05-07 18:09 PDT [reply] -------

(From update of attachment 221174 [edit])
Sorry, file changes that include lots of gratuitous tab->space conversion will
not be acceptable.

------- Comment #3 From timeless 2006-05-08 00:03 PDT [reply] -------

that's fine. it's not my job to fix your bugs. i provide patches as a courtesy

Re:not just any software?

Err?... I always thought Bugzilla was just where you reported bugs in Mozilla suite products?...

How does this bug detection software work anyway?

Re:not just any software?

Didn't they always use software of some sort, Bugzilla, etc?

Bugzilla is a issue tracking software; it's useful only after you've already found a bug. The only other bug-related tool they use is the FullCircle crash reporter thingy, again, after-the-fact thing. This is different - this tool finds flaws from the source code automatically.

Re:GNAA

Looks like somebody failed troll academy ;)

Firefox is a browser

I assume they specifically mean "Firefox is using Coverity software to detect flaws in Firefox's source code."

And I'm assuming that they mean "Mozilla is using Coverity..." or "Firefox developers are using Coverity...". After all you don't hear about what Internet Explorer is doing, but rather what MS are doing with it.

Wouldn't it be great if the summary was clearer and neither of us had to make mental amendments? :(

Re:Check the checker

The real question is, what happens if they run it on itself and it reports that it DOES have bugs? Suddenly we're in "this statement is false" territory...

Re:not just any software?

Didn't they always use software of some sort, Bugzilla, etc?

Unfricking believable! You obviously know nothing about this subject, so please, please keep your trap shut and let the grown-ups talk.

Re:not just any software?

You're begging to get flamed, aren't you? Anyway it's great that OSS projects are doing code auditing much like closed source ones often do.

Re:not just any software?

Detecting flaws != reporting flaws. The summary was clear as day to me.