Coverity Inc. says the new release of its Prevent static code-analysis software embodies a new approach to "software mapping" that finds more bugs in embedded and enterprise software than previous technologies. The Prevent Software Quality System (SQS) also includes new defect-tracking capabilities and Java support.
Static code analysis finds bugs in software by analyzing its source code, without executing the program. Coverity's Prevent has a long list of checks for such problems as null pointer dereferences, memory leaks, buffer overflows, logic errors and stack overflows. The primary usage so far has been for embedded software, said Benjamin Chelf, vice president and chief technology officer of Coverity (San Francisco).
In Prevent SQS, a technology called software DNA builds a map of an entire software application and allows Prevent to analyze individual files within the context of that overall map. Until now, Chelf said, most static code analyzers have simply parsed individual files, without taking into account how those files would be used in a running executable.
"Our notion of software DNA mapping is to understand what's going on not only in the source code, but also in the build system that puts the source code together," Chelf said. "We make sure the files [going into the analyzer] are compiled in the right way so the analysis most closely represents what's going to run."
Embedded users often build the same source code for multiple targets, Chelf said. In such cases, he said, it's not sufficient to look at individual source files only. "If you don't understand the notion of software DNA mapping, there are going to be a lot of false positives," he said. "A lot of work we've done on the mapping side is a direct result of our primary customer base being embedded designers."
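The following C example is added here to make two of the points above concrete; it is not code from Coverity or from the article. It shows three of the defect classes a static checker looks for (an unchecked malloc, an unbounded strcpy and a leak on an error path) next to a hardened version of the same constructor, and it shows why the build configuration matters: the safety of one call site depends on a per-target define, so a tool that parses the file without the target's compiler flags reaches the wrong verdict for one of the two builds. The record layout, the TARGET_ID_LEN macro and all function names are hypothetical stand-ins chosen for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a per-target define supplied by the build system, e.g. the
 * compiler invoked as "cc -DTARGET_ID_LEN=8 ..." for one target and with no
 * define (16 bytes) for another. Hypothetical name, not a Coverity setting. */
#ifndef TARGET_ID_LEN
#define TARGET_ID_LEN 16
#endif

struct record {
    char id[TARGET_ID_LEN];
    int  value;
};

/* Defective constructor carrying three of the defect classes named above:
 *  - malloc result used unchecked: null pointer dereference on allocation failure
 *  - strcpy with no bound: buffer overflow once strlen(src) >= TARGET_ID_LEN
 *  - early return on a bad value without free(r): memory leak */
struct record *record_new_defective(const char *src, int value)
{
    struct record *r = malloc(sizeof *r);
    strcpy(r->id, src);
    if (value < 0)
        return NULL;
    r->value = value;
    return r;
}

/* Hardened constructor: every input is checked before use, the copy is bounded
 * by the array size the compiler actually built, and the only early return
 * after allocation releases the record. */
struct record *record_new(const char *src, int value)
{
    if (src == NULL || value < 0)
        return NULL;
    struct record *r = calloc(1, sizeof *r);
    if (r == NULL)
        return NULL;
    size_t n = strlen(src);
    if (n + 1 > sizeof r->id) {      /* no room for the terminating NUL */
        free(r);
        return NULL;
    }
    memcpy(r->id, src, n + 1);
    r->value = value;
    return r;
}

/* The verdict a checker reaches for a call such as
 *     record_new_defective("0123456789", 1);
 * depends on the build: with the 16-byte default the literal fits, with
 * -DTARGET_ID_LEN=8 it overflows. A tool that parses this file without the
 * target's flags reports that call wrongly for one of the two targets. */
int id_capacity(void)
{
    return TARGET_ID_LEN;
}

int call_site_is_safe(const char *literal)
{
    return strlen(literal) + 1 <= (size_t)TARGET_ID_LEN;
}

/* Exercises record_new: returns the stored value, or -1 when the input is
 * rejected; -2 would mean the id was not copied intact. Frees the record. */
int record_try(const char *src, int value)
{
    struct record *r = record_new(src, value);
    if (r == NULL)
        return -1;
    int stored = (strcmp(r->id, src) == 0) ? r->value : -2;
    free(r);
    return stored;
}

int main(void)
{
    printf("id capacity for this build: %d bytes\n", id_capacity());
    printf("\"0123456789\" at the defective call site is %s on this target\n",
           call_site_is_safe("0123456789") ? "in bounds" : "an overflow");
    printf("record_new(\"abc\", 7) -> %d\n", record_try("abc", 7));
    printf("record_new(16-char id, 1) -> %d\n", record_try("0123456789abcdef", 1));
    return 0;
}
```

Compile it once as-is and once with -DTARGET_ID_LEN=8 to see the same source change its answer for the same call site; that is the gap between analyzing a file on its own and analyzing it under the flags the build actually uses.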
The software DNA-mapping capability allows the new version of Prevent to find 30 percent more defects than the previous version, Chelf said. This has been validated over millions of lines of open-source code, he said.
Coverity has also improved the management of software defects in an attempt to mirror the customer's existing quality control process with Prevent's workflow capabilities. "Every defect needs an owner, and it needs to get distributed to the right developer depending on where it is in the source code," Chelf said. "Severity and actions are associated with any defect-tracking system." Prevent SQS, he said, lets users employ the same terminology to describe severity and actions--and the same workflow capabilities--that they use in their own bug-tracking systems.
Prevent SQS supports all major compilers and language extensions, Coverity said. It works for Java, C and C++, and it supports compilers from ANSI, ARM, GCC, Green Hills, Intel, Microsoft, QNX, Wind River and others. The tool is available now, starting at $12,000 a year.