• No results found

Open-source Versus Commercial Software: A Quantitative Comparison

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Open-source Versus Commercial Software: A Quantitative Comparison"

Copied!
24
0
0

Loading.... (view fulltext now)

Download now ( 24 Page )

Full text

(1)

Open-source Versus Commercial

Software:

A Quantitative Comparison

Open-source Versus Commercial

Software:

A Quantitative Comparison

Rix Groenboom

Reasoning NL BV

(2)

Agenda

Agenda

™

About Reasoning

™

The Study

™

Inspection Results

™

Analysis

™

Conclusions

™

New results

(3)

About Reasoning

About Reasoning

™

Reasoning provides an automated

inspection service for organizations that

develop software

™

Enables building better software in less

time and at lower cost

™

Support C, C++, and Java

(4)

The Study

The Study

First, some background:

™

Proponents of Open-Source software

have long claimed their code is of higher

quality

Power of peer review

Root cause analysis on site enables easier fix

™

Commercial software vendors have long

claimed their code is of higher quality

(5)

The Study

The Study

Why do the study ?

™

Our customers wanted to understand the real

differences between Open-Source software

and Commercial software

Reasoning is uniquely positioned to provide this information

When was the study performed ?

™

Open-source inspection = December 2002

(6)

Used Software Inspection

Used Software Inspection

™

AKA Peer Review

™

Implicit in Extreme Programming

™

Examination of source code to:

Detect defects

Trace code to requirements

(7)

Increased Reliability,

Reduced Cost and Time-to-Market

Value of Inspections

Value of Inspections

Software Development Lifecycle

Without ASI

Design Test

Savings

$$$

Code Integrate

With ASI Automated

Inspections

Integrate Code

(8)

Types of Defects Searched for

Types of Defects Searched for

™

NULL Pointer Dereference

™

Out of Bounds Array Access

™

Memory Leak

™

Uninitialized Variable

™

Bad Deallocation

Using an Automated Software Inspection (ASI)

methodology.

(9)

ASI Technology

ASI Technology

Source Code Reports

Architecture

Architecture

Language Parser Potential Violations Summarize CAGs by Function & Level Symbolic Evaluation Using Value Lattices Computation Analysis Graph (CAG) Builder Detection Rules Potential Defects Defect Review Feasible Path Analysis

(10)

Project Scope

Project Scope

™

Open Source implementation of TCP/IP in

version 2.4.19 of Linux Kernel

™

Five commercial implementations of TCP/IP

in commercial, general purpose operating

systems and telecommunications equipment

™

Why TCP/IP ?

(11)

static int sock_fasync(int fd, struct file *filp, int on) { struct fasync_struct *fa, *fna=NULL, **prev; struct socket *sock;

struct sock *sk; if (on)

{

fna=(struct fasync_struct *)kmalloc(sizeof(struct fasync_struct), GFP_KERNEL);

if(fna==NULL) return -ENOMEM; }

sock = socki_lookup(filp->f_dentry->d_inode); if ((sk=sock->sk) == NULL)

Can You Spot the Defect?

Can You Spot the Defect?

If this is true

.. and this true

.. this memory leaks

(12)

Actual Report

Actual Report

DEFECT CLASS: Memory Leak

LOCATION: src\linux-2.4.19\net \socket.c : 750

DESCRIPTION Local variable fna, declared on line 735, is assigned a pointer to a block of memory allocated by kmalloc on line 741. No other pointer refers to this memory block, so it is inaccessible (still allocated, but unreachable) once fna goes out of scope after line 750.

PRECONDITIONS The conditional expression (on) on line 739 evaluates to true AND

The conditional expression (fna==NULL) on line 742 evaluates to false AND The conditional expression ((sk=sock->sk) == NULL) on line 749 evaluates to true.

CODE FRAGMENT 73 3 s t a t i c i n t s oc k_ f a s yn c ( i nt f d, s t r u c t f i l e * f i l p, i n t on ) 73 4 { 73 5 s t r uc t f a s ync _ s t r uc t *f a, *f na=NULL, **pr e v; 73 6 s t r u c t s o c ke t *s oc k ; 73 7 s t r u c t s o c k *s k; 73 8 73 9 i f ( on) 74 0 { 74 1 f na=( s t r uc t f a s y nc _ s t r uc t *) kma l l oc ( s i z e of ( s t r uc t f a s y nc _ s t r u GFP_ KERNEL) ; 74 2 i f ( f na==NULL) 74 3 r e t u r n - ENOMEM; 74 4 } 74 5 74 6 74 7 s o c k = s o c ki _l oo kup ( f i l p- >f _d e nt r y - >d _i no de ) ; 74 8 74 9 i f ( ( s k=s oc k- >s k) == NULL)

(13)

Defect Overview

Defect Overview

8 312 Totals 3 9 Out of Bounds Array Access 1 132 Uninitialized Variable 0 0 Bad Deallocation 3 128 Null Pointer Dereference 1 43 Memory Leak Total Defects in Linux Kernel Total Defects in 5 Commercial Implementations

(14)

Feedback Linux Developer

Feedback Linux Developer

™

On OOB access

:

Nope, not wrong, the table is indexed off-by-one. If you were right, rtnetlink would simply not work.

™

On NPD:

In the cases where SKB is NULL, opt is never NULL, check the two callers.

™

On ML:

(15)

Feedback Commercial Developer

Feedback Commercial Developer

For the Linux community to just shrug

these off with "well the kernel works so

it must be ok" doesn't really cut it. I

think the NULL dereference checks should

be added, and definitely the out of

bounds array checking [..] For example,

the out of bounds array reference could

start causing a problem by just

rearranging the order variables are

declared.

(16)

Fix Rates

Fix Rates

12.5 1 8 Linux Kernel 2.4.19 75.3 235 312 Commercial Implementations % Repaired Reported

(17)

Metrics Comparison

Metrics Comparison

0 .0 0 0 .2 0 0 .4 0 0 .6 0 0 .8 0 1 .0 0 1 .2 0 D e fe c ts p e r K L S C In d u s try A ve ra g e L in u x K e rn e l 2 .4 .1 9 C o m m e rc ia l T C P /IP D e fe ct D e n sity C o m pa riso n W o rs t T h ird M id d le T h ird B e s t T h ird – Linux stack: 0.10Commercial stack: 0.55

(18)

Preliminary Hypothesis

Preliminary Hypothesis

N u m b er o f D e fect s Time Peer Review ? Commercial TCP/IP Linux 2.4.19 TCP/IP

(19)

Conclusions

Conclusions

™

Open-source is not inherently worse

™

More research is required

™

Code inspections still find critical defects

(20)

New results

New results

™

Apache test

Httpd 2.1-dev (development version 01/31/03)

Will determine, track, and report on defect density through lifecycle

Results on www.reasoning.com

™

Java implementation

Tomcat Jakarta

(21)

New results

New results

™

Apache implementation

Httpd 2.1-dev (development version from 01/31/03)

31 Defects in 59 KLOC; density 0.53

(22)

New results

New results

™

Java inspections:

Out of Bounds Array Access

NULL pointer dereferences

String Comparison

™

Jakarta Tomcat 4.1.24:

11 Defects in 71 KLOC; density 0.15 (Java average commercial software is 0.16).

(23)

Towards discussion

Towards discussion

™

OK, nice “hobby horse” for Reasoning and

others for research on test efficiency:

See SPIder News for a Stanford study on Linux

Les Hatton has compared Linux and CMM level

™

Ownership:

Who finds the bugs ?

Who fixes the bugs ?

™

“Open” source:

Will commercial end-user will actually make changes to the source ?

Who will actually review the source (e.g. for quality of the algorithms / security) ?

(24)

Discussion !!!

References

Download now ( PDF - 24 Page - 674.76 KB )

Related documents

Modeling great depressions: the depression in Finland in the 1990s

income effects that induce households to provide more labor in the market than they would have done if the tax revenues were rebated. Finally, notice that the model with

Development of control strategies for hybrid energy storage

To achieve these goals, the EDLC is used as support of the battery to extend its lifetime as well as reducing the total cost of the system. In fact, as explained in the

CRAFTING TYPE ON THE WEB

For example, when choosing a typeface for long body copy, you would likely look for a serif or sans-serif option.. Slab serifs could also be considered, but you’d want to

we ll be your number 1 groupies made4media Publicity Package is made4music

It gives you the edge over other bands who are still operating out of their Myspace, and it gives you a platform to link all your so- cial media to.. It also gives you a

Conifer Revenue Cycle Solutions, LLC

Commercial Skills (35%) - Training will be provided to Claims Representatives and Payment Processing Staff, Patient Services Staff and Support Staff to ensure that

Impact of Early Pelvic Floor Rehabilitation After Transurethral Resection of the Prostate

We examined the results of teaching pelvic floor muscle exercises (PME) on micturition parameters, urinary incontinence, post-micturition dribbling, and quality of life in

Strengthening of Concrete Beams Using FRP Composites

Comparison between pervious experimental results (Kachlakev and McCurry, 2000) and theoretical results (Kachlakev and Miller, 2001) with the current results

NOTICE OF CONTRACT NO. 071B between THE STATE OF MICHIGAN and

Contractor must: (a) perform the Contract Activities in a timely, professional, safe, and workmanlike manner consistent with standards in the trade, profession, or industry; (b)