Polyspace Static Analysis Notes

Read through the latest posts to learn more about Polyspace® products.

Robustness and Contextual Code Verification: Part 2

By Anirban Gangopadhyay and Ram Cherukuri

In part one of this two part series, we discussed robustness code verification, a method in which you verify your unit of code in isolation from the rest of the code base. We outlined a few examples, and we discussed the pros and cons of using this approach.

In this post, we will discuss contextual code verification, in which you verify your unit of code in context of the code base where the unit will be integrated. This post will walk you through the concepts behind contextual code verification using the same examples as in the last post, and it will then outline the best practices for using both types of code verification (robustness and contextual).

Read more

Robustness and Contextual Code Verification: Part 1

By Anirban Gangopadhyay and Ram Cherukuri

This is part one of a two part series outlining code verification methods.

We begin with a question: At what stage of software development should I verify my code?

The answer is simple. You should verify it right after you have compiled it, when the code is fresh on your mind. Once you are shown potential errors, reviewing and fixing those errors can be almost trivial. Fixing errors never gets easier after that stage in the workflow.

Read more

Misconception: Static Analysis Is Only About Finding Bugs

By Ram Cherukuri, Jeff Chapple, Stefan David, and Jay Abraham

Faster time-to-market trends could possibly be driving the misconception that static analysis is only about finding bugs. Software developers must eliminate as many bugs as possible and will use a quick bug finding tool, though it is likely that some bugs will remain. This practice may be sufficient for non safety-critical applications such as smartphone apps, but it may be insufficient for safety-critical applications. Safety-critical applications, therefore, require more rigorous methods to verify safety and robustness, which is where the other benefits of static analysis come in. In this article we will bust the misconception that static analysis is only about finding bugs, and prove that it can help verify compliance to coding standards, produce metrics about code quality, and be used at any stage of software development.

Read more

Detecting the Apple Goto Fail Vulnerability

By Jay Abraham, Ram Cherukuri, and Christian Bard

In February 2014, technology blogs and news outlets were abuzz about a newly discovered vulnerability in Apple’s iOS iPhone, iPod, iPad, and Mac OS X devices. There was a problem in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) code that could be exploited by what is known as Man in the Middle attack (MitM). The vulnerability was dubbed Goto Fail, and Apple quickly patched the defect with iOS 7.0.6 for its mobile platform and OS X 10.9.2 for the desktop platform.

Read more