C++Test from Parasoft

Unit-Test & Code-Compliance

By: Ori Arad

2/43

C++Test - General

� Static Code-Review

� Unit-Test Generator

� Coverage Analysis

3/43

C++Test - Resources

� Herb Sutter, Andrei Alexandrescu, "C++ Coding Standards," Addison-Wesley

� Scott Meyers – ECPP & MECPP

� Ellemtel Coding Standards (1990)

� MISRA-C 2004, MISRA-C++ 2008

� Motorola Coding Standards

� Meyers-Klaus Rules

� JSF Coding Standards (2005)

4/43

Rules Categories

� Coding Convention Rules

� Comments Rules

� Exceptions Rules

� Formatting Rules

� Initialization Rules

� Metrics Rules

� MISRA 2004 Rules

� Memory and Resource Management Rules

� Naming Convention Rules

� OOP Rules

� Optimization Rules

� Portability Rules

� Possible Bugs Rules

� Physical File Org. Rules

� Qt Best Practices Rules

� Security Rules

� STL Best-Practices Rules

� Templates Rules

� Bug Detective (*)

5/43

Coding Conventions

� For example:

� Magic numbers

� Default in Switch-case

� Const � non-const conversion

6/43

Coding Conventions

� Always provide a default branch for switch statements

� [preferred – throw an exception… or Error msg]

switch (EMyEnum)

{

case VALUE_1:

// bla bla

break;

case VALUE_2:

// yada yada

break;

}

switch (EMyEnum)

{

case VALUE_1:

// bla bla

break;

case VALUE_2:

// yada yada

break;

}

7/43

Coding Conventions

� Will the if’s body be executed?...

� Use only Boolean expressions in ifs…

int i = 1;

int j = 2;

if (i = j) {

……

}

int i = 1;

int j = 2;

if (i = j) {

……

}

8/43

Coding Conventions

� One more…

� Will the if’s body be executed?...

int small = 20000;

int big = small * 2; // 40000

if (small < big) {

……

}

int small = 20000;

int big = small * 2; // 40000

if (small < big) {

……

}

9/43

Coding Conventions

� Q: Will the if’s body be executed?...

� A: Depends… /-:

� Rule: Use: UINT8, INT16, UINT32 etc…

int small = 20000;

int big = small * 2; // 40000 or -25536?

if (small < big) {

……

}

int small = 20000;

int big = small * 2; // 40000 or -25536?

if (small < big) {

……

}

10/43

Coding ConventionsWrong…

void foo()

{

int array[2];

*(array+1) = 0; // Violation

*array = 0; // Violation

}

Right…

void foo()

{

int array[2];

array[1] = 0; // OK

}

Wrong…

void foo()

{

int array[2];

*(array+1) = 0; // Violation

*array = 0; // Violation

}

Right…

void foo()

{

int array[2];

array[1] = 0; // OK

}

Array elements shall

be accessed by the

array operator

11/43

Coding Conventions C++

� (not OOP – mostly syntax)

� Declare reference parameters as const references whenever possible

� Constructors allowing for conversion should be made explicit

� CPP casts instead of C-Cast

12/43

CPP casts instead of C-Cast

� Hard to find in code.

� (int)i Vs. static_cast<int>(i)

� Constness…

� const_cast<…>(…)

� Ugly?... Good… (-:

13/43

Coding Conventions C++

class CLocation {

public:

CLocation(double lat = 0.0, double long = 0.0);

double m_lat;

double m_long;

// more methods and other declarations…

class CLocation {

public:

CLocation(double lat = 0.0, double long = 0.0);

double m_lat;

double m_long;

// more methods and other declarations…

14/43

Coding Conventions C++

foo.cpp

CLocation.h

CLocation(double lat = 0.0, double long = 0.0);

double m_lat; double m_long;

CLocation(double lat = 0.0, double long = 0.0);

double m_lat; double m_long;

explicit CLocation(double lat = 0.0, double long = 0.0);explicit CLocation(double lat = 0.0, double long = 0.0);

CLocation myLoc;

myLoc.m_lat = 2.0;

myLoc = 3.0; // Oops… should be: myLoc.m_long = 3.0;

CLocation myLoc;

myLoc.m_lat = 2.0;

myLoc = 3.0; // Oops… should be: myLoc.m_long = 3.0;

15/43

More…

� Exception rules� Not from DTOR… (prevent stack unwinding)

� Initialization rules� Globals, static, member in CTOR etc

� Memory and Resource management� Delete (e.g. new in C’tor, no delte in D’tor)� Copy CTOR and operator=� Memcpy for copy vars… etc

� Preprocessor Rules� Macros, #define…

16/43

Initialization rules

� Popular problem… hard to detect:

� Debug-version OK, release – fails

� PC - OK, target – fails

� Lab – OK, Customer – fails…

� January – OK, February – fails

� Stack-variables… (no auto initialization)

� Static initialization order fiasco

17/43

Metrics

� Public methods per class

� Lines per file

� Cyclomatic Complexity

� Deep nesting

� Comments to code ratio…

18/43

More (2)…

� Formatting

� Spacing, {}, tabs, indentation etc.

� Naming Conventions

� MY_CONST, myFunction, myVar

� Comments rules

� // instead of /* */

� Comment every file, every method etc.

19/43

OOP Rules

� Multiple inheritance (diamond inheritance)

� Avoid calling virtual-methods/global-data from CTOR/DTOR

� Avoid public data members

� Avoid down-casting

� If a class has virtual functions it shall have a virtual destructor

20/43

Optimization Rules

� Unused variables

� Pass object by reference instead of by-value

� ++i instead of i++

21/43

Optimization Rules

class A

{ // Violation

char c1;

int i1;

short s;

int i2;

char c2;

};

class A

{ // OK

int i1;

int i2;

short s;

char c1;

char c2;

};

22/43

Portability Rules

� The type char shall always be declared as unsigned char or signed char

� Casting int to pointer and vice-versa

� Casting long to int and vice-versa

23/43

Possible Bugs Rules

� Don't treat arrays polymorphically

� Avoid assigning out-of-range value to char type

� TInt8 i1 = 150;

� TUInt16 i2 = -30;

� Don’t return a reference to local vars

24/43

Physical file Organization Rules

� Use multiple include guards

� #ifndef FILENAME_H #define FILENAME_H // code #endif

� An include file should not contain more than one class definition

25/43

Security Rules

� Use of printf, scanf, get() etc.

� getenv(),

� strncpy(), strcmp(), strlen() etc.

� Thread-safe, buffer-overrun etc.

26/43

Rules Categories

� Coding Convention Rules� Comments Rules� Exceptions Rules� Formatting Rules� Initialization Rules� Metrics Rules� MISRA 2004 Rules� Memory and Resource Management Rules

� Naming Convention Rules

� OOP Rules� Optimization Rules� Portability Rules� Possible Bugs Rules� Physical File Org. Rules

� Qt Best Practices Rules� Security Rules� STL Best-Practices Rules� Templates Rules� Bug Detective (*)

27/43

Disadvantages…

� Slow…

� Compilation-Unit limitation.

� Not Open-Source

� No “Quick-Fix”

� Not certified

� Expensive…

28/43

Bug Detective

� Resource Leaks –� Allocation misuse of memory, pipes, file descriptors, and other system resources.

� Bugs –� Runtime errors such as division by zero, array bounding and indexing flaws, NULL pointer dereferencing, and data initialization errors.

� Security Vulnerabilities –� Detect read, write or indexing of potentially tainted data.

29/43

Bug Detective (cont.)

1 void example(int src[100], int dest[100])

2 {

3 int size;

4 scanf("%d", &size);

5 memcpy(dest, src, size); // VIOLATION ("size"

is an arbitrary value possibly < 0 or > 100)

6 }

1 void example(int src[100], int dest[100])

2 {

3 int size;

4 scanf("%d", &size);

5 memcpy(dest, src, size); // VIOLATION ("size"

is an arbitrary value possibly < 0 or > 100)

6 }

� Buffer Overflow Security example

30/43

Bug Detective (cont.)

1 int main(int argc, char* argv[])

2 {

3 Point* point = 0;

4 if (argc > 3) {

5 point = new Point(atoi(argv[1]), atoi(argv[2]));

6 }

7 point->reflectAcrossX();

8

9 return 0;

10 }

1 int main(int argc, char* argv[])

2 {

3 Point* point = 0;

4 if (argc > 3) {

5 point = new Point(atoi(argv[1]), atoi(argv[2]));

6 }

7 point->reflectAcrossX();

8

9 return 0;

10 }

� Dereferencing a NULL Pointer

31/43

C++Test Plug-in to VS8

32/43

C++Test Plug-in to VS8 (cont)

33/43

RuleWizard

34/43

Rule-Wizard

� Basic – Regular-Expressions

� Semantic rules

� Python scripts

35/43

Popular bugs in code…

� Initialization

� Buffer-overruns

� Casting

� signed-unsigned

� Implicit/explicit

� Const to non-const

36/43

Unit-Tests

� Automatic Unit-Test Generation

� CppUnit compatible

� Stub, harnesses/drivers generating…

� Test-Cases

� Automatic execution and collect the results

� Coverage Analysis

37/43

Coverage

38/43

Coverage

� Function coverage –

� Has each function in the program been executed?

� Statement coverage –

� Has each line of the source code been executed?

� Decision coverage (also known as Branch coverage) –

� Has each control structure (such as an if statement) evaluated both to true and false?

39/43

Coverage

� Condition coverage –

� Has each Boolean sub-expression evaluated both to true and false (this does not necessarily imply decision coverage)?

� Path coverage –

� Has every possible route through a given part of the code been executed?

� Entry/exit coverage –

� Has every possible call and return of the function been executed?

40/43

More Features

� Various Operating-Systems

� Windows, Linux, VxWorks, Integrity and more

� Various compilers

� Team work

� Code-Review

� Rule and Configuration sharing

� Synchronized with Source-Control tool

41/43

Other Tools in Market

� QAC

� Lint

� LDRA� PolySpace

� C++Test� Klocwork

42/43

Questions?...

DEMO…