Automatic Bug Testing and Code Analysis

Agitar Software is a company with a great ambition: provide code analysis tools that not only attempt to locate bugs, but also present optimized alternatives to the current solutions. This is a marvellous example of what I’m desperately missing in software development: more automation. Many tasks can be performed by machines instead of letting developers waste their time.

There’s a problem with code analysis tools, however. Look at this code snippet:

for( socket = sockets; socket; socket = socket->next )
{
    if( 0 == strncmp( ip->name, socket->socket.name, strlen( ip->name ) ) )
    {
        choice = &socket->socket;
    }
}

Looks pretty decent, doesn’t it? This is a piece of code I encountered as I investigated a problem with the wrong IP address being used in DHCP relay in certain cases. First I started checking if the sockets were bound correctly – of course they were. Then I investigated the data structures to see if something was omitted – of course it wasn’t. The guy who wrote this code had done a good job, in fact – it all ticked along like clockwork. In most cases. I must have glanced at the code piece above a dozen times without noticing anything strange; it looks okay, doesn’t it? Must be somewhere else that things go wrong.

Well, I’m sure that some of you have noted something fishy about it already. One obvious thing struck me immediately: why is there no break after finding the correct choice? Silly thing, to continue looping. But I didn’t see the main problem for quite some time: what happens if ip->name and socket->socket.name have the same prefix, which incidentally happens to be just as long as ip->name? (For those unfamiliar with C code: strncmp compares two strings and returns 0 if they are equal up to the length specified by the last parameter.)

In a test case where things went wonky, there were three interfaces: Wlan, Wan and Wlan2 (in that order) and the incoming traffic came from Wlan. Yeah, isn’t it stupid? The corrected version is of course:

for( socket = sockets; socket; socket = socket->next )
{
    if( 0 == strcmp( ip->name, socket->socket.name ) )
    {
        choice = &socket->socket;
        break;
    }
}

My point in telling you this is not to flaunt a coding error, or to let you chuckle at how I didn’t see that error directly when I started investigating the issue; it has to do with automatic bug corrections. What automatic tool can help when the bugs are logic-related instead of simple bugs? I’ve seen a fair share of memory leaks and out-of-bounds memory accesses, but the number of logic errors vastly overshadows those. After all, the real bugs leave a greater impact most of the time – these logic errors are more subtle.

And additionally: this may just be a single example, but what would have happened if this code had gone through a code optimizing tool? It probably wouldn’t have noticed the strncmp error, but it might have complained that a break was missing. Then this problem would only have become visible if the interface order was Wlan2, Wan and Wlan, or something similar – not a very intuitive way to configure things, but it might have happened in a real environment. Our test personnel would – in all probability – not have found this error, though.

Quite ironic, eh?
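The three loop variants discussed above (the original, the original with only a break added, and the corrected one), run over both interface orders. This is an added example, not code from the original post: `choose`, `pick`, the `mode` enum and the struct layouts are hypothetical stand-ins for the post's data structures, and the interface lists are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal stand-ins for the post's list of sockets. */
struct sock { const char *name; };
struct node { struct sock socket; struct node *next; };

enum mode { ORIGINAL, BREAK_ONLY, FIXED };

/* Name of the socket selected for interface `ifname`, or NULL if none. */
const char *choose(struct node *sockets, const char *ifname, enum mode m)
{
    const struct sock *choice = NULL;
    for (struct node *s = sockets; s; s = s->next) {
        int hit = (m == FIXED)
            ? strcmp(ifname, s->socket.name) == 0                    /* exact  */
            : strncmp(ifname, s->socket.name, strlen(ifname)) == 0;  /* prefix */
        if (hit) {
            choice = &s->socket;
            if (m != ORIGINAL)
                break;              /* ORIGINAL keeps looping: last hit wins */
        }
    }
    return choice ? choice->name : NULL;
}

/* Constructed data: the post's three interfaces in either order. */
const char *pick(const char *ifname, int reversed, enum mode m)
{
    static const char *fwd[] = { "Wlan", "Wan", "Wlan2" };
    static const char *rev[] = { "Wlan2", "Wan", "Wlan" };
    struct node n[3];
    for (int i = 0; i < 3; i++) {
        n[i].socket.name = (reversed ? rev : fwd)[i];
        n[i].next = (i < 2) ? &n[i + 1] : NULL;
    }
    return choose(n, ifname, m);
}

int main(void)
{
    static const char *label[] = { "strncmp, no break", "strncmp + break", "strcmp + break" };
    for (int r = 0; r < 2; r++)
        for (int m = ORIGINAL; m <= FIXED; m++)
            printf("%-14s %-18s -> %s\n", r ? "Wlan2,Wan,Wlan" : "Wlan,Wan,Wlan2",
                   label[m], pick("Wlan", r, (enum mode)m));
    return 0;
}
```

With traffic arriving on Wlan, only the strcmp variant selects Wlan in both orders; each strncmp variant is right in exactly one order, which is why a test bench with a single interface order can pass either of them.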

I love automation and I’m all for using automatic tools to a great extent; but the human mind is capable of infinite stupidity, so I’m not prepared to trust them as much as Agitar. “Cut development time while slashing the cost of bugs by 90%” they claim on their webpage. “Paah!” says I.

One Response to “Automatic Bug Testing and Code Analysis”

  1. Cynical Stuff » Blog Archive » Software Development Goofs and Beer Says:

    [...] When I was reading through the goofs and pitfalls I thought about this in comparison with my own work. A while ago I wrote about a bug in DHCP relay that I corrected. Things got pretty hectic after that, because the solution didn’t work at all. In fact, it completely destroyed the DHCP relay functionality! Panic! What exactly did I do wrong?! [...]


Copyright © 2009 KarjaSoft