HERSHAM, UK, May 2 2011 / — PRQA | Programming Research today announced a new release of its industry leading QA·C product with sophisticated technology to perform deep-flow dataflow analysis. QA·C 8.0 identifies critical coding issues relating to control-flow, variable state and library usage.
“The embedded software industry, dominated by the use of C and C++ languages, welcomes our new dataflow analysis capability,” said Fergus Bolger, Chief Technical Officer at PRQA. “QA·C 8.0 overcomes a limitation of many current static analysis tools, since it focuses on detailed code semantics rather than abstracting summary data and analyzing it at the software interface layers. QA·C 8.0 provides a precise and detailed functional analysis, literally on the bits and bytes of critical software-based systems.”
The new dataflow analysis technology contains an advanced industry-proven Satisfiability Modulo Theories (SMT) solver engine, a first for deep-flow static analysis products. The combination of SMT solver technology and in-house language and parsing expertise in function control flow and detailed semantics takes analysis checks for C code to a new level.
The strength of the PRQA solution is seen in the set of analysis checks available. These cover all the well-known language vulnerabilities, as well as additional value-sensitive operations that are particularly relevant to embedded applications:
- Invalid Pointer Operations: dereference and arithmetic operations on a null pointer, computing or dereferencing an invalid pointer value, e.g. buffer under- and overrun, pointer operations on unrelated pointers.
- Dangerous Arithmetic Operations: division by zero, arithmetic operations resulting in overflow or wraparound, converting a negative value to unsigned and other representation issues in conversions, bit-shifting operations that result in truncation or invalid values.
- Flow control anomalies: redundant initializations or assignments, invariant logical operations and flow-control expressions, unreachable code, infinite loops, unset variables, return value mismatches.
QA·C 8.0, with its dataflow solution, includes analysis of standard library API calls; coupled with pointer checking, this delivers a comprehensive language-based detection of security vulnerabilities. Upon detecting a coding defect, path and value trace is provided by means of sub-messages.
Utilizing the strength of a commercially-hardened SMT solver, QA·C 8.0 delivers a number of sophisticated code-modeling capabilities:
- Interdependencies between variables are included in the code modeling, both for assignments and in determination of conditional expressions (control flow).
- Modeling includes a bi-directional approach, where, for example, later conditional tests can identify earlier suspicious variable usage.
- Loop iterations are modeled accurately, including increments by other than ‘1’, multiple loop control variables, and nested loops.
- Bit-fields are modeled exactly as the compiler will handle them, matching the true size of all types, and yielding intelligence on unions and bit-field operations.
Software engineers and their organizations need to address quality of code, in terms of prevention-oriented coding standards compliance as well as accurate and precise bug-detection. QA·C 8.0, with its advanced deep-flow dataflow DF^2 module, and now enhanced with 118 new diagnostic messages addresses this important need. The product is available immediately through PRQA and its worldwide partner network.
About PRQA | THE PROGRAMMING RESEARCH GROUP
Established in 1986, PRQA is recognized throughout the industry as “the coding standard expert”. PRQA pioneered coding standard inspection and now delivers its expertise through industry-leading software inspection and standards enforcement technology, worldwide. PRQA has corporate offices in UK, USA, India, Ireland and The Netherlands, complemented by a worldwide distribution network.
PRQA’s industry-leading tools, QA·C and QA·C++, offer the closest possible examination of C and C++ code. Both contain powerful, proprietary parsing engines which deliver high fidelity language analysis and comprehension. They identify problems caused by language usage that is dangerous, overly complex, non-portable, or difficult to maintain. Plus, they include the basic building blocks for coding standard enforcement.
