Author Topic: Commercial product source code  (Read 33700 times)


Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2051
  • Country: nl
Re: Commercial product source code
« Reply #75 on: April 28, 2014, 09:28:17 pm »
C programming culture is its own worst enemy.
Humanity is its own worst enemy, so C programming culture fits right in. ;D

Quote
static code analysis tools have been around a long time, and would have easily found the openssl bug.
On the subject of heartbleed & static code analysis, that's actually kinda interesting. As in, check out the offending version of openssl and run a bunch of default configured static analysis tools on it. Would be a bit sad if indeed that specific bug is pinpointed that way.

And regarding static code analysis, what do you guys use for that for embedded C/C++? Or non-embedded for that matter.
I have "add cppcheck" on the todo list, since it looks to have both standalone and eclipse integration.
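A minimal model of the Heartbleed shape in C, added here as an example (this is not OpenSSL's code and not code from the thread): a handler that echoes a payload trusting the peer's declared 16-bit length, beside one that checks the declared length against the record length the transport actually delivered, which is the shape of the real fix. The 64-byte backing array, the "hello" payload and the "secret" placed right after the record are all constructed for the demo; the 16-byte minimum padding comes from RFC 6520. It is also a useful input for the static-analysis experiment above: the copy is a plain memcpy with a length that is only dangerous because it comes from the network, so a default-configured tool that does not track taint has nothing local to object to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_TYPE_REQUEST 1u
#define HB_MIN_PADDING  16u   /* RFC 6520: a heartbeat message carries at least 16 bytes of padding */

/* Constructed backing store: the received record sits at offset 0 and
 * unrelated data (a stand-in for key material, not a real key) sits right
 * after it. An over-read of the record copies that data out to the peer. */
static uint8_t g_heap[64];

/* Lay out a heartbeat request in g_heap: 1 byte type, 2 byte big-endian
 * declared payload length, 5 actual payload bytes, 16 bytes padding, then
 * the "secret". Returns the record length as the transport saw it (24). */
size_t layout_heap(uint16_t declared_len)
{
    const char payload[] = "hello";               /* 5 real payload bytes */
    const char secret[]  = "SECRET-KEY-MATERIAL"; /* constructed stand-in */
    size_t off = 0;

    memset(g_heap, 0, sizeof g_heap);
    g_heap[off++] = HB_TYPE_REQUEST;
    g_heap[off++] = (uint8_t)(declared_len >> 8);
    g_heap[off++] = (uint8_t)(declared_len & 0xFFu);
    memcpy(g_heap + off, payload, 5);
    off += 5;
    memset(g_heap + off, 0xAA, HB_MIN_PADDING);
    off += HB_MIN_PADDING;
    memcpy(g_heap + off, secret, sizeof secret - 1);
    return off;                                   /* 3 + 5 + 16 = 24 */
}

/* Vulnerable shape: the copy length is taken from the message itself.
 * out_cap only protects the destination; nothing bounds the read.
 * Returns the number of bytes echoed back. */
size_t heartbeat_vulnerable(const uint8_t *rec, uint8_t *out, size_t out_cap)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap)
        payload_len = (uint16_t)out_cap;
    memcpy(out, rec + 3, payload_len);            /* reads past the real record */
    return payload_len;
}

/* Fixed shape: rec_len is what the transport delivered and is not under the
 * peer's control, so the declared length is checked against it before any
 * copy. Returns bytes echoed, or -1 for a malformed message to be dropped. */
long heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3)
        return -1;                                /* no room for the header */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;                                /* declared length exceeds what arrived */
    if (payload_len > out_cap)
        return -1;                                /* caller's buffer too small */
    memcpy(out, rec + 3, payload_len);
    return (long)payload_len;
}

int main(void)
{
    uint8_t out[64];
    size_t rec_len = layout_heap(40);             /* peer claims 40 bytes, sends 5 */

    size_t n = heartbeat_vulnerable(g_heap, out, sizeof out);
    printf("vulnerable echoed %zu bytes, payload '%.5s', then: %.19s\n",
           n, (const char *)out, (const char *)out + 21);

    long m = heartbeat_fixed(g_heap, rec_len, out, sizeof out);
    printf("fixed returned %ld for the same record\n", m);
    return 0;
}
```

The only difference between the two handlers is the comparison against rec_len; the vulnerable one has no way to express "how much did I actually receive" because that number never reaches it. That is the check a reviewer or a taint-aware analyzer has to be looking for.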
 

Offline HackedFridgeMagnet

  • Super Contributor
  • ***
  • Posts: 2028
  • Country: au
Re: Commercial product source code
« Reply #76 on: April 29, 2014, 12:52:13 am »
Code: [Select]
#ifndef HSE_VALUE
#define HSE_VALUE    ((uint32_t)8000000) /*!< Value of the External oscillator in Hz*/
#else
#error 1234 // just an example or no error raise at all.
#endif

If one must use a #define for some reason, then your version is already a lot safer than that happy-go-lucky summer intern style #define with a tip no-one will read. It's also a lot more verbose, but that's the price you pay... And I would rather have a big fat error and my code refusing to compile, than the mcu silently being configured at the wrong frequency. Or using the wrong frequency value to calculate for example some ADC/DAC settings. (Been there, done that, didn't like it).

What I don't get (except for the economic expedience of using summer interns to produce all that crazy code customers seem to expect) is why they don't use some const expressions for that.

Code: [Select]
static const uint32_t HSE_VALUE = 8000000;

Unless I'm missing something, that should take care of business. No need to explicitly do an #ifdef to check if you are accidentally overwriting a previous definition. Because unlike the preprocessor case, the compiler will whine loudly if you try to redeclare that const variable.

For ueber old code from an era where compiler optimization was maybe not super-duper, okay. But for libraries written in this century I'd think that maybe using const expressions would be better. Better in the sense that it is safer, and it optimizes exactly as well as the #define case.

I guess for setting constants in library code you have a few possibly conflicting requirements.
    One is a default setting, so that people can start using the library with a minimum of fuss.
    Another is the ability to change the value of that constant at compile time if it suits their purposes.
    Also it should be done in such a way that if the library has a new version then you can easily integrate the new version of the library into your projects without accidentally overwriting changes you have made.

I don't think the static const would help with this last requirement, though it would obviously prevent redefines.

I think the best way is write the library and keep its #define dependencies (or constants) all in one file, which is kept somehow separately from the main library.
Then the user can keep the bulk of the library untouched and just fiddle with the constants file, a copy of which is added to each project.

IMO this would be better than sprinkling your project code with overwrites of these #defines.
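The layout described above, as an added example in C that is not code from the thread or from any vendor library: a library header that supplies a default only when nothing earlier defined HSE_VALUE, a project-side section standing in for a per-project config file (a separate hse_conf.h copied into each project, or -DHSE_VALUE=... on the compiler command line), a preprocessor range check so a typo breaks the build instead of silently misclocking the part, and two register computations that make the dependency on the value visible. The 4 to 26 MHz range, the "core runs straight off HSE" assumption behind the SysTick figure and the baud divisor shape are illustrative assumptions, not taken from any datasheet.

```c
#include <stdint.h>
#include <stdio.h>

/* ---- project side: what a per-project hse_conf.h, or -DHSE_VALUE=25000000UL
 * on the command line, contributes. Delete this block and the library default
 * below takes over. No cast in the macro: "(uint32_t)25000000UL" would make
 * it unusable in #if, because the preprocessor evaluates unknown identifiers
 * as 0 and the cast becomes a syntax error. */
#ifndef HSE_VALUE
#define HSE_VALUE 25000000UL   /* this board carries a 25 MHz crystal (constructed example) */
#endif

/* ---- library side: ships with the library and is never edited per project.
 * The guard turns the value into a default rather than an override. */
#ifndef HSE_VALUE
#define HSE_VALUE 8000000UL    /* vendor default, used only if the project set nothing */
#endif

/* Why this stays a macro and not a static const: the preprocessor can reason
 * about it, so an impossible value fails the build. The range is an
 * illustrative assumption; take the real limits from the part's datasheet. */
#if HSE_VALUE < 4000000UL || HSE_VALUE > 26000000UL
#error "HSE_VALUE is outside the external oscillator range assumed for this part"
#endif
#if (HSE_VALUE % 1000UL) != 0
#error "HSE_VALUE must be a whole number of kHz for the divider math below"
#endif

/* Derived values. Because the clock is a compile-time constant these fold
 * to immediates, exactly as a #define-only approach would. */
uint32_t hse_value_hz(void)
{
    return (uint32_t)HSE_VALUE;
}

/* SysTick reload for a 1 ms tick, assuming the core clock is HSE with no PLL
 * (an assumption for this example, not a statement about any real part). */
uint32_t systick_reload_1ms(void)
{
    return (uint32_t)(HSE_VALUE / 1000UL - 1UL);
}

/* Clock-to-baud ratio a USART baud register is derived from, rounded to
 * nearest. The exact register encoding varies by part; the point is that a
 * wrong HSE_VALUE silently lands here. */
uint32_t uart_brr(uint32_t baud)
{
    return (uint32_t)((HSE_VALUE + baud / 2UL) / baud);
}

int main(void)
{
    printf("HSE_VALUE          = %lu Hz\n", (unsigned long)hse_value_hz());
    printf("SysTick reload 1ms = %lu\n",    (unsigned long)systick_reload_1ms());
    printf("BRR for 115200     = %lu\n",    (unsigned long)uart_brr(115200UL));
    return 0;
}
```

Updating the library then means replacing the library-side file only; the project-side file carries the board's value, and if a new library version ever changes the macro's name or units the #error lines are where the mismatch shows up at compile time.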


 

Offline Rigby

  • Super Contributor
  • ***
  • Posts: 1476
  • Country: us
  • Learning, very new at this. Righteous Asshole, too
Re: Commercial product source code
« Reply #77 on: April 29, 2014, 01:24:46 pm »
lots of talk here about lots of stuff, and commercial source code is hard to obtain for one of the exact same reasons (at least) that open source is promoted by lots of folks: all bugs are shallow and obvious if enough people look at it.

Goto Fail and Heartbleed suggest otherwise.

those suggest that eyeballs aren't actually looking, not that looking doesn't help find bugs.
 

Online gmb42

  • Frequent Contributor
  • **
  • Posts: 294
  • Country: gb
Re: Commercial product source code
« Reply #78 on: April 29, 2014, 03:06:27 pm »
Coverity, who sell an expensive static code analyzer, do scan open source projects for free.  They have been scanning OpenSSL since 2006.  Unfortunately their analyzer didn't pick up on HeartBleed, see their blog entry here for more info.
 

Offline zapta

  • Super Contributor
  • ***
  • Posts: 6189
  • Country: us
Re: Commercial product source code
« Reply #79 on: April 29, 2014, 04:04:57 pm »
Ok, I'll bite. What is retarded about the code?

He he, you fell for it.  That's Danny's MO. He often baits with a cryptic message and waits for a sucker to ask.

;-)
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Commercial product source code
« Reply #80 on: April 29, 2014, 04:53:12 pm »
Actually not this time, the comment mentions that you can pre-define it on the compiler, but that header will override it anyways.

But from what I can see, that has been fixed in the current source.
 

Offline HackedFridgeMagnet

  • Super Contributor
  • ***
  • Posts: 2028
  • Country: au
Re: Commercial product source code
« Reply #81 on: April 30, 2014, 06:51:15 am »
Ok, I'll bite. What is retarded about the code?

He he, you fell for it.  That's Danny's MO. He often baits with a cryptic message and waits for a sucker to ask.

;-)

Well I knew it was coming, but I was expecting it to be a bigger issue than what it was.

As for Danny's MO, well it is kind of amusing so happy to play along.
 

Offline Richard Crowley

  • Super Contributor
  • ***
  • Posts: 4317
  • Country: us
  • KJ7YLK
Re: Commercial product source code
« Reply #82 on: April 30, 2014, 03:47:44 pm »
If "everybody" is responsible, then nobody is responsible.

Perhaps for something so critical, the open-source community should conduct formal code-review sessions where several pairs of eyes review and discuss the code, line by line.
 

Offline Rigby

  • Super Contributor
  • ***
  • Posts: 1476
  • Country: us
  • Learning, very new at this. Righteous Asshole, too
Re: Commercial product source code
« Reply #83 on: April 30, 2014, 05:24:23 pm »
You said that open source proponents cite many people looking at popular software as an advantage. They were incorrect. I suppose you will claim you were merely repeating what you had heard, not endorsing it, but no-one is going to fall for that.

If people look, they will see the bugs.  They just didn't look.  It's yet another failing of open source software.  If something is trusted it doesn't see much attention.

more eyeballs will find bugs faster.  they just didn't think to look in this case.  such is the case in most open source software i suspect.
 

Online IanB

  • Super Contributor
  • ***
  • Posts: 11790
  • Country: us
Re: Commercial product source code
« Reply #84 on: April 30, 2014, 05:33:29 pm »
such is the case in most open source software i suspect

I don't think this is limited to just open source software. If a software house or development team gets a code library to use, whether free or commercial, they don't tend to look closely at the code inside it. They look at the documentation, ask some questions, do a few tests, and then go ahead and use it.

Third party code doesn't tend to get examined in detail until problems surface. As you say, people tend to trust it. Commercial code is no different in this regard from open source code.
 

Offline HackedFridgeMagnet

  • Super Contributor
  • ***
  • Posts: 2028
  • Country: au
Re: Commercial product source code
« Reply #85 on: May 01, 2014, 04:03:21 am »
Sounds like the heartbeat bug got fixed.

Not sure how much trouble it caused, but at least the people who found it weren't sued by a large corporation.

I think plenty of other closed source bugs have caused more trouble than this.
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: Commercial product source code
« Reply #86 on: May 02, 2014, 07:46:10 pm »
Perhaps for something so critical, the open-source community should conduct formal code-review sessions where several pairs of eyes review and discuss the code, line by line.

In light of Heartbleed:

http://www.linuxfoundation.org/programs/core-infrastructure-initiative
73 de VE7XEN
He/Him
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Commercial product source code
« Reply #87 on: May 02, 2014, 11:42:38 pm »
Perhaps for something so critical, the open-source community should conduct formal code-review sessions where several pairs of eyes review and discuss the code, line by line.

In light of Heartbleed:

http://www.linuxfoundation.org/programs/core-infrastructure-initiative

So let's see, in order to fix open source, companies that depend on it will put professionals to make sure things don't go unchecked.

And there you have it, open source commercial code  :clap:

Of course Linus Torvalds will have veto power, right?
 

Offline dannyf

  • Super Contributor
  • ***
  • Posts: 8221
  • Country: 00
Re: Commercial product source code
« Reply #88 on: May 03, 2014, 12:28:38 am »
Quote
open source commercial code  :clap:

I never understood people's fascination with "open source" anything: shit, however free and open, is still shit.
================================
https://dannyelectronics.wordpress.com/
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Commercial product source code
« Reply #89 on: May 03, 2014, 01:05:46 am »
Quote
open source commercial code  :clap:

I never understood people's fascination with "open source" anything: shit, however free and open, is still shit.

I'm all for commercial code and it was a tongue-in-cheek comment. But since you just quoted the middle sentence by itself, I'll clarify by saying that in order to fix the open source, companies are resorting to actually having professionals (as in being paid to do the task) to ensure the quality they need.

No fascination at all on open sore like I tend to call it.
 


Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Commercial product source code
« Reply #91 on: May 03, 2014, 03:31:49 am »
Weird, I did receive an XP security update for Internet Explorer (after end of life) just yesterday:

http://support.microsoft.com/kb/2964358
 

Online madires

  • Super Contributor
  • ***
  • Posts: 7694
  • Country: de
  • A qualified hobbyist ;)
Re: Commercial product source code
« Reply #92 on: May 03, 2014, 10:55:35 am »
Weird, I did receive an XP security update for Internet Explorer (after end of life) just yesterday:

Bonus update :-) But what's really weird is that you have your XP PC still connected to the internet  >:D
 

Online Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11534
  • Country: my
  • reassessing directives...
Re: Commercial product source code
« Reply #93 on: May 03, 2014, 01:51:10 pm »
what's really weird is that you have your XP PC still connected to the internet  >:D
It's not weird to maintain a stable and practical OS. It's not weird if it's not a data-sensitive or server PC. It's not weird when there is 3rd party security software supporting it. What's weird is humanity embracing Darwinism novelties.
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 

Offline tjaeger

  • Regular Contributor
  • *
  • Posts: 101
Re: Commercial product source code
« Reply #94 on: May 03, 2014, 04:48:49 pm »
What's weird is humanity embracing Darwinism novelties.

Wow, I really didn't think it was possible, but we've sunk to another low...
 

Offline jaxbird

  • Frequent Contributor
  • **
  • Posts: 778
  • Country: 00
Re: Commercial product source code
« Reply #95 on: May 03, 2014, 05:43:29 pm »
Haven't read every single post, but I see plenty of assumptions and speculations on how commercial software is produced.

I can say from experience with some of the largest software "manufacturers" in the world, that it's a tightly controlled process, no feature is written unless it's been ordered, tracked and tested.

Everything is contained in a source control system with full history of who did what and when, who allowed it and why. Sure you have Git in open source, but try telling the contributors they need code reviews and approvals before they are allowed to check anything in :) And Git is like a toy compared to the features in a modern system.

In production every line of code is reviewed by at least two people, usually an initial review by someone on the same level, then a review by a superior/senior/principal before being allowed to attempt a check-in. Expect to be rejected at least 2-3 times before check-in. Can be minor or a total rejection caused by a wrong approach.

No check in is allowed to break existing code, so if you need to break compatibility, you need to fix everything that is broken by your change as part of the check in.

Coding style needs to be tightly controlled for easy maintainability, so automated tools will take care of that, no check in until you fixed it all.

Security, automated tools will be run against your code to make sure you have no known open vulnerabilities in your code. No check in unless you pass.

Once you finally get your few lines of code changes checked in, the test team will start their work; they will run a series of specifically designed tests against whatever feature you have been working on. Plus all the tests that cannot easily be automated, everything from memory leaks to slow performance. Plus a number of regression tests.

And that is just for the stuff produced by all the code monkeys; the really important stuff needs to go through multiple design reviews and much stricter control.

Also it's required that all employees pass a test on the latest security vulnerabilities on a yearly basis. No pass. no job. Sorry.

And yeah, 3rd party libraries, not allowed unless full source available, and full source passes the same security standards required for internally produced code. Any exception requires director level management approval.

Analog Discovery Projects: http://www.thestuffmade.com
Youtube random project videos: https://www.youtube.com/user/TheStuffMade
 

Online Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11534
  • Country: my
  • reassessing directives...
Re: Commercial product source code
« Reply #96 on: May 03, 2014, 06:06:16 pm »
largest software manufacturer? http://en.wikipedia.org/wiki/List_of_the_largest_software_companies yeah right! scroll a few posts back, we were just discussing an IE8 bug that didn't get "checked in" for 20 years or so. and oh, you expect 3rd party source code? my advice... make your own libraries, the largest company that is.
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 

Offline jaxbird

  • Frequent Contributor
  • **
  • Posts: 778
  • Country: 00
Re: Commercial product source code
« Reply #97 on: May 03, 2014, 06:18:31 pm »
largest software manufacturer? http://en.wikipedia.org/wiki/List_of_the_largest_software_companies yeah right! scroll a few posts back, we were just discussing an IE8 bug that didn't get "checked in" for 20 years or so. and oh, you expect 3rd party source code? my advice... make your own libraries, the largest company that is.

Yes, I have both worked and done consulting for companies on that list.

Not trying to pull anyone's leg, just adding some factual information to this thread instead of guesses and assumptions.

Analog Discovery Projects: http://www.thestuffmade.com
Youtube random project videos: https://www.youtube.com/user/TheStuffMade
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Commercial product source code
« Reply #98 on: May 03, 2014, 08:08:27 pm »
largest software manufacturer? http://en.wikipedia.org/wiki/List_of_the_largest_software_companies yeah right! scroll a few posts back, we were just discussing an IE8 bug that didn't get "checked in" for 20 years or so. and oh, you expect 3rd party source code? my advice... make your own libraries, the largest company that is.

Yes, I have both worked and done consulting for companies on that list.

Not trying to pull anyone's leg, just adding some factual information to this thread instead of guesses and assumptions.

jaxbird is spot on about how we do things at work, other than that we just do single peer reviews at the beginning of the project.

As we get closer to release, any change no matter how small requires very good reasons to change (director approved) and dual peer reviews. Even changes that might make total sense can be flagged as risky if it touches too many systems and it gets shelved for future projects. The closer we get to release day, the tighter it gets to change anything.

We all specialize in specific parts of the code. The company doesn't care how much you have to research something to make sure it is spot on and discussed with peers, so it's more about quality than quantity of code they look after.

We also require source for third party libraries and we compile the libraries ourselves. Of course they are glad to give us the source since we pay for the privilege.

And I don't, and didn't ever, work for any of those companies on that list. Even if we fall between Oracle and SAP, it's not for software only, so we are not there.

 

Offline jaxbird

  • Frequent Contributor
  • **
  • Posts: 778
  • Country: 00
Re: Commercial product source code
« Reply #99 on: May 03, 2014, 08:34:29 pm »
Jaxbird is spot on how we do things at work...

Thanks, yeah, most people don't realize how much work goes into writing a single line of production worthy code.

Easy to think if you know a bit of programming you can easily do 1000s of lines of code a day, but that will change once you need to get every single line of code reviewed.

And knowing everything you write will be included in your yearly review, where the bottom x% gets the pink slip:D

So yeah, production code quality is by definition much higher quality than open source.

« Last Edit: May 03, 2014, 09:16:23 pm by jaxbird »
Analog Discovery Projects: http://www.thestuffmade.com
Youtube random project videos: https://www.youtube.com/user/TheStuffMade
 

