Coverity, profile picture
Uploaded byCoverity
PPTX, PDF5,713 views

Finding Defects in C#: Coverity vs. FxCop

The document discusses considerations for selecting the right static analysis tools for finding defects in C#, particularly comparing Coverity and FxCop. It highlights the importance of various factors such as critical defect detection, false positive rates, and integration into workflows. Additionally, the document presents a case study on the paint.net project, demonstrating the complementary strengths of Coverity and FxCop in identifying different types of defects and improving overall code quality.

Embed presentation

Downloaded 77 times
Finding Defects in C#
Selecting the Right Solution Key Considerations • • • • • • Does it find critical defects? What is the false positive rate? Is it actionable? Is it accurate? Is it integrated to my workflow? How do I manage persistency
Varying Levels of Static Analysis Exist • Compiler warnings: verifies a program is type safe • Byte code analysis: identifies defects in the intermediate language and tries to map it back to the source code • Source code analysis: understanding the meaning and intention of the program – produces the most accurate results
Source vs. Byte Code Analysis (Example) Indentations Don’t Match Boundaries: if (x == 0) do_something(x); x = 1; • Source code analysis solution can infer the developer’s intent: “x=1” to happen in the same block as “do_something” call • Developer is warned because “x==0” block does not actually include both statements
Coverity and FxCop Case Study Complementary Solutions
Coverity Makes FxCop Enterprise-Grade Stand-alone FxCop is good; FxCop + Coverity is better Analysis • Find more critical defects • Improve accuracy of FxCop analysis Efficiency • Manage all quality and security issues in one workflow • Improved defect management Governance • Improve visibility into quality and security trends over time and across the supply chain
Case Study • Analysis of paint.net project (formerly open source) • Version 3.22 • 100K lines of code • Analysis done using • Coverity 7.0 • Microsoft Visual Studio 2013/FxCop 12.0 • Coverity and FxCop look for different things • Coverity Static Analysis looks for code defects using: • Bug Pattern Matching, Sophisticated Inter-procedural Dataflow Analysis, Abstract Interpretation, False Path Pruning, Boolean Satisfiability, Design Pattern Intelligence, Change Impact Analysis • FxCop checks conformance to Microsoft’s .NET Framework Design Guidelines
Different Solutions for Different Things • Difference in depth vs. breadth • No issues found by both Coverity and FxCop • Numbers in orange indicate number of findings Coverity Critical Defects FxCop Coding style & standard issues
Critical Defects vs. Coding Style Defects Type Coverity 7.0 FxCop Shared defects Resource leaks 75 0 0 Concurrency problems 20 4 0 Logic errors 4 2 0 Hierarchy problems 5 2 0 Unhandled exceptions (incl. 21 0 0 Critical Defect Subtotal 125 8 0 Coding Standards, Best Practices, Other 3 970 0 Total Bugs 128 978 0 NULL deref)
The “Big 3” Classes of Defects in C# 1. Null references 2. Resource issues 3. Threading issues
Issues You Can Find via Source Code Analysis Resource Leaks • Database connection leaks • Resource leaks • Socket & Stream leaks API usage errors • Use of freed resources Concurrent data access violations • Values not atomically updated • Data race conditions Performance inefficiencies • Unnecessary synchronization Program hangs • Thread deadlock • Infinite loop Logic Errors • Dead code Error handling issues • Unchecked return value Code maintainability issues • Static set in non-static method Class hierarchy inconsistencies • Failure to call base.close() or base.dispose() • Missing call to base class Control flow issues • Suspicious extraneous semicolon • Inconsistent comparison usage • Comparison of incompatible types Null pointer dereferences • Dereference after null check • Dereference before null check • Dereference null return value Suspicious code • Copy/paste errors • Significant indentation anomalies • Swapped arguments Arithmetic errors • Incorrect shift operation • Incorrect expressions • Overflow while evaluating expression
Conclusion • Different analysis tools often find different but complementary issues • Use the right solution to find the issues that are important to you
Want to try Coverity on your code? For a free trial visit: www.coverity.com

More Related Content

PPTX
Static Analysis Primer
byCoverity
 
PPTX
Adopting Agile
byCoverity
 
PPTX
DevBeat 2013 - Developer-first Security
byCoverity
 
PPTX
The Psychology of C# Analysis
byCoverity
 
PPTX
OSS Java Analysis - What You Might Be Missing
byCoverity
 
PPTX
Resource Leaks in Java
byCoverity
 
PDF
Static Analysis of Your OSS Project with Coverity
bySamsung Open Source Group
 
PPTX
Utility of Test Coverage Metrics in TDD
byXP Conference India
 
Static Analysis Primer
byCoverity
 
Adopting Agile
byCoverity
 
DevBeat 2013 - Developer-first Security
byCoverity
 
The Psychology of C# Analysis
byCoverity
 
OSS Java Analysis - What You Might Be Missing
byCoverity
 
Resource Leaks in Java
byCoverity
 
Static Analysis of Your OSS Project with Coverity
bySamsung Open Source Group
 
Utility of Test Coverage Metrics in TDD
byXP Conference India
 

What's hot

PPTX
Concurrency Errors in Java
byCoverity
 
PPTX
Code review
byAbhishek Sur
 
PDF
Code Review for iOS
byKLabCyscorpions-TechBlog
 
PPTX
Code Review
byMikalai Alimenkou
 
PPTX
Code Review Best Practices
byTrisha Gee
 
DOCX
Code review guidelines
byLalit Kale
 
PDF
Code Review
byDivante
 
PDF
Improving the accuracy and reliability of data analysis code
byJohan Carlin
 
PPT
Crowd debugging (FSE 2015)
bySung Kim
 
PDF
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
bySung Kim
 
PPTX
Code Review
byR M Shahidul Islam Shahed
 
PDF
How to get the most out of code reviews
byJavaDayUA
 
PPTX
Working Effectively With Legacy Code
byExcella
 
PPT
Automated Unit Testing and TDD
byGreg Sohl
 
PDF
Code Review: How and When
byPaul Gower
 
PDF
TDD Workshop UTN 2012
byFacundo Farias
 
PDF
Code Review Matters and Manners
byTrisha Gee
 
PPT
Code Review
byrantav
 
PPTX
Clean code - Getting your R&D on board
byRuth Sperer
 
PDF
Code Review: How and When
byPaul Gower
 
Concurrency Errors in Java
byCoverity
 
Code review
byAbhishek Sur
 
Code Review for iOS
byKLabCyscorpions-TechBlog
 
Code Review
byMikalai Alimenkou
 
Code Review Best Practices
byTrisha Gee
 
Code review guidelines
byLalit Kale
 
Code Review
byDivante
 
Improving the accuracy and reliability of data analysis code
byJohan Carlin
 
Crowd debugging (FSE 2015)
bySung Kim
 
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
bySung Kim
 
Code Review
byR M Shahidul Islam Shahed
 
How to get the most out of code reviews
byJavaDayUA
 
Working Effectively With Legacy Code
byExcella
 
Automated Unit Testing and TDD
byGreg Sohl
 
Code Review: How and When
byPaul Gower
 
TDD Workshop UTN 2012
byFacundo Farias
 
Code Review Matters and Manners
byTrisha Gee
 
Code Review
byrantav
 
Clean code - Getting your R&D on board
byRuth Sperer
 
Code Review: How and When
byPaul Gower
 

Viewers also liked

PDF
Code Coverage
byErnani Omar Cruz
 
PPTX
Survey and Analysis of ICS Vulnerabilities (Japanese)
byDigital Bond
 
PDF
LISTADO OPOSICION + MERITOS
byguest0dbad523
 
PPTX
03 cv mil_probability_distributions
byzukun
 
PDF
Cloud Computing - Gina Franco
byImage Tech - Web & Multimedia Solutions
 
ODP
Animales en peligro de extincion
bylosdonkey
 
PPT
PNUTS
byRuchika Mehresh
 
PPTX
Paradigmas tecnoeconomicos
byMARIELIPALENCIA
 
PPTX
Ahead Week 1 Key Slides
byaltonbaird
 
PDF
ExcelCertificate18122014
byPeter Garces
 
PPTX
☆BROCHAS PARA MAQUILLAJE☆ ¡¡Las imprescindibles!!
byAitor BV
 
PPTX
Republic of Angola: Governmental Strategy for its Mining Sector
byMining On Top
 
PDF
VIH-AIDS 2008.
byRafa Cofiño
 
PDF
Windows Phone Apps por Salvador Encalada
byImage Tech - Web & Multimedia Solutions
 
PDF
Seminario..
byOmarguid Cordero
 
PPTX
Ss for b,ed
byanoop kp
 
Code Coverage
byErnani Omar Cruz
 
Survey and Analysis of ICS Vulnerabilities (Japanese)
byDigital Bond
 
LISTADO OPOSICION + MERITOS
byguest0dbad523
 
03 cv mil_probability_distributions
byzukun
 
Cloud Computing - Gina Franco
byImage Tech - Web & Multimedia Solutions
 
Animales en peligro de extincion
bylosdonkey
 
PNUTS
byRuchika Mehresh
 
Paradigmas tecnoeconomicos
byMARIELIPALENCIA
 
Ahead Week 1 Key Slides
byaltonbaird
 
ExcelCertificate18122014
byPeter Garces
 
☆BROCHAS PARA MAQUILLAJE☆ ¡¡Las imprescindibles!!
byAitor BV
 
Republic of Angola: Governmental Strategy for its Mining Sector
byMining On Top
 
VIH-AIDS 2008.
byRafa Cofiño
 
Windows Phone Apps por Salvador Encalada
byImage Tech - Web & Multimedia Solutions
 
Seminario..
byOmarguid Cordero
 
Ss for b,ed
byanoop kp
 

Similar to Finding Defects in C#: Coverity vs. FxCop

PPTX
Static-Analysis-in-Industry.pptx
byShivashankarHR1
 
PPTX
Static Analysis Tools for C# Demo
byAdriano Ueda
 
PDF
[India Merge World Tour] Coverity
byPerforce
 
PPTX
Static code analysis
byRune Sundling
 
PPT
Introducing fx cop
byNick Harrison
 
PPTX
Combining Static Analysis with Code Coverage for Better Test Quality
bySophie Lane
 
PPTX
How To Improve Quality With Static Code Analysis
byPerforce
 
PPT
Codingstandards matiar
byMatiar Rahman
 
PDF
Reading Summary - Static Analysis to find Bugs & ROI Models for Static Analys...
byArtemisa Yescas Engler
 
PPTX
Static code analysis
bymashaathukorala
 
PPTX
Static code analysis
byRushana Bandara
 
PPT
Parasoft .TEST, Write better C# Code Using Data Flow Analysis
byEngineering Software Lab
 
PPT
Verifcation &validation
byssusere50573
 
PPTX
White box testing
byNeethu Tressa
 
PDF
[Europe merge world tour] Coverity Development Testing
byPerforce
 
PPT
Automating C# Coding Standards using StyleCop and FxCop
byBlackRabbitCoder
 
PDF
Debugging in Software Engineering SE Unit-4 Part-6.pdf
byiron57441
 
PPT
Code Coverage in Theory and in practice form the DO178B perspective
byEngineering Software Lab
 
PPT
Code coverage in theory and in practice form the do178 b perspective
byEngineering Software Lab
 
PPTX
How To Avoid Continuously Delivering Faulty Software
byErika Barron
 
Static-Analysis-in-Industry.pptx
byShivashankarHR1
 
Static Analysis Tools for C# Demo
byAdriano Ueda
 
[India Merge World Tour] Coverity
byPerforce
 
Static code analysis
byRune Sundling
 
Introducing fx cop
byNick Harrison
 
Combining Static Analysis with Code Coverage for Better Test Quality
bySophie Lane
 
How To Improve Quality With Static Code Analysis
byPerforce
 
Codingstandards matiar
byMatiar Rahman
 
Reading Summary - Static Analysis to find Bugs & ROI Models for Static Analys...
byArtemisa Yescas Engler
 
Static code analysis
bymashaathukorala
 
Static code analysis
byRushana Bandara
 
Parasoft .TEST, Write better C# Code Using Data Flow Analysis
byEngineering Software Lab
 
Verifcation &validation
byssusere50573
 
White box testing
byNeethu Tressa
 
[Europe merge world tour] Coverity Development Testing
byPerforce
 
Automating C# Coding Standards using StyleCop and FxCop
byBlackRabbitCoder
 
Debugging in Software Engineering SE Unit-4 Part-6.pdf
byiron57441
 
Code Coverage in Theory and in practice form the DO178B perspective
byEngineering Software Lab
 
Code coverage in theory and in practice form the do178 b perspective
byEngineering Software Lab
 
How To Avoid Continuously Delivering Faulty Software
byErika Barron
 

Recently uploaded

PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
Website Redesign Vs Website Refresh, What’s Right for You in 2026?
byAnuj Kumar Singh
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PPTX
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
Website Redesign Vs Website Refresh, What’s Right for You in 2026?
byAnuj Kumar Singh
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
How to build hackthon projects from ZERO!
byishantyadav1111
 

Finding Defects in C#: Coverity vs. FxCop

  • 1.
  • 2.
    Selecting the RightSolution Key Considerations • • • • • • Does it find critical defects? What is the false positive rate? Is it actionable? Is it accurate? Is it integrated to my workflow? How do I manage persistency
  • 3.
    Varying Levels ofStatic Analysis Exist • Compiler warnings: verifies a program is type safe • Byte code analysis: identifies defects in the intermediate language and tries to map it back to the source code • Source code analysis: understanding the meaning and intention of the program – produces the most accurate results
  • 4.
    Source vs. ByteCode Analysis (Example) Indentations Don’t Match Boundaries: if (x == 0) do_something(x); x = 1; • Source code analysis solution can infer the developer’s intent: “x=1” to happen in the same block as “do_something” call • Developer is warned because “x==0” block does not actually include both statements
  • 5.
    Coverity and FxCopCase Study Complementary Solutions
  • 6.
    Coverity Makes FxCopEnterprise-Grade Stand-alone FxCop is good; FxCop + Coverity is better Analysis • Find more critical defects • Improve accuracy of FxCop analysis Efficiency • Manage all quality and security issues in one workflow • Improved defect management Governance • Improve visibility into quality and security trends over time and across the supply chain
  • 7.
    Case Study • Analysisof paint.net project (formerly open source) • Version 3.22 • 100K lines of code • Analysis done using • Coverity 7.0 • Microsoft Visual Studio 2013/FxCop 12.0 • Coverity and FxCop look for different things • Coverity Static Analysis looks for code defects using: • Bug Pattern Matching, Sophisticated Inter-procedural Dataflow Analysis, Abstract Interpretation, False Path Pruning, Boolean Satisfiability, Design Pattern Intelligence, Change Impact Analysis • FxCop checks conformance to Microsoft’s .NET Framework Design Guidelines
  • 8.
    Different Solutions forDifferent Things • Difference in depth vs. breadth • No issues found by both Coverity and FxCop • Numbers in orange indicate number of findings Coverity Critical Defects FxCop Coding style & standard issues
  • 9.
    Critical Defects vs.Coding Style Defects Type Coverity 7.0 FxCop Shared defects Resource leaks 75 0 0 Concurrency problems 20 4 0 Logic errors 4 2 0 Hierarchy problems 5 2 0 Unhandled exceptions (incl. 21 0 0 Critical Defect Subtotal 125 8 0 Coding Standards, Best Practices, Other 3 970 0 Total Bugs 128 978 0 NULL deref)
  • 10.
    The “Big 3”Classes of Defects in C# 1. Null references 2. Resource issues 3. Threading issues
  • 11.
    Issues You CanFind via Source Code Analysis Resource Leaks • Database connection leaks • Resource leaks • Socket & Stream leaks API usage errors • Use of freed resources Concurrent data access violations • Values not atomically updated • Data race conditions Performance inefficiencies • Unnecessary synchronization Program hangs • Thread deadlock • Infinite loop Logic Errors • Dead code Error handling issues • Unchecked return value Code maintainability issues • Static set in non-static method Class hierarchy inconsistencies • Failure to call base.close() or base.dispose() • Missing call to base class Control flow issues • Suspicious extraneous semicolon • Inconsistent comparison usage • Comparison of incompatible types Null pointer dereferences • Dereference after null check • Dereference before null check • Dereference null return value Suspicious code • Copy/paste errors • Significant indentation anomalies • Swapped arguments Arithmetic errors • Incorrect shift operation • Incorrect expressions • Overflow while evaluating expression
  • 12.
    Conclusion • Different analysistools often find different but complementary issues • Use the right solution to find the issues that are important to you
  • 13.
    Want to tryCoverity on your code? For a free trial visit: www.coverity.com