All posts by Code Curmudgeon

I've been working in Software Development at Parasoft since 1992 - which in my opinion is before the epoch (my measure being the first real use of the web). I've been involved deeply in creating software, creating software tools, and helping customers address their software problems including automotive, cybersecurity and embedded. The views and opinions expressed herein are those of the author and do not necessarily reflect the views of anyone else on the planet. Caveat lector. You can follow me on twitter @CodeCurmudgeon, Google+, Static Analysis for Fun and Profit, Facebook, and LinkedIn.

Developing Clouds in the Forecast

These days it seems like everyone has their head in the cloud. At least from an interest level, that is. When it comes to actually using the cloud, they’re not necessarily ready for a real cloud deployment. The conversation usually goes something like this:

Clouds © by karindalziel
“Do you support cloud?”

“Sure, what did you have in mind?”

“We don’t know, but we know we want to do cloud at some point. Can you make your tools available to us in the cloud?”

“Yes, I can, what model do you want to use and will fit your security needs?”

“We can’t actually open our firewall, and we can’t share our source code outside the network. Maybe a private cloud…”

And it goes on from there. I’ve played this script over and over again. Lots of intellectual interest in cloud, but without any real understanding of either the issues involved or the benefits. Why on earth would you be switching to the cloud if you didn’t have some idea of what it was going to do for you? And yet people do it all the time.

Perhaps they are simply falling for the hype – cloud providers are claiming lower start-up costs, less overhead, better scalability and reliability, streamlined process, and cures for cancer. OK, I made that last one up, but it’s close. Seriously, a commenter to my piece on What Went Wrong with Static Analysis? said that all the potential pitfalls of static analysis are avoided if you simply use the cloud. As you’ve probably guessed, he worked at a company providing cloud services.

I don’t want to dive into a detailed list of what cloud can and cannot do at this point, although I may at a later date. But I do want to caution people to at least think about it. If someone says that the cloud will make your life better, ask them to explain how. If it makes sense, great. If not, beware of snake oil.

With that in mind, I want to talk about something that actually will make your life easier, namely a special kind of private cloud called micro cloud. This is an especially useful tool for software development that can make your life easier.

It’s no secret that I’m a VMware (VMW) fan. One of the aspects I like best is that it’s well suited for extreme scalability. You can start with desktop use, like running an alternate OS on your machine without having to reboot. Then you can push that onto an ESXi box in your server room when the virtual machine you were using unexpectedly becomes something useful you actually depend on. And ultimately you can push it off into the cloud and scale it up as needed.

This is where the connection to software development comes in. One of the tedious pieces of getting a software project up and running is setting up the infrastructure. This is known as Application Lifecycle Management, or ALM. You need to have quite a few different goodies available, and while none of them are super complicated, it takes time to put the whole thing together. And then at some point you realize that either you need another one and have to do it again, or the one you have is too small/slow for the team as the project has grown.

The list of necessary tools includes things like requirements management, project management, source control, compilers, development IDE, build management, continuous integration, testing, reporting, static analysis, code coverage, etc. Each of the items isn’t that complicated by itself. Putting them all together just takes more time than it should. In addition, it turns out that software developers really aren’t the best choice for system administrators, and don’t always deploy infrastructure in the way that you want. This is an excellent fit for virtualization.

Instead of putting together your software in an ad hoc way that has a tendency to grow like Frankenstein’s monster (come on, we know it happens to all of us) you can plan and coordinate between developers, architects, managers, and sysadmins. Figure out what kind of tools you’re going to need all the time, lay out the requirements for them, and get the admin guys to build you a virtual machine that has everything you want. Then test it, fix it, and from then on you can use it over and over again.

Do it on a virtual machine rather than a physical one; that way, when you need a new one for a new project, you can just stand up a new instance of the virtual machine. When you outgrow your hardware, scale it up on the back-end in the hypervisor. If you need to share geographically, push it out to a cloud provider or data center.

Or…

You can use one that someone else has already built. If you have a small project and you don’t have security issues that preclude you putting your code outside your own firewall, there are a couple of pure cloud plays that have pretty much what you need. For example you could go to GitHub and use their tools. Or you can check out Cloud Foundry, which also uses Git as a source control system.

If you can’t put your source in the cloud for whatever reason, or if Git isn’t your cup of tea, then you should look for a micro cloud instead. This is a virtual machine pre-built that you can use on a desktop, or in your own server room or even scale it up to your datacenter. Again, you could do all this yourself, but if you can find one that has what you need, you can save a lot of time.

[Disclaimer]
As a reminder, I work for Parasoft, a company that makes a variety of tools for software development, including an ALM virtual machine suitable for micro cloud. This is however my personal blog, and everything said here is my personal opinion and in no way the view or opinion of Parasoft or possibly anyone else at all.
[/Disclaimer]

With that behind me, let me relate a personal story. I was working on a personal project at home and wanted to set up a source control system. I happen to be an SVN guy, so I normally set up a Subversion server and then use Apache to access it. The SVN install is quick and easy. Apache isn’t too difficult, but by the time you get HTTPS up and running with certificates and the WebDAV SVN connector going it can be difficult. Add to that the normal scenario that you don’t do it very often and it’s easy to forget the little things that will trip you up during setup. Needless to say, I wasn’t looking forward to setting the darn thing up.

I started with using a VM like I always do, and as I was adding Apache and SVN to it, I got a feeling of deja vu. I knew of course that I had done it before, many times. Then I figured out why the deja vu. I helped create the VM for Parasoft that just happened to have everything I needed in it. So I downloaded that VM, started it up on my desktop, and set the configuration for what I needed. Other than download time, total setup and configuration was about 20 minutes. Total time and frustration saved: a lot.

Micro cloud is a great way not only to handle your development infrastructure; you can also do tech support on specific environments, set up complicated QA, provide quick POC projects, etc. This is one of the cases where it’s easy to see how cloud helps – it not only drastically reduces start-up time and costs, but leaves you in good shape to scale quickly and efficiently.

If there are clouds in your forecast, micro cloud might be the place to start.

That Bright Light You Saw was the End of Flash

It’s finally official – at least for those who are aware of how the web works. Yesterday Adobe (ADBE) announced that they will be discontinuing Flash support for mobile devices.

HTML5 © by Josef Dunne

A couple of brief quotes from their blog post follow:

“However, HTML5 is now universally supported on major mobile devices, in some cases exclusively. This makes HTML5 the best solution for creating and deploying content in the browser across mobile platforms. …”

“Our future work with Flash on mobile devices will be focused on enabling Flash developers to package native apps with Adobe AIR for all the major app stores. We will no longer continue to develop Flash Player in the browser to work with new mobile device configurations…”

To be sure they did plenty of backpedaling about renewed focus and new features for the desktop, but make no mistake, they see the light at the end of the tunnel, and they finally figured out it’s a train. Hello HTML5 Express!

As I’ve said before this is a fine thing. The truth is that many years ago Adobe was the only way to do animation, video, and interactivity at all. And after that, it was just the best way. And after that, the most common way.

Today the need for Flash has greatly diminished. HTML5 has already delivered on the promise in the area of video, and AJAX works very well for interactive web applications.

Three things really killed them. I’ll take them in reverse order, since the third was just a symptom, but most think it was the cause. Namely, Steve Jobs. At Apple (AAPL), Jobs figured out that Flash not only doesn’t work well for mobile, but it probably wasn’t ever going to, at least not before HTML5 would catch on. But Jobs didn’t kill Flash, he was just more vocal about its shortcomings.

Number one was that the need for Flash simply isn’t there the way it once was. Web pages used to be really static. In the beginning they were almost completely text. Then people started adding more images. Then came databases and data-driven apps. Then video, sound, and fully interactive applications.

But before the last, there was a gap, people wanted video and apps, but it just wasn’t easy. Most applications consisted of some special code that had to be downloaded on your machine, and were essentially client-server programs that used the web simply as a transport mechanism. Flash is pretty much the same as the others, with the exception that it was pretty easy to use, and it managed to catch on. With critical mass, it started to be supported by most browsers, and off it went.

Today we can get streaming video quite easily without Flash. Any web site that doesn’t provide video feeds in HTML5 simply cuts off millions of potential users, which is generally a poor business decision.

As for apps, the simple web applications that are in Flash will continue to live on, but the great desire for them has changed. Now users can download free and inexpensive games all day long on their mobile devices, which is where they normally play the little time wasters. (I’m not judging, I do it myself.) So why do you need Flash?

That leaves us with advertisers – and they have a problem there. People without Flash simply don’t get their message. From the producer side it’s a problem anyway. As a consumer, I’m happy to turn Flash off in my browser, and only click when I know it’s something I need. AJAX is where advertising will end up, and actually it’s very well suited to the task, seeing as the first A in AJAX stands for asynchronous, which is perfect for advertising.

So reason number one is that the need for Flash has melted away. I was tempted to say evaporated, but it wasn’t that quick. It’s been a slow steady change in how the web works, from proprietary thick browser plug-ins to open dynamic lightweight AJAX. And that’s a good thing, both for consumers and for the people who run the pipes that the internet is carried over.

I’ve always said that the value Adobe brings to the table isn’t so much Flash itself as the amazing tools they provide for web development. The designer shouldn’t have to care so much about whether the application is Flash or HTML5, they should be able to just code. Adobe should be able to quickly get in front of this by providing everything Flash does in HTML5. And to do that, they had to finally admit that HTML5 is killing Flash. Mobile is just the first step.

As for reason number 2 (for those who’ve been keeping track… 3,1,2) it explains why mobile is the first step. And that reason is that Flash is ill-suited for mobile for various reasons. One is performance. It’s easy to see that Flash is a hog no matter what the platform.

Try a simple test – fully charge the battery on your laptop. Fully disable Flash and spend a couple hours surfing the web. Then charge the battery again, turn Flash back on, and repeat. You’ll be shocked at the results. Bear in mind, I’m not even talking about playing Flash games and video, just surfing the web. Not only do you avoid advertising, but your battery lasts longer and everything runs faster. Who would have thought that dumping Flash was a way of going green? But it is. Now imagine trying the same thing on a device with a tiny battery, slower processor and a lot less memory. Painful.

The other part of the equation is the usage paradigm. Early in the iPhone era people started writing articles about how to program an iPhone. Many articles described handling the touch interface exactly the way you would a mouse. This is of course ridiculous, especially now with multi-touch and gesture.

Even without that, a finger simply doesn’t behave the way a mouse does. For instance, you can pick a finger up and put it down somewhere and the cursor moves with it. If you pick up a mouse and set it down the cursor is either where you started or in some random place – not the most useful feature.

The touch interface is just one aspect of mobile programming that makes Flash painful on a mobile device. Silly things like x controls that let you close a Flash animation are frequently too small to be used. Add that all up and you find that the basic concept of Flash is flawed: being “write-once run-anywhere” works fine on the desktop, but doesn’t translate well to the mobile touch-enabled world. Which leads us back to Steve Jobs, 1-2-3.

And a funny footnote. RIM (RIMM) has announced that unlike Adobe, they will continue to support Flash development for the Blackberry Playbook. They just don’t know when to give up, do they? It’s not surprising coming from the people who thought that no one would want mp3 files on their phones. As ZDnet put it:

But to continue to support an already dead platform on a dying tablet is like throwing salt in the wound of an already squashed slug.

So when HTML5 gets better and your mobile device gets stronger, you can thank Adobe for finally recognizing the inevitable – Flash is dead.

[Update]
Google has a tool that you can use to convert Flash to HTML5.
[/Update]

False Positives and Other Misconceptions in Static Analysis

wrong answer © by Sean MacEntee
In ongoing discussions here at the blog and elsewhere, I keep seeing the topic of false positives in static analysis come up. It’s certainly a very important issue when dealing with static analysis, but the strange thing is that people have very different opinions of what a false positive is, and therefore different opinions of what static analysis can do and how to properly use it.

In the simplest sense, a false positive means that the message that a rule was violated is incorrect, or in other words the rule was not violated – the message was false. Put another way, a false positive should mean that static analysis said it found a pattern in your code but the pattern doesn’t actually exist in your code when you review it. Now, that would be a real false positive.

Pattern-based false positives

False positives and “not false positives” (false negatives) are in two different areas. One is pattern based static analysis, which also includes metrics. There is also flow-based static analysis. One thing to remember is that pattern based static analysis doesn’t typically have false positives. If it has a false positive, it’s really a bug in the rule or pattern definition, because the rule should not be ambiguous. If the rule doesn’t have a clear pattern to look for, it’s a bad rule.

This doesn’t mean that when a rule lists a violation there is necessarily a bug, which is important to note and the source of much of the confusion. A violation simply means that the pattern was found. You have to look and say: I am choosing these patterns and flagging these patterns because they are dangerous to my code. When I look at a pattern, I ask myself, does this apply to my code, or doesn’t it? If it applies, I fix the code; if it doesn’t apply, I suppress it.

It’s best to suppress it in the code itself rather than an external location such as your UI or a configuration file, so that it’s visible and others can look at it, and you won’t end up having to review it a second time. It’s a bad idea to not suppress the violation explicitly, because then you will constantly be reviewing the same violation. The beauty of in-code suppression is that it’s independent of the engine. Anyone can look at the code and see that the code has been reviewed and that this pattern has been deemed acceptable in this code.

This is the nature of pattern-based static analysis. It’s based on an understanding that certain things are bad ideas and may not be safe. This doesn’t mean you cannot do them in a particular context, but that such things should be done carefully.

Flow Analysis false positives

In flow analysis you have to address false positives because it will always have false positives. Flow analysis cannot avoid false positives, for the same reason unit testing cannot generate perfect unit test cases. When you have code that uses some kind of library, for instance your Java code calls the OS and something comes back, who knows what it’s sending? It’s going to be a false positive because we have to make assumptions about what’s coming back.

We try to err on the side of caution: be careful here, and if it’s possible that something strange might be returned, protect against it. This finds bugs; that’s why it’s so valuable. You also need to understand the power and weakness of flow analysis. The power of flow analysis is that it goes through the code and tries to find hot spots and find problems around the hot spots.

The weakness is that it is going some number of steps around the code it’s testing, like a star pattern. The problem is that if you start thinking you’ve cleaned all the code because your flow analysis is clean, you are fooling yourself. Really, you’ve found some errors and you should be grateful for that.

The real question with flow analysis is the amount of time you spend going through results to find false positives, suppress them, and fix real bugs quickly before it goes into functional testing where it would be more difficult to find with debugging.

Let’s say you spend an hour to fix and suppress a dozen flow analysis items at something like a 50% false positive ratio, which is pretty nasty. Now let’s say one or two of these real bugs leak into the field. By the time you get info back from the field report to support and development, it may cost a half-day or even 2-3 days of time to address the issue. It is your decision which way is more time saving and effective.

In addition to flow analysis you should really think about using runtime error detection. Runtime error detection allows you to find much more complicated problems than flow analysis can find. Runtime error detection doesn’t have false positives, because the code is executed with a known value and had an actual failure.

Being Successful

The key to success is to choose which rules you want to adhere to, and then get the code clean progressively. Which means start with code you’re currently modifying and extend it throughout the code base until you are done. At some point when you see that there are very few violations, you can run it on the whole code base, rather than just recently changed code. In other words, set a small initial rule set with a cutoff-date of “today”. Then when you see violations dying out, add new rules, run it on the whole code, and review – we’ll discuss how to do the review in a moment. But we recommend extending the cutoff-date backward before adding new rules, because your initial rule set is only things that you feel are critical.

Rules/configurations should really be based on real issues you’re facing, i.e. take feedback from QA, code review, field-reported bugs, etc. and then find static analysis rules to address those problems.

Sometimes developers fall into the trap of labeling any error message they don’t like as a false positive, but this isn’t really correct. They may label it a false positive because they simply don’t agree with the rule, they may label it because they don’t understand how it applies in this situation, or they may label it because they don’t think it’s important in general or in this particular case. The best way to deal with this head-on is to make sure that the initial rule set you start with has a small number of rules that everyone can agree on. It should produce reasonable results that can be dealt with in a reasonable amount of time.
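One way to model the in-code suppression and cutoff-date rollout described above, as an added example rather than code from this post or any Parasoft tool. The rule IDs, the `// suppress(RULE): reason` comment syntax, the file names and the dates are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

# Hypothetical rules: each is an unambiguous pattern, so a hit means
# "the pattern is present in the code", not "there is a bug".
RULES = {
    "NO_STRCPY": re.compile(r"\bstrcpy\s*\("),
    "NO_GETS": re.compile(r"\bgets\s*\("),
}

# Hypothetical in-code suppression syntax: // suppress(RULE_ID): reason
# A reason is mandatory, so the review decision is visible to the next reader.
SUPPRESS = re.compile(r"//\s*suppress\((\w+)\)\s*:\s*(\S.*)$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    status: str  # "open" or "suppressed"
    reason: str = ""


def scan(path, text):
    """Return every rule hit in text, marking hits suppressed in the code."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        marker = SUPPRESS.search(line)
        code = line[:marker.start()] if marker else line
        for rule, pattern in RULES.items():
            if not pattern.search(code):
                continue
            # A suppression only counts for the rule it names.
            if marker and marker.group(1) == rule:
                findings.append(Finding(path, number, rule, "suppressed",
                                        marker.group(2).strip()))
            else:
                findings.append(Finding(path, number, rule, "open"))
    return findings


def review_queue(files, active_rules, cutoff):
    """Open findings for active rules in files modified on or after cutoff.

    files maps path -> (last_modified_date, source_text).
    """
    queue = []
    for path, (modified, text) in sorted(files.items()):
        if modified < cutoff:
            continue  # older code is out of scope until the cutoff moves back
        queue.extend(f for f in scan(path, text)
                     if f.rule in active_rules and f.status == "open")
    return queue


# Constructed sample sources (not from any real project).
SAMPLE = {
    "net/parse.c": (date(2024, 5, 2), (
        "void f(char *dst, const char *src) {\n"
        "    strcpy(dst, src);\n"
        '    strcpy(hdr, "v1"); // suppress(NO_STRCPY): constant fits hdr[8]\n'
        "    gets(line); // suppress(NO_STRCPY): names the wrong rule\n"
        "}\n")),
    "legacy/old.c": (date(2019, 1, 10), "void g(char *b) { gets(b); }\n"),
}

if __name__ == "__main__":
    today = date(2024, 1, 1)  # constructed cutoff date
    for f in review_queue(SAMPLE, {"NO_STRCPY"}, today):
        print("start small:", f)
    for f in review_queue(SAMPLE, set(RULES), date(2018, 1, 1)):
        print("cutoff moved back, all rules:", f)
```

A suppression that names a different rule, or gives no reason, leaves the finding open, so every accepted violation carries its justification in the source where any reviewer or any engine can see it.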


AI Smackdown – Siri vs Eliza

John McCarthy © by eschipul
John McCarthy, creator of LISP, and father of modern artificial intelligence (AI) died today. He was one of the first guys to work seriously on getting computers to do things that you wouldn’t normally have expected computers to do, like play Chess or have a conversation.

One of the most common AI applications programmers have played with over the years is Eliza. Like others at the time, one of my first attempts at writing an interesting piece of software in my youth was to alter an Eliza program written in BASIC (as taken from the pages of Creative Computing, for all you old-timers). Eliza is a simple software psychoanalyst created in the 60’s by Joseph Weizenbaum. While Eliza wasn’t written by McCarthy, she was certainly a product of his inspiration on the industry.

Ever since the new iPhone came out with Siri, the digital assistant, I’ve been thinking about comparing her to Eliza. I don’t often get to play with AI here at Parasoft and the death of McCarthy brought the topic to my mind again. I’ve put together a small comparison of questions and answers from Siri and Eliza. Note that with Siri, your mileage may vary, she doesn’t always answer the same way. I’ve obviously skipped most of the “useful” things that Siri can do, as it would be an unfair comparison for poor old Eliza, who doesn’t have all the modern advantages that Siri does.

It’s interesting because while they share a common logical bond, their personalities are very different. Siri was designed to be helpful and amusing. Eliza was specifically designed not to be helpful, in that she’s supposed to be a therapist and lead you to your own conclusions rather than give you answers. Eliza isn’t an assistant, she’s an attempt to play the “imitation game”, also known as the Turing test.

For the samples below I used a Java version of Eliza that you can try for yourself on the web.

Samples:
Q: Can you help me?
E: You believe I can help you don’t you ?
S: You can say things like… (A list of sample queries)

Q: What are you doing?
E: Why do you ask ?
S: Just thinking

Q: Who is your favorite composer?
E: Why are you concerned over my favorite composer?
S: I guess I don’t have one.

Q: Are you married?
E: Why are you interested in whether I am married or not ?
S: We were talking about you, not me.

Q: What is your name?
E: I am not interested in names.
S: My name? It’s Siri.

Q: You are beautiful
E: What makes you think I am beautiful?
S: Oh, Stop.

Q: I love you
E: Perhaps in your fantasies we love each other.
S: Oh, Stop.

Q: How are you?
E: Does that question interest you?
S: I am well ____ (name)

Q: What do you think?
E: What is it you really wanted to know?
S: It’s nice of you to ask, but it doesn’t really matter what I think
or I think differently.

Q: Good night
E: I’m not sure I understand you fully.
S: Ah… it’s still only _____ (fill in the time)
or other answers depending on the time of day.

Q: Can you send a message to my brother?
E: Tell me more about your family.
S: I don’t know who your brother is, To whom shall I send it, I need a contact name, phone number, or email address.
or What do you want to say to ____ (your brother)?

I’m not sure about all of the reasons they’re so different. Sure, the state of the art in AI has come a long way since the 60’s. Or is it just that men’s expectations of women have changed? I was tempted to write that perhaps people are more friendly or helpful now than in the 60’s but that’s ridiculous. Perhaps it’s only that computers are now more helpful and friendly than they were. Is it possible that Eliza’s seeming bad mood had something to do with her obvious handicaps in memory and CPU? Maybe she was aware of this, and it caused her to be ill-tempered? In any case, Eliza comes across as a bit cynical, while Siri is much more light-hearted most of the time. Siri’s mood can definitely change as you can see from some of the answers.

It occurs to me that it would be funny to get Siri to talk to Eliza – would Eliza help Siri, or would Siri end up making Eliza more friendly?

So if your computer was nice to you today, thank John McCarthy.

[Update: I added a few more links and minor clarifications, as well as AI resources]

Here’s a list of my favorite fiction books about killer AI.

Some resources on artificial intelligence (AI):

Artificial Intelligence: The Basics

Artificial Intelligence for Humans, Volume 1: Fundamental Algorithms

Artificial Intelligence in the 21st Century (Computer Science)

The Artificial Intelligence Revolution: Will Artificial Intelligence Serve Us Or Replace Us?

Books on AI at Amazon