
Software Safety Home Page
"Tools for making Tools"
Last Modified on: Fri Sep 26 20:15:09 2008

The right software, delivered defect free, on time, on cost, every time, requires the correct tools.


If you think that I could be of some assistance to you or your organization, let me know.
American Society for Quality Certified Software Quality Engineer.

Software Safety now has a blog! Check it out.

This site has been listed as the EG3 Editor's Choice in the Embedded Safety category for February 2004.

eCLIPS gives this site four of five stars in the September 7th 2004 SAFETY CRITICAL - DESIGN GUIDE.


[Added Aug/06/2006:]

Automation for the people: Continuous Inspection. Free yourself from mundane, manual inspections with software inspectors.

When starting new projects, most of us plan to review code before actually releasing it into production; however, when delivery schedules supersede other factors, reviews tend to be the first practice thrown out. What if you were able to perform a portion of these reviews automatically? In this first article of the new series Automation for the people, development automation expert Paul Duvall begins with a look at how automated inspectors like CheckStyle, JavaNCSS, and CPD enhance the development process and when you should use them.

[Added Jan/01/2006:]

This Is Broken: a project to make businesses more aware of their customer experience, and how to fix it.

[Added Nov/26/2005:]

Valgrind is an award-winning suite of tools for debugging and profiling Linux programs. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting and making your programs more stable. You can also perform detailed profiling to speed up your programs and reduce their memory use. The Valgrind distribution currently includes three tools: a memory error detector, a cache (time) profiler and a heap (space) profiler. It runs on the following platforms: x86/Linux, AMD64/Linux, PPC32/Linux.

[Added Sept/18/2005:]

SLOCCount is a set of tools for counting physical Source Lines of Code (SLOC) in a large number of languages across a potentially large set of programs. As of Sept/18/2005 SLOCCount works with 27 different languages.
SLOCCount will even automatically estimate the effort, time, and money it would take to develop the software. Prove to the boss that your estimate was correct and his was, to put it politely, unrealistic.

is a resource to help Windows users find the best free daily-use software, free from nasties: adware, spyware, harmful/intrusive components, and threats to privacy.

National Security Agency Security Configuration Guides

[Added July/17/2005:]

Writing software requirements specifications as XML documents has quite a few advantages. Using open source tools like Emacs, PSGML, CVS and xsltproc gives us a powerful Requirements Engineering tool.

[Added July/16/2005:]

CAN in Automation (CiA) now has a chip and set of tools that are certified to IEC61508-SIL3.

To get my hardware design business off the ground I have managed to get the open source Compiere Enterprise Resource Planning (ERP) program up on my Gentoo Linux system, using the Fyracle database abstraction layer.

David's Advanced Revision Control System (DARCS) is yet another replacement for CVS.
I am starting to migrate my code to DARCS. [I switched to Subversion, as DARCS did nothing but crash on Windows; it seems fine on my Linux box.]

[Added Jun/05/2005:]

Computer Rage --> Take the SURVEY!

[Added Apr/30/2005:]

Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.

My personal preference is Gimpel Software's Lint, however they both have strengths in different areas and should be used together. Splint is stronger when it comes to issues of security, hence the name Secure Programming Lint.

Test your skills with Gimpel's The Bug of the Month.

Past colleagues have told me that "Lint is too hard to use because of the number of warnings it produces". That is exactly Lint's job, to be "nit-picky". I look at it as a game: can I beat Lint today and have code with no errors or warnings on my first run of Lint on new code?

Lout is a high-level language for a document formatting system that targets the same audience as LaTeX, but is much easier to set up and maintain.

The Goal Structuring Notation (GSN) is a graphical argumentation notation that explicitly represents the individual elements of any safety argument (requirements, claims, evidence and context) and, perhaps more significantly, the relationships that exist between these elements (i.e. how individual requirements are supported by specific claims, how claims are supported by evidence, and the assumed context that is defined for the argument).

When the elements of the GSN are linked together in a network they are described as a goal structure. The principal purpose of any goal structure is to show how goals (claims about the system) are successively broken down into sub-goals until a point is reached where claims can be supported by direct reference to available evidence (solutions). As part of this decomposition, the GSN also makes it possible to make clear the argument strategies adopted (e.g. adopting a quantitative or qualitative approach), the rationale for the approach and the context in which goals are stated (e.g. the system scope or the assumed operational role).

GNU cflow analyzes a collection of C source files and prints a graph charting control flow within the program.

The current implementation is able to produce both direct and inverted flow graphs for C sources. Optionally a cross-reference listing can be generated. Two output formats are implemented: POSIX and GNU (extended).

Input files can optionally be preprocessed before analysis.

The package also provides an Emacs major mode for examining the produced flowcharts in Emacs.

Archimedes is a tool for development of semiconductor devices, incorporating some intensive mathematics.

In the present release, GNU Archimedes is able to simulate electrons and heavy holes in Silicon and GaAs (Gamma and L-valleys) devices (holes are simulated by means of a simplified MEP model).

lcc-win32: A Compiler system for windows by Jacob Navia.

This software is not freeware; it is copyrighted by Jacob Navia. It is free for non-commercial use; if you use it professionally you have to buy a license.

The Galileo Project pursues basic and applied research in two fields: software design and engineering, and dynamic fault tree analysis. The project revolves around Galileo, an experimental software tool supporting dynamic fault tree analysis and having, as additional properties, ease of use, rich non-analysis functions (printing, display, etc), low development costs, and a case for the dependability of its core modeling functions based on mathematical validation and verification.

For commercial use contact Exelix, L.L.C.

[Added Sep/21/2004:]

Foremost is a console program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, EnCase, etc., or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.

Developed by the United States Air Force Office of Special Investigations [Its primary responsibilities are criminal investigations and counterintelligence services.], foremost has been opened to the general public.
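As an added example (not Foremost's own code, and not from this page), here is the header/footer carving idea in C: scan an image for a file type's header signature, then look for its footer within a configured maximum size. The JPEG signature, the constructed in-memory "drive", and the function names are all assumptions made for this example; Foremost takes its signatures and size limits from a configuration file instead.

```c
/* Added example: header/footer file carving in the style Foremost uses.
 * Not Foremost's code. One JPEG signature is hard-coded and the "drive"
 * is a constructed byte array; Foremost reads both from its config file. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOT_FOUND ((size_t)-1)

/* One carved file: where it starts in the image and how long it is. */
typedef struct {
    size_t offset;
    size_t length;
} carve_t;

/* JPEG: SOI marker FF D8 FF at the start, EOI marker FF D9 at the end. */
static const uint8_t JPEG_HEADER[] = { 0xFF, 0xD8, 0xFF };
static const uint8_t JPEG_FOOTER[] = { 0xFF, 0xD9 };

/* Constructed sample image: filler, a complete JPEG at offset 3 (8 bytes),
 * a header with no footer at offset 13, filler, a second complete JPEG
 * at offset 19 (7 bytes). */
static const uint8_t SAMPLE_IMAGE[] = {
    0x00, 0x11, 0x22,
    0xFF, 0xD8, 0xFF, 0xE0, 0x41, 0x42, 0xFF, 0xD9,
    0x33, 0x44,
    0xFF, 0xD8, 0xFF, 0x00, 0x00,
    0x55,
    0xFF, 0xD8, 0xFF, 0xDB, 0x43, 0xFF, 0xD9
};

/* Return the first offset in [from, end) where pat occurs, or NOT_FOUND. */
static size_t find_pattern(const uint8_t *image, size_t end, size_t from,
                           const uint8_t *pat, size_t patlen)
{
    for (size_t i = from; i + patlen <= end; i++)
        if (memcmp(image + i, pat, patlen) == 0)
            return i;
    return NOT_FOUND;
}

/* Carve header..footer pairs into out[] (at most max_out entries) and
 * return how many were found. max_size limits how far past a header the
 * footer is searched, as Foremost's configuration does: without it, a
 * header whose file is gone would swallow everything up to the next
 * unrelated footer. A header with no footer in range is skipped. */
size_t carve_jpeg(const uint8_t *image, size_t len, size_t max_size,
                  carve_t *out, size_t max_out)
{
    size_t count = 0, pos = 0;
    while (count < max_out) {
        size_t start = find_pattern(image, len, pos,
                                    JPEG_HEADER, sizeof JPEG_HEADER);
        if (start == NOT_FOUND)
            break;
        size_t limit = (len - start < max_size) ? len : start + max_size;
        size_t end = find_pattern(image, limit, start + sizeof JPEG_HEADER,
                                  JPEG_FOOTER, sizeof JPEG_FOOTER);
        if (end == NOT_FOUND) {
            pos = start + 1;          /* orphan header: move on */
            continue;
        }
        out[count].offset = start;
        out[count].length = end + sizeof JPEG_FOOTER - start;
        count++;
        pos = end + sizeof JPEG_FOOTER;
    }
    return count;
}

/* Wrappers that run the carver over the constructed image so each
 * result can be inspected as a single number. */
size_t sample_count(size_t max_size)
{
    carve_t out[8];
    return carve_jpeg(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, max_size, out, 8);
}
size_t sample_offset(size_t max_size, size_t idx)
{
    carve_t out[8];
    size_t n = carve_jpeg(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, max_size, out, 8);
    return idx < n ? out[idx].offset : NOT_FOUND;
}
size_t sample_length(size_t max_size, size_t idx)
{
    carve_t out[8];
    size_t n = carve_jpeg(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, max_size, out, 8);
    return idx < n ? out[idx].length : NOT_FOUND;
}

int main(void)
{
    carve_t out[8];
    size_t n = carve_jpeg(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, 8, out, 8);
    for (size_t i = 0; i < n; i++)
        printf("file %zu: offset %zu length %zu\n",
               i, out[i].offset, out[i].length);
    return 0;
}
```

With max_size 8 the carver returns the two real files at offsets 3 and 19 and skips the orphan header at offset 13. Running carve_jpeg with a very large max_size shows why Foremost's configuration carries a size limit per file type: the orphan header pairs with the next file's footer and yields a bogus 13-byte carve that overlaps a good one.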

PScan: A limited problem scanner for C source files. Are you tired of yet more externally exploitable buffer overflows in C programs? Do you want to audit your source for common mistakes?

GNU Arch revision control system. I found Arch to be hideously slow for the one project I checked out with it.

[Added Aug/01/2004:]

Study Of Steganography And The Art Of Hiding Information by Alain Brainos.

Static analysis tools find tough problems fast, by Jack Ganssle.

The most important part of creating safe software is proper documentation.  I found the easiest way to document software is to place the documentation in the source code itself.  This way you have only one document to maintain, and you don't have to worry about keeping multiple documents synchronized when a change is made.  Doxygen is a software package that makes it easy to properly document your software.

Doxygen is a documentation system for C++, C, Java, IDL (Corba, Microsoft, and KDE-DCOP flavors) and to some extent PHP and C#.

It can help you in three ways:

  1. It can generate an on-line documentation browser (in HTML) and/or an off-line reference manual (in LaTeX) from a set of documented source files. There is also support for generating output in RTF (MS-Word), PostScript, hyper-linked PDF, compressed HTML, and Unix man pages. The documentation is extracted directly from the sources, which makes it much easier to keep the documentation consistent with the source code.
  2. Doxygen can be configured to extract the code structure from undocumented source files. This can be very useful to quickly find your way in large source distributions. The relations between the various elements are visualized by means of include dependency graphs, inheritance diagrams, and collaboration diagrams, which are all generated automatically.
  3. You can even "abuse" Doxygen for creating normal documentation (as I did for this manual).

Doxygen is developed under Linux, but is set up to be highly portable. As a result, it runs on most other Unix flavors as well. Furthermore, executables for Windows 9x/NT and Mac OS X are available.
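An added example of what in-source documentation looks like in practice (example code, not from this page or from the Doxygen project): a Fletcher-16 checksum routine of the kind a safety-related message format might carry, documented with Doxygen's /** ... */ blocks and its @brief, @param, @return, @retval, @pre and @note tags. Running doxygen over this file (the default Doxyfile written by "doxygen -g" is enough) produces the HTML reference described above. The function names are assumptions for this example.

```c
/**
 * @file fletcher16.c
 * @brief Fletcher-16 checksum, written as an added example of in-source
 *        Doxygen documentation (example code, not from the page).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/**
 * @brief Compute the Fletcher-16 checksum of a byte buffer.
 *
 * @param[in] data  Pointer to the bytes to checksum.
 * @param[in] len   Number of bytes at @p data.
 * @return The checksum: high byte is sum2, low byte is sum1.
 * @pre    @p data points to at least @p len readable bytes, or len == 0.
 * @note   Both running sums are reduced modulo 255 after every byte, so
 *         they never overflow a 16-bit variable whatever the input length.
 */
uint16_t fletcher16(const uint8_t *data, size_t len)
{
    uint16_t sum1 = 0, sum2 = 0;
    for (size_t i = 0; i < len; i++) {
        sum1 = (uint16_t)((sum1 + data[i]) % 255);
        sum2 = (uint16_t)((sum2 + sum1) % 255);
    }
    return (uint16_t)((sum2 << 8) | sum1);
}

/**
 * @brief Verify a buffer against the checksum stored alongside it.
 *
 * @param[in] data     Bytes to check.
 * @param[in] len      Length of @p data.
 * @param[in] expected Checksum received or read with the data.
 * @retval 1 the recomputed checksum matches @p expected
 * @retval 0 the recomputed checksum differs
 */
int fletcher16_verify(const uint8_t *data, size_t len, uint16_t expected)
{
    return fletcher16(data, len) == expected;
}

int main(void)
{
    /* Constructed input; "abcde" is the usual worked example for Fletcher-16. */
    const uint8_t msg[] = { 'a', 'b', 'c', 'd', 'e' };
    printf("fletcher16(\"abcde\") = 0x%04X\n", fletcher16(msg, sizeof msg));
    return 0;
}
```

The point of the markup is that the @param and @pre lines sit next to the code they describe, so a change to the signature and a change to its documentation happen in the same edit, which is exactly the single-document argument made above.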

Susan Dart once wrote: "The goals of using CM (Configuration Management) are to ensure the integrity of a product and to make its evolution more manageable. Although there is overhead involved in using CM, it is generally agreed that the consequences of not using CM can lead to many problems and inefficiencies. The overhead of using CM relates to time, resources, and the effects on other aspects of the software life-cycle."
Configuration Management is sometimes referred to as "Version Control".

Still asking what version control is and why you should use it? One nice introduction is the book Practical Software Configuration Management, which discusses storing your software in version control and handling basic situations, like coordinating edits by several people. It uses RCS in the examples, but many of the concepts would apply to CVS or other version control systems as well.

If you face challenges like these ...:

I have used TLIB and always been happy with it. They think enough of their product to put links to their competitors on their own site.

Do you think they'll put links to Burton Systems Software on their Web sites?

Open Source Configuration Management:

Aegis is a transaction-based software configuration management system. It provides a framework within which a team of developers may work on many changes to a program independently, and Aegis coordinates integrating these changes back into the master source of the program, with as little disruption as possible.

The FHist package contains 3 utilities: a file history tool "fhist", a file comparison tool "fcomp", and a file merging tool "fmerge". All three are bundled together because they all use the same minimal-difference algorithm.

The history tool presented here, fhist, is a minimal history tool. It provides no locking or branching. This can be useful in contexts where the configuration management or change control is being provided by some other tool.

The history tool, fhist is able to handle binary files. The file comparison tool, fcomp, usually does a line-for-line plain-text comparison, however it is also capable of a byte-for-byte binary comparison.

CVS is the Concurrent Versions System, the dominant open-source network-transparent version control system. CVS is useful for everyone from individual developers to large, distributed teams. The CVS FAQ-O-Matic system is up; you can contribute by adding new items.
Configuration Management FAQ

Version Control Rethought

The goal of the Subversion project is to build a revision control system that is a compelling replacement for CVS in the open source community. The software is released under an Apache/BSD-style open source license.

"If C gives you enough rope to hang yourself, think of Subversion as a sort of rope storage facility." - Brian Fitzpatrick

File comparison and merge tools

Bug Tracking System

What is Bugzilla?

Bugzilla is one example of a class of programs called "Defect Tracking Systems", or, more commonly, "Bug-Tracking Systems". Defect Tracking Systems allow individual or groups of developers to keep track of outstanding bugs in their product effectively. Bugzilla was originally written by Terry Weissman in a programming language called "TCL", to replace a crappy bug-tracking database used internally for Netscape Communications. Terry later ported Bugzilla to Perl from TCL, and in Perl it remains to this day. Most commercial defect-tracking software vendors at the time charged enormous licensing fees, and Bugzilla quickly became a favorite of the open-source crowd (with its genesis in the open-source browser project, Mozilla). It is now the de-facto standard defect-tracking system against which all others are measured.

Scarab: Issue Tracking Built for the Ages

The goal of the Scarab project is to build an Issue / Defect tracking system that has the following features:

  • A full feature set similar to those found in other Issue / Defect tracking systems: data entry, queries, reports, notifications to interested parties, collaborative accumulation of comments, dependency tracking
  • In addition to the standard features, Scarab has fully customizable and unlimited numbers of Modules (your various projects), Issue types (Defect, Enhancement, etc), Attributes (Operating System, Status, Priority, etc), Attribute options (P1, P2, P3) which can all be defined on a per Module basis so that each of your modules is configured for your specific tracking requirements.
  • Built using Java Servlet technology for speed, scalability, maintainability, and ease of installation.
  • Import/Export ability via XML allowing for easy migration from other systems (like Bugzilla).
  • Modular code design that allows manageable modifications of existing and new features over time.
  • Fully customizable through a set of administrative pages.
  • Easily modified UI look and feel.
  • Can be integrated into larger systems by re-implementing key interfaces.

Although the final product will have a strong feature set, many of these features will be based on support in an underlying library of collaboration components. For example, Scarab will not implement its own notification system or localization system; those should be reusable components of the underlying framework.

Scarab is licensed under a BSD/Apache style license.

Dart, an open-source, distributed, software quality system. Dart allows software projects to be tested at multiple sites in multiple configurations (hardware, operating systems, compilers, etc.). Results from a build/test sequence are transmitted to a central server using standard Internet protocols. The server produces concise dashboards, summarizing the current state of a software system. The dashboards link to detailed reports on inter- and intra-configuration results. Testing results are tracked over time, allowing developers to trace the history of development.

Dart empowers every developer in a distributed software development team to track the quality of their project. Furthermore, Dart allows a developer to experiment with a locally modified version of their software and submit the results of their experiments to a central dashboard for all developers to see.

Dart consists of a server and several client machines. Dart clients build and test a software project and submit build logs and test results to the Dart server. Dart clients encode build logs and test results in XML and transmit these reports to the Dart server over the Internet. The Dart server summarizes the information from the clients and produces dashboards and reports.

Seven Tools of Quality

With the exception of the "Checksheet" (see ArgoUML above, or TUTOS below, for a checklist program), the program Ploticus is a great resource for plotting the Seven Tools diagrams:
  1. Cause-And-Effect-Diagram
  2. Checksheet
  3. Control Chart
  4. Histogram
  5. Pareto Diagram
  6. Run Chart
  7. Scatter Diagram

GraphViz Visualization Project

[Image: small state machine diagram]

The official site is at: AT&T Research.

What does it do?

GraphViz provides a collection of tools for manipulating graph structures and generating graph layouts. Example applications:

The Tigris Mission: Promoting Open Source Software Engineering.
Community Scope: Tigris provides information resources for software engineering professionals and students, and a home for open source software engineering tool projects. We also promote software engineering education and host some undergraduate senior projects.

Software engineering practices are key to any large development project. Unfortunately, software engineering tools and methods are not widely used today. Even after over 30 years as an engineering profession, most software developers still use few software engineering tools. Some of the reasons are that tools are expensive and hard to learn and use, and that many developers have never seen software engineering tools used effectively.

The open source software development movement has produced a number of very powerful and useful software development tools, but it has also evolved a software development process that works well under conditions where normal development processes fail. The software engineering field can learn much from the way that successful open source projects gather requirements, make design decisions, achieve quality, and support users. Open source projects are also a great way for developers to keep their skills current and plug into a growing base of shared experience for everyone in the field.

The Ultimate Team Organisation Software

TUTOS is a tool to manage the organizational needs of small groups, teams, departments ...
To do this it provides some web-based tools:

All these parts are heavily linked together to give a unique interface for the day to day needs of people involved in project management and development.

Project: Unravel Program Slicing Tool

The goal of the Unravel project is to provide (free of charge) a prototype program slicing tool that can be used to statically evaluate ANSI C source code.

Ticketsmith is an all-in-one web-based email support ticket system. Messages sent to your support email list will be inserted into a database and cataloged for easy viewing on the web. Replies, both staff and customer, are also cataloged, even though your customer uses a regular mail client. Other features include internal staff comments about tickets, fast sorting and searching capabilities, and email notification upon ticket receipt.

Flawfinder, a program that examines source code and reports possible security weaknesses ("flaws") sorted by risk level. It's very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public. See "how does Flawfinder work?", below, for more information on how it works.
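As an added example (not Flawfinder's code, and not from this page), here is the kind of line Flawfinder, and the Splint and Lint tools described above, report at high risk, beside a bounded replacement in C. The 16-byte buffer, the greeting, and the function names are assumptions made for this example.

```c
/* Added example, not Flawfinder's code: an unbounded string copy of the
 * kind a source scanner flags, next to a bounded replacement that
 * reports a name that does not fit instead of writing past the buffer. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* room for 15 characters plus the terminator */

/* What the scanner reports: strcpy copies until it finds a NUL in src,
 * so any src longer than 15 characters writes past name[]. Kept here
 * for contrast and deliberately never called in this file. */
void greet_unchecked(const char *src)
{
    char name[NAME_MAX_LEN];
    strcpy(name, src);                 /* flagged: no bound on the copy */
    printf("hello %s\n", name);
}

/* Bounded replacement: copy src into dst[dst_size] only if it fits,
 * terminator included. Returns 0 on success and -1 when src is too long
 * or an argument is unusable, so the caller cannot silently continue
 * with a truncated or overflowed name. */
int copy_name(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')   /* never read past dst_size */
        n++;
    if (n == dst_size)                        /* no room for the terminator */
        return -1;
    memcpy(dst, src, n + 1);                  /* n characters plus the NUL */
    return 0;
}

/* Same greeting as above, but the copy is checked and failure reported. */
int greet_checked(const char *src)
{
    char name[NAME_MAX_LEN];
    if (copy_name(name, sizeof name, src) != 0) {
        fprintf(stderr, "name too long (limit %d characters)\n", NAME_MAX_LEN - 1);
        return -1;
    }
    printf("hello %s\n", name);
    return 0;
}

int main(void)
{
    greet_checked("Ada");                                  /* fits */
    greet_checked("a name that is much longer than fifteen"); /* refused */
    return 0;
}
```

The scanner's report is only the start: the fix has to decide what happens when the input does not fit. Here that decision is an explicit error return, which is easier to audit than silent truncation and keeps the length check in one place for every caller.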

Maven defines itself as a project-management and project-comprehension tool. Its project object model (POM) controls the development and management of a project. The POM controls builds, document creation, site publication and distribution publication and can be stored in an XML file. Maven also provides a set of tools to enable developers to automatically generate a number of critical items, such as source metrics; mailing, developer and dependency lists; software development process documentation; change logs based directly on source repository; and source cross-references.
