NICTA touts prototype code-analysis tool

Written by Munir Kotadia, Contributor
National ICT Australia (NICTA), a research institute that attempts to commercialise projects from a selection of the country's finest academics, has been demonstrating an analysis tool that scans code for bugs and security vulnerabilities.

At the NICTA Techfest exhibition in Sydney on Wednesday, formal methods researchers Dr Gerwin Klein and Dr Ralf Huuck were demonstrating the tool, called Goanna.

Klein told ZDNet Australia that Goanna is able to scan code written in C or C++ and look for errors that would not stop the code from compiling but could result in computational errors or open security vulnerabilities -- such as a buffer overflow.

As an example of Goanna's abilities, Klein staged a "Spot the Bug" test on the stand. It consisted of a short piece of code containing six errors that the tool would be able to highlight.

According to Klein, although there are a number of code analysis tools on the market, Goanna is very fast and allows its user to predefine different scanning rules for different projects.

"Some analysis tools out there are very deep and will tell you there is definitely going to be an error ... but it could run for a whole day or two. This one is pretty fast -- it does 1,000 lines of code per second -- maybe twice the time it takes to compile something.

"One cool thing about this is you can write your own rules. You can say, 'I am interested in this set of sorting guidelines for my company and a stricter set for that particular project'," said Klein.

The Goanna project, which has been running since April 2005, is almost ready to be released as a commercial application but Klein said he was unsure whether the code would be made open source or kept proprietary.

"It is a research prototype. We are basically now getting to the stage where we are looking at commercialisation. We have talked to some of our own business development guys.

"We might make it open source totally or we might make it available free at first as a closed-source version to try it out. I am just a researcher and that is a business decision," added Klein.