450 Million Lines of Code Can't Be Wrong: How Open Source Stacks Up

← Back to Stories (view on slashdot.org)

450 Million Lines of Code Can't Be Wrong: How Open Source Stacks Up

Posted by timothy on Tuesday May 7, 2013 @02:07AM from the all-a-blur-at-this-point dept.

An anonymous reader writes "A new report details the analysis of more than 450 million lines of software through the Coverity Scan service, which began as the largest public-private sector research project focused on open source software integrity, and was initiated between Coverity and the U.S. Department of Homeland Security in 2006. Code quality for open source software continues to mirror that of proprietary software — and both continue to surpass the industry standard for software quality. Defect density (defects per 1,000 lines of software code) is a commonly used measurement for software quality. The analysis found an average defect density of .69 for open source software projects, and an average defect density of .68 for proprietary code."

33 of 209 comments (clear)

Min score:

Reason:

Sort:

Correction by Sla$hPot · 2013-05-07 02:09 · Score: 3, Insightful

"450 Million Lines of Code Can't Be Wrong"
should have been
"450 Million Lines of Code Can't ALL Be Wrong"
1. Re:Correction by hduff · 2013-05-07 03:01 · Score: 4, Funny
  
  It mean over 300,000 lines of code are wrong, most of it in the app I keep trying to use.
  
  --
  "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
65 million lines of HOST file can't be wrong by Anonymous Coward · 2013-05-07 02:10 · Score: 3, Funny

Just ask apk!
Defects fixed for proprietary may differ. by CodeReign · 2013-05-07 02:10 · Score: 2, Informative

Propietary defects are ones that may cause financial harm. FOSS defects are ones that cause annoyance.
I know that our code has more defects than we'd consider fixing purely because the CBA isn't there.
1. Re:Defects fixed for proprietary may differ. by Cenan · 2013-05-07 02:20 · Score: 4, Insightful
  
  Propietary defects are ones that may cause financial harm. FOSS defects are ones that cause annoyance.
  I know that our code has more defects than we'd consider fixing purely because the CBA isn't there.
  I'm guessing you mean defects in propietary software only gets fixed if they have an impact on the bottom line? Otherwise that whole reply makes no sense.
  Anyways, that is not much different from the OSS model. Whoever cares about the sub-system that has a bug, fixes it, and if nobody cares (or has the skills to fix it) it can go ignored for years. The selector for OSS is different, but the end result is the same: nobody gives a fuck about the end user unless it directly affects their day/paycheck/e-peen.
  
  --
  ... whatever ...
2. Re:Defects fixed for proprietary may differ. by Bigby · 2013-05-07 03:40 · Score: 2
  
  No, I think the GP is getting at the point that code analyzed in the analysis likely includes critical proprietary software. Software that needs to work and so they invest the time in making sure it does.
  Meanwhile, the open source side probably included code that is not critical, based on reverse engineering, or experimental in nature. Not that both the proprietary and open source code bases didn't contain both, but I think the context of the code is quite different.
  The results would be much more meaningful if they compared the code quality of GIMP vs Photoshop, Firefox vs IE, or Linux/X/KDE/Gnome vs Windows. Comparing anything in the open source world to code using in NASA missions or medical devices is bad, especially when you include those with useless stuff like xclock or some open source tetris.
3. Re:Defects fixed for proprietary may differ. by jellomizer · 2013-05-07 05:45 · Score: 2
  
  So hows that Kool-Aid?
  Somehow the idea on how a product is licensed will affect its quality is very absurd.
  For most open source projects you will only have a small handful of contributors about the same many for a traditional software company. You got good developers and bad ones. Some OSS software is just crap, others strive to be excellent. The same with commercial applications too.
  Any differences in the community vs commercial interest really tend to balance themselves out.
  You have a problem in your code. A small fraction of people will actually go into the source and fix it for themselves, as they risk having a separate fork and cannot upgrade their systems. A small fraction of people will pay the company extra money to fix the problem. Most will either decide if they can deal with the issue or not. And either not use the OSS project (reducing the popularity of the project and causing less involvement) or not buy the product making giving the software development firm less money to create software.
  The real advantage of Free as in beer software vs commercial is the fact you can try a bunch of lemons before you make your final decision. For a comerical app you often need to pay up front and deal with what you got.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
4. Re:Defects fixed for proprietary may differ. by Cenan · 2013-05-07 07:01 · Score: 2
  
  Correct, as a developer I'd like to fix bugs in my enterprise level software but the overhead required to do so is high enough to outway the benefits.
  On the other hand, if you are a developer for a FOSS project you are able to correct broken code at your leisure, submit it for peer review and have it accepted. The overhead is still there but it's spread out to feel less visible (IMHO). I'm perfectly fine writing a fix and having it be rejected for being inadequate. I'm less okay with spending 4 hours having people sign things so that I can correct a defect that takes 2 minutes of development work.
  Well sure, but that really has nothing to do with the cost of a bug. The motivation for fixing the bug may be different, but the data release tells us that the two have nearly identical impact when ground down to a (useless) number.
  We could go into the merits of using static analysis of code to say anything about code quality other than: "there are 0.69 rookie mistakes for every 1000 lines of code", but that is a whole other story.
  The article does a poor job of covering up that this is Coverity peddling their --Warnings_as_Errors --Pedantic solution to a problem the compiler people have solved already.
  
  --
  ... whatever ...
it contradicts the definition by nimbius · 2013-05-07 02:13 · Score: 5, Interesting

the very definition of 'proprietary software' indicates you dont have access to the code to calculate defect density, and even if you did you cannot independently verify the code you have is production code. how did the researchers quantify it?

--
Good people go to bed earlier.
1. Re:it contradicts the definition by GrugVoth · 2013-05-07 02:18 · Score: 5, Informative
  
  We use coverity where I work on proprietary code and part of their service is to report, anonymously obviously, the defect count, type and lines of code etc back to coverity if you want to. Via this they can get an idea of the defects found using their tool over a very large code base.
2. Re:it contradicts the definition by Anonymous Coward · 2013-05-07 02:29 · Score: 2, Insightful
  
  Wrong. There are quite a few organizations who have access to Windows source code, yet Windows is still proprietary software. Proprietary just means that you cannot freely share, not that you have no chance to get the source code.
3. Re:it contradicts the definition by Chris+Mattern · 2013-05-07 02:58 · Score: 5, Interesting
  
  We use coverity where I work on proprietary code and part of their service is to report, anonymously obviously, the defect count, type and lines of code etc back to coverity IF YOU WANT TO.
  Am I detecting a selection bias here? Coverity can run their tests against all of open source. Coverity can run their tests only against that proprietary code that decides to use it and report the results--and it strikes me that only the better, and more open, proprietary shops would be doing this. Is Mircrosoft reporting their code? I doubt it. Is Oracle?
4. Re:it contradicts the definition by Registered+Coward+v2 · 2013-05-07 04:01 · Score: 2
  
  We use coverity where I work on proprietary code and part of their service is to report, anonymously obviously, the defect count, type and lines of code etc back to coverity IF YOU WANT TO.
  Am I detecting a selection bias here? Coverity can run their tests against all of open source. Coverity can run their tests only against that proprietary code that decides to use it and report the results--and it strikes me that only the better, and more open, proprietary shops would be doing this. Is Mircrosoft reporting their code? I doubt it. Is Oracle?
  I doubt they ran it against all open source software; just some subset that ideally mirrored the proprietary code in complexity and application. If so it would be a reasonable comparison. Since TFA says they used some 300 OSS programs of various sizes I'd say it was a reasonable approximation of real world defect rates. Since the TFA doesn't name any proprietary products included in the survey it is harder to decide if they are valid results but I am willing to give them the benefit of doubt.
  
  --
  I'm a consultant - I convert gibberish into cash-flow.
5. Re:it contradicts the definition by steelfood · 2013-05-07 04:19 · Score: 2
  
  Is Mircrosoft reporting their code?
  That would be unfairly skewing the numbers upwards against proprietary software, what with both Windows RT and 8 being completely defective and all.
  
  --
  "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
6. Re:it contradicts the definition by shreak · 2013-05-07 04:44 · Score: 2
  
  Coverity performs "Static Analysis". Static analysis is a well respected technique in the industry and can find classes of software defects that are typically difficult to find through code inspection and testing.
  Specifically it can analyze entire call chains and find access to null or un-initialized variables. Compilers typically only do this within a single compilation unit (i.e. a file) while an SA tool like Coverity will do it over an entire call chain over multiple files.
  Other classes of defects that SA will find:
  - Memory leaks or double frees
  - variables passed out of range
  - unreachable code
  - Buffer overruns (BUFFER OVERRUNS!)
  - Sign issues
  It can be very painful to start using SA late in your project development. Getting a clean SA run is a major pain since you've probably got tons of little errors. Once you have a clean run (or if you start with SA analysis) keeping it clean saves you major headaches (and keeps your code reviews a little less frustrating)
7. Re:it contradicts the definition by Onymous+Coward · 2013-05-07 05:19 · Score: 2
  
  Even then not a reasonable comparison. The ability for the scanned proprietary softwares' teams to decide on inclusion feels to me like it would really influence the stats.
  Would you expect there to exist any correlation between how shoddy software is and how likely the authors are to share information about how shoddy their software is? I would expect some correlation.
8. Re:it contradicts the definition by Registered+Coward+v2 · 2013-05-07 05:51 · Score: 2
  
  Even then not a reasonable comparison. The ability for the scanned proprietary softwares' teams to decide on inclusion feels to me like it would really influence the stats.
  Would you expect there to exist any correlation between how shoddy software is and how likely the authors are to share information about how shoddy their software is? I would expect some correlation.
  Let's accept the premise that proprietary vendors only submitted what they considered their best code. If the code bases tested matched similar function OSS codebases, then it is a valid comparison of similar types of software. It would say that OSS and proprietary software; of similar functionality, has similar defect rates (for certain size code bases). As with any study, the results should be taken with a grain of salt until you see the underlying methodology and data. That, of course, will not stop people form trumpeting the results as proof *their* OSS project is as good as proprietary in terms of errors, even though such a conclusion is not valid; but it does give people some assurance that OSS code, in general, is as reasonably good as its proprietary equivalent. It would be interesting to see exactly what was included in each data sets and such information would help shed light on the conclusions. In addition, depending on what OSS software was included, you could make a case that much shoddy OSS software was left out depending on what was included in the sample; which is why I conclude that as long as similar types of programs were tested it is a valid comparison.
  
  --
  I'm a consultant - I convert gibberish into cash-flow.
and all the children are above average by Anonymous Coward · 2013-05-07 02:15 · Score: 5, Funny

"Code quality for open source software continues to mirror that of proprietary software — and both continue to surpass the industry standard for software quality."
What is this third kind of software that is neither open source nor proprietary which is bringing down the average industry standard for software quality? Because if there is only open source and proprietary then they can't both be better than average. Or perhaps the programmers are from Lake Wobegon?
1. Re:and all the children are above average by clodney · 2013-05-07 02:20 · Score: 2
  
  "Code quality for open source software continues to mirror that of proprietary software — and both continue to surpass the industry standard for software quality."
  What is this third kind of software that is neither open source nor proprietary which is bringing down the average industry standard for software quality? Because if there is only open source and proprietary then they can't both be better than average. Or perhaps the programmers are from Lake Wobegon?
  I had the same reaction, right down to the Lake Wobegon reference. Perhaps they are differentiating between software offered for sale versus tools internal to a business? To some extent that would also explain the difference in quality - cost to fix is much higher if you have shipped thousands of copies, versus telling the one consumer of a report in finance to ignore the one number that is wrong.
2. Re:and all the children are above average by ZahrGnosis · 2013-05-07 02:33 · Score: 2
  
  Wow, yeah, I posted an almost identical sentence myself. Eerie. (Although I didn't have a Wobegon reference... sorry). But yeah, it seems like an odd sentiment. Internal use software is still either "proprietary" or "open source"... isn't it? But good point. If someone calculated the bugs in my excel macros as if they could be used for general purpose computing I'd be in sad shape. (ObNote: I use excel macros as rarely as possible, and normally only at gunpoint).
3. Re:and all the children are above average by ZorroXXX · 2013-05-07 02:43 · Score: 3, Insightful
  
  The selection of sample projects is biased. For proprietary software, the data is taken from projects that at least cares as much for code quality that they run some tools (e.g. at least Coverity) to analyse it. I would suspect that the industry standard is below that because there exists some companies that mostly only consider "get the product out the door". For open source the selection is probably also somewhat scewed, in that they have analysed relatively large, mature and highly successfull projects. I would assume those have higher quality than the average sourceforge/github project.
  
  --
  When you are sure of something, you probably are wrong (search for "Unskilled and Unaware of It").
4. Re:and all the children are above average by hardluck86 · 2013-05-07 02:54 · Score: 2
  
  Industry Standard != Industry Average
5. Re:and all the children are above average by Gr33nJ3ll0 · 2013-05-07 02:59 · Score: 3, Interesting
  
  This is a good point. To build on it, the results reported from the propertiary code has had coverity at least run against it, and usually the problems that it reports fixed. This does not appear to have been done in the case of the Open Source software, which was just scanned, but never given a chance to fix. In that circumstance I would have expected a much much higher result for the Open Source software, because Coverity often reports on very pedantic issues, which are often not important to overall software quality. Further these issues would not show up in anything other than Coverity, making the initial scan the first time these issues were brought to life.
Some things can't be measured objectively by Hentes · 2013-05-07 02:16 · Score: 2, Insightful

Errors per lines of code may give you a hard number, but that number has nothing to do with the quality of code. It only takes one well-placed error to ruin a piece of software.
1. Re:Some things can't be measured objectively by MadKeithV · 2013-05-07 02:43 · Score: 2
  
  It's still a better measure than not trying to measure it at all
2. Re:Some things can't be measured objectively by gorzek · 2013-05-07 03:36 · Score: 3, Insightful
  
  You are wrong, and here's why.
  With no measurements at all, you cannot make informed judgments about the quality of your software. You can only guess. This means you would be unable to convince anyone (sane and intelligent) that your product has n bugs. "Because I say so" is not a metric.
  With a poor measurement--such as one that ranks all defects equally--you have information, but now it's bad information. If you share the information but not the method(s) used to gather it, you can convince people you're right, because you have data about it. Never mind if you are stacking up Product A with 1 show-stopping bug against Product B with 50 cosmetic bugs or unhandled corner cases. By this bugcount-only metric, Product A looks better, and that's just stupid.
  You need good measurements, and sometimes that includes measurements which cannot be quantitatively calculated without human intervention. A human programmer (or QA or other support person) who is familiar with a product will know just how severe a given bug is in terms of its impact. It is why, after all, bug tracking systems generally allow you to prioritize work by severity, fixing the worst bugs first.
  Poor information is worse than no information because it can lead you to make the wrong decisions with confidence. With no information, at least you know you are shooting in the dark.
  
  --
  Check out my world simulator thingy.
The study is not really conclusive by brainscauseminds · 2013-05-07 02:22 · Score: 2

Actually, this study does not say anything directly about code quality, because Density = Total Defects Found / Code Size. The problem is with the "Total Defects Found" part. How they are found and how they are reported may differ vastly from one project/company to other. The report sais that the quality of code increases with larger codebases in propertiary projects. In fact, the best you can say is that the metric decreases with larger codebases in propertiary projects. Maybe many of the defects have not been found yet in propertiary projects. Maybe they have less manpower to seek the errors, maybe they just don't care as long anything does not crash. But smaller defects may be in the code. Open source code is more open to "finding the defects", thus possibly obtaining worse "quality" they are talking about in the article. I think this has to be kept in mind when reading the report.
OSS defects by Cyko_01 · 2013-05-07 02:26 · Score: 2

Everyone knows OSS doesn't have defects, it just develops random features
What else is in the "industry"? by ZahrGnosis · 2013-05-07 02:28 · Score: 4, Insightful

and both [proprietary and open-source software] continue to surpass the industry standard for software quality
... What else is there? And why is this unknown third type of code dragging down the "industry"?
Unforeseen consequences by tedgyz · 2013-05-07 02:29 · Score: 2

Quality metrics can have unexpected side effects.

--
"No matter where you go, there you are." -- Buckaroo Banzai
The quality fairy by swm · 2013-05-07 02:34 · Score: 2

FTA:

As projects surpass one million lines of code, there’s a direct correlation between size and quality for proprietary projects, and an inverse correlation for open source projects.
The article gives numbers: above 1M LOC, defect density increases for open source projects, and decreases for proprietary projects.
Increasing defect density with size is plausible: beyond a certain size, the code base becomes intractable.
Decreasing defect density with size is harder to understand: why should the quality fairy only visit specially big proprietary projects?
Perhaps the way those proprietary projects get into the MLOC range in the first place is with huge tracts of boilerplate, duplicated code, or machine-generated code.
That would inflate up the denominator in the defects/KLOC ratio.
But then that calls the whole defects/KLOC metric into question.
Code quality by 140Mandak262Jamuna · 2013-05-07 02:40 · Score: 2

First of all code quality is difficult to measure, and the number of (known) defects per 1000 lines of code is a very poor metric. I could do more (good and bad) in one line of code than a novice who write voluminous code. Leaving that aside, what drives/motivates creating good quality code?
In open source, a defect gets fixed when someone feels the urge to fix it. Most of the time it is because it is their own dog food. Many open source projects are actually used by their own developers and they fix the issues that irritate them most. And rest of the bugs are based on impact on other users and passion about the software project
In a closed source project, it is often the bugs that affect the loudest paying customer gets fixed. If it is not going to advance sales, it wont get fixed.
Given this dynamic it is not at all surprising both methods have similar levels of that elusive "quality". I think software development should eventually follow the model of academic research. There is scientific research done by the universities that have no immediate application or exploitation potentials. The tenured academic professors teach courses and do research on such topics. Then as the commercialization potential gets understood, it starts going towards sponsored projects and eventually it goes into commercial R&D and product development.
Similarly we could envision people who teach programming languages to college maintaining open source projects. The students develop features and fix bugs for course credit. As the project matures, it might go commercial or might stay open source or it could become a fork. The professors who maintain such OSS projects should get similar bragging rights and prestige like professors who publish academic research on language families or bird migration or the nature of urban planning in ancient Rome.

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Re:Fight'n Words by bzipitidoo · 2013-05-07 03:31 · Score: 2

Sure makes the emacs vs vi wars look petty. This is a religious dispute between the believers in greedy capitalism, who think such forces lead to the best balance of highest possible quality at reasonable expense, in all endeavors, and everyone else.
The greedy capitalists think that if you aren't sweating and stressing over your job and the money it provides to feed your hungry children, not to mention your house and car payments, fearing that the loss of your job will ruin your career so that you will never be able to find another, then you aren't motivated enough to really help a capitalist endeavor succeed. They pressure you to put yourself on the hook with none too subtle hints, couched in plausibly deniable talk of "team spirit" and "dedication" and "commitment". The coworker who buys a new car gets all kinds of praise for, in essence, being such a good wage slave/capitalist consumer. If that doesn't do the trick, managers reveal a few personal details about their choices in housing and transportation, to set an example, and encourage a little bit of "keeping up with the Joneses" envy. If that still doesn't work, they remove the people who aren't falling for it, as those sort set a bad example. Makes for a good object lesson for the survivors of the layoff. Extreme balances on credit cards, massive house payments, and other such horrible burdens become, in this whacked out world, bragging rights. The savvy worker therefore has to appear to toe the party line, while carefully holding back in ways that do not show, because sometimes one ends up stuck under a boss who doesn't know when to quit pushing, and the only healthy alternative the worker has is to leave.
Naturally, they're afraid of open source, readily equating it with Socialism and even (gasp!) Communism, which they have feared for decades. They don't understand the motivations behind open source, and therefore don't trust it. They've been told that open source fits just fine with capitalism (and it does!), but they can't believe that. I think that attitude more than anything, this dogmatic belief in the holiness of wealth and ownership, has propped the likes of Microsoft up beyond all reasonable objective assessment of the true value of their offerings.

--
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"