Parasoft Insure++

Recently my employer purchased a license for Parasoft’s Insure++ for my use.

The idea of Insure++ is that you build your C/C++ application with their Insure++ tool, and it instruments your application to identify buffer overruns, etc.

NOTE BENE: The Insure++ instrumented build will only run on the machine on which Insure++ is licensed. You can’t build your application with Insure++ on your development machine and execute it on any other machine (e.g. a ‘lab rat’ test machine) without purchasing an additional license.

NOTE BENE: The license only covers one OS. It’s $4000 for the Linux version. And another $4000 for the Windows version. Etc.

Installing Insure++

I’m currently running Ubuntu 16.04. There were dependencies not covered in the installation documentation: specifically you will need to install ‘motif’ and another ‘.so’ (an X Printing Extension: Xprint) client library. Perform the following to get Parasoft Insure++ to work:

apt install libmotif-dev

And, append this line to /etc/apt/sources.list:
deb http://security.ubuntu.com/ubuntu precise-security main

Then:
apt update
apt install libxp6

A Simple Example

Parasoft includes an example makefile that compiles numerous example projects. It was not immediately obvious to me how to apply the given example(s) to my particular project. So, for an initial example, I still think it’s hard to beat K&R’s “Hello world”. Here’s how to instrument that with Insure++:

#include

int main(void) {
printf("Hello, world\n");
return 0;
}

You will need the following voodoo (not covered in the documentation that I could find) to successfully build this trivial program:

insure gcc -Wl,--no-as-needed -g main.c -o main

Insure++ and CMake

Insure++ assumes you are using old-school make files. Being an old-school developer I’m quite comfortable with those. Meanwhile, today I also use the JetBrains line of IDEs, including CLion, which depends on CMake for its underlying make engine.

Enabling Insure++ requires you to modify your ‘makefile’, basically replacing ‘gcc’ with ‘insure gcc’. Even after a Google search it was far from obvious how to accomplish that with CMake. So I called tech support to find out how to implement Insure++ with CMake. Mind you, theJetBrains/Clion IDE (depending as it does on mainstream technologies like gcc and CMake) is a dominant player in Linux C/C++ development. So imagine my surprise when the support tech’s questions made it clear that he had no idea what CMake was about.

In the end I ended up creating a make file (in parallel with our existing CMake CMakeLists.txt file) just so I could implement Insure++.

Insure++ and a Real C++ Program

Armed with the above, I was still unable to build a real C++ application. The following additional voodoo was required:

OPTIONS="-O0 -g"
SOURCE="*.cpp"
insure gcc $OPTIONS $SOURCE -Zvm -Zvm -Zvm -Zvm -o myapp

(That is not a typo: tech support said I needed ‘-Zvm -Zvm -Zvm -Zvm’ in my command line. Which resulted in successfully compiling the program. So far no useful/actionable results.)

Tentative Conclusion

Purchasing Insure++ was motivated by tracking down a segmentation fault that occurs occasionally. (A seg fault that Valgrind wasn’t finding either.) In parallel with implementing Insure++ I did deeper research on existing capabilities of gcc (and other open source resources). To my pleasant surprise there is much more debug instrumentation available with gcc than I knew. (See my blog C/C++ Stack & Heap Testing with gcc). So far this additional gcc instrumentation has flushed out several issues, where Insure++ has yet to flush out even one. And I personally have five ‘labrat’ test machines at my disposal, and they can all run gcc-instrumentation-enhanced debug builds of our app, whereas I can’t apply Insure++ to ANY of those testing resources without a considerable additional fee. Which might be OK if it were delivering results.

Even when it’s my own personal wallet, I have no problem paying for software that is useful. So far Insure++ has yet to deliver anything close to the results of [free] gcc capabilities. I’ll revise this blog if that assessment changes.

Leave a Reply

Your email address will not be published. Required fields are marked *