Polyspace Code Prover boosts code reliability by identifying critical issues like memory corruption and null pointer dereferences, adhering to ISO 26262 standards.
| Product | Mindshare (%) |
|---|---|
| Polyspace Code Prover | 1.3% |
| SonarQube | 12.7% |
| Checkmarx One | 8.3% |
| Other | 77.7% |
| Title | Rating | Mindshare | Recommending | |
|---|---|---|---|---|
| SonarQube | 4.0 | 12.7% | 84% | 135 interviews |
| Snyk | 4.1 | 5.0% | 100% | 51 interviews |
| Company Size | Count |
|---|---|
| Midsize Enterprise | 1 |
| Large Enterprise | 6 |
| Company Size | Count |
|---|---|
| Small Business | 77 |
| Midsize Enterprise | 32 |
| Large Enterprise | 256 |
Polyspace Code Prover offers advanced static code analysis tailored to detect complex runtime issues, making it a substantial asset in safety-critical software development. With features that facilitate easy integration with minimal tool switching, it effectively examines code segment runtimes for potential faults such as memory overflows. Polyspace Code Prover stands out by providing mathematical proofs of correctness, differentiating it from other static tools. However, improvements in processing speed and large-scale application handling remain necessary. While integration challenges exist with CI environments like AWS and Azure, the tool's efficiency is valued in automotive applications for unit-level verification and requirement-based component development, despite some scalability limitations.
What are Polyspace Code Prover's key features?
In industries such as automotive, Polyspace Code Prover is crucial for Functional Safety validation. It is applied in diverse projects like vertical control systems and cluster infotainment, with a focus on requirement-based component development. Despite challenges in larger applications, it remains a vital tool for analyzing Simulink models and small-scale implementations.
Alenia Aermacchi, CSEE Transport, Delphi Diesel Systems, EADS, Institute for Radiological Protection and Nuclear Safety, Korean Air, KOSTAL, Miracor, NASA Ames Research Center
| Author info | Rating | Review Summary |
|---|---|---|
| General Manager at a manufacturing company with 10,001+ employees | 2.0 | I've used Polyspace Code Prover for validating functional safety in automotive, valuing its correctness proofs and manual inspection tools, but find integration with CI workflows challenging and prefer Code Sonar for performance and CI compatibility. |
| Sw expert at a manufacturing company with 5,001-10,000 employees | 3.0 | We use Polyspace Code Prover across various projects for code verification to meet ISO 26262 compliance. However, it struggles with large-scale applications, showing false negatives and positives. Competing tools may offer better speed and quality balance. ROI remains unclear. |
| Software Engineer at Federal University of Minas Gerais | 4.5 | I find Polyspace Code Prover easy to use, especially with specific hardware requirements, allowing simple compiler selection. However, I'm having trouble with constraints and range propagation due to a lack of documentation. We're comparing it to LDRA for better static analysis tools. |
| Principal Software Engineer at Valeo | 4.0 | We use Polyspace Code Prover for safety-critical components in the automotive industry, as it identifies potential code issues like invalid pointer accesses. While effective, it has a lengthy initial run time and requires dependency management, unlike our other tool, Klocwork. |
| Functional Safety Engineer at a manufacturing company with 5,001-10,000 employees | 4.0 | I use Polyspace Code Prover to check runtime issues, including memory overflows and corruptions. Its ability to detect undefined memory access is valuable. However, it needs improved runtime analysis flexibility. Compared to Coverity and Helix QAC, Polyspace provides more reliable information. |
| Senior Engineer at a manufacturing company with 10,001+ employees | 4.0 | I use Polyspace Code Prover for static analysis of code files from vehicle development. It's reliable and highlights specific issues, making fixes efficient. While setup is easy, speed and format support could improve. ROI varies based on client demands. |
| Specialist at a tech consulting company with 501-1,000 employees | 4.0 | I used Polyspace Code Prover for an automotive project to perform static code checks at the unit level. It's user-friendly and integrates well into our environment but requires improved automation for increased efficiency, especially in time-constrained situations. |
Efficiency and speed are the advantages I see in Code Sonar over Polyspace Code Prover. We have company servers running Code Sonar that are easily integratable into the CI toolchain that we have. That brings commercial benefits as execution time benefits, so performance.
The only reason we're still using Polyspace Code Prover is the mathematical proving of correctness. That's the one thing where we still think that Polyspace Code Prover has significant advantages over Code Sonar.
Execution speed of the tests and generally the integration into AWS-driven CI work chains or workflows represent how it can be improved in my opinion. Performance issues plus license costs are two main driving factors. The CI environments that we use employ up to around 40,000 virtual CPUs per day in peak, running at the same time. We always have problems distributing licenses accordingly with other products. I can talk to the experts doing the integration, but as far as I know, I was involved with Polyspace Code Prover and we had a lot of difficulties integrating it into our Bazel-driven CI toolchain, plus integrating it on the AWS environments in Linux that we use. It was much more straightforward using Code Sonar there.
The reason is the execution speed, integration with Azure and stuff, and pricing. The CI integration and maybe a better-suited license model for CI-driven execution are other areas I recommend improving. That's something we discussed with all of the software companies whose products we use, such as compilers. We have a lot of parallel builds, and each call to a license server is actually problematic in the long run.
We are actually trying to consolidate everything into one solution. To reduce, that might also be a new solution, but we're not currently actively looking for that. It's just that we'd prefer to find solutions that are more suitable for a highly performant continuous integration environment, where we see a lot of deficiencies in Code Sonar and Polyspace Code Prover.
We require the analytic assessment and the mathematical proving of correctness. That is one issue that we need as per the standards in our company to allow vehicles to go on the road with FuSa software that needs to be inspected. The inspection level that we reach with Polyspace Code Prover is still considered to be higher than with Code Sonar for highly relevant safety applications.
I have used the color-coded verification feature in Polyspace Code Prover for manual reviews. I need to verify that with the team, because it used to be very helpful when doing manual analysis of the code, and for manual inspection. We now only use Polyspace Code Prover for very specific FuSa applications in very high-security environments, ASIL C and D. Due to the manual nature of the inspections, it is helpful.
We do use the automated report generation with Polyspace Code Prover. Normally, we have a lot of dashboards controlling software quality metrics. Because we had difficulties in efficiently integrating Polyspace Code Prover into our CI toolchain, these tests are mostly run manually and only occasionally. Then reports are being obviously manually scanned. It is not that we use Polyspace Code Prover for general observation of code quality over the whole ECU software that we create.
We still use QAC for static analysis and Code Sonar for more dynamic analysis. Currently, we're not evaluating any options directly. If something comes up on the market that would wake our interest, we might have a look.
We do have a strong collaboration with MathWorks because we use their other products such as Simulink, Stateflow, and MATLAB itself. We made it clear that for Polyspace Code Prover, there is really only very limited applicability in our eyes, and we just use it because of our own standards.
We are currently trying to get only one tool in our workflow, and currently the favorite is Code Sonar. We've evaluated a lot of different tools, but in the end, a couple of years ago, we decided to go for Code Sonar. We used Teamscale a lot and also integrated Code Sonar into Teamscale, but currently, we're really trying to reduce the number of tools being called.
I rate Polyspace Code Prover four out of five.
We use it for all projects where we write our own code. So, it could be vertical control, cluster infotainment, or competitor systems; we use it everywhere.
We use it for smaller models and for Simulink models. However, it crashes when we have too many files/functions. When we use Code Prover on large applications, it sometimes crashes.
I work with Simulink models, where Prover is fully integrated.
Prover enhanced our code verification process. That's why we use this type of tool. We need a static code analysis tool.
When we work on safety modules, it is mandatory to fulfill ISO 26262 compliance. Using Prover helps fulfill the standard on top of many other quality checks, like division by zero, data type casts, and null pointer dereferences. So, we have numerous checks that improve our code.
We leverage many features that are effective for identifying bugs because they all complement each other. Just using one wouldn't be enough for quality purposes. We need the whole set.
There are two main areas of improvement.
Another area I see for improvement is scalability, particularly when dealing with large software systems. While Polyspace is effective for individual components and smaller applications, its performance can be impacted when analyzing entire systems all at once.
There are limitations with handling large-scale applications.
I started using Code Prover recently since it became integrated into MATLAB just six months ago in my company. It works well.
We need to compare it to similar tools Fortify, Checkmarx, etc.
They often detect more quality issues, especially related to code flow, and they're generally faster.
However, there is a trade-off in these tools: speed versus quality. It's not ideal to sacrifice one for the other entirely. But, some other tools have a better balance.
While finding bugs is good, it's hard to quantify the exact impact.
We understand it's more expensive, but we lack concrete data to prove using it definitively gives us a clear benefit.
We use the paid version.
If you're using Simulink and Stateflow models within MATLAB, integrating with Polyspace Code Prover is very convenient because they're fully supported. There's a link between the code in the Simulink blockset, which makes verification efficient and practical.
Overall, I would rate the solution a six out of ten. It is not a bad tool, it is just not the best tool.
We are testing it.
I like how easy it is to use. We have specific hardware, and it's quite simple to choose the compiler, version, and everything else.
I'm still trying to use constraints with range propagation, but I can't get it to work properly, and I haven't found any documentation. It requires support. There could be an issue with range propagation when applying constraints to the variables.
I have been using Polyspace Code Prover for a couple of weeks.
I rate the solution’s stability a nine out of ten.
It's quite easy to use on a greater scale.
We are comparing it with LDRR and LDRA. Our company currently uses LDRA, but we're looking to choose another software that does the same job, only better. So, we're testing Polyspace.
I searched extensively online and found some comments on various websites about this, specifically regarding static analysis tools.
The initial setup is straightforward and takes a couple of days to complete.
It would have been faster if I had straightforwardly implemented it, maybe four or five hours.
I advise you to read the documentation first. The start guide's quite complete, so it's the best way to use it.
Overall, I rate the solution a nine out of ten.
We use this solution to develop software components flashed on ECUs for electronic control units.
Polyspace Code Prover has made me realize it differs from other static code analysis tools because it runs the code. So it's quite distinct in that aspect. We primarily use it in the automotive industry, where we develop components that need to meet certain safety standards.
Polyspace Code Prover helps us minimize the risk associated with these components by identifying potential problems in the code, such as invalid pointer accesses or divisions by zero. These are issues that could be missed during regular code reviews or unit testing, which focus on individual parts and specific input combinations. By leveraging Polyspace Code Prover, we aim to minimize risks as much as possible when developing safe components.
One of the main disadvantages is the time it takes to initiate the first run. Usually, there are a lot of errors initially, and you need to remove dependencies, such as compounded dependencies, to have an initial run. When we compared different tools, we found that the only drawback of Polyspace is the lead time required to have an output.
There's something that can bypass the red errors. This is because you cannot base the policy solely on the presence of a red line or error. Sometimes, this mocks other errors from being reported.
I have been a customer of Polyspace Code Prover for six years. We have the latest version.
The solution is stable.
The solution is scalable. We are a medium enterprise.
There is a lot of help available online that you should consider before talking to someone. However, sometimes it's not about the support; it's about having a case-by-case issue that is harder to solve. In such cases, you need the support team to be involved in your specific use case and provide the necessary help. There are many dependencies on the compiler and other factors. Therefore, each use case will have its own set of problems.
Positive
We use Klocwork, but it is not a substitute for Polyspace. Klocwork offers different functionalities compared to what we need. They have a solution called Bug Finder, which is similar to Klocwork. We are using Klocwork instead of Bug Finder. As for the Code Prover, there isn't a similar product on the market. We use Klocwork for all our software components except for the safety-critical ones. For the components that require the highest quality, we utilize Polyspace Code Prover instead of Klocwork. This decision is made based on our priority for safety. So, we use Polyspace Code Prover for safety-critical components and Klocwork for all other components.
The initial setup is not so difficult.
The installation takes a couple of hours or less than an hour or two. But it's like cutting up our software, the whole software. It shouldn't take days—maybe seven to eight days—to have an initial run with no errors and all the dependencies removed.
Two engineers are assigned per project for this activity, and they work on it throughout the entire project. They are not typically responsible for the entire component. The benefit of their involvement is that they can assist the developers at the front end of the component, but they are not involved in developing all of the components. Generally, we assign this task to two engineers who receive the report and deliver it to the other developers.
We are required to maintain it. We have to rerun it every time there is a code change.
Two persons are required per project for maintenance. However, in our organization, we have a large volume of projects. Therefore, it requires a significant number of people. We have multiple sites and around 50 projects. We enforce policies, ensure their strength, and provide maintenance.
The solution is not really cheap, but it wouldn't cost too much either. It is something you need. Its benefits outweigh its cost. It has a good price point. It has a yearly license fee.
I advise you to check what exactly you need out of this tool. Sometimes, you might not need something as complex as a code prover. However, in a use case where you want to check all possible combinations and inputs to ensure that the software does not behave incorrectly, you will definitely need to use Polyspace Code Prover. It is not humanly possible to perform these checks manually. If you are delivering a product with a quality rating or if it will impact people's lives in some way, then Polyspace Code Prover is essential.
But if your application is not that critical, if it does not significantly impact people's lives, and if you can afford not to use it, then you can definitely go without it. Polyspace Code Prover finds many problems that are missed during normal unit testing. However, if you cannot afford the cost, you must evaluate the importance of quality.
Overall, I rate it an eight out of ten because of the time it takes.

We use the solution to check the runtime issues of our programming.
The product runs the code based on our application loop and tries to find run time overflows of the variable and out-of-boundary memory issues. The product detects memory corruptions. It also detects undefined memory access and memory dereference. These are value-adding features.
The run time analysis process must be improved. If we do not run with the main loop, it generates its own main and doesn’t allow developers to modify the execution sequences. The solution must provide more flexibility to the developers to manipulate the runtime analysis tools. The developer must be allowed to modify the main sequence. It will be very easy for them to test their use cases. Otherwise, Polyspace generates a random main file and executes all the functions randomly.
I have been using the solution for four months.
The tool has some stability issues. It is 90% stable. It provides false positive reports sometimes. It must be stabilized.
The product is scalable. We have 20 people in our team.
The support provides good suggestions and resolves our issues.
Positive
I have used Coverity. It only does the static analysis of the code. I have also used Helix QAC. Polyspace gives more reliable information compared to Coverity and Helix QAC.
The installation is easy, but the people working on it must be trained.
We deployed the tool in-house.
I recommend the product to others. Overall, I rate the tool an eight out of ten.

We have some code files generated from the development, which we did for different vehicles. With the individual code files, there is a static analysis that we perform based on the checks. We look at what checks are violated. We look at what possible rules will be violated. From there we can make efficient fixes.
The solution doesn't just show you there is an issue. This product will highlight the particular code file and tell you what the issue is. This makes fixing issues very efficient.
It is easy to set up.
The solution is stable.
The outputs are very reliable.
The speed is slow based on the bandwidth of the server we are using. The solution could be faster. 500KB of C-files will take 35 minutes to get results, and this could be sped up.
Only .XML files are available for importing. I'd like the data to be taken from any format.
I've used the solution for four years.
The product is stable enough. It never gives us any issues unless it is a licensing issue.
The server has a job query, and users assign a ticket, and you get in line. The solution can work with any number of users. It does the results one by one either way. If you have ten users or 200 users, it will run each one by one. However, if the results were generated faster, you could get more results faster to be able to scale up very high.
We have 200 to 300 users using the solution on a daily basis throughout the world. They are mostly developers.
We've never faced any errors or issues and therefore have never contacted technical support.
It is easy to set up the solution.
We can actually modify it using script also. It's pretty easy to link it with our in-house toolchain with the Polyspace configuration settings.
If we have small amounts of data, it's quick and you can set it up within ten to 15 minutes. However, depending on the size of the data and the variables, it could take a while since you have to provide a range for all variables. If you have, for example, 500 variables, you'll be configuring a lot. However, the input extremes can be fed using an Excel file or some other format.
The ROI depends on the client. If the client has excess demands, it is worth exploring the solution.
Every company would be unique in terms of pricing. I can't speak to the exact cost.
I'm an end-user.
We have the solution on our own server, and I have worked with an AWS-based server also in other organizations.
We chose the solution due to the fact that the outputs are very reliable. I'd recommend the solution to others to see if it will produce the results desired based on the code. Users should be able to expect the results they will get and be able to cross-verify.
I'd rate the solution eight out of ten.

I used this software for an online project, specifically for an automotive project. Polyspace Code Prover is a powerful static code analysis tool that can check for numeric or other data.
The primary use case is for my unit testing part. My background is in automotive embedded software engineering, and we need to develop requirement-based components for automotive software applications. To test the functionality of these components, we need to check the generated code from the model or any hand-coded components before flashing it onto the processor.
So, for that, we need to perform static code checks at the unit level. That's why I used Polyspace Code Prover as a tool for this purpose.
First of all, Polyspace Code Prover is a very user-friendly tool. Once you import the respective RTP, you can simulate it with the minimum amount of stimulus or input files. It will drive the code and allow you to detect issues such as overflow or division by zero. These issues are important in functional safety and can be impacted at the software level. With the help of Polyspace Code Prover, you can easily detect these kinds of issues.
Additionally, the tool is user-friendly and integrated into the simulated environment used in most automotive software industries. It means that you do not need to use any other tools, and once you generate a code in the same environment, you can take that code and bring it into the Polyspace Code Prover environment to test it for unit testing.
I found it easy to access and handle. There is no need for any tool switching, and integration can be done easily.
There is room for improvement in automation related to the policies. We can work on scripting so that the tool automatically pops up, and with just a minimal amount of user input, we can repeat the execution. While manual processes are fine, automation is also required in today's industry, where time constraints exist in every delivery. Automation could be a challenge, but it is necessary for improvement.
In the next release, I would like to have an automated testing environment integrated with Polyspace Code Prover, which can be activated with a single click.
I have been using this solution for a few years now. Polyspace Code Prover is an add-on product available through MathWorks. So, you need to have it installed first, and then you can install this tool based on your user ID registration.
Based on my experience using it for two years, I found it stable. However, there were some bugs during that time. Later, when I heard from my colleagues, those issues were resolved. So, there were errors during my usage, but those bugs are likely resolved now. I cannot track it properly, but further updates may have resulted in stability improvements.
When I used that particular product, it was part of a floating license. So if it is a floating license, there will be some dependencies. For instance, if two users have been assigned a six-point license, then only two users can use that particular license. If a third person tries to use that license, they cannot do that. So, there is a limitation to using that tool in respect of a floating license. For six points, only one user can use it at a time.
They are good in terms of technical support, but their response time could be improved. We don't get an immediate response when we reach out to them with an issue, and it takes some time for them to check and come up with a solution, and I have faced some issues that took extra time to resolve.
Neutral
The setup is easy if you are aware of the process for policy-based tools. They provide guidelines, and it is a plug-in tool. Once you install it and provide the license, the tool pops up with a proper environment. There is project-specific guidance available, and help documents show how to check artifacts.
It is an expensive tool.
I would recommend Polyspace with respect to the updated versions; it is quite user-friendly. They have made some improvements as well. However, I have not used other tools. For example, there is a policies analytics check tool, and there is Polyspace Code Prover provided by MathWorks; I would definitely go with MathWorks. I never found any glitches as a user. They have improved a lot in terms of automation. They might have fixed the glitches.
Overall, I would rate Polyspace Code Prover an eight out of ten because it provides an integrated development scope where I can input my code and check it at both the unit level and meter guidelines. Additionally, I am able to check for any necessary policy-related items, as well as conduct static analytics checks. This feature allows me to ensure that all necessary checks are completed efficiently.