
Coverity Scan Report


Staf_Verhaegen

Guest
Coverity, now part of Synopsys, put out their yearly Open Source Scan Report: Coverity Scan Open Source Report Shows Commercial Code Is More Compliant to Security Standards than Open Source Code

What strikes me is the change in emphasis now on how closed source software is better standard conformant. But they mention it still has higher defect density than open source software. Or, to put it differently, even without following standards, open source projects can write code with less defect density. Likely not the message the Synopsys marketing wanted to bring forward :)
 
For the right kind of project there is no doubt that open source is clearly the most effective way to write code. "with enough eyes all bugs are shallow". A lot of the projects that use the Coverity scan are the big projects with a huge number of contributors and professional management. It is easy to assume most open source projects are like Linux and Firefox but they are apparently often tiny with poor quality code.

The big problem with open source is the business model. With very big and widely used mission critical projects like Linux or Android, big companies are dependent enough to pay some of their top programmers to participate. Some projects, like Android, have some sort of way at least indirectly to recover their investment. But if projects require very specialized knowledge then typically that ends up being delivered as closed source since programmers like to earn a decent living and peer prestige is not enough.

Recent developments in the cloud space with projects like OpenStack and Docker indicate that what you say is not a necessity. And the EDA industry is not a small industry either.

What I see as a major road block to open source adoption in this world is that open source prevents vendor lock-in. If, for example, OpenAccess were really open, it would open more competition in the full custom design field. Additionally, open source also reduces the control the strategy, marketing and legal side of the company has on the technical side.
When you look at things like EDA360 of Cadence, this is actually quite a few things of the open source world applied to EDA. But unless they are prepared to make OpenAccess really open and make it the OpenStack of the EDA services world, it's actually not much more than expensive talk. I also don't want to single out Cadence; all three big EDA companies are still holding on to the last century vendor lock-in principle which even Microsoft seems to have given up (I was surprised how well the online version of office365 seems to work in firefox on Linux).
In the end I do think several of the current problems in the semiconductor industry could be solved by having an EDA services industry based on an open source framework. For example, discussions between designer and services companies and between foundry and services companies could be based on software patches, not on bug reports that can't be reproduced or are added to a long list of bugs which are then prioritized by the vendor.
But getting to this more optimal point for the whole industry will need common investment of time and resources from the EDA companies and a so-called paradigm shift. But I don't see the necessary trust between them available. Additionally, you have some active investors in the companies for which short term ROI is more important than the long term. For this reason I don't see this ever happening unless they are really strong-armed by the foundries. The necessary investment is simply too big for one party to take if in the end all parties will profit from the benefits.

For the cloud services companies, which were basically a new industry, it was much more natural to evolve to this more optimal industry setup. For existing industries it seems very difficult to impossible to naturally evolve to this way of working without external disruption.

To conclude, in my opinion the EDA companies still act like pure software and IP vendors but should start to think more like services companies.
 
I was at Cadence 15 years ago when we were debating whether and when to put OpenAccess in the public domain (open source lite, if you like).

The thing that made Cadence give it to SI2 was that large customers (think Intel, TI etc., although I don't remember specifically who they were) had internal developments to do their own database and would not use OpenAccess unless it was...er...open. In the long run, it would be easier for Cadence to support a single database than get forced to support a proprietary database for every major customer, even though it would enable a lot of Cadence competition. A lot of the effectiveness of an EDA tool is in the database (remember what it was that Avant! stole from Cadence: the database).

But, as you point out, Cadence (and the other EDA companies, I too am not singling out one) make a lot of money with a closed source model. Back in that era when I ran custom IC we were making something like $50+M per quarter from Virtuoso and the stuff around it. If Cadence open sourced Virtuoso, then that would drop precipitately since large semiconductor companies would put a team on making their own version of Virtuoso and give Cadence $0, and probably some companies would do a sort of EDA Redhat and provide a production Virtuoso release and support. Of course Cadence could do that too, but there is no guarantee that they would even be the best at doing that.

Of course it would be positive for the semiconductor industry if Cadence open-sourced Virtuoso, just as it would be if they dropped the price to $0.50. But neither would be good for Cadence. I just don't see how you can get from where EDA is today to an open source EDA world where the EDA companies just make money from services. $5B is a lot of services. It might even end up like the Android world where Google makes no (direct) money from it, but to use it you need a Microsoft patent license, so every copy of Android makes more for Microsoft than for Google, and also makes money for an ecosystem of little service companies that help phone manufacturers bring up and customize Android. It is not that farfetched to imagine a world where Synopsys open sourced DC but you need a patent license from Cadence to use it to design chips.

When you say the EDA companies still act like pure software and IP vendors but should start to think more like services companies you need to give a reason why it is in the EDA companies' interest to do that since they have the keys to the castles. It is obviously in the customers' interest if the EDA companies gave their software away.
 