Product News

GCC 14 -fanalyzer improvements for buffer overflows and more -- David Malcolm

For anyone interested in the top source of memory safety issues, out-of-bounds accesses... GCC 14 will be able to catch more cases, and even show them with some colorful retro ASCII art:

Improvements to static analysis in the GCC 14 compiler

by David Malcolm

It does require some source code annotation, but also delivers safety value in return.

From the article:

So for GCC 14, I've added the ability for the analyzer to emit text-based diagrams visualizing the spatial relationships in a predicted buffer overflow. ... [For example,] this diagram shows the destination buffer populated by the content from the strcpy call, and thus the existing terminating NUL byte used for the start of the strcat call. For non-ASCII strings ... it can show the UTF-8 representation of the characters ...

... [Another improvement] is that the analyzer now simulates APIs that scan a buffer expecting a null terminator byte, and will complain about code paths where a pointer to a buffer that isn't properly terminated is passed to such an API.

Plus more, such as:

The analyzer has a form of "taint analysis", which tracks attacker-controlled inputs, places where they are sanitized, and places where they are used without sanitization. In previous GCC releases this was too buggy to enable by default, with lots of false positives, so I hid it behind an extra command-line argument. I've fixed many bugs with this, so for GCC 14 I've enabled this by default when -fanalyzer is selected. This also enables these 6 taint-based warnings:

Using Copilot Chat with C++ in VS Code -- Sinem Akinci

If you are a C++ developer who uses VS Code as your editor, Copilot Chat can help you with many of your everyday coding tasks by allowing you to iterate with your code in natural language.

Using Copilot Chat with C++ in VS Code

by Sinem Akinci

From the article:

We have just released a new YouTube video demonstrating the power of Copilot Chat in C++ code:

We cover how Copilot Chat can provide enhancements to your C++ coding scenarios like:

  • Simplifying and refactoring existing code
  • Generating new code and iterating with the prompt
  • Generating and explaining new test cases
  • Refactoring test cases to new frameworks
  • Understanding errors with your code
  • … and more!

Seastar, ScyllaDB, and C++23

Seastar announces that, now that C++23 is available, it will support C++23 and C++20 (dropping support for C++17) in accordance with its support policy.

Seastar, ScyllaDB, and C++23

By Avi Kivity

From the article:

Seastar is an open-source (Apache 2.0 licensed) C++ framework for I/O intensive asynchronous computing, using the thread-per-core model. Seastar underpins several high-performance distributed systems: ScyllaDB, Redpanda, and Ceph Crimson. Seastar source is available on GitHub. As a C++ framework, Seastar must choose which C++ versions to support. The support policy is last-two-versions. That means that at any given time, the most recently released version as well as the previous one are supported, but earlier versions cannot be expected to work. This policy gives users of the framework three years to upgrade to the next C++ edition while not constraining Seastar to ancient versions of the language.

Now that C++23 has been ratified, Seastar now officially supports C++20 and C++23. The previously supported C++17 is now no longer supported.

PVS-Studio 7.29: Boost smart pointers, plugin for Qt Creator on macOS

PVS-Studio 7.29 has been released. Now you can analyze Java projects in a plugin for VS Code, check Boost smart pointers, use the PVS-Studio plugin for Qt Creator 12 on macOS, and that's not all.

PVS-Studio 7.29: Java code check in VS Code, Boost smart pointers, and plugin for Qt Creator on macOS

by Gleb Aslamov

From the article:

The C++ analyzer now supports smart pointers from the Boost library: boost::unique_ptr and boost::shared_ptr. Now the PVS-Studio analyzer is able to detect errors such as null pointer dereferences when these classes are used.

mp-units 2.1.0 released -- Mateusz Pusz

We are happy to announce that mp-units 2.1.0 has been released and is available for download in Conan.

mp-units 2.1.0 released!

by Mateusz Pusz

About the release

Please check our blog post to read more about the improvements and some, unfortunately, breaking changes.



CppDepend 2024.1 Released! - Unveiling New Features and Improvements

We are thrilled to announce the launch of CppDepend 2024.1, a significant update that introduces a plethora of enhancements and new features to further bolster your C/C++ development workflow.

CppDepend 2024.1 Released! - Unveiling New Features and Improvements

by the CppDepend Team

From the article:

The latest version of CppDepend comes packed with an array of improvements and several new features that are designed to streamline project management, enhance code quality monitoring, and provide deeper insights into code bases. Key highlights of this release include an advanced source explorer, support for C++23/C++20/C++17, Improved Incremental analysis, and much more.


Top 10 errors in C and C++ projects in 2023

New Year is coming! It means, according to tradition, it's time to recall 10 of the most interesting bugs that PVS-Studio found during 2023.

Top 10 errors in C and C++ projects in 2023

by Alexey Gorshkov

From the article:

In this case, the developers wanted to fill the keyEventList array with zeros. Pay attention to the third parameter — the number of bytes the developers wanted to fill with zeros. In this case, sizeof(keyEventList) evaluates the pointer size instead of the array size. It depends on the target platform, but most often it's 4 or 8 bytes. However, the size of the structure is clearly larger than 4 or 8 bytes.

PVS-Studio 7.28: support for ARM, analysis of Unreal Engine projects without Unity Build, and more

Now you can run the analyzer on the ARM architecture, analyze .NET 8 projects, and check Unreal Engine projects without Unity Build — and there is more to come.

PVS-Studio 7.28: support for ARM, .NET 8, analysis of Unreal Engine projects without Unity Build, and more

by Gleb Aslamov

From the article:

When analyzing Unreal Engine projects with PVS-Studio, we often encounter issues with high memory usage and analysis slowdown. They usually arise when individual translation units are combined into a single file (the Unity Build system). Although the merging of translation units may have a positive impact on the compilation time, the large file size may increase the resource requirements for analysis.

No, C++ static analysis does not have to be painful -- Geoffray Adde

Static analysis as part of your CI pipeline has long been possible -- but tedious, at best, to set up. Sonar are upending that with an innovative new approach.

No, C++ static analysis does not have to be painful

by Geoffray Adde

From the article:

It seems impossible to offer serious C++ static analysis with a great configuration experience. Users must suffer the pain, or not use it at all.
Well, at Sonar we believe in making the impossible, possible and so we've gone ahead and solved this once and for all!

PVS-Studio 7.26: running analysis in VS Code and Qt Creator, integration with DefectDojo, and more

PVS-Studio 7.26 has been released. Now you can run the analysis in plugins for VS Code and Qt Creator; upload the analysis results to DefectDojo, and more. In this note, we'll take a closer look at these and other enhancements.

PVS-Studio 7.26: running analysis in VS Code and Qt Creator, integration with DefectDojo, and more

by Sergey Vasiliev

From the article:

Now the PVS-Studio plugins for Visual Studio Code and Qt Creator support the analysis of C and C++ projects. Moreover, the plugins support mass suppression of analyzer warnings (with the help of suppress files). This mechanism enables you to hide warnings for legacy code and work only with new warnings. In this way, the integration of the analyzer into the project will be much easier.