Home » Blog » Categories » Product News

Product News

Part 2: Upsetting Opinions about Static Analyzers

By Andrey Karpov | Oct 16, 2020 01:27 AM | Tags: volatile static code analysis pvs-studio false positives

By writing the article "Upsetting Opinions about Static Analyzers" we were supposed to get it off our chest and peacefully let it all go. However, the article unexpectedly triggered robust feedback. Unfortunately, the discussion went in the wrong direction, and now we will make a second attempt to explain our view of this situation.

Part 2: Upsetting Opinions about Static Analyzers

by Andrey karpov

From the article:

And started coming up with cases when it might be justified, which means that the PVS-Studio analyzer warning was a false-positive. Some speculations about the change in memory between two checks came into play which occurs due to:

  • running parallel threads;
  • signal/interrupt handlers;
  • the variable X is a reference to the element A[0];
  • hardware, such as performing DMA operations;
  • and so on.

After heated debate on the analyzer's inability to comprehend all cases, they left to cut down forest with axes. In other words, they found an excuse why they could still avoid using a static code analyzer in their work.

Clang 11.0.0 Release Notes — Clang 11 documentation

By Adrien Hamelin | Oct 14, 2020 12:59 PM | Tags: community

The new version is here.

Clang 11.0.0 Release Notes — Clang 11 documentation

From the article:

This document contains the release notes for the Clang C/C++/Objective-C frontend, part of the LLVM Compiler Infrastructure, release 11.0.0. Here we describe the status of Clang in some detail, including major improvements from the previous release and new feature work. For the general LLVM release notes, see the LLVM documentation. All LLVM releases may be downloaded from the LLVM releases web site.

Upsetting Opinions about Static Analyzers

By Andrey Karpov | Oct 12, 2020 06:39 AM | Tags: static code analysis static analyzer pvs-studio data-flow analysis code analysis

Static analysis tools have advanced far over the time they've been around. They no longer resemble the "linters" that were in active use 20 years ago. But some programmers still view them as extremely primitive tools. And that's very sad.

Upsetting Opinions about Static Analyzers

by Andrey Karpov

From the article:

Of course, any modern static analyzer tracks the changes of variables' values. If a variable doesn't change, a warning is issued. If it does, no warning is issued. To ensure that, analyzers rely on data stream analysis. And that's exactly how PVS-Studio works. Let's take a look at the following synthetic example.


 

Winning the race against TOCTOU vulnerabilities in C & C++ -- Ann G. Campbell

By ganncamp | Oct 11, 2020 12:07 PM | Tags: None

Researchers were surprised to find that their Time of Check to Time of Use (TOCTOU) attack succeeded 85% of the time, even when the critical operations were "separated only by a few milliseconds."

To better understand this vunlerability and what you can do, read:

Winning the race against TOCTOU vulnerabilities in C & C++

by G. Ann Campbell

From the article:

With TOCTOU, the idea is that there's a window of opportunity between when a privileged program checks a file (Does the file exist? Are permissions okay for what we're about to do? …)  and when it operates on that file (Create the file. Write to the file. …). In that window, an attacker could replace the file with e.g. a symlink to `/etc/passwd`, and the operation you meant to perform on `/home/ann/tmp` happens to an important system file instead.

Broader coverage of C++ Core Guidelines & broken access control detection with SonarQube and SonarCl

By ganncamp | Oct 8, 2020 11:35 AM | Tags: None

SonarSource recently improved C++ analysis to provide even broader coverage of the C++ Core Guidelines and to add detection of broken access control vulnerabilities

C++ analyzer provides a broader coverage of the C++ Core Guidelines and detects broken access control security issues

By Alexandre Gigleux

From the article:

We’re proud to announce the following improvements to the C++ analyzer:

  • security rules detecting broken authentication and access control issues
  • broader coverage of the C++ Core Guidelines


Security Rules

We implemented 6 rules related to broken access control (incorrect permission assignments, privilege escalations, unprotected APIs …):

Why it is important to apply static analysis for open libraries that you add to your project

By Andrey Karpov | Oct 2, 2020 01:48 PM | Tags: static code analysis static analysis open source code review code quality

If there are several options, it is useful to take time to analyze open libraries in order to choose the best one.

Why it is important to apply static analysis for open libraries that you add to your project

by Andrey Karpov

From the article:

Because of a typo, the original vector is returned, not the new scaledVector container. The same error occurs in the division operator. Facepalm. Again, these errors don't mean anything separately. Although, this is a hint that this library isn't used much and there is highly likely that there are other serious undetected errors in it.

False positives are our enemies, but may still be your friends -- Loic Joly

By ganncamp | Oct 2, 2020 10:44 AM | Tags: None

Insights into how static analysis rules are structured, why false positives exist, how they're fought, and why - hard as we try - they may always be with us. 

False positives are our enemies, but may still be your friends

By Loic Joly

About the article:

When writing a rule for static analysis, it’s possible that in some cases, the rule does not give the results that were expected. Unfortunately, naming a false positive is often far easier than fixing it. In this post, I’ll discuss how the different types of rules give rise to different types of false positives, which ones are easier to fix than others, and how you can help. I’ll end with insight into how issues that are false positives can still be true indicators that the code needs to change.

Getting timely, accurate feedback on your C++ from the SonarQube ecosystem -- G. Ann Campbell

By ganncamp | Oct 2, 2020 10:34 AM | Tags: None

The SonarQube ecosystem offers C++ developers feedback throughout the workflow: in-IDE for the individual, in PRs for peer review, and in SonarQube for the team

Getting timely, accurate feedback on your C++ from the SonarQube ecosystem

By G. Ann Campbell

From the article

Late feedback is a pain in the butt. Regardless of how it comes, hearing "that thing you did two weeks ago was wrong" is unwelcome at best. Good feedback is immediate, actionable and at least dispassionate, if not compassionate. That's why we help you integrate C++ static analysis throughout your workflow, so you and your team get the feedback you need when and where it's most useful. In this post, I'll walk through how SonarQube and SonarLint integrate smoothly into your workflow and your team to give you the right data at the right time and in the right place.

HPX V1.5.1 released -- STE||AR Group

By Hartmut Kaiser | Oct 1, 2020 06:21 PM | Tags: performance parallelism heterogeneous computing distributed computing concurrency c++20 c++17 c++14 c++11

The STE||AR Group has released V1.5.1 of HPX -- A C++ Standard library for parallelism and concurrency.

HPX V1.5.1 Released

The newest version of HPX (V1.5.1) is now available for download! This is a relatively small bug-fix release that fixes some problems we discovered in the 1.5.0 release.

    HPX is a general purpose parallel C++ runtime system for applications of any scale. It implements all of the related facilities as defined by the C++ Standard. As of this writing, HPX provides the only widely available open-source implementation of the new C++17 parallel algorithms. Additionally, HPX implements functionalities proposed as part of the ongoing C++ standardization process, such as large parts of the features related parallelism and concurrency as specified by the upcoming C++20 Standard, the C++ Concurrency TS, Parallelism TS V2, data-parallel algorithms, executors, and many more. It also extends the existing C++ Standard APIs to the distributed case (e.g. compute clusters) and for heterogeneous systems (e.g. GPUs).

    HPX seamlessly enables a new Asynchronous C++ Standard Programming Model that tends to improve the parallel efficiency of our applications and helps reducing complexities usually associated with parallelism and concurrency.

 

New C++ features in GCC 10--Marek Polacek

By Adrien Hamelin | Sep 28, 2020 12:19 PM | Tags: community

Compiler improving.

New C++ features in GCC 10

by Marek Polacek

From the article:

The GNU Compiler Collection (GCC) 10.1 was released in May 2020. Like every other GCC release, this version brought many additions, improvements, bug fixes, and new features. Fedora 32 already ships GCC 10 as the system compiler, but it’s also possible to try GCC 10 on other platforms (see godbolt.org, for example). Red Hat Enterprise Linux (RHEL) users will get GCC 10 in the Red Hat Developer Toolset (RHEL 7), or the Red Hat GCC Toolset (RHEL 8).

This article focuses on the part of the GCC compiler on which I spend most of my time: The C++ front end. My goal is to present new features that might be of interest to C++ application programmers. Note that I do not discuss developments in the C++ language itself, although some language updates overlap with compiler updates. I also do not discuss changes in the standard C++ library that comes with GCC 10.

We implemented many C++20 proposals in GCC 10. For the sake of brevity, I won’t describe them in great detail. The default dialect in GCC 10 is -std=gnu++14; to enable C++20 features, use the -std=c++20 or -std=gnu++20 command-line option. (Note that the latter option allows GNU extensions.)...