Product News

PVS-Studio in 2022

It's January 2023, which means it's time to look back at our achievements in 2022. In this article, we'll tell you what we accomplished and show you what features appeared in PVS-Studio in 2022. Let's go.

PVS-Studio in 2022

by Polina Alekseeva

From the article:

Speaking of cross-platform. As of now, the analyzer runs on Windows, Linux, and macOS on the x86_64 architecture. It is currently impossible to run the analyzer natively on the same operating systems under ARM (except for C and C++ analyzer on ARM-based macOS: you can run it via Rosetta). We're wondering if there are many people among our readers who want to natively use the analyzer on ARM. How critical is the build and analysis of projects on the ARM architecture for you?

Top 10 bugs found in C++ projects in 2022

New Year is coming! It means, according to tradition, it's time to recall 10 of the most interesting warnings that PVS-Studio found during 2022.

Top 10 bugs found in C++ projects in 2022

by Vladislav Stolyarov

From the article:

Here the analyzer detected that a function, marked as noexcept, calls a function that throws an exception. If an exception arises from the nothrow function's body, the nothrow function calls std::terminate, and the program crashes. It could make sense to wrap the setName function in the function-try-block and process the exceptional situation there — or one could use something else instead of generating the exception.

libstdc++ gets C++20 chrono

Screenshot_2022-12-24_094211.pngImagine Jonathan Wakely in a red suit with his helper elves, delivering presents:

libstdc++ gets C++20 <chrono>

As seen on Reddit:

It looks like Jonathan Wakely has just today contributed a huge amount of effort towards <chrono>.

He's added the time zones, leap seconds, all that good stuff.

He's even added GDB pretty printers for inevitable date time debugging!

And these features are supported in <format>, which libstdc++13 has, if you weren't already aware. He's also made many other various improvements. Lets give a round of applause to Jonathan Wakely!

High-confidence Lifetime Checks in Visual Studio version 17.5 Preview 2 -- Gabor Horvath

More safety please:

High-confidence Lifetime Checks in Visual Studio version 17.5 Preview 2

by Gabor Horvath

From the article:

The C++ Core Guidelines’ Lifetime Profile, aims to detect lifetime problems, like dangling pointers and references, in C++ code. ... Lately, there has been an increased push in the C++ community to introduce lifetime-related safety features, which has led us to revisit the lifetime analysis in MSVC.

We spent the last couple of months looking into the results of using the lifetime analysis on real world code. This blog post summarizes our experience and the improvements we made along the way. The biggest change is the introduction of a new set of warnings. These warnings are the high-confidence versions of the existing warnings. Users who want less noise can enable only the high-confidence warnings, while users who want more rigorous checks at the cost of noise can enable both the old and the new warnings. As of 17.5, the high-confidence warnings are still experimental, but depending on the feedback we might include them in some of the recommended profiles in future versions...

Boost 1.81.0: Major release now available

Just in time for the holidays, a major new Taylor Swift album Boost library release just dropped:

Boost verison 1.81.0 released

Release managers: Marshall Clow and Glen Fernandes

From the announcement:

New Libraries

  • URL:A library for parsing, modifying, and printing URLs using only C++11, from Vinnie Falco and Alan de Freitas. Features include fast compilation, strong invariants, and strict compliance using a memory-friendly approach.

Updated Libraries

  • Asio:
    • Added the consign completion token adapter, which can be used to attach additional values to a completion handler.
    • Added any_completion_handler<>, which can be used to type-erase completion handlers.
    • Added experimental::co_composed to enable lightweight implementations of user-defined asynchronous operations using C++20 coroutines.
    • Add range-based experimental::make_parallel_group() overloads.
    • Added any_completion_executor, a type-erased wrapper for executors that are associated with completion handlers.
    • Added missing context query to use_future's executor.
    • Added nothrow constructor overloads to execution::any_executor<> and any_io_executor.
    • Optimised representation of empty execution::any_executor objects to improve the performance of copy and move operations.
    • Added an associated_cancellation_slot specialisation for std::reference_wrapper.
    • Changed I/O objects to return their executors by const reference.
    • Changed associated to use deduced return types for all two-argument get functions.
    • Fixed spawn implementation to catch unhandled exceptions and rethrow them outside of the spawned "thread".
    • Fixed spawn to ensure the completion handler is dispatched through the correct executor.
    • Fixed cleanup of of terminal-state spawn "thread" objects.
    • Fixed spawn and co_spawn implementations to dispatch cancellation handlers on the correct executor.
    • Changed semantics of 'dispatch' to mean the executor is used as-is.
    • Deprecated the execution::execute customisation point and sender/receiver facilities.
    • Added a C++11 parallel_group example.
    • Fixed example code to not use the deprecated resolve conversions.
    • Fixed an ambiguity in experimental::channel_traits specialisations.
    • Added a specialised channel implementation for the for R(error_code) signature.
    • Made cancelled() public on the async_compose 'self' object.
    • Added io_executor_type and get_io_executor to the async_compose 'self' object.
    • Fixed implementation of release() for Windows overlapped handles.
    • Enabled deferred awaiting for experimental::coro, regularised experimental::use_coro, and fixed allocator handling.
    • Cleaned up experimental::promise and made it an asynchronous operation object.
    • Constrained post/defer overloads on ability to require blocking.never.
    • Changed descriptor implementation to fall back to fcntl if ioctl fails with ENOTTY when setting non-blocking mode.
    • Fixed Xcode deprecation warnings related to use of sprintf.
    • Fixed the arguments passed to select_reactor::run when it is run on an internal thread.
    • Fixed compilation errors when BOOST_ASIO_DISABLE_SMALL_BLOCK_RECYCLING is defined.
    • Updated detection of C++20 coroutine support on clang 14 and later.
    • Changed standard library feature detection to always enable std::invoke_result when targeting C++17 or later.
    • Fixed detection of return type deduction with MSVC.
    • Updated the asynchronous operation requirements to relax the requirements on the associated executor.
    • Added io_uring to the implementation notes.
    • Consult the Revision History for further details.
  • Beast:
    • Add buffers_generator
    • Add beast::http::message_generator
    • Added buffer_ref, so beast buffers can be used with asio.
    • Support for per-operation cancellation
    • C++20 awaitable examples.
    • websocket per-message compression options
    • websocket timeout option api
    • multiple content length error
    • Support for default-completion and rebind
  • Container Hash:
    • Major update.
    • The specializations of boost::hash have been removed; it now always calls hash_value.
    • Support for BOOST_HASH_NO_EXTENSIONS has been removed. The extensions are always enabled.
    • All standard containers are now supported. This includes std::forward_list and the unordered associative containers.
    • User-defined containers (types that have begin() and end() member functions that return iterators) are now supported out of the box.
    • Described structs and classes (those annotated with BOOST_DESCRIBE_STRUCT or BOOST_DESCRIBE_CLASS) are now supported out of the box.
    • hash_combine has been improved.
    • The performance (and quality, as a result of the above change) of string hashing has been improved. boost::hash for strings now passes SMHasher in 64 bit mode.
    • The documentation has been substantially revised to reflect the changes.
  • Core:
    • empty_value members are now marked as constexpr.
    • Added fclose_deleter, a deleter that calls std::fclose on a pointer to std::FILE.
    • Bit manipulation utilities in boost/core/bit.hpp now explicitly require unsigned integers on input. (#129)
    • bit_width now returns int instead of a value of the input argument type. This follows resolution of LWG3656.
  • Describe:
    • To allow the inclusion of enumerators.hppbases.hpp, and members.hpp when the option -pedantic is used, the invocation of BOOST_DESCRIBE_ENUM has been moved from modifiers.hpp into a separate header, modifier_description.hpp. As a consequence, modifiers.hpp no longer includes enum.hpp. Code that has been relying on this implicit inclusion may fail, and will need to be fixed to include enum.hpp.
  • DLL:
    • Fixed path_from_handle implementation for Windows platforms, thanks to @SaltfishAmi for the bug report 57.
  • Filesystem:
    • Deprecated: path construction, assignment and appending from containers of characters, such as std::vector<char> or std::list<wchar_t>, is deprecated in v3 and removed in v4. Please use string types or iterators instead.
    • Deprecated: boost/filesystem/path_traits.hpp header is deprecated and will be removed in a future release. The header contained implementation details of path and should not be used in user's code.
    • Previously deprecated APIs will now generate compilation warnings on use. To suppress these warnings, BOOST_FILESYSTEM_ALLOW_DEPRECATED macro can be defined when compiling user's code.
    • Fixed compilation due to a missing include on POSIX systems that do not support *at APIs. (#250)
    • On Windows prior to 10, added a workaround for network share filesystem that produces ERROR_INVALID_PARAMETER when constructing directory iterators. (PR#246#245)
    • On Windows, fixed weakly_canonical failing with an ERROR_INVALID_FUNCTION error code if the path started with the "\\?\" prefix. (#247)
    • Added support for std::string_viewboost::string_view and boost::container::string (as well as respective wchar_t counterparts) in path constructors, assignment and appending operations. (#208)
    • path constructors, assignment and appending operations taking a pair of iterators will no longer accept iterators with value types that are not one of the supported path character types.
    • On Windows, improved compatibility of directory_iterator with various mounted filesystems and Wine releases prior to 7.21. (#255#266)
    • On Windows, deduplicated files are now reported as regular files rather than reparse files. (#262)
  • Fusion:
    • Added fusion::identity_view (PR#240)
    • Added support for associative sequences on fusion::transform_view (PR#239)
    • Fixed compilation for the case when fusion::reverse_view used with an associative sequence (PR#237)
    • Fixed Clang 13 -Wdeprecated-copy warnings (PR#261)
    • A small dependency reorganization. Now boost::ref and boost::noncopyable are used from Boost.Core (PR#249)
    • Added CI testing on Linux and MacOS for clang and gcc, fixed CI testing on Windows (PR#245PR#236)
    • Improved docs and fixed typos (#234PR#235PR#238)
  • Geometry:
    • Solved issues
      • #1048 Index: Fix dangling references when Indexable is returned by value by IndexableGetter
      • #1076 Union: in rare cases it might miss one polygon
      • #1081 Union: due to precision it might miss interior rings
    • Bugfixes
      • #1063 Intersection: fix a bug in intersection of simple spherical polygons
      • #1064 Formulas: fix a consistency issue in geodesic direct formulas
      • #1088 Point: Fix regression for custom point types
      • Various fixes for missing include files, warnings, C++20 compilation errors and documentation
  • Histogram:
    • Major update.
    • Added new accumulators::fraction to compute fractions, their variance, and confidence intervals
    • Added interval computers for fractions: utility::clopper_pearsonutility::wilson_intervalutility::jeffreys_intervalutility::wald_interval which can compute intervals with arbitrary confidence level
    • Added utility::confidence_level and utility::deviation types to pass confidence levels as probabilities or in multiples of standard deviation for all interval computers, respectively
    • Fixed internal sub_array and span in C++20
  • Iterator:
    • function_output_iterator now supports perfect forwarding of the assigned values to the wrapped function object. (PR#73)
    • Fixed compilation of constructing a function_input_iterator from result of post-incrementing another function_input_iterator. (#75)
    • The result of post-incrementing an iterator based on iterator_facade now supports operator->(it++)->foo is equivalent to (*it++).foo, which was supported before.
  • JSON:
    • Added object::stable_erase.
    • Added parse overload for std::istream and operator>> for value.
    • Added rvalue ref-qualified accessors for value.
    • Conversion traits were redesigned.
    • Added conversion support for described classes and enums, std::optionalstd::variant, and null-like types (including std::nullptr_tstd::nullopt_t, and std::monotype).
    • Added non-throwing conversion from value to user types.
  • LexicalCast:
    • Fixed compilation while casting volatile arithmetic types. Thanks to Giovanni Cerretani for the bug report #50.
    • Removed usage of deprecated headers. Thanks to Michael Ford for the PR PR#53.
  • Locale:
    • Major update with some breaking changes.
    • C++11 support is now required, support for C++03 and earlier is dropped
    • Some enums have been converted to enum classes - Avoids name clashes
    • Replace -sICU_LINK_LOCALE & -sICU_LINK by fine-grained configuration options as done in Boost.RegEx
    • Fix detection of libiconv allowing Boost.Locale to be build (again) on some platforms
    • Remove use of and support for std::auto_ptr
    • Make the codecvt using wchar_t on Windows assume/use UTF-16 enconding
    • Performance improvements: Make basic_formatdate_time & hold_ptr movable, Fix use of format cache
    • Make Boost.Locale compatible with more ICU versions (especially the tests)
    • Fix RTTI definitions for some classes (visibility issues)
    • Fix compatibility of the ICU backend with some libc++ versions
    • Fix return value of some operators to correctly return non-const *this
    • Fix int-overflow on negative roll of years in date_time
    • Handle or suppress many warnings which makes the build log cleaner
    • Add support for more Windows codepages
    • Fix support for Windows codepages like ISO-2022-JP
  • Nowide:
    • Fix build failure of tests on MSVC
  • Stacktrace:
    • The library does not use COM initialization any more. Thanks to Alex Guteniev for the bug report, clarifications and PR PR#123!
    • The library now may use BOOST_STACKTRACE_BACKTRACE_INCLUDE_FILE macro value while detecting the libbacktrace availability in b2, thanks to Ben Gemmill for the bug report #115.
    • Added BOOST_STACKTRACE_BACKTRACE_FORCE_STATIC macro to force a single backtrace_state static instance while using the libbacktrace. Thanks to the Rasmus Thomsen for the bug report #118!
    • Avoid unresolved references when including only the boost/stacktrace/stacktrace.hpp header. Thanks to the Long Deng for the bug report #116.
    • Optimized stacktrace printing by not calling strlen on Windows platforms. Thanks to Alex Guteniev for the bug report #122
  • PFR:
    • Improved detection of aggregate initializables in C++14 mode, thanks to Denis Mikhailov for the PR PR#97.
    • Suppress clang-tidy warnings, thanks to Alexander Malkov for the PRs PR#109PR#104.
    • Use fold expressions if they are supported by the compiler. Thanks to Jean-Michaël Celerier for the PR PR#96.
  • STLInterfaces:
    • Fix two ill-formed iterator_interface operators in pre-C++20 iterators with a const value_type.
  • System:
    • The macro BOOST_SYSTEM_DISABLE_THREADS can now be defined to disable the use of <mutex> (e.g. on single-threaded libstdc++).
    • Added value_typeerror_typein_place_valuein_place_error to result<>.
    • Added emplace to result<>.
  • Unordered:
    • Major update.
    • Added fast containers boost::unordered_flat_map and boost::unordered_flat_set based on open addressing.
    • Added CTAD deduction guides for all containers.
    • Added missing constructors as specified in LWG issue 2713.
  • Variant:
    • Avoid recursive inclusion of headers, thanks to Nathan Sidwell for the bug report #101.
    • Removed usage of deprecated headers, thanks to Michael Ford for the PR PR#96.
    • Fixed compilation on clang in C++23 mode, thanks to Ed Catmur for the PR PR#98.
  • Variant2:
    • Added support for boost::json::value_from and boost::json::value_to.

 

PVS-Studio 7.22: Visual Studio Code, Qt Creator, .NET 7

PVS-Studio 7.22 has been released. It includes plugins for Visual Studio Code and Qt Creator, support of .NET 7 projects analysis, enhanced Best Warnings filter and new diagnostic rules.

PVS-Studio 7.22: Visual Studio Code, Qt Creator, .NET 7

by Sergey Vasiliev

From the article:

New plugins provide even more options for cross-platform work. Now you can use them to work with logs: view warnings, filter them, sort them in a grid, etc. You can't run the analysis yet — we plan to add this feature in future releases.

PVS-Studio and RPCS3: the best warnings in one click

Best Warnings — the analyzer's mode that displays 10 most interesting warnings in the output window. We invite you to take a look at the updated Best Warnings mode on the example of the RPCS3 project check.

PVS-Studio and RPCS3: the best warnings in one click

by Alexander Kurenev

From the article:

Best Warnings is a special mechanism for the first acquaintance with the PVS-Studio static analyzer. The full analyzer's log can contain thousands of warnings. Therefore, if you want to evaluate the work of the analyzer and not waste time and effort on viewing a large report that was issued by a not yet configured analyzer, use the Best Warnings mechanism. Open the analyzer's log in the PVS-Studio plugin for Visual Studio and enable Best Warnings.

FOSSA is announcing the GA of a security and license scanning capability for C and C++ projects

FOSSA was founded to provide the most relevant and real-time end-to-end governance for all third-party code. They now announce the general availability of C and C++ Security and License Scanning

Announcing the GA of C and C++ Security and License Scanning
By Gauthami Polasani

From the article:

Unlike other C/C++ scanning tools, FOSSA does not take a one-solution-fits-all approach to dependency identification in such a complex and layered ecosystem. FOSSA uses multi-pronged strategies (as described below) to accurately identify dependencies and surface security and license risks — regardless of how the code is included.).

Examples of errors that PVS-Studio found in LLVM 15.0

Compilers are evolving: they issue more and more warnings. Do developers still need to use static code analyzers like PVS-Studio? Yes, because analyzers are evolving too. In this article you'll see how PVS-Studio can find bugs even in a compiler.

Examples of errors that PVS-Studio found in LLVM 15.0

by Andrey Karpov

From the article:

It's a cool bug, although it's not scary. There is no semicolon after the return statement. As a result, the code does not work as it looks.

void FunctionLoweringInfo::ComputePHILiveOutRegInfo(const PHINode *PN) {
  ....
  Register DestReg = It->second;
  if (DestReg == 0)
    return
  assert(Register::isVirtualRegister(DestReg) &&
         "Expected a virtual reg");
  LiveOutRegInfo.grow(DestReg);
  ....
}