bugs

PVS-Studio: searching software weaknesses

As we check Apache HTTP Server, we see bugs crawling everywhere across the code. But wait! These are not just bugs, but security weaknesses!

PVS-Studio: searching software weaknesses

by Andrey Karpov, Phillip Khandeliants

From the article:

PVS-Studio has always been able to detect a large number of various security defects (potential vulnerabilities) in the program code. However, historically, we positioned PVS-Studio as a tool to search for errors. We see a trend in the software development to look for vulnerabilities in the code, although it is just the same. It seems to us that it is high time to do the rebranding of our static analyzer PVS-Studio. We will start with Common Weakness Enumeration (CWE). This article provides a table that shows matches of PVS-Studio diagnostic warnings of with the classifier. The table will be gradually updated and changed, but we can already use the table to write articles about security defects detected in projects. We suppose it would attract more attention of the software security specialists.

Finding bugs in the code of LLVM project with the help of PVS-Studio

Let's take a look at the suspicious fragments in the LLVM code which PVS-Studio detected.

Finding bugs in the code of LLVM project with the help of PVS-Studio

by Andrey Karpov

From the article:

LLVM developers, of course, will be able to understand if there is a bug here or not. I have to play detective. Looking at the code, I was thinking in the following direction: The function should read the opening bracket '<', then it reads the identifiers and commas in the loop. If there is no comma, we expected a closing bracket. If something goes wrong, then the function returns an error code. I reckon there was supposed to be the following algorithm of the function work (pseudocode).

PVS-Studio C/C++ static code analyzer for Linux

We released the first version of PVS-Studio analyzer for Linux. Now Linux developers are getting a new powerful tool to fight bugs in the code.

PVS-Studio for Linux

From the news:

Starting with the 6.10 version, PVS-Studio analyzer supports not only Windows, but the Linux too.

PVS-Studio performs static code analysis and generates a report that helps a programmer find and fix bugs. PVS-Studio performs a wide range of code checks, it is also useful to search for misprints and Copy-Paste errors. Demonstrative examples of such errors: V501, V517, V522, V523, V571, V611.

The new Linux version (.deb, .rpm, .tgz) is available for download on the page: http://www.viva64.com/en/pvs-studio-download-linux/

Bugs found in GCC with the help of PVS-Studio

I regularly check various open-source projects to demonstrate the abilities of the PVS-Studio static code analyzer (C, C++, C#). Now it is time for the GCC compiler to get checked.

Bugs found in GCC with the help of PVS-Studio

by Andrey Karpov

From the article:

This part could also be called "Example number one thousand, why macros are bad". I really don't like macros and always urge people to avoid using them if possible. Macros make it difficult to read the code, provoke errors, and make the work of static analyzers harder. As best I can tell, from a brief interaction with the GCC code, the authors are big fans of macros. I was really tired looking at what the macros are expanded to, and perhaps missed quite a number of interesting errors. I should confess that I was lazy at times. But still, I will demonstrate a couple of errors, connected with macros.

The Ultimate Question of Programming, Refactoring, and Everything

Yes, you've guessed correctly - the answer is "42". In this article you will find 42 recommendations about coding in C++ that can help a programmer avoid a lot of errors, save time and effort.

The Ultimate Question of Programming, Refactoring, and Everything

by Andrey Karpov

From the article:

The scope of my interests − the C/C++ language and the promotion of code analysis methodology. I have been Microsoft MVP in Visual C++ for 5 years. The main aim of my articles and work in general - is to make the code of programs safer and more secure. I'll be really glad if these recommendations help you write better code, and avoid typical errors. Those who write code standards for companies may also find some helpful information here.

New updates of CppHints.com, service of recommendations on C++ programming from PVS-Studio team

New updates of C++Hints, service of recommendations on C++ programming

Changes in CppHints.com

by PVS-Studio Team

We got a lot of positive feedback from our readers and continue developing the C++Hints project. We have also answered two requests, that we saw quite often in the letters:

By this moment we have published the following articles:

The compiler is to blame for everything—Andrey Karpov

Many programmers are very fond of blaming the compiler for different errors. Let's talk about it.

The compiler is to blame for everything

by Andrey Karpov

From the article:

When a programmer tells you that the compiler causes an error, it is a lie in 99% of cases. When you start investigating the problem, you usually find out the following reasons:

  • an array overrun;
  • an uninitialized variable;
  • a misprint;
  • a synchronization error in a parallel program;
  • a non-volatile variable used;
  • code leading to undefined behavior;
  • etc.