{abp_pagination_html}

pvs-studio

PVS-Studio: searching software weaknesses

As we check Apache HTTP Server, we see bugs crawling everywhere across the code. But wait! These are not just bugs, but security weaknesses!

PVS-Studio: searching software weaknesses

by Andrey Karpov, Phillip Khandeliants

From the article:

PVS-Studio has always been able to detect a large number of various security defects (potential vulnerabilities) in the program code. However, historically, we positioned PVS-Studio as a tool to search for errors. We see a trend in the software development to look for vulnerabilities in the code, although it is just the same. It seems to us that it is high time to do the rebranding of our static analyzer PVS-Studio. We will start with Common Weakness Enumeration (CWE). This article provides a table that shows matches of PVS-Studio diagnostic warnings of with the classifier. The table will be gradually updated and changed, but we can already use the table to write articles about security defects detected in projects. We suppose it would attract more attention of the software security specialists.

How PVS-Studio does the bug search: methods and technologies

PVS-Studio is a static code analyzer, that searches for errors and vulnerabilities in programs written in C, C++ and C#. In this article, I am going to uncover the technologies that we use in PVS-Studio analyzer. In addition to the general theoretical information, I will show practical examples of how certain technology allows the detection of bugs.

How PVS-Studio does the bug search: methods and technologies

by Andrey Karpov

From the article:

The definition of the pattern looks quite simple, but in practice the implementation of the diagnostic is quite complicated. It's not enough just to analyze only "#define RShift(a) a >> 3". If warnings are issued for all strings of this kind, there will be too many of them. We should have a look at the way the macro expands in every particular case, and try to define the situations where it was done intentionally, and when the brackets are really missing.

 

How to use PVS-Studio for free

We want to help the software world improve the quality of their code, and get to know static analysis tools better. We are giving the opportunity to use PVS-Studio static code analyzer for free, for educational purposes, so that individual developers and enthusiastic teams could also fully use it.

How to use PVS-Studio for free

by Andrey Karpov

From the article:

Some developers may say that they don't want to see two additional lines of code at the beginning of the file with the comments not related to the project itself. It is their right, and they may simply not use the tool. Or they can purchase a commercial license, and use it without any restrictions. We see these comments as a gratuity for the provided license, and also as an additional way to promote our product. I think it's a good, fair exchange.

Finding bugs in the code of LLVM project with the help of PVS-Studio

Let's take a look at the suspicious fragments in the LLVM code which PVS-Studio detected.

Finding bugs in the code of LLVM project with the help of PVS-Studio

by Andrey Karpov

From the article:

LLVM developers, of course, will be able to understand if there is a bug here or not. I have to play detective. Looking at the code, I was thinking in the following direction: The function should read the opening bracket '<', then it reads the identifiers and commas in the loop. If there is no comma, we expected a closing bracket. If something goes wrong, then the function returns an error code. I reckon there was supposed to be the following algorithm of the function work (pseudocode).

PVS-Studio C/C++ static code analyzer for Linux

We released the first version of PVS-Studio analyzer for Linux. Now Linux developers are getting a new powerful tool to fight bugs in the code.

PVS-Studio for Linux

From the news:

Starting with the 6.10 version, PVS-Studio analyzer supports not only Windows, but the Linux too.

PVS-Studio performs static code analysis and generates a report that helps a programmer find and fix bugs. PVS-Studio performs a wide range of code checks, it is also useful to search for misprints and Copy-Paste errors. Demonstrative examples of such errors: V501, V517, V522, V523, V571, V611.

The new Linux version (.deb, .rpm, .tgz) is available for download on the page: http://www.viva64.com/en/pvs-studio-download-linux/

Bugs found in GCC with the help of PVS-Studio

I regularly check various open-source projects to demonstrate the abilities of the PVS-Studio static code analyzer (C, C++, C#). Now it is time for the GCC compiler to get checked.

Bugs found in GCC with the help of PVS-Studio

by Andrey Karpov

From the article:

This part could also be called "Example number one thousand, why macros are bad". I really don't like macros and always urge people to avoid using them if possible. Macros make it difficult to read the code, provoke errors, and make the work of static analyzers harder. As best I can tell, from a brief interaction with the GCC code, the authors are big fans of macros. I was really tired looking at what the macros are expanded to, and perhaps missed quite a number of interesting errors. I should confess that I was lazy at times. But still, I will demonstrate a couple of errors, connected with macros.