PVS-Studio 7.12 New Features for Finding Safety and Security Threats

by Nikolay Mironov, Paul Eremeev

Well, to waste no time, let's point out the additions right away. So, here is what's new, safe, and cool in PVS-Studio:

• New diagnostic groups OWASP ASVS and The AUTOSAR C++14 Coding Guidelines have been added to the analyzer. Previously, the compliance of PVS-Studio diagnostic rules with these standards was available only on our website. Now we have more than 50 new diagnostic rules!
• Now the analyzer shows information about the compliance of the warnings with the SEI CERT Coding Standard. This information formerly was available only on the PVS-Studio website.
• The interface of our plugins for Visual Studio, JetBrains Rider, and IntelliJ IDEA has been improved to ease the work with analyzer messages that have safety and security standards identifiers.
• New diagnostic groups (OWASP, AUTOSAR) in PlogConverter are supported.
• New diagnostics (OWASP, AUTOSAR) are supported in SonarQube at the tag level. We classified our diagnostic rules by OWASP Top 10.

Why PVS-Studio Uses Data Flow Analysis: Based on Gripping Error in Open Asset Import Library

by Andrey Karpov

It all started with checking the latest version of the Qt 6 library. There was a separate usual article on this, where I'd described 77 errors found. It turned out that at first, I decided to flip through the report, not excluding the third-party libraries' warnings. In other words, I didn't exclude the warnings related to \src\3rdparty in the settings. It so happened that I immediately ran up against a gripping error example in the Open Asset Import Library. So, I decided to write this extra little note about it.

PVS-Studio Roadmap 2021

by Andrey Karpov

We will continue to support the MISRA C and MISRA C++ coding standards. However, it's time to also support a more modern set of rules described in The AUTSAR C++14 Coding Guidelines. This document is the MISRA C++:2008 standard update, and is also based on leading code standards and research papers prepared by AUTOSAR.

PVS-Studio 7.11 Release: IAR Arm, Diagnostics, FREE-FREE-FREE-FREE

by Andrey Karpov

Support of the IAR Arm compilers is now available in the pvs-studio-analyzer utility. This family of compilers was previously supported only in the CLMonitor.exe utility on Windows. Now users of PVS-Studio for Linux can check the code written for these compilers as well. We added interception of compiler calls via ld-linux to the pvs-studio-analyzer utility.

The Code Analyzer is wrong. Long live the Analyzer!

by Andrey Karpov

As you can see, once upon a time std::make_pair was taking arguments by value. If std::unique_ptr had existed at that time, then the code above would have been indeed incorrect. Whether this code would work or not would be a matter of luck. In practice, of course, this situation would never have occurred, since std::unique_ptr appeared in C++11 as a replacement for std::auto_ptr. Let's go back to our time. Starting with C++11, the constructor started to use move semantics.

Why PVS-Studio Doesn't Offer Automatic Fixes

by Andrey Karpov

But it only simplifies the code, not fixes it! Somebody else noticed this and opened a discussion: os_thread_windows.c - get_rel_wait() will block if abstime is in the past. As you can see, even humans make mistakes when trying to come up with a fix. Machines are just hopeless in that respect.

PVS-Studio 7.10 Release: OWASP, AUTOSAR, SARIF

by Andrey Karpov

Utilities for converting PVS-Studio analysis results (PlogConverter.exe for Windows and plog-converter for Linux\macOS) now support conversion to SARIF (Static Analysis Results Interchange Format). SARIF is a universal open format for presenting the results of tools that search for errors, safety and security defects. This format is supported by many static analyzers and allows you to combine various code quality control tools in a single ecosystem.

Checking Clang 11 with PVS-Studio

by Andrey Karpov

The programmer is using a modulo operation to get a random value of either 0 or 1. But the value 1 seems to confuse developers and make them write the classic anti-pattern in which the modulo operation is performed on 1 instead of 2. The X % 1 operation is meaningless as it always evaluates to 0.

Checking a Header-Only C++ Library Collection (awesome-hpp)

by Andrey Karpov

A note for library developers. You can use PVS-Studio to check open-source projects for free. To get a free license to use with your open-source project, please fill in this form.

Part 2: Upsetting Opinions about Static Analyzers

by Andrey karpov

And started coming up with cases when it might be justified, which means that the PVS-Studio analyzer warning was a false-positive. Some speculations about the change in memory between two checks came into play which occurs due to:

• running parallel threads;
• signal/interrupt handlers;
• the variable X is a reference to the element A[0];
• hardware, such as performing DMA operations;
• and so on.

After heated debate on the analyzer's inability to comprehend all cases, they left to cut down forest with axes. In other words, they found an excuse why they could still avoid using a static code analyzer in their work.