pvs-studio : Standard C++

Home » Blog » Tags » pvs-studio

« Prev Next »

pvs-studio

PVS-Studio 7.10 Release: OWASP, AUTOSAR, SARIF

By Andrey Karpov | Nov 11, 2020 10:59 AM | Tags: sarif pvs-studio owasp devsecops autosar

We develop PVS-Studio not only as a classic code analyzer, but also in the direction of Security and Safety. In this regard, we've started working on the support of the OWASP and AUTOSAR C++14 standards. To facilitate PVS-Studio integration into other code quality control tools, we supported analyzer results conversion to the SARIF format.

PVS-Studio 7.10 Release: OWASP, AUTOSAR, SARIF

by Andrey Karpov

From the article:

Utilities for converting PVS-Studio analysis results (PlogConverter.exe for Windows and plog-converter for Linux\macOS) now support conversion to SARIF (Static Analysis Results Interchange Format). SARIF is a universal open format for presenting the results of tools that search for errors, safety and security defects. This format is supported by many static analyzers and allows you to combine various code quality control tools in a single ecosystem.

Checking Clang 11 with PVS-Studio

By Andrey Karpov | Oct 27, 2020 05:23 AM | Tags: static code analysis sast pvs-studio open source llvm clang 11 clang bugs

It's no secret that compilers employ their own built-in static code analyzers, and those are developing as well. That's why we write articles every now and then to show that our static analyzer, PVS-Studio, can find bugs even inside compilers and that we are worth our salt.

Checking Clang 11 with PVS-Studio

by Andrey Karpov

From the article:

The programmer is using a modulo operation to get a random value of either 0 or 1. But the value 1 seems to confuse developers and make them write the classic anti-pattern in which the modulo operation is performed on 1 instead of 2. The X % 1 operation is meaningless as it always evaluates to 0.

Checking a Header-Only C++ Library Collection (awesome-hpp)

By Andrey Karpov | Oct 22, 2020 02:20 AM | Tags: sast pvs-studio open source devtool awesomehpp awesome-hpp

Somehow, we've happened to check most of the libraries making up a collection called "Awesome hpp". These are small header-only projects in C++. Hopefully, the information about the bugs we've found will help make the libraries better.

Checking a Header-Only C++ Library Collection (awesome-hpp)

by Andrey Karpov

From the article:

A note for library developers. You can use PVS-Studio to check open-source projects for free. To get a free license to use with your open-source project, please fill in this form.

Part 2: Upsetting Opinions about Static Analyzers

By Andrey Karpov | Oct 16, 2020 01:27 AM | Tags: volatile static code analysis pvs-studio false positives

By writing the article "Upsetting Opinions about Static Analyzers" we were supposed to get it off our chest and peacefully let it all go. However, the article unexpectedly triggered robust feedback. Unfortunately, the discussion went in the wrong direction, and now we will make a second attempt to explain our view of this situation.

Part 2: Upsetting Opinions about Static Analyzers

by Andrey karpov

From the article:

And started coming up with cases when it might be justified, which means that the PVS-Studio analyzer warning was a false-positive. Some speculations about the change in memory between two checks came into play which occurs due to:

running parallel threads;

signal/interrupt handlers;

the variable X is a reference to the element A[0];

hardware, such as performing DMA operations;

and so on.

After heated debate on the analyzer's inability to comprehend all cases, they left to cut down forest with axes. In other words, they found an excuse why they could still avoid using a static code analyzer in their work.

Upsetting Opinions about Static Analyzers

By Andrey Karpov | Oct 12, 2020 06:39 AM | Tags: static code analysis static analyzer pvs-studio data-flow analysis code analysis

Static analysis tools have advanced far over the time they've been around. They no longer resemble the "linters" that were in active use 20 years ago. But some programmers still view them as extremely primitive tools. And that's very sad.

Upsetting Opinions about Static Analyzers

by Andrey Karpov

From the article:

Of course, any modern static analyzer tracks the changes of variables' values. If a variable doesn't change, a warning is issued. If it does, no warning is issued. To ensure that, analyzers rely on data stream analysis. And that's exactly how PVS-Studio works. Let's take a look at the following synthetic example.

PVS-Studio 7.09

By Andrey Karpov | Aug 28, 2020 04:44 AM | Tags: static code analysis sast pvs-studio devsecops c++

Therefore, most likely, now each release will be followed by a special note so that users don't miss changes that may be useful to them. What's interesting is that from now on we won't just list everything that was added or improved. Rather, now on the contrary, the purpose is to highlight the most important features in the news to avoid having just a boring list of changes.

PVS-Studio 7.09

by Andrey Karpov

From the article:

New general analysis diagnostics:

    V1059. Macro name overrides a keyword/reserved name. This may lead to undefined behavior.

    V1060. Passing 'BSTR ' to the 'SysAllocString' function may lead to incorrect object creation.

    V1061. Extending 'std' or 'posix' namespace may result in undefined behavior.

    V1062. Class defines a custom new or delete operator. The opposite operator must also be defined.

    V1063. The modulo by 1 operation is meaningless. The result will always be zero.

PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents

By Andrey Karpov | Jul 27, 2020 07:24 AM | Tags: static code analysis sast pvs-studio devops azure devops

Static code analysis is most effective when changing a project, as errors are always more difficult to fix in the future than at an early stage. We continue expanding the options for using PVS-Studio in continuous development systems. This time, we'll show you how to configure pull request analysis using self-hosted agents in Microsoft Azure DevOps, using the example of the Minetest game.

PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents

by Alexey Govorov

From the article:

The result is a build system based on MSBuild for C++, with Chocolatey for installing PVS-Studio, CMake, and Git. Vcpkg is built for convenient management of the libraries that the project depends on. Also, we have to download the latest version of the Azure Pipelines Agent. To initialize the agent from the ENTRYPOINT Docker file, the PowerShell script 'entrypoint.ps1' is called, to which you need to add the URL of the project's "organization", the token of the agent pool, and the PVS-Studio license parameters....

PVS-Studio is now in Compiler Explorer!

By Andrey Karpov | Jul 6, 2020 04:39 AM | Tags: static code analysis pvs-studio godbolt compiler explorer

Now you can quickly and easily analyze the code for errors right on the godbolt.org site (Compiler Explorer). This feature opens up a large number of new possibilities – from quenching curiosity about the analyzer's abilities to being able to quickly share check results with a friend. Caution – GIFs!

PVS-Studio is now in Compiler Explorer

by George Gribkov

From the article:

If you want to see the output of your program, you can open the execution window by clicking "Add new... - > Execution only" in the code editor (not in the compiler window). In the gif below, you can see the output of the lab work taken from our page about free usage of PVS-Studio by students and teachers.

ModernCppStarter & PVS-Studio Static Code Analyzer

By Andrey Karpov | Jun 29, 2020 10:09 AM | Tags: pvs-studio moderncppstarter modern c++ devsecops code quality

One of the ways to improve software quality is to check source code with static analysis tools. This section explains how to use the PVS-Studio analyzer to check projects built on ModernCppStarter. We provide a free license for open-source projects.

ModernCppStarter & PVS-Studio Static Code Analyzer

by PVS-Studio Team

From the article:

plog-converter will convert the report into the errorfile format (similar to GCC's messages), which can be conveniently viewed in a terminal window and the IDE. You can also have the report converted to an HTML file by using the -t fullhtml flag. Use the flags -a and -d to filter diagnostics. Run the plog-converter --help command to view the full list of available options.

A Note of Caution about Using PVS-Studio on godbolt.org (Compiler Explorer)

By Andrey Karpov | Jun 8, 2020 11:12 AM | Tags: static code analysis pvs-studio godbolt compiler explorer bugs

We have added an option allowing you to experiment with the PVS-Studio static analyzer on the godbolt.org (Compiler Explorer) website. It supports analysis of C and C++ code.

A Note of Caution about Using PVS-Studio on godbolt.org (Compiler Explorer)

by Andrey Karpov

From the article:

This may be promising from the perspective of satisfying one's curiosity, writing articles, and so on. But there's a downside to it too: rather than using synthetic examples to explore or try out the tool, people may start relying on them to evaluate and compare it against other analyzers. And this is a very bad approach because the results will be unreliable and dependent on how the test examples are written.