static code analysis

Why Static Analysis Can Improve a Complex C++ Codebase

Gradually and imperceptibly we get the situation when C++ projects’ complexity becomes extreme. Unfortunately, now a C++ programmer can’t be on his own.

Why Static Analysis Can Improve a Complex C++ Codebase

by Andrey Karpov

From the article:

Analyzers know more than even professional developers. It has become too difficult to take into account and remember all the nuances when writing code. For instance, if you haven’t specifically read about it, you’ll never guess that calls to memset function for clearing private data sometimes disappear, as from a compiler’s point of view, a call to memset function is redundant. Meanwhile, it is a serious security defect CWE-14 that is detected literally everywhere.

Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities

The PVS-Studio analyzer is gradually becoming more complicated but these changes can be hardly described in a Release-history. For example, this year we have consistently implemented symbolic computations in the analyzer. This is why it was agreed to write a note on algorithms and technologies, which PVS-Studio now uses to search for errors and potential vulnerabilities.

Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities

by Andrey Karpov

From the article:

Here a mixture of technologies is working: data flow analysis, symbolic execution, and automatic method annotation (we will cover this technology in the next section). The analyzer sees that X variable is used in the Div function as a divisor. On this basis, a special annotation is built for the Div function. Further it is taken into account that in the function a range of values [0..4] is passed as the X argument. The analyzer comes to a conclusion that a division by 0 has to occur.

PVS-Studio is now available on macOS: 64 weaknesses in the Apple's XNU Kernel

A new version of the PVS-Studio analyzer 6.23 is working under macOS, which allows you to check the projects written in C and C++. Our team decided to perform a XNU Kernel check to coincide it with this event.

PVS-Studio is now available on macOS: 64 weaknesses in the Apple's XNU Kernel

by Andrey Karpov

From the article:

Although the XNU Kernel is relatively small, it's a challenge to study the analyzer warnings alone, which takes much time. False positives make the check more complicated, since I haven't performed the preliminary analyzer configuration. I just quickly looked through the warnings, writing out code fragments that, in my opinion, represent interest. This is more than enough for writing a quite large article. PVS-Studio analyzer easily finds a large number of interesting bugs.

How PVS-Studio does the bug search: methods and technologies

PVS-Studio is a static code analyzer, that searches for errors and vulnerabilities in programs written in C, C++ and C#. In this article, I am going to uncover the technologies that we use in PVS-Studio analyzer. In addition to the general theoretical information, I will show practical examples of how certain technology allows the detection of bugs.

How PVS-Studio does the bug search: methods and technologies

by Andrey Karpov

From the article:

The definition of the pattern looks quite simple, but in practice the implementation of the diagnostic is quite complicated. It's not enough just to analyze only "#define RShift(a) a >> 3". If warnings are issued for all strings of this kind, there will be too many of them. We should have a look at the way the macro expands in every particular case, and try to define the situations where it was done intentionally, and when the brackets are really missing.

 

PVS-Studio C/C++ static code analyzer for Linux

We released the first version of PVS-Studio analyzer for Linux. Now Linux developers are getting a new powerful tool to fight bugs in the code.

PVS-Studio for Linux

From the news:

Starting with the 6.10 version, PVS-Studio analyzer supports not only Windows, but the Linux too.

PVS-Studio performs static code analysis and generates a report that helps a programmer find and fix bugs. PVS-Studio performs a wide range of code checks, it is also useful to search for misprints and Copy-Paste errors. Demonstrative examples of such errors: V501, V517, V522, V523, V571, V611.

The new Linux version (.deb, .rpm, .tgz) is available for download on the page: http://www.viva64.com/en/pvs-studio-download-linux/

Bugs found in GCC with the help of PVS-Studio

I regularly check various open-source projects to demonstrate the abilities of the PVS-Studio static code analyzer (C, C++, C#). Now it is time for the GCC compiler to get checked.

Bugs found in GCC with the help of PVS-Studio

by Andrey Karpov

From the article:

This part could also be called "Example number one thousand, why macros are bad". I really don't like macros and always urge people to avoid using them if possible. Macros make it difficult to read the code, provoke errors, and make the work of static analyzers harder. As best I can tell, from a brief interaction with the GCC code, the authors are big fans of macros. I was really tired looking at what the macros are expanded to, and perhaps missed quite a number of interesting errors. I should confess that I was lazy at times. But still, I will demonstrate a couple of errors, connected with macros.