pvs-studio | The Blog Pros

November 28, 2021

Virtual Function Calls in Constructors and Destructors (C++)

In different programming languages, the behavior of virtual functions differs when it comes to constructors and destructors. Incorrect use of virtual functions is a classic mistake. Developers often use virtual functions incorrectly. In this article, we"ll discuss some of these classic mistakes.

Theory

I suppose the reader is familiar with virtual functions in C++. Let's get straight to the point. When we call a virtual function in a constructor, the function is overridden only within a base class or a currently created class. Constructors in the derived classes have not yet been called. Therefore, the virtual functions implemented in them will not be called.

November 14, 2021

All Hail Bug Reports: How We Reduced the Analysis Time of the User’s Project From 80 to 4 Hours

People often see work in support as something negative. Today we'll look at it from a different perspective. This article is about a real communication of 100+ messages, exceptions, the analysis that didn't complete in three days.

Actually, bug reports are great If a bug report is adequately handled from both sides, it means that both the user and the software developer are interested in solving the problem. If both sides achieve the desired result, it's a win-win situation.

November 12, 2021

OWASP Top Ten and Software Composition Analysis (SCA)

One of the priority areas for PVS-Studio development is to cover categories from the OWASP Top Ten 2017 in the C# analyzer. We also plan to cover the Top Ten 2021 in the future. The most unusual for us is the A9:2017 category: Using Components with Known Vulnerabilities. This category has the A6 position in the preliminary version of OWASP 2021. The rule implementation for this category is an important task for our analyzer. It allows us to classify PVS-Studio as an SCA (Software Composition Analysis) tool. Which approach to implementation should we choose? Let's figure it out!

Using Components With Known Vulnerabilities

The A9 threat category (which turned into A6 in the preliminary OWASP 2021 version) is dedicated to using components with known vulnerabilities. These are the components that have the corresponding entries in the CVE database. CVE (Common Vulnerabilities and Exposures) is a database of records about real-life vulnerabilities in software, hardware, service components, etc.

October 1, 2021

Why You Need the MISRA Compliance Report and How to Generate One in PVS-Studio

If you are strongly interested in MISRA and would like to understand whether your project meets one of the MISRA association's standards, there is a solution. Its name is MISRA Compliance. PVS-Studio has recently learned how to generate the MISRA Compliance report. This article describes how you can use this feature, potentially making somebody's life better.

What Is MISRA Compliance?

MISRA Compliance is a standard that allows you to understand whether your project conforms to the MISRA C/C++ standards, its deviations, and re-categorizations. MISRA Compliance can be applied to all MISRA association standards, but in this article, we'll review its use with the MISRA C 2012 standard.

September 8, 2021

Intermodular Analysis of C++ Projects in PVS-Studio

Why would we need intermodular analysis? How does the analyzer benefit from it? Normally, our tool is checking only one source file at a time. The analyzer doesn't know about the contents of other project files. Intermodular analysis allows us to provide the analyzer with information about the entire project structure. This way, the analysis becomes more accurate and qualitative. This approach is similar to Link Time Optimization (LTO). For example, the analyzer can learn about a function behavior from another project file and issue a warning. It may be, for instance, dereference of a null pointer that was passed as an argument to an external function.

Implementation of intermodular analysis is a challenging task. Why? To find out the answer to this question, let's first dig into the structure of C++ projects.

September 8, 2021

Optimization of .NET Applications: A Big Result From Small Edits

One old and simple idea runs like a golden thread through this article: Premature optimizations are evil.

Sometimes it happens that optimization and readability go in slightly different directions. Code may work better, but it is harder to read and maintain. And vice versa — code is easy to read and modify but has some performance problems. Therefore, it is important to understand what we are willing to sacrifice in such cases.

August 29, 2021

Static Analysis Protects Your Code From Time Bombs

Static code analysis allows you to identify and eliminate many defects at an early stage. Moreover, it's possible to detect dormant errors that don't show themselves when they appear. They can cause many problems in the future and it requires many hours of debugging to detect them. Let's look at an example of such a dormant error.

To show the advantage of regular use of the PVS-Studio static analyzer, we regularly check the Blender project. My colleague wrote more about this idea here.

July 1, 2021

The ?. Operator in foreach Will Not Protect From NullReferenceException

Do you like the ?. operator? Well, who doesn't? Many people like these concise null checks. However, today's article shows that the ?. operator may be tricky sometimes. That is, it can create an illusion of safety when used in the foreach loop.

Let's start with a small task. Take a look at the following code:

February 11, 2021

COVID-19 Research and Uninitialized Variable

There is an open project, COVID-19 CovidSim Model, written in C++. There is also a PVS-Studio static code analyzer that detects errors very well. One day they met. Let's embrace the fragility of mathematical modeling algorithms and why you need to make every effort to enhance code quality.

This little story begins with an ordinary search on GitHub. While looking through the search results, I accidentally came across the COVID-19 CovidSim Model project. Without thinking twice, I decided to check it out using the PVS-Studio analyzer.

September 17, 2020

How I Improved My Legacy C++ Project With PVS-Studio

Since a few months, I've been refactoring my old C++/OpenGL project. Thus far, I used compilers (MSVC and Clang), my knowledge or free tools. At some point, I also got a chance to leverage a solid static analysis tool - PVS-Studio. The tool helped me with identifying 8 critical issues not to mention good code style and performance enhancements (in total 137 warnings)

Read on to see my report.

January 10, 2020

Apache Hadoop Code Quality: Production VS Test

In order to get high-quality production code, it's not enough just to ensure maximum coverage with tests. No doubt, great results require the main project code and tests to work efficiently together. Therefore, tests have to be paid as much attention to as source code. A decent test is a key success factor, as it will catch regression in production. Let's take a look at PVS-Studio static analyzer warnings to see the importance of the fact that errors in tests are no worse than the ones in production. Today's focus: Apache Hadoop.

About the Project

Those who were formerly interested in Big Data have probably heard or worked with the Apache Hadoop project. In a nutshell, Hadoop is a framework that can be used as a basis for building and working with Big Data systems.

November 5, 2019

PVS-Studio in the Clouds: CircleCI

This is a new piece of our series of articles about using the PVS-Studio static analyzer with cloud CI systems. Today we are going to look at another service, CircleCI. We'll take the Kodi media player application as a test project and see if we can find any interesting bugs in its source code.

Note. The previous articles on integrating PVS-Studio with cloud CI systems:

October 25, 2019

Commits and Pull Requests in Travis CI, Buddy, and AppVeyor Using PVS-Studio

Learn more about commits and pull requests with PVS-Studio.

Starting from version 7.04, the PVS-Studio analyzer for C and C++ languages on Linux and macOS provides a test feature that can check the list of specified files. Using this new mode, you can configure the analyzer to check commits and pull requests.

This article covers setting up the check of certain modified files from a GitHub project in popular CI systems, such as Travis CI, Buddy, and AppVeyor.

October 24, 2019

Analyzing the Code of ROOT, Scientific Data Analysis Framework

While Stockholm was holding the 118th Nobel Week, I was sitting in our office, where we develop the PVS-Studio static analyzer, working on an analysis review of the ROOT project, a big-data processing framework used in scientific research. This code wouldn't win a prize, of course, but the authors can definitely count on a detailed review of the most interesting defects plus a free license to thoroughly check the project on their own.

Introduction

ROOT is a modular scientific software toolkit. It provides all the functionalities needed to deal with big data processing, statistical analysis, visualisation, and storage. It is mainly written in C++. ROOT was born at CERN, at the heart of the research on high-energy physics. Every day, thousands of physicists use ROOT applications to analyze their data or to perform simulations.

August 9, 2019

How PVS-Studio Found an Error in the Library Used in PVS-Studio

This is a short story about how PVS-Studio helped us find an error in the source code of the library used in PVS-Studio. And it was not a theoretical error but an actual one — the error appeared in practice when using the library in the analyzer.

In PVS-Studio_Cmd (as well as some other utilities), we use a special library for parsing command line arguments: CommandLine.