Media Portal 2 is open software of a media center class, allowing the user to listen to music, watch videos, viewing pictures, and much more. For us, the developers of PVS-Studio static analyzer, this is another chance to check an interesting project, tell people (and developers) about the errors we find, and demonstrate the abilities of our analyzer of course.
Analyzing the Blender project with PVS-StudioPVS-Studio
We go on analyzing open source projects and making the software world better. This time we have checked the Blender 2.62 package intended for creating 3D computer graphics.
One of the programs, which allows you to solve the problem of data compression, is a popular file archiver 7-Zip, which I often use myself. Our readers have long asked us to check the code of this application. Well, it's time to look at its source code, and see what PVS-Studio is able to detect in this application.
Tesseract. Recognizing Errors in Recognition SoftwareAndrey Karpov
Tesseract is a free software program for text recognition developed by Google. According to the project description, "Tesseract is probably the most accurate open source OCR engine available". And what if we try to catch some bugs there with the help of the CppCat analyzer?
Errors detected in the Visual C++ 2012 librariesPVS-Studio
Static code analysis is one of the error detection methodologies. We are glad that this methodology is becoming more and more popular nowadays. Visual Studio which includes static analysis as one of its many features contributes to this process to a large extent. This feature is easy to try and start using regularly. When one understands one likes static code analysis, we are glad to offer a professional analyzer PVS-Studio for the languages C/C++/C++11.
To measure the efficiency of our analyzer, and also to promote the methodology of static analysis, we regularly analyze open source projects for bugs and write articles about the results. 2016 was no exception. This year is especially important as it is the year of the "growth" of the C# analyzer. PVS-Studio has obtained a large number of new C# diagnostics, an improved virtual values mechanism (symbolic execution) and much more. Based on the results of our teamwork, I compiled a kind of chart of the most interesting bugs, found in various C# projects in 2016.
I just cannot pass by the source code of ICQ messenger. It is a kind of a cult project, and when I saw the source code on GitHub, it was just a matter of time, when we will check it with PVS-Studio. Of course, we have a lot of other interesting projects that are waiting to be checked. For example, we have recently checked GCC, GDB, Mono. Finally, it's the turn of ICQ.
In this article, we will speak about the static analysis of the doxygen documentation generator tool. This popular and widely used project, which, as its authors claim, not without reason, has become "the de facto standard tool for generating documentation from annotated C++ sources", has never been scanned by PVS-Studio before. Doxygen scans the program source code and generates the documentation relying on it. Now it's time for us to peep into its source files and see if PVS-Studio can find any interesting bugs there.
Checking the Code of LDAP-Server ReOpenLDAP on Our Readers' RequestPVS-Studio
In this article, I'd like to talk about the analysis of ReOpenLDAP project. It was developed to help solve issues that PAO (PJSC) MegaFon, Russia's largest mobile network operator, was faced with when employing OpenLDAP in their infrastructure. ReOpenLDAP is now successfully used in MegaFon affiliates all over Russia, so we thought it would be interesting to check such a high-load project as this one with our static analyzer PVS-Studio.
Analyzing the Blender project with PVS-StudioPVS-Studio
We go on analyzing open source projects and making the software world better. This time we have checked the Blender 2.62 package intended for creating 3D computer graphics.
One of the programs, which allows you to solve the problem of data compression, is a popular file archiver 7-Zip, which I often use myself. Our readers have long asked us to check the code of this application. Well, it's time to look at its source code, and see what PVS-Studio is able to detect in this application.
Tesseract. Recognizing Errors in Recognition SoftwareAndrey Karpov
Tesseract is a free software program for text recognition developed by Google. According to the project description, "Tesseract is probably the most accurate open source OCR engine available". And what if we try to catch some bugs there with the help of the CppCat analyzer?
Errors detected in the Visual C++ 2012 librariesPVS-Studio
Static code analysis is one of the error detection methodologies. We are glad that this methodology is becoming more and more popular nowadays. Visual Studio which includes static analysis as one of its many features contributes to this process to a large extent. This feature is easy to try and start using regularly. When one understands one likes static code analysis, we are glad to offer a professional analyzer PVS-Studio for the languages C/C++/C++11.
To measure the efficiency of our analyzer, and also to promote the methodology of static analysis, we regularly analyze open source projects for bugs and write articles about the results. 2016 was no exception. This year is especially important as it is the year of the "growth" of the C# analyzer. PVS-Studio has obtained a large number of new C# diagnostics, an improved virtual values mechanism (symbolic execution) and much more. Based on the results of our teamwork, I compiled a kind of chart of the most interesting bugs, found in various C# projects in 2016.
I just cannot pass by the source code of ICQ messenger. It is a kind of a cult project, and when I saw the source code on GitHub, it was just a matter of time, when we will check it with PVS-Studio. Of course, we have a lot of other interesting projects that are waiting to be checked. For example, we have recently checked GCC, GDB, Mono. Finally, it's the turn of ICQ.
In this article, we will speak about the static analysis of the doxygen documentation generator tool. This popular and widely used project, which, as its authors claim, not without reason, has become "the de facto standard tool for generating documentation from annotated C++ sources", has never been scanned by PVS-Studio before. Doxygen scans the program source code and generates the documentation relying on it. Now it's time for us to peep into its source files and see if PVS-Studio can find any interesting bugs there.
Checking the Code of LDAP-Server ReOpenLDAP on Our Readers' RequestPVS-Studio
In this article, I'd like to talk about the analysis of ReOpenLDAP project. It was developed to help solve issues that PAO (PJSC) MegaFon, Russia's largest mobile network operator, was faced with when employing OpenLDAP in their infrastructure. ReOpenLDAP is now successfully used in MegaFon affiliates all over Russia, so we thought it would be interesting to check such a high-load project as this one with our static analyzer PVS-Studio.
Rechecking TortoiseSVN with the PVS-Studio Code AnalyzerAndrey Karpov
The author downloaded and analyzed the source code of the TortoiseSVN project using the PVS-Studio static code analyzer. The analysis found several bugs, including identical comparisons, unsafe uses of formatting functions like printf(), and obsolete null checks after memory allocation. While many of the issues would not cause failures, some could lead to undefined behavior, especially in 64-bit systems where pointer sizes are larger than integer types. The author concludes by recommending regular use of static analysis to find bugs early.
We Continue Exploring Tizen: C# Components Proved to be of High QualityPVS-Studio
This time I go back again to the check of the Tizen project. In my recent post "Experiment of Bug Detection in the Code of C #Components of Tizen" in our blog, I analyzed the code of C# superficially and came to a conclusion that it makes sense to check the whole code of C# components of this project for errors using PVS-Studio and write the article about it. Right away, I would like to share with you the results of the work that I have done. I shall tell at once that PVS-Studio analyzer showed itself not on the bright side on C# code. Anyway, first things first: let's see what the analyzer found, and then we will deal with statistics and make conclusions.
Comparing the general static analysis in Visual Studio 2010 and PVS-Studio by...PVS-Studio
The article demonstrates errors detected with the static code analyzer integrated into Visual Studio 2010. The research was performed on five open source projects. The same projects were also checked with PVS-Studio. Results of comparing these two tools are presented at the end of the article.
Comparing the general static analysis in Visual Studio 2010 and PVS-Studio by...Andrey Karpov
The article demonstrates errors detected with the static code analyzer integrated into Visual Studio 2010. The research was performed on five open source projects. The same projects were also checked with PVS-Studio. Results of comparing these two tools are presented at the end of the article.
Linux version of PVS-Studio couldn't help checking CodeLitePVS-Studio
As is already known to our readers, PVS-Studio static analyzer is exploring a new development direction - the Linux platform; as you may have noticed from the previous articles, it is doing well. This article shows how easily you can check a project with the help of the Linux version of the analyzer, because the simpler PVS-Studio for Linux is, the more supporters it will have. This time our choice was the CodeLite project. CodeLite was compiled and tested in Linux. Let's see what results we got.
We have checked the Windows 8 Driver Samples pack with our analyzer PVS-Studio and found various bugs in its samples. There is nothing horrible about it - bugs can be found everywhere, so the title of this article may sound a bit high-flown. But these particular errors may be really dangerous, as it is a usual practice for developers to use demo samples as a basis for their own projects or borrow code fragments from them.
Some of you may know that we have recently released version 6.00 of our analyzer, that now has C# support. The ability to scan C# projects increases the number of open-source projects we can analyze. This article is about one such check. This time it is a project, developed by Sony Computer Entertainment (SCEI).
Every now and then, we have to write articles about how we've checked another fresh version of some compiler. That's not really much fun. However, as practice shows, if we stop doing that for a while, folks start doubting whether PVS-Studio is worth its title of a good catcher of bugs and vulnerabilities. What if the new compiler can do that too? Sure, compilers evolve, but so does PVS-Studio – and it proves, again and again, its ability to catch bugs even in high-quality projects such as compilers.
Re-checking the ReactOS project - a large reportPVS-Studio
The ReactOS project is rapidly developing. One of the developers participating in this project suggested that we re-analyzed the source code, as the code base is growing fast. We were glad to do that. We like this project, and we'll be happy if this article helps the developers to eliminate some bugs. Analysis was performed with the PVS-Studio 5.02 code analyzer.
Dusting the globe: analysis of NASA World Wind projectPVS-Studio
Sometimes it is useful to look back to see how helpful the analyzer was to old projects, and which errors can be avoided in good time, if the analyzer is regularly used. This time our choice was NASA World Wind project, which was being developed on C# until 2007.
Practical tips for dealing with projects involving legacy code. Covers investigating past projects, static analysis of existing code, and methods for changing legacy code.
Presented at PHP Benelux '10
Comparing the general static analysis in Visual Studio 2010 and PVS-Studio by...PVS-Studio
The article demonstrates errors detected with the static code analyzer integrated into Visual Studio 2010. The research was performed on five open source projects. The same projects were also checked with PVS-Studio. Results of comparing these two tools are presented at the end of the article.
Virtual machines are important tools in the arsenal of a software developer. Being an active user of VirtualBox, and checking various open source projects with the help of it, I was personally interested in checking its source code. We did the first check of this project in 2014, and the description of 50 errors barely fit into two articles. With the release of Windows 10 and VirtualBox 5.0.XX the stability of the program got significantly worse, in my humble opinion. So, I decided to check the project again.
The PVS-Studio team is now actively developing a static analyzer for C# code. The first version is expected by the end of 2015. And for now my task is to write a few articles to attract C# programmers' attention to our tool in advance. I've got an updated installer today, so we can now install PVS-Studio with C#-support enabled and even analyze some source code. Without further hesitation, I decided to scan whichever program I had at hand. This happened to be the Umbraco project. Of course we can't expect too much of the current version of the analyzer, but its functionality has been enough to allow me to write this small article.
Checking the Source Code of FlashDevelop with PVS-StudioPVS-Studio
To assess the quality of our static analyzer's diagnostics and to advertise it, we regularly analyze various open-source projects. The developers of FlashDevelop project contacted us on their own initiative and asked us to check their product, which we have gladly done.
Checking the World of Warcraft CMaNGOS open source serverPVS-Studio
In this article, I would like to share the results of our analysis of the open source implementation of the World of Warcraft server, CMaNGOS, as done by the PVS-Studio static analyzer.
We have checked the Windows 8 Driver Samples pack with our analyzer PVS-Studio and found various bugs in its samples. There is nothing horrible about it - bugs can be found everywhere, so the title of this article may sound a bit high-flown. But these particular errors may be really dangerous, as it is a usual practice for developers to use demo samples as a basis for their own projects or borrow code fragments from them.
The document summarizes the results of analyzing the OpenCV computer vision library with the PVS-Studio code analyzer. Several real bugs were found in older versions of OpenCV and have since been fixed. New analysis of the current OpenCV version uncovered additional bugs, including copy-paste errors, meaningless loops, misprints in conditions, pointer errors, and poor test cases. The analysis demonstrates that static analysis is useful for finding real bugs in large, complex libraries like OpenCV during development.
The PVS-Studio developers' team has carried out comparison of the own static code analyzer PVS-Studio with the open-source Cppcheck static code analyzer. As a material for comparison, the source codes of the three open-source projects by id Software were chosen: Doom 3, Quake 3: Arena, Wolfenstein: Enemy Territory. The article describes the comparison methodology and lists of detected errors. The conclusions section at the end of the article contains "non-conclusions" actually, as we consciously avoid drawing any conclusions: you can reproduce our comparison and draw your own ones.
PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language. As of January 2013, PHP was installed on more than 240 million websites (39% of those sampled) and 2.1 million web servers. Originally created by Rasmus Lerdorf in 1994, the reference implementation of PHP (powered by the Zend Engine) is now produced by The PHP Group. While PHP originally stood for Personal Home Page, it now stands for PHP: Hypertext Preprocessor, which is a recursive acronym.
When developing compilers and interpreters, their source code and its testing procedure are demanded to comply with especially strict quality and reliability requirements. However, there are still some suspicious fragments found in the PHP interpreter's source code.
In this article, we are going to discuss the results of the check of the PHP interpreter by PVS-Studio 5.18.
Accord.Net: Looking for a Bug that Could Help Machines Conquer HumankindPVS-Studio
Articles discussing the results of analysis of open-source projects are a good thing as they benefit everyone: some, including project authors themselves, can find out what bugs lurk in a project; others discover for themselves the static analysis technology and start using it to improve their code's quality. For us, it is a wonderful means to promote PVS-Studio analyzer, as well as to put it through some additional testing. This time I have analyzed Accord.Net framework and found lots of interesting issues in its code.
I read a post recently about a check of the LibRaw project performed by Coverity SCAN. It stated that nothing interesting had been found. So I decided to try our analyzer PVS-Studio on it.
Rechecking TortoiseSVN with the PVS-Studio Code AnalyzerAndrey Karpov
The author downloaded and analyzed the source code of the TortoiseSVN project using the PVS-Studio static code analyzer. The analysis found several bugs, including identical comparisons, unsafe uses of formatting functions like printf(), and obsolete null checks after memory allocation. While many of the issues would not cause failures, some could lead to undefined behavior, especially in 64-bit systems where pointer sizes are larger than integer types. The author concludes by recommending regular use of static analysis to find bugs early.
We Continue Exploring Tizen: C# Components Proved to be of High QualityPVS-Studio
This time I go back again to the check of the Tizen project. In my recent post "Experiment of Bug Detection in the Code of C #Components of Tizen" in our blog, I analyzed the code of C# superficially and came to a conclusion that it makes sense to check the whole code of C# components of this project for errors using PVS-Studio and write the article about it. Right away, I would like to share with you the results of the work that I have done. I shall tell at once that PVS-Studio analyzer showed itself not on the bright side on C# code. Anyway, first things first: let's see what the analyzer found, and then we will deal with statistics and make conclusions.
Comparing the general static analysis in Visual Studio 2010 and PVS-Studio by...PVS-Studio
The article demonstrates errors detected with the static code analyzer integrated into Visual Studio 2010. The research was performed on five open source projects. The same projects were also checked with PVS-Studio. Results of comparing these two tools are presented at the end of the article.
Comparing the general static analysis in Visual Studio 2010 and PVS-Studio by...Andrey Karpov
The article demonstrates errors detected with the static code analyzer integrated into Visual Studio 2010. The research was performed on five open source projects. The same projects were also checked with PVS-Studio. Results of comparing these two tools are presented at the end of the article.
Linux version of PVS-Studio couldn't help checking CodeLitePVS-Studio
As is already known to our readers, PVS-Studio static analyzer is exploring a new development direction - the Linux platform; as you may have noticed from the previous articles, it is doing well. This article shows how easily you can check a project with the help of the Linux version of the analyzer, because the simpler PVS-Studio for Linux is, the more supporters it will have. This time our choice was the CodeLite project. CodeLite was compiled and tested in Linux. Let's see what results we got.
We have checked the Windows 8 Driver Samples pack with our analyzer PVS-Studio and found various bugs in its samples. There is nothing horrible about it - bugs can be found everywhere, so the title of this article may sound a bit high-flown. But these particular errors may be really dangerous, as it is a usual practice for developers to use demo samples as a basis for their own projects or borrow code fragments from them.
Some of you may know that we have recently released version 6.00 of our analyzer, that now has C# support. The ability to scan C# projects increases the number of open-source projects we can analyze. This article is about one such check. This time it is a project, developed by Sony Computer Entertainment (SCEI).
Every now and then, we have to write articles about how we've checked another fresh version of some compiler. That's not really much fun. However, as practice shows, if we stop doing that for a while, folks start doubting whether PVS-Studio is worth its title of a good catcher of bugs and vulnerabilities. What if the new compiler can do that too? Sure, compilers evolve, but so does PVS-Studio – and it proves, again and again, its ability to catch bugs even in high-quality projects such as compilers.
Re-checking the ReactOS project - a large reportPVS-Studio
The ReactOS project is rapidly developing. One of the developers participating in this project suggested that we re-analyzed the source code, as the code base is growing fast. We were glad to do that. We like this project, and we'll be happy if this article helps the developers to eliminate some bugs. Analysis was performed with the PVS-Studio 5.02 code analyzer.
Dusting the globe: analysis of NASA World Wind projectPVS-Studio
Sometimes it is useful to look back to see how helpful the analyzer was to old projects, and which errors can be avoided in good time, if the analyzer is regularly used. This time our choice was NASA World Wind project, which was being developed on C# until 2007.
Practical tips for dealing with projects involving legacy code. Covers investigating past projects, static analysis of existing code, and methods for changing legacy code.
Presented at PHP Benelux '10
Comparing the general static analysis in Visual Studio 2010 and PVS-Studio by...PVS-Studio
The article demonstrates errors detected with the static code analyzer integrated into Visual Studio 2010. The research was performed on five open source projects. The same projects were also checked with PVS-Studio. Results of comparing these two tools are presented at the end of the article.
Virtual machines are important tools in the arsenal of a software developer. Being an active user of VirtualBox, and checking various open source projects with the help of it, I was personally interested in checking its source code. We did the first check of this project in 2014, and the description of 50 errors barely fit into two articles. With the release of Windows 10 and VirtualBox 5.0.XX the stability of the program got significantly worse, in my humble opinion. So, I decided to check the project again.
The PVS-Studio team is now actively developing a static analyzer for C# code. The first version is expected by the end of 2015. And for now my task is to write a few articles to attract C# programmers' attention to our tool in advance. I've got an updated installer today, so we can now install PVS-Studio with C#-support enabled and even analyze some source code. Without further hesitation, I decided to scan whichever program I had at hand. This happened to be the Umbraco project. Of course we can't expect too much of the current version of the analyzer, but its functionality has been enough to allow me to write this small article.
Checking the Source Code of FlashDevelop with PVS-StudioPVS-Studio
To assess the quality of our static analyzer's diagnostics and to advertise it, we regularly analyze various open-source projects. The developers of FlashDevelop project contacted us on their own initiative and asked us to check their product, which we have gladly done.
Checking the World of Warcraft CMaNGOS open source serverPVS-Studio
In this article, I would like to share the results of our analysis of the open source implementation of the World of Warcraft server, CMaNGOS, as done by the PVS-Studio static analyzer.
We have checked the Windows 8 Driver Samples pack with our analyzer PVS-Studio and found various bugs in its samples. There is nothing horrible about it - bugs can be found everywhere, so the title of this article may sound a bit high-flown. But these particular errors may be really dangerous, as it is a usual practice for developers to use demo samples as a basis for their own projects or borrow code fragments from them.
The document summarizes the results of analyzing the OpenCV computer vision library with the PVS-Studio code analyzer. Several real bugs were found in older versions of OpenCV and have since been fixed. New analysis of the current OpenCV version uncovered additional bugs, including copy-paste errors, meaningless loops, misprints in conditions, pointer errors, and poor test cases. The analysis demonstrates that static analysis is useful for finding real bugs in large, complex libraries like OpenCV during development.
The PVS-Studio developers' team has carried out comparison of the own static code analyzer PVS-Studio with the open-source Cppcheck static code analyzer. As a material for comparison, the source codes of the three open-source projects by id Software were chosen: Doom 3, Quake 3: Arena, Wolfenstein: Enemy Territory. The article describes the comparison methodology and lists of detected errors. The conclusions section at the end of the article contains "non-conclusions" actually, as we consciously avoid drawing any conclusions: you can reproduce our comparison and draw your own ones.
PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language. As of January 2013, PHP was installed on more than 240 million websites (39% of those sampled) and 2.1 million web servers. Originally created by Rasmus Lerdorf in 1994, the reference implementation of PHP (powered by the Zend Engine) is now produced by The PHP Group. While PHP originally stood for Personal Home Page, it now stands for PHP: Hypertext Preprocessor, which is a recursive acronym.
When developing compilers and interpreters, their source code and its testing procedure are demanded to comply with especially strict quality and reliability requirements. However, there are still some suspicious fragments found in the PHP interpreter's source code.
In this article, we are going to discuss the results of the check of the PHP interpreter by PVS-Studio 5.18.
Accord.Net: Looking for a Bug that Could Help Machines Conquer HumankindPVS-Studio
Articles discussing the results of analysis of open-source projects are a good thing as they benefit everyone: some, including project authors themselves, can find out what bugs lurk in a project; others discover for themselves the static analysis technology and start using it to improve their code's quality. For us, it is a wonderful means to promote PVS-Studio analyzer, as well as to put it through some additional testing. This time I have analyzed Accord.Net framework and found lots of interesting issues in its code.
I read a post recently about a check of the LibRaw project performed by Coverity SCAN. It stated that nothing interesting had been found. So I decided to try our analyzer PVS-Studio on it.
Microsoft opened the source code of Xamarin.Forms. We couldn't miss a chance ...PVS-Studio
You probably already know that the Microsoft Corporation bought the Xamarin Company. Even though Microsoft has started gradually opening the source code of some of its products, the Xamarin.Forms code was a big surprise. I couldn't give it the go-by, and decided to check the code using a static code analyzer.
Having checked ReactOS's code I managed to fulfill three of my wishes at once. Firstly, I had wanted for a long time to write an article on a common project. It's not interesting to check the source code of projects like Chromium: its quality is too high and a lot of resources are spent to maintain it, which are unavailable to common projects. Secondly, it's a good example to demonstrate the necessity of static analysis in a large project, especially when it is developed by a diverse and distributed team. Thirdly, I've got a confirmation that PVS-Studio is becoming even better and more useful.
The document analyzes the source code of the Godot game engine using the PVS-Studio static code analyzer. It finds and discusses several types of errors identified by the analyzer, including duplicated comparisons, array overruns due to enum/array mismatches, incorrect data type checks, typos causing logic errors or infinite loops, and unsafe pointer usage. The analysis aims to both introduce readers to the Godot project and help its developers fix bugs and improve code quality.
Consequences of using the Copy-Paste method in C++ programming and how to dea...Andrey Karpov
I create the PVS-Studio analyzer detecting errors in source code of C/C++/C++0x software. So I have to review a large amount of source code of various applications where we detected suspicious code fragments with the help of PVS-Studio. I have collected a lot of examples demonstrating that an error occurred because of copying and modifying a code fragment. Of course, it has been known for a long time that using Copy-Paste in programming is a bad thing. But let's try to investigate this problem closely instead of limiting ourselves to just saying "do not copy the code".
An important event has taken place in the PVS-Studio analyzer's life: support of C#-code analysis was added in the latest version. As one of its developers, I couldn't but try it on some project. Reading about scanning small and little-known projects is not much interesting of course, so it had to be something popular, and I picked MonoDevelop.
Just recently I've checked the VirtualDub project with PVS-Studio. This was a random choice. You see, I believe that it is very important to regularly check and re-check various projects to show users that the PVS-Studio analyzer is evolving, and which project you run it on doesn't matter that much - bugs can be found everywhere. We already checked the VirtualDub project in 2011, but we found almost nothing of interest then. So, I decided to take a look at it now, 2 years later.
In May 2016, German game-development company Crytek made a decision to upload the source code of their game engine CryEngine V to Github. The engine is written in C++ and has immediately attracted attention of both the open-source developer community and the team of developers of PVS-Studio static analyzer who regularly scan the code of open-source projects to estimate its quality. A lot of great games were created by a number of video-game development studios using various versions of CryEngine, and now the engine has become available to even more developers. This article gives an overview of errors found in the project by PVS-Studio static analyzer.
Source code of WPF samples by Microsoft was checkedPVS-Studio
To let people know about PVS-Studio, which is now able to check not only C++ projects, but C# as well, we decided to check the source code of WPF examples, offered by Microsoft.
One of the Microsoft development teams already uses PVS-Studio analyzer in their work. It's great, but it's not enough. That's why I keep demonstrating how static code analysis could benefit developers, using Microsoft projects as examples. We scanned Casablanca project three years ago and found nothing. As a tribute to its high quality, the project was awarded with a "bugless code" medal. As time went by, Casablanca developed and grew. PVS-Studio's capabilities, too, have significantly improved, and now I've finally got the opportunity to write an article about errors found by the analyzer in Casablanca project (C++ REST SDK). These errors are few, but the fact that their number is still big enough for me to make this article, does speak a lot in favor of PVS-Studio's effectiveness.
PVS-Studio team is about to produce a technical breakthrough, but for now let...PVS-Studio
Static analysis is most useful when it is done on a regular basis. Especially when the project is rapidly developing, like the Blender project, for example. Now it's time to check it once more, and see what suspicious fragments we'll find this time.
PVS-Studio was used to analyze the code of the ReactOS operating system project. Over 200 errors and code quality issues were found, demonstrating the need for regular static analysis in large, distributed projects. Examples are provided of various types of errors found, including misprints, logical errors, uninitialized variables, and issues with whitespace and formatting. The author argues that static analysis should be a mandatory part of the development process for projects like ReactOS, and that the project would benefit from disallowing the use of tabs in code formatting.
A new static analysis tool for C++ code CppCat was presented just recently. You probably heard a lot about the previous product (PVS-Studio) by the same authors. I was pretty doubtful about it then: on the one hand, static analysis is definitely a must-have methodology - things go better with than without it; on the other hand, PVS-Studio may scare users off with its hugeness, an enterprise-like character and the price, of course. I could imagine a project team of 50 developers buying it but wasn't sure about single developers or small teams of 5 developers. I remember suggesting to the PVS-Studio authors deploying "PVS as a cloud service" and sell access to it by time. But they chose to go their own way and created an abridged version at a relatively small price (which any company or even a single developer can afford).
Analysis of PascalABC.NET using SonarQube plugins: SonarC# and PVS-StudioPVS-Studio
In November 2016, we posted an article about the development and use of the PVS-Studio plugin for SonarQube. We received great feedback from our customers and interested users who requested testing the plugin on a real project. As the interest in this subject is not decreasing, we decided to test the plugin on a C# project PascalABC.NET. Also, it should be borne in mind, that SonarQube have their own static analyzer of C# code - SonarC#. To make the report more complete, we decided to test SonarC# as well. The objective of this work was not the comparison of the analyzers, but the demonstration of the main peculiarities of their interaction with the SonarQube service. Plain comparison of the analyzers would not be fair due to the fact that PVS-Studio is a specialized tool for bug detection and potential vulnerabilities, while SonarQube is a service for the assessment of the code quality by a large number of parameters: code duplication, compliance with the code standards, unit tests coverage, potential bugs in the code, density of comments in the code, technical debt and so on.
Errors that static code analysis does not find because it is not usedAndrey Karpov
Readers of our articles occasionally note that the PVS-Studio static code analyzer detects a large number of errors that are insignificant and don't affect the application. It is really so. For the most part, important bugs have already been fixed due to manual testing, user feedback, and other expensive methods. At the same time, many of these errors could have been found at the code writing stage and corrected with minimal loss of time, reputation and money. This article will provide several examples of real errors, which could have been immediately fixed, if project authors had used static code analysis.
Bugs found in GCC with the help of PVS-StudioPVS-Studio
I regularly check various open-source projects to demonstrate the abilities of the PVS-Studio static code analyzer (C, C++, C#). Now it is time for the GCC compiler to get checked. Unquestionably, GCC is a very qualitative and well-tested project, that's why it's already a great achievement for a tool to find any errors in it. Fortunately, PVS-Studio coped with this task. No one is immune to typos or carelessness. This is why the PVS-Studio can become an additional line of defense for you, on the front of the endless war against bugs.
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 1PVS-Studio
Operating systems are among the largest and most complicated software projects, and that means they perfectly suit the purpose of demonstrating static code analysis' capabilities. After the successful analysis of Linux Kernel, I felt inspired to try analyzing other open-source operating systems as well.
Similar to Brief analysis of Media Portal 2 bugs (18)
8 Best Automated Android App Testing Tool and Framework in 2024.pdfkalichargn70th171
Regarding mobile operating systems, two major players dominate our thoughts: Android and iPhone. With Android leading the market, software development companies are focused on delivering apps compatible with this OS. Ensuring an app's functionality across various Android devices, OS versions, and hardware specifications is critical, making Android app testing essential.
Unveiling the Advantages of Agile Software Development.pdfbrainerhub1
Learn about Agile Software Development's advantages. Simplify your workflow to spur quicker innovation. Jump right in! We have also discussed the advantages.
E-commerce Development Services- Hornet DynamicsHornet Dynamics
For any business hoping to succeed in the digital age, having a strong online presence is crucial. We offer Ecommerce Development Services that are customized according to your business requirements and client preferences, enabling you to create a dynamic, safe, and user-friendly online store.
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
Mobile app Development Services | Drona InfotechDrona Infotech
Drona Infotech is one of the Best Mobile App Development Company In Noida Maintenance and ongoing support. mobile app development Services can help you maintain and support your app after it has been launched. This includes fixing bugs, adding new features, and keeping your app up-to-date with the latest
Visit Us For :
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
UI5con 2024 - Bring Your Own Design SystemPeter Muessig
How do you combine the OpenUI5/SAPUI5 programming model with a design system that makes its controls available as Web Components? Since OpenUI5/SAPUI5 1.120, the framework supports the integration of any Web Components. This makes it possible, for example, to natively embed own Web Components of your design system which are created with Stencil. The integration embeds the Web Components in a way that they can be used naturally in XMLViews, like with standard UI5 controls, and can be bound with data binding. Learn how you can also make use of the Web Components base class in OpenUI5/SAPUI5 to also integrate your Web Components and get inspired by the solution to generate a custom UI5 library providing the Web Components control wrappers for the native ones.
Hand Rolled Applicative User ValidationCode KataPhilip Schwarz
Could you use a simple piece of Scala validation code (granted, a very simplistic one too!) that you can rewrite, now and again, to refresh your basic understanding of Applicative operators <*>, <*, *>?
The goal is not to write perfect code showcasing validation, but rather, to provide a small, rough-and ready exercise to reinforce your muscle-memory.
Despite its grandiose-sounding title, this deck consists of just three slides showing the Scala 3 code to be rewritten whenever the details of the operators begin to fade away.
The code is my rough and ready translation of a Haskell user-validation program found in a book called Finding Success (and Failure) in Haskell - Fall in love with applicative functors.
WWDC 2024 Keynote Review: For CocoaCoders AustinPatrick Weigel
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
Artificia Intellicence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
How Can Hiring A Mobile App Development Company Help Your Business Grow?ToXSL Technologies
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
How Can Hiring A Mobile App Development Company Help Your Business Grow?
Brief analysis of Media Portal 2 bugs
1. Brief analysis of Media Portal 2 bugs
Author: Ivan Kishchenko
Date: 06.03.2017
Media Portal 2 is open software of a media center class, allowing the user to listen to music, watch
videos, viewing pictures, and much more. For us, the developers of PVS-Studio static analyzer, this is
another chance to check an interesting project, tell people (and developers) about the errors we find,
and demonstrate the abilities of our analyzer of course.
About the project Media Portal 2
About the project Media Portal 2T, the project description taken from Wikipedia:
MediaPortal provides a 10-foot user interface for performing typical PVR/TiVo functionality, including
playing, pausing, and recording live TV; playing DVDs, videos, and music; viewing pictures; and other
functions. Plugins allow it to perform additional tasks, such as watching online video, listening to music
from online services such as Last.fm, and launching other applications such as games. It interfaces with
hardware commonly found in HTPCs, such as TV tuners, infrared receivers, and LCD displays.
A large part of the project is written in C#. There are separate units written in C++. Also, as far as I
understand, the Media Portal 2 developers are already using ReSharper in their project. I drew this
conclusion by seeing its mention in the .gitignore file. We do not like the idea of comparing PVS-Studio
and ReSharper, because these are different types of tools. However, as you can see, using ReSharper did
not prevent us from finding real errors in the code.
The analysis results
During the analysis we checked 3321 files. In total, there were 512,435 lines of code. As a result of the
check we had 72 high level warnings. 57 of them pointed to actual errors, typos, issues and strange
fragments in the code. There were also 79 second (medium) level warnings. In my own opinion, 53
2. warnings pointed to problematic or strange places in the code. We aren't going to look at the lowest
level warnings, because these warnings usually don't indicate real errors, have quite a large number of
false positives, and contain warnings that aren't relevant for most of the projects.
So the analyzer detected 0.2 errors per 1000 lines of code. The percentage of false positives is just 27%,
which is a very good result.
I should say right away that sometimes it's very hard to determine what exactly programmer meant to
achieve when was writing a particular piece of code. That's why those fragments that I considered
erroneous can have some distorted logic, but in the scope of a certain algorithm, can work quite
normally. But if this code is reused in another application, by another person who is unaware of all the
nuances of implementation, then most likely it will lead to bugs in their system.
Also, I want to note that the article doesn't cover all errors, since there are too many of them for a single
article.
So, let's take a look at the most interesting bugs we found; the project authors can do a more detailed
review of the bugs by doing the project check themselves, or by making a request for a temporary
license. Also, dear readers, if you are non-commercial or individual developers, I suggest using the free
version of our static analyzer. Its functional abilities are absolutely identical to the paid version and so, it
is the perfect fit for students, individual developers, and teams of enthusiasts.
3. Typos when using Copy-Paste
I will start the description with quite widespread errors when a programmer has copied a code block,
but forgot to change one or several variables in it due to inattention.
V3127 Two similar code fragments were found. Perhaps, this is a typo and 'AllocinebId' variable should
be used instead of 'CinePassionId' MovieRelationshipExtractor.cs 126
if (movie.CinePassionId > 0)
ids.Add(ExternalIdentifierAspect.SOURCE_CINEPASSION,
movie.CinePassionId.ToString());
if (movie.CinePassionId > 0) // <=
ids.Add(ExternalIdentifierAspect.SOURCE_ALLOCINE,
movie.AllocinebId.ToString());
It's very hard to find such bugs by doing a simple code review. Since the code is very stuck together,
most likely, the programmer just hasn't noticed the defect. Looking at the line marked with a comment,
you'll notice that the word Allocine is used instead of CinePassion everywhere in the second if block, but
in the condition of the check the variable CinePassionId was not replaced with AllocinebId.
The diagnostic V3217 found several more interesting typos showing the danger of Copy-Paste.
V3127 Two similar code fragments were found. Perhaps, this is a typo and 'Y' variable should be used
instead of 'X' PointAnimation.cs 125
double distx = (to.X - from.X) / duration;
distx *= timepassed;
distx += from.X;
double disty = (to.X - from.Y) / duration; // <=
disty *= timepassed;
disty += from.Y;
V3127 Two similar code fragments were found. Perhaps, this is a typo and 'X' variable should be used
instead of 'Y' Point2DList.cs 935
double dx1 = this[upper].Y - this[middle].X; // <=
double dy1 = this[upper].Y - this[middle].Y;
V3127 Two similar code fragments were found. Perhaps, this is a typo and 'attrY' variable should be
used instead of 'attrX' AbstractSortByComparableValueAttribute.cs 94
4. if (attrX != null)
{
valX = (T?)aspectX.GetAttributeValue(attrX);
}
if (attrY != null)
{
valX = (T?)aspectX.GetAttributeValue(attrX); // <=
}
In all cases in the first block, the evaluations are with the x axis; in the second block with the Y axis. If we
look at the commented lines, we can see that the programmer forgot to change X to Y or vice versa,
when copy pasting one of the blocks.
Access by null reference
Programming language is continuously evolving, but the main way to shoot yourself in the foot remain
the same. In the example of the code cited below, the programmer first verifies the BannerPath variable
against null. If it is null, then he checks that it is equal to an empty string with an Equals method, which
may cause a potential NullReferenceException.
V3080 Possible null dereference. Consider inspecting 'BannerPath'. TvdbBannerWithThumb.cs 91
if (ThumbPath == null &&
(BannerPath != null || BannerPath.Equals(""))) // <=
{
ThumbPath = String.Concat("_cache/", BannerPath);
}
This code fragment is rather strange, if we take into account the code after the check. To my mind, the
check should be triggered if the variable BannerPath is not null and not an empty string.
Correct variant can be like this:
if (ThumbPath == null &&
!string.IsNullOrEmpty(BannerPath))
{
ThumbPath = String.Concat("_cache/", BannerPath);
}
Incorrect operator precedence
I suggest taking a look at another quite amusing warning related to incorrect precedence of logic
operators.
V3130 Priority of the '&&' operator is higher than that of the '||' operator. Possible missing
parentheses. BinaryCacheProvider.cs 495
return config.EpisodesLoaded || !checkEpisodesLoaded &&
config.BannersLoaded || !checkBannersLoaded &&
5. config.ActorsLoaded || !checkActorsLoaded;
The programmer who wrote this code apparently did not take into account that the logical AND
operator (&&) has a higher precedence than the logical OR (||) operator. Once more, I would
recommend specifying explicitly the precedence of operations, and putting parentheses between them.
Here is one more error caused by incorrect operator precedence. The programmer ignores the fact that
the + operator has a higher priority than the ?? operator.
V3022 Expression '"Invalid header name: " + name' is always not null. The operator '??' is excessive.
HttpRequest.cs 309
...("Invalid header name: " + name ?? "<null>");
As a result, if the variable name is zero, it will be added to the string "Invalid header name:" as an empty
string, and will not be replaced by the expression "<null>". It's not a very crucial error in and of itself,
and in this case it won't lead to a crash.
The corrected variant will be as follows.
...("Invalid header name: " + (name ?? "<null>"));
A typo after the type casting
One more common typo that is caused by inattention. Note the variables other and obj.
V3019 Possibly an incorrect variable is compared to null after type conversion using 'as' keyword. Check
variables 'obj', 'other'. EpisodeInfo.cs 560
EpisodeInfo other = obj as EpisodeInfo;
if (obj == null) return false; // <=
if (TvdbId > 0 && other.TvdbId > 0)
return TvdbId == other.TvdbId;
....
In this code fragment a variable obj is explicitly cast to the EpisodeInfo type, and the result is returned to
the variable other. Note that further on we see a variable other being used, but the variable obj gets
verified against null. In the case that the variable obj we'll have is a type different from what it is cast to,
then to work with the other variable will lead to an exception.
Here is how a fixed code fragment may look:
EpisodeInfo other = obj as EpisodeInfo;
if (other == null) return false;
if (TvdbId > 0 && other.TvdbId > 0)
return TvdbId == other.TvdbId;
....
Double assignment
One more amusing error that was found by the analyzer. The following code fragment would be
meaningless, because the Released variable will always be equal to null.
V3008 The 'Released' variable is assigned values twice successively. Perhaps this is a mistake. Check
lines: 57, 56. OmDbSeasonEpisode.cs 57
DateTime releaseDate;
if (DateTime.TryParse(value, out releaseDate))
Released = releaseDate; // <=
Released = null; // <=
6. Most likely this statement with the nullification should be written in the else block. Then the correct
code fragment will be like this:
DateTime releaseDate;
if (DateTime.TryParse(value, out releaseDate))
Released = releaseDate; // <=
else
Released = null; // <=
When a minute doesn't always have 60 seconds
V3118 Milliseconds component of TimeSpan is used, which does not represent full time interval.
Possibly 'TotalMilliseconds' value was intended instead. Default.cs 60
private void WaitForNextFrame()
{
double msToNextFrame = _msPerFrame -
(DateTime.Now - _frameRenderingStartTime).Milliseconds;
if (msToNextFrame > 0)
Thread.Sleep(TimeSpan.FromMilliseconds(msToNextFrame));
}
Another fairly common typo that occurs because of the TimeSpan type implementation. But apparently,
the programmer did not know that the Seconds property of the object of TimeSpan type returns not the
total number of seconds in this interval, but the remaining number of seconds.
For example, if the time interval is 1minute, 150 seconds, then the call of the Milliseconds method will
return only 150 miliseconds. If it is necessary to return a total number of seconds, we should use the
method TotalMilliseconds. For this example it will be 1150 milliseconds.
Then the correct code could be as follows:
double msToNextFrame = _msPerFrame -
(DateTime.Now - _frameRenderingStartTime).TotalMilliseconds;
Incorrect order of arguments
One more mistake caused by inattentiveness. The method TryCreateMultimediaCDDrof iveHandler gets
enumerations of identifiers for videos, pictures, and audio in the specified sequence.
V3066 Possible incorrect order of arguments passed to 'TryCreateMultimediaCDDriveHandler' method.
RemovableMediaManager.cs 109
public static MultimediaDriveHandler
TryCreateMultimediaCDDriveHandler(DriveInfo driveInfo,
IEnumerable<Guid> videoMIATypeIds,
IEnumerable<Guid> imageMIATypeIds, // <=
IEnumerable<Guid> audioMIATypeIds) // <=
{ .... }
7. Since these parameters have the same types, the programmer didn't pay attention to the fact that when
he was passing arguments to the method, he misplaced pictures and audios:
public static ....()
{
MultimediaDriveHandler.TryCreateMultimediaCDDriveHandler(driveInfo,
Consts.NECESSARY_VIDEO_MIAS,
Consts.NECESSARY_AUDIO_MIAS, // <=
Consts.NECESSARY_IMAGE_MIAS) // <=
}
A condition that is always false
This code is pretty strange, so I was not sure if I should put it here or not.
V3022 Expression 'IsVignetteLoaded' is always false. TvdbFanartBanner.cs 219
if (IsVignetteLoaded) // <=
{
Log.Warn(....);
return false;
}
try
{
if (IsVignetteLoaded) // <=
{
LoadVignette(null);
}
....
I can assume that the first check was added for debugging, and that most likely, the programmer forgot
to remove it. As a result it blocks the second check which can lead to incorrect program execution.
Redundant check or an egregious error?
V3001 There are identical sub-expressions 'screenWidth != _screenSize.Width' to the left and to the
right of the '||' operator. MainForm.cs 922
if (bitDepth != _screenBpp ||
screenWidth != _screenSize.Width ||
screenWidth != _screenSize.Width) // <=
{
....
}
Pay attention to the last check: Most likely, the programmer wanted to check the width and height, but
after Copy-Paste forgot to replace Width with Height in the last check.
The analyzer found one more similar bug:
V3001 There are identical sub-expressions 'p == null' to the left and to the right of the '||' operator.
TriangulationConstraint.cs 141
public static uint CalculateContraintCode(
TriangulationPoint p, TriangulationPoint q)
{
if (p == null || p == null) // <=
{
throw new ArgumentNullException();
8. }
....
}
Looking at the body of the method more thoroughly, you may notice that the p parameter is verified
against null twice, at the same time the logic of this method presupposes using the q parameter. Most
likely, the right part of the check should contain a check of the q variable instead of p.
A forgotten condition and some more Copy-Paste
As you may have noticed, the biggest part of errors in this article are caused by Copy-paste, the
following bug is no exception.
V3003 The use of 'if (A) {...} else if (A) {...}' pattern was detected. There is a probability of logical error
presence. Check lines: 452, 462. Scanner.cs 452
if (style == NumberStyles.Integer)
{
int ivalue;
if (int.TryParse(num, out ivalue))
return ivalue;
....
}
else if (style == NumberStyles.Integer) // <=
{
return double.Parse(num);
}
In both checks the variable style is compared with one and the same value in the enumeration. As a
result, the second check will never be executed. If we keep in mind the fact that during the first check
the string is converted to an integer, and in the second check to a floating-point number. I may assume
that the condition of the second check should be as follows:
....
}
else if (style == NumberStyles.Double) // <=
{
return double.Parse(num);
}
Conclusion
9. There were many more errors, typos, and issues found in this project. But they didn't seem interesting
enough to describe in this article. In general, I can say that the codebase of the project is not very
readable, and contains a lot of strange fragments. The majority weren't cited in the article, but I would
still consider them bad coding style. This could include using a foreach loop, to get the first element of
the collection and exit using the break at the end of the first iteration, numerous redundant checks,
large unseperated blocks of code, etc.
The Media Portal 2 developers can easily find all the issues, using the PVS-Studio tool. You may also find
bugs in your projects with the help of the mentioned tool.
I would like to mention that the biggest benefit from static analysis, is gained by regular use. It's not
enough to download the tool, and do a one-time check. As an analogy, programmers regularly review
the compiler warnings, not just 3 times a year before release. If the analyzer is used on a regular basis, it
will save significant time that is usually spent on searching for typos and errors.