Comparing capabilities of PVS-Studio and Visual Studio 2010 in detecting defects in 64-bit programs

Comparing capabilities of PVS-Studio
and Visual Studio 2010 in detecting
defects in 64-bit programs
Author: Andrey Karpov

Date: 06.07.2010

Abstract
In the article, we will compare three mechanisms of code analysis from the viewpoint of detecting 64-bit
errors: the Visual C++ 2010 compiler, the Code Analysis for C/C++ component included into Visual Studio
2010 and Viva64 analyzer included into PVS-Studio 3.60. I will show both the capabilities of detecting
defects in 64-bit projects and preliminary diagnosis of 64-bit errors in the 32-bit code of projects.

Introduction
Our company OOO "Program Verification Systems" develops a specialized static code analyzer Viva64
intended to detect 64-bit errors in Windows-applications. The Viva64 analyzer is included into the PVS-
Studio package integrating into the Visual Studio 2005/2008/2010 environment.

Our potential users who think about purchasing PVS-Studio often ask us what advantages our tool has
over diagnostic capabilities of the Visual C++ compiler and Code Analysis for C/C++ component available
in extended editions of Visual Studio (for instance, in Visual Studio 2010 Premium/Ultimate).

Our users are also interested in the capability of preliminary detection of 64-bit errors at the stage when
there is no 64-bit project yet.

In this article, we will compare various tools by 31 patterns of 64-bit errors and show how efficient they
are when checking 32-bit and 64-bit projects. In the third section, there are links for you to learn about
each error pattern in detail and comments on the comparison tables. The test project that we used as a
basis for comparison and that contains all the error patterns can be downloaded here:
http://www.viva64.com/external-pictures/ErrorExamples-vs2010-project.7z.

1. Comparison of tools when analyzing 64-bit projects
Comparison of tools and percentage of defects found when analyzing 64-bit projects are presented in
Table 1. Note that the column referring to Code Analysis for C/C++ is empty. The reason is that Code
Analysis for C/C++ does not work with 64-bit projects.

Also note that we enabled all the warnings of the Visual C++ compiler with the /Wall switch, i.e. all its
diagnostic capabilities are in use. The /Wp64 switch is disabled since it is ignored (has no sense) when
compiling 64-bit projects.

The coloring of the table cells (the legend):

• Grey - cannot be diagnosed.

• Blue background - can be diagnosed partly (see explanations in the third section).
• Green background - can be diagnosed.

Table 1 - Comparison of capabilities of the Visual C++ 2010 compiler, Code Analysis for C/C++ (Visual
Studio 2010 Premium) and Viva64 (PVS-Studio 3.60) in detecting 64-bit errors in a 64-bit project

Conclusion

The diagnostic capabilities of the Viva64 static analyzer exceed those of Visual C++ 2010 several times
when searching for 64-bit errors in 64-bit projects. The Code Analysis for C/C++ is useless in searching
for this type of errors since it cannot work with the code of 64-bit projects at the moment.

2. Comparison of tools when analyzing 32-bit projects
People are often interested in the possibility of detecting 64-bit errors already at the stage of working
with the 32-bit project already. This interest results from the following two tasks:

1. To estimate the cost of porting a 32-bit application to a 64-bit system.
2. To eliminate as many 64-bit errors as possible before porting the application.

Comparison of the tools and percentage of defects found when analyzing 32-bit projects are presented
in Table 2.

The /Wall and /Wp64 switches are enabled for the Visual C++ compiler to use its diagnostic capabilities
to the full extent. For the Code Analysis for C/C++ unit, we have also enabled all the possible warnings.

The coloring of the table cells (the legend):

• Grey - cannot be diagnosed.
• Blue background - can be diagnosed partly (see explanations in the third section).
• Green background - can be diagnosed.

Table 2 - Comparison of capabilities of the Visual C++ 2010 compiler, Code Analysis for C/C++ (Visual
Studio 2010 Premium) and Viva64 (PVS-Studio 3.60) in detecting 64-bit errors in a 32-bit project

Conclusion

The diagnostic capabilities of the Viva64 analyzer exceed those of Visual C++ 2010 several times when
searching for 64-bit errors in 32-bit projects.

The diagnostic capabilities of Visual C++ 2010 turn out to be less efficient when analyzing 32-bit projects
than in case of 64-bit projects. This is explained by the fact that the compiler uses a different data model
(ILP32) when compiling 32-bit projects.

The Code Analysis for C/C++ component is a general-purpose static analyzer and does not help in
detecting the type of 64-bit errors we consider here.

The Viva64 analyzer performed equally full analysis both for 32-bit and 64-bit projects. In practice, the
Viva64 analyzer still might miss up to 5% of errors and show fewer warnings. To learn more about it,
please see - Lesson 28. Estimating the cost of 64-bit migration of C/C++ applications.

3. Description of comparison parameters
A detailed description of each error pattern will take too much space in the article. So let me just give
you links to various sources where you may thoroughly study each of the patterns and see various
examples. I will also give some comments explaining why some types of errors can be diagnosed only
partly.

3.1. Implicit conversion of a 32-bit type to a memsize-type
Description:

• PVS-Studio documentation. V101. Implicit assignment type conversion to memsize type.
• Lessons on development of 64-bit C/C++ applications. Lesson 11. Pattern 3. Shift operations.
• Lessons on development of 64-bit C/C++ applications. Lesson 17. Pattern 9. Mixed arithmetic.

3.2. Dangerous address arithmetic
Description:

• PVS-Studio documentation. V102. Usage of non memsize type for pointer arithmetic.
• Lessons on development of 64-bit C/C++ applications. Lesson 13. Pattern 5. Address arithmetic.

3.3. Implicit conversion of a memsize-type to a 32-bit type
Description:

• PVS-Studio documentation. V103. Implicit type conversion from memsize type to 32-bit type.
• Andrey Karpov. OOO "Program Verification Systems" company blog. Problems of 64-bit code in
real programs: FreeBSD.

3.4. Implicit conversion of a 32-bit type to a memsize-type in a comparison
operation
Description:

• PVS-Studio documentation. V104. Implicit type conversion to memsize type in an arithmetic
expression.
• Andrey Karpov. OOO "Program Verification Systems" company blog. Why A + B != A - (-B).

3.5. Implicit conversion of a 32-bit type to a memsize-type in a ternary
operation
Description:

• PVS-Studio documentation. V105. N operand of '?:' operation: implicit type conversion to
memsize type.

3.6. Implicit conversion of a 32-bit type to a memsize-type when calling a
function
Description:

• PVS-Studio documentation. V106. Implicit type conversion N argument of function 'foo' to
memsize type.

3.7. Implicit conversion of a memsize-type to a 32-bit type when calling a
function
Description:

• PVS-Studio documentation. V107. Implicit type conversion N argument of function 'foo' to 32-bit
type.

3.8. A non-memsize type is used as an index
Description:

• PVS-Studio documentation. V108. Incorrect index type: 'foo[not a memsize-type]'. Use memsize
type instead.
• Lessons on development of 64-bit C/C++ applications. Lesson 13. Pattern 5. Address arithmetic.

3.9. Implicit conversion of a 32-bit type to a memsize-type inside the return
operator
Description:

• PVS-Studio documentation. V109. Implicit type conversion of return value to memsize type.

3.10. Implicit conversion of a memsize-type to a 32-bit type inside the return
operator
Description:

• PVS-Studio documentation. V110. Implicit type conversion of return value from memsize type to
32-bit type.


3.11. Functions with a variable number of arguments, a value of a memsize-
type is passed as the parameter
Description:

• PVS-Studio documentation. V111. Call function 'foo' with variable number of arguments. N
argument has memsize type.
• Lessons on development of 64-bit C/C++ applications. Lesson 10. Pattern 2. Functions with
variable number of arguments.

3.12. Dangerous magic number
Description:

• PVS-Studio documentation. V112. Dangerous magic number N used.
• Lessons on development of 64-bit C/C++ applications. Lesson 9. Pattern 1. Magic numbers.

3.13. Attempt to store a value of a memsize-type in a variable of the double
type
Description:

• PVS-Studio documentation. V113. Implicit type conversion from memsize to double type or vice
versa.
• PVS-Studio documentation. V203. Explicit type conversion from memsize to double type or vice
versa.
• Lessons on development of 64-bit C/C++ applications. Lesson 18. Pattern 10. Storage of integer
values in double.

Note to the table

When building a 32-bit project, the Visual C++ compiler warns only about the conversion of the double
type to size_t and does not warn about the opposite conversion.

3.14. Incorrect change of the pointer's type
Description:

• PVS-Studio documentation. V114. Dangerous explicit type pointer conversion.
• Lessons on development of 64-bit C/C++ applications. Lesson 14. Pattern 6. Changing an array's
type.
• Andrey Karpov. OOO "Program Verification Systems" company blog. 64-bit code issues in real
programs: pointer type change.

3.15. Using memsize types when handling exceptions
Description:

• PVS-Studio documentation. V115. Memsize type is used for throw.
• PVS-Studio documentation. V116. Memsize type is used for catch.
• Lessons on development of 64-bit C/C++ applications. Lesson 20. Pattern 12. Exceptions.

3.16. Memsize-types in unions
Description:

• PVS-Studio documentation. V117. Memsize type is used in the union.
• Lessons on development of 64-bit C/C++ applications. Lesson 16. Pattern 8. Memsize-types in
unions.

3.17. Dangerous expression as an argument of the malloc() function
Description:

• PVS-Studio documentation. V118. malloc() function accepts a dangerous expression in the
capacity of an argument.
• Lessons on development of 64-bit C/C++ applications. Lesson 9. Pattern 1. Magic numbers.

3.18. Incorrect calculation of object sizes using several sizeof() operators
Description:

• PVS-Studio documentation. V119. More than one sizeof() operators are used in one expression.
• Lessons on development of 64-bit C/C++ applications. Lesson 21. Pattern 13. Data alignment.

3.19. The new operator accepts an expression of a 32-bit type as an argument
Description:

• PVS-Studio documentation. V121. Implicit conversion of the type of 'new' operator's argument
to size_t type.

3.20. Explicit conversion of a 32-bit type to a memsize-type
Description:

• PVS-Studio documentation. V201. Explicit type conversion. Type casting to memsize.

3.21. Explicit conversion of a memsize-type to a 32-bit type
Description:

• PVS-Studio documentation. V202. Explicit type conversion. Type casting from memsize to 32-bit.
• Lessons on development of 64-bit C/C++ applications. Lesson 15. Pattern 7. Pointer packing.
• Andrey Karpov. OOO "Program Verification Systems" company blog. Search of explicit type
conversion errors in 64-bit programs.

Note to the table

The Visual C++ compiler diagnoses only the explicit conversion of pointers to 32-bit data types but not
all the memsize-types.

3.22. Incorrectly defined virtual functions
Description:

• PVS-Studio documentation. V301. Unexpected function overloading behavior. See N argument
of function 'foo' in derived class 'derived' and base class 'base'.
• Lessons on development of 64-bit C/C++ applications. Lesson 12. Pattern 4. Virtual functions.

• Andrey Karpov. OOO "Program Verification Systems" company blog. Issues of 64-bit code in real
programs: virtual functions.

Note to the table

The Visual C++ compiler diagnoses all the cases when the function prototype in the descendant class
differs from the prototype of the function defined as a virtual function in the base class. As a result, a lot
of warnings are generated which do not refer to 64-bit defects and it complicates the use of this
diagnosis type. Moreover, the compiler does not detect this type of errors at all when compiling a 32-bit
project.

3.23. Dangerous [] operator
Description:

• PVS-Studio documentation. V302. Member operator[] of 'foo' class has a 32-bit type argument.
Use memsize-type here.
• Andrey Karpov. OOO "Program Verification Systems" company blog. Search of 64-bit errors in
array implementation.

3.24. Using deprecated functions
Description:

• PVS-Studio documentation. V303. The function is deprecated in the Win64 system. It is safer to
use the 'foo' function.

3.25. Buffer overflow or underflow error
Description:

• PVS-Studio documentation. V320. A call of the 'foo' function will lead to a buffer overflow or
underflow in a 64-bit system.

Note to the table

The task of searching for the buffer overflow is difficult and often cannot be solved by means of static
analysis at all. That is why we specified in the table that the Viva64 analyzer detects only some of the
defects of this kind.

3.26. Searching for structures whose sizes can be decreased without
performance loss
Description:

• PVS-Studio documentation. V401. The structure's size can be decreased via changing the fields'
order. The size can be reduced from N to K bytes.
• Lessons on development of 64-bit C/C++ applications. Lesson 23. Pattern 15. Growth of
structures' sizes.
• Andrey Karpov. OOO "Program Verification Systems" company blog. Viva64 for optimizing data
structures.

Note to the table

The Visual C++ compiler warns about all empty spaces between fields in structures that appear because
of data alignment. This information may be used to search for non-optimal structures but it is difficult to
do in practice.

3.27. Using a function without preliminarily defining it (in the C language)
Description:

• PVS-Studio documentation. V102. Usage of non memsize type for pointer arithmetic.
• Andrey Karpov. OOO "Program Verification Systems" company blog. A nice 64-bit error in C.

Note to the table

The analyzer diagnoses this type of errors indirectly by generating a warning about conversion of the int
type to the pointer.

3.28. Incorrect #ifdef..#else
Description:

• Andrey Karpov. A Collection of Examples of 64-bit Errors in Real Programs. Example 3.

3.29. Serialization errors (changes of type sizes, byte order changes)
Description:

• Lessons on development of 64-bit C/C++ applications. Lesson 19. Pattern 11. Serialization and
data interchange.

3.30. Redirection errors (referring to WoW64)
Description:

• Andrey Karpov. A Collection of Examples of 64-bit Errors in Real Programs. Example 30.

3.31. Changes of program behavior when using overloaded functions
Description:

• Lessons on development of 64-bit C/C++ applications. Lesson 22. Pattern 14. Overloaded
functions.

Summary
The Viva64 static analyzer included into PVS-Studio exceeds the capabilities of Visual C++ 2010 and Code
Analysis for C/C++ component several times in detecting 64-bit defects. The analyzer can be used with
the same efficiency both when developing new 64-bit projects and preparing 32-bit code for migration
to a 64-bit system. The Viva64 analyzer also helps in estimating the cost of porting an application to a
64-bit system - this feature is described in "Lesson 28. Estimating the cost of 64-bit migration of C/C++
applications".

Comparing capabilities of PVS-Studio and Visual Studio 2010 in detecting defects in 64-bit programs

More Related Content

What's hot

Viewers also liked

Similar to Comparing capabilities of PVS-Studio and Visual Studio 2010 in detecting defects in 64-bit programs

Recently uploaded

Comparing capabilities of PVS-Studio and Visual Studio 2010 in detecting defects in 64-bit programs