Our website uses cookies to enhance your browsing experience.
Accept
to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam

Webinar: Parsing C++ - 10.10

>
>
>
Appreciate Static Code Analysis!

Appreciate Static Code Analysis!

Oct 16 2017
Author:

I am really astonished by the capabilities of static code analysis even though I am one of the developers of PVS-Studio analyzer myself. The tool surprised me the other day as it turned out to be smarter and more attentive than I am.

0535_Appreciate_Static_Code_Analysis/image1.png

You must be careful when working with static analysis tools. Code reported by the analyzer often looks fine and you are tempted to discard the warning as a false positive and move on. Even I, one of the PVS-Studio developers, fall into this trap and fail to spot bugs every now and then. A few days ago, I opened two tickets in our bug tracker reporting the V614 diagnostic, which looks for use of uninitialized variables and arrays.

In both cases, I was sure the analyzer was wrong and needed fixing up. Here's the first case:

0535_Appreciate_Static_Code_Analysis/image2.png

I read this code four times but saw nothing suspicious. I concluded it was a false positive that needed fixing, but the analyzer was actually right, while I was not attentive enough.

The caption buffer remains uninitialized. Look at the first lines: both strings are written to buffer text. This is a typo and I overlooked it.

The second case is even more epic:

0535_Appreciate_Static_Code_Analysis/image3.png

PVS-Studio warned about the use of uninitialized buffer buf. Nonsense! I reported it as a bug to be fixed since it was obvious that the sprintf function did initialize the buffer and the code was fine.

No way! Again, PVS-Studio was right and I was wrong. The creation excelled the creator. :)

Look what the mean author of that code wrote in one of the header files:

0535_Appreciate_Static_Code_Analysis/image5.png

(definesTypes.h)

sprinf expands into std::printf. Yes, that is right, sprintf does the same as printf in this program.

What a shame! It turns out the printf function uses uninitialized buffer buf as a format string.

So, appreciate and use static code analyzers! They will help save your time and nerve cells.



Comments (0)

Next comments next comments
close comment form