PVS-Studio,
a solution for developers of modern
resource-intensive applications

OOO “Program Verification Systems” (Co Ltd)



            www.viva64.com
PVS-Studio Overview
PVS-Studio is a static analyzer that detects errors in the source code of
C, C++, C++11 and C++/CX applications.

PVS-Studio includes 3 sets of rules:

 1. General-purpose diagnostics
 2. Diagnostics of 64-bit errors (Viva64)
 3. Diagnostics of parallel errors (VivaMP)
Examples of errors we detect
Priority of & and ! operations
Return to Castle Wolfenstein – a first-person shooter developed by
id Software. The game engine is available under the GPL license.

#define SVF_CASTAI      0x00000010

// Incorrect: parsed as (!ent->r.svFlags) & SVF_CASTAI, which is always 0
if ( !ent->r.svFlags & SVF_CASTAI )

// Correct: test the flag first, then negate
if ( ! (ent->r.svFlags & SVF_CASTAI) )
Usage of && instead of &

Stickies – yellow sticky notes, only on your monitor.




#define REO_INPLACEACTIVE   (0x02000000L)
#define REO_OPEN            (0x04000000L)

if (reObj.dwFlags && REO_INPLACEACTIVE)
  m_pRichEditOle->InPlaceDeactivate();

if(reObj.dwFlags && REO_OPEN)
  hr = reObj.poleobj->Close(OLECLOSE_NOSAVE);
Undefined behavior
                          Miranda IM (Miranda Instant Messenger) –
                          instant messaging software for Microsoft
                          Windows.

while (*(n = ++s + strspn(s, EZXML_WS)) && *n != '>') {
Usage of `delete` for an array
                     Chromium – open source web browser developed by
                     Google. The development of Google Chrome browser is
                     based upon Chromium.


 auto_ptr<VARIANT> child_array(new VARIANT[child_count]);

You should not use auto_ptr with arrays. Only one element is destroyed inside
auto_ptr destructor:
~auto_ptr() {
  delete _Myptr;
}

For example you can use boost::scoped_array as an alternative.
Condition is always true

WinDjView is a fast and small app for viewing files in the DjVu format.




inline bool IsValidChar(int c)
{
  return c == 0x9 || 0xA || c == 0xD || c >= 0x20 && c <= 0xD7FF
      || c >= 0xE000 && c <= 0xFFFD || c >= 0x10000 && c <= 0x10FFFF;
}
Code formatting differs from its own logic
                                     Squirrel – interpreted programming
                                     language, which is developed to be used as
                                     a scripting language in real time
                                     applications such as computer games.



 if(pushval != 0)
    if(pushval) v->GetUp(-1) = t;
  else
    v->Pop(1);

v->Pop(1); - will never be reached
Incidental local variable declaration

           FCE Ultra – open source Nintendo Entertainment
           System console emulator

              int iNesSaveAs(char* name)
              {
                ...
                fp = fopen(name,"wb");
                int x = 0;
                if (!fp)
                  int x = 1;
                ...
              }
Using char as unsigned char
          // check each line for illegal utf8 sequences.
          // If one is found, we treat the file as ASCII,
          // otherwise we assume an UTF8 file.
          char * utf8CheckBuf = lineptr;
          while ((bUTF8)&&(*utf8CheckBuf))
          {
            if ((*utf8CheckBuf == 0xC0)||
                (*utf8CheckBuf == 0xC1)||
                (*utf8CheckBuf >= 0xF5))
            {
              bUTF8 = false;
              break;
            }

TortoiseSVN — a client for the Subversion revision control system,
implemented as a Windows shell extension.
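Added example (not from the slides or from TortoiseSVN): the same three comparisons run over signed and unsigned bytes, showing that the signed version can never reject anything. The sample byte strings and function names are constructed for illustration; `signed char` is used explicitly because plain `char` is signed on x86 compilers.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample inputs, NUL-terminated. */
static const unsigned char SAMPLE_OK[] = { 'h', 0xC3, 0xA9, 0 };  /* valid two-byte sequence */
static const unsigned char SAMPLE_C0[] = { 'A', 0xC0, 0x80, 0 };  /* 0xC0 is never legal */
static const unsigned char SAMPLE_FF[] = { 'A', 0xFF, 0 };        /* bytes >= 0xF5 are never legal */

/* The slide's check with the bytes read as signed char. */
bool no_illegal_bytes_signed(const signed char *buf)
{
    for (; *buf; buf++) {
        int c = *buf;  /* the promotion the comparison performs: -128..127 */
        if (c == 0xC0 || c == 0xC1 || c >= 0xF5)
            return false;  /* never taken: 192, 193 and 245+ are out of range */
    }
    return true;
}

/* The same check with the bytes read as unsigned char: 0..255. */
bool no_illegal_bytes_unsigned(const unsigned char *buf)
{
    for (; *buf; buf++) {
        int c = *buf;
        if (c == 0xC0 || c == 0xC1 || c >= 0xF5)
            return false;
    }
    return true;
}

int main(void)
{
    const unsigned char *samples[] = { SAMPLE_OK, SAMPLE_C0, SAMPLE_FF };
    const char *names[] = { "valid", "0xC0", "0xFF" };

    for (int i = 0; i < 3; i++)
        printf("%-6s signed: %s  unsigned: %s\n", names[i],
               no_illegal_bytes_signed((const signed char *)samples[i])
                   ? "accept" : "reject",
               no_illegal_bytes_unsigned(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The signed check accepts all three inputs, so a file containing illegal bytes is still treated as UTF-8; declaring the buffer pointer as `unsigned char *` restores the intended rejection.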
Incidental use of octal values
oCell._luminance = uint16(0.2220f*iPixel._red +
                          0.7067f*iPixel._blue +
                          0.0713f*iPixel._green);

....

oCell._luminance = 2220*iPixel._red +
                   7067*iPixel._blue +
                   0713*iPixel._green;




                eLynx Image Processing SDK and Lab
One variable is used for two loops
Lugaru — the first commercial game developed by the independent
Wolfire Games team.

          static int i,j,k,l,m;
          ...
          for(j=0; j<numrepeats; j++){
            ...
            for(i=0; i<num_joints; i++){
              ...
              for(j=0;j<num_joints;j++){
                if(joints[j].locked)freely=0;
              }
              ...
            }
            ...
          }
Array overrun

                      LAME – free app for MP3 audio encoding.




#define SBMAX_l      22
int l[1+SBMAX_l];

for (r0 = 0; r0 < 16; r0++) {
   ...
   for (r1 = 0; r1 < 8; r1++) {
     int a2 = gfc->scalefac_band.l[r0 + r1 + 2];
Priority of * and ++ operations
      eMule is a client for ED2K file sharing network.

      STDMETHODIMP CCustomAutoComplete::Next(...,
        ULONG *pceltFetched)
      {
        ...
        if (pceltFetched != NULL)
          *pceltFetched++;
        ...
      }

      (*pceltFetched)++;
Comparison mistake
                             WinMerge — free open source software intended for
                             the comparison and synchronization of files and
                             directories.



BUFFERTYPE m_nBufferType[2];
...
// Handle unnamed buffers
if ((m_nBufferType[nBuffer] == BUFFER_UNNAMED) ||
    (m_nBufferType[nBuffer] == BUFFER_UNNAMED))
  nSaveErrorCode = SAVE_NO_FILENAME;

Judging by the surrounding code, this should be:
(m_nBufferType[0] == BUFFER_UNNAMED) ||
(m_nBufferType[1] == BUFFER_UNNAMED)
Forgotten array index
void lNormalizeVector_32f_P3IM(..., Ipp32s* mask, ...) {
  Ipp32s i;
  Ipp32f norm;

    for(i=0; i<len; i++) {
      if(mask<0) continue;
      ...
    }
}

if(mask[i]<0) continue;

             IPP Samples are samples demonstrating how to
             work with Intel Performance Primitives Library
             7.0.
Identical source code branches
Notepad++ - a free text editor for Windows with syntax highlighting for a
variety of programming languages.

if (!_isVertical)
  Flags |= DT_BOTTOM;
else
  Flags |= DT_BOTTOM;

if (!_isVertical)
  Flags |= DT_VCENTER;
else
  Flags |= DT_BOTTOM;
Calling incorrect function with similar name
What a beautiful comment. Sadly, the code here does not do what was
intended.
/** Deletes all previous field specifiers.
  * This should be used when dealing
  * with clients that send multiple NEP_PACKET_SPEC
  * messages, so only the last PacketSpec is taken
  * into account. */
int NEPContext::resetClientFieldSpecs(){
  this->fspecs.empty();
  return OP_SUCCESS;
} /* End of resetClientFieldSpecs() */

Nmap Security Scanner – a free utility for flexible, customizable scanning
of IP networks with any number of objects and for identifying the status
of the objects on the scanned network.
Dangerous ?: operator

Newton Game Dynamics – a well-known physics engine that allows reliable and
fast simulation of the physical behavior of environmental objects.




den = dgFloat32 (1.0e-24f) *
  (den > dgFloat32(0.0f)) ? dgFloat32(1.0f) : dgFloat32(-1.0f);

The priority of ?: is lower than that of the multiplication operator *.
And so on, and so on…
FCE Ultra

if((t=(char *)realloc(
  next->name, strlen(name+1))))

if((t=(char *)realloc(
  next->name, strlen(name)+1)))



minX=max(0,minX+mcLeftStart-2);
minY=max(0,minY+mcTopStart-2);
maxX=min((int)width,maxX+mcRightEnd-1);
maxY=min((int)height,maxX+mcBottomEnd-1);

minX=max(0,minX+mcLeftStart-2);
minY=max(0,minY+mcTopStart-2);
maxX=min((int)width,maxX+mcRightEnd-1);
maxY=min((int)height,maxY+mcBottomEnd-1);
Low level memory management operations
Return to Castle Wolfenstein

ID_INLINE mat3_t::mat3_t( float src[3][3] )
{
  memcpy( mat, src, sizeof( src ) );
}

ID_INLINE mat3_t::mat3_t( float (&src)[3][3] )
{
  memcpy( mat, src, sizeof( src ) );
}


itemInfo_t *itemInfo;
memset( itemInfo, 0, sizeof( &itemInfo ) );

memset( itemInfo, 0, sizeof( *itemInfo ) );
Low level memory management operations
CxImage – open image processing library.




memset(tcmpt->stepsizes, 0,
    sizeof(tcmpt->numstepsizes * sizeof(uint_fast16_t)));

memset(tcmpt->stepsizes, 0,
  tcmpt->numstepsizes * sizeof(uint_fast16_t));
Low level memory management operations
A beautiful example of a 64-bit error:

dgInt32 faceOffsetHitogram[256];
dgSubMesh* mainSegmenst[256];

memset (faceOffsetHitogram, 0, sizeof (faceOffsetHitogram));
memset (mainSegmenst, 0, sizeof (faceOffsetHitogram));


This code was duplicated but not entirely corrected. As a result, on Win64
the size of a pointer is not equal to the size of the dgInt32 type, and
only a fraction of the mainSegmenst array is cleared.
Low level memory management operations
#define CONT_MAP_MAX 50
int _iContMap[CONT_MAP_MAX];
...
memset(_iContMap, -1, CONT_MAP_MAX);

memset(_iContMap, -1, CONT_MAP_MAX * sizeof(int));
Low level memory management operations
OGRE — open source Object-Oriented Graphics Rendering Engine written in C++.


       Real w, x, y, z;
       ...

       inline Quaternion(Real* valptr)
       {
         memcpy(&w, valptr, sizeof(Real)*4);
       }

Yes, at present this is not a mistake. But it is a landmine!
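Added example (not from the slides or from the projects they quote): the length expressions from the "Low level memory management operations" slides above, passed to memset and measured by how much of each object is really written. `item_info_t`, the helper names and the element count of 10 are constructed for illustration; with 4-byte int and 8-byte pointers it reports 12 of 50 ints filled and 128 of 256 pointers cleared.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CONT_MAP_MAX 50   /* value from the slide */
#define N_SEG        256  /* array length from the slide */

/* Constructed stand-in for itemInfo_t; the real layout is not on the page. */
typedef struct { int id; char name[60]; } item_info_t;

/* Fill an int[CONT_MAP_MAX] with -1 using nbytes as the memset length and
 * return how many leading elements read back as -1.
 * nbytes must not exceed the size of the array. */
size_t ints_set_to_minus_one(size_t nbytes)
{
    int map[CONT_MAP_MAX];
    size_t n = 0;

    memset(map, 0, sizeof map);
    memset(map, -1, nbytes);
    while (n < CONT_MAP_MAX && map[n] == -1)
        n++;
    return n;
}

/* Clear a pointer array with nbytes and count the leading NULL entries. */
size_t pointers_cleared(size_t nbytes)
{
    static int target;
    void *segs[N_SEG];
    size_t n = 0;

    for (size_t i = 0; i < N_SEG; i++)
        segs[i] = &target;
    memset(segs, 0, nbytes);
    while (n < N_SEG && segs[n] == NULL)
        n++;
    return n;
}

/* Clear a struct with nbytes and count the leading bytes that became 0. */
size_t struct_bytes_cleared(size_t nbytes)
{
    item_info_t item;
    const unsigned char *p = (const unsigned char *)&item;
    size_t n = 0;

    memset(&item, 0xAA, sizeof item);
    memset(&item, 0, nbytes);
    while (n < sizeof item && p[n] == 0)
        n++;
    return n;
}

int main(void)
{
    item_info_t *itemInfo = NULL;  /* only sized below, never dereferenced */
    size_t numstepsizes = 10;      /* constructed element count */

    printf("struct: sizeof(&itemInfo) clears %zu bytes, sizeof(*itemInfo) clears %zu\n",
           struct_bytes_cleared(sizeof(&itemInfo)),
           struct_bytes_cleared(sizeof(*itemInfo)));
    printf("stepsizes: sizeof(n * sizeof(T)) = %zu bytes, n * sizeof(T) = %zu bytes\n",
           sizeof(numstepsizes * sizeof(uint_fast16_t)),
           numstepsizes * sizeof(uint_fast16_t));
    printf("pointers: sizeof(int32 array) clears %zu of %d, sizeof(pointer array) clears %zu\n",
           pointers_cleared(sizeof(int32_t[N_SEG])), N_SEG,
           pointers_cleared(sizeof(void *[N_SEG])));
    printf("ints: length CONT_MAP_MAX fills %zu of %d, CONT_MAP_MAX * sizeof(int) fills %zu\n",
           ints_set_to_minus_one(CONT_MAP_MAX), CONT_MAP_MAX,
           ints_set_to_minus_one(CONT_MAP_MAX * sizeof(int)));
    return 0;
}
```

In each pair the second length is derived from the destination object itself (`sizeof *ptr`, `sizeof array`, or `count * sizeof element`), which is the form that stays correct when the element type or the pointer width changes.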
And a whole lot of other errors in well known projects
•    WinMerge
•    Chromium, Return to Castle Wolfenstein, etc
•    Miranda IM
•    Intel IPP Samples
•    Fennec Media Project
•    Ultimate Toolbox
•    Loki
•    eMule Plus, Pixie, VirtualDub, WinMerge, XUIFramework
•    Chromium
•    Qt
•    Apache HTTP Server
•    TortoiseSVN

Here are the links to the articles containing descriptions of the errors:
http://www.viva64.com/en/pvs-studio/
Types of detectable errors
• copy-paste errors;
• Incorrect formatting strings (printf);
• buffer overflow;
• Incorrect utilization of STL, WinAPI;
• ...
• errors concerning the migration of 32-bit
  applications to 64-bit systems (Viva64);
• errors concerning the incorrect usage of
  OpenMP;
Integration
• Visual Studio 2012: C, C++, C++11,
  C++/CX (WinRT).
• Visual Studio 2010: C, C++, C++0x.
• Visual Studio 2008: C, C++.
• Visual Studio 2005: C, C++.
• Embarcadero RAD Studio XE3: C, C++, C++11.
• Embarcadero RAD Studio XE2: C, C++.
• MinGW: C, C++.
PVS-Studio Features
•   Incremental Analysis – verification of newly compiled files;
•   verification of files modified within the last several days;
•   verification of files listed by name in a text file;
•   continuous integration systems support;
•   version control systems integration;
•   ability to operate from the command line interface;
•   «False Alarms» marking;
•   saving and loading of analysis results;
•   utilizing all available cores and processors;
•   interactive filters;
•   Russian and English online documentation;
•   PDF documentation;
Integration with Visual Studio 2005/2008/2010/2012
Integration with Embarcadero RAD Studio XE2/XE3
Incremental Analysis – verification of newly compiled files
• you just work with Visual Studio as usual;
• compile with F7;
• verification of the newly compiled files starts automatically in the
  background;
• when verification finishes, a notification appears, allowing you to
  inspect the detected errors;
VCS and CI support (revision control, continuous integration)
• launching from command line:
 "C:\Program Files (x86)\PVS-Studio\x64\PVS-Studio.exe"
 --sln-file "C:\Users\evg\Documents\OmniSample\OmniSample (vs2008).sln"
 --plog-file "C:\Users\evg\Documents\result.plog"
 --vcinstalldir "C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC"
 --platform "x64"
 --configuration "Release"


• sending the results by mail:
 cmd.exe /c type result-log.plog.only_new_messages.txt

• commands for launching from CruiseControl.Net,
  Hudson, Microsoft TFS are readily available
Interactive filters
• filtering messages without restarting the
  analysis
• filtering by error code, by filename (including masks), by message
  text, by warning level;
• displaying/hiding false alarms.
Integrated help reference (description of the errors)
PVS-Studio Advantages
• Easy-to-download! You may download the PVS-Studio
  distribution package without registering and filling in
  any forms.
• Easy-to-try! The PVS-Studio program is implemented
  as a plug-in for Visual Studio and Embarcadero RAD
  Studio.
• Easy-to-buy! Unlike other code analyzers, we have a
  simple pricing and licensing policy.
• Easy-to-support! It is the analyzer's developers who
  directly communicate with users, which enables you to
  quickly get answers to even complicated questions
  related to programming.
Pricing policy
• a license for a team of no more than five
  developers is €5250;
• prolongation for one year – 80% of base price;
• the site license for teams with 20+
  developers;
Information about company
OOO “Program Verification Systems” (Co Ltd)
 300027, Russia, Tula, Metallurgov 70-1-88.

www.viva64.com
support@viva64.com


Working time: 09:00 – 18:00 (GMT +3:00)

PVS-Studio 5.00, a solution for developers of modern resource-intensive applications

  • 1. PVS-Studio, a solution for developers of modern resource-intensive applications OOO “Program Verification Systems” (Co Ltd) www.viva64.com
  • 2. PVS-Studio Overview PVS-Studio is a static analyzer that detects errors in source code of C, C++, C++11, C++/CX applications. There are 3 sets of rules included into PVS-Studio: 1. General-purpose diagnosis 2. Diagnosis of 64-bit errors (Viva64) 3. Diagnosis of parallel errors (VivaMP)
  • 3. Examples of errors we detect
  • 4. Priority of & and ! operations Return to Castle Wolfenstein – computer game, first person shooter, developed by id Software company. Game engine is available under GPL license. #define SVF_CASTAI 0x00000010 if ( !ent->r.svFlags & SVF_CASTAI ) if ( ! (ent->r.svFlags & SVF_CASTAI) )
  • 5. Usage of && instead of & Stickies – yellow sticky notes, just only on your monitor. #define REO_INPLACEACTIVE (0x02000000L) #define REO_OPEN (0x04000000L) if (reObj.dwFlags && REO_INPLACEACTIVE) m_pRichEditOle->InPlaceDeactivate(); if(reObj.dwFlags && REO_OPEN) hr = reObj.poleobj->Close(OLECLOSE_NOSAVE);
  • 6. Undefined behavior Miranda IM (Miranda Instant Messenger) – instant messaging software for Microsoft Windows. while (*(n = ++s + strspn(s, EZXML_WS)) && *n != '>') {
  • 7. Usage of `delete` for an array Chromium – open source web browser developed by Google. The development of Google Chrome browser is based upon Chromium. auto_ptr<VARIANT> child_array(new VARIANT[child_count]); You should not use auto_ptr with arrays. Only one element is destroyed inside auto_ptr destructor: ~auto_ptr() { delete _Myptr; } For example you can use boost::scoped_array as an alternative.
  • 8. Condition is always true WinDjView is fast and small app for viewing files of DjVu format. inline bool IsValidChar(int c) { return c == 0x9 || 0xA || c == 0xD || c >= 0x20 && c <= 0xD7FF || c >= 0xE000 && c <= 0xFFFD || c >= 0x10000 && c <= 0x10FFFF; }
  • 9. Code formatting differs from it’s own logic Squirrel – interpreted programming language, which is developed to be used as a scripting language in real time applications such as computer games. if(pushval != 0) if(pushval) v->GetUp(-1) = t; else v->Pop(1); v->Pop(1); - will never be reached
  • 10. Incidental local variable declaration FCE Ultra – open source Nintendo Entertainment System console emulator int iNesSaveAs(char* name) { ... fp = fopen(name,"wb"); int x = 0; if (!fp) int x = 1; ... }
  • 11. Using char as unsigned char // check each line for illegal utf8 sequences. // If one is found, we treat the file as ASCII, // otherwise we assume an UTF8 file. char * utf8CheckBuf = lineptr; while ((bUTF8)&&(*utf8CheckBuf)) { if ((*utf8CheckBuf == 0xC0)|| (*utf8CheckBuf == 0xC1)|| (*utf8CheckBuf >= 0xF5)) { bUTF8 = false; break; } TortoiseSVN — client of Subversion revision control system, implemented as Windows shell extension.
  • 12. Incidental use of octal values oCell._luminance = uint16(0.2220f*iPixel._red + 0.7067f*iPixel._blue + 0.0713f*iPixel._green); .... oCell._luminance = 2220*iPixel._red + 7067*iPixel._blue + 0713*iPixel._green; eLynx Image Processing SDK and Lab
  • 13. One variable is used for two loops Lugaru — first commercial game developed by Wolfire Games independent team. static int i,j,k,l,m; ... for(j=0; j<numrepeats; j++){ ... for(i=0; i<num_joints; i++){ ... for(j=0;j<num_joints;j++){ if(joints[j].locked)freely=0; } ... } ... }
  • 14. Array overrun LAME – free app for MP3 audio encoding. #define SBMAX_l 22 int l[1+SBMAX_l]; for (r0 = 0; r0 < 16; r0++) { ... for (r1 = 0; r1 < 8; r1++) { int a2 = gfc->scalefac_band.l[r0 + r1 + 2];
  • 15. Priority of * and ++ operations eMule is a client for ED2K file sharing network. STDMETHODIMP CCustomAutoComplete::Next(..., ULONG *pceltFetched) { ... if (pceltFetched != NULL) *pceltFetched++; ... } (*pceltFetched)++;
  • 16. Comparison mistake WinMerge — free open source software intended for the comparison and synchronization of files and directories. BUFFERTYPE m_nBufferType[2]; ... // Handle unnamed buffers if ((m_nBufferType[nBuffer] == BUFFER_UNNAMED) || (m_nBufferType[nBuffer] == BUFFER_UNNAMED)) nSaveErrorCode = SAVE_NO_FILENAME; By reviewing the code close by, this should contain: (m_nBufferType[0] == BUFFER_UNNAMED) || (m_nBufferType[1] == BUFFER_UNNAMED)
  • 17. Forgotten array index void lNormalizeVector_32f_P3IM(..., Ipp32s* mask, ...) { Ipp32s i; Ipp32f norm; for(i=0; i<len; i++) { if(mask<0) continue; ... } } if(mask[i]<0) continue; IPP Samples are samples demonstrating how to work with Intel Performance Primitives Library 7.0.
  • 18. Identical source code branches Notepad++ - free text editor for Windows supporting syntax highlight for a variety of programming languages. if (!_isVertical) if (!_isVertical) Flags |= DT_BOTTOM; Flags |= DT_VCENTER; else else Flags |= DT_BOTTOM; Flags |= DT_BOTTOM;
  • 19. Calling incorrect function with similar name What a beautiful comment. But it is sad that here we’re doing not what was intended. /** Deletes all previous field specifiers. * This should be used when dealing * with clients that send multiple NEP_PACKET_SPEC * messages, so only the last PacketSpec is taken * into account. */ int NEPContext::resetClientFieldSpecs(){ this->fspecs.empty(); return OP_SUCCESS; } /* End of resetClientFieldSpecs() */ Nmap Security Scanner – free utility intended for diverse customizable scanning of IP-networks with any number of objects and for identification of the statuses of the objects belonging to the network which is being scanned.
  • 20. Dangerous ?: operator Newton Game Dynamics – a well known physics engine which allows for reliable and fast simulation of environmental object’s physical behavior. den = dgFloat32 (1.0e-24f) * (den > dgFloat32(0.0f)) ? dgFloat32(1.0f) : dgFloat32(-1.0f); The priority of ?: is lower than that of multiplication operator *.
  • 21. And so on, and so on… if((t=(char *)realloc( next->name, strlen(name+1)))) FCE Ultra if((t=(char *)realloc( next->name, strlen(name)+1))) minX=max(0,minX+mcLeftStart-2); minY=max(0,minY+mcTopStart-2); maxX=min((int)width,maxX+mcRightEnd-1); maxY=min((int)height,maxX+mcBottomEnd-1); minX=max(0,minX+mcLeftStart-2); minY=max(0,minY+mcTopStart-2); maxX=min((int)width,maxX+mcRightEnd-1); maxY=min((int)height,maxY+mcBottomEnd-1);
  • 22. Low level memory management operations ID_INLINE mat3_t::mat3_t( float src[3][3] ) Return to Castle { Wolfenstein memcpy( mat, src, sizeof( src ) ); } ID_INLINE mat3_t::mat3_t( float (&src)[3][3] ) { memcpy( mat, src, sizeof( src ) ); } itemInfo_t *itemInfo; memset( itemInfo, 0, sizeof( &itemInfo ) ); memset( itemInfo, 0, sizeof( *itemInfo ) );
  • 23. Low level memory management operations
    CxImage – open image processing library.

    memset(tcmpt->stepsizes, 0,
           sizeof(tcmpt->numstepsizes * sizeof(uint_fast16_t)));

    memset(tcmpt->stepsizes, 0,
           tcmpt->numstepsizes * sizeof(uint_fast16_t));
  • 24. Low level memory management operations
    A beautiful example of a 64-bit error:

    dgInt32 faceOffsetHitogram[256];
    dgSubMesh* mainSegmenst[256];
    memset (faceOffsetHitogram, 0, sizeof (faceOffsetHitogram));
    memset (mainSegmenst, 0, sizeof (faceOffsetHitogram));

    This code was duplicated but not entirely corrected. On Win64 the size of a pointer is not equal to the size of the dgInt32 type, so only a fraction of the mainSegmenst array is cleared.
  • 25. Low level memory management operations

    #define CONT_MAP_MAX 50
    int _iContMap[CONT_MAP_MAX];
    ...
    memset(_iContMap, -1, CONT_MAP_MAX);

    memset(_iContMap, -1, CONT_MAP_MAX * sizeof(int));
  • 26. Low level memory management operations
    OGRE – open source Object-Oriented Graphics Rendering Engine written in C++.

    Real w, x, y, z;
    ...
    inline Quaternion(Real* valptr)
    {
      memcpy(&w, valptr, sizeof(Real)*4);
    }

    Yes, at present this is not a mistake. But it is a landmine!
  • 27. And a whole lot of other errors in well-known projects
      • WinMerge
      • Chromium, Return to Castle Wolfenstein, etc
      • Miranda IM
      • Intel IPP Samples
      • Fennec Media Project
      • Ultimate Toolbox
      • Loki
      • eMule Plus, Pixie, VirtualDub, WinMerge, XUIFramework
      • Chromium
      • Qt
      • Apache HTTP Server
      • TortoiseSVN
    Here are the links to the articles containing descriptions of the errors: http://www.viva64.com/en/pvs-studio/
  • 28. Types of detectable errors
      • copy-paste errors;
      • incorrect formatting strings (printf);
      • buffer overflow;
      • incorrect utilization of STL, WinAPI;
      • ...
      • errors concerning the migration of 32-bit applications to 64-bit systems (Viva64);
      • errors concerning the incorrect usage of OpenMP;
  • 29. Integration
      • Visual Studio 2012: C, C++, C++11, C++/CX (WinRT).
      • Visual Studio 2010: C, C++, C++0x.
      • Visual Studio 2008: C, C++.
      • Visual Studio 2005: C, C++.
      • Embarcadero RAD Studio XE3: C, C++, C++11.
      • Embarcadero RAD Studio XE2: C, C++.
      • MinGW: C, C++.
  • 30. PVS-Studio Features
      • Incremental Analysis – verification of newly compiled files;
      • verification of files modified within the last several days;
      • verification of files by their filenames listed in a text file;
      • continuous integration systems support;
      • version control systems integration;
      • ability to operate from the command line interface;
      • «False Alarms» marking;
      • saving and loading of analysis results;
      • utilizing all available cores and processors;
      • interactive filters;
      • Russian and English online documentation;
      • PDF documentation;
  • 31. Integration with Visual Studio 2005/2008/2010/2012
  • 33. Incremental Analysis – verification of newly compiled files
      • you just work with Visual Studio as usual;
      • compile by F7;
      • the verification of newly compiled files will start in the background automatically;
      • at the end of verification a notification will appear, allowing you to inspect the detected errors;
  • 34. VCS and CI support (revision control, continuous integration)
      • launching from command line:
        "C:\Program Files (x86)\PVS-Studio\x64\PVS-Studio.exe" --sln-file "C:\Users\evg\Documents\OmniSample\OmniSample (vs2008).sln" --plog-file "C:\Users\evg\Documents\result.plog" --vcinstalldir "C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC" --platform "x64" --configuration "Release"
      • sending the results by mail:
        cmd.exe /c type result-log.plog.only_new_messages.txt
      • commands for launching from CruiseControl.Net, Hudson, Microsoft TFS are readily available
  • 35. Interactive filters
      • filtering messages without restarting the analysis;
      • filtering by error code, by filenames (including masks), by message text, by warning levels;
      • displaying/hiding false alarms.
  • 36. Integrated help reference (description of the errors)
  • 37. PVS-Studio Advantages
      • Easy-to-download! You may download the PVS-Studio distribution package without registering and filling in any forms.
      • Easy-to-try! The PVS-Studio program is implemented as a plug-in for Visual Studio and Embarcadero RAD Studio.
      • Easy-to-buy! Unlike other code analyzers, we have a simple pricing and licensing policy.
      • Easy-to-support! It is the analyzer's developers who directly communicate with users, which enables you to quickly get answers to even complicated questions related to programming.
  • 38. Pricing policy
      • a license for a team of no more than five developers is €5250;
      • prolongation for one year – 80% of base price;
      • the site license for teams with 20+ developers;
  • 39. Information about company
    OOO “Program Verification Systems” (Co Ltd)
    300027, Russia, Tula, Metallurgov 70-1-88.
    www.viva64.com
    [email protected]
    Working time: 09:00 – 18:00 (GMT +3:00)