We, the PVS-Studio static code analyzer developers, have a peculiar view on beauty. On the beauty of bugs. We like to find grace in errors, examine them, try to guess how they appeared. Today we have an interesting case where the concepts of length and size got mixed up in the code.

LFortran project error

When we heard about the new CppCast issue about LFortran, we decided to check this very LFortran. This is a small project so we don’t know if there will be enough material for a classic article about open-source project analysis. However, a small error immediately caught our attention…


Static analyzers’ primary aim is to search for errors missed by developers. Recently, the PVS-Studio team again found an interesting example proving the power of static analysis.

You have to be very attentive while working with static analysis tools. Often the code that triggered the analyzer seems to be correct. So, you are tempted to mark the warning as false positive. The other day, we fell into such a trap. Here’s how it turned out.

Recently, we’ve enhanced the analyzer core. When viewing new warnings, my colleague found a false one among them. He noted the warning to show the…


Each generation, companies like Sony, Microsoft and Nintendo delight their consumers with new consoles and different games for them. Yet there is a caveat: some games run exclusively on their platforms, and a console may cost as much as an expensive PC component or a full-fledged computer. So what can you do? Emulators come to the rescue here. The market is full of similar projects, and some are released as open source. Let us turn our attention to Nintendo Switch emulators. Online, the Ryujinx and Yuzu projects are among the most popular answers. …


Visual Studio from Microsoft has long been the main development environment to work with the PVS-Studio analyzer. Our analyzer started off on Windows, so Visual Studio was an obvious and reasonable choice. In more than 10 years of PVS-Studio development, the analyzer has become available for several other languages and platforms. No wonder people ask us if we can integrate PVS-Studio into their favorite IDEs.

A year ago, on June 18, 2020, we released the first version of the PVS-Studio plugin for the JetBrains Rider environment. …


PVS-Studio is a static analysis tool that helps find errors in software source code. This time PVS-Studio looked for bugs in Storm Engine’s source code.

Storm Engine

Storm Engine is a gaming engine that Akella has been developing since January 2000, for the Sea Dogs game series. The game engine became open-source on March 26th, 2021. The source code is available on GitHub under the GPLv3 license. Storm Engine is written in C++.

In total, PVS-Studio issued 235 high-level warnings and 794 medium-level warnings. Many of these warnings point to bugs that may cause undefined behavior. …


We don’t often get the chance to write something on parallel programming issues. This time we “got lucky”. The TraceEvent standard method has some implementation peculiarities. They resulted in an error with multiple threads blocking. So we’d like to warn users about this nuance and cover this interesting case from our user support practice. Why was our support involved? Keep reading to find out. Enjoy the read!

Backstory

The PVS-Studio distribution includes the CLMonitor.exe utility or compilation monitoring system. It helps to seamlessly integrate PVS-Studio static analysis for C and C++ into any build system. A build system has to use…


We know many ways to detect performance problems, such as extremely low speed and high memory consumption. Usually tests, developers, or testers detect such drawbacks in applications. In the worst case, users find weaknesses and report back. Alas, detecting defects is only the first step. Next, we should localize the problem. Otherwise, we won’t solve it. Here comes a question: how do we find the weak points that lead to excessive memory consumption and slowdowns in a large project? Are there any at all? Maybe it’s not about the application? …


This note will answer the question — why PVS-Studio considers parameters of public methods potential sources of tainted data. The analyzer can issue warnings if such parameters haven’t been checked before use.

The point is that undue confidence in external data may lead to various vulnerabilities — SQLI, XSS, path traversal and others. Most obvious examples of external data sources: parameter values of requests or text that a user enters (for example, in a text field).

Excessive trust in parameters of public methods can be even more dangerous. Public methods are the ones that can be called from other assemblies…


While PVS-Studio analyses a Unity project, one may stumble upon such an error: Error was encountered while trying to open solution file ‘…’: The solution file has two projects named “UnityEngine.UI”. This note discusses the reasons for this error and how to eliminate it.

Reasons

PVS-Studio uses some third-party libraries, including Roslyn and MSBuild to check C# projects. We use Roslyn to parse code. MSBuild parses solution (.sln) and project (.csproj) files. Besides, MSBuild is the main .NET build system.

You may encounter the error above when you call the Microsoft.Build.Construction.SolutionFile.Parse method to receive a SolutionFile instance. The method is in…


From the earliest days, we used MSVC to compile the PVS-Studio C++ analyzer for Windows (then, in 2006, known as Viva64, version 1.00). With new releases, the analyzer’s C++ core learned to work on Linux and macOS, and we modified the project’s structure to support CMake. However, we kept using the MSVC compiler to build the analyzer’s version for Windows. Then, in 2019, on April 29th, Visual Studio developers announced they had included the LLVM utilities and Clang compiler in the IDE. And just recently we’ve gotten around to trying it.

Performance Testing

We chose SelfTester — our utility for the…

Unicorn Developer

The developer, the debugger, the unicorn. I know all about static analysis and how to find bugs and errors in C++, C#, and Java source code.
