• ## Espressif IoT Development Framework: 71 Shots in the Foot

One of our readers recommended paying heed to the Espressif IoT Development Framework. He found an error in the project code and asked if the PVS-Studio static analyzer could find it. The analyzer can't detect this specific error so far, but it managed to spot many others. Based on this story and the errors found, we decided to write a classic article about checking an open source project. Enjoy exploring what IoT devices can do to shoot you in the foot.

• ## Android interop with SWIG (a guide). From simple to weird. Part 2 — weird

• Tutorial

This part covers the use of typemaps, complex & weird cases, and debugging suggestions. This part requires an understanding of Part 1 - usage of SWIG in simple cases.

This is a practical Android-first guide, with Android Studio project you can play with.

• ## Android interop with SWIG (a guide). From simple to weird. Part 1 — simple

SWIG is a tool for generating cross-language interfaces - it provides interoperability of C++ and other languages (C++ and Java in our case). SWIG just simplifies and automizes cross-language interaction; otherwise, you may end up with thousands of lines of handwritten JNI code - but SWIG covers this for you.

This guide is for newbies (Part 1) and for those who experienced in SWIG (part 2). I'm starting from basic setup and usage and ending with complex & weird cases encountered in development. The latter cases are not so complex, rather usual for modern languages, which SWIG doesn't support yet (as lambdas).

This guide is practical. In opposition to overcomplicated huge-volume SWIG documentation, this guide is showing the cases practically. The bits developed by myself while working on the different projects or taken from StackOverflow. This guide allows you to quick-start an Android Studio project and giving practical examples of using SWIG. The link to the Android Studio project is here.

This guide is Android-first. The goal was to make it simple to onboard for Android developers. There are many articles about SWIG, but they are mainly for desktop Java applications, and it is quite an overhead to just try them on Android to check if the solution for the particular problem is working. While this guide includes an Android Studio project, with which you can play around instantly. Of course, all the information given here applies to any Java application.

Warning! I should warn you, that nowadays cross-platform development offers powerful tools. If you are developing a new application it is much more cost-efficient in practice to use ReactNative, Flutter of Kotlin-Native than the SWIG. While SWIG is more suitable to connect the C++ library or existing C++ application core.

• ## GTK: The First Analyzer Run in Figures

For some people, the introduction of a static analyzer into a project seems like an insurmountable obstacle. It is widely believed that the amount of analysis results issued after the first run is so large that only two options seem reasonable: do not mess with it at all or refocus all people on fixing warnings. In this article, we will try to dispel this myth by implementing and configuring the analyzer on a GTK project.

• ## Did It Have to Take So Long to Find a Bug?

Have you ever wondered which type of project demonstrates higher code quality – open-source or proprietary? Our blog posts may seem to suggest that bugs tend to concentrate in open-source projects. But that's not quite true. Bugs can be found in any project, no matter the manner of storage. As for the code quality, it tends to be higher in those projects where developers care about and work on it. In this small post, you will learn about a bug that took two years to fix, although it could have been done in just five minutes.
• ## Top 10 Bugs Found in C++ Projects in 2020

It's winter outside, the year is coming to an end, which means it's time to review the most notable errors the PVS-Studio analyzer detected in 2020.
• ## The Code Analyzer is wrong. Long live the Analyzer

Combining many actions in a single C++ expression is a bad practice, as such code is hard to understand, maintain, and it is easy to make mistakes in it. For example, one can instill a bug by reconciling different actions when evaluating function arguments. We agree with the classic recommendation that code should be simple and clear. Now let's look at an interesting case where the PVS-Studio analyzer is technically wrong, but from a practical point of view, the code should still be changed.
AdBlock has stolen the banner, but banners are not teeth — they will be back

• ## How static code analysis helps in the GameDev industry

The gaming industry is constantly evolving and is developing faster than a speeding bullet. Along with the growth of the industry, the complexity of development also increases: the code base is getting larger and the number of bugs is growing as well. Therefore, modern game projects need to pay special attention to the code quality. Today we will cover one of the ways to make your code more decent, which is static analysis, as well as how PVS-Studio in practice helps in the game project development of various sizes.
• ## Why PVS-Studio Doesn't Offer Automatic Fixes

Static analyzer PVS-Studio can detect bugs in pretty complex and intricate parts of code, and coming up with appropriate fixes for such bugs may be a tough task even for human developers. That's exactly the reason why we should avoid offering any options for automatic fixing at all. Here are a couple of examples.
• ## ConcurrenCpp — The C++ concurrency library

Repository

concurrencpp allows applications to write asynchronous code easily and safely by using executors and coroutines.

By using concurrencpp applications can break down big procedures that need to be processed asynchronously into smaller tasks that run concurrently and work in a co-operative manner to achieve the wanted result.

concurrencpp also allows applications to write parallel algorithms more easily by using parallel coroutines.

• Being able to write non-blocking, asynchronous code easily by using the C++20 coroutines and the co_await keyword.
• Being able to write modern concurrent code without having to rely on low-level concurrency primitives like locks and condition variables.
• The concurrency runtime manages all low-level resources such as threads automatically.
• Reducing the possibility of race conditions, data races and deadlocks by using high-level objects with built-in synchronization.
• concurrencpp provides various types of commonly used executors with a complete coroutine integration.
• Applications can extend the library by using their own provided executors.
• Applications automatically scale-up to use all hardware processors (cores).
• ## Checking Clang 11 with PVS-Studio

Every now and then, we have to write articles about how we've checked another fresh version of some compiler. That's not really much fun. However, as practice shows, if we stop doing that for a while, folks start doubting whether PVS-Studio is worth its title of a good catcher of bugs and vulnerabilities. What if the new compiler can do that too? Sure, compilers evolve, but so does PVS-Studio – and it proves, again and again, its ability to catch bugs even in high-quality projects such as compilers.
• ## Checking a Header-Only C++ Library Collection (awesome-hpp)

Somehow, we've happened to check most of the libraries making up a collection called "Awesome hpp". These are small header-only projects in C++. Hopefully, the information about the bugs we've found will help make the libraries better. We'll also be happy to see the developers use PVS-Studio on a regular basis thanks to the free-license option we provide.
• ## Amnesia: The Dark Descent or How to Forget to Fix Copy Paste

Just before the release of the "Amnesia: Rebirth" game, the vendor "Fractional Games" opened the source code of the legendary "Amnesia: The Dark Descent" and its sequel "Amnesia: A Machine For Pigs". Why not use the static analysis tool to see what dreadful mistakes are hidden in the inside of these cult horror games?
• ## Checking the Code of DeepSpeech, or Why You Shouldn't Write in namespace std

DeepSpeech is an open-source speech recognition engine developed by Mozilla. It's pretty fast and ranks high, which makes its source code an interesting target for static analysis. In this article, I'll show you some of the bugs found in DeepSpeech's C++ code.

## Introduction

We have already scanned a few projects based on machine learning before, so there was nothing new about DeepSpeech to us in this respect. No wonder since the project is quite popular: as of this writing, it has 15k stars on GitHub.
• ## Part 2: Upsetting Opinions about Static Analyzers

By writing the article "Upsetting Opinions about Static Analyzers" we were supposed to get it off our chest and peacefully let it all go. However, the article unexpectedly triggered robust feedback. Unfortunately, the discussion went in the wrong direction, and now we will make a second attempt to explain our view of this situation.
• ## Upsetting Opinions about Static Analyzers

Static analysis tools have advanced far over the time they've been around. They no longer resemble the "linters" that were in active use 20 years ago. But some programmers still view them as extremely primitive tools. And that's very sad. It hurts to see the static analysis methodology in general and our PVS-Studio analyzer in particular treated that way.

• ## What's new in rotor v0.09

rotor is a non-intrusive event loop friendly C++ actor micro framework, similar to its elder brothers like caf and sobjectizer. The new release came out under the flag of pluginization, which affects the entire lifetime of an actor.

• ## Why it is important to apply static analysis for open libraries that you add to your project

Modern applications are built from third-party libraries like a wall from bricks. Their usage is the only option to complete the project in a reasonable time, spending a sensible budget, so it's a usual practice. However, taking all the bricks indiscriminately may not be such a good idea. If there are several options, it is useful to take time to analyze open libraries in order to choose the best one.
• ## Why code reviews are good, but not enough

Code reviews are definitely necessary and useful. It's a way to impart knowledge, educate, control a task, improve code quality and formatting, fix bugs. Moreover, you can notice high-level errors related to the architecture and algorithms used. So it's a must-have practice, except that people get tired quickly. Therefore, static analysis perfectly complements reviews and helps to detect a variety of inconspicuous errors and typos. Let's look at a decent example on this topic.
• ## Checking QEMU using PVS-Studio

QEMU is a rather well-known application for emulation. Static analysis can help developers of complex projects such as QEMU catch errors at early stages and generally improve quality and reliability of a project. In this article, we will check the source code of the QEMU application for potential vulnerabilities and errors using the PVS-Studio static analysis tool.