• Espressif IoT Development Framework: 71 Shots in the Foot

      One of our readers recommended paying heed to the Espressif IoT Development Framework. He found an error in the project code and asked if the PVS-Studio static analyzer could find it. The analyzer can't detect this specific error so far, but it managed to spot many others. Based on this story and the errors found, we decided to write a classic article about checking an open source project. Enjoy exploring what IoT devices can do to shoot you in the foot.

      Read more →
    • Android interop with SWIG (a guide). From simple to weird. Part 1 — simple

      SWIG is a tool for generating cross-language interfaces - it provides interoperability of C++ and other languages (C++ and Java in our case). SWIG just simplifies and automizes cross-language interaction; otherwise, you may end up with thousands of lines of handwritten JNI code - but SWIG covers this for you.

      This guide is for newbies (Part 1) and for those who experienced in SWIG (part 2). I'm starting from basic setup and usage and ending with complex & weird cases encountered in development. The latter cases are not so complex, rather usual for modern languages, which SWIG doesn't support yet (as lambdas).

      This guide is practical. In opposition to overcomplicated huge-volume SWIG documentation, this guide is showing the cases practically. The bits developed by myself while working on the different projects or taken from StackOverflow. This guide allows you to quick-start an Android Studio project and giving practical examples of using SWIG. The link to the Android Studio project is here.

      This guide is Android-first. The goal was to make it simple to onboard for Android developers. There are many articles about SWIG, but they are mainly for desktop Java applications, and it is quite an overhead to just try them on Android to check if the solution for the particular problem is working. While this guide includes an Android Studio project, with which you can play around instantly. Of course, all the information given here applies to any Java application.

      Warning! I should warn you, that nowadays cross-platform development offers powerful tools. If you are developing a new application it is much more cost-efficient in practice to use ReactNative, Flutter of Kotlin-Native than the SWIG. While SWIG is more suitable to connect the C++ library or existing C++ application core.

      Read more
    • GTK: The First Analyzer Run in Figures

        For some people, the introduction of a static analyzer into a project seems like an insurmountable obstacle. It is widely believed that the amount of analysis results issued after the first run is so large that only two options seem reasonable: do not mess with it at all or refocus all people on fixing warnings. In this article, we will try to dispel this myth by implementing and configuring the analyzer on a GTK project.

        Читать далее
      • Did It Have to Take So Long to Find a Bug?


          Have you ever wondered which type of project demonstrates higher code quality – open-source or proprietary? Our blog posts may seem to suggest that bugs tend to concentrate in open-source projects. But that's not quite true. Bugs can be found in any project, no matter the manner of storage. As for the code quality, it tends to be higher in those projects where developers care about and work on it. In this small post, you will learn about a bug that took two years to fix, although it could have been done in just five minutes.
          Read more →
        • The Code Analyzer is wrong. Long live the Analyzer

            Foo(std::move(buffer), line_buffer - buffer.get());

            Combining many actions in a single C++ expression is a bad practice, as such code is hard to understand, maintain, and it is easy to make mistakes in it. For example, one can instill a bug by reconciling different actions when evaluating function arguments. We agree with the classic recommendation that code should be simple and clear. Now let's look at an interesting case where the PVS-Studio analyzer is technically wrong, but from a practical point of view, the code should still be changed.
            Read more →
          • Ads
            AdBlock has stolen the banner, but banners are not teeth — they will be back

          • How static code analysis helps in the GameDev industry


              The gaming industry is constantly evolving and is developing faster than a speeding bullet. Along with the growth of the industry, the complexity of development also increases: the code base is getting larger and the number of bugs is growing as well. Therefore, modern game projects need to pay special attention to the code quality. Today we will cover one of the ways to make your code more decent, which is static analysis, as well as how PVS-Studio in practice helps in the game project development of various sizes.
              Read more →
            • ConcurrenCpp — The C++ concurrency library


                concurrencpp allows applications to write asynchronous code easily and safely by using executors and coroutines.

                By using concurrencpp applications can break down big procedures that need to be processed asynchronously into smaller tasks that run concurrently and work in a co-operative manner to achieve the wanted result.

                concurrencpp also allows applications to write parallel algorithms more easily by using parallel coroutines.

                concurrencpp main advantages are:

                • Being able to write non-blocking, asynchronous code easily by using the C++20 coroutines and the co_await keyword.
                • Being able to write modern concurrent code without having to rely on low-level concurrency primitives like locks and condition variables.
                • The concurrency runtime manages all low-level resources such as threads automatically.
                • Reducing the possibility of race conditions, data races and deadlocks by using high-level objects with built-in synchronization.
                • concurrencpp provides various types of commonly used executors with a complete coroutine integration.
                • Applications can extend the library by using their own provided executors.
                • Applications automatically scale-up to use all hardware processors (cores).
                Read more →
              • Checking Clang 11 with PVS-Studio

                  PVS-Studio: I'm still worthy

                  Every now and then, we have to write articles about how we've checked another fresh version of some compiler. That's not really much fun. However, as practice shows, if we stop doing that for a while, folks start doubting whether PVS-Studio is worth its title of a good catcher of bugs and vulnerabilities. What if the new compiler can do that too? Sure, compilers evolve, but so does PVS-Studio – and it proves, again and again, its ability to catch bugs even in high-quality projects such as compilers.
                  Read more →
                • Checking a Header-Only C++ Library Collection (awesome-hpp)

                    PVS-Studio and Awesome hpp

                    Somehow, we've happened to check most of the libraries making up a collection called "Awesome hpp". These are small header-only projects in C++. Hopefully, the information about the bugs we've found will help make the libraries better. We'll also be happy to see the developers use PVS-Studio on a regular basis thanks to the free-license option we provide.
                    Read more →
                  • Amnesia: The Dark Descent or How to Forget to Fix Copy Paste


                      Just before the release of the "Amnesia: Rebirth" game, the vendor "Fractional Games" opened the source code of the legendary "Amnesia: The Dark Descent" and its sequel "Amnesia: A Machine For Pigs". Why not use the static analysis tool to see what dreadful mistakes are hidden in the inside of these cult horror games?
                      Read more →
                    • Checking the Code of DeepSpeech, or Why You Shouldn't Write in namespace std

                        DeepSpeech is an open-source speech recognition engine developed by Mozilla. It's pretty fast and ranks high, which makes its source code an interesting target for static analysis. In this article, I'll show you some of the bugs found in DeepSpeech's C++ code.



                        We have already scanned a few projects based on machine learning before, so there was nothing new about DeepSpeech to us in this respect. No wonder since the project is quite popular: as of this writing, it has 15k stars on GitHub.
                        Read more →
                      • Part 2: Upsetting Opinions about Static Analyzers

                          Единорог грустит

                          By writing the article "Upsetting Opinions about Static Analyzers" we were supposed to get it off our chest and peacefully let it all go. However, the article unexpectedly triggered robust feedback. Unfortunately, the discussion went in the wrong direction, and now we will make a second attempt to explain our view of this situation.
                          Read more →
                        • Upsetting Opinions about Static Analyzers

                            Static analysis tools have advanced far over the time they've been around. They no longer resemble the "linters" that were in active use 20 years ago. But some programmers still view them as extremely primitive tools. And that's very sad. It hurts to see the static analysis methodology in general and our PVS-Studio analyzer in particular treated that way.

                            Read more →
                          • Why it is important to apply static analysis for open libraries that you add to your project

                              PVS-Studio and Awesome header-only C++ libraries

                              Modern applications are built from third-party libraries like a wall from bricks. Their usage is the only option to complete the project in a reasonable time, spending a sensible budget, so it's a usual practice. However, taking all the bricks indiscriminately may not be such a good idea. If there are several options, it is useful to take time to analyze open libraries in order to choose the best one.
                              Read more →
                            • Why code reviews are good, but not enough


                                Code reviews are definitely necessary and useful. It's a way to impart knowledge, educate, control a task, improve code quality and formatting, fix bugs. Moreover, you can notice high-level errors related to the architecture and algorithms used. So it's a must-have practice, except that people get tired quickly. Therefore, static analysis perfectly complements reviews and helps to detect a variety of inconspicuous errors and typos. Let's look at a decent example on this topic.
                                Read more →
                              • Checking QEMU using PVS-Studio


                                  QEMU is a rather well-known application for emulation. Static analysis can help developers of complex projects such as QEMU catch errors at early stages and generally improve quality and reliability of a project. In this article, we will check the source code of the QEMU application for potential vulnerabilities and errors using the PVS-Studio static analysis tool.
                                  Read more →