PVS-Studio,a solution for developers of modern resource-intensive applications

PVS-Studio, a solution for developers of modern resource-intensive applicationsOOO “Program Verification Systems” (Co Ltd)www.viva64.com

The PVS-Studio toolthe Viva64rule set for 64-bit software analysis;the VivaMPrule set for parallel software analysis;the general-purpose analysis rule set.Licensing and pricing policy forPVS-StudioAbout the OOO“Program Verification Systems” companyContents

The PVS-Studio ToolAnalysis of C/C++ source code

PVS-Studio is a static code analyzer intended for developers of contemporary resource-intensive softwarePVS-Studio includes three sets of diagnostic rules:Viva64 intended for detecting errors of 64-bit software development and migration;VivaMP intended for detecting parallel issues in source code of software developed with the OpenMP technology;General-purpose analysis for detecting general errors such as misprints, buffer overflows, condition errors, etc.

errors accompanying porting of 32-bit software to 64-bit systems; errors accompanying development of new 64-bit software; errors in parallel applications caused by programmers’ insufficient knowledge of the OpenMP technology; errors caused by incorrect memory handling in parallel code (unprotected memory access, absence of synchronization, incorrect variable access mode and so on);logical errors, incorrect use of algorithms and containers, buffer overflows;misprints brought into the text during copying of code fragments or through inattention;non-optimal constructs that can be easily optimized.PVS-Studio detects the following types of issues in C/C++ code

develop new 64-bit software; port 32-bit code to 64-bit systems; provide software with support of concurrent execution using the OpenMP technology;want to enhance code’s quality and safety;want to detect as many errors as possible already at the stage of developing.The PVS-Studio code analyzer is necessary for those who

Easy-to-download:http://www.viva64.com/en/pvs-studio-download/Easy-to-try:PVS-Studiointegrates into Visual Studio;The distribution package includes samples of software with errors.Easy-to-buy (online or through a bank):http://www.viva64.com/en/order/Why PVS-Studio?

PVS-Studio’s featuresintegration into Visual Studio2005/2008/2010;C and C++ support;C++0x support within the framework of Visual Studio 2010;detailed help system (including the Russian language);usability;convenient error filtering and suppression system;analysis of files in concurrent mode.

Online-documentation (also in the PDF format)

You may easily study how PVS-Studio works with the help of the demonstration project OmniSample included into the distribution package

Some our customerswww.viva64.com/en/customers/

Viva64, a rule set for 64-bit software analysis

The problem of applications migration to 64-bit platformsThe process of code migration is inevitable.

C/C++ applications migration is most difficult because of language peculiarities.

During migration, there can occur errors in programs which are impossible to diagnose by the existing methodology of testing.

It is difficult to get assured in the correctness of modern programs after their migration to 64-bit systems (MS-DOS 1.0 contained 4,000 code lines, while Windows Vista contains 50,000,000). That is why it is impossible to refer to the experience of past migrations.The difficulty of 64-bit migration for various types of code compared to assembler, in percentage termsAccording to Kang Su Gatlin, Visual C++ Program Manager,Microsoft Corporation, 2004

Here are some samples of errors Viva64 can detect

Problem with overloaded virtual functionsBase class:classCWinApp {virtualvoidWinHelp(DWORD_PTR, UINT); };User’s code:class CMyApp : public CWinApp {virtualvoidWinHelp(DWORD, UINT); };32-bit system:64-bit system:

Address arithmetic with pointersint A = -2;unsigned B = 1;int array[5] = { 1, 2, 3, 4, 5 };int *ptr = array + 3;ptr = ptr + (A + B);printf("%i\n", *ptr);VariableAtype intis cast to type unsigned;A and B addition is carried out. As a result, we obtain value 0xFFFFFFFF typeunsigned;Expression "ptr + 0xFFFFFFFFu“ is calculated. The result depends on pointer dimension on the given platform. In a 32-bit program, the expression will be equivalent to "ptr - 1" and we will successfully print number 3. Ina 64-bit program, value 0xFFFFFFFFu will be added to the pointer, as a result, the pointer will appear far beyond the array limits.

Infinite loopsboolIsPresent(char *array, size_tarraySize,char key){for (unsigned i = 0; i != arraySize; ++i)if (array[i] == key) return true; return false;}This code will lead to an infinite loop occurrence if arraySize exceeds value UINT_MAX.Detection of such errors using unit-tests or dynamic analyzers (BoundsChecker) is extremely complicated by the necessity of running on large data sizes. During processing of a small data size, the error will not be detected.

Errors in shift operationsptrdiff_t SetBitN(ptrdiff_t value, unsigned bitNum) { ptrdiff_t mask = 1 << bitNum; return value | mask;}Code of the given bit setting in unit.The first error consists in character variable shift.During 31st bit setting on a 64-bit system, the result of the function operation will be the value 0xffffffff80000000The second error is connected with the fact that this code will never set bits with numbers 32 to 63. Please note that "1" has typeint, and during shift by 32 positions, overflow will occur.Whether we obtain as a result 0 (A) or 1 (B) depends on the compiler implementation.

Errors of magic numbers use#define N_COUNT 100int **pArray = (int**)malloc(N_COUNT * 4);hFileMapping = CreateFileMapping ( (HANDLE) 0xFFFFFFFF, NULL, PAGE_READWRITE, (DWORD) 0, (DWORD) (szBufIm), (LPCTSTR) &FileShareNameMap[0]);size_t n, newexp;n = n >> (32 - newexp);The most widespread magic values which are dangerous during applications porting from a 32-bit to a 64-bit platform

Overflow in arithmetic expressions in which 32-bit and 64-bit data types are used togetherptrdiff_t UnsafeCalcIndex(int x, int y, int width) {return x + y * width;}...intdomainWidth = 50000;intdomainHeght = 50000; for (int x = 0; x != domainWidth; ++x) for (int y = 0; y != domainHeght; ++y) array[UnsafeCalcIndex(x, y, domainWidth)] = 1;This code cannot fill correctly the array, which consists of 50000*50000 elements. During calculation of the expression "x + y * width"overflow occurs, and, as a result, outbounds the array limits.

Errors of implicit type castsize_t __fread(void * __restrict buf, size_t size, size_t count,FILE * __restrict fp); size_tfread(void * __restrict buf, size_t size, size_t count,FILE * __restrict fp){int ret; FLOCKFILE(fp);ret = __fread(buf, size, count, fp); FUNLOCKFILE(fp);return (ret);}Function __freadreturns type size_t, however, for storing the quantity of read bytes, type int is used. As a result, in case of large sizes of the data being read, the function can return the wrong quantity of bytes which will be read in fact.

The example shown above was taken from FreeBSDsource code.The error was corrected in December 2008 only!With that, the first (pilot) 64-bit FreeBSDversion was released as far back as June 2003.

Patterns of 64-bit errors in the code were explored in more than 100 various articles in printed and electronic media.Our own experience in computational modeling packages code migration and visualization in C++ was considered.During the research, a base consisting of dozens of various error patterns connected with code migration to 64-bit systems was created. Both well-known (published) errors and earlier unknown errors were included in the base.Rules of diagnostics were formulated on the basis of detected error patterns. Both error patterns and diagnostic rules are published in our articles and are available to everyone.How we made 64- bit code analyzer

Comparison: Viva64,VC++ (/Wp64), C++Test and PC-LintThe table presents comparison carried out at the end of 2008. Nowadays, PVS-Studio has much more capabilities.

E.G.S. S.r.l. Company is engaged in the development of solutions in the sphere of 3D objects modeling on the basis of triangulated grids.Use of Viva64 for verification of CAD-system Leios Studio by EGS S.r.l.

Use of Viva64 for verification of CAD-system Leios Studio by EGSS.r.l. (continued)The total size of Leios Studiosource code is 13 megabytes (440,000 code lines).Code migration with the use of Viva64 allowed to save much time which would be needed in case of manual code review.The main problem cases detected in the process of automatic code analysis with the help of Viva64 tool are:Computational algorithms features during processing of large data volumes; Work with large size files; Processing of 3d-models containing large number of triangles (the larger the number of triangles is, the more precise the models are); Work of licensing subsystem; Details: http://www.viva64.com/en/a/0036/

Project size: 1.5Mb, 125filesPotentially dangerous constructions detected with the help of Viva64: 89Of which real errors: 6Statistics on detected erroros in Loki libraryhttp://loki-lib.sourceforge.netDetails: http://www.viva64.com/en/a/0049/

VivaMP, a rule set for parallel (OpenMP) software analysis

Problems in the code of programs using OpenMPAbsence of keywords in directivesIncorrect operating with lockingDependence of code behavior on the quantity of threads processing itSimultaneous work with common resourceVulnerable access to common memoryCareless use of local variablesUnnecessary memory protection from simultaneous writingPerformance errors

Here are some samples of errors VivaMP can detect

Non processed exceptions in parallel sections#pragmaomp parallel forfor (size_t i = 0; i != n; ++i) {float *array =new float[10000]; delete [] array;}The example will lead to incorrect behavior of the program and most likely to its abnormal termination, if memory allotment error occurs.The error is related to the exception throwing from the parallel section. According to OpenMP specification, if you use exceptions inside a parallel section,all these exceptions should be processed inside this section. If you use operator new inside a parallel section, you should consider seizing the exception which, according to C++ language standard will be generated at memory allotment error.

Errors of inattentive use of OpenMP directives and functions

Race condition errorsint a = 0;#pragmaomp parallel for num_threads(4)for (inti = 0; i < 100000; i++) {a++;}Race condition happens when several threads of a multithread application attempt to simultaneously gain access to data, with that, at least one thread is making a record. Race conditions can lead to unpredictable results, and they are often hard to detect. Sometimes, race conditions consequences show only after a long period of time in quite another part of the application. Moreover, errors of such kind are extremely difficult to duplicate. It is extremely effective to detect at least some of such errors with the help of static analysis as early as at the code writing stage.

Errors of initialization of static objects in parallel sectionspragmaomp parallel{ static intst = Calc(); ...}The static variable will start the process of initialization in several threads at once, this can lead to an uncertain result.The troubles of such errors consist in their unstable and rare manifestation during testing.

General-purpose analysis rule set

The main advantage of static analysis is that it can detect errors at the very early stagesCorrelation of the cost on eliminating defects depending on the time they were introduced and found. The data for the table were taken from the book “Code complete” by S. Macconnell.

It is beneficial to detect any type of errors at the coding stageIt is not crucial how complicated an error is: whether this is a mere misprint or error of algorithm’s logic. It is very beneficial to detect at least a part of such errors already at the stage of coding. It significantly reduces costs on code testing and maintenance.The PVS-Studio analyzer diagnoses a lot of diverse types of errors. We cannot enumerate all the types of errors it can detect, so please refer to the documentation for the list of provided diagnoses.Documentation (online): http://www.viva64.com/en/d/

Here are samples of errors the general-purpose analyzer can detect

Incorrect conditionintiChilds[2]; ...boolhasChilds() const { return(iChilds > 0 || iChilds > 0); }Although this code successfully compiles without any warnings, it is meaningless in this case. The correct code must look as follows:intiChilds[2]; ...boolhasChilds() const { return(iChilds[0] > 0 || iChilds[1] > 0); }

Reference to an already destroyed objectstructCVariable { char name[64];};void CRendererContext::RiGeometryV(int n, char *tokens[]){ for (i=0;i<n;i++) {CVariablevar; if (parseVariable(&var, NULL, tokens[i]))tokens[i] = var.name;}}The pointer to an array located in a variable of the CVariable type is saved in an external array. As a result, the "tokens" array will contain pointers to already non-existent objects as the RiGeometryVfunction terminates.

Incomplete buffer clearingMD5Context *ctx;...memset(ctx, 0, sizeof(ctx));The misprint here causes the structure to be cleared only partially. The error in this code is that it is the size of the pointer which is calculated instead of the MD5Context structure’s size. This is the correct code:MD5Context *ctx;...memset(ctx, 0, sizeof(*ctx));

Error in the if - else - if - else chainif (a == 1) Foo1();else if (a == 2) Foo2();else if (a == 1) Foo3();The 'Foo3()' function will never get control.

Misprint. Double assignment.CSize(POINT pt) { cx = pt.x; cx = pt.y; }The code is taken from a real application where the programmer implemented his own classCSize. The correct code certainly must have looked this way:CSize(POINT pt) { cx = pt.x; cy = pt.y; }Misprint. Unnecessary‘;’.for (i = 0; i < n; i++);{ Foo(i);}

Incorrect use of std::removevoid unregisterThread() { Guard<TaskQueue> g(_taskQueue); std::remove(_threads.begin(),_threads.end(),ThreadImpl::current());}Thestd::remove function does not remove the items from the container. It only shifts the items and returns the iterator to the beginning of the trash. Assume we have the vector<int> container that contains items 1,2,3,1,2,3,1,2,3. If we execute the code "remove( v.begin(), v.end(), 2 )", the container will contain items 1,3,1,3,?,?,? where ? is some trash. Also, the function will return the iterator to the first trash item, so if we want to remove these trash items, we must write the following code: "v.erase(remove(v.begin(), v.end(), 2), v.end())".

Licensing and pricing policy for PVS-Studio

PVS-Studio:pricesOrder Page: http://www.viva64.com/en/order/

You are enabled to get new versions (including major-versions) during 1 year;You are enabled to get support by e-mail during 1 year; You get time unbounded right to use the program. A year after you purchased it, you can continue getting new versions of PVS-Studio and contacting the support service. Restrictions will only concern new diagnostic capabilities that will appear in the analyzer after your license has expired.What does the price include besides the right of use?

Information about OOO “Program Verification Systems” (Co Ltd)

The certificate of official registration of computer programs N2007614164, "Viva64". Registered in Computer Program Registeron September 28th, 2007.The certificate of official registration of computer programs N2008610480, "VivaCore, a source code analysis library". Registered in Computer Program Registeron January 25th, 2008.The certificate of official registration of computer programs N2008612845, "Viva64 2.0". Registered in Computer Program Registeron May 29th, 2008.Intellectual property is registered

Our articles are published at largest sites for developers http://www.viva64.com/en/experience/

PVS-Studio, a solution for developers of modern resource-intensive applications

More Related Content

Viewers also liked

Similar to PVS-Studio, a solution for developers of modern resource-intensive applications

Recently uploaded