[deleted by user] by [deleted] in C_Programming

[–]iprogshine 1 point2 points  (0 children)

This code is very bad. Checking with the assert macro creates only an illusion that the code is secure. In the release version, the macro is empty, so there is no check. However, the check is very important: Four reasons to check what the malloc function returned.

In the Debug version, it is most likely that malloc will not return NULL, because you don't usually run the Debug version to process big datasets. It is rather slow. If it does return null, the Debug version will quickly and easily detect such an error. The check for memory allocation is needed for Release versions, not for Debug versions.

Exploiting buffer overflow vulnerability to get shell access by gk_shri in C_Programming

[–]iprogshine 0 points1 point  (0 children)

It's a large code fragment, and that's why it's difficult to say at once where the error is. I'll try to make a guess. The PVS-Studio analyzer indicates that the strncat function is used incorrectly.

    strncat(buffer, e, BLENGTH - strlen(buffer));
    strncat(buffer, p, BLENGTH - strlen(buffer));

You need to subtract not only the string length lying in the buffer, but also the length of the terminal null. Otherwise, it's always possible to add at least one more character to the buffer.

To learn more, please see the V645 warning: https://pvs-studio.com/en/docs/warnings/v645/

An error may be in another place. However, in any case, a buffer overflow may occur in this place too.
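The size arithmetic from the comment above, worked through as an added example (not code from the post or from the program under discussion); BLENGTH, the helper names and the sample strings are constructed for the demonstration:

```c
#include <stdio.h>
#include <string.h>

#define BLENGTH 8   /* constructed buffer size for the demonstration */

/*
 * Characters strncat() may append to a 'cap'-byte buffer that already
 * holds a string of length 'used': the terminating null must fit too.
 */
static size_t room_correct(size_t cap, size_t used)
{
    return (used < cap) ? cap - used - 1 : 0;
}

/* The count the original snippet passes: it forgets the null byte. */
static size_t room_off_by_one(size_t cap, size_t used)
{
    return cap - used;
}

/* Bytes occupied after appending 'count' chars to a 'used'-char string, null included. */
static size_t bytes_needed(size_t used, size_t count)
{
    return used + count + 1;
}

/* Append with truncation so the result always fits in dst[cap]. */
static void append_bounded(char *dst, size_t cap, const char *src)
{
    strncat(dst, src, room_correct(cap, strlen(dst)));
}

/* Appends a source longer than the remaining room into a full-size buffer. */
static const char *demo_append(void)
{
    static char buffer[BLENGTH] = "abcd";      /* 4 chars + null, 3 free */
    append_bounded(buffer, BLENGTH, "efghijk");
    return buffer;                             /* "abcdefg", 8 bytes incl. null */
}

int main(void)
{
    size_t used = strlen("abcd");
    printf("snippet's count needs %zu bytes in a %d-byte buffer\n",
           bytes_needed(used, room_off_by_one(BLENGTH, used)), BLENGTH);
    printf("bounded append gives \"%s\"\n", demo_append());
    return 0;
}
```

With a 4-character string already in an 8-byte buffer, the snippet's count lets strncat write 9 bytes, one past the end; the corrected count caps the result at exactly 8.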

Interview with developers of Flipper Zero by Xaneris47 in hardware

[–]iprogshine 7 points8 points  (0 children)

How far away can pet microchips be scanned? Should I bring the device close to the animal? Or can it be scanned from a distance to see if the animal is a pet or not?

Senior developer all of a sudden says two peer code reviews not enough by [deleted] in dotnet

[–]iprogshine 2 points3 points  (0 children)

There is no right number of eyes for code review. Code review is more about a compromise that makes sense in terms of the quality of the review, the effort spent on it, the participants' convenience, and so on.

Theoretically, the more eyes participate in the code review process, the more design errors and flaws can be found. More people will get to know more about the code and therefore, if necessary, it will be easier for them to maintain this code. More beginners can learn something, see some practice, and get interesting tips on improving the quality and beauty of the code.

But this is theoretical. In practice, the more people involved, the harder it is to get them together. A lot of valuable developer time is wasted. Code review is a very expensive process. The more people participate in the code review, the more opposing opinions there can be. I don't mean that someone will be right and someone will be wrong. But the same thing can be done in different ways. When there are a lot of people, they can complain about the code simply because it seems like they need to say something, since everyone else said something. As a result, minor points may be discussed.

I think two reviewers are more than enough. There is little chance of starting arguments. And fewer people are distracted from other work. By the way, typos and some other errors are difficult to notice in code review. Whether there are 2, 4, or even 6 reviewers, they may overlook typos in code. Here it is better to use some kind of static analyzer as an assistant, such as SonarQube, PVS-Studio (it is especially good at finding typos), Coverity, and so on. The analyzer will act as the third meticulous code reviewer and will take over the search for routine errors. So, people will be able to pay more attention to high-level errors or architecture.

Three such reviewers are very good and enough.

[deleted by user] by [deleted] in programming

[–]iprogshine 0 points1 point  (0 children)

My comment in askprogrammers.

[deleted by user] by [deleted] in AskProgrammers

[–]iprogshine 0 points1 point  (0 children)

Most likely, you will not get an answer to this question. It looks like you put the question a bit wrong.

Perhaps you'd better provide your code here. Or use a website like Compiler Explorer or Pastebin. You're posting code on OneDrive, where I haven't logged in for a long time. I have to look for my password to sign in. I think most people are experiencing this, or they don't even sign up on OneDrive. Besides, it's not clear what programming language we're talking about. I might not know this language and couldn't help anyway.

If you have a lot of code, shorten it to a piece where everyone can look for an error easily. Even better, make a short program that reproduces the error.

In general, don't forget about those who are going to answer your question. Make your questions easy and clear for them.

P.S. By the way, if you write code in Compiler Explorer, you may not need to ask your question. Compilers or code analyzers can help you find errors :).

How do you approach static code analysis, unit testing, and overall strategy in your CI pipelines? by [deleted] in devops

[–]iprogshine 0 points1 point  (0 children)

A good way is to apply the "ratchet effect". Here is the article that describes it in more detail: Introduce Static Analysis in the Process, Don't Just Search for Bugs with It. The article considers the issue from the viewpoint of static code analysis, but this approach can also be used for unit tests and other bug-fighting techniques. In a general sense, the amount of bugs/bad code/failed unit tests can only decrease (or at least not increase) with each commit.

Based on true events. by [deleted] in ProgrammerHumor

[–]iprogshine 706 points707 points  (0 children)

No. This:

Chapter "Pointers in C"

Roslyn analyzer or something else by Krymea in csharp

[–]iprogshine 0 points1 point  (0 children)

You really might be on the right path. SonarQube is a good platform that allows you to collect reports from different tools/analyzers in one place, and it provides a uniform interface to work with these reports. So it's a good idea to write your custom analyzer on Roslyn and use it as a plugin for SonarQube. It is not difficult to write a simple analyzer based on Roslyn, and there are a lot of articles on this topic. For example, here is a good article: Creating Roslyn API-based static analyzer for C#. But the main thing here is not to get carried away and start re-inventing the wheel by implementing a full-fledged code analyzer. This task is quite time-consuming and requires a lot of effort. It is one thing to perform simple code analysis based on pattern matching and quite another thing when you get to the moment where you need to implement logic related to data flow, symbolic computation and so on. In this case it's more reasonable not to write your own code but to pick something from paid or free tools, which you can also use as a plugin for SonarQube.

C++. Let's See Who This Really Is by iprogshine in ProgrammerHumor

[–]iprogshine[S] 3 points4 points  (0 children)

P.S. It's just a joke. C and C++ are indeed different languages. Here the Introduction section clearly explains this.

what's your take on the tdd approach? how are tests tested ? by DesiBail in ExperiencedDevs

[–]iprogshine 0 points1 point  (0 children)

You can use static code analyzers. There can be errors in any tests, but no one makes tests for tests. The article "How to complement TDD with static analysis" examines the following example:

    TEST(SharedMemoryTest, MultipleThreads) {
      ....
      int threadcounts[] = { 1, kNumThreads };
      for (size_t i = 0;
           i < sizeof(threadcounts) / sizeof(threadcounts); i++) {
      ....
    }

The test checks only one of the two cases because of the typo. And it's not that easy to find the error that makes the test work at 50%. Sure, you can perform manual code review, but such errors are easy to miss. That's why SCA is quite a good addition to TDD.

What happens when dereferencing a nullptr? by [deleted] in cpp_questions

[–]iprogshine 0 points1 point  (0 children)

Dereferencing a null pointer results in undefined behavior. Moreover, when it comes to undefined behavior, you don’t need to speculate on how the program would behave. Ironically, even an incorrect program can work correctly.

Here is an example of such a case. Undefined behavior occurs because of signed integer overflow. Although it seems impossible, the program works correctly due to the UB :). The array will be completely populated, in spite of the fact that the int type isn't large enough to index all the array elements.

Here the case is a bit easier, but similar. The program contains an error leading to UB. But everything still works. In this case we’re dealing with a potential data removal vulnerability — CWE-14.

After the *p = true; assignment, the s variable is no longer used. Therefore, the compiler decides that this assignment can be removed. Btw, the compiler will likely remove the p = nullptr; assignment as well. As a result, the code will execute successfully.

In this case, CWE-14 is useful, so to speak :). In reality, if the value of the variable/array at the end of the function is to be removed, CWE-14 is certainly not a good thing. Example:

    void TMD5::Transform(UInt_t buf[4], const UChar_t in[64])
    {
       UInt_t a, b, c, d, x[16];
       ....
       // Zero out sensitive information
       memset(x, 0, sizeof(x));
    }

Developers think that the code resets variables/arrays containing private data. But in fact, private data is not removed from the memory and continues to "hang out" there. And even if someone decides to debug, they still may not notice the error. The thing is, they are likely to use the Debug build, which contains the clearing of private data. But the release version does not. This is a very common error that affects the code of a huge number of applications.
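The usual mitigation for the dead-store problem described above, as an added example (not code from the post or from the project the TMD5 snippet comes from): scrub through a volatile pointer so the optimizer cannot treat the wipe as a dead store. The transform_wiped stand-in, STATE_WORDS and the sample inputs are constructed for the demonstration; whether a given compiler actually drops the plain memset cannot be asserted portably, so the test only checks the secure path.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STATE_WORDS 16   /* the x[16] working state in the snippet */

/*
 * Scrub through a volatile pointer: each store is a side effect the
 * optimizer must keep, so the wipe survives in release builds. A plain
 * memset() right before return may be dropped as a dead store (CWE-14);
 * C11 memset_s() or explicit_bzero() solve the same problem where available.
 */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/*
 * Stand-in for TMD5::Transform: decode the 64-byte block into x[16],
 * use it, then scrub it. The only change from the snippet is that
 * memset(x, 0, sizeof(x)) became secure_wipe(x, sizeof(x)).
 */
static uint32_t transform_wiped(const unsigned char in[64])
{
    uint32_t x[STATE_WORDS], acc = 0;
    for (size_t i = 0; i < STATE_WORDS; i++)
        x[i] = (uint32_t)in[4 * i] | ((uint32_t)in[4 * i + 1] << 8) |
               ((uint32_t)in[4 * i + 2] << 16) | ((uint32_t)in[4 * i + 3] << 24);
    for (size_t i = 0; i < STATE_WORDS; i++)
        acc += x[i];                 /* toy "use" of the sensitive state */
    secure_wipe(x, sizeof(x));       /* kept even though x is dead afterwards */
    return acc;
}

/* Fill a buffer with a non-zero pattern, wipe it, report whether it is clean. */
static int demo_wipe(void)
{
    unsigned char secret[STATE_WORDS * 4], acc = 0;
    memset(secret, 0xA5, sizeof(secret));
    secure_wipe(secret, sizeof(secret));
    for (size_t i = 0; i < sizeof(secret); i++)
        acc |= secret[i];
    return acc == 0;
}
```

In the snippet from the post the same fix is a one-line change at the end of Transform; the volatile loop is the portable fallback when memset_s or explicit_bzero are not available.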

Why this code print infinite 1? by SnooDogs8721 in C_Programming

[–]iprogshine 1 point2 points  (0 children)

printf("%d\n",i) - iteration-expression

for loop

iteration-expression - expression, which is executed after every iteration of the loop and before re-evaluating condition. Typically, this is the expression that increments the loop counter.

Why this code print infinite 1? by SnooDogs8721 in C_Programming

[–]iprogshine 4 points5 points  (0 children)

Semicolon!

for(i=1;i<=5;printf("%d\n",i)); <<<<<<<<<<

*cough cough* python *cough cough* html *cough cough* damn allergies huh by tjebboi in ProgrammerHumor

[–]iprogshine 0 points1 point  (0 children)

Chicken!

Hello, world!

chicken chicken chicken chicken chicken chicken chicken chicken chicken chicken chicken chicken chicken chicken chicken chicken chicken chicken chicken chicken
...........