PVS-Studio 2018: CWE, Java, RPG, macOS, Keil, IAR, MISRA

The year 2018 is approaching and it's time to think about new directions for the development of our static analyzer PVS-Studio. Now the most interesting for us is the support of the Java language. In addition, we are considering the possibility of supporting the IBM RPG language. It is equally interesting to develop analysis of C, C ++ C # code in the direction of identifying potential vulnerabilities. We also want to support the analysis of C and C ++ code on the macOS platform, and, finally, to finish support for compilers from Keil and IAR. We are not going anywhere to support the standard MISRA. Listed a lot, and for all the 2018 one we will not be enough. Therefore, let's discuss our plans together with us and choose the most priority directions.

First, let me remind you of the already implemented features of the PVS-Studio static code analyzer:

• Detection of a wide range of errors and potential vulnerabilities in the code of C, C ++, C ++ / CLI, C ++ / CX and C # programs.
• Convenient and easy integration with Visual Studio 2010-2017. Automatic analysis of individual files after their recompilation is possible.
• Running from the command line to check the entire solution: allows you to integrate PVS-Studio into nightly builds, so that everyone has a fresh log in the morning. Alternatively, using the BlameNotifier utility, you can send letters to developers about errors that PVS-Studio found during the night run.
• Excellent scalability. Support for multi-core and multiprocessor systems with setting the number of cores used. IncrediBuild support.
• Interactive filtering of the analysis results (log) in the PVS-Studio window: by diagnostic code, by file name, by inclusion of the word in the diagnostic text.
• A large number of options for integration into projects developed for Linux.
• Mark as False Alarm - markup in the code, so as not to swear specific diagnostics in a specific file fragment. You can also use special comments to suppress warnings related to macros.
• Mass Suppression - allows you to suppress all old messages so that the analyzer generates 0 operations. You can always return to the depressed messages later. The ability to safely integrate PVS-Studio into the existing development process and focus on errors only in the new code.
• Automatic check for new versions of PVS-Studio (both when working in the IDE and at night assemblies).
• Using relative paths in report files to enable report transfer to another machine.
• CLMonitoring - checking for projects that do not have Visual Studio files (.sln / .vcxproj); if suddenly you don’t have enough CLMonitoring functionality, then you can integrate PVS-Studio into any Makefile-based build system manually. A similar Linux utility is called pvs-studio-analyzer.
• Ability to exclude from the analysis files by name, folder or mask; ability to check files modified in the last N days.
• Integration with SonarQube. This is an open platform to ensure continuous quality control of the source code.
• HTML report in short and full version. The full version includes the source code of the files and allows navigation through them.

Supported languages ​​and compilers:

• Windows Visual Studio 2017 C, C ++, C ++ / CLI, C ++ / CX (WinRT), C #
• Windows Visual Studio 2015 C, C ++, C ++ / CLI, C ++ / CX (WinRT), C #
• Windows Visual Studio 2013 C, C ++, C ++ / CLI, C ++ / CX (WinRT), C #
• Windows Visual Studio 2012 C, C ++, C ++ / CLI, C ++ / CX (WinRT), C #
• Windows Visual Studio 2010 C, C ++, C ++ / CLI, C #
• Windows MinGW C, C ++
• Windows / Linux. Clang C, C ++
• Linux GCC C, C ++

We briefly listed what is already there. Details can be found in the documentation . Now let's see what may appear in new versions.
')

Potential weaknesses, CWE

The PVS-Studio analyzer is already able to detect a large number of potential vulnerabilities (weaknesses). A version of PVS-Studio will soon appear, where one or another identifier according to the CWE classification will correspond to most warnings.

Figure N1. CWE column is enabled.

However, this is only the first stage, which we will do in the outgoing 2017. Next year we are waiting for more interesting work related to the implementation of the search for potential vulnerabilities. We plan to make several specialized diagnostics for C, C ++ and C # in this direction. For example, we give a description of one of the planned diagnostics.

I will give the description from the issues-tracker.

First we need to introduce the concept of “unreliable data”. This is data that comes from outside. Examples of unreliable data:

• data in the buffer read by the fread function
• data in the buffer obtained by the recv function
• data in the buffer (line) read using scanf ("% s", ...)
• integer variable read by fscanf ("% i", ...)
• integer variable read by fread (& integer, sizeof (int), 1, file)
• integer variable read from stream: wcin >> n;
• an integer variable obtained externally by other means: n = GetFileSize (h, x);
• GetServerVariable and ReadClient functions are used to obtain information (some field is read from the EXTENSION_CONTROL_BLOCK structure)
• and so on

A variable / buffer is considered an unreliable source until some value check is performed for it. Examples of checks that make the data reliable (the data is verified and correct):

• if (n == 2)
• if (strcmp (s1, s2)> 0)
• if (strchr (s1, 'c') == 0)
• if (n> 1 && n <100)

Note 1. At the same time, checking for NULL for pointers is not considered to be validation of data:

char s[100]; scanf("%s", s); if (s) //     . //    . 's' -  . 

Note 2. A special Data Flow mechanism is required for arrays and structures, which is not yet available in PVS-Studio. The fact is that checking individual elements does not make the entire buffer / structure valid. Explanation:

 unsigned char B[2]; if (B[0] < 3) //   ,   . //      . //     " // / ". if (B[0] < 3 && B[1] < 3) //   . //     . 

The most difficult thing is to think about such checks of the whole array:

 int A[100]; ... for (i = 0; i < 100; ++i) if (A[i] < 10) //    return; 

When PVS-Studio begins to know about invalid data, make a diagnosis that detects its use. This will identify vulnerabilities. There are many real vulnerabilities due to the fact that the received byte / bytes are used without prior verification. Under use are understood, for example, such actions:

• if (pinter [unsafe_int] == ​​1)
• malloc (unsafe_int * sizeof (float))
• ptr + = unsafe_int;
• if (A [unsafe_buffer [1]] == 1)
• memcpy (a, b, unsafe_buffer [i])
• buffer_size = 1 + unsafe_int;
• printf (unsafe_buffer, 1, 2);
• sprintf (normal_bug, unsafe_buffer, 1, 2);
• etc.

Note 3. Functions such as strncpy or _tcsncpy_s (meaning a function variant with 3 arguments) can form a string without a terminal zero at the end. Such strings are unsafe from the point of view of applying to them further functions that wait for an input null-terminal string. For example, they cannot be passed to the strlen function.

Java

Already a couple of months quietly and calmly developing a Java analyzer. Unfortunately, while this is happening in the background, since there is not enough strength for everything. It is too early to tell about this undertaking. I will only note that for Data Flow analysis it is planned to use the developments implemented in the C ++ core of the analyzer.

The Java parser interacts with the C ++ core using the Java Native Interface (JNI). SWIG (Simplified Wrapper and Interface Generator) is used to generate wrappers for functions. This allows you to reuse the functionality of the C ++ analyzer, as well as improve performance.

To stir up interest, I’ll give you a couple of errors that PVS-Studio can already detect in Java code.

JMonkeyEngine project. PVS-Studio warning: V6004 The 'then' statement is equivalent to the 'else' statement. VRMouseManager.java:139, 147

 if( environment.isInVR() == false ){ Texture tex = environment.getApplication(). getAssetManager().loadTexture(texture); mouseImage.setTexture( environment.getApplication().getAssetManager(), (Texture2D)tex, true); ySize = tex.getImage().getHeight(); mouseImage.setHeight(ySize); mouseImage.setWidth(tex.getImage().getWidth()); mouseImage.getMaterial().getAdditionalRenderState(). setBlendMode(BlendMode.Alpha); mouseImage.getMaterial().getAdditionalRenderState(). setDepthWrite(false); } else { Texture tex = environment.getApplication(). getAssetManager().loadTexture(texture); mouseImage.setTexture( environment.getApplication().getAssetManager(), (Texture2D)tex, true); ySize = tex.getImage().getHeight(); mouseImage.setHeight(ySize); mouseImage.setWidth(tex.getImage().getWidth()); mouseImage.getMaterial().getAdditionalRenderState(). setBlendMode(BlendMode.Alpha); mouseImage.getMaterial().getAdditionalRenderState(). setDepthWrite(false); } 

In the above code, the then and else blocks are the same. It is worth checking the code for an error, or remove duplication.

Project RxJava . PVS-Studio warning: V6022 Expression 'idx3> 0' is always true. JavadocWording.java:865

 if (idx1 > 0 && idx2 > 0 && (idx3 < 0 || (idx2 < idx3 && idx3 > 0))) { .... } 

Perhaps there is no real error here, but idx3> 0 checking is redundant. Since idx2> 0 , and idx2 <idx3 , idx3 will always be greater than zero.

IBM RPG

Not everyone knows what kind of language, so let's start with a brief description.

IBM RPG (Report Program Generator) is a programming language whose syntax was originally similar to the command language of IBM mechanical tabs. It was designed to facilitate the transition of engineers who serviced these tabs to new equipment and to transfer data. It was originally implemented for IBM 1401. It was widely used in the 1960s and 1970s.

Figure 2. IBM 1401. See also Ken Ross and Paul Laughton demo the IBM 1401 .

IBM continues to support the language at the present time, since it has a huge amount of code written on it that is unprofitable to translate into other programming languages.

In the version of RPG IV, released in 2001, introduced elements of object programming.

The compiler Visual RPG, developed by a third-party manufacturer, provides work under Windows and GUI support. There are also implementations for OpenVMS and other, more exotic platforms.

Learn more about the language in Wikipedia: IBM RPG . Plus, we are planning to write an overview article about this language soon.

Now we need to tell why we paid attention to this language.

We were contacted by a company potentially interested in static code analysis in the RPG language. Therefore, we decided to look at this language, and it interested us. As we understand, a lot of code is written in this language, which needs to be maintained and added new fragments. At the same time, there are very few specialists familiar with this language, which makes us think about additional ways to control its quality and correctness. It is from this that interest arises in the possibility of static code analysis.

We thought that since analyzers for languages ​​like Cobol and Ada continue to appear and develop in the world, then why don't we make an analyzer for RPGs. Moreover, this language is still deprived in terms of code analyzers. For example, there is a SonarRPG analyzer, but it only implements 8 diagnostics to detect errors. This is clearly not enough. I am sure: we would be able to offer users much more interesting diagnostics to identify these errors and typos.

We are not in a hurry to start creating an analyzer for the IBM RPG, but we decided to voice this topic in order to look for potential customers. If your organization is dealing with an IBM RPG, then we will be happy to talk with you and get your opinion on the prospects for developing an RPG analyzer.

If we see that there is indeed an interest in the RPG language, then in 2018 we will begin work in this direction.

Note. The IBM RPG analyzer, if it appears, will be supplied separately and have a special price (vintage is more expensive :).

Figure N3. Books on RPG language purchased. It remains to find a hero to read them.

macOS

We offer to pre-order and purchase licenses for the macOS version of the analyzer.

At the moment, macOS version is not ready, but there is nothing difficult in its creation. You just need to take and make it. I think if this issue becomes relevant, we will adapt PVS-Studio for macOS within a few months. Another thing is that while we are not in a hurry to do it. We are not sure that this is a priority, compared to others.

Therefore, we would be happy to sell several licenses in order to be convinced of practical interest on the part of the programming community.

Practical interest is important for us, and we have already “passed” abstract interest and made an unsuccessful CppCat product :). I would like not to repeat such mistakes.

Benefits that customers will get by purchasing a still unprepared PVS-Studio:

• For the price of an annual license, you can use PVS-Studio for 2 years.
• You will get the integration exactly for your build system and environment.

Keil, IAR

Keil and IAR are developing compilers for embedded systems. From time to time they write to us with a proposal to implement their support. There are no obstacles and some of the work has already been done. Unfortunately, not enough resources to bring it to mind and test. Hopefully we can find time for Keil and IAR in 2018.

Misra

Until recently, we looked very narrowly at the MISRA standard from a position — how many mistakes it would allow to find. This is the wrong approach. The meaning of such standards as MISRA is not to find as many errors in the project as possible. Their meaning is to further control the quality of the code and warn the programmer against the use of potentially dangerous language constructs.

For example, one of the MISRA rules prohibits the use of the goto operator. If you take and try to apply such a rule to the old, large, and at the same time long existing project, then the result is likely to be disappointment from such code verification. Almost certainly, there are no errors, but you have to rewrite a large number of algorithms to get rid of goto . This can do more harm than good by accidentally making mistakes in the process of refactoring code.

The MISRA standard is not used like this. The application should immediately be written in accordance with the rules specified in the standard. Figuratively speaking, MISRA is not a way of dealing with existing goto , but a way that these goto are not used when writing code.

We revised our attitude to the MISRA standard and understand that it is really necessary, although it does not fit into our model “they took a big project, launched PVS-Studio, found errors”. Our potential clients want to use both MISRA and find misprints at the same time, which PVS-Studio reveals remarkably.

We are going to meet our customers and have begun work on supporting the standards of MISRA C and MISRA C ++ in PVS-Studio. By default, MISRA warnings will be disabled. We do not want to fill the report window with such messages as “comments / * * / should not be used; // should be used”. However, at any time you can turn on the MISRA diagnostics kit and start using it regularly.

Conclusion

As you can see, we have a lot of plans for 2018. This article is written as a reason to start a discussion with our new potential users and find out what interests them most. We ask you to be active and write us your opinions on voiced directions. Especially weighty words are pre-orders of licenses :).

Thank you all for your attention and congratulations in advance on the upcoming New Year 2018!