Following up on "Three interviews about static analyzers", or the fourth interview

About a week ago I published on Habr the article "Three interviews on static code analyzers", which presented to the reader the views of experienced programmers from Acronis, AlternativaPlatform and NPO Echelon on software development methodology, as well as some of their thoughts on the use of static code analyzers.
Since the article was sponsored by Program Ver LLC, the developer of the PVS-Studio static analyzer, I decided to ask Andrey Karpov (technical director) to answer a few questions as well; namely, to comment on the interesting moments of all three interviews, and to add an address to colleagues and readers. The result is interesting.
Commentary on noteworthy points in the Acronis interview
A couple of times at a conference, during informal chats in the lobby or at the dinner table, I was asked: "Does anyone still program in C++?" And I was genuinely surprised when I replied: "Yes, and it is one of the most used languages." It's just that it is somehow not talked about today. All around one hears about PHP, Ruby, Go. C++ seems to be something "long ago and not true". And I am glad that people will once again see in the article that, for example, Acronis Backup is written in C++ and 70 programmers work on it constantly. I myself am not worried about the future of C and C++. I am just puzzled how it comes about that many consider C++ a dead language.
It was also nice to hear that code review is widely used at Acronis. This method of improving program quality is often underestimated, or it is believed to take too much time. The miser pays twice.
By the way, I know at least one example where multiplying sizeof by sizeof does make practical sense. Such a multiplication appears when one of the sizeof() calls is used to obtain the number of elements in an array. I mean this:
template <typename T, size_t N>
char (&ArraySizeHelper(T (&array)[N]))[N];
#define arraysize(array) (sizeof(ArraySizeHelper(array)))
Such an 'arraysize' protects against accidentally passing an ordinary pointer instead of an array as the argument. Details here.
As a result, a construction of the form "sizeof(float) * (sizeof(ArraySizeHelper(array)))" may well appear. But the PVS-Studio analyzer knows about such cases and does not issue a warning.
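As an added illustration (not code from the page or from any project it mentions): the helper completed with its template parameters, the legitimate sizeof-times-sizeof use, and the pointer-decay miscount that arraysize refuses to compile for. The function names bytes_needed and decayed_count and the sample arrays are assumptions made for this example.

```cpp
#include <cstddef>

// Array-size helper in the form shown on the page: only a real array of N
// elements binds to T (&)[N], so passing a pointer is a compile error.
template <typename T, std::size_t N>
char (&ArraySizeHelper(T (&array)[N]))[N];
#define arraysize(array) (sizeof(ArraySizeHelper(array)))

// Byte count needed to copy an array of T: this is exactly where
// "sizeof(T) * (sizeof(ArraySizeHelper(array)))" appears legitimately.
template <typename T, std::size_t N>
std::size_t bytes_needed(T (&arr)[N]) {
    return sizeof(T) * arraysize(arr);
}

// The classic idiom silently breaks once the array has decayed to a pointer:
// sizeof(p) is the size of the pointer, not of the array it points to.
// arraysize(p) would not compile here, which is the whole point of the helper.
std::size_t decayed_count(const float *p) {
    return sizeof(p) / sizeof(p[0]);
}

std::size_t element_count_ok() {
    float samples[12] = {0};      // constructed sample array
    return arraysize(samples);    // 12
}

std::size_t bytes_ok() {
    float samples[12] = {0};
    return bytes_needed(samples); // 12 * sizeof(float) == 48
}

bool decayed_is_wrong() {
    float samples[12] = {0};
    return decayed_count(samples) != 12;  // true: the pointer idiom miscounts
}
```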
Commentary on noteworthy points in the AlternativaPlatform interview
I am not familiar with Java, so I cannot comment on how well the language protects against errors. Of course, the mere absence of manual memory management greatly simplifies life. However, I think some errors are language independent, for example those that result from Copy-Paste. I think using a static analyzer to find typos would be quite appropriate for Java. But again, I don't know what the existing code analyzers offer for Java.
Commentary on noteworthy points in the NPO Echelon interview
One immediately senses a somewhat official style in the text. Apparently the specifics of the work and the kind of documents that have to be prepared leave their mark. On the one hand, I do not like such texts, since they are boring to read. On the other hand, I am envious. The text gives a sense of the solidity and seriousness of the work being done. We have nothing like that for PVS-Studio. We write a lot of articles about using PVS-Studio, but almost nothing about the analyzer itself and how important it is. We should also try to write solid descriptive texts about PVS-Studio.
By the way, taking this opportunity, I wanted to raise one topic. Our users and potential users do not consider PVS-Studio a tool capable of finding vulnerabilities at all. I do not understand this. Yes, we do not look for backdoors in code. We focus on finding bugs, not on defects that make software vulnerable. But still, I do not understand such a black-and-white division. After all, many errors can just as well be considered vulnerabilities. It is enough to look at the error from a different angle.
Take, for example, the UltimateTCPIP project and find the following error in it using PVS-Studio:
char *CUT_CramMd5::GetClientResponse(LPCSTR ServerChallenge)
{
    ...
    if (m_szPassword != NULL)
    {
        ...
        if (m_szPassword != '\0')
        {
            ...
        }
    ...
}
V528 It is odd that pointer to 'char' type is compared with the '\0' value. Probably meant: *m_szPassword != '\0'. UTMail ut_crammd5.cpp 333
We talk about such an error simply as a typo. The programmer forgot to dereference the pointer. As a result, the check that the string is empty is not performed. The code should have looked like this:
if (*m_szPassword != '\0')
But, on the other hand, this is a real vulnerability. Let us leave aside the question of whether this vulnerability can be exploited and how dangerous it is. The main thing is that a check for typos can reveal a real security hole. You never know what will go wrong if the program starts working with an empty password.
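To make the effect of the typo concrete, here is an added example (not UltimateTCPIP's code): a constructed stand-in for the class with the check as PVS-Studio found it next to the corrected check, and a function that reports the password values on which the two disagree. CramMd5Client, password_present_buggy, password_present_fixed and checks_disagree are names assumed for this example; the page's '\0' literal is spelled 0 in the buggy branch so that every compiler accepts it, with the same meaning (pointer compared with null).

```cpp
#include <cstddef>

// Constructed stand-in for CUT_CramMd5; the real class has many more members.
struct CramMd5Client {
    const char *m_szPassword;   // NULL when no password has been configured

    // Mirrors the code as found: the pointer, already known to be non-NULL,
    // is compared with null again, so the inner condition is always true and
    // an empty password is treated as if one had been set.
    bool password_present_buggy() const {
        if (m_szPassword != NULL) {
            if (m_szPassword != 0) {      // V528: compares the pointer, not *ptr
                return true;
            }
        }
        return false;
    }

    // Corrected form from the page: dereference first, then compare with '\0'.
    bool password_present_fixed() const {
        if (m_szPassword != NULL) {
            if (*m_szPassword != '\0') {
                return true;
            }
        }
        return false;
    }
};

// True when the typo changes the decision for this password value.
bool checks_disagree(const char *password) {
    CramMd5Client c{password};
    return c.password_present_buggy() != c.password_present_fixed();
}

// The one case that matters: an empty string passes the buggy check.
bool empty_password_slips_through() {
    CramMd5Client c{""};
    return c.password_present_buggy() && !c.password_present_fixed();
}
```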
Or another example from PostgreSQL:
char *
px_crypt_md5(const char *pw, const char *salt,
             char *passwd, unsigned dstlen)
{
    ....
    unsigned char final[MD5_SIZE];
    ....
    /* Don't leave anything around in vm they could use. */
    memset(final, 0, sizeof final);
    ....
}
V597 The compiler could delete the 'memset' function call, which is used to flush 'final' buffer. The RtlSecureZeroMemory() function should be used to erase the private data. pgcrypto crypt-md5.c 157
Here PVS-Studio detects that the 'final' array is not actually zeroed before the function exits. You can find out why from the description of diagnostic V597.
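An added example of the portable fix (not pgcrypto's or PVS-Studio's code): a zeroing routine whose stores go through a volatile pointer, so the optimizer cannot treat them as dead stores on a buffer that is about to go out of scope, shown in the same shape as px_crypt_md5's epilogue. secure_zero and checksum_and_wipe are assumed names, and the XOR-fold "digest" is a constructed stand-in for MD5; on Windows the RtlSecureZeroMemory named in the diagnostic, and on other platforms C11 memset_s or glibc explicit_bzero, do the same job.

```cpp
#include <cstddef>
#include <cstring>

// Zeroing that survives dead-store elimination: each write through a volatile
// pointer is an observable side effect, unlike a plain memset on a dying local.
void secure_zero(void *buf, std::size_t len) {
    volatile unsigned char *p = static_cast<volatile unsigned char *>(buf);
    while (len--) {
        *p++ = 0;
    }
}

enum { MD5_SIZE = 16 };

// Same shape as px_crypt_md5: copy secret material into a local scratch
// buffer, derive something from it, then wipe the buffer before returning.
// The XOR fold is a constructed placeholder for the real digest computation.
unsigned checksum_and_wipe(const char *pw) {
    unsigned char scratch[MD5_SIZE];
    std::size_t n = std::strlen(pw);
    if (n > sizeof scratch) n = sizeof scratch;
    std::memset(scratch, 0, sizeof scratch);
    std::memcpy(scratch, pw, n);
    unsigned sum = 0;
    for (std::size_t i = 0; i < sizeof scratch; ++i) sum ^= scratch[i];
    secure_zero(scratch, sizeof scratch);   // would be a removable dead store as memset
    return sum;
}

// Sanity check that secure_zero really clears every byte it is given.
bool zeroes_whole_buffer() {
    unsigned char b[8];
    std::memset(b, 0xA5, sizeof b);         // constructed non-zero content
    secure_zero(b, sizeof b);
    for (std::size_t i = 0; i < sizeof b; ++i) {
        if (b[i] != 0) return false;
    }
    return true;
}
```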
It is not clear to me why the PVS-Studio diagnostics are "insufficient for revealing vulnerabilities".
Your vision for the future of static code analyzers
In general, things are fine with static analysis. Tools in this area are developing rapidly and gaining great popularity.
I would like this to happen faster in Russia too. We have virtually no market for static analysis tools. This can be judged at least by the number of visits to our site, demo downloads and sales statistics. Half of all activity comes from visitors from Russia. But the share of Russian customers is not 50%, but only a small fraction. It is sad.
Address to readers and colleagues
A text in the spirit of "use static analysis in your work" would sound trite. Therefore, I will raise a non-standard topic.
I wish you successful communication between superiors and subordinates. Often the instructions of management look strange, to say the least. But keep in mind that the boss often has a large amount of knowledge about the project as a whole. And what seems strange to a subordinate can, at a higher level, be very useful or simply forced. Unfortunately, programmers' bosses often come from programmers themselves and therefore tend toward introversion. In other words, when setting a task, they do not consider it necessary to explain why all this is needed. They should be understood and forgiven. And then, by asking questions, one should find out what caused such a strange order. Most likely, the boss will not mind explaining. He simply forgot about it or "optimized" the communication time, reducing a complex task to "do it like that". Accordingly, I wish management not to forget to explain their steps and decisions.
And thanks to the organizer of the interview.
Conclusion
So, dear readers, we may say that you have just been shown the bonus materials. The author hopes you found them interesting. With that, allow me to take my leave. Write high-quality code and use the widest range of useful tools. All the best! We do not say goodbye.