One day from PVS-Studio user support







We welcome any discussion on the topic of code quality. Clients, students and other users write to us from all over the Internet, regardless of country, time zone or language. Spoken language, that is: among programming languages we are still interested in a limited set, currently C, C++, C# and Java. Such communication has many benefits. We implement some user suggestions right away, because they are really helpful. Often we simply help with someone else's project by explaining analyzer warnings that in the end turn out to point to a real error. This note is about one such case.



About the analyzer



PVS-Studio is a tool for detecting errors and potential vulnerabilities in the source code of programs written in C, C++, C# and Java. It runs on Windows, Linux, and macOS.



For communication, there are 3 forms of feedback:



  1. Feedback
  2. Trial request
  3. Price request


Thursday evening



One active user who tried the analyzer on his code began sending us reports of false positives. Before I could answer, three letters had accumulated. It was the end of the working day, and I had little energy left (which says something about the reliability of manual code review). Our team was actively preparing for a big release, which was a few days away.



I decided to postpone the answer to Friday or even to the next week:



Hello, Konstantin.



We parse warnings. Next week I will comment on suspicious places :-)



This note shows that static code analysis is very effective, and that manual code review will be inferior to automatic checking in many cases, especially at the end of the working day.



With the permission of the user, I’ll tell you about the correspondence:



Letter 1



False positive V712:



    uint32_t StartUpCounter = 0, HSEStatus = 0;

    RCC->CR |= ((uint32_t)RCC_CR_HSEON);

    /* Wait till HSE is ready and if Time out is reached exit */
    {
      HSEStatus = RCC->CR & RCC_CR_HSERDY;
      StartUpCounter++;
    } while((HSEStatus == 0) && (StartUpCounter != HSE_STARTUP_TIMEOUT)); // V712...





Letter 2



There is a false positive V715:



    { // V715 ... lpmode.cpp 356
      HSEStatus = RCC->CR & RCC_CR_HSERDY;
      StartUpCounter++;
    } while((HSEStatus == 0) && (StartUpCounter != HSE_STARTUP_TIMEOUT));





Letter 3



Christmas tree sticks, enchanted place! Everything is there, swears (see code from previous letters):



V560 A part of conditional expression is always true: (StartUpCounter != ((uint16_t)0x5000)). lpmode.cpp 356



V776 Potentially infinite loop. The variable in the loop exit condition 'HSEStatus == 0' does not change its value between iterations. lpmode.cpp 356



Maybe I don’t understand something? But in practice, everything works, and if the quartz does not start, then we exit this section by timeout ;-)



Letter 4 (answer)



Hello, Konstantin.



We parse warnings. Next week I will comment on suspicious places :-)



Letter 5



Heck! I only saw the code after your writing with lateral vision - the do statement was skipped ... Everything fell into place! Quite an eye blurred%)



do {...} while (...);



Conclusion



As you can see, there were 4 analyzer warnings for the same place, but it still took time to convince the user of an error. In such a situation, a manual review would not even have a chance.
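Why the missing `do` matters at run time, as an added example that is not code from the correspondence: without `do`, the braces are an ordinary block that runs once, and `while (...);` is a separate loop with an empty body, so the status is never re-read and the timeout counter never advances. The simulated register `read_cr()`, the `RCC_CR_HSERDY` bit value, `SPIN_GUARD` and `result_t` are assumptions made so the demo runs on a PC and terminates.

```c
#include <stdint.h>
#include <stdio.h>

#define RCC_CR_HSERDY       0x00020000u        /* assumed ready-bit value */
#define HSE_STARTUP_TIMEOUT ((uint16_t)0x5000) /* value quoted in the V560 message */
#define SPIN_GUARD          100000u            /* demo only: stands in for "hangs forever" */

static uint32_t ready_after; /* constructed: read number at which the bit appears, 0 = never */
static uint32_t reads;       /* how many times the simulated register was read */

static uint32_t read_cr(void) {                /* stands in for reading RCC->CR */
    reads++;
    return (ready_after != 0 && reads >= ready_after) ? RCC_CR_HSERDY : 0;
}

typedef struct { int hung; uint32_t reads, counter, status; } result_t;

/* As in Letter 1: no `do`. The block runs once, then an empty-bodied loop follows. */
result_t wait_without_do(uint32_t ready_at) {
    uint32_t StartUpCounter = 0, HSEStatus = 0, spins = 0;
    ready_after = ready_at; reads = 0;
    {
        HSEStatus = read_cr() & RCC_CR_HSERDY;
        StartUpCounter++;
    }
    while ((HSEStatus == 0) && (StartUpCounter != HSE_STARTUP_TIMEOUT)) {
        /* the original body is just `;`; this guard only lets the demo end */
        if (++spins == SPIN_GUARD) return (result_t){1, reads, StartUpCounter, HSEStatus};
    }
    return (result_t){0, reads, StartUpCounter, HSEStatus};
}

/* With `do` restored: the register is polled until ready or until the timeout. */
result_t wait_with_do(uint32_t ready_at) {
    uint32_t StartUpCounter = 0, HSEStatus = 0;
    ready_after = ready_at; reads = 0;
    do {
        HSEStatus = read_cr() & RCC_CR_HSERDY;
        StartUpCounter++;
    } while ((HSEStatus == 0) && (StartUpCounter != HSE_STARTUP_TIMEOUT));
    return (result_t){0, reads, StartUpCounter, HSEStatus};
}

int main(void) {
    result_t a = wait_without_do(0), b = wait_with_do(0);
    printf("without do: hung=%d reads=%u counter=%u\n", a.hung, (unsigned)a.reads, (unsigned)a.counter);
    printf("with do:    hung=%d reads=%u counter=%u\n", b.hung, (unsigned)b.reads, (unsigned)b.counter);
    return 0;
}
```

The version without `do` only finishes when the ready bit is already set on the very first read, which is why such code can appear to work on the bench.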



A similar story with a happy ending: "How PVS-Studio turned out to be more attentive than three and a half programmers."



Use static analyzers in your project. They are not a substitute for code review with a colleague, but are a useful complement to code quality control.











If you want to share this article with an English-speaking audience, then please use the link to the translation: Svyatoslav Razmyslov. One Day from PVS-Studio User Support.


