Appreciate Static Code Analysis!

I am really astonished by the capabilities of static code analysis even though I am one of the developers of PVS-Studio analyzer myself. The tool surprised me the other day as it turned out to be smarter and more attentive than I am.

You must be careful when working with static analysis tools. Code reported by the analyzer often looks fine and you are tempted to discard the warning as a false positive and move on. Even I, one of the PVS-Studio developers, fall into this trap and fail to spot bugs every now and then. A few days ago, I opened two tickets in our bug tracker reporting the V614 diagnostic, which looks for use of uninitialized variables and arrays.

In both cases, I was sure the analyzer was wrong and needed fixing up. Here’s the first case:

I read this code four times but saw nothing suspicious. I concluded it was a false positive that needed fixing, but the analyzer was actually right, while I was not attentive enough.

The caption buffer remains uninitialized. Look at the first lines: both strings are written to buffer text. This is a typo and I overlooked it.

The second case is even more epic:

PVS-Studio warned about the use of uninitialized buffer buf. Nonsense! I reported it as a bug to be fixed since it was obvious that the sprintf function did initialize the buffer and the code was fine.

No way! Again, PVS-Studio was right and I was wrong. The creation excelled the creator. :)

Look what the mean author of that code wrote in one of the header files:

sprinf expands into std::printf. Yes, that is right, sprintf does the same as printf in this program.

What a shame! It turns out the printffunction uses uninitialized buffer buf as a format string.

So, appreciate and use static code analyzers! They will help save your time and nerve cells.

By Andrey Karpov