Published in


Build to order? Checking MSBuild for the second time

MSBuild is a popular open-source build platform created by Microsoft. Developers all over the world use MSBuild. In 2016, we checked it for the first time and found several suspicious places. Can we find anything this time? Let’s see!


Since the previous check, the project has grown a lot. Our analyzer has become more advanced, too. This only makes this task more interesting! Despite the high quality of the MSBuild product and the well-known name of its creator, we again managed to find some issues in MSBuild’s source code. The project is almost entirely written in C#. You can see it on GitHub. We took the code from this commit.

To compare the analysis results, let’s look at two diagrams:

After the second check, the analyzer issued 839 warnings. Last time, there were only 262. The number of Medium-level warnings has increased fourfold. Warnings of this level of certainty prevail in our article. The number of Low-level warnings increased by about two and a half times. High-level warnings increased by almost two times.

Six years have passed since the first check — and we, the developers of PVS-Studio, weren’t wasting our time :). Since the first MSBuild check, we have added 64 GA (General Analysis) and 23 OWASP diagnostics to the C# analyzer. We’ve also enhanced existing diagnostic rules. But not only C# developers have done significant work. If you want to track how the analyzer has been changing — click here.

Let’s look at the most interesting warnings.

Wrong increment

Issue 1

PVS-Studio’s warning: V3133 Postfix increment for variable ‘parsePoint’ is senseless because this variable is overwritten. Scanner.cs 310

Perhaps the developer expected the ScanForPropertyExpressionEnd to accept the incremented parsePoint value as the second argument. Unfortunately, this won’t happen. The problem is in using the postfix notation for the increment. In this case, first the variable’s current value is returned, and only then is it incremented.

Therefore, the initial value of parsePoint is passed to the method. The value obtained after executing ScanForPropertyExpressionEnd is assigned to the parsePoint variable. Because of this, the variable’s increased value is overwritten. So, the increment operation does not affect anything in this code fragment.

This issue can be fixed by changing the postfix notation to the prefix one:

parsePoint = ScanForPropertyExpressionEnd(expression, ++parsePoint);

Suspicious logical expressions

Issue 2

The analyzer issued three warnings for this code fragment:

  • V3022 Expression ‘leftConflictReference.IsPrimary && rightConflictReference.IsPrimary’ is always false. ReferenceTable.cs 2388
  • V3063 A part of conditional expression is always true if it is evaluated: !isNonUnified. ReferenceTable.cs 2389
  • V3063 A part of conditional expression is always true if it is evaluated: !isNonUnified. ReferenceTable.cs 2390

The second and the third warnings are a consequence of the problem marked by the first warning. Let’s look at the condition of the last if. As we can see, the if body’s leftConflictReference.IsPrimary and rightConflictReference.IsPrimary values are always false.

The isNonUnified variable is initialized with the value obtained after leftConflictReference.IsPrimary && rightConflictReference.IsPrimary is executed. These variables are both false. Therefore, isNonUnified is always false.

Then isNonUnified is used as a part of an expression to initialize two more variables:

Therefore, the value of these variables depends only on the right operand of the ‘&&’ operator. The code can be simplified by replacing the if body with the following:

Most likely, the code doesn’t contain any errors, just some unnecessary operations. However, we cannot ignore the analyzer’s warning — it’s not a false positive. My teammate wrote an article about that, I highly recommend you to read it.

Issue 3

PVS-Studio’s warning: V3063 A part of conditional expression is always false if it is evaluated: dllArchitecture == SystemProcessorArchitecture.MSIL. ReferenceTable.cs 2968

The dllArchitecture variable is initialized by the SystemProcessorArchitecture.None value. This variable can be assigned another value only in the switch body. If you look closely, you can notice that SystemProcessorArchitecture.MSIL isn’t assigned in any of the case blocks. Note that (SystemProcessorArchitecture) 6 doesn’t match the MSIL element. There is no assignment of this variable in the default branch.

Below switch, there’s a check that dllArchitecture equals SystemProcessorArchitecture.MSIL. Looks weird — dllArchitecture can’t have this value.

The code also contains a comment that explains a part of the condition: “If the assembly is MSIL or none it can work anywhere so there does not need to be any warning ect.” So, the check wasn’t accidental. This makes the code very suspicious.

Issue 4

Can you find an error here?

Something tells me that you either didn’t find it or you did but spent hours searching. Let’s shorten this code fragment a bit:

PVS-Studio’s warning: V3008 The ‘_toolsetProvider’ variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 284, 282. BuildParameters.cs 284

Now you can easily find an issue here. The _toolsetProvider field is assigned a value twice. This is absolutely pointless. Hard to say whether it’s really an error. It’s unclear if there should be something else instead of one of the _toolsetProvider assignments. Perhaps, this is an unnecessary assignment, but it’s better to avoid such cases.

This issue is a good example of how static analysis can help. The human eye will almost always fail to find a problem in such code, but the static analyzer won’t.

Mixed-up arguments

Issue 5

PVS-Studio’s warning: V3066 Possible incorrect order of arguments passed to ‘SdkResult’ constructor: ‘sdkResult.Warnings’ and ‘sdkResult.Errors’. InternalEngineHelpers.cs 83

To understand this warning, we need to inspect the SdkResult constructor declaration first:

A rather rare and interesting warning. It usually points to a serious error. Judging by the parameters’ names, we can conclude that the second parameter is a collection of errors and the third one is a collection of warnings. Now it’s clear why the analyzer issued a warning. When an object is created in the CloneSdkResult method, sdkResult.Warnings is passed as the second argument, and sdkResult.Errors is passed as the third argument. Most likely, the order of arguments was mixed up here — it is difficult to imagine a situation where a warning and an error would be interchangeable.

Potential null dereference

Issue 6

PVS-Studio’s warning: V3125 The ‘project’ object was used after it was verified against null. Check lines: 2446, 2439. Engine.cs 2446

The project variable is checked for null in this condition:

if (String.IsNullOrEmpty(toolsVersion) && project != null)

The following condition accesses the project.FullFileName property. But project isn’t checked for null there — hence the problem. This is odd: the developer suspects that the variable could be null seven code lines above this one, but doesn’t suspect it now.

It’s worth noting that the state of the variable cannot change and buildRequest.ProjectFileName is not related to project in any way. Dereferencing a null reference will lead to NullReferenceException.

Issue 7

PVS-Studio’s warning: V3125 The ‘item’ object was used after it was verified against null. Check lines: 139, 134. BuildItemCacheEntry.cs 139

In the foreach body, the item variable is checked for null. If item is null, 0 is written to the stream. Then, without any condition, 1 is written to the stream, and then… Then NullReferenceException is thrown. This will happen because of the item’s writeToStream call.

Perhaps the else block is missing here. Below is a possible way to correct the error:

Issue 8

PVS-Studio’s warning: V3153 Enumerating the result of null-conditional access operator can lead to NullReferenceException. Consider inspecting: properties?.Keys. MockEngine.cs 165

In the code above, the foreach block iterates through a collection. To obtain this collection, the foreach statement uses the ‘?.’ operator. The developer could have assumed that if properties is null, the code in the foreach body simply won’t execute. Although that is correct, here’s a problem — an exception will be thrown.

The GetEnumerator method is called for the iterated collection. It’s not hard to guess the outcome of calling this method for a variable that carries the null value.

You can find a more detailed analysis of such issues in this article.

Issue 9

The analyzer issued two warnings for this code fragment:

  • V3125 The ‘propertyValue’ object was used after it was verified against null. Check lines: 3301, 3253. Expander.cs 3301
  • V3095 The ‘propertyValue’ object was used before it was verified against null. Check lines: 3301, 3324. Expander.cs 3301

Actually, both these warnings point out the same problem. Let’s look at the condition of the first if. A part of this condition checks propertyValue for null. This implies that the developer expected this value could be null. There may be a case where propertyValue == null is true while the second part of the condition is false. Therefore, the else branch would be executed. In that branch, the null reference would be dereferenced when the propertyValue.GetType method is called. It is also worth noting that further on, before the method is called, PropertyValue is checked for null.


In this article we described not only issues, diagnostics for which didn’t exist when we first checked MSBuild, but also warnings from relatively old diagnostics.

Obviously, new diagnostics helped find errors that we didn’t see during the first check. The old diagnostics use core mechanisms. We constantly enhance these mechanisms to achieve high-quality analysis, that’s why old diagnostics issue new warnings.

You may ask a question: “Why did you describe only 9 warnings?” We wanted to show you the most interesting ones without making the article boring.

Last, but not least, we’d like to acclaim the MSBuild developers’ hard work — they really care about the project’s quality.

We are constantly working hard to keep enhancing PVS-Studio: new diagnostics are being added, old ones are being modified. This allows you to find more code fragments that could be dangerous for your program. You can try PVS-Studio for free and see what it can find in your project.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Unicorn Developer

Unicorn Developer


The developer, the debugger, the unicorn. I know all about static analysis and how to find bugs and errors in C, C++, C#, and Java source code.