QEMU is a rather well-known application for emulation. Static analysis can help developers of complex projects such as QEMU catch errors at early stages and generally improve quality and reliability of a project. In this article, we will check the source code of the QEMU application for potential vulnerabilities and errors using the PVS-Studio static analysis tool.
PVS-Studio, originally developed as a universal tool for finding errors in software code, is now gradually focusing on ensuring safety and security of applications, identifying potential zero-day vulnerabilities. This was facilitated by the support of CERT and MISRA standards, the classification of analyzer warnings in accordance with the CWE standard, the development of data flow analysis mechanisms for tainted data checking, and so on.
The development of the PVS-Studio analyzer is speeding up. Therefore, most likely, now each release will be followed by a special note so that users don't miss changes that may be useful to them. What's interesting is that from now on we won't just list everything that was added or improved. Rather, now on the contrary, the purpose is to highlight the most important features in the news to avoid having just a boring list of changes. So, we offer you a press release for PVS-Studio 7.09.
XMage is a client-server application for playing Magic: The Gathering (MTG). XMage's development was started in early 2010. Since then, it has seen 182 releases, attracted an army of contributors, and it's still being actively developed even now. All that makes it a good reason for us to contribute to its development too! So, today the PVS-Studio unicorn is going to check the code base of XMage and maybe even get into a fight with some entities.
We were asked to check a collection of open source PMDK libraries for developing and debugging applications with NVRAM support by PVS-Studio. Well, why not? Moreover, this is a small project in C and C++ with a total code base size of about 170 KLOC without comments. Which means, the results review won't take much energy and time. Let's go.
Some people wonder why our site is named Viva64, the product is called PVS-Studio, and the company's name is OOO "Program Verification Systems". It's really weird, so it's time to set things right. Renaming the company will be the first step. For sure, many people are interested in the question why there is such a variety of names. Short explanation: due to historical reasons. This article is a more detailed story of how it happened.
This article is about the check of the OpenRA project using the static PVS-Studio analyzer. What is OpenRA? It is an open source game engine designed to create real-time strategies. The article describes the analysis process, project features, and warnings that PVS-Studio has issued. And, of course, here we will discuss some features of the analyzer that made the project checking process more comfortable.
Sometimes, tired of endless code review and debugging, you start wondering if there are ways to make your life easier. After some googling or merely by accident, you stumble upon the phrase, "static analysis". Let's find out what it is and how it can be used in your project.
To keep it interesting, this time I'd like to tell about our approach to developing and polishing diagnostic rules for PVS-Studio Java. You will learn how we keep existing warnings consistent across releases and why the new ones aren't too weird. I'll also share a bit of inside information on what plans we, the Java team, have for the future, and show you a few interesting (and a few plain) bugs we found using the diagnostics from the upcoming release.
Static code analysis is most effective when changing a project, as errors are always more difficult to fix in the future than at an early stage. We continue expanding the options for using PVS-Studio in continuous development systems. This time, we'll show you how to configure pull request analysis using self-hosted agents in Microsoft Azure DevOps, using the example of the Minetest game.