Android and iOS application development differ in style and nature, so an application has to be developed separately for each platform, which costs extra money and effort. This has long been considered a major flaw of the mobile application development industry.
A year after writing the article about checking Tizen, the developers of the PVS-Studio static analyzer checked the quality of operating system code again, this time demonstrating their product's ability to detect errors and potential security vulnerabilities in the Android code.
Although the Android code is of high quality and well tested, and its development already includes at least the use of the Coverity static analyzer, PVS-Studio still managed to find a lot of interesting defects. Some of the errors fall into CWE (Common Weakness Enumeration) categories, and under the right combination of circumstances such a weakness can become an exploitable vulnerability (CVE). That is why, if you want to protect your code from security vulnerabilities, you should find as many CWE-class bugs as possible and eliminate them.
According to its developers, PVS-Studio is a tool for static application security testing (SAST) and can detect many potential vulnerabilities before they cause harm. The article describes examples of errors in the following categories:
- Pointless comparisons
- Null pointer dereference
- Private data is not cleared in memory
- Unspecified/implementation-defined behavior
- Incorrect memory control
- Array index out of bounds
- Broken loops
and so on.
In total, 490 CWE-class defects were detected in 1855000 lines of code, i.e. more than one per 4000 lines.
Development of large, complex projects is impossible without programming methodologies and tools that help monitor the quality of the code: a sound coding standard, code reviews, unit tests, and static and dynamic code analyzers. All of these help to detect defects at the earliest stages of development. Use additional programs and methods to control the quality of your code and make your product secure!
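As an added illustration (constructed here, not code from the Android sources or from the PVS-Studio article), two of the defect classes listed above, each beside the form a reviewer would want instead:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed sample table for the lookup functions below. */
const int kTable[] = { 10, 20, 30 };

/* Pointless comparison + array index out of bounds: 'idx' is a size_t, so
   'idx < 0' can never be true, and the real length is never consulted. */
int lookup_flawed(const int *table, size_t len, size_t idx) {
    (void)len;                      /* the real bound is ignored */
    if (idx < 0)                    /* always false for an unsigned index */
        return -1;
    return table[idx];              /* may read past the end of 'table' */
}

/* Fixed: the check that matters is against the length, not against zero. */
int lookup_checked(const int *table, size_t len, size_t idx) {
    if (table == NULL || idx >= len)
        return -1;
    return table[idx];
}

/* Private data not cleared in memory: 'key' is never read after the memset,
   so an optimizing compiler may treat the store as dead and remove it. */
void wipe_flawed(uint8_t *key, size_t len) {
    memset(key, 0, len);
}

/* Fixed: call memset through a volatile function pointer; the compiler cannot
   prove the call has no effect, so the wipe survives optimization
   (explicit_bzero() or memset_s() serve the same purpose where available). */
void *(*const volatile secure_memset)(void *, int, size_t) = memset;

void wipe_checked(uint8_t *key, size_t len) {
    secure_memset(key, 0, len);
}

/* Fills a constructed 16-byte key, wipes it, returns 1 if every byte is zero. */
int wipe_demo(void) {
    uint8_t key[16];
    memset(key, 0xAB, sizeof key);
    wipe_checked(key, sizeof key);
    for (size_t i = 0; i < sizeof key; i++)
        if (key[i] != 0)
            return 0;
    return 1;
}
```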
Source - https://www.viva64.com/en/b/0579/
The PVS-Studio static analyzer team, which until recently searched for bugs and potential vulnerabilities only in C, C++, and C# code, has prepared a version of its tool for Java code as well. Although the Java world already has a number of static analysis tools, the developers believe their analyzer can be a strong one and will compete well.
One of the developers described in his article how PVS-Studio for Java was created. The first step was to work out how to build the syntax tree and the semantic model, since these are the basic elements around which a static analyzer is built. The analyzer also requires data-flow analysis, which computes the possible values of variables and expressions at each point of the program and thereby finds errors. It also needs an annotation mechanism, diagnostic rules, integration, testing, and other components, all explained in detail in the article.
As usual, the author gave examples of errors that the Java analyzer detected in various open source projects, and noted that articles with a more detailed report on each project will follow. So far you can review errors from the Hibernate, Hive, JavaParser, and Jenkins projects, among several others.
In addition, the developers invite anyone interested to take part in testing the first alpha version of the Java analyzer once it is available. To do so, write to their support and they will contact you.
Full article - https://www.viva64.com/en/b/0572/
If you are a software developer working in the video game industry, wondering what else you could do to improve the quality of your product or make the development process easier, and you don't use static analysis, it's just the right time to start doing so. You doubt that? OK, I'll try to convince you. And if you are just looking to see what coding mistakes are common among video-game and game-engine developers, then you are, again, in the right place: I have picked the most interesting ones for you.
One of the best ways to prove that static analysis is a useful method is probably through examples showing it in action. That's what the PVS-Studio team does while checking open-source projects. After publishing various articles, we compiled our top-10 mistakes from program code in the video-game industry, and now we suggest you read this article - https://www.viva64.com/en/b/0570/
List of projects considered in the article:
- X-Ray Engine
- CryEngine V
- Space Engineers
- Quake III Arena GPL
- Doom 3
- Unreal Engine 4
Although video-game development includes a lot of steps, coding remains one of the basic ones. Even if you don’t write thousands of code lines, you have to use various tools whose quality determines how comfortable the process is and what the ultimate result will be. Static analysis is a very useful tool when developing, and one more option to help you improve the quality of your code (and thus of the final product).
Software bugs can lead not only to material losses but also to damage to human health. For example, actors on a theatre stage can be injured if a piece of scenery suddenly starts to descend at the wrong time. The connection between errors in code and harm to health is even more obvious for medical software. Let's talk about this topic.
This article is aimed at the teams of developers who write software for medical equipment. I hope they will not stay indifferent and will check their code. Let's recall two famous cases where errors in programs related to medicine became the reason for bad news.
The first is the series of tragic events caused by errors in the Therac-25 radiation therapy device. Between June 1985 and January 1987 the device caused at least six radiation overdoses; some patients received doses of tens of thousands of rad, and at least two people died directly from the overdoses. Software bugs in the device were the cause of the tragedies, and the main problem was an incorrect safety strategy.
Firebird, MySQL, and PostgreSQL are probably the best-known DBMS projects. Naturally, they are often compared with each other by functionality, usability, and so on. We decided to perform our own comparison of the code quality of these projects.
The article reviews bugs detected by the PVS-Studio static code analyzer. A 'direct' comparison by the number of warnings is poorly applicable here, so other ways to compare have to be found. For example, you can analyze the projects for potential vulnerabilities and see which of the most interesting errors are found in each. From such a review you can estimate which code is better and find out who emerges victorious from this battle.
Read more - https://www.viva64.com/en/b/0542/
I should warn you honestly: take this text with a certain amount of skepticism. I have only recently started to get acquainted with the internals of PHP, but I would like to tell you what is happening behind the scenes of bug #75237.
Is the rabbit hole deep?
How many minutes do you need to understand what the trick is?
Francis Bacon in 1620 divided the sources of human error on the path to knowledge into four groups, which he called "ghosts" or "idols" (Latin idola).
The "Idols of the Tribe" stem from human nature itself; they depend neither on culture nor on the individuality of a person. "The human mind is like an uneven mirror, which, mixing its own nature with the nature of things, reflects things in a distorted and disfigured form."
The inspiration for this article came from reading a similar publication for the x86 architecture.
This material will help those who want to understand how programs are built from the inside, what happens before main is entered, and why all of this is done. I will also show how to use some features of the glibc library. At the end, as in the original article, the path traversed will be shown visually. Most of the article is a walk through the glibc library.
So, let's start our trip. We will use Linux x86-64, with lldb as the debugging tool. Sometimes we will also disassemble the program with objdump.
The source text is the usual Hello, world (hello.cpp):
#include <iostream>
int main() { std::cout << "Hello, world!" << std::endl; }
Something is happening. People are unhappy. The spectre of civil unrest haunts our programming communities.
For the first time a significant number of web developers are openly questioning the web platform. Here is a typical article and discussion. I could list more, but if you are interested enough in programming to read this article, you have probably already read at least one pompous recitation this year about the current state of web development. This article is not one of those. I cannot compete in bashing the existing status quo with people who have to deal with web development every day. This is a different article.
It's you, the front end hacker