Finding Bugs using Path-Sensitive Static Analysis Gábor Horváth Gabor.Horvath@microsoft.com @XazaxHunWelcome to CppCon 2021! Join #visual_studio channel on CppCon Discord https://aka.ms/cppcon/discord latest announcements Take our survey https://aka.ms/cppconAgenda • Intro to path-sensitive static analysis • Path-sensitive checks in MSVC • A look under the hood • Upcoming features • Lessons learned2012 -> Unknown p -> Null p -> MaybeNull p -> MaybeNull Warning Unknown Null NotNull MaybeNull Analysis state Transition semi-lattice• Some paths are infeasible: • Not taking branch 1, but taking branch

https://www.meetup.com/St-Petersburg-CPP-User- Group/ ● C++ Russia: https://cppconf.ru/en/Why Code Analysis?Software QualityReadability Maintainability tools fuzzer battery life Repeatable tests Undefined Behavior – Fun with NULL pointers, part 1: https://lwn.net/Articles/342330/Why code analysis – ● Improve software quality ● Lower developer frustration ● Avoid UBLanguageLanguage helps Built-in compiler check ○ Current LLVM implementation gives 5% overhead ○ Annotations to help analysis: gsl::SharedOwner, gsl::Owner, gsl::Pointer void sample1() { int* p = nullptr; {

Navigation ☑️� Linters ☑️� Colorization & Formatting ☑️� IntelliSense ⌛; ☑️�MSVC ☑️�MSVC Code Analysis ☑️�MSBuild ; CMake ⌛ ; GCC ⌛ ; Clang/LLVM ⌛ ☑️�Stepping ☑️�Parallel Stacks ☑️�Debugger 4. Developer and Team Productivity Static Analysis ✴ New and improved checkers in MSVC Code Analysis • Returning a local variable with std::move • Path-sensitive bounds checking • Use-after-move • Lifetime Oct 28 – 4:45pm / Fri, Oct 29 – 12:00pm Finding bugs using path-sensitive static analysis Gabor Horvath – _3 Tue, Oct 26 – 3:15pm Static Analysis and Program Safety in C++: Making it Real Sunny Chatterjee

Documentation in The Era of Concepts and Ranges – Sy Brand & Christopher Di Bella (Google) • Static Analysis and Program Safety in C++: Making it Real – Sunny Chatterjee • In-memory and Persistent Representations Code – Julia Reid • Why does std::format do that? – Charlie Barto • Finding bugs using path-sensitive static analysis – Gabor Horvath (online 29th)Happy Coding! Thank you Twitter: @jureid22

milliseconds; using time_point = time_point; static constexpr bool is_steady = false; static time_point now() {} }; static_assert(is_clock_v); For a type T to qualify as a SYSTEM\CurrentControlSet\Control\LeapSecondInformation • For pre-2018 leap seconds, we maintain a static constexpr table to pull data from. • Note that we don’t currently have a way to detect upcoming October update). • However, because leap seconds happen infrequently, we plan to update this static table periodically so older OSes can still detect more recent leap seconds (they will just need

= __range.end(); for(; __begin != __end; __begin++) { char c = *__begin; [...] } Lifetime analysis for everyone - Gábor Horváth & Matthias Gehre - CppCon 2019C++ is getting safer: P2718! string = __range.end(); for(; __begin != __end; __begin++) { char c = *__begin; [...] } Lifetime analysis for everyone - Gábor Horváth & Matthias Gehre - CppCon 2019 optional mayReadInput(); for(char = __range.end(); for(; __begin != __end; __begin++) { char c = *__begin; [...] } Lifetime analysis for everyone - Gábor Horváth & Matthias Gehre - CppCon 2019 optional mayReadInput(); for(char

judicious programming techniques • Supported by libraries • Enforced by language rules and static analysis • The basic model for achieving that can be found in A brief introduction to C++'s model for 2023 9 Stability is a featureChallenges • Describe a type-safe C++ use • No violations of the static type system • No resource leaks • Convince developers to use that safe (or just safer) styles of • C++ was designed to be an evolving language • Relying on feedback is just good engineering • Static type safety was an ideal from day #1 • It still is • But an elusive ideal under real-world constraints

with its built-in checks. Static analysis is great, but you also get tons of false positives. Now that you’re hooked on smart tools, you have to try dynamic/runtime analysis. After years of improvements Victor Ciura | @ciura_victor - 2020: The Year of Sanitizers? Vignette in 3 parts Static Analysis Dynamic Analysis Warm Fuzzy Feelings10 2020 Victor Ciura | @ciura_victor - 2020: The Year of debugger linter/formatter test framework perf profiler CI/CD service SCM client package manager static analyzer dynamic analyzer (runtime) automated refactoring tools build system + fuzzing code

this so hard?Why is this so hard? Performance Analysis Performance Profiling how to do it right how to do it betterWhy is this so hard? Performance Analysis how to do it rightint main(int argc, char tv_usec = 0; setitimer(ITIMER_REAL, &timer, 0); } A Typical performance evaluation static void flush_icache(void* begin, size_t size) { uintptr_t p = (uintptr_t)begin & ~15UL; for p += 16; } asm("isync"); } DataHeapType* getDataHeap() { static char buf[sizeof(DataHeapType)]; static DataHeapType* _theDataHeap = new (buf) DataHeapType; return _theDataHeap;