Become a fan of Slashdot on Facebook


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×

Submission + - SPAM: New hobby of PVS-Studio team: fixing potential vulnerabilities in open source

Andrey_Karpov writes: The topic of vulnerabilities detected in various open source projects is extremely popular nowadays. The news about that can be found on different sites (example: Adobe fixes 8 Security Vulnerabilities in Adobe Flash Player & Shockwave Player). However, it is of no use to discuss these vulnerabilities (CVE) from a programmers' point of view. It is more important to prevent these vulnerabilities at the stage of writing the code, rather than worry that some leak was found again. Therefore, the Common Weakness Enumeration list (CWE) is of greater interest to the developers.

This list (CWE) presents systematized errors that may cause vulnerabilities. There are different factors that influence the fact, if an error turns into a vulnerability or not. In other words, a defect sometimes can be exploited, and sometimes not, depending on luck.

What is significant, is that by eliminating the errors, given in CWE, a programmer protects the code from a great number of potential vulnerabilities in advance. Static analyzers can be great assistants in this case.

PVS-Studio has always been able to detect a large number of various weaknesses (potential vulnerabilities) in the program code. However, historically, we positioned PVS-Studio as a tool to search for errors. As I've already said, there is a trend in the software development to look for vulnerabilities in the code, although it's just the same. We started rebranding of our tool. Common Weakness Enumeration (CWE) was the first thing we looked at and wrote an article where provided a draft of a table, presenting the comparison of PVS-Studio diagnostics and CWE. We also demonstrated a couple of potential vulnerabilities in Apache HTTP Server.

That was not the end. We got interested in fixing potential vulnerabilities in various projects. Moreover, we decided to compile these small actions on making the world a better place, into small weekly reports. The first one covered the defects in C# projects (CoreFX, MSBuild).

The second would be interesting for the community of C and C++ programmers. It is about errors in such projects as FreeBSD, GCC, Clang.

Some may say that nor every project requires testing for the potential vulnerabilities from the CWE point of view. I agree. But it's useful to find bugs and fix them in any case. Plus it demonstrates that PVS-Studio can be used to look for security issues.

Submission + - SPAM: PVS-Studio project - 10 years of failures and successes

Andrey_Karpov writes: Ten years ago, we created a simple utility called 'Viva64' intended to detect problems in 64-bit code. This is how PVS-Studio static code analyzer came into being. Although 10 years have passed, we only started doing something more or less 'worthy' as a company, just a few years ago. This article isn't a 'success story' because we think that the most interesting events are yet to come. However, 10 years is quite an occasion, and a good time to assess some of the results of our work, and to tell our readers how it all started, which errors we made, and what we finally did right. Perhaps, at times, I will be not very precise in the chronological description of the events. 10 years is a long period of time, and memory is not perfect.
Link to Original Source

Submission + - Search for bugs in C, C++ and C# on Windows and Linux (PVS-Studio Free)

An anonymous reader writes: PVS-Studio team want to help the software world improve the quality of their code, and get to know static analysis tools better. They are giving the opportunity to use PVS-Studio static code analyzer for free, for educational purposes, so that individual developers and enthusiastic teams could also fully use it.

Instruction: How to use PVS-Studio for Free.

P.S. PVS-Studio is a tool for bug detection in the source code of programs, written in C, C++ and C#. It works in Windows and Linux environment. Examples: bugs found in open source projects.

Submission + - How to find a bug in your Linux project

An anonymous reader writes: A team of developers of PVS-Studio analyzer that is designed to search for errors in programs written in C, C++ and C# has released a version of their tool for Linux. Previously there was a possibility to do the analysis of the projects only in Windows, now the support is added also for the second most popular platform.

PVS-Studio detects potential errors of three main groups: general analysis, optimizations and 64-bit issues. The diagnostic set of general analysis allows detecting logic errors, typos, code fragments, causing access violation, incorrect usage of algorithms from STL libraries and a lot more.

The new version of PVS-Studio for GNU/Linux OS, in addition to the native version of the analyzer, offers convenient variants of the integration to the projects, using CMake and QMake and the display of the analysis results in the QtCreator and CLion IDE. Also there is now a possibility to check any project that uses one of the compilers, supported by the analyzer, with the help of the universal compilation tracking system.

The distribution kit of the analyzer Linux version as an archive and deb/rpm packages is available at this link:

It is also necessary for the users to read a short instruction How to run PVS-Studio on Linux .

Submission + - Apparantly, soon we'll hear about a large number of bugs from the Linux world.

An anonymous reader writes: There are restless developers of PVS-Studio code analyzer. This is such a tool that will draw the attention of the programmer to those code fragments that most likely contain an error. We can say that this is kind of a virtual assistant that does the code review and warns if he doesn't like something. And does it quite successfully. For example, not so long ago the guys reported that they found more than 10000 bugs in open-source projects.

The main point of the news is in the following. Until recently, the PVS-Studio tool was only available to Windows developers. Although the authors have written several articles about the check of Linux projects as an experiment, that doesn't count. Now the distribution kit is available for Linux developers as well.

Those who are willing to try out the new tool can find it on the download page. Here you can read the information of how to check your project.

I think this event is quite important and interesting. Soon we will probably see a lot of mentioning of this product: how this tool will find another bug in a popular Linux project. On the website of the authors you may find their blog and Twitter where they will most likely describe those interesting moments, connected with the Linux version. They have quite a funny blog that can be called "Bugs, bugs are everywhere!" Their logo is hilarious, by the way.

Submission + - Chatbots, and how will Microsoft help us with this? (

El_programmer writes: Generally, a chatbot is a program that can imitate a meaningful dialogue with the user via text or speech in the language known to the user. The goal of such a dialogue, is often to answer the user requests and execute bot commands. Not being something substantially new, chatbots however, are positioned in the marketplace as a sort of know-how activity. Of course, the fuss created around such bots as smart and often an indispensable assistant for the users, plays a huge role.

Chat bots won't let you get bored while interacting with other users of Messenger, entertaining with a fresh joke or game; they can send the current weather forecast; help with ordering pizza; advise about healthy eating in response to a message about your weight and blood pressure; dialogue with you on legal services websites, simulating a real interlocutor; can ask you in a pleasant voice about your mood and, based on analysis of your response, select a musical composition on your smartphone; can easily cope with the role of a support service specialist of any service by e-mail. These are just a few small examples of what smart bots can do. There is also a separate group of corporate bots, solving important corporate tasks.

Like any new technology, chatbots are a logical development of the more familiar methods of communication with, and conveying of information to, an end-user: web sites, applications, push notifications, etc. This technology is attractive, first of all, due its end-user focus, integration into the final platform, ease of use, intellectualism, and friendliness.

Major IT players (primarily on the market of online communications) have already evaluated the potential and possible benefits of using chatbots in their solutions a long time ago. Bots in one form or another are used extensively in all popular messengers, Internet platforms, and mobile devices.

Microsoft is actively involved in the development, working in several directions: mobile assistant Cortana; not a very successful, but certainly an interesting experiment with a female bot. Tay on Twitter; a more successful experiment in China with a female bot Xiaoice (Sâois); bots for Skype; and finally, the Microsoft Bot Framework for creation and integration of its own bots into various platforms.

This overview article is devoted to the study of a trend which is growing rapidly in popularity in the IT industry — chatbots, and the role of Microsoft in their development process. The article will cover the history of chatbots, peculiar properties of bots, the main, and also some unexpected spheres of their application, perspectives and technology limits.

Submission + - Over 10000 bugs in various open source projects

Andrey_Karpov writes: In order to promote a static analysis methodology we regularly verify various open source projects. The bugs we found demonstrate that nobody is immune from misprints, inattention or other mistakes. Absolutely nobody, and we find confirmations to this point in such projects as Microsoft Code Contracts, Qt, Linux kernel, CryEngine, VirtualBox, LibreOffice, Firefox, Boost, Tor and so on. At the moment we inspected 262 projects. It's official! We found and logged 10000 bugs!

As a rule, we write an article when we find fairly large number of issues in a project. You may refer to the list of our articles using the link. If we find just a few issues, we report them to contributors of a project and get engaged with other matters.

Of course, 10000 issues in 262 projects is not too much. It makes 38 issues per project at an average. I should notice that indeed this amount does not mean anything. Code base and quality may vary from project to project. For example, in some projects we find just one issue, while other projects contain hundreds of issues.

It is time now to share a link to the logged errors:

Errors detected in Open Source projects

This collection of issues can be used as a unique data for thinking of coding standards development, writing articles about programming rules, and assist in other research on improving software reliability, for example, "The Last Line Effect". Wish you interesting findings.

Submission + - PVS-Studio Team: Analysis of PHP7

Andrey_Karpov writes: It's quite amusing to hear the news about new trending programming languages and the debates about the most useful ones. Nevertheless, C and C++ are still there, quietly doing their job. For example, PHP7 is written in C, so there is a cause to run the PVS-Studio analyzer and see which bugs can be found in the PHP Interpreter.

Submission + - SPAM: Code quality of a $10000 project

Andrey_Karpov writes: Sometimes you may see discussions on the topic of code quality — what is better — open or proprietary code In my personal opinion — there is no difference. I have seen a lot of source code — both open and closed. And there was no perfect software — all projects had good and bad fragments.

Which makes us write articles about the analysis of the projects. We use open source projects of course. Not so long ago we had a lucky chance to write about the code of closed software. Closed untill recently, to be more exact.

So, I suggest reading an article: Toonz code leaves mush to be desired

OpenToonz is a software for producing a 2D animation. It is based on the "Toonz" project, which was developed by Digital Video in Italy. Later it was customized by Studio Ghibli, and has now been used for creating its works for many years already. Besides the animation films, this project was also used for creation of computer games — Discworld, and Claw, for instance.

It should be noted that the price of the kit was about $10000.

This project was used to create such films as "Howl's Moving Castle", "Spirited Away", "Ponyo on the Cliff by the Sea" and a lot of other fantasy films. "Futurama" was also among them!

Comment Re:Oh, Karpov, you inveterate spammer... (Score 3, Interesting) 169

You may just say - hey this is me, psychonaut, I've banned viva64 on Wikipedia. Praise me for that. Because of me you won't see links to really helpful material on viva64.

For example, it's really not necessary for those who are interested in Precompiled header to know that there is a super useful article StdAfx.h. Burn it all! :)

Comment Re:Another one? (Score 1) 169

Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

Here are the articles about our project checks:

Here are the checks of C# projetcs:

Comment Re:Poor Practices by PVS Studio and HexRays (Score 1) 169

Perhaps, I didn't get you quite right. Could it be that you didn't read the article attentively enough? The things we write about aren't really nonsense. For example, we are aware what is strcpy and memcpy. At times we see that people read our article not very thoroughly and then start arguing. I'll provide such an example concerning memcpy - see Fragment N1 and the comments below. This is a completely different case, I've provided it to show that the readers should carefully look though the code examples we provide.

Slashdot Top Deals

An adequate bootstrap is a contradiction in terms.