
PVS-Studio vs Chromium

:
: 23.05.2011

. , Chromium. Chromium -
, PVS-Studio.

Chromium - - , Google

. Chromium Google Chrome. Chromium
Google Chrome, .
Chromium - (solution), 473 .

C/C++ 460 .
.
460 . ,
155 . , .
. Chromium
Chromium. ,
.
Chromium ,
PVS-Studio. Chromium
, . PVS-Studio ,
++ .
Chromium .
,
:

int XX[] = { 1, 2, 3, 4 };  // a genuine array: its bound is part of the type
size_t N = sizeof XX / sizeof *XX;  // element count = whole-array size / first-element size
:
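// Element count of a true array. The argument is parenthesized before
// indexing so that an expression argument (e.g. `p + 1`) is indexed as a
// whole. NOTE: applied to a pointer -- or to an array *parameter*, which
// has already decayed to a pointer -- this still compiles and silently
// yields sizeof(pointer)/sizeof(element), not the buffer length.
#define count_of(arg) (sizeof(arg) / sizeof((arg)[0]))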
. , ,
. ,
, .
:
// Shows where count_of() is valid: only on an expression whose static type
// is an array. C is written as `int C[3]` but, being a parameter, it is an
// `int*`; the bound is not part of its type.
void Test(int C[3])
{
int A[3];
int *B = Foo();
size_t x = count_of(A); // Ok: A is int[3], so sizeof(A)/sizeof(A[0]) == 3
x = count_of(B); // Error: B is a pointer; result is sizeof(int*)/sizeof(int), not the buffer length
x = count_of(C); // Error: C is a pointer as well (array parameters decay); same wrong result
}
count_of(A) A,
.
count_of() ,
. ,
count_of(B). .
, .
Miranda IM:
// Miranda IM: the same sizeof-division idiom as count_of().
#define SIZEOF(X) (sizeof(X)/sizeof(X[0]))
// `text` is an LPTSTR, i.e. a pointer, so SIZEOF(text) evaluates to
// sizeof(LPTSTR)/sizeof(TCHAR) -- a small constant -- and not the capacity
// of the buffer. The real capacity is the `text_size` parameter, which this
// call does not use. NOTE(review): whether the wrong size leads to a
// truncated result or to an overflow depends on printDateTime, not shown here.
int Cache_GetLineText(..., LPTSTR text, int text_size, ...)
{
...
tmi.printDateTime(pdnce->hTimeZone, _T("t"), text, SIZEOF(text), 0);
...
}

. , ,
:

// In C++ an array parameter such as `int C[3]` is adjusted to `int* C`;
// the bound is dropped from the type, so count_of(C) cannot work here.
void Test(int C[3])


{
x = count_of(C); // Error: C is really int*, so this is sizeof(int*)/sizeof(int)
}

++, 'C' ,
.
.
, ,
. :
// Taking the array by reference keeps the bound in the type: C is an
// int(&)[3], so sizeof(C) is the size of the whole array, and passing
// anything but an int[3] is a compile error.
void Test(int (&C)[3])
{
x = count_of(C); // Ok: evaluates to 3
}
With the array taken by reference, count_of(C) correctly yields 3.
Chromium. ,
. :
// Chromium's arraysize(): ArraySizeHelper is declared (never defined) to take
// a reference to an array of Count elements and to return a reference to
// char[Count]; sizeof() of that return type is therefore Count. Because
// Count can only be deduced from a real array type, passing a pointer is a
// compile error instead of a silently wrong value.
template <typename Elem, size_t Count>
char (&ArraySizeHelper(Elem (&)[Count]))[Count];
#define arraysize(arr) (sizeof(ArraySizeHelper(arr)))
. ArraySizeHelper
N.
N, 'char'. ,
. sizeof() ArraySizeHelper.
'arraysize' ArraySizeHelper .
, .
, , .
, 'count_of()'. ArraySizeHelper
, .
:
// Chromium's arraysize(): ArraySizeHelper is declared (never defined) to take
// a reference to an array of Count elements and to return a reference to
// char[Count]; sizeof() of that return type is therefore Count. Because
// Count can only be deduced from a real array type, passing a pointer is a
// compile error instead of a silently wrong value.
template <typename Elem, size_t Count>
char (&ArraySizeHelper(Elem (&)[Count]))[Count];
#define arraysize(arr) (sizeof(ArraySizeHelper(arr)))

// With arraysize(), the misuse that count_of() accepted silently is rejected
// at compile time: ArraySizeHelper only matches a reference to an array.
void Test(int C[3])


{
int A[3];
int *B = Foo();
size_t x = arraysize(A); // Ok: A is int[3], N is deduced as 3
x = arraysize(B); // compile error: B is int*, there is no array type to deduce N from
x = arraysize(C); // compile error: C is int* as well (array parameters decay)
}
. - ,
. ,
. Google.
, , .
// Deletes db_name, retrying once if the first attempt fails; only a second
// failure is reported and treated as an error. Both calls are identical, so
// the retry presumably assumes the first failure is transient rather than
// persistent. NOTE(review): there is no delay between the attempts, so the
// retry gives a transient condition almost no time to clear.
if (!file_util::Delete(db_name, false) &&
!file_util::Delete(db_name, false)) {
// Try to delete twice. If we can't, fail.
LOG(ERROR) << "unable to delete old TopSites file";
return false;
}
.
? . , , .
.
, - .
, , , .
. ,
, . ,
, .
, 1000 . .
, Sleep(0) .
PVS-Studio? Chromium, , ,
. ,
. , .
, , , . ?
. :
V512 A call of the 'memset' function will lead to underflow of the
buffer '(exploded)'. platform time_win.cc 116

// V512: `exploded` is a pointer, so sizeof(exploded) is the pointer size
// (4 or 8 bytes), not sizeof(Exploded). Only the first few bytes of the
// structure are zeroed; the rest keeps whatever was in memory before.
// The intended size is sizeof(*exploded).
// NOTE(review): any Exploded field that the elided body does not assign
// afterwards would carry uninitialized data back to the caller -- verify
// against the full function.
void NaCl::Time::Explode(bool is_local, Exploded* exploded) const {


...
ZeroMemory(exploded, sizeof(exploded));
...
}
The argument `exploded` is a pointer, so sizeof(exploded) is the size of a pointer rather than of the Exploded structure, and only its first few bytes are zeroed. The correct expression is sizeof(*exploded).

V502

Perhaps the '?:' operator works in a different way than it was

expected. The '?:' operator has a lower priority than the '-'
operator.

views

custom_frame_view.cc

400

// Declarations referenced by the PaintMaximizedFrameBorder excerpt below.
static const int kClientEdgeThickness;


int height() const;
bool ShouldShowClientEdge() const;

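// V502: '-' binds tighter than '?:', so the assignment below is parsed as
//   (titlebar_bottom->height() - ShouldShowClientEdge()) ? kClientEdgeThickness : 0
// i.e. edge_height is always either kClientEdgeThickness or 0, never
// "height minus thickness" as the layout of the expression suggests.
// (The '-' operator, named by the diagnostic, was missing from the page
// extraction and is restored here; the precedence bug is left as shown.)
void CustomFrameView::PaintMaximizedFrameBorder(gfx::Canvas* canvas) {
...
int edge_height = titlebar_bottom->height() - ShouldShowClientEdge() ? kClientEdgeThickness : 0;
...
}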
The "?:" operator has a lower precedence than '-', so the expression is evaluated as (titlebar_bottom->height() - ShouldShowClientEdge()) ? kClientEdgeThickness : 0, and edge_height is always either kClientEdgeThickness or 0. The correct code is:
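// Corrected form: parenthesizing the conditional makes the subtraction apply
// to the selected thickness. (The '-' operator is restored here; it was
// missing from the page extraction.)
int edge_height = titlebar_bottom->height() - (ShouldShowClientEdge() ? kClientEdgeThickness : 0);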

, .
V547

Expression 'count < 0' is always false. Unsigned type value

is never < 0.

ncdecode_tablegen

ncdecode_tablegen.c

197

// V547: `count` is size_t, so `count < 0` can never be true and the
// NaClFatal branch is dead code. Whatever bound this guard was meant to
// enforce (presumably count against *buffer_size) is not enforced at all.
// The function body continues past this excerpt.
static void CharAdvance(char** buffer, size_t* buffer_size,


size_t count) {
if (count < 0) { // always false for an unsigned type
NaClFatal("Unable to advance buffer by count!");
} else {
...
}
The "count < 0" check is always false, because count is of the unsigned type size_t; the NaClFatal branch is dead code and no bound on count is actually enforced here.
. , , ,
. ,
, .
, :
V511

The sizeof() operator returns size of the pointer, and not

of the array, in 'sizeof (salt)' expression.


visitedlink_common.cc

common

84

void MD5Update(MD5Context* context, const void* buf, size_t len);

// V511: `salt` is declared as an array parameter, so it is really a
// `const uint8*`; sizeof(salt) is the pointer size (4 or 8), not
// LINK_SALT_LENGTH. Only that many leading bytes of the salt enter the
// hash, so the salt's contribution to the fingerprint is much smaller than
// its declared length suggests. The real length is LINK_SALT_LENGTH.
VisitedLinkCommon::Fingerprint
VisitedLinkCommon::ComputeURLFingerprint(
...
const uint8 salt[LINK_SALT_LENGTH])
{
...
MD5Update(&ctx, salt, sizeof(salt)); // hashes sizeof(pointer) bytes, not the whole salt
...
}
MD5Update() is passed sizeof(salt), but salt is a pointer parameter, so only the first 4 or 8 bytes of the salt are hashed instead of LINK_SALT_LENGTH bytes.
? - .
-
.
One correct variant is:

// One fix: derive the byte count from LINK_SALT_LENGTH instead of sizeof() of a pointer.
MD5Update(&ctx, salt, sizeof(salt[0]) * LINK_SALT_LENGTH);


Another variant, which also turns a wrong-sized salt into a compile error, is:
// Alternative fix: take the salt by reference to an array. sizeof(salt) is
// then the size of the whole array, and a caller passing a pointer or an
// array of another length gets a compile error instead of a short hash.
VisitedLinkCommon::Fingerprint
VisitedLinkCommon::ComputeURLFingerprint(
...
const uint8 (&salt)[LINK_SALT_LENGTH])
{
...
MD5Update(&ctx, salt, sizeof(salt)); // now LINK_SALT_LENGTH bytes
...
}

:
V501

There are identical sub-expressions 'host !=

buzz::XmlConstants::str_empty ()' to the left and to the right of the


'&&' operator.

chromoting_jingle_glue

iq_request.cc

248

// V501: both operands of && test `host`, so port_str is never checked and
// the body runs even when the port attribute is empty. The function
// continues past this excerpt.
void JingleInfoRequest::OnResponse(const buzz::XmlElement* stanza) {


...
std::string host = server->Attr(buzz::QN_JINGLE_INFO_HOST);
std::string port_str = server->Attr(buzz::QN_JINGLE_INFO_UDP);
if (host != buzz::STR_EMPTY && host != buzz::STR_EMPTY) { // second operand should test port_str
...
}
The second operand should test port_str:
// Intended condition: each operand checks a different attribute.
if (host != buzz::STR_EMPTY && port_str != buzz::STR_EMPTY) {

:
V530

The return value of function 'empty' is required to be utilized.

chrome_frame_npapi

np_proxy_service.cc

293

// V530: std::string::empty() is a const query, not a reset; its result is
// discarded here, so *output is left as the caller passed it. The intended
// call is output->clear().
bool NpProxyService::GetProxyValueJSONString(std::string* output) {


DCHECK(output);
output->empty(); // no effect -- should be output->clear()
...
}
The intended call is output->clear(); empty() only reports whether the string is empty, and here its result is discarded.

:
V522

Dereferencing of the null pointer 'plugin_instance' might take

place. Check the logical condition.


chrome_frame_npapi.cc

chrome_frame_npapi

517

// V522: when plugin_instance is null, the left operand of && is true and
// the right operand dereferences the null pointer; when it is non-null the
// condition is false and nothing is checked. The guard therefore never
// protects and crashes in exactly the case it was written for. The intended
// test is presumably `!plugin_instance || !plugin_instance->automation_client_.get()`.
bool ChromeFrameNPAPI::Invoke(...)
{
ChromeFrameNPAPI* plugin_instance =
ChromeFrameInstanceFromNPObject(header);
if (!plugin_instance && (plugin_instance->automation_client_.get())) // null deref when !plugin_instance
return false;
...
}

, :
V547

Expression 'current_idle_time < 0' is always false. Unsigned

type value is never < 0.

browser

idle_win.cc

23

// V547: current_idle_time is a DWORD (unsigned), so it can never be
// negative and the INT_MAX clamp below is dead code. The comment above the
// check describes a wrap-around that this comparison cannot detect; if the
// value is later used as a signed quantity, the clamp has to be applied to
// that signed view instead.
IdleState CalculateIdleState(unsigned int idle_threshold) {


...
DWORD current_idle_time = 0;
...

// Will go -ve if we have been idle for a long time (2gb seconds).
if (current_idle_time < 0) // always false: DWORD is unsigned
current_idle_time = INT_MAX;
...
}

, . , .
, Chromium. :
V554

Incorrect use of auto_ptr. The memory allocated with 'new []'

will be cleaned using 'delete'.


accessibility_win_browsertest.cc

interactive_ui_tests
306

// V554: auto_ptr releases its pointee with `delete`, but the buffer was
// allocated with `new[]`; a mismatched new[]/delete pair is undefined
// behavior. An array-aware owner (e.g. std::vector<VARIANT>) is the fix.
void AccessibleChecker::CheckAccessibleChildren(IAccessible* parent) {


...
auto_ptr<VARIANT> child_array(new VARIANT[child_count]); // will run `delete` on a `new[]` buffer
...
}

, Chromium.
, Chromium.
. , ,
. ( ICU):
V547 Expression '* string != 0 || * string != '_'' is always true.
Probably the '&&' operator should be used here.

icui18n ucol_sit.cpp

242

// V547: `*string != 0 || *string != '_'` holds for every character (no
// value equals both 0 and '_'), so whenever i == locElementCapacity the
// status is unconditionally set to U_BUFFER_OVERFLOW_ERROR. The diagnostic
// suggests joining the tests with &&; the rewrite proposed in the text is
// `(*string == 0 || *string == '_')`. Which one is right depends on the
// surrounding logic, which is elided here.
U_CDECL_BEGIN static const char* U_CALLCONV


_processVariableTop(...)
{
...
if(i == locElementCapacity && (*string != 0 || *string != '_')) { // right-hand operand is always true

*status = U_BUFFER_OVERFLOW_ERROR;
}
...
}
The expression "(*string != 0 || *string != '_')" is always true, since no character equals both 0 and '_'. The condition was probably meant to be: (*string == 0 || *string == '_').

PVS-Studio . Chromium - ,
. Chromium. ,
, . ,
460 , , ,
.

P.S.
: Chromium ? ,
. ,
. Chromium Miranda IM Ultimate Toolbox.
,
. .
Chromium, ,
. ,
PVS-Studio. Google
.

P.P.S.
, . , FlylinkDC++.
.