Hypercritical C++ Code Review

Hypercritical C++ Code Review
Yuri Minaev
minev@viva64.com

2
A C++ developer at PVS-
Studio.
Working on the core
functionality and diagnostic
rules of the C/C++ static code
analyzer.
About me

3
• We all do code reviews
• Who doesn't admit this – does it twice as often
• It's ok, nobody's gonna blame you
• Just make sure, you take precautions
What is this about?

4
• We all do code reviews
• Who doesn't admit this –
does it twice as often
• It's ok, nobody's gonna blame
you
• Just make sure, you take
precautions
What are you talking about?

6
void foo(const std::vector<....> &vec)
{
for (auto i = 0; i < vec.size(); ++i)
{
// do some magic with vec[i]
}
}
int i = 0;

7
{
{
}
}
Bad for x64

8
{
{
}
} Signed/unsigned
mixup

9
{
for (size_t i = 0; i < vec.size(); ++i)
{
}
}
Better

10
{
for (auto i = 0ull; i < vec.size(); ++i)
{
}
}
128-bit systems, anyone?

11
{
for (auto&& item : vec)
{
// do some magic with item
}
}
Look, I fixed it

13
auto other =
static_cast<const Self &>(rhs_);
const T &a = data[n];
const T &b = other.data[m];
// Do stuff
:(

14
auto& other =
// Do stuff
Look, I fixed it

15
decltype(auto) other =
// Do stuff
If you're really into it

16
Thou shalt not auto, unless thy faith is strong and
pure

19
using V = std::vector<....>;
void vector_inc(V &v)
{
for (size_t i = 0; i < v.size(); i++)
{
v[i]++;
}
}

20
for (size_t i = 0; i < v.size(); i++)
{
v[i]++;
}
std::vector<uint32_t> &v;
std::vector<uint8_t> &v;
Which is faster?

21
Let's benchmark, shall we?
Compiler Element -O1 -O2 -O3
gcc 8 uint8_t 2.0 2.0 2.0
gcc 8 uint32_t 2.3 1.3 0.2
clang 8 uint8_t 9.2 2.0 2.0
clang 8 uint32_t 9.2 0.2 0.2

25
// using V = std::vector<uint8_t>;
auto it = v.begin();
const auto end = v.end();
for (; it != end; ++it)
{
++(*it);
}

27
One more (with uint8_t)
Compiler Before (-O2) After (-O2) Speedup
gcc 8 2.0 1.3 1.5x
clang 8 2.0 0.06 33.4x

28
auto it = v.begin();
const auto end = v.end();
for (; it != end; ++it)
{
++(*it);
}
Does it remind you of anything?

29
for (auto&& elem : v)
{
++elem;
}
How about this?

31
Thou shalt not write indexed loops for they are
abomination before the Code

34
void InputPassword(char *pswd);
void ProcessPassword(const char *pswd);
void DoSomething()
{
char password[MAX_PASSWORD_LEN];
InputPassword(password);
ProcessPassword(password);
memset(password, 0, sizeof(password));
}

35
What does the compiler say?
clang 10 with –O2

37
• Custom safe_memset + disabled LTO/WPO
• Access a non-volatile object through a volatile pointer
• Call memset through a volatile function pointer
• Volatile assembly code
• Memset + memory barrier
• Disable compiler optimisations (-fno-builtin-memset)
• C11: memset_s
So, what can you do?

38
Thou shalt wash thy data thoroughly before releasing
it

40
if (!fgets(readbuf, BUFSIZ, stdin))
{
// ....
}
if(readbuf[strlen(readbuf) - 1] == 'n')
readbuf[strlen(readbuf) - 1] = '0';
CVE-2015-8948

41
if (!fgets(readbuf, BUFSIZ, stdin))
{
// ....
}
if(readbuf[strlen(readbuf) - 1] == 'n')
readbuf[strlen(readbuf) - 1] = '0';
Put an empty line here
This goes BOOM

42
if (getline(&line, &linelen, stdin)
== -1)
{
// ....
}
if(line[strlen(line) - 1] == 'n')
line[strlen(line) - 1] = '0';
Look, I fixed it

43
== -1)
{
// ....
}
CVE-2016-6262

44
== -1)
{
// ....
}
Put an empty line here
This goes BOOM

45
Thou shalt not accept data from strangers for they
might be sinful

47
void Init( float ix=0, float iy=0,
float iz=0, float iw=0 )
{
SetX( ix );
SetY( iy );
SetZ( iz );
SetZ( iw );
}
SetW( iw );

48
if (access & FILE_WRITE_ATTRIBUTES)
output.append("tFILE_WRITE_ATTRIBUTESn");
if (access & FILE_WRITE_DATA)
output.append("tFILE_WRITE_DATAn");
if (access & FILE_WRITE_EA)
output.append("tFILE_WRITE_EAn");
if (access & FILE_WRITE_EA)
output.append("tFILE_WRITE_EAn");
Same blocks

49
if (
protocol.EqualsIgnoreCase("http") ||
protocol.EqualsIgnoreCase("https") ||
protocol.EqualsIgnoreCase("news") ||
protocol.EqualsIgnoreCase("ftp") ||
protocol.EqualsIgnoreCase("file") ||
protocol.EqualsIgnoreCase("javascript") ||
protocol.EqualsIgnoreCase("ftp")
) {
Double checking

50
Thou shalt not copy-paste thy code blocks

52
Have Spaceship, Will Travel
<=>

53
struct Foo
{
int a, b;
};
bool operator==(Foo lhs, Foo rhs)
{
return lhs.a == rhs.a
&& lhs.b == rhs.b;
}

54
struct Foo
{
int a, b;
};
bool operator!=(Foo lhs, Foo rhs)
{
return !(lhs == rhs);
}
bool operator==(Foo lhs, Foo rhs)
{
return lhs.a == rhs.a && lhs.b == rhs.b;
}
So far so good

55
bool operator<(Foo lhs, Foo rhs) { ??? }
bool operator<=(Foo lhs, Foo rhs) { ??? }
bool operator>(Foo lhs, Foo rhs) { ??? }
bool operator>=(Foo lhs, Foo rhs) { ??? }
How about these?

56
bool operator<(Foo lhs, Foo rhs)
{
return lhs.a < rhs.a
&& lhs.b < rhs.b;
}
So far so good

57
{
return lhs.a < rhs.a
&& lhs.b < rhs.b;
}
Foo { 2, 1 } < Foo { 1, 2 }
Foo { 1, 2 } < Foo { 2, 1 }
false
false

58
{
if (lhs.a < rhs.a) return true;
if (rhs.a < lhs.a) return false;
return lhs.b < rhs.b;
}
Foo { 2, 1 } < Foo { 1, 2 }
Foo { 1, 2 } < Foo { 2, 1 }
false
true

59
struct Foo
{
double a;
};
{
return lhs.a < rhs.a;
}
bool operator>=(Foo lhs, Foo rhs)
{
return !(lhs < rhs);
}

60
Foo { 1.0 } < Foo { 2.0 }
Foo { 1.0 } < Foo { NaN }
true
false
{
return lhs.a < rhs.a;
}
bool operator>=(Foo lhs, Foo rhs)
{
return !(lhs < rhs);
}
Foo { 1.0 } >= Foo { NaN } true

61
So, what shall we do?
struct Foo
{
// anything
auto operator<=>(const Foo &rhs) const = default;
};

62
Foo { 1.0 } < Foo { 2.0 }
Foo { 1.0 } < Foo { NaN }
true
false
struct Foo
{
// anything
auto operator<=>(const Foo &rhs) const = default;
};
Foo { 1.0 } >= Foo { NaN } false
Foo { 2, 1 } < Foo { 1, 2 }
Foo { 1, 2 } < Foo { 2, 1 }
false
true

64
const Ptree* pIf =
IsA(p, ntIfStatement, ntSwitchStatement)
? p
: IsA(First(p),
ntIfStatement, ntSwitchStatement)
&& ContainsNoReturnStatements(First(p))
? First(p)
: nullptr;

65
const Ptree* pIf =
IsA(p, ntIfStatement, ntSwitchStatement)
? p
: IsA(First(p),
ntIfStatement, ntSwitchStatement)
&& ContainsNoReturnStatements(First(p))
? First(p)
: nullptr;

66
Thy comparison routines shall be correct or else the
Wrath of Code will get thee

68
struct G584_Info
{
G584_Info(/*A bunch of params*/)
{/**/}
const Ptree *m_p;
bool m_add, m_mul;
bool m_sub, m_div;
};

69
auto what = p->What();
if (what == ntParenExpr)
{
// infs is std::vector<G584_Info>&
infs.push_back(
G584_Info(p, true, true, false, false)
);
p = SafeSkipParentesis(p);
} Possible copy

70
auto what = p->What();
if (what == ntParenExpr)
{
// infs is std::vector<G584_Info>&
infs.emplace_back(
p, true, true, false, false
);
p = SafeSkipParentesis(p);
} Better

71
struct G584_Info
{
G584_Info(/*A bunch of params*/)
{/**/}
const Ptree *m_p;
bool m_add, m_mul;
bool m_sub, m_div;
};
emplace_back this?
yes, since C++20

72
Thou shalt not push that which can be emplaced

74
auto&& infoMap = GetFunctionDangerousInfoMap();
auto it = infoMap.find(funcInfo);
if (it == infoMap.end())
{
infoMap.insert(
std::make_pair(funcInfo, dangerousInfo));
}
else
{
auto&& a = it->second;
}
Here we go again

75
{
infoMap.emplace(funcInfo, dangerousInfo);
}
else
{
}
Better?

76
{
infoMap.emplace(funcInfo,
dangerousInfo);
}
else
{
} Double lookup

77
if (auto [it, success] =
infoMap.try_emplace(funcInfo,
dangerousInfo);
!success)
{
}
Look, I fixed it

78
Thou shalt search only once

81
gcc is <ILLEGIBLE> broken
As I understand it, those <BEEP>ing <BAD PEOPLE>
decided to <ILLEGIBLE> break everything again. It
worked before and now it's broken.
For example, dropping the sign (a & 0x7fffffff)
doesn't <BLEEP>ing work, and nothing works no
more.
They always <FLIP>ing break everything, those
<CENSORED>s. Take your <WEEP>ing UB and <...>

82
int foo(const char *s)
{
int r = 0;
while (*s)
{
r += ((r * 20891 + *s * 200)
| *s ^ 4 | *s ^ 3 )
^ (r >> 1);
s++;
}
return r & 0x7fffffff;
}
Signed
Overflow
Drop the sign

83
foo(char const*):
movzx edx, BYTE PTR [rdi]
test dl, dl
je .L4
xor esi, esi
.L3:
; lots of calculations
jne .L3
mov eax, esi
and eax, 2147483647
ret
.L4:
xor eax, eax
ret
Drop the sign

84
int foo(const char *s)
{
int r = 0;
while (*s)
{
r += ((r * 20891 + *s * 200)
| *s ^ 4 | *s ^ 3 )
^ (r >> 1);
s++;
}
return r & 0x7fffffff;
}
gcc -O2 -std=c++17 -funsigned-char

85
foo(char const*):
movzx edx, BYTE PTR [rdi]
xor r8d, r8d
test dl, dl
je .L1
.L3:
; lots of calculations
jne .L3
.L1:
mov eax, r8d
ret
Oops

86
Thou shalt not cook signed values with overflow
semantics

87
Throwing Out
noexcept(BOOM)

88
void func() noexcept
{
// ....
throw SomeException{};
}
This is REALLY bad

89
void func() noexcept
{
anotherFunc();
}
This is also REALLY bad
void anotherFunc()
{
throw SomeException{};
}

90
Not noexcept, but implies so
DllMain

91
BOOL WINAPI DllMain(/**/)
{
BOOL br = TRUE;
// ....
if (FAILED(DllRegisterServer()))
br = FALSE;
// ....
return br;
}

92
{
BOOL br = TRUE;
// ....
br = FALSE;
// ....
return br;
}
PVS-Studio: don't throw from
DllMain, mate

93
{
BOOL br = TRUE;
// ....
br = FALSE;
// ....
return br;
}
PVS-Studio: don't throw from
DllMain, mate
Me: LOLWUT?

94
• Part of Window API
• Essentially, written in C
• Related to COM
• Doesn't throw
DllRegisterServer
Looks buggy
Or does it?

95
HRESULT WINAPI DllRegisterServer(VOID)
{
// ....
hr = ::RegOpenKeyEx(/**/);
// ....
DllGetObjectInfo(/**/);
// ....
hr = ::RegSetValueEx(/**/);
// ....
RegCloseKey(hk);
}
These don't throw

96
HRESULT WINAPI DllGetObjectInfo(/**/)
{
// ....
hr = DllGetObject(/**/);
if (SUCCEEDED(hr))
{
// ....
delete pPlugin;
}
// ....
}

97
HRESULT WINAPI DllGetObject(
DWORD dwPluginId,
IShellPlugin **ppPlugin)
{
// ....
*ppPlugin = new CCommandPlugin;
// ....
}

98
He who is without noexcept shall throw, and none
other

Hypercritical C++ Code Review

More Related Content

What's hot (19)

Similar to Hypercritical C++ Code Review (20)

More from Andrey Karpov (20)

Recently uploaded (20)

Hypercritical C++ Code Review