Just in case, I want to remind you that the article describes only some of the suspicious places in the code. Analyzing the full PVS-Studio report is a huge task, and it is better performed by the developers themselves. I will now cite some additional suspicious fragments from Chromium and its libraries:
Code:
V564 The '&' operator is applied to bool type value. You've probably forgotten to include parentheses or intended to use the '&&' operator. base platform_file_win.cc 216
#define FILE_ATTRIBUTE_DIRECTORY 0x00000010
// Writes file metadata into *info; this excerpt shows only the is_directory
// assignment.
bool GetPlatformFileInfo(PlatformFile file, PlatformFileInfo* info) {
...
// NOTE(review): '!=' binds tighter than '&', so this is evaluated as
// dwFileAttributes & (FILE_ATTRIBUTE_DIRECTORY != 0), i.e. dwFileAttributes & 1.
// It tests bit 0 instead of the 0x10 directory bit, so is_directory does not
// reflect whether the handle refers to a directory. Intended form:
//   (file_info.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0
info->is_directory =
file_info.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY != 0;
...
}
-----------------------------------------
V503 This is a nonsensical comparison: pointer < 0. browser profile_impl.cc 169
// Parses a cache-size value into *max_size, resetting it to 0 when parsing
// fails (only the size handling is shown in this excerpt).
void GetCacheParameters(ContextType type, FilePath* cache_path,
int* max_size) {
...
*max_size = 0;
if (!base::StringToInt(value, max_size)) {
*max_size = 0;
// NOTE(review): max_size is an int*, so this compares the pointer itself with
// 0 and never fires. A negative parsed value is therefore NOT clamped to 0.
// The intended check is '*max_size < 0'.
} else if (max_size < 0) {
*max_size = 0;
}
...
}
-----------------------------------------
V511 The sizeof() operator returns size of the pointer, and not of the array, in 'sizeof (salt)' expression. browser visitedlink_master.cc 968
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'salt_'. browser visitedlink_master.cc 968
// Member that is meant to hold a private copy of the link salt.
uint8 salt_[LINK_SALT_LENGTH];
// Constructs a TableBuilder for |master| and copies |salt| into salt_.
VisitedLinkMaster::TableBuilder::TableBuilder(
VisitedLinkMaster* master,
const uint8 salt[LINK_SALT_LENGTH])
: master_(master),
success_(true) {
fingerprints_.reserve(4096);
// NOTE(review): an array parameter decays to a pointer, so sizeof(salt) is
// sizeof(const uint8*) (4 or 8 bytes), not LINK_SALT_LENGTH. If
// LINK_SALT_LENGTH is larger than a pointer, only the first bytes of the salt
// are copied and the rest of salt_ is not written here, which weakens any
// value derived from the salt. Use sizeof(salt_) or LINK_SALT_LENGTH instead.
memcpy(salt_, salt, sizeof(salt));
}
-----------------------------------------
V530 The return value of function 'empty' is required to be utilized. chrome_frame_ie protocol_sink_wrap.cc 399
// URL string member updated by ReportProgress on redirect.
std::wstring url_;
// Handles a progress notification; this excerpt shows only the
// BINDSTATUS_REDIRECTING case, which replaces url_ with |status_text|.
HRESULT ProtData::ReportProgress(IInternetProtocolSink* delegate,
ULONG status_code, LPCWSTR status_text) {
...
case BINDSTATUS_REDIRECTING:
// NOTE(review): empty() only reports whether the string is empty and the
// result is discarded; it does not modify url_. clear() was presumably
// intended. As written, a redirect with a null status_text leaves the
// previous URL in url_.
url_.empty();
if (status_text)
url_ = status_text;
break;
...
}
-----------------------------------------
V554 Incorrect use of auto_ptr. The memory allocated with 'new []' will be cleaned using 'delete'. interactive_ui_tests accessibility_win_browsertest.cc 171
// Test helper; this excerpt shows only the allocation of the VARIANT array.
void AccessibleContainsAccessible(...)
{
...
// NOTE(review): auto_ptr releases its pointer with scalar 'delete', but the
// memory comes from 'new[]'. Mismatched new[]/delete is undefined behaviour.
// Own the array with an array-aware holder such as std::vector<VARIANT>.
auto_ptr<VARIANT> child_array(new VARIANT[child_count]);
...
}
-----------------------------------------
V540 Member 'lpstrFilter' should point to string terminated by two 0 characters. test_shell_common test_shell_win.cc 643
// Fills an OPENFILENAME structure for a save-file prompt; only the filter
// setup is shown in this excerpt.
bool TestShell::PromptForSaveFile(const wchar_t* prompt_title,
FilePath* result) {
...
OPENFILENAME info = {0};
...
// NOTE(review): lpstrFilter must point to a list of null-terminated
// description/pattern string pairs that ends with an extra null character.
// L"*.txt" carries a single terminator, so the dialog code reads past the end
// of the literal while looking for the pattern and the final terminator.
// A well-formed value looks like L"Text Files\0*.txt\0".
info.lpstrFilter = L"*.txt";
...
}
-----------------------------------------
V517 The use of 'if (A) {...} else if (A) {...}' pattern was detected. There is a probability of logical error presence. Check lines: 800, 808. icui18n msgfmt.cpp 800
// Appends pattern text to |appendTo|; this excerpt shows two branches of a
// longer if/else-if chain that matches formatAlias against default templates.
UnicodeString&
MessageFormat::toPattern(UnicodeString& appendTo) const {
...
else if (formatAlias == *defaultTimeTemplate) {
appendTo += ID_TIME;
}
...
// NOTE(review): same condition as the earlier branch in this chain, so this
// branch is unreachable and the ID_TIME + COMMA + ID_MEDIUM form is never
// emitted. Presumably a different template was meant to be compared here;
// which one cannot be determined from this excerpt.
else if (formatAlias == *defaultTimeTemplate) {
appendTo += ID_TIME;
appendTo += COMMA;
appendTo += ID_MEDIUM;
}
...
}
And here:
V517 The use of 'if (A) {...} else if (A) {...}' pattern was detected. There is a probability of logical error presence. Check lines: 777, 785. icui18n msgfmt.cpp 777
-----------------------------------------
V501 There are identical sub-expressions to the left and to the right of the '&&' operator: !has_audio &&!has_audio libjingle_p2p sessionmessages.cc 308
// Looks up audio and video content entries before parsing transport infos
// (only the lookup and the guard are shown; the function continues past this
// excerpt).
bool ParseGingleTransportInfos(...)
{
...
bool has_audio = FindContentInfoByName(contents, CN_AUDIO) != NULL;
bool has_video = FindContentInfoByName(contents, CN_VIDEO) != NULL;
// NOTE(review): has_audio is tested twice and has_video is never read, so a
// message with video but no audio takes the "neither present" branch.
// Presumably '!has_audio && !has_video' was intended.
if (!has_audio && !has_audio) {
...
}
-----------------------------------------
V517 The use of 'if (A) {...} else if (A) {...}' pattern was detected. There is a probability of logical error presence. Check lines: 353, 355. libwebp frame.c 353
/* Reconstructs a block; this excerpt shows only the per-sub-block transform
 * selection based on the non_zero_ bit mask. */
void VP8ReconstructBlock(VP8Decoder* const dec) {
...
if (dec->non_zero_ & (1 << n)) {
VP8Transform(coeffs + n * 16, dst);
/* NOTE(review): identical condition to the 'if' above, so this branch can
 * never run and VP8TransformDC is never called from here. The condition
 * that should select the DC-only path is not visible in this excerpt. */
} else if (dec->non_zero_ & (1 << n)) {
VP8TransformDC(coeffs + n * 16, dst);
}
...
}
-----------------------------------------
V501 There are identical sub-expressions 'sub->negNsSet->value' to the left and to the right of the '==' operator. libxml xmlschemas.c 13949
/* Schema subset check; this excerpt shows only the negated-namespace-set
 * comparison, which returns 0 when it matches. */
static int
xmlSchemaCheckCOSNSSubset(...)
{
...
/* NOTE(review): the last operand compares sub->negNsSet->value with itself,
 * which is always true. The check therefore returns 0 whenever both
 * negNsSet pointers are non-NULL, regardless of their values. Presumably
 * 'sub->negNsSet->value == super->negNsSet->value' was intended. */
if ((sub->negNsSet != NULL) &&
(super->negNsSet != NULL) &&
(sub->negNsSet->value == sub->negNsSet->value))
return 0;
...
}
-----------------------------------------
V501 There are identical sub-expressions 'ir1->operands [0]->type->is_matrix ()' to the left and to the right of the '||' operator. mesa ir_algebraic.cpp 189
// Returns false early when an operand is a matrix; only that guard is shown
// in this excerpt.
bool
ir_algebraic_visitor::reassociate_constant(...)
{
...
// NOTE(review): ir1->operands[0] and ir2->operands[1] are each tested twice,
// while ir1->operands[1] and ir2->operands[0] are never tested. Presumably
// all four operands were meant to be checked - confirm against the caller.
if (ir1->operands[0]->type->is_matrix() ||
ir1->operands[0]->type->is_matrix() ||
ir2->operands[1]->type->is_matrix() ||
ir2->operands[1]->type->is_matrix())
return false;
...
}
-----------------------------------------
V501 There are identical sub-expressions to the left and to the right of the '&&' operator: width > 0 && height > 0 && height > 0 mesa teximage.c 2801
/* 3D texture sub-image entry point; this excerpt shows only the non-empty
 * region guard (the function continues past this excerpt). */
void GLAPIENTRY
_mesa_TexSubImage3D(...)
{
...
/* NOTE(review): 'height > 0' is tested twice. For a 3D sub-image the third
 * dimension was presumably meant to be checked as well, so a zero or
 * negative value in that dimension is not rejected by this guard. */
else if (width > 0 && height > 0 && height > 0) {
...
}
-----------------------------------------
V547 Expression 'input.len < 0' is always false. Unsigned type value is never < 0. nss pk11merge.c 491
/* Item structure; only the unsigned length field is shown. */
struct SECItemStr {
...
unsigned int len;
};
/* Secret-key merge routine; this excerpt shows only the length check on
 * |input|. */
static SECStatus
pk11_mergeSecretKey(...)
{
...
/* NOTE(review): len is unsigned int, so 'input.len < 0' is always false and
 * this failure path is dead code. It performs no validation of the length;
 * if a failed or empty read was meant to be rejected, the condition has to
 * test something else (for example a status code or len == 0 - confirm
 * against the code that fills |input|). */
if (input.len < 0) {
rv = SECFailure;
goto done;
}
...
}
-----------------------------------------
V564 The '&' operator is applied to bool type value. You've probably forgotten to include parentheses or intended to use the '&&' operator. nss secasn1u.c 121
/* Reports whether an ASN.1 template is "simple"; this excerpt shows only the
 * early return for templates that are not a CHOICE. */
PRBool SEC_ASN1IsTemplateSimple(const SEC_ASN1Template *theTemplate)
{
...
/* NOTE(review): '!' binds tighter than '&', so this evaluates
 * (!theTemplate->kind) & SEC_ASN1_CHOICE. The left side is only 0 or 1, so
 * the CHOICE bit of 'kind' is never actually tested. Intended form:
 * !(theTemplate->kind & SEC_ASN1_CHOICE) */
if (!theTemplate->kind & SEC_ASN1_CHOICE) {
return PR_FALSE; /* no choice means not simple */
}
...
}
-----------------------------------------
V502 Perhaps the '?:' operator works in a different way than it was expected. The '?:' operator has a lower priority than the '+' operator. ots gdef.cc 278
// Flag read by ots_gdef_parse when computing the header end.
bool version_2;
// GDEF table parser; this excerpt shows only the header-end computation.
bool ots_gdef_parse(...)
{
...
// NOTE(review): '+' binds tighter than '?:', so this is parsed as
// (8 + gdef->version_2) ? 2 : 0. The condition is always non-zero, so
// gdef_header_end is always 2 instead of 8 or 10. Any later check that relies
// on gdef_header_end (not shown here) works with the wrong value.
// Intended form: 8 + (gdef->version_2 ? 2 : 0).
const unsigned gdef_header_end = static_cast<unsigned>(8) +
gdef->version_2 ? static_cast<unsigned>(2) : static_cast<unsigned>(0);
...
}
-----------------------------------------
V501 There are identical sub-expressions 'kKeep_StencilOp == fFrontFailOp' to the left and to the right of the '&&' operator. skia grstencil.h 159
// Returns true when the pass ops and fail op equal kKeep_StencilOp and both
// functions equal kAlways_StencilFunc.
// NOTE(review): 'kKeep_StencilOp == fFrontFailOp' appears twice. Front/back
// pairs are checked for the pass op and the function, so the back-face
// counterpart of fFrontFailOp was presumably intended in one of the two lines;
// as written the back-face fail op is never examined.
bool isDisabled() const {
return kKeep_StencilOp == fFrontPassOp &&
kKeep_StencilOp == fBackPassOp &&
kKeep_StencilOp == fFrontFailOp &&
kKeep_StencilOp == fFrontFailOp &&
kAlways_StencilFunc == fFrontFunc &&
kAlways_StencilFunc == fBackFunc;
}
-----------------------------------------
V501 There are identical sub-expressions 'x >= 0' to the left and to the right of the '&&' operator. webcore_platform feconvolvematrix.cpp 289
// Returns the offset (y * width + x) << 2 for a pixel that passes the bounds
// guard; the handling of out-of-range coordinates is elided in this excerpt.
ALWAYS_INLINE int
FEConvolveMatrix::getPixelValue(PaintingData& paintingData, int x, int y)
{
// NOTE(review): 'x >= 0' is tested twice and 'y >= 0' never. A negative y
// passes this guard and produces a negative offset, which would address
// memory before the start of whatever buffer the caller indexes (caller not
// shown). The third operand should be 'y >= 0'.
if (x >= 0 && x < paintingData.width && x >= 0 && y < paintingData.height)
return (y * paintingData.width + x) << 2;
...
}
-----------------------------------------
V501 There are identical sub-expressions '(bStart >= aStart && bStart <= aEnd)' to the left and to the right of the '||' operator. webcore_remaining spatialnavigation.cpp 236
// This method checks if |start| and |dest| have a partial intersection, either
// horizontally or vertically.
// * a = Current focused node's rect.
// * b = Focus candidate node's rect.
// Returns true when b's start, middle or end coordinate along |direction|
// lies within [aStart, aEnd].
static bool areRectsPartiallyAligned(FocusDirection direction, const IntRect& a, const IntRect& b)
{
int aStart = start(direction, a);
int bStart = start(direction, b);
int bMiddle = middle(direction, b);
int aEnd = end(direction, a);
int bEnd = end(direction, b);
// Picture of the partially aligned logic:
//
// Horizontal Vertical
// ********************************
// * _ * _ _ _ *
// * |_| * |_|_|_| *
// * |_|.... _ * . . *
// * |_| |_| * . . *
// * |_|....|_| * ._._ _ *
// * |_| * |_|_|_| *
// * |_| * *
// * * *
// ********************************
//
// ... and variants of the above cases.
// NOTE(review): the first and second disjuncts are identical, and so are the
// third and fifth. The duplicates do not change the result, but they suggest
// copy-paste: a different comparison may have been intended in their place.
// Confirm the intended set of cases before removing them.
return ((bStart >= aStart && bStart <= aEnd)
|| (bStart >= aStart && bStart <= aEnd)
|| (bEnd >= aStart && bEnd <= aEnd)
|| (bMiddle >= aStart && bMiddle <= aEnd)
|| (bEnd >= aStart && bEnd <= aEnd));
}
-----------------------------------------
V501 There are identical sub-expressions 'cy ().isRelative ()' to the left and to the right of the '||' operator. webcore_svg svgradialgradientelement.cpp 253
// Returns true if any of the checked gradient lengths is relative.
// NOTE(review): cy() is tested twice. A radial gradient also has a cx
// attribute, so the first operand was presumably meant to be cx().isRelative();
// as written a relative cx alone would not be detected.
bool SVGRadialGradientElement::selfHasRelativeLengths() const
{
return cy().isRelative()
|| cy().isRelative()
|| r().isRelative()
|| fx().isRelative()
|| fy().isRelative();
}