New Safety Rules in C++ Code Analysis

New Safety Rules in C++ Code Analysis

This blog post will introduce new rules related to VARIANT and its sibling types – such as VARIANTARG, or PROPVARIANT. To help with the new rules, we have built a code analysis extension, called VariantClear, that detects violations of these new rules in code. It is named VariantClear because the primary rule it detects is about misuse of VariantClear function.

In Visual Studio version 16.8 Preview 3,  we are adding a few safety rules to C++ Code Analysis that can find some common mistakes, which can lead to bugs ranging from simple broken features to costly security vulnerabilities. These new rules are developed around issues discovered in production software via security reviews and incidents requiring costly servicing. Every shipping piece of software in Microsoft runs these rules as part of security and compliance requirements.

This blog post will introduce new rules related to VARIANTand its sibling types – such as VARIANTARG, or PROPVARIANT. To help with the new rules, we have built a code analysis extension, called VariantClear, that detects violations of these new rules in code.  It is named VariantClear because the primary rule it detects is about misuse of VariantClearfunction.

The VariantClear extension detects and reports the following warnings:

  • C33001: VARIANT ‘var’ was cleared when it was uninitialized 
  • C33004: VARIANT ‘var’, which is marked as Out was cleared before being initialized  
  • C33005: VARIANT ‘var’ was provided as an input or input/output parameter but was not initialized 

While Visual Studio version 16.8 Preview 3 already has the VariantClear extension included, it is not yet enabled by default. To enable this extension, please add the following lines either to your project file or to the Microsoft.CodeAnalysis.Extensions.props file under MSBuild\Microsoft\VC\v160 folder in the Visual Studio installation location:

If you want to add this to individual project file, add it after all other <PropertyGroup> elements:

<PropertyGroup Condition="'$(ConfigurationType)'!='Utility' and '$(ConfigurationType)'!='Makefile'">
    <EspXtensions Condition="'$(EnableVariantClear)'!='false'">VariantClear.dll;$(EspXtensions)</EspXtensions>
</PropertyGroup>

If you want to modify your Visual Studio installation, you can add this to the Microsoft.CodeAnalysis.Extensions.props file, after the similar element for HResultCheck:

<EspXtensions Condition="'$(EnableVariantClear)'!='false'">VariantClear.dll;$(EspXtensions)</EspXtensions>

Please note that this will likely be overwritten if you repair or reinstall Visual Studio, or upgrade to a later release. Please stay tuned for update when we have this extension enabled in Visual Studio.

c++ diagnostics new feature writing code code analysis static analysis

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

Static in C# | What is static | Static Methods & Classes | C# Tutorial | Advanced C#

LIKE | COMMENT | SHARE | SUBSCRIBE In this tutorial, I will discussed about Static in C#. A static class is declared with the help of static keyword. A stati...

Static example in C# | What is static | Static Methods & Classes | Advanced C#

LIKE | COMMENT | SHARE | SUBSCRIBE In this tutorial, I will discussed about Static in C#. A static class is declared with the help of static keyword. A stati...

Dicey Issues in C/C++

C/C++ problems. If you are familiar with C/C++then you must have come across some unusual things and if you haven’t, then you are about to. The below codes are checked twice before adding, so feel free to share this article with your friends.

Cory House’s Analogy Between Writing Code and Writing Prose

We should write code like authors write pages in a book.

Static Code Analysis for Python

Static code analysis looks at the code without executing it. It is usually extremely fast to execute, requires little effort to add to your workflow, and can uncover common mistakes. The only downside is that it is not tailored towards your code.