1 Tips & Tricks: Scrubbing Source Code For Common Coding Mistakes (FxCop And PREfast)
Nicholas Guerrera, TLNL06
Software Design Engineer, Microsoft Corporation

2 Why Code Analysis?
One of a collection of strategies for improving code quality
Identify potential issues earlier in the development cycle
Problems are cheaper to fix the earlier they are identified

3 Code Analysis In Visual Studio Team System
Managed code analysis (FxCop): C#, C++/CLI, VB.NET, ASP.NET
Unmanaged code analysis (PREfast): C/C++
Automatically suppress warnings in source
File bugs based on analysis results
Enforce code analysis policy for check-ins

4 Types Of Mistakes
Typographical
Misuse of API
Security issues
API design guidelines / best practices
Code complexity and maintainability
Constructs that do not perform well

5 Demo: Managed Code Analysis In Visual Studio Team System
Nicholas Guerrera, Software Design Engineer, Visual Studio Team System

6 Example One: SQL injection vulnerability

    private string GetAccountNumber(string username, string password)
    {
        string cnxString = ConfigurationManager.AppSettings["ConnectionString"];
        using (SqlConnection connection = new SqlConnection(cnxString))
        using (SqlCommand command = new SqlCommand())
        {
            connection.Open();
            command.Connection = connection;
            // Vulnerable: untrusted input is concatenated straight into the SQL text
            command.CommandText = "SELECT AccountNumber FROM Users " +
                "WHERE (Username='" + username + "') " +
                "AND (Password='" + password + "')";
            return (string)command.ExecuteScalar();
        }
    }

Input shown on the slide that changes the meaning of the query: "q' OR 'q'='q"

7 Example Two: Naming and design guidelines

    public class box
    {
        public int height;
        public int width;

        public box(int height, int width)
        {
            this.height = height;
            this.width = width;
            this.print_to_console();
        }

        public void print_to_console()
        {
            Console.WriteLine("({0},{1})", this.height, this.width);
        }
    }

Issues: public fields, incorrect casing, underscores
Tip: Use C# refactoring to fix these!

8 Example Three: Globalization error

    private Font ReadFontFromSettings()
    {
        XmlDocument doc = new XmlDocument();
        doc.Load(GetSettingsXmlPath());
        XmlNode fontNode = doc.SelectSingleNode("Font");
        float size = float.Parse(fontNode.Attributes["Size"].Value);
        string name = fontNode.Attributes["Name"].Value;
        FontStyle style = (FontStyle)Enum.Parse(typeof(FontStyle), fontNode.Attributes["Style"].Value);
        return new Font(name, size, style);
    }

Issue: Missing IFormatProvider argument to float.Parse, which therefore defaults to CultureInfo.CurrentCulture

9 Example Four: Serialization error

    public class SampleException : Exception
    {
        public SampleException() : base() { }
        public SampleException(string message) : base(message) { }
        public SampleException(string message, Exception innerException) : base(message, innerException) { }
    }

Issue: Missing [Serializable] attribute and deserialization constructor, so the exception cannot be serialized or thrown across AppDomains.

10 Demo: Unmanaged Code Analysis In Visual Studio Team System
Nicholas Guerrera, Software Design Engineer, Visual Studio Team System

11 Example One: Buffer overrun

    void PrintModuleFileName()
    {
        wchar_t *p = (wchar_t *)malloc(MAX_PATH);   // reserves MAX_PATH bytes, not MAX_PATH wide characters
        GetModuleFileName(NULL, p, MAX_PATH);       // the size argument is a count of characters
        printf("%S", p);
        free(p);
    }

Issues
Buffer overrun: confusion between character and byte counts
Misuse of malloc and GetModuleFileName
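The corrected form of this example, written here as an added illustration rather than code from the slides: the allocation is sized in bytes derived from a character count, and a stack buffer sized with the element-count idiom avoids the unit mismatch altogether. Because GetModuleFileName is Windows-only, the block substitutes a stand-in (fake_module_file_name, an assumption of this example) that keeps the same contract for its size argument: a character count, at most cch-1 characters written, NUL-terminated, and truncation rather than overrun. MAX_PATH is defined locally with the same value the Windows headers use, and the path it returns is a constructed sample.

```c
#include <stdlib.h>
#include <stdio.h>
#include <wchar.h>

/* Same value as the Windows headers; defined here so the example builds anywhere. */
#define MAX_PATH 260

/* Stand-in for GetModuleFileName (assumption of this example). cch is a count
   of CHARACTERS, not bytes; writes at most cch-1 characters plus a NUL and
   returns the number of characters stored. The path is a constructed sample. */
static size_t fake_module_file_name(wchar_t *dst, size_t cch)
{
    static const wchar_t sample[] = L"C:\\Program Files\\Example\\app.exe";
    size_t n = wcslen(sample);
    if (dst == NULL || cch == 0)
        return 0;
    if (n > cch - 1)
        n = cch - 1;            /* truncate instead of running past the buffer */
    wmemcpy(dst, sample, n);
    dst[n] = L'\0';
    return n;
}

/* The conversion the slide's code skips: malloc wants bytes, the API wants
   characters. malloc(MAX_PATH) gives only MAX_PATH / sizeof(wchar_t) elements. */
static size_t wide_buffer_bytes(size_t cch)
{
    return cch * sizeof(wchar_t);
}

/* Heap version: allocation size and API size argument now use the same unit. */
static wchar_t *module_file_name_heap(void)
{
    wchar_t *p = malloc(wide_buffer_bytes(MAX_PATH));
    if (p == NULL)
        return NULL;
    fake_module_file_name(p, MAX_PATH);
    return p;
}

/* Stack version: sizeof(buf)/sizeof(buf[0]) is an element count by construction.
   Copies the result into out (out_cch characters) and returns the length stored. */
static size_t module_file_name_stack(wchar_t *out, size_t out_cch)
{
    wchar_t buf[MAX_PATH];
    size_t n = fake_module_file_name(buf, sizeof(buf) / sizeof(buf[0]));
    if (out == NULL || out_cch == 0)
        return 0;
    if (n > out_cch - 1)
        n = out_cch - 1;
    wmemcpy(out, buf, n);
    out[n] = L'\0';
    return n;
}

int main(void)
{
    wchar_t small[8];
    wchar_t *heap = module_file_name_heap();
    if (heap != NULL) {
        printf("%ls\n", heap);
        free(heap);
    }
    module_file_name_stack(small, sizeof(small) / sizeof(small[0]));
    printf("truncated to 7 characters: %ls\n", small);
    return 0;
}
```

The real API behaves the same way on truncation (it fills the buffer and NUL-terminates), so checking the returned length against the buffer size is the other half of using it correctly.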

12 Example Two: Arithmetic overflow

    long long Shift(int x, int y)
    {
        return x << y;   // shift is evaluated in 32-bit int; the widening to 64 bits happens afterwards
    }

Issue: Arithmetic overflow. The result is cast to 64 bits after the shift, which may already have overflowed beyond 32 bits.
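The fix is to widen the operand before shifting, not the result after. The block below is an added example (not from the slides) showing the corrected Shift, a guarded variant that rejects shifts whose result would not fit in 64 bits or whose inputs make the C shift undefined (negative operand, count outside 0..62), and a helper that reports whether a given value would have survived the slide's 32-bit computation. The function names are this example's own.

```c
#include <limits.h>
#include <stdio.h>

/* Corrected Shift: convert to 64 bits first, then shift. */
static long long shift_wide(int x, int y)
{
    return (long long)x << y;
}

/* Guarded shift: returns 1 and stores the result in *out when the shift is
   well defined and representable, 0 otherwise. Works in unsigned arithmetic
   so the range test itself cannot overflow. */
static int shift_checked(int x, int y, long long *out)
{
    unsigned long long ux;
    if (x < 0 || y < 0 || y > 62)
        return 0;
    ux = (unsigned long long)x;
    /* ux << y fits in a signed 64-bit value exactly when ux <= LLONG_MAX >> y */
    if (ux > ((unsigned long long)LLONG_MAX >> y))
        return 0;
    *out = (long long)(ux << y);
    return 1;
}

/* Whether the original 32-bit computation could have held this value. When
   this returns 0, the slide's x << y had already overflowed int before the
   conversion to long long took place. */
static int fits_in_int(long long v)
{
    return v >= INT_MIN && v <= INT_MAX;
}

int main(void)
{
    long long r;
    if (shift_checked(1, 40, &r))
        printf("1 << 40 = %lld (fits in int: %d)\n", r, fits_in_int(r));
    if (!shift_checked(2, 62, &r))
        printf("2 << 62 rejected: exceeds 63 value bits\n");
    return 0;
}
```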

13 Example Three: Incorrect HRESULT usage

    // Call CoInitialize and return true if it succeeds.
    bool Initialize()
    {
        if (CoInitialize(0))
        {
            return false;
        }
        return true;
    }

Issue: HRESULT and bool are semantically different; use the FAILED or SUCCEEDED macros. Success codes can be non-zero (true in a boolean context). For example, S_FALSE == 0x1.
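To make the semantic gap concrete, the added example below (not code from the slides) puts the slide's truth test and the SUCCEEDED-based test side by side and feeds both the three values that matter: S_OK, S_FALSE and E_FAIL. The macro and constant definitions reproduce the documented Windows ones; HRESULT is declared as int32_t so the sign bit lands in the same place on every platform. CoInitialize itself is not called; each function takes the HRESULT as a parameter, which is an assumption of this example so that it runs outside Windows (CoInitialize returns S_FALSE when COM is already initialized on the calling thread, which is exactly the case the slide's code misclassifies).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* HRESULT is a signed 32-bit value; success is the sign bit being clear.
   Definitions below match the Windows headers. */
typedef int32_t HRESULT;
#define SUCCEEDED(hr) (((HRESULT)(hr)) >= 0)
#define FAILED(hr)    (((HRESULT)(hr)) < 0)
#define S_OK          ((HRESULT)0x00000000L)
#define S_FALSE       ((HRESULT)0x00000001L)
#define E_FAIL        ((HRESULT)0x80004005L)

/* The slide's logic: any non-zero HRESULT is treated as failure. In real code
   hr would be the return value of CoInitialize(NULL). */
static bool initialize_wrong(HRESULT hr)
{
    if (hr) {
        return false;
    }
    return true;
}

/* Corrected logic: ask the macro, which inspects the sign bit. */
static bool initialize_right(HRESULT hr)
{
    return SUCCEEDED(hr);
}

int main(void)
{
    const HRESULT samples[] = { S_OK, S_FALSE, E_FAIL };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("hr=0x%08X  wrong=%d  right=%d\n", (unsigned)samples[i],
               initialize_wrong(samples[i]), initialize_right(samples[i]));
    }
    return 0;
}
```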

14 Example Four: Incorrect printf usage

    bool PrintStuff()
    {
        printf("%s - %d", 22, "twenty-two");        // type mismatches
        printf("%s - %d", "twenty-two");            // too few arguments
        printf("%s - %d", "twenty-two", 22, 22);    // too many arguments
        return true;
    }

Issues
Type mismatches
Too few arguments
Too many arguments
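Format-string mismatches are catchable at compile time when the compiler knows a parameter is a printf-style format. The added example below (not from the slides) wraps vsnprintf in a bounded helper annotated with GCC/Clang's format attribute, so the three mistakes on the slide are reported by -Wformat; on MSVC the equivalent annotation is _Printf_format_string_ from sal.h, which PREfast uses for the same check. The helper and function names are this example's own, and the three faulty calls are kept as comments so the program builds cleanly.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* On GCC/Clang: parameter 3 is a printf format, variadic arguments start at 4.
   The compiler then checks every call site for type, count and arity. */
#if defined(__GNUC__) || defined(__clang__)
#define PRINTF_LIKE(fmt_idx, first_arg) __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define PRINTF_LIKE(fmt_idx, first_arg)
#endif

/* Bounded formatting helper: never writes past buf[n-1], always NUL-terminates
   when n > 0, and returns the length the full output would have (as snprintf does). */
static int format_line(char *buf, size_t n, const char *fmt, ...) PRINTF_LIKE(3, 4);

static int format_line(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return len;
}

/* The output the slide's code was presumably after, with arguments that match
   the conversions: %s gets the string, %d gets the int. */
static int print_stuff(char *buf, size_t n)
{
    return format_line(buf, n, "%s - %d", "twenty-two", 22);
}

int main(void)
{
    char line[32];
    int len = print_stuff(line, sizeof line);
    printf("%s (%d characters)\n", line, len);
    /* Each of these reproduces one of the slide's warnings under -Wformat:
     *   format_line(line, sizeof line, "%s - %d", 22, "twenty-two");   type mismatches
     *   format_line(line, sizeof line, "%s - %d", "twenty-two");       too few arguments
     *   format_line(line, sizeof line, "%s - %d", "twenty-two", 22, 22); too many arguments
     */
    return 0;
}
```

Checking the returned length against the buffer size is what turns a silent truncation into a detectable condition; the second assertion group in the accompanying test exercises that path.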

15 Example Five: Possible NULL dereference

    void DoWork()
    {
        int x, *p;
        if (Condition())
        {
            p = &x;
        }
        else
        {
            p = (int *)malloc(sizeof(int));   // may return NULL
        }
        *p = 27;   // dereferenced on both paths without a check
    }

Issue: If Condition() returns false, p could be NULL
Tip: Double-click on messages in the error list to see path highlighting
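The path the analyzer highlights (Condition() false, malloc returns NULL, *p written) is hard to reproduce by running the program, because malloc rarely fails on demand. The added example below (not from the slides) restructures DoWork so that the allocation failure can be injected through a parameter, adds the missing NULL check on exactly that path, and frees the heap cell the original leaked. The parameters, the maybe_malloc helper and the return convention are this example's own assumptions.

```c
#include <stdlib.h>
#include <stdio.h>

/* Allocation hook for the example: returns NULL on request so the failure
   path can be driven deterministically. */
static void *maybe_malloc(size_t n, int simulate_failure)
{
    return simulate_failure ? NULL : malloc(n);
}

/* DoWork with the check the slide's version lacks.
   condition               : plays the role of Condition()
   simulate_alloc_failure  : forces the heap path to see NULL
   out                     : receives the value written through p
   Returns 1 on success, 0 if the allocation failed (nothing is dereferenced). */
static int do_work(int condition, int simulate_alloc_failure, int *out)
{
    int x;
    int *p;
    int on_heap = 0;

    if (condition) {
        p = &x;
    } else {
        p = maybe_malloc(sizeof *p, simulate_alloc_failure);
        if (p == NULL) {
            return 0;           /* the path the original code dereferenced blindly */
        }
        on_heap = 1;
    }

    *p = 27;
    *out = *p;

    if (on_heap) {
        free(p);                /* the original never released this allocation */
    }
    return 1;
}

int main(void)
{
    int v = 0;
    printf("stack path: ok=%d value=%d\n", do_work(1, 0, &v), v);
    printf("heap path:  ok=%d value=%d\n", do_work(0, 0, &v), v);
    v = 0;
    printf("heap path with failing malloc: ok=%d value=%d\n", do_work(0, 1, &v), v);
    return 0;
}
```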

16 Where To Find Out More
Getting started with code analysis
Hands-On Lab: Visual Studio Team System, Source Code Analysis: HOL-TLN04
Visual Studio Team System 2005 Beta 2, CTP, or upcoming RTM
Discussions on public forums at http://forums.microsoft.com
FxCop is also available as a standalone tool from http://www.gotdotnet.com/

17 Questions?

18 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

