Tips & Tricks: Scrubbing Source Code For Common Coding Mistakes (FxCop And PREfast) Nicholas Guerrera TLNL06 Software Design Engineer Microsoft Corporation.

Presentation transcript:


2 Why Code Analysis?
One of a collection of strategies for improving code quality
Identify potential issues earlier in the development cycle
Problems are cheaper to fix the earlier they are identified

3 Code Analysis In Visual Studio Team System
Managed code analysis (FxCop): C#, C++/CLI, VB.NET, ASP.NET
Unmanaged code analysis (PREfast): C/C++
Automatically suppress warnings in source
File bugs based on analysis results
Enforce code analysis policy for check-ins

4 Types Of Mistakes
Typographical
Misuse of API
Security issues
API design guidelines / best practices
Code complexity and maintainability
Constructs that do not perform well

5 Demo: Managed Code Analysis In Visual Studio Team System (Nicholas Guerrera, Software Design Engineer, Visual Studio Team System)

6 Example One: SQL injection vulnerability

    private string GetAccountNumber(string username, string password)
    {
        string cnxString = ConfigurationManager.AppSettings["ConnectionString"];
        using (SqlConnection connection = new SqlConnection(cnxString))
        using (SqlCommand command = new SqlCommand())
        {
            connection.Open();
            command.Connection = connection;
            // User input is concatenated directly into the query text (the vulnerability)
            command.CommandText = "SELECT AccountNumber FROM Users " +
                "WHERE (Username='" + username + "')" +
                " AND (Password='" + password + "')";
            return (string)command.ExecuteScalar();
        }
    }

Input used in the demo: "q' OR 'q'='q"

7 Example Two: Naming and design guidelines

    public class box
    {
        public int height;
        public int width;

        public box(int height, int width)
        {
            this.height = height;
            this.width = width;
            this.print_to_console();
        }

        public void print_to_console()
        {
            Console.WriteLine("({0},{1})", this.height, this.width);
        }
    }

Issues: public fields, incorrect casing, underscores
Tip: Use C# refactoring to fix these!

8 Example Three: Globalization error

    private Font ReadFontFromSettings()
    {
        XmlDocument doc = new XmlDocument();
        doc.Load(GetSettingsXmlPath());
        XmlNode fontNode = doc.SelectSingleNode("Font");
        // Parses the size with whatever culture the current thread happens to have
        float size = float.Parse(fontNode.Attributes["Size"].Value);
        string name = fontNode.Attributes["Name"].Value;
        FontStyle style = (FontStyle)Enum.Parse(typeof(FontStyle), fontNode.Attributes["Style"].Value);
        return new Font(name, size, style);
    }

Issue: Missing IFormatProvider argument; float.Parse defaults to CultureInfo.CurrentCulture

9 Example Four: Serialization error

    public class SampleException : Exception
    {
        public SampleException() : base() { }
        public SampleException(string message) : base(message) { }
        public SampleException(string message, Exception innerException)
            : base(message, innerException) { }
    }

Issue: Missing [Serializable] attribute and deserialization constructor; the exception cannot be serialized or thrown across AppDomains.

10 Demo: Unmanaged Code Analysis In Visual Studio Team System (Nicholas Guerrera, Software Design Engineer, Visual Studio Team System)

11 Example One: Buffer overrun

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    void PrintModuleFileName()
    {
        // Allocates MAX_PATH bytes, but tells the API it may write MAX_PATH characters
        wchar_t *p = (wchar_t *)malloc(MAX_PATH);
        GetModuleFileName(NULL, p, MAX_PATH);
        printf("%S", p);
    }

Issues:
Buffer overrun: confusion between character and byte counts
Misuse of malloc and GetModuleFileName
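The byte/character confusion from this slide, worked through in portable C as an added example (not the slide's code): get_name_w is a constructed stand-in for GetModuleFileNameW with the same capacity-in-characters contract, and the sample path is made up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define MAX_PATH 260   /* the Windows constant, counted in characters */

/* Constructed sample name (assumption, not a real module path). */
static const wchar_t kSampleName[] = L"C:\\Program Files\\Example\\service.exe";

/* Stand-in for GetModuleFileNameW (assumption): like the real API, cch is a
 * capacity in CHARACTERS, at most cch wchar_t are written including the
 * terminator, and the number of characters copied is returned. */
size_t get_name_w(wchar_t *buf, size_t cch)
{
    size_t len = wcslen(kSampleName);
    if (cch == 0) return 0;
    if (len >= cch) len = cch - 1;                /* truncate, as the API does */
    memcpy(buf, kSampleName, len * sizeof(wchar_t));
    buf[len] = L'\0';
    return len;
}

/* Real capacity in characters of a buffer of `bytes` bytes: what the slide's
 * malloc(MAX_PATH) provides while claiming MAX_PATH characters. */
size_t chars_in_bytes(size_t bytes)
{
    return bytes / sizeof(wchar_t);
}

/* Corrected pattern: one character count drives both the allocation (scaled
 * to bytes) and the capacity passed to the API.  Returns a heap string the
 * caller frees, or NULL if malloc fails (no unchecked dereference). */
wchar_t *module_name_copy(void)
{
    const size_t cch = MAX_PATH;
    wchar_t *p = malloc(cch * sizeof(wchar_t));   /* bytes, not characters */
    if (p == NULL) return NULL;
    get_name_w(p, cch);                           /* characters, not bytes */
    return p;
}

int main(void)
{
    printf("malloc(MAX_PATH) holds only %zu wide characters, not %d\n",
           chars_in_bytes(MAX_PATH), MAX_PATH);
    wchar_t *name = module_name_copy();
    if (name != NULL) { printf("%ls\n", name); free(name); }
    return 0;
}
```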

12 Example Two: Arithmetic overflow

    long long Shift(int x, int y)
    {
        return x << y;   // shifted as a 32-bit int, widened only afterwards
    }

Issue: Arithmetic overflow: the result is cast to 64-bit after the shift, which may already have overflowed beyond 32 bits.
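The same shift done narrow, wide, and with a range check, as an added example rather than the slide's code; it uses unsigned operands (an assumption) because an overflowing left shift of the slide's signed int is undefined behaviour in C and would have nothing defined to compare.

```c
#include <stdbool.h>

/* Slide's pattern: the shift happens in 32 bits, then the result is widened. */
unsigned long long ShiftNarrow(unsigned int x, unsigned int y)
{
    return x << y;                     /* high bits are already gone here */
}

/* Fix: widen first, then shift, so the 64-bit result keeps all the bits. */
unsigned long long ShiftWide(unsigned int x, unsigned int y)
{
    return (unsigned long long)x << y;
}

/* Defensive version: rejects shift counts that are undefined even in 64 bits
 * and reports a result that would not fit in 64 bits instead of wrapping. */
bool ShiftChecked(unsigned int x, unsigned int y, unsigned long long *out)
{
    if (y >= 64) return false;                          /* undefined in C */
    unsigned long long wide = x;
    if (x != 0 && y > 0 && (wide >> (64 - y)) != 0)     /* bits would fall off */
        return false;
    *out = wide << y;
    return true;
}
```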

13 Example Three: Incorrect HRESULT usage

    // Call CoInitialize and return true if it succeeds.
    bool Initialize()
    {
        if (CoInitialize(0))   // any non-zero HRESULT, including success codes, is "true"
        {
            return false;
        }
        return true;
    }

Issue: HRESULT and bool are semantically different; use the FAILED or SUCCEEDED macros. Success codes can be non-zero (true in a boolean context). For example, S_FALSE == 0x1.
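The slide's bool-versus-HRESULT mistake next to the macro-based fix, as an added example that is not the slide's code. The HRESULT type, the S_OK/S_FALSE/E_FAIL values and the SUCCEEDED/FAILED macros are redefined here to match the Windows SDK so the block builds without windows.h; the HRESULT is passed in as a parameter instead of calling CoInitialize.

```c
#include <stdbool.h>
#include <stdint.h>

/* Mirrors the Windows SDK: an HRESULT is a signed 32-bit value whose sign
 * bit (severity) marks failure, so any non-negative value is a success. */
typedef int32_t HRESULT;
#define S_OK          ((HRESULT)0)
#define S_FALSE       ((HRESULT)1)            /* a SUCCESS code that is non-zero */
#define E_FAIL        ((HRESULT)0x80004005)   /* sign bit set: failure */
#define E_OUTOFMEMORY ((HRESULT)0x8007000E)
#define SUCCEEDED(hr) (((HRESULT)(hr)) >= 0)
#define FAILED(hr)    (((HRESULT)(hr)) < 0)

/* Slide's pattern applied to the value CoInitialize returned: treats the
 * HRESULT as a bool, so S_FALSE (COM already initialized on this thread,
 * still a success) is reported as a failure. */
bool InitializeBuggy(HRESULT hr)
{
    if (hr) {
        return false;
    }
    return true;
}

/* Fix: test the severity bit through the SDK macro, not the whole value. */
bool InitializeFixed(HRESULT hr)
{
    return SUCCEEDED(hr);
}

/* Same check written the other way round, for callers that branch on failure. */
bool InitializationFailed(HRESULT hr)
{
    return FAILED(hr);
}
```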

14 Example Four: Incorrect printf usage

    bool PrintStuff()
    {
        printf("%s - %d", 22, "twenty-two");        // type mismatches
        printf("%s - %d", "twenty-two");            // too few arguments
        printf("%s - %d", "twenty-two", 22, 22);    // too many arguments
        return true;
    }

Issues: Type mismatches; Too few arguments; Too many arguments

15 Example Five: Possible NULL dereference

    void DoWork()
    {
        int x, *p;
        if (Condition())
        {
            p = &x;
        }
        else
        {
            p = (int *)malloc(sizeof(int));   // may return NULL; never checked
        }
        *p = 27;
    }

Issue: If Condition() returns false, p could be NULL
Tip: Double-click on messages in the error list to see path highlighting

16 Where To Find Out More
Getting started with code analysis: Hands-On Lab, Visual Studio Team System, Source Code Analysis (HOL-TLN04)
Visual Studio Team System 2005 Beta 2, CTP, or upcoming RTM
Discussions on public forums at
FxCop is also available as a standalone tool from

17 Questions?

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.