Slashdot Mirror

← Back to Domains

Domain: viva64.com

Stories and comments across the archive that link to viva64.com.

Comments · 57

  1. Re:Yes, go ahead! by Anonymous Coward · · Score: 1 · on TechCrunch Urges Developers: Replace C Code With Rust (techcrunch.com)

    Just for the record, just in case someone points to this and claims nobody expressed any doubts. Certainly not because I missed the tone of biting sarcasm in your voice:

    Maybe these will be overcome. Maybe a better more formally proven type system will be implemented. For now there are doubts.

  2. bugs by Andrey_Karpov · · Score: 1 · on Google Launches New Website To Showcase Its Open Source Projects and Processes (betanews.com)

    Well, now PVS-Studio has more code to check and to entertain the readers with reports. :) About the analysis of various open source projects by PVS-Studio Team: https://www.viva64.com/en/insp...

  3. PVS-Studio by Andrey_Karpov · · Score: 1 · on A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency (bleepingcomputer.com)

    Some developers say that typos are not dangerous and PVS-Studio is not needed. This great tool for typos search: https://www.viva64.com/en/exam... Now I have the argument. :)

  4. Re:Funnily by Jahta · · Score: 1 · on Interview With Python Creator Guido Van Rossum (techrocket.com)

    I was just talking to an old Co-Worker from a C++ company I worked at a few years back. He asked "So what are you doing lately" and I told him I'm working on my thesis, which is titled "Ruby's a Terrible Programming Language, And You're A Terrible Programmer For Liking It". Then I cited a number of my complaints -- being able to add arbitrary functions to a live object, never knowing where to look for the interface definition of parameter objects, need to extensively test all execution paths of production code (Which no one ever does,) odd syntactic quirks and changes in syntax between language versions. He laughed and said he had exactly the same complaints about Python. You see, Object Oriented Programming was invented to reduce maintenance costs for completed projects, because that's where 90% of your expenses with the project will be. Ruby, at least, and apparently Python as well according to my friend's complaints, were invented to make the cheap part of the development process "easier", while at the same time letting the language fanboys pat themselves on the back about what clever programmers they are. This is exactly the opposite of software "engineering".

    Well you can write terrible code in any language; C/C++ projects are no different. The "engineering" part is between the keyboard and the chair; a fool with a tool is still a fool. That's why testing matters and, with modern automated testing, full test coverage is not difficult.

    Python is a well structured, expressive, language that is suitable for many types of application. You don't even have to write OOP code if you don't want to; though if you do, Python has good OOP support. OOP is not a magic fix for maintenance costs. Well structured code (OOP or not) is what makes maintenance easy.

  5. Re:Oh, Karpov, you inveterate spammer... by Andrey_Karpov · · Score: 3, Interesting · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    You may just say - hey this is me, psychonaut, I've banned viva64 on Wikipedia. Praise me for that. Because of me you won't see links to really helpful material on viva64.

    For example, it's really not necessary for those who are interested in Precompiled header to know that there is a super useful article StdAfx.h. Burn it all! :)

  6. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  7. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  8. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  9. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  10. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  11. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  12. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  13. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  14. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  15. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  16. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  17. Re:Dear PVD Team: by Andrey_Karpov · · Score: 2 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    See "An always up-to-date list of articles describing errors that we find in open source projects with PVS-Studio analyzer".

    We have checked this projects from the list you've provided:

  18. Re:Another one? by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

    Here are the articles about our project checks:

    Here are the checks of C# projetcs:

  19. Re:Another one? by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

    Here are the articles about our project checks:

    Here are the checks of C# projetcs:

  20. Re:Another one? by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

    Here are the articles about our project checks:

    Here are the checks of C# projetcs:

  21. Re:Another one? by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

    Here are the articles about our project checks:

    Here are the checks of C# projetcs:

  22. Re:Another one? by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

    Here are the articles about our project checks:

    Here are the checks of C# projetcs:

  23. Re:Another one? by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

    Here are the articles about our project checks:

    Here are the checks of C# projetcs:

  24. Re:Another one? by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

    Here are the articles about our project checks:

    Here are the checks of C# projetcs:

  25. Re:Another one? by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

    Here are the articles about our project checks:

    Here are the checks of C# projetcs:

  26. Re:Another one? by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

    Here are the articles about our project checks:

    Here are the checks of C# projetcs:

  27. Re:Another one? by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

    Here are the articles about our project checks:

    Here are the checks of C# projetcs:

  28. Re:Another one? by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    Well, it's not very likely that we'll be given a chance to run the analysis on Windows. Even if such a thing happens, we can't write an article about that. In general, we like checking Microsoft projects. These programs are of high quality and it's a big achievement for us to find something worthwhile, as well another opportunity to advertise PVS-Studio.

    Here are the articles about our project checks:

    Here are the checks of C# projetcs:

  29. Re:ahhhh advertising, my good friend! by Andrey_Karpov · · Score: 1 · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    It doesn't have any prospects to make a cheap tool. I suggest looking at CppCat story, a tool we were selling for $250.

  30. How the fuck are you so sure, paco? by Anonymous Coward · · Score: 0, Flamebait · on PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel

    How the fuck are you so sure that the code in question is "working as intended"?

    For MOD_LOAD, random_source_register(&random_nehemiah) is only called under very specific circumstances.

    Yet for MOD_UNLOAD, random_source_deregister(&random_nehemiah) is called even if random_source_register(&random_nehemiah) wasn't called during MOD_LOAD.

    Deregistering something that was not registered properly in the first place is often a very dangerous, and incorrect, thing to be doing!

    Oh, and guess what? A FIX WAS JUST FUCKING COMMITTED FOR THE BUG THAT YOU INCORRECTLY CLAIMED DIDN'T EXIST!

    You should apologize to all of us for your snide, and incorrect, bullshit.

  31. Re:Low quality software must be free (as in beer) by neilo_1701D · · Score: 2, Interesting · on Microsoft Brings Office To Android Smartphones For Free

    ... as that would show the absolutely low quality of their code

    What is directly known about Microsoft code doesn't support your argument. For example, after the Windows 2000 code leak several people did their own analysis of the code. For example, kuro5hin concluded:

    In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility.

    Note that last sentence: Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility.

    More recently, static code analysis was done on the legally released Word for Windows 1.1a by PVS-Studio. They concluded:

    I have found very few strange fragments. There are two reasons for that. Firstly, I found the code to be skillfully and clearly written. Secondly, the analysis had to be incomplete, while teaching the analyzer the specifics of the old C language wouldn't be of any use.

    In short, there may be many reasons not to pay for Microsoft's software. Your perception of the quality of their code is not one.

  32. Re:Slashvertisment by UnknownSoldier · · Score: 4, Informative · on Unreal Engine Code Issues Fixed By Third-party Company

    The one review everyone is interested in ... Linux Kernel (Jan 2015) static analysis!

    Other notable ones are:

    * LibreOffice
    * Vim
    * Gimp
    * Wine
    * Blender
    * Quake 3 Arena
    * Doom 3
    * Notepad++ (2012)

  33. Re:Slashvertisment by UnknownSoldier · · Score: 4, Informative · on Unreal Engine Code Issues Fixed By Third-party Company

    The one review everyone is interested in ... Linux Kernel (Jan 2015) static analysis!

    Other notable ones are:

    * LibreOffice
    * Vim
    * Gimp
    * Wine
    * Blender
    * Quake 3 Arena
    * Doom 3
    * Notepad++ (2012)

  34. Re:Slashvertisment by UnknownSoldier · · Score: 4, Informative · on Unreal Engine Code Issues Fixed By Third-party Company

    The one review everyone is interested in ... Linux Kernel (Jan 2015) static analysis!

    Other notable ones are:

    * LibreOffice
    * Vim
    * Gimp
    * Wine
    * Blender
    * Quake 3 Arena
    * Doom 3
    * Notepad++ (2012)

  35. Re:Slashvertisment by UnknownSoldier · · Score: 4, Informative · on Unreal Engine Code Issues Fixed By Third-party Company

    The one review everyone is interested in ... Linux Kernel (Jan 2015) static analysis!

    Other notable ones are:

    * LibreOffice
    * Vim
    * Gimp
    * Wine
    * Blender
    * Quake 3 Arena
    * Doom 3
    * Notepad++ (2012)

  36. Re:Slashvertisment by UnknownSoldier · · Score: 4, Informative · on Unreal Engine Code Issues Fixed By Third-party Company

    The one review everyone is interested in ... Linux Kernel (Jan 2015) static analysis!

    Other notable ones are:

    * LibreOffice
    * Vim
    * Gimp
    * Wine
    * Blender
    * Quake 3 Arena
    * Doom 3
    * Notepad++ (2012)

  37. Re:Slashvertisment by UnknownSoldier · · Score: 4, Informative · on Unreal Engine Code Issues Fixed By Third-party Company

    The one review everyone is interested in ... Linux Kernel (Jan 2015) static analysis!

    Other notable ones are:

    * LibreOffice
    * Vim
    * Gimp
    * Wine
    * Blender
    * Quake 3 Arena
    * Doom 3
    * Notepad++ (2012)

  38. Re:Slashvertisment by UnknownSoldier · · Score: 4, Informative · on Unreal Engine Code Issues Fixed By Third-party Company

    The one review everyone is interested in ... Linux Kernel (Jan 2015) static analysis!

    Other notable ones are:

    * LibreOffice
    * Vim
    * Gimp
    * Wine
    * Blender
    * Quake 3 Arena
    * Doom 3
    * Notepad++ (2012)

  39. Re:Slashvertisment by UnknownSoldier · · Score: 4, Informative · on Unreal Engine Code Issues Fixed By Third-party Company

    The one review everyone is interested in ... Linux Kernel (Jan 2015) static analysis!

    Other notable ones are:

    * LibreOffice
    * Vim
    * Gimp
    * Wine
    * Blender
    * Quake 3 Arena
    * Doom 3
    * Notepad++ (2012)

  40. Re:Slashvertisment by UnknownSoldier · · Score: 4, Informative · on Unreal Engine Code Issues Fixed By Third-party Company

    The one review everyone is interested in ... Linux Kernel (Jan 2015) static analysis!

    Other notable ones are:

    * LibreOffice
    * Vim
    * Gimp
    * Wine
    * Blender
    * Quake 3 Arena
    * Doom 3
    * Notepad++ (2012)

  41. Re:Slashvertisment by UnknownSoldier · · Score: 1 · on Unreal Engine Code Issues Fixed By Third-party Company

    Considering there are tons of bugs in open source programs ... you might be right :-)

    Intel Galileo UEFI analysis (May 2015)
    Godot Engine analysis (April 2015)
    FreeCAD analysis (April 2015)
    Haiku OS analysis: part 1, part 2 (April 2015)
    Vim analysis (March 2015)
    CoreCLR analysis (March 2015)
    LibreOffice analysis (March 2015)
    MatrixSSL analysis (February 2015)
    Linux kernel analysis (January 2015)
    Powder Toy analysis (December 2014)
    Spring RTS analysis (December 2014)
    Miranda NG analysis: part 1, part 2 (November 2014)
    NSS analysis (October 2014)
    KDE analysis (September 2014)
    Oracle VM VirtualBox analysis: part 1, part 2 (September 2014)
    PHP analysis (September 2014)
    Asterisk analysis (August 2014)
    Cocos2d-x analysis (August 2014)
    GIMP analysis (August 2014)
    Wine analysis (August 2014)
    Bitcoin analysis (July 2014)
    OpenMW analysis (May 2014)
    Tesseract analysis (May 2014)
    TortoiseGit analysis (May 2014)
    WinSCP analysis (April 2014)
    Unreal Engine 4 analysis (April 2014)
    Microsoft Word 1.1a analysis (April 2014)
    Scilab analysis (March 2014)
    μManager analysis (March 2014)
    CryEngine 3 SDK analysis (March 2014)
    glibc analysis (February 2014)
    Firebird analysis (February 2014)
    LibRaw analysis (February 2014)
    Source SDK analysis (January 2014)
    PostgreSQL analysis (December 2013)
    Geant4 analysis (November 2013)
    VirtualDub analysis (October 2013)
    OpenMS analysis (September 2013)
    Boost analysis (August 2013)
    Multi Theft Auto analysis (August 2013)
    NetXMS analysis (May 2013)
    This one is not open-source, but still useful to everyone. C++Builder header files analysis (May 2013)
    Windows 8 Driver Samples analysis (April 2013)
    OpenCV analysis (March 2013)
    Casablanca analysis (March 2013)
    OpenSSL analysis (December 2012), second analysis (April 2014)
    Tor analysis (November 2012)
    This one is not open-source, but still useful to everyone. Visual C++ libraries analysis (September 2012), second analysis (October 2014)
    Trans-Proteomic Pipeline analysis (August 2012), second analysis (September 2013)
    MAME analysis (July 2012)
    Blender analysis (April 2012)
    Dolphin-emu analysis (February 2012)
    TrinityCore analysis (February 2012)
    Quake III Arena GPL analysis (February 2012)
    Firefox analysis (December 2011), second analysis (June 2014)
    Doom 3 analysis (November 2011)
    ReactOS analysis (September 2011), second analysis (April 2013)
    Clang analysis (August 2011), second analysis (August 2012)
    Intel Energy Analysiser SDK analysis (July 2011)
    Apache HTTP Server analysis (July 2011)
    Qt analysis (July 2011), second analysis (April 2014)
    Chromium analysis (May 2011), second analysis (October 2011), third analysis (August 2013), fourth analysis (December 2013)
    Miranda IM analysis (March 2011)
    Intel IPP Samples analysis (January 2011), second analysis (October 2011), third analysis (April 2012)
    Ultimate Toolbox analysis (December 2010)
    TortoiseSVN analysis (December 2010), second analysis (June 2013)
    qutIM analysis (November 2010)
    Fennec Media Project analysis (November 2010)
    Notepad++ analysis (November 2010), second analysis (February 2012)
    WinMerge analysis (October 2010), second analysis (March 2012)

  42. Re:Slashvertisment by UnknownSoldier · · Score: 1 · on Unreal Engine Code Issues Fixed By Third-party Company

    They have some good featured articles

    PVS-Studio: analyzing ReactOS's code
    http://www.viva64.com/en/a/007...

    Analysis of Godot Engine's Source Code
    http://www.viva64.com/en/b/032...

    Analyzing FreeCAD's Source Code and Its "Sick" Dependencies
    http://www.viva64.com/en/b/032...

  43. Re:Slashvertisment by UnknownSoldier · · Score: 1 · on Unreal Engine Code Issues Fixed By Third-party Company

    They have some good featured articles

    PVS-Studio: analyzing ReactOS's code
    http://www.viva64.com/en/a/007...

    Analysis of Godot Engine's Source Code
    http://www.viva64.com/en/b/032...

    Analyzing FreeCAD's Source Code and Its "Sick" Dependencies
    http://www.viva64.com/en/b/032...

  44. Re:Slashvertisment by UnknownSoldier · · Score: 1 · on Unreal Engine Code Issues Fixed By Third-party Company

    They have some good featured articles

    PVS-Studio: analyzing ReactOS's code
    http://www.viva64.com/en/a/007...

    Analysis of Godot Engine's Source Code
    http://www.viva64.com/en/b/032...

    Analyzing FreeCAD's Source Code and Its "Sick" Dependencies
    http://www.viva64.com/en/b/032...

  45. Re:Slashvertisment by UnknownSoldier · · Score: 1 · on Unreal Engine Code Issues Fixed By Third-party Company

    They have some good featured articles

    PVS-Studio: analyzing ReactOS's code
    http://www.viva64.com/en/a/007...

    Analysis of Godot Engine's Source Code
    http://www.viva64.com/en/b/032...

    Analyzing FreeCAD's Source Code and Its "Sick" Dependencies
    http://www.viva64.com/en/b/032...

  46. Re:PHP is a piece of shit and this is why by UnknownSoldier · · Score: 1 · on Modern PHP: New Features and Good Practices

    That's a great list!

    Analysis of the PHP source code, showing some of the ways PHP is fucked up and hopeless beyond repair:

    http://www.viva64.com/en/b/027...

  47. Re:memset() is bad? by viperidaenz · · Score: 1 · on First Phase of TrueCrypt Audit Turns Up No Backdoors

    This is actually tangentially related to heartbleed - if the memory had been zeroed when freed, the scope of the exploit would have been greatly reduced, as only currently allocated blocks would have been vulnerable

    The blocks holding the certificate private key are always allocated, so always vulnerable.

    This is completely incorrect. Until it is freed (or realloc'ed), the address returned by malloc will point to the same data, regardless of whether it is in the L1 cache, RAM, or paged to disk. Were this not the case, each program would need to implement its own MMU.

    So virtual memory is completely useless, because paging to disk doesn't free up the physical RAM or other processes?

    Perhaps you should have read the article linked in the article you linked. http://www.viva64.com/en/k/004...

    There is SecureZeroMemory() function in the depths of Win32 API. Its description is rather concise and reads that this function overwrites a memory region with zeroes and is designed in such way that the compiler never eliminates a call of this function during code optimization.

    So don't use memset to zero memory.

    There is still the risk that another process reads data from RAM that another process was using, unless the OS zeros out the memory before allocating it.
    That's something you can't get around in application code because you don't control the other applications.

  48. Re:memset() is bad? by rdnetto · · Score: 1 · on First Phase of TrueCrypt Audit Turns Up No Backdoors

    But the program performs functionally the same.
    That's the rule followed when doing compiler optimisations.

    memset has nothing to do with Heartbleed by the way, nor does any compiler optimisation.

    The program will generate the same output yes, but the security implications are not the same.
    This is actually tangentially related to heartbleed - if the memory had been zeroed when freed, the scope of the exploit would have been greatly reduced, as only currently allocated blocks would have been vulnerable. Furthermore, the most common reason for using custom mallocs in security-critical applications is to do exactly that - to zero all memory immediately upon freeing.

    Zeroing memory like this is a common practice in such cases.

    You also don't guarantee the original data is overwritten. If your application is paged out of RAM before the call to memset, when it gets loaded back in to RAM it can be pointing to a different physical memory location. You're now overwriting.... something completely different.

    This is completely incorrect. Until it is freed (or realloc'ed), the address returned by malloc will point to the same data, regardless of whether it is in the L1 cache, RAM, or paged to disk. Were this not the case, each program would need to implement its own MMU.

    Now, what is true is that additional copies of the data could be made, but you'd need to have escalated to root to access anything in a pagefile (at which point your system is completely compromised anyway), and I'm not even sure if direct access to L1 cache is possible.

  49. A Boring Article About a Check of the OpenSSL Proj by Andrey_Karpov · · Score: 1 · on Theo De Raadt's Small Rant On OpenSSL

    Some time ago, a vulnerability was revealed in OpenSSL, and I guess there's no programmer who hasn't been talking about it since then. I knew that PVS-Studio could not catch the bug leading to this particular vulnerability, so I saw no reason for writing about OpenSSL. Besides, quite a lot of articles have been published on the subject recently. However, I received a pile of e-mails, people wanting to know if PVS-Studio could detect that bug. So I had to give in and write this article: http://www.viva64.com/en/b/025...

  50. Re:Static analysis ? by savuporo · · Score: 1 · on How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

    Lame reply to self but, yeah, according to the most basic static analysis tools, it was broken in 2012
    http://www.viva64.com/en/b/018...
    and still broken in 2013
    http://www.viva64.com/en/b/025...