https://www.meetup.com/St-Petersburg-CPP-User- Group/ ● C++ Russia: https://cppconf.ru/en/Why Code Analysis?Software QualityReadability Maintainability tools fuzzer battery life Repeatable tests Undefined Behavior – Fun with NULL pointers, part 1: https://lwn.net/Articles/342330/Why code analysis – ● Improve software quality ● Lower developer frustration ● Avoid UBLanguageLanguage helps Built-in compiler check ○ Current LLVM implementation gives 5% overhead ○ Annotations to help analysis: gsl::SharedOwner, gsl::Owner, gsl::Pointer void sample1() { int* p = nullptr; {

Finding Bugs using Path-Sensitive Static Analysis Gábor Horváth Gabor.Horvath@microsoft.com @XazaxHunWelcome to CppCon 2021! Join #visual_studio channel on CppCon Discord https://aka.ms/cppcon/discord latest announcements Take our survey https://aka.ms/cppconAgenda • Intro to path-sensitive static analysis • Path-sensitive checks in MSVC • A look under the hood • Upcoming features • Lessons learned2012 -> Unknown p -> Null p -> MaybeNull p -> MaybeNull Warning Unknown Null NotNull MaybeNull Analysis state Transition semi-lattice• Some paths are infeasible: • Not taking branch 1, but taking branch

accounts • Isolate untrusted inputs Management • Keep dependencies up to date • Use static code analysis tools built into your CICD pipeline • Use fuzzing in your CICD pipelineStrategies for Secure Security DevOps has these built in ● BinSkim ● CodeQL ● PreFast and SAL annotations ● OASIS Static Analysis Results Interchange Format (SARIF) ● C++ Core Check rulesThird Party or Open Source Software ● without ASan is unsupported Compiler Options /fsanitize-coverage=inline-bool-flag /fsanitize-coverage=edge /fsantize- coverage=trace-cmp /fsanitize-coverage=grace-div Link the libraries: • clang_rt.fuzzer_no_main-x86_64

its built-in checks. Static analysis is great, but you also get tons of false positives. Now that you’re hooked on smart tools, you have to try dynamic/runtime analysis. After years of improvements Ciura | @ciura_victor - 2020: The Year of Sanitizers? Vignette in 3 parts Static Analysis Dynamic Analysis Warm Fuzzy Feelings10 2020 Victor Ciura | @ciura_victor - 2020: The Year of Sanitizers I Static Analysis15 2020 Victor Ciura | @ciura_victor - 2020: The Year of Sanitizers? C++ Core Guidelines Checker docs.microsoft.com/en-us/cpp/code-quality/quick-start-code-analysis-for-c-cpp

into smaller chunks •Static analysis tools99 How can we test it? •Remove old code and add new code at the same time •Separate tasks into smaller chunks •Static analysis tools •Formal Design100 How •Remove old code and add new code at the same time •Separate tasks into smaller chunks •Static analysis tools •Formal Design •Code Review101 How can we test it? •Remove old code and add new code at Control Tracking) 2. Enumeration/Constant Versioning and Deprecation 3. Automated Static Code Analysis for Renaming 4. Semantic Versioning for Enums 5. Refactor Scripts and Tools to Validate Renaming

released a new version (dependency version number update). • you need an additional package for data analysis (add a new dependency). • you have found a better package and no longer need the older package Release 23.3.1.post2+bdcba5dd0 6.3.1 Static Code Analysis This project is configured with pre-commit to automatically run linting and other static code analysis on every commit. Running these tools prior to --cov tests\test_create.py -k create_install_update_remove_smoketest If you are not measuring code coverage, pytest can be run without the --cov option. The docker compose tests pass --cov. Note: Some integration

released a new version (dependency version number update). • you need an additional package for data analysis (add a new dependency). • you have found a better package and no longer need the older package Release 0.0.0.dev0+placeholder 6.3.1 Static Code Analysis This project is configured with pre-commit to automatically run linting and other static code analysis on every commit. Running these tools prior to --cov tests\test_create.py -k create_install_update_remove_smoketest If you are not measuring code coverage, pytest can be run without the --cov option. The docker compose tests pass --cov. Note: Some integration

$1B-Scale Data Center…NVIDIA Installed GPU Computing Power = 100x+ Growth Over ~Six Years 107 Note: Analysis does not include TPUs or other specialized AI accelerators, for which less data is available. TPUs intelligence projects. These enable collaboration, reuse, and distribution of AI tools and assets. Analysis shown includes GitHub repositories with 500+ stars. Infrastructure = tools for model serving, compute faster [vs. ChatGPT Free]… …ChatGPT Enterprise also provides unlimited access to advanced data analysis, previously known as Code Interpreter. - ChatGPT Enterprise Release Statement, 8/23 Number of

Navigation ☑️� Linters ☑️� Colorization & Formatting ☑️� IntelliSense ⌛; ☑️�MSVC ☑️�MSVC Code Analysis ☑️�MSBuild ; CMake ⌛ ; GCC ⌛ ; Clang/LLVM ⌛ ☑️�Stepping ☑️�Parallel Stacks ☑️�Debugger Cross-platform development 4. Developer and Team Productivity Static Analysis ✴ New and improved checkers in MSVC Code Analysis • Returning a local variable with std::move • Path-sensitive bounds checking 4:45pm / Fri, Oct 29 – 12:00pm Finding bugs using path-sensitive static analysis Gabor Horvath – _3 Tue, Oct 26 – 3:15pm Static Analysis and Program Safety in C++: Making it Real Sunny Chatterjee – _2