What’s New in Code Analysis for Visual Studio 2012


Hi Everyone,

With the launch of the Beta we would like to tell you about some of the great enhancements we have made to code analysis based on your feedback.  Back when we started planning for Visual Studio 2012 we spent a good deal of time talking with people who use code analysis, and understanding the common pain points.  What we learned was there are three key areas you would like to see us improve:

  1. Help better manage large numbers of warnings
  2. Make the output from the analyzer more understandable
  3. Improve the accuracy of the analyzer and the types of coding errors it finds

In this post let’s go over some of the highlights for code analysis in Visual Studio 2012:

  • Code Analysis is available in all editions of Visual Studio and supports 64bit C++ projects
  • Custom rule sets for C++ projects and quick keyword filtering for managing results
  • Ability to step through each line on the warning path to improve understanding of the issue
  • More accurate, relevant warnings to find important bugs early in development

 

Code Analysis Available in All Editions of Visual Studio

First, we are really excited to announce that we are including code analysis in all editions of Visual Studio 2012, including a subset of the most critical warnings in the Express edition for free (this applies to C++, C#, and VB code analysis) and all rules in the Professional, Premium, and Ultimate editions.  We see code analysis as an important tool for writing high quality software, and we want you to have access to the same tools that we run internally at Microsoft.

Filtering and C++ Rule Sets

Historically, one of the difficult things about using code analysis has been managing the sometimes large sets of results.  When we would run analysis on a moderate or large codebase for the first time the sheer number of warnings returned was overwhelming.  Finding ways to carve off small bits was difficult.

To help with this we have created a new window for managing Code Analysis results.

image

This window contains a keyword filter text box where you can filter code analysis results on warning number, text in the title or message of the warning, as well as filename or function name.  We have found this is really useful for quickly getting to the code analysis warnings that are most relevant.  For example, say you are adding a new function to an existing project that has previous code analysis warnings in it, and you just want to see any new warnings you may have added. Using keyword filtering you can filter on your new function name and investigate those first.

In addition, if you are using Visual Studio 2012 Professional, Premium, or Ultimate editions you can now create custom rule sets for C++ projects.  The rule set configuration file determines which warnings Code Analysis checks for. We have included a default rule set that we think is a great place to start, but we encourage you to customize the rule set to make Code Analysis more relevant to you. For instance, if your organization cares about globalization defects because you ship your software in multiple languages you can enable these rules, or vice versa.

image

Detailed Explanation of Code Path to Warning

Another part of the C++ code analysis experience we set out to improve is around understanding how the analyzer found the problem.  Previously when investigating a code analysis warning we would often scratch our heads and say to ourselves “ok, it’s telling me there is a bug on this line of source code, but how did it get there in the first place?”

So in Visual Studio 2012 we have introduced the concept of “key events.” A Key event is a relevant decision or assumption the analyzer made in the process of finding a defect. In the example below there are three key events (on the left). The key event on line 7 explains what the analyzer assumed in order to reach the bug; that the Boolean parameter ‘guard’ is false.

clip_image004

In the Code Analysis window you can click on a warning and step through these key events similar to a traditional debugger.

image

We have added key events to a handful of the most relevant and common C++ warnings, and as we hear feedback from you we will continue to update and improve the output of the warning messages.

Many Other Improvements

Lastly I would like to mention that there are many other improvements we have made to the accuracy of the C++ analyzer, the source code annotation language used by the analyzer (as well as documentation for it), and the kinds of defects the analyzer finds.  Just to point out one improvement; in this release we have added checks for concurrency defects like threading deadlocks and race conditions in C++ code.  However, these are topics unto themselves, so we can save them for another day.

In closing this first post for code analysis in Visual Studio 2012, we are excited to use this blog as a way to teach, learn, and interact together.  We encourage you to try Visual Studio 2012 and check out code analysis, and we appreciate and look forward to your feedback.

-Code Analysis Team

To discover more about code analysis in Visual Studio 2012 go here:

http://msdn.microsoft.com/en-us/library/windows/apps/hh441471(v=VS.85).aspx


Comments (14)

  1. Sofiane H. says:

    Awesome Stuff!

  2. Does code analysis in VS11 have support for Code Contracts so that CA1062: Validate arguments of public methods does not fire when you use Contract.Requires or Contract.Assume?

  3. john DC says:

    Cool.  Tried it and it found 3 bugs in my app.  Here is one from a copy & paste issue

    // Convert date from disk sorted friendly to user friendly

    // Input: 20120207-552

    // Output: 2/7/2010 5:52pm

    void SortedDateTimeFormatToNormal(const wchar_t * szSorted, wchar_t * sznormal, int outcnt)

    {

    swscanf_s(szSorted, L"%4d%2d%2d%c%d", &year, &month, &day );

    Note the incorrect %c copied from another routine.  My test data had a leading zero ie 07…

  4. Ash says:

    Awesome. Thanks for including Code Analysis in all editions! Now if only the compiler could get up to speed with C++ 11 standard…

  5. Jesse Houwing says:

    Nice! Sml question… Will we be able to filter the window to only show open files? And to only show checked-out files? That would be a great feature for brownfield scenarios.

  6. Abc says:

    OMG!!!

    VS.next looks like VC6 :/// The Pain is Back!!!

    Please give an option to change appearance or the nightmares will return!

  7. That's good. I gave a test to one of my projects and get some security issues related to pointers, which I know about, but there seems to be many internal libraries related issues.

    E.g. img100.imageshack.us/…/notgood.png. This is a dialog based MFC application and because internally for data management I use only STL logic there are no issue with my own code, but its seems that there are problems with old internal ATL/MFC code. Will be good to make a check on it.

  8. Tom Kirby-Green says:

    It's just wonderful that this stuff is available in the Pro edition now! Thank you, thank you for making this happen 🙂

  9. Robert Basler says:

    Well crap, I thought I could skip VS2011.  Now if you'd just put the profiler into all editions we'd really be cooking!

  10. @Remco unfortunately we were not able to add support for Code Contracts into Visual Studio 11, so CA1062 will still fire when using Contract.Requires or Contract.Assumes.  There is however a workaround for CA1062 that I will publish a post shortly indicating how to avoid this warning in cases where you know it won't be null

    @Robert, the Visual Studio Profiler (with the exception of tier interaction profiling) has been moved into the Visual Studio 11 Professional edition as well

  11. @Jesse, that is a great suggestion.  We won't likely have time to get that into Visual Studio 11, but I've added it to our backlog.

    @Innos_mage, from looking at your screen shot it appears you are using a pre-Beta version of Visual Studio. Try upgrading to Beta and let me know if the warnings go away.

    -Vince

  12. @Robert, I should have also mentioned regarding the profiler, that we did include the relevant profiling components for profiling Windows 8 Metro Style Applications in the free Windows 8 Express SKU

  13. Ted says:

    Detecting nested conditional expressions using the "x = expression ? a : b;" syntax would be nice.

  14. Hey guys,

    We have an interesting problem with apparently different versions of FxCop.

    On a clean Visual Studio 2010 installation we receive 2 FxCop Warnings (CA1812 – avaoid uninstantiated internal classes, CA1822 – Mark member as static) for generated code (in *.g.cs) from a XAML WF4 workflow.

    The same warnings don't appear on systems having Visual Studio11 beta installed. (no matter which FxCopCmd.exe is used)

    Is there a way to get the same behavior on both machines – or even better, what to do to get rid of those unecessary warnings on 2010?

Skip to main content