The C++ team is excited to announce the latest improvements to Code Analysis in Visual Studio. Continuing our commitment to make C++ development safer and more reliable, this update focuses on reducing false positives and enhancing the analysis engine’s precision. These improvements are driven by internal teams’ feedback and by your valuable feedback through the Visual Studio Developer Community.
Key Improvements
Following recommendations from MORSE, we focused on enhancing selected security warnings that detect high-impact vulnerabilities. Our goal was to keep the false positive rate below 10% when running these checks against large codebases, ensuring broad adoption across Microsoft teams. This first wave of improvements targets three crucial warnings: C26100, C26831, and C33001.
Concurrency and Locking
C26100, one of our critical security warnings, detects potential race conditions that
could lead to memory corruption or deadlocks. Through improved analysis of
synchronization patterns, we have enhanced this warning to more accurately identify
high-risk concurrency issues. Here is a summary of the key improvements in this area:
- New diagnostics (C26132 + C26133) for detecting lock hierarchy mismatches in custom locking functions
- Better analysis of lock acquisition patterns
- Improved status tracking for concurrency checking
Enhanced Overflow Detection for Allocations
C26831, another critical security warning, detects potential numerical overflows in
values used for memory allocation that could lead to buffer overruns and other memory
corruption vulnerabilities. Through improved analysis of allocation patterns and sign
conversions, we have enhanced this warning to more accurately identify high-risk
overflow scenarios. Here is a summary of the key improvements in this area:
- New diagnostics (C26838 + C26839) for detecting potential allocation overflow issues due to signed-to-unsigned conversions
- Added heuristics for validating postcondition overflow checks in allocation routines
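As an added illustration of the signed-to-unsigned allocation-size pattern these warnings target (example code written for this post, not code from the post itself or from the MSVC analyzer; the function names are made up), here is the wrapping computation beside a checked alternative:

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>
#include <memory>

// Unsafe pattern: a signed element count is converted to size_t before the
// multiply. A negative count (for example from a malformed length field)
// becomes a huge unsigned value and the product silently wraps, so a buffer
// allocated from this size is far smaller than later writes assume.
std::size_t unsafe_alloc_size(int count, std::size_t elem_size) {
    return static_cast<std::size_t>(count) * elem_size;  // wraps on overflow
}

// Hardened form: reject negative counts before the sign conversion and
// verify the multiplication cannot exceed SIZE_MAX before performing it.
// Returns false (leaving *out untouched) when the size is not representable.
bool checked_alloc_size(int count, std::size_t elem_size, std::size_t* out) {
    if (count < 0 || out == nullptr) {
        return false;
    }
    const std::size_t n = static_cast<std::size_t>(count);
    if (elem_size != 0 &&
        n > std::numeric_limits<std::size_t>::max() / elem_size) {
        return false;  // n * elem_size would overflow
    }
    *out = n * elem_size;
    return true;
}

// Allocation routine built on the checked computation: a failed size check
// surfaces as a null pointer instead of an undersized buffer.
std::unique_ptr<unsigned char[]> checked_alloc(int count, std::size_t elem_size) {
    std::size_t bytes = 0;
    if (!checked_alloc_size(count, elem_size, &bytes)) {
        return nullptr;
    }
    return std::make_unique<unsigned char[]>(bytes);
}

int main() {
    // Constructed input: a negative count of 4-byte elements.
    std::printf("unsafe size for count -1: %zu bytes\n", unsafe_alloc_size(-1, 4));
    std::size_t bytes = 0;
    std::printf("checked size for count -1 accepted: %d\n",
                static_cast<int>(checked_alloc_size(-1, 4, &bytes)));
    std::printf("checked size for count 10 : %zu bytes\n",
                checked_alloc_size(10, 4, &bytes) ? bytes : 0);
    return 0;
}
```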
VariantClear and VARIANT Initialization
C33001, our third critical security warning, detects uninitialized VARIANT objects that could lead to memory corruption when passed to cleanup functions. Through improved tracking of VARIANT initialization states, we have enhanced this warning to accurately identify high-risk COM interface usage while maintaining a low false positive rate in production Windows code.
Community Feedback
Your feedback drives our prioritization and helps us deliver a better product. We
actively monitor the Developer Community and use upvotes to understand which issues
impact the most users. Even if you encounter an issue that is already reported,
please upvote it – this helps us better prioritize our fixes.
Here are some key issues we have addressed based on community feedback:
- Warning C26435 contradicts to Compiler Error C3609
- False positive lifetime code analysis warning C26848: Do not dereference a null pointer (lifetime.1)
- warning: C26822 false positive improperly emitted for `return NULL;`
- _Must_inspect_result_ incorrectly issues C28193 when nested struct/union field is inspected
- _Return_type_success_(expr) incorrectly produces C6101 expression references anonymous struct / union fields
- Code analysis warning C6011 for valid call to CWnd::GetSafeHwnd()
We encourage you to continue reporting and upvoting issues you encounter. Whether it is
a false positive, unclear diagnostic message, or feature request, your input is
essential in shaping the future of C++ Code Analysis.
Looking Forward
Security remains a top priority as we work closely with MORSE and internal teams to
enhance critical security warnings for high-impact vulnerabilities. We remain committed
to lowering false positive rates across all our checkers.
Your feedback through the Developer Community continues to be essential in shaping our
roadmap. As we expand our coverage of modern C++ security best practices, we will keep
focusing on addressing community-reported issues to ensure our warnings remain precise
and actionable.
Try It Out
These improvements are now available in Visual Studio 2022 version 17.13. To get started, check out the Code Analysis documentation.
Our work is heavily influenced by your feedback; please continue to engage with us through the Developer Community and in the comments section below.
Stay tuned for more C++ static analysis improvements. Your feedback helps us make C++
development safer and more productive for everyone.
The post MSVC C++ Code Analysis: Updates in Visual Studio 2022 version 17.13 appeared first on C++ Team Blog.