I am really astonished by the capabilities of static code analysis. The tool surprised me the other day as it turned out to be smarter and more attentive than I am. I found I must be careful when working with static analysis tools. Code reported by the analyzer often looks fine and I'm tempted to discard the warning as a false positive and move on. I fell into this trap and failed to spot bugs...Even I, one of the PVS-Studio developers.
So, appreciate and use static code analyzers! They will help save your time and nerve cells.
[Ed note: I debated running this story as there was an element of self-promotion (aka Bin Spam), but the submitter has been with the site for a while and has posted informative comments. Besides, I know there have been far too many times when I've seen a compiler complain about some section of my code and I'm thinking there is nothing wrong with it — and then I, finally, see my mistake. Anyone have samples of code where you just knew the compiler or static analyzer was wrong, only to find out otherwise? --martyb]
(Score: 4, Informative) by maxwell demon on Monday October 23 2017, @11:18PM (1 child)
No, the "s" in "sprintf" does not stand for "secure", but for "string". Basically it is a version of printf that doesn't output its arguments after formatting, but writes them into a string (actually, character array) instead.
The secure version of sprintf is snprintf.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by turgid on Tuesday October 24 2017, @07:30PM
And nowadays we also have asprintf if you like to leak memory inadvertently.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].