Ghidra

/ hownot2code / Leave a comment

Ghidra

Always true & Unreachable code

public void setValueAt(Object aValue, int row, int column) {
  ...
  int index = indexOf(newName);
  if (index >= 0) {                  // <=
    Window window = tool.getActiveWindow();
    Msg.showInfo(getClass(), window, "Duplicate Name",
                 "Name already exists: " + newName);
    return;
  }

  ExternalPath path = paths.get(row); // <=
  ...
}
private int indexOf(String name) {
  for (int i = 0; i < paths.size(); i++) {
    ExternalPath path = paths.get(i);
    if (path.getName().equals(name)) {
      return i;
    }
  }
  return 0;
}

PVS-Studio warnings:

  • V6007 Expression ‘index >= 0’ is always true. ExternalNamesTableModel.java:105
  • V6019 Unreachable code detected. It is possible that an error is present. ExternalNamesTableModel.java:109

Something distracted the developer, and they accidentally implemented the indexOf method in such a way that it returns 0, i.e. the index of the first element of the paths collection, instead of -1 for a non-existent value. This will happen even if the collection is empty. Or maybe they generated the method but forgot to change the default return value. Anyway, the setValueAt method will refuse any offered value and show the message “Name already exists” even if there’s not a single name in the collection.

By the way, the indexOf method is not used anywhere else, and its value is actually needed only to determine if the sought element exists. Rather than writing a separate method and playing around with indexes, it would probably be better to write a for-each loop right in the setValueAt method and have it return when encountering the matching element.

Please click here to see more bugs from this project.

RavenDB

/ hownot2code / Leave a comment

RavenDB JPG_Logo-2

Always true

public override void VerifyCanExecuteCommand(
  ServerStore store, TransactionOperationContext context, bool isClusterAdmin
)
{
  using (context.OpenReadTransaction())
  {
    var read = store.Cluster.GetCertificateByThumbprint(context, Name);
    if (read == null)
      return;

    var definition = JsonDeserializationServer.CertificateDefinition(read);
    if (
      definition.SecurityClearance != SecurityClearance.ClusterAdmin || // <=
      definition.SecurityClearance != SecurityClearance.ClusterNode     // <=
    )
      return;
  }

  AssertClusterAdmin(isClusterAdmin);
}

Analyzer warning: V3022 Expression is always true. Probably the ‘&&’ operator should be used here. DeleteCertificateFromClusterCommand.cs(21) Raven.Server

Another example of a situation where almost certainly the wrong logical operator was chosen. In this case, the condition is always true, because the variable isn’t exactly equal to at least one of the values that it is compared with.

I suppose that “||” should be replaced with “&&”. Then the above fragment will make sense. If the logical operator is chosen correctly, it is most likely that other variables should be compared in one of the conditions. Anyway, this fragment looks very fishily and it must be analyzed.

Please click here to see more bugs from this project.

Command & Conquer

/ hownot2code / Leave a comment

270599

Array overrun

V557 Array overrun is possible. The ‘QuantityB’ function processes value ‘[0..86]’. Inspect the first argument. Check lines: ‘HOUSE.H:928’, ‘CELL.CPP:2337’. HOUSE.H 928

typedef enum StructType : char {
  STRUCT_NONE=-1,
  ....
  STRUCT_COUNT,   // <= 87
  STRUCT_FIRST=0
} StructType;
int BQuantity[STRUCT_COUNT-3];
int QuantityB(int index) {return(BQuantity[index]);}
bool CellClass::Goodie_Check(FootClass * object)
{
  ....
  int bcount = 0;
  for( j=0; j < STRUCT_COUNT; j++) {     bcount += hptr->QuantityB(j);
  }
  ....
}

There are a lot of global variables in the code and it is obvious that they are easy to get confused. The analyzer’s warning about an array index out of bounds is issued at the point of accessing the BQuantity array by index. The array size is 84 elements. Algorithms for analyzing the data flow in the analyzer helped to find out that the index value comes from another function – Goodie_Check. There, a loop is executed with a final value of 86. Therefore, 12 bytes of “someone’s” memory (3 int elements) are constantly being read in this place.

Please click here to see more bugs from this project.

Best Practices for Building Applications on Microsoft Azure

/ hownot2code / Leave a comment

Image Source

The demand for cloud-native application development is increasing on a daily basis. Cloud-native apps can provide benefits that traditional apps can’t, including high availability, automatic resource provisioning, and auto-scaling. These applications also help organizations and developers maintain their competitive edge.

In this article, you will learn best practices for cloud-native application development on Azure, including tooling for creating and deploying your first Azure-native application.

What Are Cloud-Native Applications?

The simplest definition of cloud-native application is an app you develop for use in the cloud. The app’s design completely adheres to the cloud environment it was designed for.

This definition differentiates between a cloud-based application and a cloud-native application. Cloud-based applications are apps that are hosted in the cloud, but were not built for this environment.

The Cloud Native Computing Foundation (CNCF) extended this definition, and added their own criteria of cloud-native apps. CNCF defines the cloud-native approach as the use of microservices-based and containerized software that can be dynamically orchestrated.

Best Practices for Cloud-Native Application Development on Azure

You might think that, with CNCF’s extended definition of cloud-native you can just go ahead and develop apps that are native for all clouds. However, every cloud has its own structure, capabilities, resources, and features. Below, are four aspects of the Azure cloud that you should take into consideration when developing Azure-native apps.

1. Use Azure backup and smaller Virtual Machines (VMs)

Hardware failures can occur at any given moment. To avoid data loss, you should backup your cloud environments. Small-sized VMs are more immune to failures than large-sized VMs because of their transient local storage. This is why you should avoid large VMs unless they are really necessary. Instead, you can utilize the Azure Backup feature that maintains the disk-based replicas on multiple locations for on-premise or online applications.

2. Use autoscaling

Autoscaling enables you to use only the resources you need when you need them by leveraging dynamic resource allocation. Autoscaling can also help reduce the cost of running your applications. Design your applications to be horizontally scalable to get the maximum performance and cost benefits. Apps usually don’t need more powerful processors, they distributed workloads.

Try not to tie your code to specific cloud instances when developing your application. Specific instances can limit scalability and availability. You can create a scheduled autoscaling policy, if you expect a high traffic volume at specific times. This policy can start instances before your demand increases.

3. Understand Azure storage and database options

Azure offers solutions for relational database management systems (RDBMS), as well as big data workloads. Azure database and storage options include blob storage, table storage, file storage and more. You can easily migrate databases to Azure using Azure Migrate or third party migration tools.

Table storage does not support the features of the relational database and indexing. Use it to store unstructured data. Leverage Azure SQL Database in case of complex data manipulation and queries. However, you need to understand the limitations of Azure SQL shared database before starting working with it. Limitations include the lack of authentication on SQL Azure, and the lack of high availability features like backup and restore.

4. Focus on security

The isolated services of cloud-native approach can make your applications more secure than traditional applications. However, cloud-native applications do not provide better security by default.

  • Conduct penetration tests — to find vulnerabilities inside your environment and apps.
  • Monitor app traffic and log your application activity — this data can help you detect threats and alert you when your application becomes unavailable.
  • Shut down remote debugging features — when you’re done troubleshooting your app. Attackers can use remote debugging features to modify your application code.
  • Use HTTPS for communication — any incoming and outgoing traffic should be passed through HTTPS. HTTPS can help ensure that transmitted data isn’t modified or rerouted.

Tools to Create and Deploy Azure Applications

Microsoft Azure offers a couple of ways to build and deploy applications, as explained below.

Azure App Service

Azure App Service enables you to build and host RESTful APIs, mobile, and web apps without managing infrastructure. Azure App Service provides all the necessary tools to create apps for particular business needs.

Moreover, developers can use any programming language they want and integrate the service with GitHub, and Visual Studio Online for a quick development cycle. The list below reviews some of the apps you can build with the help of Azure App Service.

  • Mobile App Service — enables you to host and build cross-platform and native apps for iOS, Android, Windows, or Mac. You can use this service from any location at any time. The development environment meets the requirements for creating large enterprise-grade applications.
  • Web Apps Service — create, deploy, and load balance websites or web applications with Python, Java, PHP, .NET, and Node.js..
  • API Apps Service — enables you to host and build your APIs securely in the cloud. Developers can use Azure API Apps to develop APIs using Python, C#, or PHP.
  • Logic App Service — schedule, automate, and orchestrate business-critical workflows, and processes. You can integrate systems, apps, and data more easily with prebuilt connectors and APIs.

You can find more information about Azure App Service in the official page.

Azure Cloud Services

Azure Cloud Service is a Platform as a Service (PaaS) offering that supports reliable, scalable, and inexpensive applications. Azure cloud service provides more control over Azure VMs, because it is hosted on Virtual Machines (VMs). You can access these VMs remotely and install your own software. However, deployment and monitoring of complex workloads and VMs is challenging compared to App Service.

There are two different roles in Azure Cloud Services. Each role provides different app hosting:

  • Worker roles — worker roles deploy the app as a standalone application without using Internet Information Services (IIS). Worker roles are usually used for powerful applications and APIs.
  • Web roles — host the app automatically via the (IIS). A web role is usually assigned for lightweight and straightforward applications.

Azure Functions

Azure Functions is a serverless computing service that enables developers to run small pieces of code in the cloud without managing infrastructure. That leaves more time for writing code and developing new features.

You have to use a trigger to execute an Azure function. A trigger is an external services event that fires up the Functions. An external event can be a Blob being inserted into a container, an HTTP request, or a timer being lapsed. Azure Functions can also help you reduce your cloud costs, since Microsoft charges only for the time the Function actually runs.

Azure Virtual Machines (VMs)

Azure VMS is a large collection of pre-defined Windows or Linux servers that provides you with the flexibility of virtualization without having to purchase and manage hardware. Virtual machines provide full responsibility for updates, support, installations, and administration, as well as full control over configurations.

Azure Virtual Machines can isolate two operating systems and their applications. For instance, if you create an Ubuntu VM and install PHP, MySQL, and Apache, they will not conflict with the Microsoft SQL, PHP 5 installation on another virtual machine. In addition, you can find some VM images with pre-installed Visual Studio in the Azure Marketplace. You can quickly create a temporary, or long-term use development VM by using these images.

Conclusion

There are multiple steps you need to take in order to deploy cloud-native applications in Azure. First, you have to understand Azure storage and database options, then design your applications to be scalable, and evaluate your backup options. Then you should choose a tool that best suits your needs. Remember that each of the Azure application development has its weaknesses, strengths, and learning curves.

C++ Is Faster and Safer Than Rust: Benchmarked by Yandex

/ hownot2code / 3 Comments

Author: Roman Proskuryakov

Spoiler: C++ is not faster or slower – that’s not the point, actually. This article continues our good tradition of busting myths about the Rust language shared by some big-name Russian companies.

The previous article of this series is titled “Go is faster than Rust: benchmarked by Mail.Ru (RU)“. Not so long ago, I tried to lure my coworker, a C-programmer from another department, to Rust. But I failed because – I’m quoting him:

In 2019, I was at the C++ CoreHard conference, where I attended Anton @antoshkka Polukhin’s talk about the indispensable C++. According to him, Rust is a young language, and it’s not that fast and even not that safe.

Anton Polukhin is a representative of Russia at the C++ Standardization Committee and an author of several accepted proposals to the C++ standard. He is indeed a prominent figure and authority on everything C++ related. But his talk had a few critical factual errors regarding Rust. Let’s see what they are.

The part of Anton’s presentation (RU) that we are particularly interested in is 13:00 through 22:35 .

Continue reading

Zero, one, two, Freddy’s coming for you

/ hownot2code / Leave a comment

This post continues the series of articles, which can well be called “horrors for developers”. This time it will also touch upon a typical pattern of typos related to the usage of numbers 0, 1, 2. The language you’re writing in doesn’t really matter: it can be C, C++, C#, or Java. If you’re using constants 0, 1, 2 or variables’ names contain these numbers, most likely, Freddie will come to visit you at night. Go on, read and don’t say we didn’t warn you.


Continue reading