February 19th, 2025

MSVC C++ Code Analysis: Updates in Visual Studio 2022 version 17.13

Carson Radtke
Software Engineer

The C++ team is excited to announce the latest improvements to Code Analysis in Visual Studio. Continuing our commitment to make C++ development safer and more reliable, this update focuses on reducing false positives and enhancing the analysis engine’s precision. These improvements are driven by feedback from internal teams and by your valuable feedback through the Visual Studio Developer Community.

Key Improvements

Following recommendations from MORSE, we focused on enhancing selected security warnings that detect high-impact vulnerabilities. Our goal was to keep the false positive rate below 10% when running these checks against large codebases, ensuring broad adoption across Microsoft teams. This first wave of improvements targets three crucial warnings: C26100, C26831, and C33001.

Concurrency and Locking

C26100, one of our critical security warnings, detects potential race conditions that could lead to memory corruption or deadlocks. Through improved analysis of synchronization patterns, we have enhanced this warning to more accurately identify high-risk concurrency issues. Here is a summary of the key improvements in this area:

  • New diagnostics (C26132 + C26133) for detecting lock hierarchy mismatches in custom locking functions
  • Better analysis of lock acquisition patterns
  • Improved status tracking for concurrency checking

Enhanced Overflow Detection for Allocations

C26831, another critical security warning, detects potential numerical overflows in values used for memory allocation that could lead to buffer overruns and other memory corruption vulnerabilities. Through improved analysis of allocation patterns and sign conversions, we have enhanced this warning to more accurately identify high-risk overflow scenarios. Here is a summary of the key improvements in this area:

  • New diagnostics (C26838 + C26839) for detecting potential allocation overflow issues due to signed-to-unsigned conversions
  • Added heuristics for validating postcondition overflow checks in allocation routines
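The bug class behind these allocation warnings, as an added example that is not code from this post or from the MSVC team: an unchecked size computation beside a checked one, including the signed-to-unsigned case. All function names are hypothetical, and the example does not claim which exact lines the analyzer reports.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <limits>

// Contrast case: the 32-bit product wraps silently, so an allocation sized
// from it would be far smaller than the element count implies.
std::uint32_t unchecked_size(std::uint32_t count, std::uint32_t elem_size) {
    return count * elem_size;  // unsigned wrap modulo 2^32
}

// Checked form: test the bound BEFORE multiplying, so the overflow can
// never happen. Returns false instead of producing a wrapped size.
bool checked_size(std::size_t count, std::size_t elem_size, std::size_t& out) {
    if (elem_size != 0 &&
        count > std::numeric_limits<std::size_t>::max() / elem_size) {
        return false;
    }
    out = count * elem_size;
    return true;
}

// Signed count (for example a length field parsed from input): reject
// negative values before the conversion, because -1 converted to size_t
// becomes a huge positive number.
bool checked_size_signed(std::int32_t count, std::size_t elem_size,
                         std::size_t& out) {
    if (count < 0) return false;
    return checked_size(static_cast<std::size_t>(count), elem_size, out);
}

// Allocate only when the size is known to be in range and non-zero.
void* alloc_array(std::int32_t count, std::size_t elem_size) {
    std::size_t bytes = 0;
    if (!checked_size_signed(count, elem_size, bytes) || bytes == 0) {
        return nullptr;
    }
    return std::malloc(bytes);
}
```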

VariantClear and VARIANT Initialization

C33001, our third critical security warning, detects uninitialized VARIANT objects that could lead to memory corruption when passed to cleanup functions. Through improved tracking of VARIANT initialization states, we have enhanced this warning to accurately identify high-risk COM interface usage while maintaining a low false positive rate in production Windows code.

Community Feedback

Your feedback drives our prioritization and helps us deliver a better product. We actively monitor the Developer Community and use upvotes to understand which issues impact the most users. Even if you encounter an issue that is already reported, please upvote it – this helps us better prioritize our fixes.

Here are some key issues we have addressed based on community feedback:

We encourage you to continue reporting and upvoting issues you encounter. Whether it is a false positive, unclear diagnostic message, or feature request, your input is essential in shaping the future of C++ Code Analysis.

Looking Forward

Security remains a top priority as we work closely with MORSE and internal teams to enhance critical security warnings for high-impact vulnerabilities. We remain committed to lowering false positive rates across all our checkers.

Your feedback through the Developer Community continues to be essential in shaping our roadmap. As we expand our coverage of modern C++ security best practices, we will keep focusing on addressing community-reported issues to ensure our warnings remain precise and actionable.

Try It Out

These improvements are now available in Visual Studio 2022 version 17.13. To get started, check out the Code Analysis documentation. Our work is heavily influenced by your feedback; please continue to engage with us through the Developer Community and in the comments section below.

Stay tuned for more C++ static analysis improvements. Your feedback helps us make C++ development safer and more productive for everyone.

Author

Carson Radtke
Software Engineer

C++ Static Analysis Team | Microsoft/GSL Maintainer
