{"id":26998,"date":"2020-10-28T15:00:51","date_gmt":"2020-10-28T15:00:51","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/cppblog\/?p=26998"},"modified":"2020-10-28T11:11:04","modified_gmt":"2020-10-28T11:11:04","slug":"even-more-new-safety-rules-in-c-code-analysis","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/cppblog\/even-more-new-safety-rules-in-c-code-analysis\/","title":{"rendered":"Even More New Safety Rules in C++ Code Analysis"},"content":{"rendered":"<p><span data-contrast=\"none\">In\u202f<\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/visualstudio\/releases\/2019\/release-notes-preview\"><span data-contrast=\"none\">Visual Studio version 16.8\u202fPreview 3<\/span><\/a><span data-contrast=\"none\">,\u202f\u202fwe<\/span><span data-contrast=\"none\">\u202f<\/span><span data-contrast=\"none\">have added<\/span><span data-contrast=\"none\">\u202fa\u202ffew\u202fsafety rules to C++ Code Analysis\u202fthat can\u202ffind\u202fsome common mistakes, which can lead to\u202fbugs ranging\u202ffrom simple broken features to\u202fcostly security vulnerabilities.\u202fThese new rules are developed around issues discovered in\u202f<\/span><span data-contrast=\"none\">production<\/span><span data-contrast=\"none\">\u202fsoftware via\u202fsecurity reviews and incidents\u202frequiring\u202fcostly\u202f<\/span><span data-contrast=\"none\">servicing<\/span><span data-contrast=\"none\">.\u202fEvery shipping piece of software in Microsoft runs these rules as part of security and compliance requirements.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">The first part of this blog series,\u00a0<\/span><a href=\"https:\/\/devblogs.microsoft.com\/cppblog\/new-safety-rules-in-c-code-analysis\/\"><span data-contrast=\"none\">New Safety Rules in C++ Code Analysis<\/span><\/a><span 
data-contrast=\"none\">, introduced<\/span><span data-contrast=\"none\">\u00a0new rules related<\/span><span data-contrast=\"none\">\u00a0to<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">the\u00a0<\/span><span data-contrast=\"none\">misuse<\/span><span data-contrast=\"none\">\u00a0of<\/span><span data-contrast=\"none\">\u00a0<\/span><code><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/oaidl\/ns-oaidl-variant\"><span data-contrast=\"none\">VARIANT<\/span><\/a><\/code><span data-contrast=\"none\">\u202f<\/span><span data-contrast=\"none\">and its sibling types \u2013 such as\u202f<\/span><code><span data-contrast=\"none\">VARIANTARG<\/span><\/code><span data-contrast=\"none\">, or<code>\u202f<\/code><\/span><code><span data-contrast=\"none\">PROPVARIANT<\/span><\/code><span data-contrast=\"none\">.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">This second\u00a0<\/span><span data-contrast=\"none\">part\u00a0<\/span><span data-contrast=\"none\">of the series\u00a0<\/span><span data-contrast=\"none\">introduce<\/span><span data-contrast=\"none\">s<\/span><span data-contrast=\"none\">\u00a0new rules about \u201cuse of enumerations as index\u201d and \u201cuse of Boolean as HRESULT\u201d.\u00a0<\/span><span data-contrast=\"none\">To help with the<\/span><span data-contrast=\"none\">se<\/span><span data-contrast=\"none\">\u00a0new rules,\u202fwe\u202fhave built\u00a0<\/span><span data-contrast=\"none\">two\u00a0<\/span><span data-contrast=\"none\">code analysis extension<\/span><span data-contrast=\"none\">s<\/span><span data-contrast=\"none\">, called\u202f<\/span><code><span data-contrast=\"none\">EnumIndex<\/span><\/code><span data-contrast=\"none\"><code>\u00a0<\/code>and\u00a0<\/span><code><span data-contrast=\"none\">HResultCheck<\/span><\/code><span 
data-contrast=\"none\"><code>\u00a0<\/code>that\u202fdetect violations of these new rules\u202fin code.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<h2>Using\u00a0enum\u00a0as index<span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"none\">A<\/span><span data-contrast=\"none\">n<\/span><span data-contrast=\"none\">\u00a0<\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/cpp\/enumerations-cpp\"><span data-contrast=\"none\">enumerat<\/span><span data-contrast=\"none\">i<\/span><span data-contrast=\"none\">on<\/span><\/a><span data-contrast=\"none\">\u00a0or\u00a0<\/span><span data-contrast=\"none\">enum<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">is\u00a0<\/span><span data-contrast=\"none\">a user-defined\u00a0<\/span><span data-contrast=\"none\">integral\u00a0<\/span><span data-contrast=\"none\">type that consists of a<\/span><span data-contrast=\"none\">n optional<\/span><span data-contrast=\"none\">\u00a0set of named integral constants that are known as enumerators<\/span><span data-contrast=\"none\">\u00a0(also called enumeration-constants)<\/span><span data-contrast=\"none\">.<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">Usually, a<\/span><span data-contrast=\"none\">n enumeration provides context to describe a range of\u00a0<\/span><span data-contrast=\"none\">values <\/span><span data-contrast=\"none\">(<\/span><span data-contrast=\"none\">called enumerators)<\/span><span data-contrast=\"none\">\u00a0which are represented as named\u00a0<\/span><span data-contrast=\"none\">constants<\/span><span data-contrast=\"none\">.<\/span><span 
data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">An enum can be made scoped by specifying the <code>class<\/code> or <code>struct<\/code> keyword after the <\/span><code><span data-contrast=\"none\">enum<\/span><\/code><span data-contrast=\"none\"> keyword, for example:<\/span><\/p>\n<pre class=\"prettyprint\">enum class Suit { Diamonds, Hearts, Clubs, Spades };<\/pre>\n<p><span data-contrast=\"none\">Without the <code>class<\/code> or <code>struct<\/code> keyword, an enum is unscoped.<\/span><\/p>\n<p><span data-contrast=\"none\">Using <\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/build\/reference\/std-specify-language-standard-version\"><span data-contrast=\"auto\">\/std:c++17<\/span><\/a><span data-contrast=\"none\">, an enum (regular or scoped) can be defined with an explicit underlying type and no enumerators, which in effect introduces a new integral type that has no implicit conversion to any other type.<\/span><\/p>\n<p><span data-contrast=\"none\">Unscoped<\/span><span 
data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">enumerators<\/span><span data-contrast=\"none\">\u00a0can be implicitly converted to <code>int<\/code><\/span><span data-contrast=\"none\">.\u00a0<\/span><span data-contrast=\"none\">Scoped enumerators cannot be implicitly converted<\/span><span data-contrast=\"none\">\u00a0to <code>int<\/code>. A cast is required to convert\u00a0<\/span><span data-contrast=\"none\">a scoped enumerator to int. Likewise, a<\/span><span data-contrast=\"none\">\u00a0cast is required to convert an <code>int<\/code>\u00a0<\/span><span data-contrast=\"none\">to<\/span><span data-contrast=\"none\">\u00a0a scoped or\u00a0<\/span><span data-contrast=\"none\">unscoped<\/span><span data-contrast=\"none\">\u00a0enumerator.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">The fact that\u00a0<\/span><span data-contrast=\"none\">an\u00a0<\/span><span data-contrast=\"none\">enum<\/span><span data-contrast=\"none\">eration<\/span><span data-contrast=\"none\">\u00a0is an integral type that usually\u00a0<\/span><span data-contrast=\"none\">consist<\/span><span data-contrast=\"none\">s<\/span><span data-contrast=\"none\">\u00a0of\u00a0<\/span><span data-contrast=\"none\">a finite set<\/span><span data-contrast=\"none\">\u00a0of named constant values (enumerators)<\/span><span data-contrast=\"none\">\u00a0which\u00a0<\/span><span data-contrast=\"none\">can be\u00a0<\/span><span data-contrast=\"none\">converted implicitly or explicitly to <code>int<\/code> makes it very common to use enumerators as index values<\/span><span data-contrast=\"none\">. 
For example:<\/span><\/p>\n<pre class=\"prettyprint\">const auto&amp; colorInfo = ColorTable[color];<\/pre>\n<p><span data-contrast=\"none\">You will find lots of discussions online on using enum values as array indices. It really makes sense in many situations.<\/span><\/p>\n<p><span data-contrast=\"none\">Frequently, when developers use enumerators of an enum type as indices for an array, they know that the enumerators of the enum type have values starting from zero to a known maximum value, with an increment of one and with no gap between any pair of consecutive enumerators. Thus, most developers think that checking the received enumerator value against the known maximum value ensures its validity.<\/span><\/p>\n<p><span data-contrast=\"none\">However, using enumerators as array indices is not very safe. Unfortunately, it seems that there are not many discussions on why it can be 
dangerous.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Let\u2019s look at an example.<\/span><span data-contrast=\"none\">\u00a0Consider the following\u00a0<\/span><span data-contrast=\"none\">enum<\/span><span data-contrast=\"none\">\u00a0and\u00a0<\/span><span data-contrast=\"none\">a\u00a0<\/span><span data-contrast=\"none\">table of function pointers<\/span><span data-contrast=\"none\">\u00a0for which we want to use the\u00a0<\/span><span data-contrast=\"none\">enum<\/span><span data-contrast=\"none\">\u00a0value as the index<\/span><span data-contrast=\"none\">:<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<pre class=\"prettyprint\">\/\/ MyHeader.h \r\n \r\n#pragma once \r\n \r\n#include &lt;iostream&gt; \r\n \r\ntypedef int (*FP)(); \r\n \r\nenum FunctionId \r\n{ \r\n    Function1, \r\n    Function2, \r\n    Function3, \r\n    FunctionCount \r\n}; \r\n \r\ntemplate &lt;int val&gt; \r\nint GetValue() { return val; }; \r\n \r\nint DoNotCallMe() \r\n{ \r\n    std::cout &lt;&lt; \"This shouldn't be called!\\n\"; \r\n    return -1; \r\n} \r\n \r\nFP fp = DoNotCallMe; \r\n \r\nFP Functions[] \r\n{ \r\n    GetValue&lt;0&gt;, \r\n    GetValue&lt;1&gt;, \r\n    GetValue&lt;2&gt; \r\n};<\/pre>\n<p><span data-contrast=\"none\">Now, in\u00a0<\/span><span data-contrast=\"none\">a\u00a0<\/span><span data-contrast=\"none\">source file, let\u2019s define a function to select a function from the table, using\u00a0<\/span><span data-contrast=\"none\">an<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">enumerator of the\u00a0<\/span><span data-contrast=\"none\">enum<\/span><span data-contrast=\"none\">\u00a0as the index<\/span><span data-contrast=\"none\">\u00a0for the function pointer 
table<\/span><span data-contrast=\"none\">:<\/span><\/p>\n<pre class=\"prettyprint\">#include \"MyHeader.h\" \r\n \r\nFP GetFunction(FunctionId funcId) \r\n{ \r\n    if (funcId &lt; FunctionId::FunctionCount) \r\n        return Functions[funcId]; \r\n    return nullptr; \r\n}<span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/pre>\n<p><span data-contrast=\"none\">Neat, isn\u2019t it?\u00a0<\/span><span data-contrast=\"none\">T<\/span><span data-contrast=\"none\">o\u00a0<\/span><span data-contrast=\"none\">protect from rogue or faulty callers,\u00a0<\/span><span data-contrast=\"none\">I check the\u00a0<\/span><span data-contrast=\"none\">enumerator\u00a0<\/span><span data-contrast=\"none\">value\u00a0<\/span><span data-contrast=\"none\">against the known maximum value for\u00a0<\/span><code><span data-contrast=\"none\">FunctionId<\/span><\/code><span data-contrast=\"none\">, so<\/span><span data-contrast=\"none\">\u00a0that it doesn\u2019t cause\u00a0<\/span><span data-contrast=\"none\">the function\u00a0<\/span><span data-contrast=\"none\">to access the table beyond its bound. 
I know the enumerators of the <\/span><code><span data-contrast=\"none\">FunctionId<\/span><\/code><span data-contrast=\"none\"> enum type will start from zero, increment by one, and end at <\/span><code><span data-contrast=\"none\">FunctionId::FunctionCount - 1<\/span><\/code><span data-contrast=\"none\">, <\/span><code><span data-contrast=\"none\">FunctionCount<\/span><\/code><span data-contrast=\"none\"> being the last enumerator in the enum.<\/span><\/p>\n<p><span data-contrast=\"none\">Let\u2019s continue to add more code that uses this function. Our customer code will have an integer value as the selector of a function, and wants us to return an integer value through the function:<\/span><\/p>\n<pre class=\"prettyprint\">int GetValue(int funcIdx) \r\n{ \r\n    const auto fp = GetFunction(static_cast&lt;FunctionId&gt;(funcIdx)); \r\n    return fp ? 
fp() : -1; \r\n}<\/pre>\n<p><span data-contrast=\"none\">As\u00a0<\/span><span data-contrast=\"none\">explained<\/span><span data-contrast=\"none\">\u00a0above, I needed\u00a0<\/span><span data-contrast=\"none\">a\u00a0<\/span><span data-contrast=\"none\">cast\u00a0<\/span><span data-contrast=\"none\">to convert the\u00a0<\/span><span data-contrast=\"none\">integer value\u00a0<\/span><span data-contrast=\"none\">for the function table index\u00a0<\/span><span data-contrast=\"none\">to the\u00a0<\/span><span data-contrast=\"none\">enum<\/span><span data-contrast=\"none\">\u00a0type<\/span><span data-contrast=\"none\">\u00a0to pass to\u00a0<\/span><code><span data-contrast=\"none\">GetFunction<\/span><\/code><span data-contrast=\"none\">. That will make sure that the\u00a0<\/span><code><span data-contrast=\"none\">int<\/span><\/code><span data-contrast=\"none\">\u00a0value is properly converted to\u00a0<\/span><span data-contrast=\"none\">an enumerator of the\u00a0<\/span><code><span data-contrast=\"none\">FunctionId<\/span><\/code><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">enum<\/span><span data-contrast=\"none\">.<\/span><span data-contrast=\"none\">\u00a0So far, so good,\u00a0<\/span><span data-contrast=\"none\">I hope.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Now, let\u2019s consider a function that\u00a0<\/span><span data-contrast=\"none\">calls<\/span><span data-contrast=\"none\">\u00a0<\/span><code><span data-contrast=\"none\">GetValue<\/span><\/code><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">to get\u00a0<\/span><span data-contrast=\"none\">a value<\/span><span data-contrast=\"none\">\u00a0through a function<\/span><span data-contrast=\"none\">:<\/span><span 
data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<pre class=\"prettyprint\">int main() \r\n{ \r\n    return GetValue(-1); \r\n}<\/pre>\n<p><span data-contrast=\"none\">Where did <code>-1<\/code> come from? For this discussion, that is not important. Let\u2019s assume it came from the user\u2019s input. Anyway, this obviously seems wrong. However, I didn\u2019t get any hint from the compiler about a potential problem with this call, even with <code>\/Wall<\/code>. In fact, nothing is \u201cwrong\u201d considering the types involved and how they are used. 
But we know this is wrong. Does <\/span><code><span data-contrast=\"none\">GetFunction<\/span><\/code><span data-contrast=\"none\"> really protect itself from this call? The short answer is: no.<\/span><\/p>\n<p><span data-contrast=\"none\">The problems are that you can cast any <code>int<\/code> value to an enum type, and that an enum\u2019s underlying type defaults to <code>int<\/code>, that is, <code>signed int<\/code>. For a signed value, if you check the upper bound but not the lower bound, you end up allowing negative values. In the above example, it ended up calling the dangerous <\/span><code><span data-contrast=\"none\">DoNotCallMe<\/span><\/code><span data-contrast=\"none\"> function, which happens to be right before the function pointer table. 
In real life, this\u00a0<\/span><span data-contrast=\"none\">kind of bug\u00a0<\/span><span data-contrast=\"none\">can\u00a0<\/span><span data-contrast=\"none\">lead to\u00a0<\/span><span data-contrast=\"none\">an exploitable<\/span><span data-contrast=\"none\">\u00a0security vulnerability.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">It is less likely someone\u00a0<\/span><span data-contrast=\"none\">checks<\/span><span data-contrast=\"none\">\u00a0for the lower\u00a0<\/span><span data-contrast=\"none\">bound<\/span><span data-contrast=\"none\">\u00a0but forgets to check the upper bound. However, that can also cause the same problem<\/span><span data-contrast=\"none\">, by allowing access beyond the array bound.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Just for fun, running the above example\u00a0<\/span><span data-contrast=\"none\">produces<\/span><span data-contrast=\"none\">\u00a0the following output<\/span><span data-contrast=\"none\">\u00a0for me<\/span><span data-contrast=\"none\">:<\/span><\/p>\n<pre class=\"prettyprint\">This shouldn't be called! 
\r\nC:\\Temp\\Sample.exe (process 9748) exited with code -1.<\/pre>\n<h2>EnumIndex\u202fRules<\/h2>\n<p><span data-contrast=\"none\">The\u202f<\/span><code><span data-contrast=\"none\">EnumIndex<\/span><span data-contrast=\"none\">\u00a0<\/span><\/code><span data-contrast=\"none\">extension\u202f<\/span><span data-contrast=\"none\">finds\u00a0<\/span><span data-contrast=\"none\">defects\u00a0<\/span><span data-contrast=\"none\">like the one shown above,\u00a0<\/span><span data-contrast=\"none\">and reports\u202f<\/span><span data-contrast=\"none\">them through\u00a0<\/span><span data-contrast=\"none\">the following warnings:<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/code-quality\/c33010\"><span data-contrast=\"none\">C330<\/span><span data-contrast=\"none\">1<\/span><span data-contrast=\"none\">0<\/span><\/a><span data-contrast=\"none\">:\u202f<\/span><span data-contrast=\"none\">Unchecked lower bound for\u00a0<\/span><span data-contrast=\"none\">enum<\/span><span data-contrast=\"none\">\u00a0&#8216;<\/span><code><span data-contrast=\"none\">enum<\/span><\/code><span data-contrast=\"none\">&#8216; used as index.<\/span><span data-contrast=\"none\">\u202f<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/code-quality\/c33011\"><span data-contrast=\"none\">C330<\/span><span data-contrast=\"none\">11<\/span><\/a><span 
data-contrast=\"none\">:\u202f<\/span><span data-contrast=\"none\">Unchecked upper bound for\u00a0<\/span><span data-contrast=\"none\">enum<\/span><span data-contrast=\"none\">\u00a0&#8216;<\/span><code><span data-contrast=\"none\">enum<\/span><\/code><span data-contrast=\"none\">&#8216; used as index.<\/span><span data-contrast=\"none\">\u202f<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<h2>Warning C33010<\/h2>\n<p><span data-contrast=\"none\">This warning is triggered\u00a0<\/span><span data-contrast=\"none\">for<\/span><span data-contrast=\"none\">\u00a0an\u00a0<\/span><span data-contrast=\"none\">enum<\/span><span data-contrast=\"none\">\u00a0that is used as an index into an array, if the upper bound is checked for its value, but not the lower bound.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Here is a simplified example:\u202f<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<pre class=\"prettyprint\">typedef void (*PFN)(); \r\n \r\nenum class Index \r\n{ \r\n    Zero, \r\n    One, \r\n    Two, \r\n    Three, \r\n    Max \r\n}; \r\n \r\nvoid foo(Index idx, PFN(&amp;functions)[5]) \r\n{ \r\n    if (idx &gt; Index::Max) \r\n        return; \r\n \r\n    auto pfn = functions[static_cast&lt;int&gt;(idx)];    \/\/ C33010 \r\n    if (pfn != nullptr) \r\n        (*pfn)(); \r\n    \/\/ ...... 
\r\n}<\/pre>\n<p><span data-contrast=\"none\">\nThese warnings are corrected by checking the index value for lower\u00a0<\/span><span data-contrast=\"none\">bound<\/span><span data-contrast=\"none\">\u00a0as well:<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<pre class=\"prettyprint\">typedef void (*PFN)(); \r\n \r\nenum class Index \r\n{ \r\n    Zero, \r\n    One, \r\n    Two, \r\n    Three, \r\n    Max \r\n}; \r\n \r\nvoid foo(Index idx, PFN(&amp;functions)[5]) \r\n{ \r\n    if (idx &lt; Index::Zero || idx &gt; Index::Max) \r\n        return; \r\n \r\n    auto pfn = functions[static_cast&lt;int&gt;(idx)];    \/\/ OK \r\n    if (pfn != nullptr) \r\n        (*pfn)(); \r\n    \/\/ ...... \r\n}<\/pre>\n<h2>Warning C33011<span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"none\">This warning is triggered\u00a0<\/span><span data-contrast=\"none\">for<\/span><span data-contrast=\"none\">\u00a0an\u00a0<\/span><span data-contrast=\"none\">enum<\/span><span data-contrast=\"none\">\u00a0that is used as an index into an array, if the lower bound is checked for its value, but not the upper bound.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Here is a simplified example:\u202f<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<pre class=\"prettyprint\">typedef void (*PFN)(); \r\n \r\nenum class Index \r\n{ \r\n    Zero, \r\n    One, \r\n    Two, \r\n    Three, \r\n    Max \r\n}; \r\n \r\nvoid foo(Index idx, PFN(&amp;functions)[5]) \r\n{ \r\n    if (idx &lt; Index::Zero) \r\n        return; \r\n 
\r\n    auto pfn = functions[static_cast&lt;int&gt;(idx)];    \/\/ C33011 \r\n    if (pfn != nullptr) \r\n        (*pfn)(); \r\n    \/\/ ...... \r\n}<\/pre>\n<p><span data-contrast=\"none\">This warning is corrected by checking the index value against the upper bound as well:<\/span><\/p>\n<pre class=\"prettyprint\">typedef void (*PFN)(); \r\n \r\nenum class Index \r\n{ \r\n    Zero, \r\n    One, \r\n    Two, \r\n    Three, \r\n    Max \r\n}; \r\n \r\nvoid foo(Index idx, PFN(&amp;functions)[5]) \r\n{ \r\n    if (idx &lt; Index::Zero || idx &gt; Index::Max) \r\n        return; \r\n \r\n    auto pfn = functions[static_cast&lt;int&gt;(idx)];    \/\/ OK \r\n    if (pfn != nullptr) \r\n        (*pfn)(); \r\n    \/\/ ...... \r\n}<\/pre>\n<h2>Enabling EnumIndex rules in Visual Studio<\/h2>\n<p><span data-contrast=\"none\">You can enable <\/span><code><span data-contrast=\"none\">EnumIndex<\/span><\/code><span data-contrast=\"none\"> rules in Visual Studio by selecting a different ruleset for your project, as follows:<\/span><\/p>\n<table data-tablestyle=\"MsoNormalTable\" data-tablelook=\"1184\">\n<tbody>\n<tr>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">Rule ID<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">Extension\u202f<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">Native Minimum Rules\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">Native Recommended Rules\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">All Rules\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">C330<\/span><span data-contrast=\"auto\">10<\/span><span data-contrast=\"auto\">\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">EnumIndex<\/span><span data-contrast=\"auto\">\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">X\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">X\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">X\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">C330<\/span><span data-contrast=\"auto\">11<\/span><span data-contrast=\"auto\">\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">EnumIndex<\/span><span 
data-contrast=\"auto\">\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">\u202f\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">X\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">X\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span data-contrast=\"none\">\u202f<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<h2>Using\u00a0Boolean\u00a0as HRESULT<span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"none\">While it may not be intentional,\u00a0<\/span><span data-contrast=\"none\">we have seen<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">code where\u00a0<\/span><span data-contrast=\"none\"><code>Boolean<\/code> value<\/span><span data-contrast=\"none\">s<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">were\u00a0<\/span><span data-contrast=\"none\">used as <code>HRESULT<\/code> value<\/span><span data-contrast=\"none\">s<\/span><span data-contrast=\"none\">, and vice versa<\/span><span data-contrast=\"none\">. C\/C++ allow implicit conversions between <\/span><span data-contrast=\"none\">them<\/span><span data-contrast=\"none\">, and compilers wouldn\u2019t warn about these implicit conversions. 
However, a <code>Boolean<\/code> value and an <code>HRESULT<\/code> have different semantics, and may not be used interchangeably.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">That is why there is already a rule against this misuse.<\/span><span data-contrast=\"none\">\u00a0Consider the following example:<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<pre class=\"prettyprint\">#include &lt;windows.h&gt; \r\nBOOL IsEqual(REFGUID, REFGUID); \r\n \r\nHRESULT foo(REFGUID riid1, REFGUID riid2) \r\n{ \r\n    return IsEqual(riid1, riid2); \r\n}<\/pre>\n<p><span data-contrast=\"none\">The intention of\u00a0<\/span><code><span data-contrast=\"none\">foo(<\/span><\/code><span data-contrast=\"none\"><code>)<\/code> is to\u00a0<\/span><span data-contrast=\"none\">compare the two values and\u00a0<\/span><span data-contrast=\"none\">return <code>S_OK<\/code> when\u00a0<\/span><span data-contrast=\"none\">they<\/span><span data-contrast=\"none\">\u00a0are equal. However, it will return <code>S_FALSE<\/code> if the values are equal, and <code>S_OK<\/code> if the values are different.<\/span><span data-contrast=\"none\">\u00a0This is quite the opposite to\u00a0<\/span><span data-contrast=\"none\">the intended<\/span><span data-contrast=\"none\">\u00a0behavior. However, this code will likely compile just fine without getting a warning about this potential defect. 
Fortunately, C++ Code Analysis can detect this and will report a\u00a0<\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/code-quality\/c6216\"><span data-contrast=\"none\">C6216<\/span><\/a><span data-contrast=\"none\">\u00a0warning, which\u00a0<\/span><span data-contrast=\"none\">is a general warning about\u00a0<\/span><span data-contrast=\"none\">implicit<\/span><span data-contrast=\"none\">\u00a0cast of <code>Boolean<\/code> value to <code>HRESULT<\/code>.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Among\u00a0<\/span><span data-contrast=\"none\">various\u00a0<\/span><span data-contrast=\"none\">potential misuse<\/span><span data-contrast=\"none\">s<\/span><span data-contrast=\"none\">\u00a0of <code>Boolean<\/code>\u00a0<\/span><span data-contrast=\"none\">and <code>HRESULT<\/code> values, we\u00a0<\/span><span data-contrast=\"none\">learned that <\/span><span data-contrast=\"none\">one specific scenario\u00a0<\/span><span data-contrast=\"none\">occurs more often than\u00a0<\/span><span data-contrast=\"none\">others, and<\/span><span data-contrast=\"none\">\u00a0leads to more obvious bugs. 
We have created an additional extension to cover this very scenario \u2013\u00a0<\/span><code><span data-contrast=\"none\">H<\/span><span data-contrast=\"none\">R<\/span><span data-contrast=\"none\">esultCheck<\/span><\/code><span data-contrast=\"none\">.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<h2>HResult\u202fRules<\/h2>\n<p><span data-contrast=\"none\">The\u202f<\/span><code><span data-contrast=\"none\">HResultCheck<\/span><\/code><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">extension\u202f<\/span><span data-contrast=\"none\">finds\u00a0<\/span><span data-contrast=\"none\">places where a C-style <code>BOOL FALSE<\/code> is returned from a function as an <code>HRESULT<\/code> value, so that the function returns <code>S_OK<\/code> when the intention was presumably to return a failure result<\/span><span data-contrast=\"none\">:<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/code-quality\/c33020\"><span data-contrast=\"none\">C330<\/span><span data-contrast=\"none\">2<\/span><span data-contrast=\"none\">0<\/span><\/a><span data-contrast=\"none\">:\u202f<\/span><span data-contrast=\"none\">Likely incorrect <code>HRESULT<\/code> usage detected.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><a 
href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/code-quality\/c33011\"><span data-contrast=\"none\">C330<\/span><span data-contrast=\"none\">22<\/span><\/a><span data-contrast=\"none\">:\u202f<\/span><span data-contrast=\"none\">Potentially incorrect <code>HRESULT<\/code> usage detected (low confidence)<\/span><span data-contrast=\"none\">.<\/span><span data-contrast=\"none\">\u202f<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<h2>Warning C33020<span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"none\">This is\u00a0<\/span><span data-contrast=\"none\">a\u00a0<\/span><span data-contrast=\"none\">high-confidence warning indicating that an\u00a0<\/span><code><span data-contrast=\"none\">HRESULT<\/span><\/code><span data-contrast=\"none\">-returning function returns\u00a0<\/span><code><span data-contrast=\"none\">FALSE<\/span><\/code><span data-contrast=\"none\">.<\/span><span data-contrast=\"none\">\u00a0In many cases, developers treat <code>FALSE<\/code> as a failure value, and return it from a function with the intention of indicating\u00a0<\/span><span data-contrast=\"none\">f<\/span><span data-contrast=\"none\">ailure<\/span><span data-contrast=\"none\">. 
However, the value of <code>FALSE<\/code> is <code>0<\/code><\/span><span data-contrast=\"none\">.<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">W<\/span><span data-contrast=\"none\">hen interpreted as an <code>HRESULT<\/code> value,\u00a0<\/span><span data-contrast=\"none\">this value becomes <code>S_OK<\/code>, representing success<\/span><span data-contrast=\"none\">.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Here is a<\/span><span data-contrast=\"none\">\u00a0simplified<\/span><span data-contrast=\"none\">\u00a0example:<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<pre class=\"prettyprint\">#include &lt;Windows.h&gt; \r\n \r\nHRESULT foo() \r\n{ \r\n    \/\/ ...... \r\n    return FALSE; \/\/ C33020 \r\n}<\/pre>\n<p><span data-contrast=\"none\">This can be fixed by\u00a0<\/span><span data-contrast=\"none\">returning<\/span><span data-contrast=\"none\">\u00a0a proper <code>HRESULT<\/code> value:<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<pre class=\"prettyprint\">#include &lt;Windows.h&gt; \r\n \r\nHRESULT foo() \r\n{ \r\n    \/\/ ...... 
\r\n    return E_FAIL; \/\/ OK \r\n}<\/pre>\n<h2>Warning C33022<\/h2>\n<p><span data-contrast=\"none\">This is a\u00a0<\/span><span data-contrast=\"none\">low<\/span><span data-contrast=\"none\">-confidence warning for a function that returns <code>HRESULT<\/code>, issued if there is a <code>FALSE<\/code> somewhere along the line that the function eventually returns.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Here is a<\/span><span data-contrast=\"none\">\u00a0simplified<\/span><span data-contrast=\"none\">\u00a0example:<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<pre class=\"prettyprint\">#include &lt;Windows.h&gt; \r\n \r\n#define RETURN_FAILURE(x) do { *res = x; return FALSE; } while(false) \r\n \r\nHRESULT test04(BOOL* res) \r\n{ \r\n    \/\/ ... \r\n    RETURN_FAILURE(FALSE); \r\n    \/\/ ... \r\n    return S_OK; \r\n}<\/pre>\n<p><span data-contrast=\"none\">This can be fixed\u00a0<\/span><span data-contrast=\"none\">by using\u00a0<\/span><span data-contrast=\"none\">a proper<\/span><span data-contrast=\"none\">\u00a0<code>HRESULT<\/code> value:<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<pre class=\"prettyprint\">#include &lt;Windows.h&gt; \r\n \r\n#define RETURN_FAILURE(x) do { *res = x; return E_FAIL; } while(false) \r\n \r\nHRESULT test04(BOOL* res) \r\n{ \r\n    \/\/ ... \r\n    RETURN_FAILURE(FALSE); \r\n    \/\/ ... 
\r\n    return S_OK; \r\n}<\/pre>\n<h2>Enabling\u00a0HResult\u00a0rules in Visual Studio<\/h2>\n<p><span data-contrast=\"none\">You can enable\u00a0<\/span><code><span data-contrast=\"none\">HResult<\/span><\/code><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">rules in Visual Studio as follows by selecting different\u00a0<\/span><span data-contrast=\"none\">ruleset<\/span><span data-contrast=\"none\">\u00a0for your project:\u202f<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<table data-tablestyle=\"MsoNormalTable\" data-tablelook=\"1184\">\n<tbody>\n<tr>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">Rule ID\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">Extension\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">Native Minimum Rules\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">Native Recommended Rules\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">All Rules\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">C330<\/span><span data-contrast=\"auto\">2<\/span><span data-contrast=\"auto\">0<\/span><span data-contrast=\"auto\">\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span 
data-contrast=\"auto\">HResultCheck<\/span><span data-contrast=\"auto\">\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">X\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">X\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">X\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">C330<\/span><span data-contrast=\"auto\">22<\/span><span data-contrast=\"auto\">\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">HResultCheck<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">\u202f\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">X\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<h2>Give us your\u202ffeedback<\/h2>\n<p><span data-contrast=\"none\">Check out these newly added rules and let us know\u00a0<\/span><span data-contrast=\"none\">how<\/span><span 
data-contrast=\"none\">\u00a0they help you write safer C++. Stay tuned as we add more safety rules in future releases of Visual Studio.\u202f<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Download\u202f<\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/visualstudio\/releases\/2019\/release-notes-preview\"><span data-contrast=\"none\">Visual Studio 2019 version 16.8 Preview 3<\/span><\/a><span data-contrast=\"none\">\u202f<\/span><span data-contrast=\"none\">today<\/span><span data-contrast=\"none\">\u202fand give it a try. We would love to hear from you to help us prioritize and build the right features for you. We can be reached via the comments below,\u202f<\/span><a href=\"https:\/\/developercommunity.visualstudio.com\/spaces\/8\/index.html\"><span data-contrast=\"none\">Developer Community<\/span><\/a><span data-contrast=\"none\">,\u202fand<\/span><span data-contrast=\"none\">\u202fTwitter (<\/span><a href=\"https:\/\/twitter.com\/visualc\"><span data-contrast=\"none\">@VisualC<\/span><\/a><span data-contrast=\"none\">). 
The best way to file a bug or suggest a feature is via Developer Community.<\/span><span data-ccp-props=\"{&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In\u202fVisual Studio version 16.8\u202fPreview 3,\u202f\u202fwe\u202fhave added\u202fa\u202ffew\u202fsafety rules to C++ Code Analysis\u202fthat can\u202ffind\u202fsome common mistakes, which can lead to\u202fbugs ranging\u202ffrom simple broken features to\u202fcostly security vulnerabilities.\u202fThese new rules are developed around issues discovered in\u202fproduction\u202fsoftware via\u202fsecurity reviews and incidents\u202frequiring\u202fcostly\u202fservicing.\u202fEvery shipping piece of software in Microsoft runs these rules as part of security and compliance requirements.\u00a0 The first [&hellip;]<\/p>\n","protected":false},"author":39446,"featured_media":35994,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1,239,277],"tags":[119,163],"class_list":["post-26998","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cplusplus","category-diagnostics","category-writing-code","tag-code-analysis","tag-static-analysis"],"acf":[],"blog_post_summary":"<p>In\u202fVisual Studio version 16.8\u202fPreview 3,\u202f\u202fwe\u202fhave added\u202fa\u202ffew\u202fsafety rules to C++ Code Analysis\u202fthat can\u202ffind\u202fsome common mistakes, which can lead to\u202fbugs ranging\u202ffrom simple broken features to\u202fcostly security vulnerabilities.\u202fThese new rules are developed around issues discovered in\u202fproduction\u202fsoftware via\u202fsecurity reviews and incidents\u202frequiring\u202fcostly\u202fservicing.\u202fEvery shipping piece of software in Microsoft runs these rules as part of security and compliance requirements.\u00a0 
The first [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/posts\/26998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/users\/39446"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/comments?post=26998"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/posts\/26998\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/media\/35994"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/media?parent=26998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/categories?post=26998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/tags?post=26998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}