{"id":35138,"date":"2025-02-19T15:14:30","date_gmt":"2025-02-19T15:14:30","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/cppblog\/?p=35138"},"modified":"2025-02-19T15:14:30","modified_gmt":"2025-02-19T15:14:30","slug":"msvc-c-code-analysis-updates-in-visual-studio-2022-version-17-13","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/cppblog\/msvc-c-code-analysis-updates-in-visual-studio-2022-version-17-13\/","title":{"rendered":"MSVC C++ Code Analysis: Updates in Visual Studio 2022 version 17.13"},"content":{"rendered":"<p>The C++ team is excited to announce the latest improvements to Code Analysis in Visual\nStudio. Continuing our commitment to make C++ development safer and more reliable, this\nupdate focuses on reducing false positives and enhancing the analysis engine&#8217;s\nprecision. These improvements are driven by internal teams&#8217; and your valuable feedback\nthrough <a href=\"https:\/\/developercommunity.visualstudio.com\/\">Visual Studio Developer Community<\/a><\/p>\n<h2>Key Improvements<\/h2>\n<p>Following recommendations from\n<a href=\"https:\/\/www.microsoft.com\/security\/blog\/author\/microsoft-offensive-research-security-engineering-team\/\">MORSE<\/a>,\nwe focused on enhancing selected security warnings that detect high-impact\nvulnerabilities. Our goal was to keep the false positive rate below 10% when running\nthese checks against large codebases, ensuring broad adoption across Microsoft teams.\nThis first wave of improvements targets three crucial warnings:\n<a href=\"https:\/\/learn.microsoft.com\/cpp\/code-quality\/c26100\">C26100<\/a>,\n<a href=\"https:\/\/learn.microsoft.com\/cpp\/code-quality\/c26831\">C26831<\/a>, and\n<a href=\"https:\/\/learn.microsoft.com\/cpp\/code-quality\/c33001\">C33001<\/a>.<\/p>\n<h3>Concurrency and Locking<\/h3>\n<p>C26100, one of our critical security warnings, detects potential race conditions that\ncould lead to memory corruption or deadlocks. Through improved analysis of\nsynchronization patterns, we have enhanced this warning to more accurately identify\nhigh-risk concurrency issues. Here is a summary of the key improvements in this area:<\/p>\n<ul>\n<li>New diagnostics\n(<a href=\"https:\/\/learn.microsoft.com\/cpp\/code-quality\/c26132\">C26132<\/a> + <a href=\"https:\/\/learn.microsoft.com\/cpp\/code-quality\/c26133\">C26133<\/a>)\nfor detecting lock hierarchy mismatches in custom locking functions<\/li>\n<li>Better analysis of lock acquisition patterns<\/li>\n<li>Improved status tracking for concurrency checking<\/li>\n<\/ul>\n<h3>Enhanced Overflow Detection for Allocations<\/h3>\n<p>C26831, another critical security warning, detects potential numerical overflows in\nvalues used for memory allocation that could lead to buffer overruns and other memory\ncorruption vulnerabilities. Through improved analysis of allocation patterns and sign\nconversions, we have enhanced this warning to more accurately identify high-risk\noverflow scenarios. Here is a summary of the key improvements in this area:<\/p>\n<ul>\n<li>New diagnostics\n(<a href=\"https:\/\/learn.microsoft.com\/cpp\/code-quality\/c26838\">C26838<\/a> + <a href=\"https:\/\/learn.microsoft.com\/cpp\/code-quality\/c26839\">C26839<\/a>)\nfor detecting potential allocation overflow issues due\nto signed-to-unsigned conversions<\/li>\n<li>Added heuristics for validating postcondition overflow checks in allocation routines<\/li>\n<\/ul>\n<h3><code>VariantClear<\/code> and <code>VARIANT<\/code> Initialization<\/h3>\n<p>C33001, our third critical security warning, detects uninitialized <code>VARIANT<\/code> objects that\ncould lead to memory corruption when passed to cleanup functions. Through improved\ntracking of <code>VARIANT<\/code> initialization states, we have enhanced this warning to accurately\nidentify high-risk COM interface usage while maintaining a low false positive rate in\nproduction Windows code.<\/p>\n<h2>Community Feedback<\/h2>\n<p>Your feedback drives our prioritization and helps us deliver a better product. We\nactively monitor the Developer Community and use upvotes to understand which issues\nimpact the most users. Even if you encounter an issue that is already reported,\nplease upvote it &#8211; this helps us better prioritize our fixes.<\/p>\n<p>Here are some key issues we have addressed based on community feedback:<\/p>\n<ul>\n<li><a href=\"https:\/\/developercommunity.visualstudio.com\/t\/Warning-C26435-contradicts-to-Compiler-E\/10355159\">Warning C26435 contradicts to Compiler Error C3609<\/a><\/li>\n<li><a href=\"https:\/\/developercommunity.visualstudio.com\/t\/False-positive-lifetime-code-analysis-wa\/10732352\">False positive lifetime code analysis warning C26848: Do not dereference a null pointer (lifetime.1)<\/a><\/li>\n<li><a href=\"https:\/\/developercommunity.visualstudio.com\/t\/warning:-C26822-false-positive-improperl\/10796852\">warning: C26822 false positive improperly emitted for <code>return NULL;<\/code><\/a><\/li>\n<li><a href=\"https:\/\/developercommunity.visualstudio.com\/t\/_Must_inspect_result_-incorrectly-issues\/10743387\">_Must_inspect_result_ incorrectly issues C28193 when nested struct\/union field <em>is<\/em> inspected<\/a><\/li>\n<li><a href=\"https:\/\/developercommunity.visualstudio.com\/t\/_Return_type_success_expr-incorrectly-\/10743376\">_Return_type_success_(expr) incorrectly produces C6101 expression references anonymous struct \/ union fields<\/a><\/li>\n<li><a href=\"https:\/\/developercommunity.visualstudio.com\/t\/Code-analysis-warning-C6011-for-valid-ca\/10732505\">Code analysis warning C6011 for valid call to CWnd::GetSafeHwnd()<\/a><\/li>\n<\/ul>\n<p>We encourage you to continue reporting and upvoting issues you encounter. Whether it is\na false positive, unclear diagnostic message, or feature request, your input is\nessential in shaping the future of C++ Code Analysis.<\/p>\n<h2>Looking Forward<\/h2>\n<p>Security remains a top priority as we work closely with MORSE and internal teams to\nenhance critical security warnings for high-impact vulnerabilities. We remain committed\nto lowering false positive rates across all our checkers.<\/p>\n<p>Your feedback through the Developer Community continues to be essential in shaping our\nroadmap. As we expand our coverage of modern C++ security best practices, we will keep\nfocusing on addressing community-reported issues to ensure our warnings remain precise\nand actionable.<\/p>\n<h2>Try It Out<\/h2>\n<p>These improvements are now available in Visual Studio 2022 version 17.13. To get\nstarted, check out the\n<a href=\"https:\/\/learn.microsoft.com\/cpp\/code-quality\/quick-start-code-analysis-for-c-cpp\">Code Analysis documentation<\/a>.\nOur work is heavily influenced by your feedback; please continue to engage with us\nthrough the <a href=\"https:\/\/developercommunity.visualstudio.com\/cpp\">Developer Community<\/a> and\nin the comments section below.<\/p>\n<p>Stay tuned for more C++ static analysis improvements. Your feedback helps us make C++\ndevelopment safer and more productive for everyone.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post details the latest updates in Visual Studio 2022 version 17.13 for MSVC C++ Code Analysis. Driven by internal team insights and developer community feedback, these improvements significantly reduce false positives and strengthen production code security.<\/p>\n","protected":false},"author":169849,"featured_media":35994,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[270,1],"tags":[],"class_list":["post-35138","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcement","category-cplusplus"],"acf":[],"blog_post_summary":"<p>This post details the latest updates in Visual Studio 2022 version 17.13 for MSVC C++ Code Analysis. Driven by internal team insights and developer community feedback, these improvements significantly reduce false positives and strengthen production code security.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/posts\/35138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/users\/169849"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/comments?post=35138"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/posts\/35138\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/media\/35994"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/media?parent=35138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/categories?post=35138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cppblog\/wp-json\/wp\/v2\/tags?post=35138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}