Have you reported the bugs to the project developers? Have you sent them a patch?
When checking open-source projects, we almost always report the results to their authors. If we publish such a report as an article, we try to send the link to it to the developers. If there are too few bugs in a project to write an article about, we still report whatever results we've got to the authors. Or rather, we try to - sometimes developers don't (strange as it may sound) have any contacts, or their bug trackers don't accept messages, or you need to enter a captcha which no one can solve.
That's why we never send patches. There are a few reasons for that:
1. We are not familiar with the code and therefore cannot be sure if all the bugs we catch are really bugs. To understand that, we would need to study the project very closely.
2. Even with obvious bugs, we often can't say for sure how to fix them.
3. Finally, we pursue but one goal with our articles - to demonstrate the capabilities of the analyzer we develop. That is, we want to prove that our tool can find bugs in a real-life, living code. We don't aim at fixing bugs - we aim at proving that our tool can find them.
I think even MSVC2008 should accept free(NULL) without crashing.
My guess is that this was a case of tweaking the source code until the buggy compiler accepted it (it's within a "#ifdef _MSC_VER" block, so it's a MSVC-only workaround). He probably originally wrote the function containing something like std::abort(), but the compiler rejected it. So he changed it to a dummy (do-nothing) call to free(), and missed updating the comment he had written in the previous attempt.
Per the spec, free(NULL) is fine and well defined, essentially a no-op. Not sure what they're thinking. abort would have been an option.... And hell, were they trying to invoke UB and assuming that would cause a crash? Wrong on multiple levels.
Is ::GetType() marked as pure in the LibreOffice source code, does PVS-Studio check the source code of its implementation(s), does PVS-Studio have heuristics for function names that likely are pure, or does it just assume any function is pure?
Call free(NULL); does not lead to any trouble. However, if you say that regularly use such statmen in your code, I'll be surprised. Analyzer surprised too. PVS suspects that it is not okay, and maybe we're dealing with some kind of typo or something else.
These are especially interesting to me for the rules--it is not crazy hard to add things to Go's `go vet` tool (or write other checks outside vet with `go/ast`, etc.), and I wonder if "assigned variable twice consecutively" or "foo() == foo() looks suspicious" are good candidates.
It's perfectly valid for the function getColor() to return different value for each invocation, e.g., think std::rand().
However, the function as you wrote, when used in the expression (getColor() == getColor()), results in undefined behavior. This is because equality operator (==) is not a sequence point in C++, and thus by calling getColor() twice, you are modifying variables a & b more than once between a pair of sequence points (see "Undefined behavior" section here: http://en.cppreference.com/w/cpp/language/eval_order).
In general, you cannot be sure of the order of evaluation for a statement of form say, f() == g(). The relative order in which f & g are called is unspecified. Also, the behavior can easily become undefined if you violate certain conditions in f & g (as in the case above).
>the function as you wrote, when used in the expression (getColor() == getColor()), results in undefined behavior
In C++14 (and I believe C++11), this is not correct. Specifically, §1.9/15 says, "Every evaluation in the calling function (including other function calls) that is not otherwise specifically sequenced before or after the execution of the body of the called function is indeterminately sequenced with respect to the execution of the called function;" this sentence is marked with a note that reads, "In other words, function executions do not interleave with each other."
Item 4 under the "Sequence point rules" section on the page you linked says basically the same thing. I haven't looked at the C++98 standard, but I imagine it allows this, too.
The two calls to "getColor" are indeterminately sequenced. As a result, the behaviour of evaluating "(getColor() == getColor())" is merely unspecified, not undefined. In fact, the behaviour is guaranteed to be equivalent to one of the possible orderings (§1.9/13: "Evaluations A and B are indeterminately sequenced when either A is sequenced before B or B is sequenced before A, but it is unspecified which").
The order of whether left hand or right hand is evaluated first is not specified, but calling a function will be sequenced, so there's no undefined behavior like you describe here.
It could definitely be a false positive. That said, that would be pretty strange behavior for a function called getColor(). I'd expect that to return a property value, not modify some state.
Perhaps there is some semantic analysis involved (I don't know what tool they're using), but I have to imagine that getColor() is defined along the lines:
T getColor() const;
Otherwise that warning would often be at risk of emitting FP's, to the point at which it would become far less useful. Of course, even then...
