Monday, June 5, 2017

Static Code Analyzer: PVS-Studio


Static Code Analyzer

PVS-Studio performs static code analysis and generates a report that helps a programmer find and fix bugs. It performs a wide range of code checks and is also useful for finding misprints and Copy-Paste errors. Examples of such errors: V501, V517, V522, V523, V3001.
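To make the Copy-Paste defect class concrete, the added example below (constructed for this page, not code from PVS-Studio or its documentation) shows the patterns that V517 and V523 describe, each next to a corrected version. The function names, the port ranges and the `auth` enum are assumptions made for illustration.

```c
#include <string.h>

/* Constructed sample (not from PVS-Studio or its documentation): two
   copy-paste defects of the kind V517 and V523 report, each with its fix. */

enum auth { AUTH_NONE, AUTH_PASSWORD, AUTH_MFA };

/* V517 pattern: 'if (A) ... else if (A)'. The second condition was pasted
   and never edited, so the "registered" branch is unreachable. */
const char *port_class_buggy(unsigned port)
{
    if (port < 1024)
        return "privileged";
    else if (port < 1024)
        return "registered";
    return "dynamic";
}

const char *port_class_fixed(unsigned port)
{
    if (port < 1024)
        return "privileged";
    else if (port < 49152)
        return "registered";
    return "dynamic";
}

/* V523 pattern: the 'then' branch is equivalent to the 'else' branch, so
   the admin path silently gets the same requirement as everything else. */
enum auth required_auth_buggy(int is_admin_path)
{
    if (is_admin_path)
        return AUTH_PASSWORD;
    else
        return AUTH_PASSWORD;
}

enum auth required_auth_fixed(int is_admin_path)
{
    if (is_admin_path)
        return AUTH_MFA;
    else
        return AUTH_PASSWORD;
}

int main(void)
{
    /* Port 8080 is an input where the two versions disagree: exit 0 if so. */
    return strcmp(port_class_buggy(8080), port_class_fixed(8080)) == 0;
}
```

Both buggy functions compile and run without crashing, which is why this kind of defect tends to survive testing and review until a check looks at the structure of the code itself.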

The main value of static analysis is in its regular use, so that errors are identified and fixed at the earliest stages. There is no point in wasting 50 hours looking for a bug that could be found with static analysis. So, let’s point out that again – the main idea of static analysis is not to find one hidden bug on the day before the release, but to fix dozens of bugs day by day.



The analyzer can be run at night on the server and warn about suspicious code fragments. Ideally, these errors are detected and fixed before they get into the repository. PVS-Studio can be launched automatically, immediately after the compiler, for the files that have just been modified. It works on Windows and Linux.



Quick start in Windows and Linux

PVS-Studio integrates into the Visual Studio 2010-2017 development environment. If you use this IDE, then most likely you will just have to go to the PVS-Studio plugin menu and choose “Check Current Project”.

Often the process is more complicated, and you will need to integrate PVS-Studio into a build system, even an exotic one. The topic of integration is too broad to describe here. You can find all the information in the detailed documentation.

One more point to notice: PVS-Studio for Windows and Linux has special utilities that gather information about compiler launches. These tools allow a quick analysis of a project regardless of how it is compiled. You can quickly try out the analyzer's abilities without spending time on integrating it with a makefile or a build script. See the description of the utilities Standalone (Windows) and pvs-studio-analyzer (Linux).



The technology of analysis

Pattern-based analysis on the basis of an abstract syntax tree is used to look for fragments in the source code that are similar to known code patterns containing an error.
Type inference based on the semantic model of the program allows the analyzer to have full information about all variables and statements in the code.
Symbolic execution allows evaluating the values of variables that can lead to errors and performing range checking of values.
Data-flow analysis is used to evaluate limitations that are imposed on the values of variables when processing various language constructs. For example, values that a variable can take inside if/else blocks.
Method annotations provide more information about the used methods than can be obtained by analyzing only their signatures.


Main features of PVS-Studio

Simple and seamless integration with Visual Studio 2010-2017
Automatic analysis of individual files after their recompilation
Online reference guide concerning all the diagnostics available in the program, on the web site and documentation (presented as a .pdf file). Up to 400 pages of documentation.
Saving and loading analysis results allow doing overnight checks – during the night the analyzer does the scanning and provides you with the results in the morning.
Project analysis run from the command line: helps integrate PVS-Studio into overnight builds; a new log will be issued in the morning.
Great scalability: support of multi-core and multi-processor systems with the possibility to specify the number of the cores to use; IncrediBuild support.
Interactive filtering of the analysis results (the log file) in the PVS-Studio window: by the diagnostic number, file name, the keyword in the text of the diagnostic.
Automatic check of PVS-Studio updates (during the work in IDE and overnight builds).
BlameNotifier utility. The tool allows you to send e-mail notifications to the developers about bugs that PVS-Studio found during a night run.
A large number of options for integration into projects developed under Linux.
Mark as False Alarm – ability to mark the code to suppress a certain diagnostic in a particular code fragment.
Mass Suppression – ability to suppress all old messages raised for the legacy code, so that the analyzer reports 0 warnings. You can always go back to the suppressed messages later. This feature allows you to seamlessly integrate PVS-Studio into your development process and focus on errors found in new code only.
Error statistics can be viewed in Excel. Ability to view the speed of error correction, the number of bugs found for a certain period of time and so on.
Relative paths in report files to view them on different machines.
CLMonitoring feature allows analyzing the projects that have no Visual Studio files (.sln/.vcxproj); in case the CLMonitoring functionality is not enough, there is a possibility to integrate PVS-Studio in a Makefile-based build system manually.
pvs-studio-analyzer – a utility similar to CLMonitoring, but working under Linux.
Possibility to exclude files from the analysis by name, folder or mask; to run the analysis on the files modified during the last N days.
Integration with SonarQube. It is an open source platform, designed for continuous analysis and measurement of code quality.


Supported languages and compilers

Windows. Visual Studio 2017: C, C++, C++/CLI, C++/CX (WinRT), C#
Windows. Visual Studio 2015: C, C++, C++/CLI, C++/CX (WinRT), C#
Windows. Visual Studio 2013: C, C++, C++/CLI, C++/CX (WinRT), C#
Windows. Visual Studio 2012: C, C++, C++/CLI, C++/CX (WinRT), C#
Windows. Visual Studio 2010: C, C++, C++/CLI, C#
Windows. MinGW: C, C++
Windows/Linux. Clang: C, C++
Linux. GCC: C, C++
