PVS-Studio is a static code analyzer for C, C++, C#, and Java that detects bugs and vulnerabilities. It supports various compilers and IDE plugins. It uses data flow analysis, symbolic execution, pattern matching, and other techniques to detect bugs like buffer overflows, leaks, dead code, and undefined behavior. Over 700 diagnostics are implemented to date across the supported languages. The analyzer produces warnings classified by standard taxonomies. Users can exclude files, suppress warnings, and integrate it with continuous integration systems. Support and documentation is provided through online and PDF references.
2. Speaker
Lead C++/C# developer in PVS-
Studio team
Have been working in the
company since 2016
Popularizing modern C++
3. Static code analyzers for C, C++, C++/CLI, C++/CX,
C#, and Java on Windows, Linux and macOS;
Supported compilers (C/C++): MSVC, GCC, Clang,
MingW, ARM GCC, ARM Clang, Keil ARM
Compiler 5/6, IAR C/C++ Compiler for ARM, TI
ARM CGT;
Plugins for Visual Studio 2010-2019, Rider, IntelliJ
IDEA;
PVS-Studio infrastructure
4. Compilation monitoring utility for performing
analysis independently of the IDE or build system
(C/C++ only);
Suppress files: ability to view warnings only on
newly written code;
Incremental analysis: automatic analysis of changed
files
PVS-Studio infrastructure
5. Integration with TeamCity, Azure DevOps, Travis CI,
CircleCI, GitLab CI/CD, Jenkins, SonarQube, etc.
PlogConverter utility to convert raw log to desirable
format
BlameNotifier utility to distribute warnings by mail
PVS-Studio infrastructure
6. C, C++ diagnostics : 510
C# diagnostics : 153
Java diagnostics : 82
By July 2020 we’ve implemented in PVS-Studio:
7. Copy-paste errors
Array index out of bounds
Buffer overrun
Memory/resource leaks
Invalid operator precedence
Dereferencing of nullable types
Dead/unreachable code
Use of uninitialized variables
Undefined/unspecified behavior
….
What can be detected?
8. Great attention is paid to analyzer warnings:
Warnings classification is supported according to:
Common Weakness Enumeration (CWE)
SEI CERT C Coding Standard
SEI CERT C++ Coding Standard
MISRA C, MISRA C++
Detailed documentation in Russian and English:
Online
PDF
10. This error demonstrates greatly how DataFlow analysis works in
PVS-Studio
This error was found using PVS-Studio in Chromium project
(Protocol Buffers)
The analyzer issues two warnings:
V547 Expression 'time.month <= kDaysInMonth[time.month] + 1' is always
true. time.cc 83
V547 Expression 'time.month <= kDaysInMonth[time.month]' is always true.
time.cc 85
Data Flow analysis
15. int x0 = ....; int x1 = ....;
int y0 = ....; int y1 = ....;
assert(x0 <= x1 && "....");
assert(y0 <= y1 && "....");
assert((x1 - x0) == (y1 - y0) && "....");
assert(x0 >= 0 && x0 < int(some_value) && "....");
assert(x1 >= 0 && x1 < int(some_value) && "...."); // x1 >= 0
assert(y0 >= 0 && y0 < int(some_value) && "...."); // y0 >= 0
assert(y1 >= 0 && y1 < int(some_value) && "...."); // y1 >= 0
Symbolic execution
V560 A part of conditional expression is always true.
V560 A part of conditional expression is always true.
V560 A part of conditional expression is always true.
16. Method/class annotations
Our team has annotated thousands of functions and classes, given in:
standard C library
standard С++ library
WinAPI
glibc (GNU C Library)
Qt
MFC
and so on
17. void EnableFloatExceptions(....)
{
....
CONTEXT ctx;
memset(&ctx, sizeof(ctx), 0);
....
}
Method/class annotations
V575 The 'memset' function processes '0' elements. Inspect the third argument.
crythreadutil_win32.h 294
This error was found using PVS-Studio in CryEngine V project
18. static void FwdLockGlue_InitializeRoundKeys()
{
unsigned char keyEncryptionKey[KEY_SIZE];
....
memset(keyEncryptionKey, 0, KEY_SIZE); // Zero out key data.
}
Pattern-based matching analysis
V597 CWE-14 The compiler could delete the 'memset' function call, which is used to flush
'keyEncryptionKey' buffer. The memset_s() function should be used to erase the private data.
FwdLockGlue.c 102
This error was found using PVS-Studio in Android
project
20. For VS2010-2019: just install plugin and check your solution!
For other cases you can capture compiler invocations and gather all needed
information for the analysis
Using PVS-Studio: quick start
Windows:
C and C++ Compiler Monitoring UI tool
Linux/macOS
pvs-studio-analyzer utility
21. Using PVS-Studio: mass suppression
It can be difficult to start using static analysis in a large project
It’s not clear what to do with warnings in old code
We suggest a decision: hiding messages using suppress files
22. Using PVS-Studio: suppressing of false positives
Various ways to suppress false positives in specific lines of code
Suppression of false positives in macros
Suppression of false positives using pvsconfig diagnostics
configuration files
23. Using PVS-Studio: excluding from analysis
Possibility to exclude files from analysis by their name, directory or mask
Interactive filtration of analysis results (log) in PVS-Studio window:
by diagnostic code and warning level
by the file name
by including the word in the text of a diagnostic
24. The most efficient way of fixing an error is to do it right after it
appeared in code
Using PVS-Studio: automatic analysis of files after
their recompilation
25. Using PVS-Studio: scalability
Support of multicore and multiprocessor systems with configuration
of the number of utilized cores
IncrediBuild support
26. Running analysis from command line for
checking the whole project
Saving and loading of analysis results
Using of relative paths in report files
Send mail notifications with
BlameNotifier utility
Using PVS-Studio: continuous integration
27. Convenient online reference on all diagnostics
Using PVS-Studio: documentation
28. We developed a plugin for importing analysis results into SonarQube
Using of this plugin allows to add warnings found by PVS-Studio
analyzer to the warnings base of SonarQube server
Using PVS-Studio: SonarQube
32. Write to us: support@viva64.com
Subscribe:
Twitter: @Code_Analysis
RSS: http://feeds.feedburner.com/viva64-blog-en
Facebook: https://www.facebook.com/StaticCodeAnalyzer
Telegram: https://t.me/pvsstudio_en
Download PVS-Studio:
https://www.viva64.com/download_cpp_on_sea/
Thank you for attention!
Editor's Notes
Hello everybody, today I’d like to present you some feature overview of PVS-Studio static code analyzer
My name is Phillip, I’m a lead C++/C# developer in PVS-Studio team and I’ve been working in the company since 2016
So, what is PVS-Studio? PVS-Studio is a ecosystem that provides you static code analyzer for C, C++, C# and Java programming languages and utilities to make life with static code analyzer easier. PVS-Studio works on Windows, Linux and macOS platforms.
I’ll focus more on C/C++ features. So, we support modern and famous compilers such as: MSVC, GCC, Clang - and several compiler for Embedded systems: ARM GCC/Clang, Keil, IAR, TI.
We also have several plugins for modern IDEs for convenient work: Visual Studio 2010-2019, JetBrains Rider and IntelliJ IDEA.
Compilation monitoring. We provide a tool that may help you to check your project with “exotic” build system (e.g. SCons, Bazel, etc).
Suppress files. After you’ve checked your project, you may get tons of warnings on your legacy code. There is a solution – you push all your warnings in some file called suppress base, and in the next run you’ll get 0 warnings.
Incremental analysis. If you modify some files in your project, you want only them to be checked as the compiler recompiles them. We have scenery for that. We call it incremental analysis.
I think everybody would want to automate such process, like how we’re doing it with compilation, testing, etc. Of course, you can directly integrate PVS-Studio in CI-servers, such as Jenkins, TeamCity, etc.
After analysis you get raw log and probably you want it to some format that suits you. E.g., HTML, QtCreator tasklist, errorlist (format of compilers output), etc. PlogConverter may help you with this.
And finally BlameNotifier. If you get warnings after you’ve checked your project after commit, you may want to notify developers who made a mistake about this. BlameNotifier send mails corresponding to your VCS.
By July 2020 we’ve implemented 510 diagnostic for C/C++, 153 for C# and 82 for Java. We’re continuously adding new rules.
What type of errors can be detected? Here is a short list what our analyzer can detect: copy-paste errors, dereferencing of nullable types, undefined or unspecified behavior and so on. You can find full information about detectable errors from this QR-code.
We pay great attention while implementing diagnostic rules. Many of them is classified according to Common Weakness Enumeration and CERT C/C++ Coding Standard. We’ve also implemented rules for MISRA C/C++ compliance. For each rule we provide detailed documentation from website or download a pdf. By the way, you can access docs from VS plugin too.
We use several technologies to find bugs in source code.
First is the data flow analysis. Let’s see how it can help to find bugs on a following code snippet from protobuf. PVS-Studio warns about two expressions that they’re always true.
Here we have ValidateDateTime function that check for incorrect DateTime and static const array ‘kDaysInMonth’ that contains the number of days per month. The first element is extra element for convenient access to array: we’ll use indexes [1..12]. Let’s look at the first if statement.
Data flow analysis knows if ‘time.month’ field isn’t in the range [1..12], execution of the function will stop.
Now let’s look at the second ‘if’ statement. If ‘time.month’ is two (it’s February) and the year is leap, we return the result of comparison ‘time.month <= kDaysInMonth[time.month] + 1’. ‘2 <= 29’ – this is always true.
If you look at ‘else’ branch, expression in return statement is always true too, now we compare two range: lhs – [1..12] and rhs – [28..31].
It’s needed to compare ‘time.day’ field.
Next technology is Symbolic execution. It helps when we don’t know we exact value of variables. Look at this example. Here PVS-Studio tells that 3 lash subconditions is always true. Let’s find out why/
First two asserts set relation between pairs of variables [x0, x1] and [y0; y1]. So, we know that x1 may be equal to or greater than x0, absolutely the same with y0 and y1. Third assert sets that differences between pairs of values are equal.
And now fourth assert. If x0 is non-negative, then x1 is non-negative too because of the first assert. So, the part of condition in the fifth assert is always true.
If x0 and x1 are both non-negative, their subtraction is non-negative too. This means that y0 and y1 are non-negative too. So, parts of the last two assert are always true.
Next technology is method/class annotations. We know a behavior of many functions from different libraries and this helps to find interesting bugs.
For example, in CryEngine V we have function EnableFloatExceptions. We want to zeroize the ‘ctx’ variable. But the second and the third function parameters were mixed up, and now memset will do nothing.
And the last thing we use in our analyzer is ‘pattern-based’ matching. We’re looking for code patterns that lead to bugs in the parse tree. This isn’t regular expression search.
For example, there is a errorneous pattern when we want to zeroize some private data in an array. Most often this is done by calling the ‘memset’ function. But modern compilers can optimize this call out. We can fix that by calling safe methods, such as memset_s from C11.
So, how to start using PVS-Studio in your project?
As I mentioned earlier, if you have VS project, you can install plugin and easily check your project in one click.
If you have project that isn’t VS- or Cmake-based, you can check it with C and C++ Compiler Monitoring UI or pvs-studio-analyzer tools.
It captures compiler invocations to get information about your project and then start analysis on files that were compiled.
If you want to get more information – you can follow the link in QR codes.
Ok, but your project is too old and you have legacy. When you’ve checked your project, you get tons of warnings and you want to get rid of them.
We have a solution – suppress base: you push all your warnings to some files and in the next run of the analysis you will get 0 warnings. This makes possible to integrate a static code analyzer into a project of any size.
You will get warnings only on fresh code. You can return to your technical debt later and fix these warnings.
Follow the link in QR code to get more information.
There are several ways to mark some warnings that false positive for you.
For example, static code analyzer warns you about some code that was expanded from a macro. You can mark this macro and analyzer won’t warn you about this code anymore.
You can add these mark directly to your code or special pvsconfig-file. Follow the link in QR code to get more information.
What if you have some third-party libraries and you don’t want to get messages from these projects.
Of course It’s possible to exclude these projects from analysis by specifying some name of the file, directory or wildcard pattern.
Another thing that we provide interactive filtration of warnings in PVS-Studio output window in VS plugin. You can filter messages by the level of the warning, type of the warning, filename, text in the message.
If you change only one file, you may want to analyze only modified file. This may be done by incremental analysis.
PVS-Studio may analyze up to “the number of logical cores” files simultaneously. This may dramatically reduce the analysis time.
If this isn’t enough, you can try PVS-Studio together with IncrediBuild. IncrediBuild may distribute analysis on several machines.
Until this moment, I meant that analysis is performed on developer machine. But what if we want to analyze project on continuous integration server on each commit / PR?
PVS-Studio can be directly integrated in CI-servers and can perform analysis on commit / PR / night build.
If there is some warning in analysis report, you can notify developers about this problem with help of BlameNotifier tool.
If you want to get more information – you can follow the link in QR codes.
For each our diagnostic rule we provide documentation with the description what is wrong and how to fix it. You can access this documentation on our website or download pdf.
If you use VS plugin, you can open the documentation for diagnostic rule in VS itself – just click on the warning number in PVS-Studio output windows.
On the screen you can see how it looks.
Many our customers were interested in importing analysis results into SonarQube. SonarQube is a platform for continuous code inspection of projects.
We developed a plugin for SonarQube that can do that.
If you want to get more information – you can follow the link in QR codes.
Here you can see all imported diagnostic rules from PVS-Studio into SonarQube.
This is how it looks as a result.
If you don’t have SonarQube, but you want to review warnings with source code in CI-server, you can convert analysis report into FullHTML format.
This format looks like output from Clang SA. You click a location link in the “Location column” for the warning, and it opens a source code in HTML and scrolls to the interested line.
This FullHTML report then can be published on CI-server.
That’s all for now. Thank you for you attention!
If you have questions, I’m ready to answer them.