Comparison of static code analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio

•

1 like•438 views

We have carried out a thorough comparison of four analyzers for C/C++ code: CppCat, Cppcheck, PVS-Studio and Visual Studio's built-in analyzer. It is a serious, large investigation that we had spent about 170 man-hours on and which, in our opinion, gives a good idea of the general state of things in static analysis nowadays.

Software

Comparison of static code analyzers:
CppCat, Cppcheck, PVS-Studio and Visual
Studio
Author: Evgeniy Ryzhkov, Andrey Karpov, Paul Eremeev, Svyatoslav Razmyslov
Date: 12.03.2014
We have carried out a thorough comparison of four analyzers for C/C++ code: CppCat, Cppcheck, PVS-Studio
and Visual Studio's built-in analyzer. It is a serious, large investigation that we had spent about
170 man-hours on and which, in our opinion, gives a good idea of the general state of things in static
analysis nowadays.
About the comparison
We picked out over ten open-source test projects for the investigation.
Each analyzer was used with the recommended settings of severity levels of diagnostic messages:
• CppCat: all diagnostics enabled (no severity levels);
• Cppcheck: Errors and Warnings;
• PVS-Studio: the 1-st and 2-nd level of general diagnostics;
• Visual Studio: Microsoft Native Recommended Rules.
We closely studied the analysis reports and picked out those warnings which seemed to indicate
genuine bugs or code fragments which at least required close examination. The summarized results are
presented in this article.
The comparison methodology is described in detail in the article: "How we compared code analyzers:
CppCat, Cppcheck, PVS-Studio and Visual Studio". In that article, you will also find the list of the test
projects, the list of the diagnostic messages we picked out, examples of detected bugs and so on. You
will also learn from that article why we didn't provide the information about the number of false
positives.
Comparison results
The results of the comparison of the analyzers CppCat, Cppcheck, PVS-Studio and Visual Studio's built-in
analyzer are presented in three tables:

Table 1 - The number of detected genuine bugs (numerical form)
Table 2 - The number of detected genuine bugs (percentage form)
Table 3 - Analysis time (in minutes)
Analysis time
We don't think analysis time to be a significant comparison metric. But people often wonder about our
tools' performance, so we decided to include these figures into the article.
As you can see, Cppcheck is the fastest analyzer. But notice also that the table shows the total analysis
time. On some projects, Cppcheck was running slower than the other analyzers. So the actual analysis
speed rather depends on a particular project.
CppCat is actually a bit faster than PVS-Studio as it has fewer diagnostic rules to check. But the
difference is really insignificant (a few dozens of seconds), so we found it pointless to show it in the
table.
Diagnostics
Our team has selected a total of 965 unique code fragments that require investigation and fixing.
As you can see from the table, CppCat and PVS-Studio have shown identical results. The reason is that
the PVS-Studio analyzer with recommended settings uses the same set of diagnostics as CppCat.
The total number of defects detected by the analyzers is 742 for CppCat and PVS-Studio each; 193 for
Cppcheck; 116 for Visual Studio.
Thus, CppCat and PVS-Studio detect 4 times more errors than Cppcheck and 6 times more errors than
Visual Studio's built-in analyzer.
Conclusion
The CppCat and PVS-Studio analyzers have proved to be evident leaders in the number of revealed
genuine and potential defects.

References
1. Evgeniy Ryzhkov, Andrey Karpov, Paul Eremeev, Svyatoslav Razmyslov. "How we compared code
analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio".

DevOps has emerged, as a major cultural movement to handle the need for increased agility in software development. While this movement is loosely bound to development methods, a number of practices have emerged to operationalize this extreme agility: loosely coupled software architectures meant to support incremental updates and build (services or micro services with clear APIs); a very high degree of automation at multiple stages of the development lifecycle. Quality assurance is a major challenge in this context. There is very little time for manual testing and the responsibility of bug detection is placed upon the automated test suites. STAMP (Software Testing AMPlification), is a new European R&D project, which aims to bolster automated test suites through the automatic transformation of test assets. The key technical challenge that STAMP aims at overcoming is to reduce the cost due to regression bugs that propagate to production, through advanced research in automatic test generation. The key novelty of our research agenda is to leverage existing assets (such as test cases or execution logs) in order to increase test effectiveness. This innovative research is at the crossroads of program analysis and transformation, software testing, automatic deployment and search-based software engineering.

SophiaConf 2018 - P. Urso (Activeeon)

TelecomValley

STAMP (Software Testing Amplification) is a suite of tools to increase testing capacity and detect bugs. It includes Descartes, which tests test cases against mutants to evaluate effectiveness, and DSpot, which aims to improve code coverage and mutation score by generating new test cases. CAMP (Configuration Amplification) executes test cases against multiple configurations, and Evocrash generates test cases to reproduce bugs found in production logs. The tools can be used standalone, with IDEs like Eclipse, or integrated into build tools like Maven and Jenkins to amplify testing practices and help improve quality.

100 tests per second - 40 releases per week

Lars Thorup

This talk shows how the Triggerz engineering team continuously deliver new software versions to our users. The Triggerz product is a web application built with React, Node.js and PostgreSQL. The product has been live since October 2017 with users worldwide. We have built a simple continuous deployment pipeline, also mostly in JavaScript, that we use to validate every push to master before deploying it automatically to production. This talk demonstrates how we write tests and how the pipeline is scripted. We discuss the thinking behind and the tools that we've used to do continuous delivery.

Atpg design rule checking project

Minh Anh Nguyen

This project aims to reduce test time, track design mistakes and failures, save time and money, and meet tape out deadlines. It involves reading in new netlists, ATPG library and test procedure files, building an ATPG model, running ATPG design rule checking, and generating reports of any failures to send to the design team. The flow chart shows the process of checking for new or existing files, running the ATPG DRC, and saving or reporting the results.

The best day for qa

Julian Farizi

This document outlines a typical daily workflow for a QA member at an internet company, with the goal of understanding their daily tasks and testing process. It involves analyzing new requirements, designing and adapting test cases, performing testing on staging environments, and testing on the live site. The day is broken down into phases including analysis, preparation, staging testing, and live testing. Testing tasks are interspersed with coffee and food breaks to recharge throughout the day. The overall goal is to thoroughly test new features before they are deployed to the live site.

Comparing Functionalities of PVS-Studio and CppCat Static Code Analyzers

Andrey Karpov

Agile analysis development

setitesuk

This document describes the development of an agile analysis pipeline for processing next generation DNA sequencing data. The pipeline was developed iteratively using short 2-3 week iterations. Early iterations involved replacing sections of the pipeline with new pluggable components. Later iterations focused on refactoring the code and adding new features like automated quality control checks. A key iteration involved quickly fixing the pipeline when new analysis code introduced bugs. The agile development approach helped allow the priority to change to the critical fix and incorporate it with minimal disruption.

This document discusses the principles of test-driven development (TDD). It explains that TDD involves specifying an application programming interface (API) through tests before implementing it to prove correctness. The core cycle of TDD is described as red-green-refactor, where tests are written (red), made to pass (green), and code is refactored for maintainability. Common structures for unit tests, advantages of TDD, and heuristics for the process are also outlined, along with examples of coding katas and how to set up a project and run unit tests.

Bottlenecks rel b works and rel c planning

Jun Li

This document discusses the Bottlenecks project which aims to identify system bottlenecks in OPNFV infrastructure through testing. It provides updates on Release B which implemented throughput testing and virtual switch testing. Release C planning includes refactoring deployment using Puppet for increased reusability, implementing multi-scenario testing for different configurations, and cooperating with other projects to integrate requirements and tools. The goal is to automatically detect bottlenecks during staging to prevent issues in production.

Codemotion tech pills - Continuous performance

Bert Jan Schrijver

The document discusses using Gatling for continuous performance testing as part of the development process. It recommends designing generic and specialized test scenarios and recording them in Gatling's DSL. A demo shows converting a browser recording to Gatling code and executing the test to generate reports. While this approach provides early feedback on performance impacts, it is noted that it does not determine maximum supported load in production. The benefits seen so far include preventing issues and helping optimize performance.

Intro to front-end testing

Juriy Zaytsev

Game Engine Code Quality: Is Everything Really That Bad?

Andrey Karpov

Performance Analysis and Monitoring with Perf4j

Craig Dickson

How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)

Andrey Karpov

Monitoring Clojure Applications with Prometheus

Joachim Draeger

Code Coverage and Test Suite Effectiveness: Empirical Study with Real Bugs in...

Pavneet Singh Kochhar

IoT 개발자를 위한 Embedded C에서 Test Coverage를 추출해보자

Taeyeop Kim

Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...

Andrey Karpov

George Gribkov presented on how to introduce static analysis to make programmers' and QA engineers' lives easier. Static analysis automatically checks code for bugs without executing it. While initial attempts to analyze Unreal Engine 4 failed, monitoring compiler calls directly succeeded in finding over 1800 warnings. Epic Games now uses continuous static analysis to receive early warnings. The best practices are to start analysis early and regularly in development and CI/CD pipelines, and to gradually fix old warnings using suppression files to ratchet down reported issues over time. Static and dynamic analysis complement each other to thoroughly check for errors.

Amsterdam JUG - Continuous performance

Bert Jan Schrijver

The document discusses using Gatling for continuous performance testing. It recommends making performance testing part of the development process rather than something done by specialists separately. Gatling allows developers to define load testing scenarios in a Scala DSL and get reports on performance. The presentation demonstrates recording a browser session in Gatling, modifying the scenario, running a test and interpreting the results. While Gatling gives performance feedback quickly, it is best for monitoring trends rather than determining a system's maximum load capacity.

Slideshare accuracy and speed

Spectrolytic - Innovative solutions in spectroscopy

The document compares spectrolytic analysis and lab analysis in terms of time and accuracy for sample testing. Lab analysis takes 5 days to process samples and provide results, while at-line/in-line analysis using portable sensors can provide results in just 5 minutes with the same level of accuracy as a lab. Real-time inline monitoring using industry 4.0 sensors allows for analysis from the sampling point with no shipping or lab time required.

Principals, Practices, and Habits

Jeremy Leipzig

IGUANA: A Generic Framework for Benchmarking the Read-Write Performance of Tr...

Lixi Conrads

Iguana is a framework for benchmarking the read-write performance of triple stores. It provides a realistic scenario by simulating multiple concurrent users querying and updating a triple store. Iguana executes benchmarks on different datasets and triple stores, measuring key performance indicators like queries per second. Results are stored in files and triple stores for analysis. The framework is extensible and can benchmark any dataset, SPARQL/update queries, and triple store configuration.

Comp 122 lab 4 lab report and source code

pradesigali1

Synaptop

Jesse Smith

Stress Test & Chaos Engineering

Diego Pacheco

The document discusses stress testing and chaos engineering techniques to test the reliability, availability, and scalability of systems and services. It recommends starting with functional requirements and productivity, then stress testing services with increasing loads to identify breaking points and understand metrics. Fallback mechanisms need continuous testing to avoid outages. Chaos engineering techniques intentionally introduce failures to test infrastructure resilience to different failures like instance, availability zone, or region outages. Stress testing and chaos engineering are important to ensure systems can withstand failures and growing usage.

How PVS-Studio does the bug search: methods and technologies

PVS-Studio

Checking the Source SDK Project

Andrey Karpov

The Source SDK is a software development kit compiled by Valve Corporation that is used to create games or mods for the Source engine. I downloaded and checked the project's source codes at the end of 2013 already and intended to write an article about it during the New Year holidays. But laziness prevailed over the craving for creativity, and I sat down to writing the article only on getting back to work. However, I doubt that the source codes have changed during this time. Now you are welcome to have a look at the suspicious code fragments found in the project code by the PVS-Studio code analyzer.

PVS-Studio confesses its love for Linux

PVS-Studio

Comparing PVS-Studio with other code analyzers

PVS-Studio

What's hot

TDD - A Reminder of the Principles

Matthias Noback

Bottlenecks rel b works and rel c planning

Jun Li

Codemotion tech pills - Continuous performance

Bert Jan Schrijver

Intro to front-end testing

Juriy Zaytsev

Game Engine Code Quality: Is Everything Really That Bad?

Andrey Karpov

Performance Analysis and Monitoring with Perf4j

Craig Dickson

How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)

Andrey Karpov

Monitoring Clojure Applications with Prometheus

Joachim Draeger

Code Coverage and Test Suite Effectiveness: Empirical Study with Real Bugs in...

Pavneet Singh Kochhar

IoT 개발자를 위한 Embedded C에서 Test Coverage를 추출해보자

Taeyeop Kim

Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...

Andrey Karpov

Amsterdam JUG - Continuous performance

Bert Jan Schrijver

Slideshare accuracy and speed

Spectrolytic - Innovative solutions in spectroscopy

Principals, Practices, and Habits

Jeremy Leipzig

IGUANA: A Generic Framework for Benchmarking the Read-Write Performance of Tr...

Lixi Conrads

Comp 122 lab 4 lab report and source code

pradesigali1

Synaptop

Jesse Smith

Stress Test & Chaos Engineering

Diego Pacheco

What's hot (18)

TDD - A Reminder of the Principles

Bottlenecks rel b works and rel c planning

Codemotion tech pills - Continuous performance

Intro to front-end testing

Game Engine Code Quality: Is Everything Really That Bad?

Performance Analysis and Monitoring with Perf4j

How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)

Monitoring Clojure Applications with Prometheus

Code Coverage and Test Suite Effectiveness: Empirical Study with Real Bugs in...

IoT 개발자를 위한 Embedded C에서 Test Coverage를 추출해보자

Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...

Amsterdam JUG - Continuous performance

Slideshare accuracy and speed

Principals, Practices, and Habits

IGUANA: A Generic Framework for Benchmarking the Read-Write Performance of Tr...

Comp 122 lab 4 lab report and source code

Synaptop

Stress Test & Chaos Engineering

Similar to Comparison of static code analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio

How PVS-Studio does the bug search: methods and technologies

PVS-Studio

Checking the Source SDK Project

Andrey Karpov

PVS-Studio confesses its love for Linux

PVS-Studio

Comparing PVS-Studio with other code analyzers

PVS-Studio

Analysis of PascalABC.NET using SonarQube plugins: SonarC# and PVS-Studio

PVS-Studio

In November 2016, we posted an article about the development and use of the PVS-Studio plugin for SonarQube. We received great feedback from our customers and interested users who requested testing the plugin on a real project. As the interest in this subject is not decreasing, we decided to test the plugin on a C# project PascalABC.NET. Also, it should be borne in mind, that SonarQube have their own static analyzer of C# code - SonarC#. To make the report more complete, we decided to test SonarC# as well. The objective of this work was not the comparison of the analyzers, but the demonstration of the main peculiarities of their interaction with the SonarQube service. Plain comparison of the analyzers would not be fair due to the fact that PVS-Studio is a specialized tool for bug detection and potential vulnerabilities, while SonarQube is a service for the assessment of the code quality by a large number of parameters: code duplication, compliance with the code standards, unit tests coverage, potential bugs in the code, density of comments in the code, technical debt and so on.

Comparing PVS-Studio for C# and a built-in Visual Studio analyzer, using the ...

Ekaterina Milovidova

Recently I have done comparison of C# analyzers by PVS-Studio and SonarQube on the base of PascalABC.NET code. The research turned out to be pretty engaging, so I decided to continue working in this direction. This time I compared a C# analyzer of PVS-Studio with a static analyzer built into Visual Studio. In my opinion, this is a very worthy adversary. Despite the fact that the analyzer from the Visual Studio kit is primarily designed to improve the quality of the code, not to look for bugs, this does not mean that it cannot be used to detect real errors, although this may be not easy. Let's see which peculiarities in the work of the analyzers will be detected in the course of our investigation. Let's start!

Interview with Issam Lahlali, one of the CppDepend tool creators

PVS-Studio

PVS-Studio and CppCat: An Interview with Andrey Karpov, the Project CTO and D...

Andrey Karpov

The developers of PVS-Studio analyzer regularly publish new articles about their tool (and sometimes about other analyzers as well) where they share the analysis results of various software projects produced by the analyzer and demonstrate code samples in which defects were found. Quite recently, a new product, CppCat, was released, which is a lightweight version of PVS-Studio at a low cost - compared to that of its heavier counterpart. You can find a brief description of the PVS-Studio project for Visual C++ here and here, and for a description of the new product see the article "An Alternative to PVS-Studio at $250".

New Year PVS-Studio 6.00 Release: Scanning Roslyn

PVS-Studio

The long wait is finally over. We have released a static code analyzer PVS-Studio 6.00 that supports the analysis of C# projects. It can now analyze projects written in languages C, C++, C++/CLI, C++/CX, and C#. For this release, we have prepared a report based on the analysis of open-source project Roslyn. It is thanks to Roslyn that we were able to add the C# support to PVS-Studio, and we are very grateful to Microsoft for this project.

How we test the code analyzer

PVS-Studio

PVS-Studio advertisement - static analysis of C/C++ code

Andrey Karpov

This document advertises the PVS-Studio static analyzer. It describes how using PVS-Studio reduces the number of errors in code of C/C++/C++11 projects and costs on code testing, debugging and maintenance. A lot of examples of errors are cited found by the analyzer in various Open-Source projects. The document describes PVS-Studio at the time of version 4.38 on October 12-th, 2011, and therefore does not describe the capabilities of the tool in the next versions. To learn about new capabilities, visit the product's site <a>http://www.viva64.com</a> or search for an updated version of this article.

Difficulties of comparing code analyzers, or don't forget about usability

PVS-Studio

Difficulties of comparing code analyzers, or don't forget about usability

Andrey Karpov

This document discusses the difficulties in comparing code analyzers based on usability. Simply comparing metrics like number of diagnostics or speed is unreasonable because they don't reflect how usable a tool is for a particular project or user. The document analyzes six usability issues with an analyzer integrated into Visual Studio compared to PVS-Studio when analyzing the eMule project, such as inability to save analysis results or filter duplicate messages. While the Visual Studio analyzer was faster, it took much longer to complete analysis due to usability issues. The document concludes that usability is very important for comparing analyzers and there is no single best tool, only what is better for a specific project and user.

Difficulties of comparing code analyzers, or don't forget about usability

PVS-Studio

Static analysis is most efficient when being used regularly. We'll tell you w...

Andrey Karpov

Some of our users run static analysis only occasionally. They find new errors in their code and, feeling glad about this, willingly renew PVS-Studio licenses. I should feel glad too, shouldn't I? But I feel sad - because you get only 10-20% of the tool's efficiency when using it in such a way, while you could obtain at least 80-90% if you used it otherwise. In this post I will tell you about the most common mistake among users of static code analysis tools.

How we test the code analyzer

PVS-Studio

HPX and PVS-Studio

PVS-Studio

Hartmut Kaiser evaluates his experience using the static analysis tool PVS-Studio to analyze the HPX C++ library source code. PVS-Studio found several issues, including an unused variable, an incorrect return type, and a missing copy constructor. Integrating PVS-Studio into continuous integration was seen as very useful. While the tool caught real problems, it also produced some false positives that could be suppressed. Overall the analysis was seen as valuable for finding subtle bugs.

How to Improve Visual C++ 2017 Libraries Using PVS-Studio

PVS-Studio

The title of this article is a hint for the Visual Studio developers that they could benefit from the use of PVS-Studio static code analyzer. The article discusses the analysis results of the libraries in the recent Visual C++ 2017 release and gives advice on how to improve them and eliminate the bugs found. Read on to find out how the developers of Visual C++ Libraries shoot themselves in the foot: it's going to be interesting and informative.

Finding bugs in the code of LLVM project with the help of PVS-Studio

PVS-Studio

About two months ago I wrote an article about the analysis of GCC using PVS-Studio. The idea of the article was as follows: GCC warnings are great, but they're not enough. It is necessary to use specialized tools for code analysis, for example, PVS-Studio. As proof of my words I showed errors that PVS-Studio was able to find the GCC code. A number of readers have noticed that the quality of the GCC code, and its diagnosis, aren't really great; while Clang compiler is up to date, of high quality, and fresh. In general Clang is awesome! Well, apparently, it's time to check LLVM project with the help of PVS-Studio.

Checking PVS-Studio with Clang

Andrey Karpov

Clang static analyzer found some errors in PVS-Studio source code when it was checked against Clang. The errors included using uninitialized variables, uninitialized pointers, and unsafe type conversions. While not critical bugs, they indicate areas for improvement. Clang also reported some false positives but helped uncover unused code that could be removed. Overall, using Clang provided a useful review of PVS-Studio and highlighted opportunities to strengthen the code quality.

Similar to Comparison of static code analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio (20)

How PVS-Studio does the bug search: methods and technologies

Checking the Source SDK Project

PVS-Studio confesses its love for Linux

Comparing PVS-Studio with other code analyzers

Analysis of PascalABC.NET using SonarQube plugins: SonarC# and PVS-Studio

Comparing PVS-Studio for C# and a built-in Visual Studio analyzer, using the ...

Interview with Issam Lahlali, one of the CppDepend tool creators

PVS-Studio and CppCat: An Interview with Andrey Karpov, the Project CTO and D...

New Year PVS-Studio 6.00 Release: Scanning Roslyn

How we test the code analyzer

PVS-Studio advertisement - static analysis of C/C++ code

Difficulties of comparing code analyzers, or don't forget about usability

Static analysis is most efficient when being used regularly. We'll tell you w...

How we test the code analyzer

HPX and PVS-Studio

How to Improve Visual C++ 2017 Libraries Using PVS-Studio

Finding bugs in the code of LLVM project with the help of PVS-Studio

Checking PVS-Studio with Clang

More from Andrey Karpov

60 антипаттернов для С++ программиста

Andrey Karpov

Здесь вы найдёте 60 вредных советов для программистов и пояснение, почему они вредные. Всё будет одновременно в шутку и серьёзно. Как бы глупо ни смотрелся вредный совет, он не выдуман, а подсмотрен в реальном мире программирования.

60 terrible tips for a C++ developer

Andrey Karpov

Ошибки, которые сложно заметить на code review, но которые находятся статичес...

Andrey Karpov

Есть ошибки, которые легко прячутся от программистов на обзорах кода. Чаще всего они связаны с опечатками или недостаточным знанием тонких нюансах языка/библиотеки. Давайте посмотрим интересные примеры таких ошибок и как их можно выявить с помощью статического анализа. При этом анализаторы не конкурируют с обзорами кода или, например, юнит-тестами. Они отлично дополняют другие методологии борьбы с ошибками.

PVS-Studio in 2021 - Error Examples

Andrey Karpov

PVS-Studio analyzes source code and finds various errors and code quality issues across multiple languages and frameworks. The document highlights 20 examples of issues found, including uninitialized variables, unreachable code, incorrect operations, security flaws, and typos. PVS-Studio is able to find these issues using techniques such as data-flow analysis, method annotation analysis, symbolic execution, type inference, and pattern-based analysis to precisely evaluate the code and pinpoint potential bugs or code smells.

PVS-Studio in 2021 - Feature Overview

Andrey Karpov

PVS-Studio в 2021 - Примеры ошибок

Andrey Karpov

PVS-Studio в 2021

Andrey Karpov

Best Bugs from Games: Fellow Programmers' Mistakes

Andrey Karpov

George Gribkov will present on errors found in the code of popular games like System Shock, Doom 3, and osu!. He will discuss how his tool searches for code errors, provide examples of bugs detected, and conclude his presentation. The examples will showcase issues like unused variables, incorrect increment variables in for loops, null pointer dereferences, and misunderstandings of operators like ??. Corrections will be proposed to address the bugs.

Does static analysis need machine learning?

Andrey Karpov

This document discusses whether static analysis needs machine learning. It begins with an introduction to static analysis and outlines existing static analysis solutions like DeepCode, Infer, SapFix, Embold, Source{d}, Clever-Commit, and CodeGuru. It then addresses problems with learning manually or from real large code bases, like outdated code and lack of documentation. Finally, it discusses promising approaches like analyzing code style, collecting additional metrics, and best practices for specific frameworks.

Typical errors in code on the example of C++, C#, and Java

Andrey Karpov

C++ Code as Seen by a Hypercritical Reviewer

Andrey Karpov

The Use of Static Code Analysis When Teaching or Developing Open-Source Software

Andrey Karpov

The document discusses using static code analysis when teaching or developing open-source software. It outlines how static analysis can help instructors check student homework and projects more efficiently, and help students learn about error patterns. When using static analysis for open-source projects, it recommends integrating it into developers' workflows locally and via continuous integration systems. Regular use is key to maximizing its benefits for finding and fixing bugs.

Static Code Analysis for Projects, Built on Unreal Engine

Andrey Karpov

Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems

Andrey Karpov

The Great and Mighty C++

Andrey Karpov

Static code analysis: what? how? why?

Andrey Karpov

Zero, one, two, Freddy's coming for you

Andrey Karpov

This post continues the series of articles, which can well be called "horrors for developers". This time it will also touch upon a typical pattern of typos related to the usage of numbers 0, 1, 2. The language you're writing in doesn't really matter: it can be C, C++, C#, or Java. If you're using constants 0, 1, 2 or variables' names contain these numbers, most likely, Freddy will come to visit you at night. Go on, read and don't say we didn't warn you.

PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps

Andrey Karpov

The document discusses integrating the PVS-Studio static code analyzer with Azure DevOps and Chocolatey. It provides steps to configure a build pipeline in Azure DevOps to install PVS-Studio using Chocolatey, run analysis on a project, and publish the results. The analysis found several potential bugs in the Chocolatey code including logical errors, redundant checks, and null reference issues. Integrating PVS-Studio with these tools helps improve code quality.

PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...

Andrey Karpov

A Zero-day (0-day) vulnerability is a computer-software vulnerability introduced during the development process and not yet discovered by the developers. Zero-day vulnerabilities can be exploited by hackers, thus affecting the company's reputation. Developers should seek to minimize the number of defects leading to such vulnerabilities. PVS-Studio, a static code analyzer for C, C++, C#, and Java code, is one of the tools capable of detecting security issues.

Analysis of commits and pull requests in Travis CI, Buddy and AppVeyor using ...

Andrey Karpov

Starting from the version 7.04, the PVS-Studio analyzer for C and C++ languages on Linux and macOS provides the test feature of checking the list of specified files. Using the new mode, you can configure the analyzer to check commits and pull requests. This article covers setting up the check of certain modified files from a GitHub project in such popular CI (Continuous Integration) systems, as Travis CI, Buddy and AppVeyor.

More from Andrey Karpov (20)

60 антипаттернов для С++ программиста

60 terrible tips for a C++ developer

Ошибки, которые сложно заметить на code review, но которые находятся статичес...

PVS-Studio in 2021 - Error Examples

PVS-Studio in 2021 - Feature Overview

PVS-Studio в 2021 - Примеры ошибок

PVS-Studio в 2021

Best Bugs from Games: Fellow Programmers' Mistakes

Does static analysis need machine learning?

Typical errors in code on the example of C++, C#, and Java

C++ Code as Seen by a Hypercritical Reviewer

The Use of Static Code Analysis When Teaching or Developing Open-Source Software

Static Code Analysis for Projects, Built on Unreal Engine

Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems

The Great and Mighty C++

Static code analysis: what? how? why?

Zero, one, two, Freddy's coming for you

PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps

PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...

Analysis of commits and pull requests in Travis CI, Buddy and AppVeyor using ...

Recently uploaded

All you need to know about Spring Boot and GraalVM

Alina Yurenko

What next after learning python programming basics

Rakesh Kumar R

Unveiling the Advantages of Agile Software Development.pdf

brainerhub1

Artificia Intellicence and XPath Extension Functions

Octavian Nadolu

Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf

VALiNTRY360

Salesforce Healthcare CRM, implemented by VALiNTRY360, revolutionizes patient management by enhancing patient engagement, streamlining administrative processes, and improving care coordination. Its advanced analytics, robust security, and seamless integration with telehealth services ensure that healthcare providers can deliver personalized, efficient, and secure patient care. By automating routine tasks and providing actionable insights, Salesforce Healthcare CRM enables healthcare providers to focus on delivering high-quality care, leading to better patient outcomes and higher satisfaction. VALiNTRY360's expertise ensures a tailored solution that meets the unique needs of any healthcare practice, from small clinics to large hospital systems. For more info visit us https://valintry360.com/solutions/health-life-sciences

How Can Hiring A Mobile App Development Company Help Your Business Grow?

ToXSL Technologies

Modelling Up - DDDEurope 2024 - Amsterdam

Alberto Brandolini

8 Best Automated Android App Testing Tool and Framework in 2024.pdf

kalichargn70th171

Hand Rolled Applicative User ValidationCode Kata

Philip Schwarz

Could you use a simple piece of Scala validation code (granted, a very simplistic one too!) that you can rewrite, now and again, to refresh your basic understanding of Applicative operators <*>, <*, *>? The goal is not to write perfect code showcasing validation, but rather, to provide a small, rough-and ready exercise to reinforce your muscle-memory. Despite its grandiose-sounding title, this deck consists of just three slides showing the Scala 3 code to be rewritten whenever the details of the operators begin to fade away. The code is my rough and ready translation of a Haskell user-validation program found in a book called Finding Success (and Failure) in Haskell - Fall in love with applicative functors.

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

Green Software Development

一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理

dakas1

UMN硕士毕业证成绩单【微信95270640】购买（明尼苏达大学毕业证成绩单硕士学历）Q微信95270640代办UMN学历认证留信网伪造明尼苏达大学学位证书精仿明尼苏达大学本科/硕士文凭证书补办明尼苏达大学 diplomaoffer,Transcript购买明尼苏达大学毕业证成绩单购买UMN假毕业证学位证书购买伪造明尼苏达大学文凭证书学位证书,专业办理雅思、托福成绩单，学生ID卡，在读证明，海外各大学offer录取通知书，毕业证书，成绩单，文凭等材料:1:1完美还原毕业证、offer录取通知书、学生卡等各种在读或毕业材料的防伪工艺（包括烫金、烫银、钢印、底纹、凹凸版、水印、防伪光标、热敏防伪、文字图案浮雕，激光镭射，紫外荧光，温感光标）学校原版上有的工艺我们一样不会少，不论是老版本还是最新版本，都能保证最高程度还原，力争完美以求让所有同学都能享受到完美的品质服务。 #毕业证成绩单 #毕业証 #成绩单 #學生卡 #OFFER录取通知书 #雅思#托福等…… 国外大学明尼苏达大学明尼苏达大学毕业证offer制作方法（一对一专业服务） 1客户提供办理信息：姓名生日专业学位毕业时间等（如信息不确定可以咨询顾问：我们有专业老师帮你查询）； 2开始安排制作毕业证成绩单电子图； 3毕业证成绩单电子版做好以后发送给您确认； 4毕业证成绩单电子版您确认信息无误之后安排制作成品； 5成品做好拍照或者视频给您确认； 6快递给客户（国内顺丰国外DHLUPS等快读邮寄） — — 制作工艺【高仿真】— — 凭借多年的制作经验本公司制作明尼苏达大学明尼苏达大学毕业证offer《激光》《水印》《钢印》《烫金》《紫外线》凹凸版uv版等防伪技术一流高精仿度几乎跟学校100%相同！让您绝对满意。 — — -公司理念【诚信为主】— — — 我們以質量求生存.以服务求发展有雄厚的实力专业的团队咨询顾问为您细心解答可详谈是真是假眼见为实让您真正放心平凡人生,尽我所能助您一臂之力让我們携手圆您梦想! 此贴长年有效【贴心专线/微-信: 95270640】敬请保留此联系方式以备用！如有不在线请给我们留言！我们将在第一时间给您回复!上散发着一抹抹的光晕而这每处自然形成的细节融合在一起浑然天成的美实在令人心生愉悦小道的周边无秩序的生长着几株艳丽的野花红的粉的紫的虽混乱无章却给这幅美景更增添一份性感夹杂着一份纯洁的妖娆毫无违和感实在给人带来一份悠然幸福的心情如果说现在的审美已经断然拒绝了无声的话那么在树林间飞掠而过的小鸟叽叽咋咋的叫声是否就是这最后的点睛之笔悠然走在林间的小路上宁静与清香一丝丝的盛夏气息吸入身体昔日生活里的繁忙多

Project Management: The Role of Project Dashboards.pdf

Karya Keeper

Project management is a crucial aspect of any organization, ensuring that projects are completed efficiently and effectively. One of the key tools used in project management is the project dashboard, which provides a comprehensive view of project progress and performance. In this article, we will explore the role of project dashboards in project management, highlighting their key features and benefits.

Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)

safelyiotech

Consistent toolbox talks are critical for maintaining workplace safety, as they provide regular opportunities to address specific hazards and reinforce safe practices. These brief, focused sessions ensure that safety is a continual conversation rather than a one-time event, which helps keep safety protocols fresh in employees' minds. Studies have shown that shorter, more frequent training sessions are more effective for retention and behavior change compared to longer, infrequent sessions. Engaging workers regularly, toolbox talks promote a culture of safety, empower employees to voice concerns, and ultimately reduce the likelihood of accidents and injuries on site. The traditional method of conducting safety talks with paper documents and lengthy meetings is not only time-consuming but also less effective. Manual tracking of attendance and compliance is prone to errors and inconsistencies, leading to gaps in safety communication and potential non-compliance with OSHA regulations. Switching to a digital solution like Safelyio offers significant advantages. Safelyio automates the delivery and documentation of safety talks, ensuring consistency and accessibility. The microlearning approach breaks down complex safety protocols into manageable, bite-sized pieces, making it easier for employees to absorb and retain information. This method minimizes disruptions to work schedules, eliminates the hassle of paperwork, and ensures that all safety communications are tracked and recorded accurately. Ultimately, using a digital platform like Safelyio enhances engagement, compliance, and overall safety performance on site. https://safelyio.com/

Liberarsi dai framework con i Web Component.pptx

Massimo Artizzu

In Italian Presentazione sulle feature e l'utilizzo dei Web Component nell sviluppo di pagine e applicazioni web. Racconto delle ragioni storiche dell'avvento dei Web Component. Evidenziazione dei vantaggi e delle sfide poste, indicazione delle best practices, con particolare accento sulla possibilità di usare web component per facilitare la migrazione delle proprie applicazioni verso nuovi stack tecnologici.

Preparing Non - Technical Founders for Engaging a Tech Agency

ISH Technologies

Preparing non-technical founders before engaging a tech agency is crucial for the success of their projects. It starts with clearly defining their vision and goals, conducting thorough market research, and gaining a basic understanding of relevant technologies. Setting realistic expectations and preparing a detailed project brief are essential steps. Founders should select a tech agency with a proven track record and establish clear communication channels. Additionally, addressing legal and contractual considerations and planning for post-launch support are vital to ensure a smooth and successful collaboration. This preparation empowers non-technical founders to effectively communicate their needs and work seamlessly with their chosen tech agency.Visit our site to get more details about this. Contact us today www.ishtechnologies.com.au

Measures in SQL (SIGMOD 2024, Santiago, Chile)

Julian Hyde

SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries. SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL. To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context. A talk at SIGMOD, June 9–15, 2024, Santiago, Chile Authors: Julian Hyde (Google) and John Fremlin (Google) https://doi.org/10.1145/3626246.3653374

fiscal year variant fiscal year variant.

AnkitaPandya11

zOS Mainframe JES2-JES3 JCL-JECL Differences

YousufSait3

E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies

Quickdice ERP

E-commerce Development Services- Hornet Dynamics

Hornet Dynamics

Recently uploaded (20)

All you need to know about Spring Boot and GraalVM

What next after learning python programming basics

Unveiling the Advantages of Agile Software Development.pdf

Artificia Intellicence and XPath Extension Functions

Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf

How Can Hiring A Mobile App Development Company Help Your Business Grow?

Modelling Up - DDDEurope 2024 - Amsterdam

8 Best Automated Android App Testing Tool and Framework in 2024.pdf

Hand Rolled Applicative User ValidationCode Kata

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理

Project Management: The Role of Project Dashboards.pdf

Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)

Liberarsi dai framework con i Web Component.pptx

Preparing Non - Technical Founders for Engaging a Tech Agency

Measures in SQL (SIGMOD 2024, Santiago, Chile)

fiscal year variant fiscal year variant.

zOS Mainframe JES2-JES3 JCL-JECL Differences

E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies

E-commerce Development Services- Hornet Dynamics

Comparison of static code analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio

1. Comparison of static code analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio Author: Evgeniy Ryzhkov, Andrey Karpov, Paul Eremeev, Svyatoslav Razmyslov Date: 12.03.2014 We have carried out a thorough comparison of four analyzers for C/C++ code: CppCat, Cppcheck, PVS-Studio and Visual Studio's built-in analyzer. It is a serious, large investigation that we had spent about 170 man-hours on and which, in our opinion, gives a good idea of the general state of things in static analysis nowadays. About the comparison We picked out over ten open-source test projects for the investigation. Each analyzer was used with the recommended settings of severity levels of diagnostic messages: • CppCat: all diagnostics enabled (no severity levels); • Cppcheck: Errors and Warnings; • PVS-Studio: the 1-st and 2-nd level of general diagnostics; • Visual Studio: Microsoft Native Recommended Rules. We closely studied the analysis reports and picked out those warnings which seemed to indicate genuine bugs or code fragments which at least required close examination. The summarized results are presented in this article. The comparison methodology is described in detail in the article: "How we compared code analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio". In that article, you will also find the list of the test projects, the list of the diagnostic messages we picked out, examples of detected bugs and so on. You will also learn from that article why we didn't provide the information about the number of false positives. Comparison results The results of the comparison of the analyzers CppCat, Cppcheck, PVS-Studio and Visual Studio's built-in analyzer are presented in three tables:

2. Table 1 - The number of detected genuine bugs (numerical form) Table 2 - The number of detected genuine bugs (percentage form) Table 3 - Analysis time (in minutes) Analysis time We don't think analysis time to be a significant comparison metric. But people often wonder about our tools' performance, so we decided to include these figures into the article. As you can see, Cppcheck is the fastest analyzer. But notice also that the table shows the total analysis time. On some projects, Cppcheck was running slower than the other analyzers. So the actual analysis speed rather depends on a particular project. CppCat is actually a bit faster than PVS-Studio as it has fewer diagnostic rules to check. But the difference is really insignificant (a few dozens of seconds), so we found it pointless to show it in the table. Diagnostics Our team has selected a total of 965 unique code fragments that require investigation and fixing. As you can see from the table, CppCat and PVS-Studio have shown identical results. The reason is that the PVS-Studio analyzer with recommended settings uses the same set of diagnostics as CppCat. The total number of defects detected by the analyzers is 742 for CppCat and PVS-Studio each; 193 for Cppcheck; 116 for Visual Studio. Thus, CppCat and PVS-Studio detect 4 times more errors than Cppcheck and 6 times more errors than Visual Studio's built-in analyzer. Conclusion The CppCat and PVS-Studio analyzers have proved to be evident leaders in the number of revealed genuine and potential defects.

3. References 1. Evgeniy Ryzhkov, Andrey Karpov, Paul Eremeev, Svyatoslav Razmyslov. "How we compared code analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio".

Comparison of static code analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to Comparison of static code analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio

Similar to Comparison of static code analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio (20)

More from Andrey Karpov

More from Andrey Karpov (20)

Recently uploaded

Recently uploaded (20)

Comparison of static code analyzers: CppCat, Cppcheck, PVS-Studio and Visual Studio