PVS-Studio is a static code analyzer for C, C++, and C++11 applications designed to detect various types of errors, including 64-bit and parallel programming issues. It integrates with major IDEs like Visual Studio and provides features like incremental analysis, continuous integration support, and interactive filtering of error messages. The company offers a simple pricing model based on team size, with a standard license costing €5250 for up to five developers.

1. PVS-Studio,
a solution for developers of modern
resource-intensive applications
OOO “Program Verification Systems” (Co Ltd)
www.viva64.com

2. PVS-Studio Overview
PVS-Studio is a static analyzer that
detects errors in source code of C, C++,
C++11, C++/CX applications.
There are 3 sets of rules included into
PVS-Studio:
1. General-purpose diagnosis
2. Diagnosis of 64-bit errors (Viva64)
3. Diagnosis of parallel errors (VivaMP)

3. Examples of errors we detect

4. Priority of & and ! operations
Return to Castle Wolfenstein – computer game, first
person shooter, developed by id Software company. Game
engine is available under GPL license.
#define SVF_CASTAI 0x00000010
if ( !ent->r.svFlags & SVF_CASTAI )
if ( ! (ent->r.svFlags & SVF_CASTAI) )

5. Usage of && instead of &
Stickies – yellow sticky notes, just only on your
monitor.
#define REO_INPLACEACTIVE (0x02000000L)
#define REO_OPEN (0x04000000L)
if (reObj.dwFlags && REO_INPLACEACTIVE)
m_pRichEditOle->InPlaceDeactivate();
if(reObj.dwFlags && REO_OPEN)
hr = reObj.poleobj->Close(OLECLOSE_NOSAVE);

6. Undefined behavior
Miranda IM (Miranda Instant Messenger) –
instant messaging software for Microsoft
Windows.
while (*(n = ++s + strspn(s, EZXML_WS)) && *n != '>') {

7. Usage of `delete` for an array
Chromium – open source web browser developed by
Google. The development of Google Chrome browser is
based upon Chromium.
auto_ptr<VARIANT> child_array(new VARIANT[child_count]);
You should not use auto_ptr with arrays. Only one element is destroyed inside
auto_ptr destructor:
~auto_ptr() {
delete _Myptr;
}
For example you can use boost::scoped_array as an alternative.

8. Condition is always true
WinDjView is fast and small app for viewing
files of DjVu format.
inline bool IsValidChar(int c)
{
return c == 0x9 || 0xA || c == 0xD || c >= 0x20 && c <= 0xD7FF
|| c >= 0xE000 && c <= 0xFFFD || c >= 0x10000 && c <= 0x10FFFF;
}

9. Code formatting differs from it’s own
logic
Squirrel – interpreted programming
language, which is developed to be used as
a scripting language in real time
applications such as computer games.
if(pushval != 0)
if(pushval) v->GetUp(-1) = t;
else
v->Pop(1);
v->Pop(1); - will never be reached

10. Incidental local variable declaration
FCE Ultra – open source Nintendo Entertainment
System console emulator
int iNesSaveAs(char* name)
{
...
fp = fopen(name,"wb");
int x = 0;
if (!fp)
int x = 1;
...
}

11. Using char as unsigned char
// check each line for illegal utf8 sequences.
// If one is found, we treat the file as ASCII,
// otherwise we assume an UTF8 file.
char * utf8CheckBuf = lineptr;
while ((bUTF8)&&(*utf8CheckBuf))
{
if ((*utf8CheckBuf == 0xC0)||
(*utf8CheckBuf == 0xC1)||
(*utf8CheckBuf >= 0xF5))
{
bUTF8 = false;
break;
}
TortoiseSVN — client of Subversion revision control system,
implemented as Windows shell extension.

12. Incidental use of octal values
oCell._luminance = uint16(0.2220f*iPixel._red +
0.7067f*iPixel._blue +
0.0713f*iPixel._green);
....
oCell._luminance = 2220*iPixel._red +
7067*iPixel._blue +
0713*iPixel._green;
eLynx Image Processing SDK and Lab

13. One variable is used for two loops
Lugaru — first commercial game developed by
Wolfire Games independent team.
static int i,j,k,l,m;
...
for(j=0; j<numrepeats; j++){
...
for(i=0; i<num_joints; i++){
...
for(j=0;j<num_joints;j++){
if(joints[j].locked)freely=0;
}
...
}
...
}

14. Array overrun
LAME – free app for MP3 audio encoding.
#define SBMAX_l 22
int l[1+SBMAX_l];
for (r0 = 0; r0 < 16; r0++) {
...
for (r1 = 0; r1 < 8; r1++) {
int a2 = gfc->scalefac_band.l[r0 + r1 + 2];

15. Priority of * and ++ operations
eMule is a client for ED2K file sharing network.
STDMETHODIMP CCustomAutoComplete::Next(...,
ULONG *pceltFetched)
{
...
if (pceltFetched != NULL)
*pceltFetched++;
...
}
(*pceltFetched)++;

16. Comparison mistake
WinMerge — free open source software intended for
the comparison and synchronization of files and
directories.
BUFFERTYPE m_nBufferType[2];
...
// Handle unnamed buffers
if ((m_nBufferType[nBuffer] == BUFFER_UNNAMED) ||
(m_nBufferType[nBuffer] == BUFFER_UNNAMED))
nSaveErrorCode = SAVE_NO_FILENAME;
By reviewing the code close by, this should contain:
(m_nBufferType[0] == BUFFER_UNNAMED) ||
(m_nBufferType[1] == BUFFER_UNNAMED)

17. Forgotten array index
void lNormalizeVector_32f_P3IM(..., Ipp32s* mask, ...) {
Ipp32s i;
Ipp32f norm;
for(i=0; i<len; i++) {
if(mask<0) continue;
...
}
}
if(mask[i]<0) continue;
IPP Samples are samples demonstrating how to
work with Intel Performance Primitives Library
7.0.

18. Identical source code branches
Notepad++ - free text editor for Windows supporting
syntax highlight for a variety of programming languages.
if (!_isVertical) if (!_isVertical)
Flags |= DT_BOTTOM; Flags |= DT_VCENTER;
else else
Flags |= DT_BOTTOM; Flags |= DT_BOTTOM;

19. Calling incorrect function with similar
name
What a beautiful comment. But it is sad that here we’re doing not what was
intended.
/** Deletes all previous field specifiers.
* This should be used when dealing
* with clients that send multiple NEP_PACKET_SPEC
* messages, so only the last PacketSpec is taken
* into account. */
int NEPContext::resetClientFieldSpecs(){
this->fspecs.empty();
return OP_SUCCESS;
} /* End of resetClientFieldSpecs() */
Nmap Security Scanner – free utility intended for
diverse customizable scanning of IP-networks with
any number of objects and for identification of the
statuses of the objects belonging to the network
which is being scanned.

20. Dangerous ?: operator
Newton Game Dynamics – a well known physics
engine which allows for reliable and fast simulation
of environmental object’s physical behavior.
den = dgFloat32 (1.0e-24f) *
(den > dgFloat32(0.0f)) ? dgFloat32(1.0f) : dgFloat32(-1.0f);
The priority of ?: is lower than that of multiplication operator *.

21. And so on, and so on…
if((t=(char *)realloc(
next->name, strlen(name+1)))) FCE Ultra
if((t=(char *)realloc(
next->name, strlen(name)+1)))
minX=max(0,minX+mcLeftStart-2);
minY=max(0,minY+mcTopStart-2);
maxX=min((int)width,maxX+mcRightEnd-1);
maxY=min((int)height,maxX+mcBottomEnd-1);
minX=max(0,minX+mcLeftStart-2);
minY=max(0,minY+mcTopStart-2);
maxX=min((int)width,maxX+mcRightEnd-1);
maxY=min((int)height,maxY+mcBottomEnd-1);

22. Low level memory management
operations
ID_INLINE mat3_t::mat3_t( float src[3][3] ) Return to Castle
{
Wolfenstein
memcpy( mat, src, sizeof( src ) );
}
ID_INLINE mat3_t::mat3_t( float (&src)[3][3] )
{
memcpy( mat, src, sizeof( src ) );
}
itemInfo_t *itemInfo;
memset( itemInfo, 0, sizeof( &itemInfo ) );
memset( itemInfo, 0, sizeof( *itemInfo ) );

23. Low level memory management
operations
CxImage – open image processing library.
memset(tcmpt->stepsizes, 0,
sizeof(tcmpt->numstepsizes * sizeof(uint_fast16_t)));
memset(tcmpt->stepsizes, 0,
tcmpt->numstepsizes * sizeof(uint_fast16_t));

24. Low level memory management
operations
A beautiful example of 64-bit error:
dgInt32 faceOffsetHitogram[256];
dgSubMesh* mainSegmenst[256];
memset (faceOffsetHitogram, 0, sizeof (faceOffsetHitogram));
memset (mainSegmenst, 0, sizeof (faceOffsetHitogram));
This code was duplicated but was not entirely corrected. As a result the
size of pointer will not be equal to the size of dgInt32 type on Win64 and
we will flush only a fraction of mainSegmenst array.

25. Low level memory management
operations
#define CONT_MAP_MAX 50
int _iContMap[CONT_MAP_MAX];
...
memset(_iContMap, -1, CONT_MAP_MAX);
memset(_iContMap, -1, CONT_MAP_MAX * sizeof(int));

26. Low level memory management
operations
OGRE — open source Object-Oriented Graphics
Rendering Engine written in C++.
Real w, x, y, z;
...
inline Quaternion(Real* valptr)
{
memcpy(&w, valptr, sizeof(Real)*4);
}
Yes, at present
this is not a
mistake.
But it is a
landmine!

27. And a whole lot of other errors in well
known projects
• WinMerge
• Chromium, Return to Castle Wolfenstein, etc
• Miranda IM
• Intel IPP Samples
• Fennec Media Project
• Ultimate Toolbox
• Loki
• eMule Plus, Pixie, VirtualDub, WinMerge, XUIFramework
• Chromium
• Qt
• Apache HTTP Server
• TortoiseSVN
Here are the links to the articles containing descriptions of the errors:
http://www.viva64.com/en/pvs-studio/

28. Types of detectable errors
• copy-paste errors;
• Incorrect formatting strings (printf);
• buffer overflow;
• Incorrect utilization of STL, WinAPI;
• ...
• errors concerning the migration of 32-bit
applications to 64-bit systems (Viva64);
• errors concerning the incorrect usage of
OpenMP;

29. Integration
• Visual Studio 2012: C, C++, C++11,
C++/CX (WinRT).
• Visual Studio 2010: C, C++, C++0x.
• Visual Studio 2008: C, C++.
• Visual Studio 2005: C, C++.
• Embarcadero RAD Studio XE3: C, C++, C++11.
• Embarcadero RAD Studio XE2: C, C++.
• MinGW: C, C++.

30. PVS-Studio Features
• Incremental Analysis – verification of newly compiled files;
• Verification of files which were recently modified several days ago;
• Verification of files by their filenames from within the text file list;
• continuous integration systems support;
• version control systems integration;
• ability to operate fro m command line interface;
• «False Alarms» marking;
• saving and loading of analysis results;
• utilizing all available cores and processors;
• interactive filters;
• Russian and English online documentation;
• Pdf documentation;

31. Integration with Visual Studio
2005/2008/2010/2012

32. Integration with
Embarcadero RAD Studio XE2/XE3

33. Incremental Analysis – verification of newly
compiled files
• you just work with Visual Studio as usual;
• compile by F7;
• the verification of newly compiled files will start in
background automatically;
• At the end of verification the notification will appear,
allowing you to inspect detected errors;

34. VCS and CI support
(revision control, continuous integration)
• launching from command line:
"C:Program Files (x86)PVS-Studiox64PVS-Studio.exe"
--sln-file "C:UsersevgDocuments OmniSampleOmniSample (vs2008).sln"
--plog-file "C:UsersevgDocumentsresult.plog"
--vcinstalldir "C:Program Files (x86)Microsoft Visual Studio 9.0VC"
--platform "x64"
--configuration "Release”
• sending the results by mail:
cmd.exe /c type result-log.plog.only_new_messages.txt
• commands for launching from CruiseControl.Net,
Hudson, Microsoft TFS are readily available

35. Interactive filters
• filtering messages without restarting the
analysis
• Filtering by errors’ code, by filenames
(including masks), by messages’ text, by
warning levels;
• displaying/hiding false alarms.

36. Integrated
help
reference
(description
of the
errors)

37. PVS-Studio Advantages
• Easy-to-download! You may download the PVS-Studio
distribution package without registering and filling in
any forms.
• Easy-to-try! The PVS-Studio program is implemented
as a plug-in for Visual Studio and Embarcadero RAD
Studio.
• Easy-to-buy! Unlike other code analyzers, we have
simple pricing and licensing policy.
• Easy-to-support! It is the analyzer's developers who
directly communicate with users, which enables you to
quickly get answers to even complicated questions
related to programming.

38. Pricing policy
• a license for a team of no more than five
developers is €5250;
• prolongation for one year – 80% of base price;
• the site license for teams with 20+
developers;

39. Information about company
OOO “Program Verification Systems” (Co Ltd)
300027, Russia, Tula, Metallurgov 70-1-88.
www.viva64.com
support@viva64.com
Working time: 09:00 – 18:00 (GMT +3:00)