PVS-Studio is a static code analyzer for C, C++, C#, and Java that detects bugs and vulnerabilities. It supports various compilers and IDE plugins. It uses data flow analysis, symbolic execution, pattern matching, and other techniques to detect bugs like buffer overflows, leaks, dead code, and undefined behavior. Over 700 diagnostics are implemented to date across the supported languages. The analyzer produces warnings classified by standard taxonomies. Users can exclude files, suppress warnings, and integrate it with continuous integration systems. Support and documentation is provided through online and PDF references.
PVS-Studio, a static analyzer detecting errors in the source code of C/C++/C+...Andrey Karpov
This document summarizes the features and capabilities of PVS-Studio, a static code analyzer for C/C++/C++11 code. It detects over 200 common and rare errors using general analysis diagnostics, finds code that can be optimized, and helps with porting code from 32-bit to 64-bit systems. PVS-Studio can be integrated into Visual Studio and run from the command line or by monitoring compiler launches. It analyzes code incrementally, provides help documentation, and has been used to find errors in many open source projects.
At some moment, long ago, we somehow started to cover in our articles any subject but the PVS-Studio tool itself. We told you about the projects we checked and the C++ language's subtle details; we told you how to create plugins in C# or how to launch PVS-Studio from the command line... But PVS-Studio is first of all meant for developers working in Visual Studio. We've done quite a lot to make it easier and more comfortable for them to use our tool. Yet this particular aspect usually stays off screen. Now I decided to improve that and tell you about the PVS-Studio plugin from scratch. If you are a Visual C++ user, this article is for you.
Overview of PVS-studio analyzer advanced features. PVS-Studio Standalone is an IDE/compiler independent tool which allows you to analyze your code and review analysis results.
PVS-Studio advertisement - static analysis of C/C++ codeAndrey Karpov
This document advertises the PVS-Studio static analyzer. It describes how using PVS-Studio reduces the number of errors in code of C/C++/C++11 projects and costs on code testing, debugging and maintenance. A lot of examples of errors are cited found by the analyzer in various Open-Source projects. The document describes PVS-Studio at the time of version 4.38 on October 12-th, 2011, and therefore does not describe the capabilities of the tool in the next versions. To learn about new capabilities, visit the product's site <a>http://www.viva64.com</a> or search for an updated version of this article.
PVS-Studio for Linux (CoreHard presentation)Andrey Karpov
This document discusses the development process of the Linux version of the static analysis tool PVS-Studio. It describes testing the tool on various open source projects written in C/C++ to identify compatibility issues. It also discusses integrating the tool with common build systems like Make, CMake, and QMake. The goal was to make the tool easily usable without complex installation or configuration. Based on feedback from beta tests, improvements were made to support non-standard compilers, handle false alarms better, and provide DEB/RPM packages. Ultimately the tool was integrated into large projects and made available as both a standalone analyzer and integrated with IDEs and build systems.
PVS-Studio is a static code analyzer that checks C, C++ and C# code for bugs. It supports projects developed with Windows (Visual Studio) and Linux (Clang, GCC). It integrates with tools like Visual Studio, SonarQube and supports standalone use. PVS-Studio detects many types of bugs like null pointer dereferences, uninitialized variables, dead code, buffer overflows, security issues and more. It has been effective at finding real bugs in major open source projects.
Static Code Analysis for Projects, Built on Unreal EngineAndrey Karpov
Why Do You Need Static Analysis? Detect errors early in the program development process. Get recommendations on code formatting. Check your spelling. Calculate various software metrics.
PVS-Studio, a static analyzer detecting errors in the source code of C/C++/C+...Andrey Karpov
This document summarizes the features and capabilities of PVS-Studio, a static code analyzer for C/C++/C++11 code. It detects over 200 common and rare errors using general analysis diagnostics, finds code that can be optimized, and helps with porting code from 32-bit to 64-bit systems. PVS-Studio can be integrated into Visual Studio and run from the command line or by monitoring compiler launches. It analyzes code incrementally, provides help documentation, and has been used to find errors in many open source projects.
At some moment, long ago, we somehow started to cover in our articles any subject but the PVS-Studio tool itself. We told you about the projects we checked and the C++ language's subtle details; we told you how to create plugins in C# or how to launch PVS-Studio from the command line... But PVS-Studio is first of all meant for developers working in Visual Studio. We've done quite a lot to make it easier and more comfortable for them to use our tool. Yet this particular aspect usually stays off screen. Now I decided to improve that and tell you about the PVS-Studio plugin from scratch. If you are a Visual C++ user, this article is for you.
Overview of PVS-studio analyzer advanced features. PVS-Studio Standalone is an IDE/compiler independent tool which allows you to analyze your code and review analysis results.
PVS-Studio advertisement - static analysis of C/C++ codeAndrey Karpov
This document advertises the PVS-Studio static analyzer. It describes how using PVS-Studio reduces the number of errors in code of C/C++/C++11 projects and costs on code testing, debugging and maintenance. A lot of examples of errors are cited found by the analyzer in various Open-Source projects. The document describes PVS-Studio at the time of version 4.38 on October 12-th, 2011, and therefore does not describe the capabilities of the tool in the next versions. To learn about new capabilities, visit the product's site <a>http://www.viva64.com</a> or search for an updated version of this article.
PVS-Studio for Linux (CoreHard presentation)Andrey Karpov
This document discusses the development process of the Linux version of the static analysis tool PVS-Studio. It describes testing the tool on various open source projects written in C/C++ to identify compatibility issues. It also discusses integrating the tool with common build systems like Make, CMake, and QMake. The goal was to make the tool easily usable without complex installation or configuration. Based on feedback from beta tests, improvements were made to support non-standard compilers, handle false alarms better, and provide DEB/RPM packages. Ultimately the tool was integrated into large projects and made available as both a standalone analyzer and integrated with IDEs and build systems.
PVS-Studio is a static code analyzer that checks C, C++ and C# code for bugs. It supports projects developed with Windows (Visual Studio) and Linux (Clang, GCC). It integrates with tools like Visual Studio, SonarQube and supports standalone use. PVS-Studio detects many types of bugs like null pointer dereferences, uninitialized variables, dead code, buffer overflows, security issues and more. It has been effective at finding real bugs in major open source projects.
Static Code Analysis for Projects, Built on Unreal EngineAndrey Karpov
Why Do You Need Static Analysis? Detect errors early in the program development process. Get recommendations on code formatting. Check your spelling. Calculate various software metrics.
Every now and then, we have to write articles about how we've checked another fresh version of some compiler. That's not really much fun. However, as practice shows, if we stop doing that for a while, folks start doubting whether PVS-Studio is worth its title of a good catcher of bugs and vulnerabilities. What if the new compiler can do that too? Sure, compilers evolve, but so does PVS-Studio – and it proves, again and again, its ability to catch bugs even in high-quality projects such as compilers.
PVS-Studio is ready to improve the code of Tizen operating systemAndrey Karpov
Objective. Contract agreement with PVS-Studio team concerning the error fixing and regular code audit.
Currently, PVS-Studio detects more than 10% of errors that are present in the code of the Tizen project.
In the case of regular use of PVS-Studio on the new code, about 20% of errors can be prevented.
I predict that PVS-Studio team can detect and fix about 27 000 errors in the Tizen project.
Date Processing Attracts Bugs or 77 Defects in Qt 6Andrey Karpov
The recent Qt 6 release compelled us to recheck the framework with PVS-Studio. In this article, we reviewed various interesting errors we found, for example, those related to processing dates. The errors we discovered prove that developers can greatly benefit from regularly checking their projects with tools like PVS-Studio.
This document summarizes the analysis of the Qt 5.2.1 framework using the PVS-Studio static analysis tool. PVS-Studio detected 14 typos in Qt's code, including mistakes in variable names, missing comparisons, and identical subexpressions. It also found issues like loss of accuracy from integer division and an error related to operator priority. Overall, the author concludes Qt's code is high-quality but still contains ordinary typos that static analysis can help catch. Regular use of these tools could help prevent bugs early in development.
How to Improve Visual C++ 2017 Libraries Using PVS-StudioPVS-Studio
The title of this article is a hint for the Visual Studio developers that they could benefit from the use of PVS-Studio static code analyzer. The article discusses the analysis results of the libraries in the recent Visual C++ 2017 release and gives advice on how to improve them and eliminate the bugs found. Read on to find out how the developers of Visual C++ Libraries shoot themselves in the foot: it's going to be interesting and informative.
IoT 개발자를 위한 Embedded C에서 Test Coverage를 추출해보자Taeyeop Kim
gcov is a tool that reports code coverage statistics when used with GCC. It shows which lines and sections of code were executed and which were not. lcov is a graphical front-end for gcov that produces HTML reports of code coverage. CppUTest is a C/C++ unit testing framework that can be configured to work with gcov to produce code coverage reports when tests are run.
One of the Microsoft development teams already uses PVS-Studio analyzer in their work. It's great, but it's not enough. That's why I keep demonstrating how static code analysis could benefit developers, using Microsoft projects as examples. We scanned Casablanca project three years ago and found nothing. As a tribute to its high quality, the project was awarded with a "bugless code" medal. As time went by, Casablanca developed and grew. PVS-Studio's capabilities, too, have significantly improved, and now I've finally got the opportunity to write an article about errors found by the analyzer in Casablanca project (C++ REST SDK). These errors are few, but the fact that their number is still big enough for me to make this article, does speak a lot in favor of PVS-Studio's effectiveness.
Rechecking TortoiseSVN with the PVS-Studio Code AnalyzerAndrey Karpov
The author downloaded and analyzed the source code of the TortoiseSVN project using the PVS-Studio static code analyzer. The analysis found several bugs, including identical comparisons, unsafe uses of formatting functions like printf(), and obsolete null checks after memory allocation. While many of the issues would not cause failures, some could lead to undefined behavior, especially in 64-bit systems where pointer sizes are larger than integer types. The author concludes by recommending regular use of static analysis to find bugs early.
Virtual machines are important tools in the arsenal of a software developer. Being an active user of VirtualBox, and checking various open source projects with the help of it, I was personally interested in checking its source code. We did the first check of this project in 2014, and the description of 50 errors barely fit into two articles. With the release of Windows 10 and VirtualBox 5.0.XX the stability of the program got significantly worse, in my humble opinion. So, I decided to check the project again.
We have checked the Windows 8 Driver Samples pack with our analyzer PVS-Studio and found various bugs in its samples. There is nothing horrible about it - bugs can be found everywhere, so the title of this article may sound a bit high-flown. But these particular errors may be really dangerous, as it is a usual practice for developers to use demo samples as a basis for their own projects or borrow code fragments from them.
The PVS-Studio team is now actively developing a static analyzer for C# code. The first version is expected by the end of 2015. And for now my task is to write a few articles to attract C# programmers' attention to our tool in advance. I've got an updated installer today, so we can now install PVS-Studio with C#-support enabled and even analyze some source code. Without further hesitation, I decided to scan whichever program I had at hand. This happened to be the Umbraco project. Of course we can't expect too much of the current version of the analyzer, but its functionality has been enough to allow me to write this small article.
Errors that static code analysis does not find because it is not usedAndrey Karpov
Readers of our articles occasionally note that the PVS-Studio static code analyzer detects a large number of errors that are insignificant and don't affect the application. It is really so. For the most part, important bugs have already been fixed due to manual testing, user feedback, and other expensive methods. At the same time, many of these errors could have been found at the code writing stage and corrected with minimal loss of time, reputation and money. This article will provide several examples of real errors, which could have been immediately fixed, if project authors had used static code analysis.
The document summarizes the results of analyzing the OpenCV computer vision library with the PVS-Studio code analyzer. Several real bugs were found in older versions of OpenCV and have since been fixed. New analysis of the current OpenCV version uncovered additional bugs, including copy-paste errors, meaningless loops, misprints in conditions, pointer errors, and poor test cases. The analysis demonstrates that static analysis is useful for finding real bugs in large, complex libraries like OpenCV during development.
We Continue Exploring Tizen: C# Components Proved to be of High QualityPVS-Studio
This time I go back again to the check of the Tizen project. In my recent post "Experiment of Bug Detection in the Code of C #Components of Tizen" in our blog, I analyzed the code of C# superficially and came to a conclusion that it makes sense to check the whole code of C# components of this project for errors using PVS-Studio and write the article about it. Right away, I would like to share with you the results of the work that I have done. I shall tell at once that PVS-Studio analyzer showed itself not on the bright side on C# code. Anyway, first things first: let's see what the analyzer found, and then we will deal with statistics and make conclusions.
Comparing Functionalities of PVS-Studio and CppCat Static Code AnalyzersAndrey Karpov
Our company develops two code analyzers to check C/C++ projects: PVS-Studio and CppCat. In this article, we are going to tell you about the functional differences between these two tools.
We continue checking Microsoft projects: analysis of PowerShellPVS-Studio
It has become a "good tradition" for Microsoft to make their products open-source: CoreFX, .Net Compiler Platform (Roslyn), Code Contracts, MSBuild, and other projects. For us, the developers of PVS-Studio analyzer, it's an opportunity to check well-known projects, tell people (including the project authors themselves) about the bugs we find, and additionally test our analyzer. Today we are going to talk about the errors found in another project by Microsoft, PowerShell.
In this article, we will speak about the static analysis of the doxygen documentation generator tool. This popular and widely used project, which, as its authors claim, not without reason, has become "the de facto standard tool for generating documentation from annotated C++ sources", has never been scanned by PVS-Studio before. Doxygen scans the program source code and generates the documentation relying on it. Now it's time for us to peep into its source files and see if PVS-Studio can find any interesting bugs there.
Waiting for the Linux-version: Checking the Code of Inkscape Graphics EditorPVS-Studio
In this article, I talk about the analysis results for another popular open-source project, vector graphics editor Inkscape 0.92. The project has been developing for over 12 years now and provides a large number of features to work with various vector-image formats. Over this time, its code base has grown up to 600 thousand lines of code, and now is the right time to check it with PVS-Studio static analyzer.
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...Andrey Karpov
One of the most relevant scenarios for using the PVS-Studio analyzer is its integration into CI systems. Even though a project analysis by PVS-Studio can already be embedded with just a few commands into almost any continuous integration system, we continue to make this process even more convenient. PVS-Studio now supports converting the analyzer output to the TeamCity format-TeamCity Inspections Type. Let's see how it works.
PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms.
Every now and then, we have to write articles about how we've checked another fresh version of some compiler. That's not really much fun. However, as practice shows, if we stop doing that for a while, folks start doubting whether PVS-Studio is worth its title of a good catcher of bugs and vulnerabilities. What if the new compiler can do that too? Sure, compilers evolve, but so does PVS-Studio – and it proves, again and again, its ability to catch bugs even in high-quality projects such as compilers.
PVS-Studio is ready to improve the code of Tizen operating systemAndrey Karpov
Objective. Contract agreement with PVS-Studio team concerning the error fixing and regular code audit.
Currently, PVS-Studio detects more than 10% of errors that are present in the code of the Tizen project.
In the case of regular use of PVS-Studio on the new code, about 20% of errors can be prevented.
I predict that PVS-Studio team can detect and fix about 27 000 errors in the Tizen project.
Date Processing Attracts Bugs or 77 Defects in Qt 6Andrey Karpov
The recent Qt 6 release compelled us to recheck the framework with PVS-Studio. In this article, we reviewed various interesting errors we found, for example, those related to processing dates. The errors we discovered prove that developers can greatly benefit from regularly checking their projects with tools like PVS-Studio.
This document summarizes the analysis of the Qt 5.2.1 framework using the PVS-Studio static analysis tool. PVS-Studio detected 14 typos in Qt's code, including mistakes in variable names, missing comparisons, and identical subexpressions. It also found issues like loss of accuracy from integer division and an error related to operator priority. Overall, the author concludes Qt's code is high-quality but still contains ordinary typos that static analysis can help catch. Regular use of these tools could help prevent bugs early in development.
How to Improve Visual C++ 2017 Libraries Using PVS-StudioPVS-Studio
The title of this article is a hint for the Visual Studio developers that they could benefit from the use of PVS-Studio static code analyzer. The article discusses the analysis results of the libraries in the recent Visual C++ 2017 release and gives advice on how to improve them and eliminate the bugs found. Read on to find out how the developers of Visual C++ Libraries shoot themselves in the foot: it's going to be interesting and informative.
IoT 개발자를 위한 Embedded C에서 Test Coverage를 추출해보자Taeyeop Kim
gcov is a tool that reports code coverage statistics when used with GCC. It shows which lines and sections of code were executed and which were not. lcov is a graphical front-end for gcov that produces HTML reports of code coverage. CppUTest is a C/C++ unit testing framework that can be configured to work with gcov to produce code coverage reports when tests are run.
One of the Microsoft development teams already uses PVS-Studio analyzer in their work. It's great, but it's not enough. That's why I keep demonstrating how static code analysis could benefit developers, using Microsoft projects as examples. We scanned Casablanca project three years ago and found nothing. As a tribute to its high quality, the project was awarded with a "bugless code" medal. As time went by, Casablanca developed and grew. PVS-Studio's capabilities, too, have significantly improved, and now I've finally got the opportunity to write an article about errors found by the analyzer in Casablanca project (C++ REST SDK). These errors are few, but the fact that their number is still big enough for me to make this article, does speak a lot in favor of PVS-Studio's effectiveness.
Rechecking TortoiseSVN with the PVS-Studio Code AnalyzerAndrey Karpov
The author downloaded and analyzed the source code of the TortoiseSVN project using the PVS-Studio static code analyzer. The analysis found several bugs, including identical comparisons, unsafe uses of formatting functions like printf(), and obsolete null checks after memory allocation. While many of the issues would not cause failures, some could lead to undefined behavior, especially in 64-bit systems where pointer sizes are larger than integer types. The author concludes by recommending regular use of static analysis to find bugs early.
Virtual machines are important tools in the arsenal of a software developer. Being an active user of VirtualBox, and checking various open source projects with the help of it, I was personally interested in checking its source code. We did the first check of this project in 2014, and the description of 50 errors barely fit into two articles. With the release of Windows 10 and VirtualBox 5.0.XX the stability of the program got significantly worse, in my humble opinion. So, I decided to check the project again.
We have checked the Windows 8 Driver Samples pack with our analyzer PVS-Studio and found various bugs in its samples. There is nothing horrible about it - bugs can be found everywhere, so the title of this article may sound a bit high-flown. But these particular errors may be really dangerous, as it is a usual practice for developers to use demo samples as a basis for their own projects or borrow code fragments from them.
The PVS-Studio team is now actively developing a static analyzer for C# code. The first version is expected by the end of 2015. And for now my task is to write a few articles to attract C# programmers' attention to our tool in advance. I've got an updated installer today, so we can now install PVS-Studio with C#-support enabled and even analyze some source code. Without further hesitation, I decided to scan whichever program I had at hand. This happened to be the Umbraco project. Of course we can't expect too much of the current version of the analyzer, but its functionality has been enough to allow me to write this small article.
Errors that static code analysis does not find because it is not usedAndrey Karpov
Readers of our articles occasionally note that the PVS-Studio static code analyzer detects a large number of errors that are insignificant and don't affect the application. It is really so. For the most part, important bugs have already been fixed due to manual testing, user feedback, and other expensive methods. At the same time, many of these errors could have been found at the code writing stage and corrected with minimal loss of time, reputation and money. This article will provide several examples of real errors, which could have been immediately fixed, if project authors had used static code analysis.
The document summarizes the results of analyzing the OpenCV computer vision library with the PVS-Studio code analyzer. Several real bugs were found in older versions of OpenCV and have since been fixed. New analysis of the current OpenCV version uncovered additional bugs, including copy-paste errors, meaningless loops, misprints in conditions, pointer errors, and poor test cases. The analysis demonstrates that static analysis is useful for finding real bugs in large, complex libraries like OpenCV during development.
We Continue Exploring Tizen: C# Components Proved to be of High QualityPVS-Studio
This time I go back again to the check of the Tizen project. In my recent post "Experiment of Bug Detection in the Code of C #Components of Tizen" in our blog, I analyzed the code of C# superficially and came to a conclusion that it makes sense to check the whole code of C# components of this project for errors using PVS-Studio and write the article about it. Right away, I would like to share with you the results of the work that I have done. I shall tell at once that PVS-Studio analyzer showed itself not on the bright side on C# code. Anyway, first things first: let's see what the analyzer found, and then we will deal with statistics and make conclusions.
Comparing Functionalities of PVS-Studio and CppCat Static Code AnalyzersAndrey Karpov
Our company develops two code analyzers to check C/C++ projects: PVS-Studio and CppCat. In this article, we are going to tell you about the functional differences between these two tools.
We continue checking Microsoft projects: analysis of PowerShellPVS-Studio
It has become a "good tradition" for Microsoft to make their products open-source: CoreFX, .Net Compiler Platform (Roslyn), Code Contracts, MSBuild, and other projects. For us, the developers of PVS-Studio analyzer, it's an opportunity to check well-known projects, tell people (including the project authors themselves) about the bugs we find, and additionally test our analyzer. Today we are going to talk about the errors found in another project by Microsoft, PowerShell.
In this article, we will speak about the static analysis of the doxygen documentation generator tool. This popular and widely used project, which, as its authors claim, not without reason, has become "the de facto standard tool for generating documentation from annotated C++ sources", has never been scanned by PVS-Studio before. Doxygen scans the program source code and generates the documentation relying on it. Now it's time for us to peep into its source files and see if PVS-Studio can find any interesting bugs there.
Waiting for the Linux-version: Checking the Code of Inkscape Graphics EditorPVS-Studio
In this article, I talk about the analysis results for another popular open-source project, vector graphics editor Inkscape 0.92. The project has been developing for over 12 years now and provides a large number of features to work with various vector-image formats. Over this time, its code base has grown up to 600 thousand lines of code, and now is the right time to check it with PVS-Studio static analyzer.
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...Andrey Karpov
One of the most relevant scenarios for using the PVS-Studio analyzer is its integration into CI systems. Even though a project analysis by PVS-Studio can already be embedded with just a few commands into almost any continuous integration system, we continue to make this process even more convenient. PVS-Studio now supports converting the analyzer output to the TeamCity format-TeamCity Inspections Type. Let's see how it works.
PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms.
Story of static code analyzer developmentAndrey Karpov
The document discusses the history and development of static code analyzers. It describes how early tools used regular expressions that were ineffective for complex code analysis. Modern static analyzers overcome these limitations through techniques like type inference, data flow analysis, symbolic execution, and pattern-based analysis. They also leverage method annotations and a mixture of analysis approaches. While machine learning is hyped, static analysis remains very challenging due to the complexity of code and rapid language evolution.
Detection of errors and potential vulnerabilities in C and C++ code using the...Andrey Karpov
The document discusses static analysis of C/C++ code using the PVS-Studio analyzer. It provides examples of errors found by PVS-Studio in various projects, including uninitialized buffers, potential null pointer dereferences, and array overruns. It also describes some of the techniques used by PVS-Studio, such as type inference, data flow analysis, symbolic execution, and pattern-based analysis to detect errors. Method annotations are used to provide information about standard library functions to improve analysis accuracy.
MASTER-CLASS: "CODE COVERAGE ON Μ-CONTROLLER" Sebastian GötzingerIevgenii Katsan
Verifysoft provides a code coverage tool called Testwell CTC++ that analyzes test coverage of C/C++ code. The presentation discusses why code coverage is important, how it works, its support for embedded targets and compilers, and its integration with IDEs. It also covers safety standards requirements, different coverage levels, reports, and the low instrumentation overhead.
Are С and C++ Alive? Even More, IBM RPG Is! C and C++ Are Not Just for Old Systems. Are С and C++ Alive? Summary for C, C++. Embedded: C and С++ Are on the Rise.
PVS-Studio for Linux Went on a Tour Around DisneyPVS-Studio
Recently we released a Linux version of PVS-Studio analyzer, which we had used before to check a number of open-source projects such as Chromium, GCC, LLVM (Clang), and others. Now this list includes several projects developed by Walt Disney Animation Studios for the community of virtual-reality developers. Let's see what bugs and defects the analyzer found in these projects.
How to instantiate any view controller for freeBenotCaron
The document describes how to create a debug view that instantiates any view controller for an app. It explains that the ObjectiveC runtime can be used to retrieve a list of all view controller classes in a bundle. An extension on Bundle is defined to retrieve all view controllers. Protocols are defined to configure view controllers for the debug view and provide initial data based on different use cases. The ControllerFactory library on GitHub implements this to allow instantiating any view controller for debugging purposes.
EVERYTHING ABOUT STATIC CODE ANALYSIS FOR A JAVA PROGRAMMERAndrey Karpov
Static code analysis tools can analyze Java programs to find defects without executing the code. They use techniques like pattern matching, type inference, data flow analysis and symbolic execution. PVS-Studio is a static analysis tool for Java that was created using lessons from a C++ analyzer. It finds bugs like integer divisions by zero, dead code, copy-paste errors and other defects. Integrating static analysis into development processes helps improve code quality over time by detecting and fixing issues early.
Technologies used in the PVS-Studio code analyzer for finding bugs and potent...Andrey Karpov
A brief description of technologies used in the PVS-Studio tool, which let us effectively detect a large number of error patterns and potential vulnerabilities. The article describes the implementation of the analyzer for C and C++ code, but this information is applicable for modules responsible for the analysis of C# and Java code.
"Ускорение сборки большого проекта на Objective-C + Swift" Иван Бондарь (Avito)AvitoTech
После внедрения Swift в проект значительно увеличилось время сборки, что стало для нас существенным препятствием. В своём докладе я расскажу о том, как мы решили эту проблему, сократив время компиляции более чем в два раза.
Code coverage is a measure of how much source code is covered during testing. It is not a goal in itself but can be used pragmatically to improve testing in several ways. Coverage data should be filtered and combined with other metrics to prioritize test development and focus on the most important or risky code. While 100% coverage may not be needed or prove quality, coverage is a useful tool when used properly along with other techniques rather than in isolation or as the only metric.
.NET Code Coverage for Continuous Integrationusing TeamCity and dotCoverMaarten Balliauw
How much of our code is being covered by our unit tests? Are there areas we are not testing? By capturing code coverage data during a test run, we can analyze which areas of our applications are well-tested and which ones require additional tests to be written. And where better to capture code coverage information than on our build server?
In this webinar we will use dotCover to collect code coverage information while running tests in our CI process. We will see how we can configure code coverage and how we can use the TeamCity Visual Studio plugin to download the coverage snapshot generated on the build server and inspect it using dotCover on a developer machine.
The document describes experiments measuring the performance of two algorithms for counting digits in numbers from 1 to a target number: a linear O(n) algorithm and a logarithmic O(log(n)) algorithm. Testing showed the linear algorithm had poor performance for large target numbers like 10^11, taking over 7 hours to run, while the logarithmic algorithm scaled well. A complete demo program was created to test number ranges from 10^0 to 10^19 and display average runtimes.
This document provides 7 reasons to move C++ code to Visual Studio 2017. It highlights improvements in performance, diagnostics, and features for editing, debugging, testing, and committing code. Specific enhancements mentioned include faster IntelliSense, new compiler warnings, improved error experience, and support for additional unit test frameworks and languages. Benchmark results show Visual Studio 2017 providing better performance than 2015 for SPEC CPU2017 tests.
當線上運作環境發生問題時,如何在最短時間找出問題核心?我們使用 counter 這個工具來解決。Counter 是在程式裡的一行程式碼,用來記錄感興趣的事件。本演講包含以下內容:Golang counter 程式碼範例,後台系統架構,線上 dashboard,以及如何使用 counter 來偵錯,甚至可以一路追至某一行程式碼。另外,本演講會提及幾個有趣的應用:counter 如何協助定期伺服器更新,如何使用 counter 協助 autoscaling,以及未來的應用。
When production alert triggers, how to identify the root cause within the shortest amount of time? We solve the problem by counter, a line of code inserted by developer to count interesting events. In this talk, we'll cover the following topics: 1) how counter looks like in Golang production code, 2) our counter pipeline, 3) service dashboard with counters, 4) how to use counter to find production issues all the way to certain line of code. We'll also cover a few interesting counter use-cases, including: 1) How counter helps our weekly server upgrade, 2) Use counter for autoscaling, and 3) case-studies to demonstrate what counter can do when outages happen.
This presentation covers:
The main components in the connectivity path.
Best practices in your code to avoid connectivity issues.
How to solve most common connectivity problems.
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOpsAndrey Karpov
The document discusses integrating the PVS-Studio static code analyzer with Azure DevOps and Chocolatey. It provides steps to configure a build pipeline in Azure DevOps to install PVS-Studio using Chocolatey, run analysis on a project, and publish the results. The analysis found several potential bugs in the Chocolatey code including logical errors, redundant checks, and null reference issues. Integrating PVS-Studio with these tools helps improve code quality.
Observability in a Dynamically Scheduled WorldSneha Inguva
The industry is moving toward a microservices architecture, and many companies have embraced container orchestration solutions such as Kubernetes. DigitalOcean is no different. Over the past year, DigitalOcean’s Delivery team has been building a runtime platform based on Kubernetes with the goal of making shipping code easier. The system has empowered service owners to quickly and efficiently deploy and update their applications. A vital component is a white box monitoring and alerting solution based on Prometheus and Alertmanager.
Sneha Inguva offers an overview of the system and shares problems encountered, potential solutions, and key lessons learned in the process. Sneha dives into the setup of Prometheus and Alertmanager that allows service owners to instrument their own metrics and alerts, explaining the service owner’s point of view and the internals that allow for the dynamic addition of alerts, and offers a glimpse of future modifications to the system. Join in to learn how to leverage open source tools for your monitoring and alerting needs.
Similar to PVS-Studio features overview (2020) (20)
Здесь вы найдёте 60 вредных советов для программистов и пояснение, почему они вредные. Всё будет одновременно в шутку и серьёзно. Как бы глупо ни смотрелся вредный совет, он не выдуман, а подсмотрен в реальном мире программирования.
In this article, you're going to find 60 terrible coding tips — and explanations of why they are terrible. It's a fun and serious piece at the same time. No matter how terrible these tips look, they aren't fiction, they are real: we saw them all in the real programming world.
Ошибки, которые сложно заметить на code review, но которые находятся статичес...Andrey Karpov
Есть ошибки, которые легко прячутся от программистов на обзорах кода. Чаще всего они связаны с опечатками или недостаточным знанием тонких нюансах языка/библиотеки. Давайте посмотрим интересные примеры таких ошибок и как их можно выявить с помощью статического анализа. При этом анализаторы не конкурируют с обзорами кода или, например, юнит-тестами. Они отлично дополняют другие методологии борьбы с ошибками.
PVS-Studio analyzes source code and finds various errors and code quality issues across multiple languages and frameworks. The document highlights 20 examples of issues found, including uninitialized variables, unreachable code, incorrect operations, security flaws, and typos. PVS-Studio is able to find these issues using techniques such as data-flow analysis, method annotation analysis, symbolic execution, type inference, and pattern-based analysis to precisely evaluate the code and pinpoint potential bugs or code smells.
When should you start using PVS-Studio? What can PVS-Studio detect? Supported standards: MISRA, CWE, CERT, OWASP, AUTOSAR. What about analysis options? What about legacy code?
Двойное освобождение ресурсов. Недостижимый код. Некорректные операции сдвига. Неправильная работа с типами. Опечатки и copy-paste. Проблемы безопасности. Путаница с приоритетом операций.
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...Andrey Karpov
George Gribkov presented on how to introduce static analysis to make programmers' and QA engineers' lives easier. Static analysis automatically checks code for bugs without executing it. While initial attempts to analyze Unreal Engine 4 failed, monitoring compiler calls directly succeeded in finding over 1800 warnings. Epic Games now uses continuous static analysis to receive early warnings. The best practices are to start analysis early and regularly in development and CI/CD pipelines, and to gradually fix old warnings using suppression files to ratchet down reported issues over time. Static and dynamic analysis complement each other to thoroughly check for errors.
Best Bugs from Games: Fellow Programmers' MistakesAndrey Karpov
George Gribkov will present on errors found in the code of popular games like System Shock, Doom 3, and osu!. He will discuss how his tool searches for code errors, provide examples of bugs detected, and conclude his presentation. The examples will showcase issues like unused variables, incorrect increment variables in for loops, null pointer dereferences, and misunderstandings of operators like ??. Corrections will be proposed to address the bugs.
Does static analysis need machine learning?Andrey Karpov
This document discusses whether static analysis needs machine learning. It begins with an introduction to static analysis and outlines existing static analysis solutions like DeepCode, Infer, SapFix, Embold, Source{d}, Clever-Commit, and CodeGuru. It then addresses problems with learning manually or from real large code bases, like outdated code and lack of documentation. Finally, it discusses promising approaches like analyzing code style, collecting additional metrics, and best practices for specific frameworks.
Typical errors in code on the example of C++, C#, and JavaAndrey Karpov
Objectives of this webinar
How we detected error patterns
Patterns themselves and how to avoid them:
3.1 Copy-paste and last line effect
3.2 if (A) {...} else if (A)
3.3 Errors in checks
3.4 Array index out of bounds
3.5 Operator precedence
3.6 Typos that are hard to spot
How to use static analysis properly
Conclusion
Q&A
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)Andrey Karpov
How to fight bugs in legacy code?
Should you do it at all?
What to do if there are hundreds or even thousands of errors?(that’s usually the case)
How to avoid spending a plethora of man-hours on this?
And still, how did you work with Unreal Engine?
C++ Code as Seen by a Hypercritical ReviewerAndrey Karpov
We all do code reviews. Who doesn't admit this – does it twice as often. C++ code reviewers look like a sapper. .. except that they can make a mistake more than once. But sometimes the consequences are painful . Brave code review world.
The Use of Static Code Analysis When Teaching or Developing Open-Source SoftwareAndrey Karpov
The document discusses using static code analysis when teaching or developing open-source software. It outlines how static analysis can help instructors check student homework and projects more efficiently, and help students learn about error patterns. When using static analysis for open-source projects, it recommends integrating it into developers' workflows locally and via continuous integration systems. Regular use is key to maximizing its benefits for finding and fixing bugs.
Zero, one, two, Freddy's coming for youAndrey Karpov
This post continues the series of articles, which can well be called "horrors for developers". This time it will also touch upon a typical pattern of typos related to the usage of numbers 0, 1, 2. The language you're writing in doesn't really matter: it can be C, C++, C#, or Java. If you're using constants 0, 1, 2 or variables' names contain these numbers, most likely, Freddy will come to visit you at night. Go on, read and don't say we didn't warn you.
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...Andrey Karpov
A Zero-day (0-day) vulnerability is a computer-software vulnerability introduced during the development process and not yet discovered by the developers. Zero-day vulnerabilities can be exploited by hackers, thus affecting the company's reputation. Developers should seek to minimize the number of defects leading to such vulnerabilities. PVS-Studio, a static code analyzer for C, C++, C#, and Java code, is one of the tools capable of detecting security issues.
Analysis of commits and pull requests in Travis CI, Buddy and AppVeyor using ...Andrey Karpov
Starting from the version 7.04, the PVS-Studio analyzer for C and C++ languages on Linux and macOS provides the test feature of checking the list of specified files. Using the new mode, you can configure the analyzer to check commits and pull requests. This article covers setting up the check of certain modified files from a GitHub project in such popular CI (Continuous Integration) systems, as Travis CI, Buddy and AppVeyor.
This is a new piece of our series of articles about using the PVS-Studio static analyzer with cloud CI systems. Today we are going to look at another service, CircleCI. We'll take the Kodi media player application as a test project and see if we can find any interesting bugs in its source code.
The document discusses configuring the PVS-Studio static code analyzer on the Azure DevOps cloud platform. It provides steps to integrate the analyzer using both Microsoft-hosted and self-hosted agents. Examples of bugs found by the analyzer in the ShareX project are presented, including redundant checks, incorrect assumptions, and a bug in pixelation logic that causes transparency issues. The pixelation bug demonstration highlights how visualizing issues can aid understanding.
The Comprehensive Guide to Validating Audio-Visual Performances.pdfkalichargn70th171
Ensuring the optimal performance of your audio-visual (AV) equipment is crucial for delivering exceptional experiences. AV performance validation is a critical process that verifies the quality and functionality of your AV setup. Whether you're a content creator, a business conducting webinars, or a homeowner creating a home theater, validating your AV performance is essential.
Enhanced Screen Flows UI/UX using SLDS with Tom KittPeter Caitens
Join us for an engaging session led by Flow Champion, Tom Kitt. This session will dive into a technique of enhancing the user interfaces and user experiences within Screen Flows using the Salesforce Lightning Design System (SLDS). This technique uses Native functionality, with No Apex Code, No Custom Components and No Managed Packages required.
The Role of DevOps in Digital Transformation.pdfmohitd6
DevOps plays a crucial role in driving digital transformation by fostering a collaborative culture between development and operations teams. This approach enhances the speed and efficiency of software delivery, ensuring quicker deployment of new features and updates. DevOps practices like continuous integration and continuous delivery (CI/CD) streamline workflows, reduce manual errors, and increase the overall reliability of software systems. By leveraging automation and monitoring tools, organizations can improve system stability, enhance customer experiences, and maintain a competitive edge. Ultimately, DevOps is pivotal in enabling businesses to innovate rapidly, respond to market changes, and achieve their digital transformation goals.
What is Continuous Testing in DevOps - A Definitive Guide.pdfkalichargn70th171
Once an overlooked aspect, continuous testing has become indispensable for enterprises striving to accelerate application delivery and reduce business impacts. According to a Statista report, 31.3% of global enterprises have embraced continuous integration and deployment within their DevOps, signaling a pervasive trend toward hastening release cycles.
Nashik's top web development company, Upturn India Technologies, crafts innovative digital solutions for your success. Partner with us and achieve your goals
14 th Edition of International conference on computer visionShulagnaSarkar2
About the event
14th Edition of International conference on computer vision
Computer conferences organized by ScienceFather group. ScienceFather takes the privilege to invite speakers participants students delegates and exhibitors from across the globe to its International Conference on computer conferences to be held in the Various Beautiful cites of the world. computer conferences are a discussion of common Inventions-related issues and additionally trade information share proof thoughts and insight into advanced developments in the science inventions service system. New technology may create many materials and devices with a vast range of applications such as in Science medicine electronics biomaterials energy production and consumer products.
Nomination are Open!! Don't Miss it
Visit: computer.scifat.com
Award Nomination: https://x-i.me/ishnom
Conference Submission: https://x-i.me/anicon
For Enquiry: Computer@scifat.com
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...Paul Brebner
Closing talk for the Performance Engineering track at Community Over Code EU (Bratislava, Slovakia, June 5 2024) https://eu.communityovercode.org/sessions/2024/why-apache-kafka-clusters-are-like-galaxies-and-other-cosmic-kafka-quandaries-explored/ Instaclustr (now part of NetApp) manages 100s of Apache Kafka clusters of many different sizes, for a variety of use cases and customers. For the last 7 years I’ve been focused outwardly on exploring Kafka application development challenges, but recently I decided to look inward and see what I could discover about the performance, scalability and resource characteristics of the Kafka clusters themselves. Using a suite of Performance Engineering techniques, I will reveal some surprising discoveries about cosmic Kafka mysteries in our data centres, related to: cluster sizes and distribution (using Zipf’s Law), horizontal vs. vertical scalability, and predicting Kafka performance using metrics, modelling and regression techniques. These insights are relevant to Kafka developers and operators.
Penify - Let AI do the Documentation, you write the Code.KrishnaveniMohan1
Penify automates the software documentation process for Git repositories. Every time a code modification is merged into "main", Penify uses a Large Language Model to generate documentation for the updated code. This automation covers multiple documentation layers, including InCode Documentation, API Documentation, Architectural Documentation, and PR documentation, each designed to improve different aspects of the development process. By taking over the entire documentation process, Penify tackles the common problem of documentation becoming outdated as the code evolves.
https://www.penify.dev/
Consistent toolbox talks are critical for maintaining workplace safety, as they provide regular opportunities to address specific hazards and reinforce safe practices.
These brief, focused sessions ensure that safety is a continual conversation rather than a one-time event, which helps keep safety protocols fresh in employees' minds. Studies have shown that shorter, more frequent training sessions are more effective for retention and behavior change compared to longer, infrequent sessions.
Engaging workers regularly, toolbox talks promote a culture of safety, empower employees to voice concerns, and ultimately reduce the likelihood of accidents and injuries on site.
The traditional method of conducting safety talks with paper documents and lengthy meetings is not only time-consuming but also less effective. Manual tracking of attendance and compliance is prone to errors and inconsistencies, leading to gaps in safety communication and potential non-compliance with OSHA regulations. Switching to a digital solution like Safelyio offers significant advantages.
Safelyio automates the delivery and documentation of safety talks, ensuring consistency and accessibility. The microlearning approach breaks down complex safety protocols into manageable, bite-sized pieces, making it easier for employees to absorb and retain information.
This method minimizes disruptions to work schedules, eliminates the hassle of paperwork, and ensures that all safety communications are tracked and recorded accurately. Ultimately, using a digital platform like Safelyio enhances engagement, compliance, and overall safety performance on site. https://safelyio.com/
WWDC 2024 Keynote Review: For CocoaCoders AustinPatrick Weigel
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
Alluxio Webinar | 10x Faster Trino Queries on Your Data PlatformAlluxio, Inc.
Alluxio Webinar
June. 18, 2024
For more Alluxio Events: https://www.alluxio.io/events/
Speaker:
- Jianjian Xie (Staff Software Engineer, Alluxio)
As Trino users increasingly rely on cloud object storage for retrieving data, speed and cloud cost have become major challenges. The separation of compute and storage creates latency challenges when querying datasets; scanning data between storage and compute tiers becomes I/O bound. On the other hand, cloud API costs related to GET/LIST operations and cross-region data transfer add up quickly.
The newly introduced Trino file system cache by Alluxio aims to overcome the above challenges. In this session, Jianjian will dive into Trino data caching strategies, the latest test results, and discuss the multi-level caching architecture. This architecture makes Trino 10x faster for data lakes of any scale, from GB to EB.
What you will learn:
- Challenges relating to the speed and costs of running Trino in the cloud
- The new Trino file system cache feature overview, including the latest development status and test results
- A multi-level cache framework for maximized speed, including Trino file system cache and Alluxio distributed cache
- Real-world cases, including a large online payment firm and a top ridesharing company
- The future roadmap of Trino file system cache and Trino-Alluxio integration
How Can Hiring A Mobile App Development Company Help Your Business Grow?ToXSL Technologies
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
Orca: Nocode Graphical Editor for Container OrchestrationPedro J. Molina
Tool demo on CEDI/SISTEDES/JISBD2024 at A Coruña, Spain. 2024.06.18
"Orca: Nocode Graphical Editor for Container Orchestration"
by Pedro J. Molina PhD. from Metadev
2. Speaker
Lead C++/C# developer in PVS-
Studio team
Have been working in the
company since 2016
Popularizing modern C++
3. Static code analyzers for C, C++, C++/CLI, C++/CX,
C#, and Java on Windows, Linux and macOS;
Supported compilers (C/C++): MSVC, GCC, Clang,
MingW, ARM GCC, ARM Clang, Keil ARM
Compiler 5/6, IAR C/C++ Compiler for ARM, TI
ARM CGT;
Plugins for Visual Studio 2010-2019, Rider, IntelliJ
IDEA;
PVS-Studio infrastructure
4. Compilation monitoring utility for performing
analysis independently of the IDE or build system
(C/C++ only);
Suppress files: ability to view warnings only on
newly written code;
Incremental analysis: automatic analysis of changed
files
PVS-Studio infrastructure
5. Integration with TeamCity, Azure DevOps, Travis CI,
CircleCI, GitLab CI/CD, Jenkins, SonarQube, etc.
PlogConverter utility to convert raw log to desirable
format
BlameNotifier utility to distribute warnings by mail
PVS-Studio infrastructure
6. C, C++ diagnostics : 510
C# diagnostics : 153
Java diagnostics : 82
By July 2020 we’ve implemented in PVS-Studio:
7. Copy-paste errors
Array index out of bounds
Buffer overrun
Memory/resource leaks
Invalid operator precedence
Dereferencing of nullable types
Dead/unreachable code
Use of uninitialized variables
Undefined/unspecified behavior
….
What can be detected?
8. Great attention is paid to analyzer warnings:
Warnings classification is supported according to:
Common Weakness Enumeration (CWE)
SEI CERT C Coding Standard
SEI CERT C++ Coding Standard
MISRA C, MISRA C++
Detailed documentation in Russian and English:
Online
PDF
10. This error demonstrates greatly how DataFlow analysis works in
PVS-Studio
This error was found using PVS-Studio in Chromium project
(Protocol Buffers)
The analyzer issues two warnings:
V547 Expression 'time.month <= kDaysInMonth[time.month] + 1' is always
true. time.cc 83
V547 Expression 'time.month <= kDaysInMonth[time.month]' is always true.
time.cc 85
Data Flow analysis
15. int x0 = ....; int x1 = ....;
int y0 = ....; int y1 = ....;
assert(x0 <= x1 && "....");
assert(y0 <= y1 && "....");
assert((x1 - x0) == (y1 - y0) && "....");
assert(x0 >= 0 && x0 < int(some_value) && "....");
assert(x1 >= 0 && x1 < int(some_value) && "...."); // x1 >= 0
assert(y0 >= 0 && y0 < int(some_value) && "...."); // y0 >= 0
assert(y1 >= 0 && y1 < int(some_value) && "...."); // y1 >= 0
Symbolic execution
V560 A part of conditional expression is always true.
V560 A part of conditional expression is always true.
V560 A part of conditional expression is always true.
16. Method/class annotations
Our team has annotated thousands of functions and classes, given in:
standard C library
standard С++ library
WinAPI
glibc (GNU C Library)
Qt
MFC
and so on
17. void EnableFloatExceptions(....)
{
....
CONTEXT ctx;
memset(&ctx, sizeof(ctx), 0);
....
}
Method/class annotations
V575 The 'memset' function processes '0' elements. Inspect the third argument.
crythreadutil_win32.h 294
This error was found using PVS-Studio in CryEngine V project
18. static void FwdLockGlue_InitializeRoundKeys()
{
unsigned char keyEncryptionKey[KEY_SIZE];
....
memset(keyEncryptionKey, 0, KEY_SIZE); // Zero out key data.
}
Pattern-based matching analysis
V597 CWE-14 The compiler could delete the 'memset' function call, which is used to flush
'keyEncryptionKey' buffer. The memset_s() function should be used to erase the private data.
FwdLockGlue.c 102
This error was found using PVS-Studio in Android
project
20. For VS2010-2019: just install plugin and check your solution!
For other cases you can capture compiler invocations and gather all needed
information for the analysis
Using PVS-Studio: quick start
Windows:
C and C++ Compiler Monitoring UI tool
Linux/macOS
pvs-studio-analyzer utility
21. Using PVS-Studio: mass suppression
It can be difficult to start using static analysis in a large project
It’s not clear what to do with warnings in old code
We suggest a decision: hiding messages using suppress files
22. Using PVS-Studio: suppressing of false positives
Various ways to suppress false positives in specific lines of code
Suppression of false positives in macros
Suppression of false positives using pvsconfig diagnostics
configuration files
23. Using PVS-Studio: excluding from analysis
Possibility to exclude files from analysis by their name, directory or mask
Interactive filtration of analysis results (log) in PVS-Studio window:
by diagnostic code and warning level
by the file name
by including the word in the text of a diagnostic
24. The most efficient way of fixing an error is to do it right after it
appeared in code
Using PVS-Studio: automatic analysis of files after
their recompilation
25. Using PVS-Studio: scalability
Support of multicore and multiprocessor systems with configuration
of the number of utilized cores
IncrediBuild support
26. Running analysis from command line for
checking the whole project
Saving and loading of analysis results
Using of relative paths in report files
Send mail notifications with
BlameNotifier utility
Using PVS-Studio: continuous integration
27. Convenient online reference on all diagnostics
Using PVS-Studio: documentation
28. We developed a plugin for importing analysis results into SonarQube
Using of this plugin allows to add warnings found by PVS-Studio
analyzer to the warnings base of SonarQube server
Using PVS-Studio: SonarQube
32. Write to us: support@viva64.com
Subscribe:
Twitter: @Code_Analysis
RSS: http://feeds.feedburner.com/viva64-blog-en
Facebook: https://www.facebook.com/StaticCodeAnalyzer
Telegram: https://t.me/pvsstudio_en
Download PVS-Studio:
https://www.viva64.com/download_cpp_on_sea/
Thank you for attention!
Editor's Notes
Hello everybody, today I’d like to present you some feature overview of PVS-Studio static code analyzer
My name is Phillip, I’m a lead C++/C# developer in PVS-Studio team and I’ve been working in the company since 2016
So, what is PVS-Studio? PVS-Studio is a ecosystem that provides you static code analyzer for C, C++, C# and Java programming languages and utilities to make life with static code analyzer easier. PVS-Studio works on Windows, Linux and macOS platforms.
I’ll focus more on C/C++ features. So, we support modern and famous compilers such as: MSVC, GCC, Clang - and several compiler for Embedded systems: ARM GCC/Clang, Keil, IAR, TI.
We also have several plugins for modern IDEs for convenient work: Visual Studio 2010-2019, JetBrains Rider and IntelliJ IDEA.
Compilation monitoring. We provide a tool that may help you to check your project with “exotic” build system (e.g. SCons, Bazel, etc).
Suppress files. After you’ve checked your project, you may get tons of warnings on your legacy code. There is a solution – you push all your warnings in some file called suppress base, and in the next run you’ll get 0 warnings.
Incremental analysis. If you modify some files in your project, you want only them to be checked as the compiler recompiles them. We have scenery for that. We call it incremental analysis.
I think everybody would want to automate such process, like how we’re doing it with compilation, testing, etc. Of course, you can directly integrate PVS-Studio in CI-servers, such as Jenkins, TeamCity, etc.
After analysis you get raw log and probably you want it to some format that suits you. E.g., HTML, QtCreator tasklist, errorlist (format of compilers output), etc. PlogConverter may help you with this.
And finally BlameNotifier. If you get warnings after you’ve checked your project after commit, you may want to notify developers who made a mistake about this. BlameNotifier send mails corresponding to your VCS.
By July 2020 we’ve implemented 510 diagnostic for C/C++, 153 for C# and 82 for Java. We’re continuously adding new rules.
What type of errors can be detected? Here is a short list what our analyzer can detect: copy-paste errors, dereferencing of nullable types, undefined or unspecified behavior and so on. You can find full information about detectable errors from this QR-code.
We pay great attention while implementing diagnostic rules. Many of them is classified according to Common Weakness Enumeration and CERT C/C++ Coding Standard. We’ve also implemented rules for MISRA C/C++ compliance. For each rule we provide detailed documentation from website or download a pdf. By the way, you can access docs from VS plugin too.
We use several technologies to find bugs in source code.
First is the data flow analysis. Let’s see how it can help to find bugs on a following code snippet from protobuf. PVS-Studio warns about two expressions that they’re always true.
Here we have ValidateDateTime function that check for incorrect DateTime and static const array ‘kDaysInMonth’ that contains the number of days per month. The first element is extra element for convenient access to array: we’ll use indexes [1..12]. Let’s look at the first if statement.
Data flow analysis knows if ‘time.month’ field isn’t in the range [1..12], execution of the function will stop.
Now let’s look at the second ‘if’ statement. If ‘time.month’ is two (it’s February) and the year is leap, we return the result of comparison ‘time.month <= kDaysInMonth[time.month] + 1’. ‘2 <= 29’ – this is always true.
If you look at ‘else’ branch, expression in return statement is always true too, now we compare two range: lhs – [1..12] and rhs – [28..31].
It’s needed to compare ‘time.day’ field.
Next technology is Symbolic execution. It helps when we don’t know we exact value of variables. Look at this example. Here PVS-Studio tells that 3 lash subconditions is always true. Let’s find out why/
First two asserts set relation between pairs of variables [x0, x1] and [y0; y1]. So, we know that x1 may be equal to or greater than x0, absolutely the same with y0 and y1. Third assert sets that differences between pairs of values are equal.
And now fourth assert. If x0 is non-negative, then x1 is non-negative too because of the first assert. So, the part of condition in the fifth assert is always true.
If x0 and x1 are both non-negative, their subtraction is non-negative too. This means that y0 and y1 are non-negative too. So, parts of the last two assert are always true.
Next technology is method/class annotations. We know a behavior of many functions from different libraries and this helps to find interesting bugs.
For example, in CryEngine V we have function EnableFloatExceptions. We want to zeroize the ‘ctx’ variable. But the second and the third function parameters were mixed up, and now memset will do nothing.
And the last thing we use in our analyzer is ‘pattern-based’ matching. We’re looking for code patterns that lead to bugs in the parse tree. This isn’t regular expression search.
For example, there is a errorneous pattern when we want to zeroize some private data in an array. Most often this is done by calling the ‘memset’ function. But modern compilers can optimize this call out. We can fix that by calling safe methods, such as memset_s from C11.
So, how to start using PVS-Studio in your project?
As I mentioned earlier, if you have VS project, you can install plugin and easily check your project in one click.
If you have project that isn’t VS- or Cmake-based, you can check it with C and C++ Compiler Monitoring UI or pvs-studio-analyzer tools.
It captures compiler invocations to get information about your project and then start analysis on files that were compiled.
If you want to get more information – you can follow the link in QR codes.
Ok, but your project is too old and you have legacy. When you’ve checked your project, you get tons of warnings and you want to get rid of them.
We have a solution – suppress base: you push all your warnings to some files and in the next run of the analysis you will get 0 warnings. This makes possible to integrate a static code analyzer into a project of any size.
You will get warnings only on fresh code. You can return to your technical debt later and fix these warnings.
Follow the link in QR code to get more information.
There are several ways to mark some warnings that false positive for you.
For example, static code analyzer warns you about some code that was expanded from a macro. You can mark this macro and analyzer won’t warn you about this code anymore.
You can add these mark directly to your code or special pvsconfig-file. Follow the link in QR code to get more information.
What if you have some third-party libraries and you don’t want to get messages from these projects.
Of course It’s possible to exclude these projects from analysis by specifying some name of the file, directory or wildcard pattern.
Another thing that we provide interactive filtration of warnings in PVS-Studio output window in VS plugin. You can filter messages by the level of the warning, type of the warning, filename, text in the message.
If you change only one file, you may want to analyze only modified file. This may be done by incremental analysis.
PVS-Studio may analyze up to “the number of logical cores” files simultaneously. This may dramatically reduce the analysis time.
If this isn’t enough, you can try PVS-Studio together with IncrediBuild. IncrediBuild may distribute analysis on several machines.
Until this moment, I meant that analysis is performed on developer machine. But what if we want to analyze project on continuous integration server on each commit / PR?
PVS-Studio can be directly integrated in CI-servers and can perform analysis on commit / PR / night build.
If there is some warning in analysis report, you can notify developers about this problem with help of BlameNotifier tool.
If you want to get more information – you can follow the link in QR codes.
For each our diagnostic rule we provide documentation with the description what is wrong and how to fix it. You can access this documentation on our website or download pdf.
If you use VS plugin, you can open the documentation for diagnostic rule in VS itself – just click on the warning number in PVS-Studio output windows.
On the screen you can see how it looks.
Many our customers were interested in importing analysis results into SonarQube. SonarQube is a platform for continuous code inspection of projects.
We developed a plugin for SonarQube that can do that.
If you want to get more information – you can follow the link in QR codes.
Here you can see all imported diagnostic rules from PVS-Studio into SonarQube.
This is how it looks as a result.
If you don’t have SonarQube, but you want to review warnings with source code in CI-server, you can convert analysis report into FullHTML format.
This format looks like output from Clang SA. You click a location link in the “Location column” for the warning, and it opens a source code in HTML and scrolls to the interested line.
This FullHTML report then can be published on CI-server.
That’s all for now. Thank you for you attention!
If you have questions, I’m ready to answer them.