
Everything you wanted to know about PVS-Studio and didn’t hesitate to ask

by admin

We have recently strengthened our presence at various specialized IT conferences in Russia and abroad. At most of the events we have a booth, and at some of them we give talks. Conferences allow us not only to increase awareness of our product (the PVS-Studio static code analyzer), but also, and most importantly, to get acquainted with potential and existing users. While communicating with visitors at the booth, our staff often answer the same questions, which can sometimes be rather odd. In this article, I will try to answer the most frequently asked questions of visitors regarding static analysis in general and PVS-Studio in particular.
Let's start with some humor on the subject of "Expectation and Reality". We write a lot of articles and naively think that if people read them, they know at least in general terms about our product and its features. Unfortunately, that is not always true. Here is an example of a real conversation with a visitor at a recent conference. Visitor: "We read your articles on Habr. It is interesting. It's a pity your analyzer does not suit us at all. All our sources are secret and we cannot send them out. But you have everything there, in the cloud."

Our marketing department probably has some work to do.
Below I will give other common questions from the average visitor to our booth at the show, as well as answers to them in an impromptu dialogue format.
Q: Heard something about you. Where are you from, what do you do, and how can I find out more about you?
A: We are a small independent team from Tula. We develop PVS-Studio, a static code analyzer for the languages C, C++, C# and Java. You can learn more about us at the PVS-Studio site. We also write articles and post them on our blog, on Habr and on other resources.
Q: What is this static analysis? In our team, we have enough compiler warnings and cooperative code reviews.
A: The compiler can only point to gross and fairly obvious errors, for example unreachable code or use of uninitialized variables. Error detection is a side task for the compiler. Yes, compilers have become quite smart lately. But a specialized tool for finding bugs in code is far superior to a compiler here: it can analyze the code in detail and detect typos, logical errors, potential null pointer/reference dereferences, and so on.
Collaborative code review is a sound, time-tested technique. But it also has disadvantages: additional people have to spend their time on someone else's code. This increases development costs, and reviewers are still likely to miss an error or introduce a new one, because it is human nature to make mistakes.
Static analysis is a check of the source code of a program without executing it. We recommend using static code analysis tools as an additional barrier against errors.
Q: Does PVS-Studio analyze executable files or the source code itself?
A: Speaking about searching for vulnerabilities, analysis of executable code is more similar to the way an anti-virus works: it looks for signatures from some database in the binary code.
PVS-Studio analyzes source code. This allows detecting a much wider range of bugs and potential vulnerabilities, increases speed and gives more reliable results.
Yes, of course you can try to disassemble the code and find an error in the algorithm. But you have to understand that a lot of information is lost in the binary code. For example, an always-true condition will simply be optimized away when the code is compiled, and there is no way to know that something was wrong with that condition.
Q: What are the integration options? Do you have plugins for any IDEs?
A: PVS-Studio is currently integrated into Visual Studio 2010-2017 as a plugin. There is a Java-plugin for IntelliJ IDEA. You can also manage CMake projects in Qt Creator and CLion thanks to a specialized module.
The analyzer is constantly evolving, so you can get the most up-to-date information about the product features by visiting our website.
Q: We use SonarQube.
A: A great choice. The PVS-Studio plugin for SonarQube allows you to import analysis results into SonarQube and work with them in the usual way.
Q: Okay, I need to somehow build the analysis into our build system.
A: PVS-Studio can be used from the command line. The analyzer contains a large set of options to solve a wide range of tasks. Also, regardless of the scenario of use, we provide our customers with assistance at the stage of deployment of the analyzer and technical support during the whole license term.
Q: How do I try your analyzer?
A: Go to the download page, download the necessary distribution package and work with PVS-Studio in trial mode. If you need some more time to evaluate our product or you are not satisfied with the demo-version limitations, contact us.
Also, at trade shows our visitors can get an Enterprise key, which is valid for one month. Just come to our booth with the unicorn. Besides, you can enter the lottery and get a prize from PVS-Studio.
Q: I am a student, can I use PVS-Studio for free?
A: This is possible by adding comments of a special kind to your source code. Files marked in this way will be checked for errors without any restrictions. You can learn more about this mode in the article " How to use PVS-Studio for free ".
Q: Who are your customers?
A: At the moment more than 200 companies all over the world have already become our clients. Their fields of activity are very diverse. You can find a list of current customers on our website.
Q: So do you have a local mode of operation or not?
A: The PVS-Studio analyzer is installed locally on the dedicated computer(s) and can work completely isolated. Connection to the Internet is necessary to get updates and also to quickly get links to documentation (descriptions of diagnostics, etc.) from the plugins. We are currently thinking about options for working via the cloud, but this will be in addition to the standard mode of operation.
Q: How exactly are you better than, say, a Coverity analyzer?
A: It is impossible to give a simple and comprehensive answer to this question. All our attempts at comparison with other analyzers have failed. We were accused of bias, "twisting" the results, using a specially prepared test base and other deadly sins. Besides, you cannot simply compare analyzers "directly". Each tool is unique and has its own strengths and weaknesses. Some tools focus on performance, others focus on detecting "smells" in code and improving style. We look for bugs and potential vulnerabilities.
If you have the desire and a proper methodology, you can do the research, compare our analyzer to others and then write an article about it. We will even give you a temporary unlimited license key for that. But be prepared for criticism.
Q: I don’t understand, so you’re only looking for errors in uncompiled code? So the program didn’t even pass the compiler checks?
A: That's not true. PVS-Studio searches for and finds errors only in compiled programs. They are in applications that are actually working. These programs are not just compiled without errors; some of them are checked by other analyzers. But we still find errors there. We often write about it in articles on our blog, checking open source projects.
Q: What errors can PVS-Studio detect in our project? Just typos?
A: Misprints, of course, belong to the class of classic errors detected by static analysis. But besides that, PVS-Studio can potentially detect a few hundred more error patterns. Examples: null pointer dereferencing, division by zero, a condition that is always false or true, incorrect index operations, array overruns and many others. You can find a full list of diagnostics on the documentation page.
Q: After checking with your analyzer, can I be sure that the program is error free?
A: No. PVS-Studio is not a tool to prove that programs are correct; that is a separate class of tools. The task of our analyzer is to give you the fastest and most reliable indication of potential errors in the code. It is always the developer who decides whether or not a particular construct is wrong, using the context in which the error occurs and his knowledge of the project. The analyzer helps the developer by minimizing the number of false positives where possible and by providing additional options for handling the list of warnings received.
Q: How does PVS-Studio work exactly? What kind of error-finding mechanisms are there? You must be using regular expressions.
A: Using regular expressions is extremely inefficient. It allows finding only the most primitive errors, for example, in conditions (comparing two identical subexpressions):

if ((a+b+c) == (a+b+c)) {....}

And a small change in the code (without any change in the logic) would most likely stump such an analyzer:

if ((a+b+c) == (b+a+c)) {....}

The PVS-Studio analyzer is much smarter and uses the following mechanisms:

  • Pattern-based analysis based on abstract syntax tree.
  • Construction of semantic model and then type inference.
  • Symbolic execution, which allows calculating the values of variables that can lead to errors, as well as range checking.
  • Data-flow analysis.
  • Method annotations.

My colleague Andrei Karpov described all this in more detail in a recent article " Technologies used in the PVS-Studio code analyzer to search for errors and potential vulnerabilities ".
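To make the difference between the two approaches concrete, here is an added toy example (not PVS-Studio's code) that runs the regex idea and a small AST-based pattern check over the two conditions from the text. It assumes the conditions are written in Python expression syntax, which happens to coincide with the C fragments above, so Python's own parser stands in for a C front end:

```python
import ast
import re

# Constructed samples (Python expression syntax as a stand-in for the C conditions in the text).
SAMPLES = {
    "textual duplicate": "(a+b+c) == (a+b+c)",
    "reordered operands": "(a+b+c) == (b+a+c)",
    "genuinely different": "(a+b) == (a+c)",
}

# The regex approach: fires only when both sides are character-for-character equal.
_DUP_RE = re.compile(r"\((.+?)\)\s*==\s*\(\1\)")

def regex_finds_duplicate(expr: str) -> bool:
    return _DUP_RE.search(expr) is not None

def _canon(node: ast.AST) -> str:
    """Canonical form of an expression. Chains of the commutative '+' operator are
    flattened and their operands sorted, so a+b+c and b+a+c get the same string;
    other binary operators keep their operand order."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        terms, stack = [], [node]
        while stack:
            n = stack.pop()
            if isinstance(n, ast.BinOp) and isinstance(n.op, ast.Add):
                stack.extend((n.left, n.right))
            else:
                terms.append(_canon(n))
        return "+(" + ",".join(sorted(terms)) + ")"
    if isinstance(node, ast.BinOp):
        return f"{type(node.op).__name__}({_canon(node.left)},{_canon(node.right)})"
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Constant):
        return repr(node.value)
    return ast.dump(node)  # fallback for node kinds this toy does not model

def ast_finds_duplicate(expr: str) -> bool:
    """Report an '==' whose two operands are the same expression modulo '+' order."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, ast.Compare) and len(node.ops) == 1 and isinstance(node.ops[0], ast.Eq):
            if _canon(node.left) == _canon(node.comparators[0]):
                return True
    return False

if __name__ == "__main__":
    for label, expr in SAMPLES.items():
        print(f"{label:20} regex={regex_finds_duplicate(expr)!s:5} ast={ast_finds_duplicate(expr)}")
```

The regex catches only the first sample, while the AST check catches both suspicious conditions and stays silent on the third; a real analyzer layers type information and data flow on top of this kind of tree matching.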
Q: Okay, we have a C/C++ project, 15 years of development, and five million lines of code. Are we really able to start using PVS-Studio now?
A: Yes. During the implementation phase, it will be necessary to do a full check of your project once. Then you can mark all the warnings you have received (there will probably be quite a few of them) as uninteresting for now (suppress their output temporarily) in order to return to this technical debt later. After that you can use PVS-Studio to regularly check only new code. To learn more about this and other features of the analyzer, please visit the documentation page.
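The "suppress everything now, look only at new code" workflow from the answer above, as an added illustration (not the analyzer's own suppression format): a baseline is built from the first full run and later runs are filtered against it. The key deliberately ignores line numbers, so legacy warnings that merely move when lines are inserted above them do not resurface as new; the warning records and diagnostic ids are constructed sample data.

```python
import hashlib

# Constructed sample warnings (not real analyzer output). Fields: file, line,
# diagnostic id, and the text of the flagged source line.
FIRST_RUN = [
    {"file": "src/net.cpp", "line": 120, "diag": "V522", "src": "p->len = 0;"},
    {"file": "src/net.cpp", "line": 305, "diag": "V501", "src": "if (a == a)"},
    {"file": "src/util.cpp", "line": 42, "diag": "V547", "src": "if (n >= 0)"},
]
# Second run: ten lines were inserted near the top of net.cpp, so the old
# warnings moved, one line was reformatted, and one genuinely new defect appeared.
SECOND_RUN = [
    {"file": "src/net.cpp", "line": 130, "diag": "V522", "src": "p->len = 0;"},
    {"file": "src/net.cpp", "line": 315, "diag": "V501", "src": "if (a==a)"},
    {"file": "src/util.cpp", "line": 42, "diag": "V547", "src": "if (n >= 0)"},
    {"file": "src/util.cpp", "line": 77, "diag": "V595", "src": "q->x = 1; if (q)"},
]

def warning_key(w):
    """Identity of a warning that survives line shifts and reformatting: file path,
    diagnostic id and a hash of the flagged line with all whitespace removed. The
    line number is left out on purpose; otherwise every edit above a suppressed
    warning would make it reappear as 'new'."""
    norm = "".join(w["src"].split())
    digest = hashlib.sha256(norm.encode("utf-8")).hexdigest()[:16]
    return (w["file"], w["diag"], digest)

def build_baseline(warnings):
    """Snapshot of the first full run: everything here is technical debt to revisit later."""
    return {warning_key(w) for w in warnings}

def new_warnings(warnings, baseline):
    """Only warnings absent from the baseline, i.e. defects introduced since the snapshot."""
    return [w for w in warnings if warning_key(w) not in baseline]

def demo():
    baseline = build_baseline(FIRST_RUN)
    return [(w["file"], w["line"], w["diag"]) for w in new_warnings(SECOND_RUN, baseline)]

if __name__ == "__main__":
    for file, line, diag in demo():
        print(f"{file}:{line}: {diag}")
```

Two identical flagged lines with the same diagnostic in one file collapse to one key here; a production baseline would add an occurrence counter to tell them apart.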
Q: How often should I run the check? And what, check the entire code base every time?
A: The most efficient use of static analysis implies that new code is checked as often as possible. For this purpose PVS-Studio implements the incremental analysis mode. Files that have been modified since the time of the last project build are submitted for analysis. There are other operating modes as well. This allows you to detect errors already at the development stage, which reduces the risk of them getting into the release.
Q: We are using PVS-Studio. The analyzer finds errors but many of them are in unused code or tests. Is it normal?
A: This is quite normal. One of the features of static analysis, as opposed to dynamic analysis, is that it checks the whole code base, not just the code you execute at run time. Suppose you've spent a lot of time and effort debugging the program code, and everything works reliably. But there is a function which is rarely used or is not used at all yet. The probability of finding an error in such a function is high, and when the function is used one day, something might go wrong. Using static analysis will allow you to minimize the risk of such a situation.
The code may also contain deliberately incorrect constructs (it usually happens in tests), so it often makes sense to exclude them from the check (specifying projects or paths) through the PVS-Studio settings. But sometimes tests themselves contain errors. Such situations are quite difficult to detect, and in this case it is up to the developer to decide.
Q: What about searching for vulnerabilities?
A: The PVS-Studio analyzer is a SAST (Static Application Security Testing) tool and can detect potential vulnerabilities, which are classified according to the CWE (Common Weakness Enumeration). The CWE warnings overlap with the classic PVS-Studio warnings in many ways. You can learn more about SAST in the documentation. It is important to understand that potential vulnerabilities do not necessarily lead to actual vulnerabilities that can be exploited by a hacker. Confirmed vulnerabilities are classified by CVE (Common Vulnerabilities and Exposures). Nevertheless, eliminating potential vulnerabilities definitely improves the security of the program and minimizes the risk of real vulnerabilities being discovered in the future.
Q: I manage a development team. How exactly would using PVS-Studio help me?
A: Besides increasing the quality and reliability of the code, introducing PVS-Studio will also allow you to solve purely managerial tasks, related, for instance, to the division of responsibility. The analyzer is shipped together with the BlameNotifier utility, which automatically identifies the employees who committed incorrect code to the version control system. The tool sends notifications by e-mail both to the developer responsible and to his/her manager.
You can also customize the conversion of bug reports into any form you like, including an itemized html report for executive use.
Finally, if you use SonarQube you can use all the advantages of this tool to provide continuous code quality control by uploading to SonarQube the results of PVS-Studio analysis using a specialized plugin.
Q: Are you using or planning to use machine learning?
A: This is a large and interesting topic. We plan to write a critical article about it. For now, I’ll just give you a couple of brief thoughts.
You don't need machine learning to build a calculator. There is a certain rule (formula), and you have to apply it to the code and draw a conclusion. It is unclear why one would train a neural network to detect a new error pattern when these patterns already exist and you just need to apply them correctly. And, most importantly, it is not clear where to get the training data. Where is that sample of hundreds of thousands of projects with their errors written out that you could learn from?
The only place where we think it might make sense to use machine learning algorithms is to filter out false positives.
Q: Do you check the PVS-Studio code with PVS-Studio?
A: Of course! Moreover, if errors are found, the list of guilty parties is made public, followed by their excommunication from the ice cream fridge. But seriously, we think it’s very useful to use your own tool. It allows you to look at a product from the user’s point of view and notice some flaws.
Q: How do I get your awesome desktop statuses and branded hat with earflaps?
A: Come to our unicorn booth at the next show where we have a stand. We'll work something out 🙂

I hope I’ve managed to answer the most popular questions from visitors to our booths at trade shows. Of course, there are also more complex questions that may require a separate article to answer.
When communicating with our visitors, we try to get the main idea across: static analysis is not a panacea for all troubles, but it is very good for the health of your programs. Use PVS-Studio and don't get ill!
I will conclude with a number of useful links again:


If you want to share this article with an English-speaking audience, please use the translation link: Sergey Khrenov. Everything You Wanted to Know about PVS-Studio and Dared to Ask
