PVS-Studio for Visual Studio

    Many of our articles are devoted to anything, but not to the PVS-Studio tool itself. But we do a lot to make it convenient for developers to use our tool. But this is precisely what is often behind the scenes. I decided to fix this situation and talk about the PVS-Studio plugin for Visual Studio. If you are using Visual Studio, then this article is for you.

    What is static code analysis and why is it needed

    Static code analysis is the process of identifying errors and shortcomings in the source code of programs. Static analysis can be considered as an automated code review process. A collaborative code review is a great methodology. But it also has a significant drawback - high cost. It is necessary to regularly gather several programmers to review the new code or re-review the code after making recommendations.

    On the one hand, I want to regularly review the code. On the other hand, it is too expensive. The tradeoff is static code analysis tools. They tirelessly process the source code of programs and give the programmer recommendations to pay increased attention to certain sections of the code. Of course, the program does not replace a full review of the code executed by a team of programmers. However, the benefit / price ratio makes using static analysis a very useful practice for many companies. If the reader is interested in specific numbers, then I propose to get acquainted with the article " PVS-Studio ROI ".

    There are a large number of commercial and free static code analyzers. A large list of static analyzers is available on the Wikipedia website:List of tools for static code analysis . The list of languages ​​for which static code analyzers exist is also quite large (C, C ++, C #, Java, Ada, Fortran, Perl, Ruby, ...). Naturally, we will tell you about the PVS-Studio analyzer .

    The main advantage of static analysis is the possibility of a significant reduction in the cost of eliminating defects in the program. The earlier the error is identified, the lower the cost of fixing it. So, according to the data provided in McConnell’s book “Perfect Code”, fixing a mistake at the testing stage will cost ten times more than at the construction (writing) stage:

    Figure 1. The average cost of fixing defects depending on the time of their introduction and detection (data for the table are taken from the book by S. McConnell "Perfect Code").

    Figure 1. The average cost of fixing defects depending on the time of their introduction and detection (data for the table are taken from the book by S. McConnell "Perfect Code").

    Static analysis tools allow you to identify a large number of errors in the design phase, which significantly reduces the cost of developing the entire project. For example, the PVS-Studio static code analyzer can start in the background immediately after compilation, and if a potential error is found, it will notify the programmer. More on this mode will be described below.

    PVS-Studio Static Code Analyzer

    PVS-Studio is a static analyzer that identifies errors and potential vulnerabilities in the source code of applications in C, C ++ (extensions are also supported: C ++ / CLI and C ++ / CX ), C # and Java on Windows, Linux and macOS platforms. The analyzer integrates perfectly with Visual Studio 2010 - 2019 and IntelliJ IDEA. In this article we will take a closer look at the work of PVS-Studio for checking code in C, C ++, and C #. You can read about how to use PVS-Studio to test Java code in IntelliJ IDEA here .

    After installing PVS-Studio and integrating into Visual Studio, users receive an additional “PVS-Studio” item in the main menu and a window for working with diagnostic messages (see Figure 2).

    Figure 2. The main elements added by the PVS-Studio analyzer during integration into Visual Studio.

    Figure 2. The main elements added by the PVS-Studio analyzer during integration into Visual Studio.

    Initial settings

    The analyzer is ready for operation immediately after installation. In most cases, you do not need to configure anything to complete the first run. The only setup you may need at the beginning is the exclusion of third-party libraries. After all, you still will not edit anything in the source files, for example, the jpeg library, so there is no need to check it. In addition, the exclusion of extra folders will reduce the analysis time of the project. The directories excluded from the analysis are set here: PVS-Studio> Options ...> Don't Check Files> PathMasks (see Figure 3).

    Figure 3. Editing a list of directories that the analyzer will not check.

    Figure 3. Editing a list of directories that the analyzer will not check.

    If one of the specified names is in the full path of the file, then the analysis will not be performed. By default, the names of some directories are already included in the list. However, in your project the folder with the ZLib library may not be called “zlib”, but, for example, “zip_lib”. Therefore, you should edit this list. To start editing, click the button with three dots.

    Examples of valid masks for the PathMasks list:

    • c: \ Libs \ - all project files located in this folder and its subfolders will be excluded.
    • \ Libs \ or * \ Libs \ * - all files located in directories whose path to which contains the Libs subfolder will be excluded. If the "*" characters are not specified, they will still be automatically added, so both recording options are the same.
    • Libs or * Libs * - all files will be excluded, the path to which contains a subfolder that has 'Libs' as a name or a fragment of a name. Also in this case files containing Libs in the name will be excluded, for example, c: \ project \ mylibs.cpp. To avoid confusion, we recommend that you always use slashes.

    In addition to excluding entire folders, you can specify masks to exclude individual files. For this, there is a FileNameMasks setting. For more details on how to work with exclusion lists, see the documentation: Settings: Don't Check Files .

    Project Verification

    Upon completion of the initial settings, you can begin to check the project. PVS-Studio for Visual Studio supports checking C ++ (.vcxproj) and C # (.csproj) projects. You can also immediately try to check out a solution that contains projects of these types in its entirety. To do this, select the menu item Extensions> PVS-Studio> Check> Solution (see Figure 4).

    Figure 4. Solution verification using the PVS-Studio analyzer.

    Figure 4. Solution verification using the PVS-Studio analyzer.

    If there are any difficulties with the verification, we recommend that you refer to the " Can't verify? " Section on our website. These are not clueless “check that the plug is plugged in” receptacles. The section describes typical situations that users have contacted us with and suggested options for action.

    Working with a list of diagnostic messages

    After checking, all diagnostic messages will be displayed in a special window. A window has many controls. All of them serve to show exactly those diagnostic messages that are of interest to the user. However, at first, the window may seem complicated. Let's look at all the controls (see Figure 5).

    Figure 5. A window with diagnostic messages.

    Figure 5. A window with diagnostic messages.

    1. Actually, the PVS-Studio window.
    2. Extra menu. Allows you to access options such as: marking a warning as false, hiding messages, adding files to exceptions (more on this below).
    3. The button includes the message "something went wrong." For example, you cannot preprocess one of the files.
    4. Go to the previous / next message. This opens the corresponding file, and the cursor is placed on the line with a potential error. You can also always select diagnostics from the list by double-clicking. You can assign hotkeys to jump to the previous / next message. By default, these are Alt + '[' and Alt + ']'.
    5. Buttons that include alerts at different levels. Now the first two levels of diagnostics are included. At the same time, 90 warnings of the first level and 6700 warnings of the second level are displayed in the window. The message level is shown on the left side of the window, in the form of a bar corresponding to the color of the bar on the button of the corresponding level. Why are there so many positives? Where are the 6700 warnings from? To demonstrate the capabilities of the interface, a set of MISRA rules is included , which is contraindicated for ordinary applications :).
    6. Active sets of diagnostic rules. General - general purpose diagnostics, Optimization - microoptimization, 64-bit - 64-bit diagnostics, MISRA - MISRA C and MISRA C ++ standard diagnostics. Now the window displays all types of alerts.
    7. Shows the number of messages marked as False Alarms. You can enable / disable the display of tagged messages in the settings, PVS-Studio> Options ...> Specific Analyzer Settings> Display False Alarms.
    8. Quick filters. For example, you can leave in the list only messages with the code V501 and that are in the XYZ project.
    9. Some diagnostics suggest paying attention not to one, but to several lines. In this case, an ellipsis appears next to the line number. By clicking on it with the mouse, you can see a list of lines and select one of them.

    The table with diagnostic messages is divided into the following columns:

    • Level. Reliability level that the error is found. 1st level (red) - the most suspicious places. 3rd (yellow) level - most likely a minor inaccuracy in the code.
    • The asterisk . She has no specific purpose. The user can interpret it at his discretion. For example, he may point out the most interesting warnings for further careful analysis. An analogy is to mark letters with an asterisk in an email program such as Thunderbird or Outlook.
    • ID . Unique message number. It may come in handy when working with a large list. For example, you can go to the message with a specific number (see the "Navigate to ID ..." item in the context menu ).
    • Below code . Message Code If you click on it with the mouse, a page with a description of the warning will open.
    • CWE. Identifies a warning using the CWE (Common Weakness Enumeration) code . By clicking on the link, you can see a description of this CWE on the network.
    • Misra. Same as above, but only for the MISRA standard .
    • The Message . The text of the diagnostic message.
    • By Project . Project name (you can disable this column using the context menu).
    • The File . File name.
    • Line . Line number. Important! Please note that after some lines there is an ellipsis. Example: "123 (...)". By clicking on this number, you will get a list of all lines of code that relate to this message. In this case, it is possible to go to each of the lines in the list.

    Yes, reading all this was tiring. However, I assure you, starting to use it, you quickly get comfortable with the tool. And you will rarely press something to configure.

    Context menu

    So, by double-clicking on the message you go to the desired code fragment. By pressing the right mouse button, a context menu opens.

    The menu is quite simple, and you should not overload the article with a description of each of the items. If something is not clear, you can peek in the documentation.

    However, I want to dwell on one very useful feature. Remember that in the settings you can add folders / files for exclusion (see Figure 2). So, adding something is much easier than it sounds!

    Pay attention to the item "Don't check files and hide all messages from ...". When you click on it, a list of paths can be added that can be added to the exception (see Figure 6).

    Figure 6. Excluding files from scanning.

    Figure 6. Excluding files from scanning.

    You can select either a single file or one of the directories. The figure shows that the folder "SDL2-2.0.9 \ src \ haptic \ windows" is selected. This means that all files in this folder and all subfolders will be excluded from analysis. Moreover, all messages related to these files will immediately disappear from the list. Very comfortably. You do not need to restart the analysis to remove all test related messages.

    Incremental analysis mode

    Introduction to PVS-Studio will be incomplete if you do not talk about one of the most important features - incremental code analysis .

    The earlier the error is found, the cheaper it is to fix it. It is ideal to immediately emphasize errors in the edited text of the program. However, it is technically difficult and resource intensive. Therefore, PVS-Studio starts in the background at the moment when the corrected code was successfully compiled. Thus, errors are searched in the just modified code. The fact that the analysis is taking place can be judged by the icon in the system notification area.

    When an error is found, a pop-up window appears warning about the danger (see Figure 7).

    Figure 7. A pop-up message that suspicious places were found in the edited files.

    Figure 7. A pop-up message that suspicious places were found in the edited files.

    If you click on the icon, the IDE will open with the result of the project verification (see Figure 2) and it will be possible to examine the suspicious code fragments.

    In fact, than to describe this mode, it is easier to try to work with it. You write the code as before. And if necessary, the analyzer will disturb you. Give it a try!

    We ourselves constantly use this mode. Yes, we also sometimes make coding errors. And the ability to immediately fix them significantly reduces the time to detect a defect and an attempt to understand why the program does not behave as planned. It’s a shame to spend 15-20 minutes debugging, then to find a typo in the index. Here is one of the cases when PVS-Studio found an error in PVS-Studio right after it appeared in the code:

    if (in[0] == '\\' && in[1] == '.' && in[1] == '\\')
      in += 2;

    But these, of course, are flowers. The PVS-Studio analyzer can sometimes be much more useful. Here is one of the reviews about our analyzer: " An example of using a static analyzer ." The text makes you think.

    I summarize. Incremental analysis is something you should definitely try. You will love him as soon as you find a couple of mistakes in the fresh code.

    PVS-Studio features

    Let’s be brief. It is impossible to concisely describe all the diagnostics that are available in PVS-Studio. A complete list of diagnostics and their detailed description can be found in the documentation: Description of diagnosed errors . We restrict ourselves to a table in which diagnostics are grouped by type. Some diagnostics are included in more than one group. The fact is that division is very arbitrary. For example, a typo can lead to the use of uninitialized memory. On the contrary, some errors did not find a place in the table; they are too specific. Nevertheless, the table as a whole gives an idea of ​​the functionality of a static code analyzer (see Figure 8).

    Figure 8. PVS-Studio features.

    Figure 8. PVS-Studio features.

    As you can see, the analyzer manifests itself as much as possible in areas such as searching for errors that have occurred due to typos, Copy-Paste. It diagnoses problems that are related to code security.

    You can find out how all this works in practice by looking at the error database . We collect in this database all the errors that we found by checking various Open-Source projects.


    PVS-Studio is a tool for static application security testing (Static Application Security Testing, SAST) - the analyzer can identify potential vulnerabilities in the project code and show the corresponding error identifier in a certain classification.

    PVS-Studio supports the following error classifications:

    1. CWE
    2. SEI CERT
    3. Misra

    You can enable the display of CWE codes using the context menu in the analyzer window under Show Columns> CWE

    Figure 9. Context menu and an example of the output of CWE codes.

    Figure 9. Context menu and an example of the output of CWE codes.

    Or in the menu above (Extensions> PVS-Studio> Display CWE Codes in Output Window)

    Figure 10. The extension menu.

    Figure 10. The extension menu.

    MISRA diagnostics are included separately in the settings:

    Figure 11. List of detected errors.

    Figure 11. List of detected errors.

    Read more about these classifications here .

    Checking projects from the command line

    PVS-Studio_Cmd.exe is a utility for checking C ++ / C # Visual Studio projects (.vcxproj / .csproj) and .sln solutions from the command line. It can be useful for automating analysis. The program is located in the directory where the installation was made - by default it is 'C: \ Program Files (x86) \ PVS-Studio'.

    The program has many parameters , but first we need only 3 of them:

    • --target: the project or solution file to be verified.
    • --output: the plog file where you want to write the report.
    • --progress: show verification progress.

    This is what the launch will look like:

    Figure 12. The output of the PVS-Studio_Cmd.exe program

    Figure 12. The output of the PVS-Studio_Cmd.exe program

    After execution, we will get a plog file with the report, the path to which we specified in the launch options. This report can be converted to other formats using the PlogConverter.exe utility, and to view the report in the IDE, just double-click on the plog file in Explorer.

    You can also open the report file in the extension menu under Extensions> PVS-Studio> Open / Save> Open Analysis Report ...

    Picture 4

    Detailed information on the utility and its parameters can be found in the documentation .

    Suppression of false warnings

    Some messages issued by the analyzer will inevitably be false. Nothing can be done about it. A static analyzer is just a program that does not have artificial intelligence and cannot determine exactly whether it found a real error or not.

    To combat false positives, the analyzer provides a set of different mechanisms. They are described in detail in the following sections of the documentation:


    Of course, here we did not tell all about the instrument. If you tell everything, then the article will turn into documentation. The goal was to show how easy it is to work with the tool within the Visual Studio environment. You can read about other environments and operating modes in the documentation and other articles located on our website . There, by the way, a lot of interesting things for programmers. Come wander around.

    It should be noted that PVS-Studio works not only in the environment from Microsoft. We also support the Java language, we can work under Linux and macOS, integrate into CMake and much more. For more information, see the documentation .

    I wish you a codeless code and hope you enjoy PVS-Studio. If you have any questions, we will always help and tell you. Write us.

    Дополнительные ресурсы:

    1. Обзор кода (code review).
    2. Статический анализ кода.
    3. Инструменты статического анализа кода.
    4. SAST.
    5. Технологии, используемые в анализаторе PVS-Studio.
    6. Скачать PVS-Studio и попробовать в деле.
    7. Поддержка Visual Studio 2019.
    8. Обсудить цену на анализатор PVS-Studio для вашей команды и способах его приобретения: купить PVS-Studio.
    9. Пример использования статического анализатора.
    10. Ответы на вопросы, которые часто задают на конференциях.
    11. Как запустить PVS-Studio Java
    12. Как запустить PVS-Studio в Linux и macOS

    If you want to share this article with an English-speaking audience, then please use the link to the translation: Sergey Larin. PVS-Studio for Visual Studio

    Also popular now: