Everything you wanted to know about PVS-Studio and did not hesitate to ask

    Picture 1

    Recently, we have strengthened our presence at various specialized IT conferences in Russia and abroad. At most events we try to stand with a stand, at some we give reports. Conferences allow us not only to increase the awareness of our product (PVS-Studio static code analyzer), but also, more importantly, to get closer to potential and current users. Communicating with visitors at the booth, our employees often answer questions of the same type, which are sometimes quite funny. In this article I will try to answer the most frequently asked questions of visitors about static analysis in general and PVS-Studio in particular.

    First, a little humor on the subject of “Expectation and reality”. We write a lot of articles and naively believe that if people really read them, then they at least know in general terms about our product and its features. Unfortunately, this is not always the case. Here is an example of real communication with the visitor at one of the latest conferences. Visitor: “We read your articles on Habré. Interesting. It is a pity that your analyzer does not suit us at all. We have all secret sources, we cannot send them outside. And you have everything there on the cloud works . "

    Picture 4

    Probably, our marketing department has work to do.

    Further I will give other common questions from the average visitor to our stand at the exhibition, as well as answers to them in the format of an improvised dialogue.

    Q: I heard something about you. Where are you from, what are you doing and how to find out more about you?

    A: We are a small independent team from Tula. We are developing PVS-Studio - a static code analyzer for C, C ++, C #, Java languages. More details about us can be found on the PVS-Studio website . We also write articles and post them on our blog , on Habré and other resources.

    Q:What kind of static analysis? In our team, we have enough compiler warnings and joint code reviews.

    A: The compiler is able to point out only gross and fairly obvious errors. For example, unreachable code or the use of uninitialized variables. Identifying errors for the compiler is a side task. Yes, lately compilers have become quite intelligent. But any specialized tool for finding errors in the code is far superior to the compiler, allowing for detailed analysis of the code and identifying typos, logical errors, the potential use of null pointers / references, etc.

    Collaborative code reviews are a good, time-tested technology. But it also has drawbacks associated with the need to attract additional employees to work on someone else's code. This increases the cost of development, with the likelihood of missing an error or adding a new one, since it is human to err.

    Static analysis is the verification of the source code of a program without the need to execute it. We recommend using static code analysis tools as an additional barrier to errors.

    Q: Does PVS-Studio analyze executable files or the source code itself?

    A:If we talk about the search for vulnerabilities, then the analysis of the executable code is more similar to how the antivirus works, looking for signatures in a binary code from some database.

    PVS-Studio analyzes source code . This allows you to identify a much larger circle of errors and potential vulnerabilities, increases the speed of work and gives more reliable results.

    Yes, of course, you can try to disassemble the code and find an error in the algorithm. But it must be understood that in the binary code a lot of information is lost. For example, always the true condition will be simply deleted when the code is compiled, and there is no way to know that something was wrong with this condition.

    Q: And what are the integration possibilities? Do you have plugins for any IDE?

    A:Currently, PVS-Studio is integrated into Visual Studio 2010-2017 as a plug-in. There is a java plugin for IntelliJ IDEA. Also, thanks to a specialized module, you can manage CMake projects in Qt Creator and CLion.

    The analyzer is constantly evolving, so you can find out the most current information about the capabilities of the product by visiting our website .

    Q: We use SonarQube.

    A: An excellent choice. The PVS-Studio plugin for SonarQube will allow you to import analysis results into SonarQube and work with them in the usual way.

    Q: Well, I need to somehow integrate the analysis into our build system.

    A:PVS-Studio can be used from the command line. The analyzer contains a large set of settings for solving a wide range of tasks. Also, regardless of the usage scenario, we provide assistance to our clients during the implementation phase of the analyzer and technical support during the entire license period.

    Q: How to try your analyzer?

    A: Use the download page , download the necessary distributive and work with PVS-Studio in trial mode. If you need additional time to evaluate our product or you are not satisfied with the limitations of the demo version, please contact us .

    Also at trade shows, our visitors can get an Enterprise-key, which is valid for one month. To do this, simply come to our booth with a unicorn. In addition, you can become a participant of the lottery and receive a prize from PVS-Studio.

    Q: I am a student, is it possible to use PVS-Studio for free?

    A: This is possible if you add special type comments to your source code. Files marked this way will be checked for errors without any restrictions. More details about this mode of operation can be found in the article " How to use PVS-Studio for free ."

    Q: Who are your customers?

    A:At the moment, more than 200 companies worldwide have become our clients. The scope of their activities is very diverse. A list of existing customers can be found on our website .

    Q: So you have a local mode of operation or not?

    A: The PVS-Studio analyzer is installed locally on a dedicated computer (computers) and can work completely in isolation. Connecting to the Internet is necessary to receive updates, as well as to quickly follow links to documentation (description of diagnostics, etc.) from plug-ins. We are currently considering options for working through the "cloud", but this will be in addition to the standard mode of operation.

    Q: And what exactly are you better at, say, the Coverity analyzer?

    A:This question can not be given a simple and comprehensive answer. All our attempts at comparing with other analyzers failed. We were accused of bias, “winding up” the results, using a specially prepared test base and other deadly sins. In addition, analyzers cannot simply be compared head-on. Each tool is unique and has its strengths and weaknesses. Some tools focus on performance, others focus on searching for “smells” in the code and improving the style. We are looking for bugs and potential vulnerabilities.

    If you have a desire and a suitable methodology, you can conduct research and compare our analyzer with others, and then write an article about it. To do this, we will even issue you a temporary license key without any restrictions. But be prepared for criticism.

    Q:I did not understand, so you are looking for errors only in non-compiled code? That is, the program did not even pass compiler check?

    A: It is not. PVS-Studio only finds and finds errors in compiled programs. In real-life applications. These programs are not just compiled without errors, some of them are checked by other analyzers. Still, we look for errors there. About this, we often write articles in our blog, checking open source projects.

    Q: And what errors can PVS-Studio reveal in our project? Only typos?

    A: Typos, of course, belong to the class of classical errors detected by static analysis. But beyond that, PVS-Studio could potentially reveal several hundred more patterns.mistakes. Examples: null pointer dereference, division by zero, condition is always false or true, incorrect operations with the index, going beyond the array boundary, and many others. A complete list of errors is provided on the documentation page .

    Q: After checking with your analyzer, can I be sure that the program contains no errors?

    A: No. PVS-Studio is not a tool for proving the correctness of programs. This is a separate class of tools. The task of our analyzer is to quickly and reliably indicate the potentialerror in the code. The decision about the inaccuracy of a particular design is always taken by the developer, using the context of the occurrence of errors and their knowledge of the project. And the analyzer helps the developer by minimizing the number of false positives to the minimum and providing additional options for processing the list of alerts received.

    Q: How exactly does PVS-Studio work? What kind of error search mechanisms? You probably use regular expressions.

    A: Using regular expressions is extremely inefficient. It allows you to find only the most primitive errors, for example, in conditions (compare two identical subexpressions):

    if ((a+b+с) == (a+b+с)) {....}

    At the same time, a small code change (without changing the operation logic) is very likely to put such an analyzer at a standstill:

    if ((a+b+с) == (b+a+с)) {....}

    The PVS-Studio analyzer is much smarter and uses the following mechanisms:

    • Pattern matching based on an abstract syntax tree.
    • Building a semantic model followed by type inference (type inference).
    • Symbolical execution, which allows to calculate the values ​​of variables that can lead to errors, as well as to check the ranges of values ​​(range checking).
    • Data flow analysis (data-flow analysis).
    • Annotation of methods (method annotations).

    My colleague Andrey Karpov described this in more detail in a recent article " Technologies used in the PVS-Studio code analyzer for searching for errors and potential vulnerabilities ."

    Q: Well, we have a C / C ++ project, 15 years of development and five million lines of code. Do we really start using PVS-Studio now?

    A: Yes. At the implementation stage, it will be necessary to carry out a complete check of your project once. Then all the received warnings (probably there will be a lot of them) can be noted as still uninteresting (to temporarily suppress their withdrawal) in order to return to this technical debt later. After that, you can use PVS-Studio to regularly check only new code. For more information about this and other features of the analyzer, seedocumentation page .

    Q: How often should I run a scan? And what, the entire code base every time to check?

    A: The most effective use of static analysis involves the most frequent checks of the new code. To do this, PVS-Studio implements an incremental analysis mode. Files that have been modified since the last build of the project are submitted for review. There are other modes of operation. This allows you to identify errors at the design stage, which reduces the risk of their release.

    Q: We use PVS-Studio. The analyzer finds errors, but many of them are in unused code or tests. This is normal?

    A: It is quite normal. One of the features of static analysis, as opposed to dynamic, is checkingthe entire codebase, and not just the code executed at startup. Let's say you spent a lot of time and effort debugging the program code, and everything works stably. But there is a function that is rarely used, or not yet used at all. The probability of finding an error in such a function is high. And when one day they start using the function, something can go wrong. The use of static analysis will minimize the risk of such a situation.

    Also, the code may contain deliberately incorrect constructions (usually it happens in tests), therefore, it often makes sense to exclude them from checking (specifying projects or paths) through the PVS-Studio settings. However, sometimes the tests themselves contain errors. Such situations are quite difficult to identify, and in this case the decision must be made by the developer.

    Q: What about vulnerability search?

    A: The PVS-Studio analyzer is a SAST (Static Application Security Testing) tool and allows you to identify potential vulnerabilities classified according to CWE (Common Weakness Enumeration). CWE warnings largely overlap with the classic PVS-Studio warnings. You can learn more about SAST from the documentation . It is important to understand that potential vulnerabilities do not necessarily lead to real vulnerabilities that can be exploited by a hacker. Vulnerabilities identified are classified by CVE (Common Vulnerabilities and Exposures). However, the elimination of potentialVulnerabilities uniquely contributes to improving program security and minimizes the risk of identifying real vulnerabilities in the future.

    Q: I lead the development team. How exactly will PVS-Studio help me?

    A: In addition to improving the quality and reliability of the code, the introduction of PVS-Studio will also allow solving purely managerial tasks related, for example, to sharing responsibility. The analyzer includes the BlameNotifier utility, which allows you to automatically identify employees who sent the erroneous code to the version control system. In this case, mail notifications are sent to both the performer and his manager.

    You can also customize the conversion of error reports to any form convenient for you, including a detailed html report convenient for the manager to use.

    Finally, in the case of the use of SonarQube, you can use all the advantages of this tool to ensure continuous quality control of the code by uploading to the SonarQube the results of project verification with the PVS-Studio analyzer using a specialized plug-in.

    Q: Do you use or plan to use machine learning?

    A: This is a big and interesting topic. We plan to write about this article of a critical plan. Now I will voice only a couple of short thoughts.

    There is no need to make a calculator by machine learning. There is a certain rule (formula), and it should be applied to the code and make some kind of conclusion. It is not clear why setting up a neural network to identify a new error pattern, when these patterns already exist, and you just need to correctly apply them. And, most importantly, it is not clear where to take the base for such training. Where is that sample of hundreds of thousands of projects with written errors on which you can learn?

    The only place where, in our opinion, the use of machine learning algorithms can make sense is the filtering of false positives.

    Q: Do you check the PVS-Studio code with PVS-Studio?

    A:Of course! Moreover, in case of detection of errors, the list of perpetrators is made public with their subsequent weaning from the refrigerator with ice cream. But seriously, we believe that it is very useful to use your own tool. This allows you to look at the product from the user's point of view and notice some flaws.

    Q: How to get your great statuses for the desktop and branded earflaps?

    A: Come to our booth with the unicorn at the nearest exhibition, where we will be present with the booth. We'll come up with something :)

    Picture 2

    I hope I managed to answer the most popular questions of visitors to our stands at exhibitions. Of course, there are more complex questions that may require writing a separate article to answer.

    When communicating with visitors, we try to convey the main point: static analysis is not a panacea for all ills, but its use is very good for your health (your programs). Use PVS-Studio and do not get sick!

    In conclusion, I will cite a number of useful links:

    If you want to share this article with an English-speaking audience, then please use the link to the translation: Sergey Khrenov. Everything You Wanted To Know About PVS-Studio and Dared To Ask

    Also popular now: