PVS‑Studio is a Static Application Security Testing (SAST) solution. This tool helps enhance code in terms of quality, reliability, and safety.
PVS‑Studio detects errors and potential vulnerabilities at the early stages of development, thus reducing the cost of fixing them. The analyzer supports analysis of programs written in C, C++, C#, and Java.
The PVS‑Studio analyzer is in particularly high demand where any error can lead to large losses of time, reputation, or money.
One of these software development areas is the financial sector — for example, trading and banking software.
Here's a little story our user told us at a conference.
The analyzer has the V3040 diagnostic rule, which detects a situation when one integer value is divided by another integer value. The result of division is placed in a variable of the float or double type. Of course, such code is not always erroneous, but it is definitely suspicious and requires checking.
Someone might think this error is far-fetched and that V3040 often produces false positives. They may be both right and wrong. It all depends on the application type and what the program actually calculates.
The user said that the team they work in found a nasty error with the help of this diagnostic rule. We won't tell you where this person works, since this story was told on condition of anonymity (no, it wasn't a bank).
The module where the error was found calculated flexible prices for various options and conditions of orders. In other words, the software calculated what price managers should tell the potential client. The error crept into the calculation of a certain coefficient. An integer division was used where it should not have been:

    double K;
    ....
    if (foo)
      K = 200 / 95;
    else
      ....
Let's state right away that this code fragment is just an example, and we don't know what the real code looks like. The idea is that instead of a coefficient of 2.1, a coefficient of 2 was used in code. As a result, while communicating with customers, managers set the price a bit lower than they expected. The price was calculated incorrectly only under a certain combination of conditions, so no one ever noticed the error, trusting the numbers that the program gives out.
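To make the effect concrete, here is an added example (written for this article's scenario, not the user's real code and not PVS‑Studio code) that puts the integer-division branch beside the corrected one and compares the quotes over every combination of conditions. The flag names, the default coefficient of 1.5, and the base price are assumptions. It is written in C; the `200 / 95` expression is evaluated as an integer division in the same way.

```c
#include <stdio.h>

/* Constructed pricing rule: flag names, 1.5 default and base price are assumptions. */

/* Buggy: both operands of 200 / 95 are int, so the result is 2 before conversion. */
static double k_buggy(int bulk, int rush)
{
    double K = 1.5;
    if (bulk && rush)
        K = 200 / 95;
    return K;
}

/* Fixed: one floating-point operand makes the division floating-point. */
static double k_fixed(int bulk, int rush)
{
    double K = 1.5;
    if (bulk && rush)
        K = 200.0 / 95;
    return K;
}

/* Quote in cents, rounded to the nearest cent (positive values only). */
static long quote_cents(long base_cents, double K)
{
    return (long)((double)base_cents * K + 0.5);
}

/* Differential check: counts underquoted combinations, stores the largest shortfall. */
int count_underquotes(long base_cents, long *max_shortfall)
{
    int bad = 0;
    *max_shortfall = 0;
    for (int bulk = 0; bulk <= 1; bulk++)
        for (int rush = 0; rush <= 1; rush++) {
            long diff = quote_cents(base_cents, k_fixed(bulk, rush))
                      - quote_cents(base_cents, k_buggy(bulk, rush));
            if (diff > 0) bad++;
            if (diff > *max_shortfall) *max_shortfall = diff;
        }
    return bad;
}

int main(void)
{
    long worst;
    int bad = count_underquotes(100000, &worst); /* constructed base: 1000.00 */
    printf("%d of 4 combinations underquote, worst by %ld cents\n", bad, worst);
}
```

Only one of the four combinations differs, which is why spot checks on common orders would not reveal the problem.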
Since this coefficient was calculated incorrectly only in rare cases, this error did not significantly harm the company's revenue. Nevertheless, the error was so unpleasant that the developers decided to hide it from the management and quietly fixed it.
Let's not delve into a discussion of whether such behavior is ethical. What's more interesting is that a simple error in integer division led to consequences that the developers were afraid to tell the management about.
As you can see, even the simplest errors can lead to losses of money, time, and effort. If we are talking about more serious software, then errors can be extremely expensive in general. Those who develop software for the financial area use an integrated approach to ensure reliability. The PVS‑Studio static analyzer can be an excellent addition to the code quality control tools.