
Andrey Karpov

For professors' note: use PVS-Studio to get students familiar with code analysis tools

Our support chats and some other indirect signs show that there are many students among our free users. The reason is that professors now use PVS-Studio more often in courses related to software development. We are very pleased with this, and we decided to write this short article to bring it to the attention of other teachers. We are glad that students are getting acquainted with the methodology of static code analysis in general and with the PVS-Studio tool in particular. Our team will try to contribute to this trend.

Development of modern software is impossible without an integrated approach for ensuring software quality and reliability. The reason is that the size of the codebase of today's applications is growing rapidly. Let numbers speak for themselves. For example, let's take operating systems:

  • MS DOS 1.0: 4,000 lines of code. One person could read this code in its entirety, sort it out, and find bugs.
  • Linux 1.0.0 kernel: 176,000 lines of code. A team could still review the code thoroughly, although it would take a lot of time and effort.
  • Linux 5.0 kernel: more than 26,000,000 lines of code. No one can take in a project of this size.

The Linux kernel example shows that the codebase size has grown 150 times in 25 years. It is now impossible for a programmer to review the code of the entire application in one sitting, that is, to understand it, find errors, and improve architectural solutions. The inner workings of modern programs can be too much for one person. At present, there are no longer specialists who can answer any question regarding a project's internals.

The inability to grasp the project is only half the trouble. As the size of a project grows, so does the error density. I would like to emphasize that it is not just about the increase in the number of errors, but about their density! In a coursework program, you can write 1,000 lines of code without making a single error, whereas there's no way you can add 1,000 lines of code to a large application without introducing a few errors. To explain, we will turn to the numbers again:

Figure 1. Typical error density in projects of different sizes. The data is taken from Steve McConnell's book "Code Complete".

So, it is impossible to write reliable programs using the same approaches as 20-30 years ago. You have to use a set of methodologies to help control the growing complexity of a software project and ensure the necessary code quality:

  • Coding standards
  • Code reviews
  • Unit tests
  • Regression testing
  • Load testing
  • Manual testing
  • ....
  • Dynamic analysis
  • Static analysis

The methodologies at the top of the list are quite familiar to programmers and have long been successfully applied by almost all teams. The last two, however, are still much less common, although they are not new. Therefore, when training students, professors should pay extra attention to static and dynamic analysis tools.

I won't say anything about dynamic analysis now, although it is no less important than static.

As for static analysis, it's our thing and I invite professors to pay attention to our PVS-Studio software product.

PVS-Studio is a tool designed to detect errors and potential vulnerabilities in the source code of programs written in C, C++, C# and Java. It works on 64-bit systems on Windows, Linux and macOS and can analyze code for 32-bit, 64-bit and embedded ARM platforms.

The PVS-Studio analyzer can be regarded as a fine example of a modern static code analysis tool. First, it's a great example to show the abilities of static analysis tools in detecting errors and security defects (SAST). Second, you can demonstrate its integration into the software development cycle to enable continuous code control. Using it as an example, you can show integration with systems such as Jenkins, TeamCity, Azure DevOps, SonarQube, Travis CI and others.

In order to start using PVS-Studio as part of the training, you don't need to do anything special.

We provide several options for free PVS-Studio licensing, including ones for open projects. Specifically for educational purposes, in case students' work isn't open, the best option is to add the following comment to the code:

// This is a personal academic project. Dear PVS-Studio, please check it.

// PVS-Studio Static Code Analyzer for C, C++, C#, and Java: http://www.viva64.com

You need to follow two steps to start using the PVS-Studio code analyzer for free:

Step one

If you are using PVS-Studio as a Visual Studio plugin or you are using the "C and C++ Compiler Monitoring UI" (Standalone.exe) utility, enter the following license key:

Name: PVS-Studio Free

Key: FREE-FREE-FREE-FREE

If you are using PVS-Studio for Linux/macOS, use the following command:

pvs-studio-analyzer credentials PVS-Studio Free FREE-FREE-FREE-FREE

Note. Previously, a comment was enough to activate the free license for the Linux version. Now you also need to enter this special key, because without it, some scenarios for using the analyzer turned out to be inconvenient. Read more.

Step two

You have to write two lines of comments at the beginning of each file. Make edits in all compilable files of your project. We mean files with the extensions c, cc, cpp, cs, java and others. You don't have to change h-files.

You can add the comments manually or use an auxiliary utility to do so. You can download the utility (together with the source code) here: how-to-use-pvs-studio-free.
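As an illustration of step two, here is an added example (not the PVS-Studio utility mentioned above and not code from the original article) that prepends the two comment lines to every compilable file in a project tree. The function names are assumptions made for this sketch, and only the extensions named explicitly on this page are covered; the script skips .h files, keeps a UTF-8 BOM and the file's line endings, and does nothing to files that are already tagged.

```python
import tempfile
from pathlib import Path

# The two comment lines quoted on this page for closed academic projects.
HEADER = (
    b"// This is a personal academic project. Dear PVS-Studio, please check it.\n"
    b"// PVS-Studio Static Code Analyzer for C, C++, C#, and Java: http://www.viva64.com\n"
)
# Extensions named on the page; header (.h) files are deliberately left out.
SOURCE_EXTS = {".c", ".cc", ".cpp", ".cs", ".java"}
BOM = b"\xef\xbb\xbf"  # UTF-8 byte order mark, common in Visual Studio files


def add_header(path):
    """Prepend HEADER to one file; return True if the file was changed."""
    data = path.read_bytes()
    bom = BOM if data.startswith(BOM) else b""
    body = data[len(bom):]
    # Already tagged (with either line ending): a second run changes nothing.
    if body.replace(b"\r\n", b"\n").startswith(HEADER):
        return False
    # Match the file's existing line endings so the diff stays minimal.
    header = HEADER.replace(b"\n", b"\r\n") if b"\r\n" in body else HEADER
    path.write_bytes(bom + header + body)
    return True


def tag_project(root):
    """Tag every compilable file under root; return the changed paths, sorted."""
    root = Path(root)
    changed = [p.relative_to(root).as_posix()
               for p in sorted(root.rglob("*"))
               if p.is_file() and p.suffix.lower() in SOURCE_EXTS and add_header(p)]
    return sorted(changed)


def demo():
    """Tag a constructed sample tree twice; return both runs and one result."""
    samples = {"src/main.cpp": b"int main() { return 0; }\n",
               "src/util.h": b"#pragma once\n",
               "src/App.cs": BOM + b"class App {}\r\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        first, second = tag_project(root), tag_project(root)
        return first, second, Path(root, "src/App.cs").read_bytes()


if __name__ == "__main__":
    print(demo()[:2])
```

Running `tag_project` on a version-controlled working copy lets students review the change as an ordinary diff before committing it.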

You can find the details in the article: "How to use PVS-Studio for free". Ask students to check it out. In particular, note that we provide support for free users on the Stack Overflow website. But do not confuse support with notifications about bugs. The article above describes these points.

Thank you for your attention. In case of any questions, we are ready to provide assistance and consultations. Don't hesitate to write to our support.
