PVS-Studio in 2024

• General updates
  • Plugins for IDE
  • Integrations
  • Other changes
• C++
  • Enhancements and new functionality
  • New diagnostic rules
  • Articles
• C#
  • Enhancements and new functionality
  • New diagnostic rules
  • Articles
• Java
  • Enhancements and new functionality
  • New diagnostic rules
  • Articles
• Conclusion

It's January 2025, so it's a perfect time to reflect on everything in 2024. In this article, we explore what the PVS-Studio team introduced last year: new plugins, integrations, features, and much more!

General updates

Plugins for IDE

Java project analysis in Visual Studio Code

In 2023, we introduced the PVS-Studio plugin for Visual Studio Code. It has come quite a long way from a simple report viewer to a full-fledged feature for analyzing C++ and C# projects. And the journey is far from over!

In 2024, our team added the analysis of Java projects in the PVS-Studio plugin for Visual Studio Code! Now the Java plugin enables developers to:

• run the analysis and view reports;
• suppress warnings using suppress files;
• perform incremental analysis;
• and more (see the documentation for the full list of features.)

Enhanced mode to mark false positives and other fixes for Visual Studio

The PVS-Studio plugin for Visual Studio 2024 now includes a new mode that considers the source code line hashes with issued warnings when users mark warnings as false positives.

Prior to this, hashes were used for navigation and operation of suppress files. The new mode allows developers to track whether the line has changed since its warning was marked as false positives. If the line has been changed, the marker of a false positive will no longer suppress the warning.

std::string(4, std::string().at(0)); //-V530 //-VH"920700501"

In version 7.33, we've fixed compatibility issues between the PVS-Studio plugin and Visual Studio 2022 (versions 17.12 and later). We can't help but share—a user has pointed out this error! Our support team is standing by to help with any issues you encounter. So, don't hesitate to let us know if something breaks or if you have any ideas on how to enhance the analyzer!

New requirements for IntelliJ IDEA, CLion, and Rider

To maintain plugin stability and compatibility in 2024, the minimum supported versions of JetBrains IDEs for our plugins have been raised to version 2022.2.

Additionally, our team has added support for .pvsconfig files to configure diagnostic rules in the PVS-Studio plugin for CLion.

Qt Creator plugin enhancements

The PVS-Studio plugin for Qt Creator—like the plugin for Visual Studio Code—was introduced two years ago, in 2023. In 2024, we vastly expanded the range of supported IDE versions:

• first, Qt Creator 12 on macOS;
• then, Qt Creator 13 and 14.

Along with supporting new versions, we've also started retiring deprecated ones. The first to be retired was Qt Creator 8.x, released in July 2022. We've decided to support all official Qt Creator versions no older than two years.

Integrations

Splitting the SonarQube plugin

In 2024, the PVS-Studio plugin for SonarQube was split into two separate ones.

It was all about the modified SonarQube API: the severity level of warnings was incorrectly displayed in the list. To resolve this, we had to split the plugin into two. You can read about these changes in our article.

New integration: CodeChecker

In 2024, many users requested it, and we couldn't help but deliver it! We implemented the PVS-Studio reports in CodeChecker, the server which provides web interface for viewing and aggregating static analysis results.

New functionality for Unreal Engine

Last year, we added support for SN-DBS, the distributed build system, to ensure better integration PVS-Studio with Unreal Engine (starting with Unreal Engine 5.5.)

We've also made numerous other improvements to the PVS-Studio for Unreal Engine. If you're interested, we invite you to read the article, which describes them in detail.

Other changes

Documentation revision

Throughout the year, we continued enhancing our documentation. We added new documentation sections for the latest features and diagnostic rules, while also revising the existing ones.

For example, we updated the documentation for integrating the analyzer into CircleCI, the cloud CI system. In the section on analyzing C and C++ projects with the JSON Compilation Database, we've added instructions for working with the Bazel and SCons build systems.

Modified file analysis mode

A new modified file analysis mode evaluates file hashes and saves them to a dependency cache. At the next run, only files with changed hashes will be analyzed.

Currently, you can analyze modified files in MSBuild C, C++, and C# projects on Windows using the PVS-Studio_Cmd utility and in C# projects on Linux/macOS using the pvs-studio-dotnet utility.

PVS-Studio is now on ARM!

PVS-Studio has been available on macOS since 2019—but until now, it only supported x86 processors.

That changed with version 7.34! The latest 2024 release has brought full support of PVS-Studio on macOS for processors with ARM architecture.

C++

Enhancements and new functionality

The enhanced individual file analysis mode

In 2024, we extended the individual file analysis in the pvs-studio-analyzer utility, introducing the ‑‑source-files flag. This made it possible to streamline the utility usage when the compilation dependency cache for C and C++ files differs from the project structure.

Note. To learn more about the cache of compilation dependencies for C and C++, refer to the documentation section.

GNU RISC-V GCC Toolchain support

We supported the GNU RISC-V GCC Toolchain on the RISC-V platform for C and C++ analyzers.

Memory optimization for template instantiation analysis

We made significant strides in reducing memory usage when analyzing template instantiations in C++. Thanks to our team's efforts, the average resource consumption of the analyzer was significantly reduced. One of the open-source projects we used for testing showed a reduction in memory usage of over 90%.

Try the updated PVS-Studio analyzer here!

User annotations

PVS-Studio had various mechanisms that helped tailor the analyzer for the specific code base and enabled users to customize diagnostic rules.

Note. To learn more about the additional configuration of the C and C++ analyzer diagnostic rules, refer to the documentation section.

However, in 2024, we took it a step further and implemented a more powerful mechanism: user annotations in JSON files. This new format offers greater flexibility, scalability, and readability compared to the previous functionality. It also allows users to annotate even third-party code by marking user-defined functions and types. Even now, the new user annotation system enables developers to set the following parameters:

• For types:
  • similarity to standard classes like std::unique_ptr, std::string, std::vector, etc.;
  • semantics (cheap-to-copy, copy-on-write, etc.);
• For functions:
  • function properties: does not return control (noreturn), declared as deprecated, etc.;
  • function parameter properties: the nullable object should be valid, the parameter should differ from other parameters, etc.;
  • parameter constraints: allow and disallow the passing of certain integers;
  • return value properties: taint data (for taint analysis), the nullable object is always valid, etc.

How user annotations help the analyzer? You can find the answer in the article: User annotations for PVS-Studio.

Note. To learn more about user annotations, refer to the documentation section.

The enhancement: analyzer parsing

In 2024, we made significant improvements to C++ code parsing.

Enhancements:

• The parsing of libc++ standard library: we've improved the template parsing and added support for nested inline namespace from C++20.
• The parsing of hexadecimal integer literals (C++17).
• The parsing of large nested loops.

New features:

• The parsing of flags (C20, C++23, and C++26 standards) and their GNU analogs for C and C++;
• The parsing of Boost smart pointers: boost::unique_ptr and boost::shared_ptr;
• The parsing of multiple declarators in using-declaration.

New diagnostic rules

Diagnostic rules (General Analysis)

• V839. Function returns a constant value. This may interfere with move semantics.
• V1104 . Priority of the 'M' operator is higher than that of the 'N' operator. Possible missing parentheses.
• V1105. Suspicious string modification using the 'operator+='. The right operand is implicitly converted to a character type.
• V1106. Qt. Class inherited from 'QObject' should contain at least one constructor that takes a pointer to 'QObject'.
• V1107. Function was declared as accepting unspecified number of parameters. Consider explicitly specifying the function parameters list.
• V1108. Constraint specified in a custom function annotation on the parameter is violated.
• V1109 . Function is deprecated. Consider switching to an equivalent newer function.
• V1110. Constructor of a class inherited from 'QObject' does not use a pointer to a parent object.
• V1111. The index was used without check after it was checked in previous lines.
• V1112. Comparing expressions with different signedness can lead to unexpected results.
• V1113. Potential resource leak. Calling the 'memset' function will change the pointer itself, not the allocated resource. Check the first and third arguments.
• V1114. Suspicious use of type conversion operator when working with COM interfaces. Consider using the 'QueryInterface' member function.
• V1115. Function annotated with the 'pure' attribute has side effects.
• V1116. Creating an exception object without an explanatory message may result in insufficient logging.
• V1117. The declared function type is cv-qualified. The behavior when using this type is undefined.

Requested by users

• V2021. Using assertions may cause the abnormal program termination in undesirable contexts.
• V2022. Implicit type conversion from integer type to enum type.

MISRA

• V2625. MISRA. Identifiers that define objects or functions with external linkage shall be unique.

Articles

During the year, we've published 45 articles dedicated to the C++ language. As it turned out, the most popular ones are about arrays:

• std::array in C++ isn't slower than array in C
• How not to check array size in C++
• I _____ hate arrays in C++!
• Error on verge of extinction, or why I put if (x = 42) in Red List of C & C++ bugs

Throughout the year, we've been working on an especially gorgeous project that's quickly gaining popularity. Now we're thrilled to present the full version of the e-book dedicated to undefined behavior in C++. Written in collaboration with Dmitry Sviridkin, an experienced software engineer, and Andrey Karpov, co-founder of PVS-Studio, this guide will be a trove of knowledge for developers.

C++ programmer's guide to undefined behavior consists of 12 parts that explore the most mysterious and exotic aspects of undefined behavior. The authors share practical examples and tips to avoid common development mistakes. This book will not only be useful but also entertaining for anyone working with C++.

C#

Enhancements and new functionality

New .NET version support

In 2024, the C# analyzer team supported the analysis of projects under .NET 9, including all its latest features.

PVS-Studio quickly adapts to new versions of .NET and C# after their releases. To ensure you don't miss a new analyzer version, subscribe to our release digest.

User annotations for the C# analyzer

Like in C++, we added user annotations in JSON format to the C# analyzer.

At the moment, user annotations in the C# analyzer are available only for taint analysis.

Now, users can mark sources and sinks of sensitive data, which helps the analyzer more precisely identify potential vulnerabilities in a given project.

Looking ahead, we plan to extend C# annotations beyond taint analysis to further enhance error detection capabilities.

The present and future of Unity

In 2024, the C# analyzer team focused on Unity-specific diagnostic rules.

Unity-specific diagnostic rules:

• V3205. Unity Engine. Improper creation of 'MonoBehaviour' or 'ScriptableObject' object using the 'new' operator. Use the special object creation method instead.
• V3206. Unity Engine. A direct call to the coroutine-like method will not start it. Use the 'StartCoroutine' method instead.
• V3207. The 'not A or B' logical pattern may not work as expected. The 'not' pattern is matched only to the first expression from the 'or' pattern.
• V3208. Unity Engine. Using 'WeakReference' with 'UnityEngine.Object' is not supported. GC will not reclaim the object's memory because it is linked to a native object.
• V3209. Unity Engine. Using await on 'Awaitable' object more than once can lead to exception or deadlock, as such objects are returned to the pool after being awaited.
• V3210. Unity Engine. Unity does not allow removing the 'Transform' component using 'Destroy' or 'DestroyImmediate' methods. The method call will be ignored.
• V4006. Unity Engine. Multiple operations between complex and numeric values. Prioritizing operations between numeric values can optimize execution time.
• V4007. Unity Engine. Avoid creating and destroying UnityEngine objects in performance-sensitive context. Consider activating and deactivating them instead.

In 2025, we plan to add even more optimization-focused and Unity-specific diagnostic rules. If you have suggestions for rules that would benefit Unity developers, we'd love to hear from you—feel free to email us!

Other enhancements

• Implemented change tracking for method return values between calls.
• Refined data flow for alias analysis.
• Improved interaction between logical and reference variables.
• Optimized memory usage and reduced the time required to open large reports (over 1 GB) in .plog and .json formats in Visual Studio.

New diagnostic rules

Diagnostic rules (General Analysis)

• V3194. Calling 'OfType' for collection will return an empty collection. It is not possible to cast collection elements to the type parameter.
• V3195. Collection initializer implicitly calls 'Add' method. Using it on member with default value of null will result in null dereference exception.
• V3196. Parameter is not utilized inside the method body, but an identifier with a similar name is used inside the same method.
• V3197. The compared value inside the 'Object.Equals' override is converted to a different type that does not contain the override.
• V3198. The variable is assigned the same value that it already holds.
• V3199. The index from end operator is used with the value that is less than or equal to zero. Collection index will be out of bounds.
• V3200. Possible overflow. The expression will be evaluated before casting. Consider casting one of the operands instead.
• V3201. Return value is not always used. Consider inspecting the 'foo' method.
• V3202. Unreachable code detected. The 'case' value is out of the range of the match expression.
• V3203. Method parameter is not used.
• V3204. The expression is always false due to implicit type conversion. Overflow check is incorrect.
• V3205. Unity Engine. Improper creation of 'MonoBehaviour' or 'ScriptableObject' object using the 'new' operator. Use the special object creation method instead.
• V3206. Unity Engine. A direct call to the coroutine-like method will not start it. Use the 'StartCoroutine' method instead.
• V3207. The 'not A or B' logical pattern may not work as expected. The 'not' pattern is matched only to the first expression from the 'or' pattern.
• V3208. Unity Engine. Using 'WeakReference' with 'UnityEngine.Object' is not supported. GC will not reclaim the object's memory because it is linked to a native object.
• V3209. Unity Engine. Using await on 'Awaitable' object more than once can lead to exception or deadlock, as such objects are returned to the pool after being awaited.
• V3210. Unity Engine. Unity does not allow removing the 'Transform' component using 'Destroy' or 'DestroyImmediate' methods. The method call will be ignored.

Micro-optimizations

• V4006. Unity Engine. Multiple operations between complex and numeric values. Prioritizing operations between numeric values can optimize execution time.
• V4007. Unity Engine. Avoid creating and destroying UnityEngine objects in performance-sensitive context. Consider activating and deactivating them instead.

Articles

Over a year, the C# team wrote over 20 articles about analyzing various projects and exploring different features of C#. Here are the most popular ones:

• Top 10 errors found in C# projects in 2024
• The last source code: digging into bugs in projects after indie game studio shuts down.
• Time to refactor legacy with OOP
• WolvenKit code analysis: things to know before modding Cyberpunk 2077
• How can one code line crash application? Looking for issues and vulnerabilities in ScreenToGif

We also have a new regular series, .NET Digest. We cover the most interesting news and events in the world of .NET! You can read the latest installment here.

Java

Enhancements and new functionality

Taint analysis

The December release brought a new mechanism to the Java analyzer, taint analysis! Now we can develop diagnostic rules for taint analysis. This marks a significant step in our evolution as a SAST solution.

Taint analysis is a technology that helps track the external data flow. If such data reaches key areas of the code, it can lead to various vulnerabilities.

The first diagnostic rule for taint analysis in the Java analyzer, V5309, can detect potential SQL injections.

If you'd like to go a little deeper into the theory of what taint analysis is and how such mechanisms are implemented, I recommend reading our article about it.

Setting analysis timeouts in IDEA

We've added the option to set a timeout for analysis in the IDEA plugin. Now, you can specify a maximum duration, after which the analysis will automatically stop.

And that's not all! The next release will bring a lot of changes and improvements to our IDEA plugin. Stay tuned for updates :)

New diagnostic rules

Diagnostic rules (General Analysis)

• V6108. Do not use real-type variables in 'for' loop counters;
• V6109. Potentially predictable seed is used in pseudo-random number generator;
• V6110. Using an environment variable could be unsafe or unreliable. Consider using trusted system property instead;
• V6111. Potentially negative value is used as the size of an array;
• V6112. Calling the 'getClass' method repeatedly or on the value of the '.class' literal will always return the instance of the 'Class<Class>' type;
• V6113. Suspicious division. Absolute value of the left operand is less than the value of the right operand;
• V6114. The 'A' class containing Closeable members does not release the resources that the field is holding;
• V6115. Not all Closeable members are released inside the 'close' method;
• V6116. The class does not implement the Closeable interface, but it contains the 'close' method that releases resources;
• V6117. Possible overflow. The expression will be evaluated before casting. Consider casting one of the operands instead;
• V6118. The original exception object was swallowed. Cause of original exception could be lost;
• V6119. The result of '&' operator is always '0';
• V6120. The result of the '&' operator is '0' because one of the operands is '0';
• V6121. Return value is not always used. Consider inspecting the 'foo' method;
• V6122. The 'Y' (week year) pattern is used for date formatting. Check whether the 'y' (year) pattern was intended instead;
• V6123. Modified value of the operand is not used after the increment/decrement operation;
• V6124. Converting an integer literal to the type with a smaller value range will result in overflow;
• V6125. Calling the 'wait', 'notify', and 'notifyAll' methods outside of synchronized context will lead to 'IllegalMonitorStateException';
• V5309. OWASP. Possible SQL injection. Potentially tainted data is used to create SQL command;

Articles

In 2024, we posted articles detailing the process of creating diagnostic rules. Highly recommended reading:

• OOP in real-life cases
• YYYY? yyyy!

Conclusion

We've highlighted many of the most significant new features added to the analyzer in 2024, but this is only a glimpse into the full scope of changes. You can find a full list of changes in the release history.

Want to stay informed about future updates? Subscribe to our release digest. We also offer you to take a peek at our event and article digests.

What enhancements would you like to see in PVS-Studio in 2025? Share your ideas with us in the comments!