
Getting Started with the PVS-Studio Static Analyzer for Visual C++

Jul 23 2019
Author:

In this article, I'm going to tell you about PVS-Studio, an analyzer for C and C++ code, and show you how to use it in the Visual C++ environment. This guide is specifically intended for beginner users.


Installing the analyzer

PVS-Studio supports Microsoft Visual Studio 2019, 2017, 2015, 2013, 2012, and 2010. See the documentation for the system requirements. Currently, PVS-Studio can analyze projects written in C, C++, C#, and Java. However, this article focuses on programmers who work in Visual C++ and are looking for help to get started with the analyzer.

The installation package can be downloaded here. After running it, you'll be offered a number of integration options (Figure 1) to choose from. Unavailable options are greyed out.


Figure 1. Integration components selection window.

After you have installed PVS-Studio, open the About window of Visual Studio and make sure the analyzer is present among installed products.

Checking a project

Once the installation is complete, you can go on to check your project. You can also try analyzing the entire solution. To do that, click Extensions > PVS-Studio > Check > Solution (Figure 2).


Figure 2. Checking a solution with PVS-Studio.

If you have any difficulties running the check, see the "PVS-Studio: Troubleshooting" section on our website. Those are not some dumb hints like "make sure the plug is plugged into the outlet". The section describes typical issues that our users have reported and ways to solve them.

Handling the warnings list

Once the check is complete, the diagnostic messages will appear in a special window. This window has a lot of elements, which all serve to manipulate the list so that you can view only the warnings of interest. At first, however, it might look somewhat complicated.

Figure 3. Warnings window.

The complete overview of the window's elements can be found in the documentation, but now we'll focus only on the basic ones:

  • Warnings' certainty levels. The screenshot above shows the medium and high levels enabled. The low level deals more with "Code Smells" and warnings that, unfortunately, tend to produce too many false positives. Why are there so many low- and medium-level warnings but so few high-level ones? The answer is that the MISRA diagnostics have been enabled, which contain rules such as "the function should have only a single exit point". Of course, you normally don't need these diagnostics, so they are disabled by default. See also the note "How to quickly check out interesting warnings given by the PVS-Studio analyzer for C and C++ code?".
  • The filter. You can filter the messages by code, CWE, text, project, or file.
  • The number of the triggering line. Some diagnostics can refer to a number of lines: such warnings have an ellipsis next to the line number.

SAST

PVS-Studio is a tool for static application security testing (SAST), which means it can detect potential vulnerabilities in source code and show the corresponding weakness identifier according to a particular classification.

PVS-Studio supports the following weakness classifications:

  • CWE
  • SEI CERT
  • MISRA

To enable CWE codes, open the analyzer window's drop-down menu and then tick Show Columns > CWE.


Figure 4. Enabling CWE codes from the drop-down menu.

Another way to do that is to select Extensions > PVS-Studio > Display CWE Codes in Output Window on Visual Studio's menu bar.


Figure 5. PVS-Studio submenu in the Extensions menu.

MISRA diagnostics, by contrast, are enabled in the options window:


Figure 6. List of detectable weaknesses.

You can learn more about these classifications here.

Checking projects from the command line

PVS-Studio_Cmd.exe is a utility to check C++ .vcxproj projects and solutions from the command line. It can be useful if you want to automate the analysis process. The program can be found in the installation directory, which is 'C:\Program Files (x86)\PVS-Studio' by default.

The utility has multiple parameters, but you'll need only three to get started:

  • --target: the file of the project or solution to be checked.
  • --output: the plog file in which to store the analysis report.
  • --progress: track the analysis progress.

This is what you will see after starting the check:


Figure 7. Output of the PVS-Studio_Cmd.exe utility.

Once the check is finished, a plog file containing the analysis report will be created in the directory specified in the start parameters. This report can be converted into other formats using the PlogConverter.exe utility. If you want to open the report in the IDE, simply double-click the plog file in Windows Explorer.

The report file can also be opened from the Extensions menu: Extensions > PVS-Studio > Open/Save > Open Analysis Report...


Figure 8. Opening an analysis report from the plugin's menu.

See the documentation for details on the utility and its parameters.

Suppressing false positives

The analyzer provides a variety of means to suppress false positives. They are described in detail in the following sections:

  • Fine tuning.
  • Mass suppression, which is especially useful when you want to suppress only those warnings that refer to new or modified code.

Sample warning

Let's take a look at an example of a warning issued by the analyzer. The following code snippet is taken from the ReactOS project:

VOID NTAPI
AtapiDmaInit(....)
{
  ....
  ULONG treg = 0x54 + (dev < 3) ? (dev << 1) : 7;
  ....
}

PVS-Studio's diagnostic message: V502 Perhaps the '?:' operator works in a different way than it was expected. The '?:' operator has a lower priority than the '+' operator. uniata id_dma.cpp 1610

The 0x54 + (dev < 3) expression will always evaluate to true: the non-null constant 0x54 is first added to the result of the (dev < 3) expression, which can evaluate either to 0 or 1, and only then is the resulting value compared with zero. As a result, treg is always assigned (dev << 1); the 0x54 offset is never added and the value 7 is never selected.

This is what the correct version looks like:

VOID NTAPI
AtapiDmaInit(....)
{
  ....
  ULONG treg = 0x54 + ((dev < 3) ? (dev << 1) : 7);
  ....
}

We have solved the issue by enclosing the '?:' operation in parentheses so that its result will now depend on the result of the (dev < 3) expression.
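To see the effect of the precedence error in concrete values, the following added example (not part of the ReactOS sources or of the original article) evaluates both forms of the expression for several inputs. The ULONG typedef, the assumption that dev is a ULONG, and the function names are hypothetical stand-ins.

```c
#include <stdio.h>

typedef unsigned long ULONG;  /* assumed stand-in for the Windows typedef */

#if defined(__GNUC__) || defined(__clang__)
/* The expression below is deliberately left as in the snippet;
   keep strict builds from rejecting it over a precedence warning. */
#pragma GCC diagnostic ignored "-Wparentheses"
#endif

/* As written: parsed as (0x54 + (dev < 3)) ? (dev << 1) : 7 */
static ULONG treg_as_written(ULONG dev)
{
    return 0x54 + (dev < 3) ? (dev << 1) : 7;
}

/* Parenthesized form from the corrected version. */
static ULONG treg_fixed(ULONG dev)
{
    return 0x54 + ((dev < 3) ? (dev << 1) : 7);
}

/* Counts the dev values in [0, limit) for which the two forms disagree. */
static unsigned count_mismatches(ULONG limit)
{
    unsigned n = 0;
    for (ULONG dev = 0; dev < limit; ++dev)
        if (treg_as_written(dev) != treg_fixed(dev))
            ++n;
    return n;
}

int main(void)
{
    for (ULONG dev = 0; dev < 5; ++dev)
        printf("dev=%lu  as written=0x%02lX  fixed=0x%02lX\n",
               dev, treg_as_written(dev), treg_fixed(dev));
    printf("mismatches for dev in [0,5): %u\n", count_mismatches(5));
    return 0;
}
```

The two forms disagree for every input, which is why an error like this can go unnoticed as a logic bug rather than a crash: the code still produces a plausible-looking value.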

Conclusion

That was a brief introduction to getting started with PVS-Studio for Visual C++. It doesn't cover every aspect, of course, so visit our blog, where we explain in detail how to work with the analyzer, and see the documentation for complete descriptions of the diagnostic messages and the tool's settings.
