Searching for Errors Using PVS-Studio

Author: Sergey Khrenov, PVS-Studio

This article is sponsored by PVS-Studio

Static code analysis is the process of detecting errors and bugs in the source code of programs, performed without their actual execution. It can be considered as the process of automated code review. Unlike an expensive procedure of regular meetings of several developers in one place to review a new code or re-reviewing code after making changes, static analysis tools are more profitable in terms of benefit/price ratio. One such tool is PVS-Studio.


Source: xkcd

PVS-Studio Analyzer

Now, a growing number of companies give preference to the usage of static analysis. Static analyzers typically handle program source code and produce recommendations for a developer who studies them and fixes the code himself. A list of recommendations (warnings), especially with infrequent using of the analyzer, can include thousands of messages, studying of which is quite labor-intensive. Therefore, one of the criteria for evaluating the quality of static analyzer work is minimizing the number of so-called "false positives", i.e. warnings indicating correct code. Such warnings make it difficult to find real bugs in the process of studying the report. Along with minimization of the number of false positives, analyzers of high quality typically provide possibilities for grouping warnings by levels of certainty, allowing studying the most suspicious code fragments in the first place. The analyzer should also provide additional tools to handle the warnings report, such as filtering, sorting, categorization, etc. All these requirements are fully satisfied by PVS-Studio analyzer.

PVS-Studio is a static code analyzer for programs in C, C++ and C#, designed to find vulnerabilities and bugs. In its 10-year history, PVS-Studio has come all the way from a supporting utility for converting C/C++ programs on 64-bit platform, to a fully functional modern static analysis tool that can be used on both Windows and Linux and that supports integration with Visual Studio as a plugin. It also supports offline usage through the Standalone application and console utilities.

A report of the PVS-Studio analyzer work (.plog) can be viewed with PVS-Studio plugin for Visual Studio or with a Standalone version of the analyzer. If needed, it is possible to convert the report to other formats. For this purpose, a PVS-Studio distribution package includes a number of utilities that allow handling the plog file different ways.

The most effective approach of using the analyzer is a continuous use of it that allows you to detect and correct errors immediately after they appear in code, before the code gets into a version control system or release. This significantly reduces the price of errors. According to the book "Code Complete" by McConnell, correction of an error at the stage of testing the code is ten times more expensive than at the stage of coding:

The PVS-Studio static code analyzer can be run in a background mode right after compilation, and in case of finding a potential error, will notify a programmer. Incremental analysis mode is available for the console version of the analyzer.

Generally, one static analysis is insufficient for full-fledged organization of code quality improving process. The best results can be achieved using a combination of various approaches, such as a good coding style, static code analysis, dynamic code analysis, unit testing, and regression testing and so on. Only in this case you can count on getting the best results.

Using PVS-Studio with IDE Visual Studio

PVS-Studio static analyzer is primarily targeted at Visual Studio users. You can use the plugin to integrate the analyzer into a Visual Studio 2010-2017 environment. Users get an additional "PVS-Studio" entry in the main menu and a window for working with error messages:



The analyzer is ready to work right after it is installed. In most cases, you do not need to configure anything to implement the first launch. Open the solution in the IDE, select the scan mode for the entire solution or specify individual projects and files in the navigation window. You can also check the currently open files in the editor.

One the analysis has run, you can view the results in the output window of PVS-Studio. To read the results you can sort by columns, filter through the levels of certainty and types of diagnostics, or exclude files, folders or entire projects from a report. If you wish, you can also configure additional custom filters. Descriptions of diagnostics are available by clicking on the warning code in the column "Code". To get acquainted with the full list of PVS-Studio diagnostics rules, see the documentation for PVS-Studio analyzer.

You can also do incremental analysis (a check of changed files since the last build), as well as a selective or mass suppression of warnings, false positive suppression, view stats of checks, or store and convert reports.

The options menu allows you to fine-tune the analyzer:

In addition to the general settings, specifying of applicable diagnostic rules is available, as is the ability to filter by file names and keywords.

Using this panoply of features significantly reduces the work required to study reports of large codebases, often containing thousands of warnings. If that is not enough, you can also use the PVS-Studio plugin for SonarQube. Download the report in SonarQube and use the additional abilities of metrics analysis of your code.

Offline Analyzer Mode

The Standalone application is designed for offline work with the PVS-Studio analyzer. In this application, checking projects during their build is implemented. Transitions along the code and the diagnostic warnings, and searching for code fragments, definitions, macros and data types are also supported. Standalone lets you the code regardless of the compiler or build system you used, and then lets you work with analysis results providing a user interface similar to the PVS-Studio plugin for Visual Studio.

Standalone provides a user interface for a tracking compilation system. The tracking system itself (console utility CLMonitor.exe) can be used regardless of Standalone, e.g. for integration static analysis into an automated build system. After the end of the analysis, you can use the same abilities of working with an analyzer report as in Visual Studio plugin: a window of diagnostic messages, analyzer configurations and so on.

For offline work with the analyzer, you can also use its console version, the utility "PVS-Studio_Cmd.exe". The most popular scenario for standalone mode is regular automatic analyzer runs, which can be run, for example, in conjunction with a scheduled "nightly build" on a build server. To check C++/C# projects or solutions (sln files), including such projects, you can use PVS-Studio analyzer straight away, without IDE Visual Studio. The utility provides an extensive list of settings, which you can read in the documentation section Analyzing Visual C++ (.vcxproj) and Visual C# (.csproj) projects from the command line.

PVS-Studio can work on a Linux environment as well as Windows. The code analyzer for Linux is a console application named pvs-studio that can perform checks in C and C++.You can learn more about using PVS-Studio on Linux in the article How to run PVS-Studio on Linux.

PVS-Studio in Action

As always, there is nothing better than to see the real results of the product's work. Recently, we have published articles on checks of Unreal Engine and Tizen projects:

Here we will consider two bugs found in these projects -- for more examples, read the articles above.

Unreal Engine

PVS-Studio warning: V767 Suspicious access to element of 'SelectedObjects' array by a constant index inside a loop. skeletonnotifydetails.cpp 38

for(int i = 0; i < SelectedObjects.Num(); ++i)
{
  UObject* Obj = SelectedObjects[0].Get();
  EdObj = Cast(Obj);
  if(EdObj)
  {
    break;
  }
}

The loop should contain a search of the element that has UEditorSkeletonNotifyObj type. Due to a typo, a numeric literal 0 was written instead of the i variable when choosing the element.

Correct code variant:

UObject* Obj = SelectedObjects[i].Get();

Tizen

PVS-Studio warning: V517 The use of 'if (A) {...} else if (A) {...}' pattern was detected. There is a probability of logical error presence. Check lines: 144, 146. voice_setting_language.c 144

Software weaknesses type - CWE-570 Expression is Always False

char *voice_setting_language_conv_lang_to_id(const char* lang)
{
  ....
  } else if (!strcmp(LANG_PT_PT, lang)) {
    return "pt_PT";
  } else if (!strcmp(LANG_ES_MX, lang)) {     // <=
    return "es_MX";
  } else if (!strcmp(LANG_ES_US, lang)) {     // <=
    return "es_US";
  } else if (!strcmp(LANG_EL_GR, lang)) {
    return "el_GR";
  ....
}

It is hard to say where the error is here just by looking at the code. The issue is that the LANG_ES_MX and LANG_ES_US strings are identical.

#define LANG_ES_MX "\x45\x73\x70\x61\xC3\xB1\x6f\x6c\x20\x28\" \
 "x45\x73\x74\x61\x64\x6f\x73\x20\x55\x6e\x69\x64\x6f\x73\x29"

#define LANG_ES_US "\x45\x73\x70\x61\xC3\xB1\x6f\x6c\x20\x28\" \
 "x45\x73\x74\x61\x64\x6f\x73\x20\x55\x6e\x69\x64\x6f\x73\x29"

These strings should be different. However, since the strings are the same, the second condition will always be false and the function will never return the value "es_US". [ES_MX is Spanish (Mexico), ES_US is Spanish (United States).]

Conclusion

This article describes only the basic operating modes of PVS-Studio static code analyzer. Detailed technical documentation is available on the official website. There you can find a list of verified projects and detected mistakes in them.

If you still have questions: write to us.

Download and try PVS-Studio: https://www.viva64.com/en/pvs-studio-download/

Additional materials

  1. Handing out PVS-Studio Analyzer Licenses to Security Experts
  2. How Can PVS-Studio Help in the Detection of Vulnerabilities?
  3. The Evil within the Comparison Functions
  4. Bug of the month: taking the baton from PC-Lint to PVS-Studio