Using PVS-Studio to Get Beginners Familiar With Code Analysis Tools


PVS-Studio is an ideal static code analysis tool for students and beginners alike.


PVS-Studio wants to be your first static code analyzer.

Our support chats and some other indirect signs showed that there are many students among our free users. Here's the reason: PVS-Studio is now more often used by professors in courses related to software development. We are very pleased with this, and we decided to write this small article for teachers to try to contribute to this trend.

Development of modern software is impossible without an integrated approach for ensuring software quality and reliability. The reason is that the size of the codebase of today's applications is growing rapidly. Let numbers speak for themselves. For example, take these operating systems:

  • MS-DOS 1.0: 4,000 lines of code. One person could read this code in its entirety, sort it out, and find bugs.
  • Linux 1.0.0 kernel: 176,000 lines of code. A team still might thoroughly review the code, although it would take a lot of time and effort.
  • Linux 5.0 kernel: more than 26,000,000 lines of code. One just can't embrace such a boundless project.

The Linux kernel example shows that the standard codebase size has grown 150 times in the past 25 years. Now it is impossible for a programmer to review the code of the entire application, understand it, find errors, and improve architectural solutions in one sitting. The inner workings of modern programs can be too overwhelming for one person. 


The inability to grasp the project is only half the trouble. As the size of a project grows, so does the error density. In a coursework program, you can write 1,000 lines of code and avoid a single error, whereas there's no way you can add 1,000 lines of code in a large application and avoid at least a few errors. To explain, we can take a look at the numbers for :

Figure 1. Typical error density in projects of different sizes. The data is taken from Steve McConnell's book "Code Complete."

It is impossible to write reliable programs using the same approaches as 20-30 years ago. You have to use a set of methodologies to help control the growing complexity of a software project and ensure the necessary code quality:

  • Coding standards
  • Code reviews
  • Unit tests
  • Regression testing
  • Load testing
  • Manual testing
  • Dynamic analysis
  • Static analysis

Methodologies from the top of the list are quite familiar to programmers and have long been successfully applied by almost all teams. But the last two methodologies are still much less common, although not new. Therefore, when training students, professors should pay extra attention to the study of static and dynamic analysis tools.

I won't say anything about dynamic analysis now, although it is no less important than static.

As for static analysis, it's our thing and I invite professors to look into our PVS-Studio software product.

PVS-Studio is a tool designed to detect errors and potential vulnerabilities in the source code of programs, written in C, C++, C#, and Java. It works in 64-bit systems on Windows, Linux, and macOS, and can analyze code for 32-bit, 64-bit, and embedded ARM platforms.

First, it's a great example of a static code analyzer that shows what static analysis tools can do in detecting errors and security defects (SAST). Second, you can demonstrate its integration into the software development cycle to enable continuous code control. Using it as an example, you can show integration with systems such as Jenkins, TeamCity, Azure DevOps, SonarQube, Travis CI, and others.

In order to start using PVS-Studio as part of the training, you don't need to do anything special.

We provide several options for free PVS-Studio licensing, including ones for open projects. Specifically for educational purposes, if students' work isn't open, the best option is to add the following comment to the code:

// This is a personal academic project. Dear PVS-Studio, please check it.
// PVS-Studio Static Code Analyzer for C, C++, C#, and Java: http://www.viva64.com

If you are using PVS-Studio as a Visual Studio plugin, then enter the following license key:

  • Name: PVS-Studio Free

If you are using PVS-Studio for Linux, go straight to the second step; you won't need a license file.

For the second step, you have to write two lines of comments at the beginning of each file. Make edits in all compilable files of your project. We mean files with the extensions c, cc, cpp, cs, java, and others. You don't have to change h-files.

You can either add the comments manually or use an auxiliary utility to do so. You can download the utility (together with the source code) here.
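The second step, automated, as an added example (this is not the auxiliary utility the article links to, and not PVS-Studio code): the script prepends the two comment lines to every file with one of the extensions listed above, leaves h-files alone, and changes nothing on a second run. The function names, the skipping of dot-directories, and the handling of a UTF-8 BOM and CRLF line endings are assumptions of this example.

```python
import os
import shutil
import sys
import tempfile

# The two comment lines quoted in the article, verbatim.
HEADER_LINES = [
    b"// This is a personal academic project. Dear PVS-Studio, please check it.",
    b"// PVS-Studio Static Code Analyzer for C, C++, C#, and Java: http://www.viva64.com",
]
# Extensions the article names ("and others": extend for your project).
COMPILABLE = {".c", ".cc", ".cpp", ".cs", ".java"}
BOM = b"\xef\xbb\xbf"

def add_header(path):
    """Prepend the header to one file; return True if the file was changed."""
    with open(path, "rb") as f:
        data = f.read()
    bom = BOM if data.startswith(BOM) else b""  # keep a UTF-8 BOM first
    body = data[len(bom):]
    # Match the file's own line endings so the diff stays two lines long.
    nl = b"\r\n" if b"\r\n" in body else b"\n"
    header = b"".join(line + nl for line in HEADER_LINES)
    if body.startswith(header):
        return False  # already marked: repeated runs are harmless
    # Write a temp file in the same directory and rename it into place, so an
    # interrupted run never leaves a truncated source file behind.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as f:
        f.write(bom + header + body)
    shutil.copymode(path, tmp)  # mkstemp creates 0600; restore original mode
    os.replace(tmp, path)
    return True

def mark_project(root):
    """Walk root, mark every compilable file, return the changed paths."""
    changed = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]  # .git etc.
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in COMPILABLE:
                continue  # headers and non-source files stay untouched
            path = os.path.join(dirpath, name)
            if add_header(path):
                changed.append(path)
    return changed

if __name__ == "__main__":
    for p in mark_project(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("marked", p)
```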

Ask students to check it out. In particular, we should mention that we provide support for free users at the StackOverflow website. But do not confuse support and notifications about bugs. These are the points that the above article describes.

Thank you for your attention. In case of any questions, we are ready to provide assistance and consultations. Don't hesitate to write to our support team.


Published at DZone with permission of Andrey Karpov. See the original article here.
