PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms.
PVS-Studio performs static code analysis and generates a report that helps a programmer find and fix bugs. PVS-Studio performs a wide range of code checks, and it is also useful in finding misprints and Copy-Paste errors. Examples of such errors: V501, V517, V522, V523, V3001.
The main value of static analysis is in its regular use, so that errors are identified and fixed at the earliest stages. There is no point in wasting 50 hours looking for a bug that could be found with static analysis. So, let's point that out again - the main idea of static analysis is not to find one hidden bug on the day before the release, but to fix dozens of bugs day by day.
The analyzer can be run at night on a server and it will warn about suspicious code fragments automatically. Ideally, these errors can be detected and fixed before getting into the version control system. PVS-Studio can automatically be launched immediately after the compiler for the files that have been just modified. It works in Windows, Linux and macOS.
Quick start in Windows, Linux and macOS
PVS-Studio is integrated with Visual Studio 2010-2019 development environment. If you use this IDE, then just go to the PVS-Studio section of the menu and choose "Check Current Project".
However, quite often it is a more complicated process, that will require you to integrate PVS-Studio into a build system, even an exotic one. The topic of such integration is too broad to describe here. You can find all the relevant information in our detailed documentation.
One more point to notice - PVS-Studio for Windows and Linux provides special tools, that can collect compilation information during build. These tools provide a way to perform a quick analysis of a project regardless of its build system. You can quickly try out the analyzer's capabilities, without wasting time on integrating it with a makefile or any other build script. Check out the documentation on the C and C++ Compiler Monitoring tool (Windows) and pvs-studio-analyzer (Linux/macOS) for more details.
The technology of analysis
- The pattern-based analysis on the basis of an abstract syntax tree is used to look for fragments in the source code that are similar to the known code patterns with an error.
- The type inference based on the semantic model of the program allows the analyzer to have full information about all variables and statements in the code.
- The symbolic execution allows evaluating values of variables that can lead to errors, perform range checking of values.
- The data-flow analysis is used to evaluate limitations that are imposed on values of variables when processing various language constructs. For example, values that a variable can take inside if/else blocks.
- Method annotations provide more information about the used methods than can be obtained by analyzing only their signatures.
Main features of PVS-Studio
- Simple and seamless integration with Visual Studio 2010-2019
- Automatic analysis of individual files after their recompilation
- Online reference guide for all of the diagnostic rules, that is available locally, on our web site, and as a single .pdf file. More than 700 pages of documentation!
- Saving and loading analysis results allow performing overnight checks - during the night the analyzer does the scanning and provides you with the results in the morning.
- You can save analysis results as HTML with full source code navigation.
- Analysis can be performed from command line: it helps with integrating PVS-Studio into overnight builds; a fresh log will be issued in the morning.
- Great scalability: support of multi-core and multi-processor systems with the possibility to specify the number of the cores to use; IncrediBuild support for distributed analysis.
- Interactive filtering of the analysis results (the log file) in the PVS-Studio window: by the diagnostic rule number, file name, the keyword in the text of the diagnostic, etc.
- Automatic check for updates (inside IDEs and when running overnight builds).
- blame-notifier utility. The tool allows you to send e-mail notifications to the developers about bugs that PVS-Studio found during a night run.
- Analysis of commits, merge and pull requests - analyzer can be configured to analyze only the modified files. This allows to quickly and automatically analyze every commit to version control system.
- A large number of options for integration into projects that are developed under Linux and macOS.
- Mark as False Alarm - ability to mark a code fragment to suppress a certain diagnostic at that line.
- Mass Suppression - ability to suppress all of the analyzer's existing messages raised for the legacy code, so that the analyzer starts reporting 0 warnings. You can always go back to the suppressed messages later. This feature allows you to seamlessly integrate PVS-Studio into your development process and focus on errors found in new code only.
- Statistics on analyzer warnings can be viewed in Excel - provides a way to track the speed of error correction, amount of bugs found for a certain period of time and so on.
- Relative paths in report files to view them on different machines.
- Compiler Monitoring feature allows analyzing the projects that have no Visual Studio files (.sln/.vcxproj) without the need to manually integrate with a build system; manual integration into any build system is possible, if necessary.
- pvs-studio-analyzer - a tool for Compiler Monitoring under Linux.
- Ability to exclude files from analysis by name, folder or mask; to run the analysis on the files modified during the last N days.
- Integration with SonarQube - an open source platform, designed for continuous analysis and measurement of code quality.
Detect security and safety flaws in application lifecycle with Static Application Security Testing (SAST) methodology. PVS‑Studio is included in the Forrester Research report "Now Tech: Static Application Security Testing, Q3 2020" as a SAST specialist. The report is available by purchase or with a subscription with Forrester Research.
Supported languages and compilers
- Windows. Visual Studio, C, C++, C++/CLI, C++/CX (WinRT)
- Windows. IAR Embedded Workbench, C/C++ Compiler for ARM C, C++
- Windows. QNX Momentics, QCC C, C++
- Windows/Linux. Keil µVision, DS-MDK, ARM Compiler 5/6 C, C++
- Windows/Linux. Texas Instruments Code Composer Studio, ARM Code Generation Tools C, C++
- Windows/Linux/macOS. GNU Arm Embedded Toolchain, Arm Embedded GCC compiler, C, C++
- Windows/Linux/macOS. Qt Creator, Eclipse, GCC, Clang, C, C++
- Windows. MinGW C, C++
- Windows/Linux/macOS. IntelliJ IDEA, Android Studio, Java
- Windows/Linux/macOS. Visual Studio, JetBrains Rider, C#, .NET Framework, .NET Core
Are you interested? Here's what you can do next:
- Download PVS-Studio.
- Check your project.
- Note down interesting bugs, make it as a presentation.
- Show them to your colleagues and managers.