From support correspondence and some other indirect signs, we noticed that many of our free users are students. The reason: some teachers have started using the PVS-Studio analyzer in courses related to software development. We are glad about this, and we decided to write this short note to attract the attention of other teachers. We are pleased that students are being introduced to the methodology of static code analysis in general and to the PVS-Studio tool in particular. Our team will try to contribute to this trend.
Modern software development is impossible without an integrated approach to ensuring software quality and reliability. The reason is that the code base of modern applications is growing rapidly. Some numbers illustrate this. Take operating systems, for example:
- MS DOS 1.0: 4,000 lines of code. One person could read all of the code, understand it, and find errors.
- Linux kernel 1.0.0: 176,000 lines of code. A team can still review the code in detail, although it takes a lot of time and effort.
- Linux kernel 5.0: over 26,000,000 lines of code. It is impossible to comprehend the project as a whole.
Using the Linux kernel as an example, you can see that the size of the code base has grown 150 times over 25 years. A programmer can no longer just sit down and review the code of the entire application, understand it, find errors, and improve architectural solutions. The structure of modern programs simply does not fit in one person's head, and there are no longer specialists who can answer any question about the design of the project.
The inability to comprehend the whole project is only half the trouble. As the project size grows, so does the error density. I emphasize: this is not just about an increase in the number of errors, but about their density! In a program written as part of a term paper, you can write 1000 lines of code and not make a single mistake. But it is unrealistic to add 1000 lines of code to a large application without making a few mistakes. To illustrate, we turn to the numbers again:
Figure 1. Typical error density in projects of various sizes. Data taken from Steve McConnell's book, Code Complete.
So, it is impossible to write reliable programs using the same approaches as 20-30 years ago. It is necessary to use a set of methodologies that help control the growing complexity of a software project and ensure the necessary code quality:
- Coding standards
- Code Reviews
- Unit tests
- Regression testing
- Stress Testing
- Manual testing
- ....
- Dynamic analysis
- Static analysis
The methodologies at the top of the list are quite familiar to programmers and have long been applied successfully by almost all teams. The last two, although not new, are far less common. Therefore, when training students today, it is worth paying extra attention to static and dynamic analysis tools.
I will not talk about dynamic analysis now, although it is no less important than static analysis. Static analysis, however, is our element, and I invite teachers to pay attention to our software product PVS-Studio.
PVS-Studio is a tool for detecting errors and potential vulnerabilities in the source code of programs written in C, C++, C# and Java. It works on 64-bit systems on Windows, Linux and macOS and can analyze code designed for 32-bit, 64-bit and embedded ARM platforms.
The PVS-Studio analyzer can serve as an example of a modern static code analysis tool. Firstly, it is a good way to demonstrate the capabilities of static analysis tools in detecting errors and security defects (SAST). Secondly, you can demonstrate its integration into the software development cycle so that code control is continuous. With it, you can show integration with systems such as Jenkins, TeamCity, Azure DevOps, SonarQube, Travis CI, etc.
To start using PVS-Studio in teaching, there is no need to do anything special or to coordinate anything with us.
We provide several options for free licensing of PVS-Studio, including for open source projects. Specifically for educational purposes, when student work is not open, the best option is to add the following comment to the code:
// This is a personal academic project. Dear PVS-Studio, please check it.
// PVS-Studio Static Code Analyzer for C, C++, C#, and Java: http://www.viva64.com
To start using the PVS-Studio static analyzer for free, you must complete the following two steps:
Step one
If you use PVS-Studio as a plug-in for Visual Studio or use the Standalone utility, enter the following license key:
Name: PVS-Studio Free
Key: FREE-FREE-FREE-FREE
If you use PVS-Studio for Linux, go directly to the second step; you will not need a license file.
Second step
Add the two comment lines at the beginning of each file. Do this for all compilable files of your project, that is, files with the extensions c, cc, cpp, cs, java and so on. Header h-files do not need to be changed.
You can add the comments manually or use the auxiliary utility for this. You can download the utility (along with the source code) here: how-to-use-pvs-studio-free.
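One way to script the second step, as an added example that is neither the PVS-Studio utility nor code from this article: it prepends the two comment lines quoted above to every file with the listed extensions, leaves header files alone, keeps a UTF-8 BOM and the file's line endings, and changes nothing on a second run. The function names and the sample files are assumptions made up for illustration.

```python
import tempfile
from pathlib import Path

# The two comment lines are quoted from the article; all other names are assumed.
HEADER_LINES = (
    b"// This is a personal academic project. Dear PVS-Studio, please check it.",
    b"// PVS-Studio Static Code Analyzer for C, C++, C#, and Java: http://www.viva64.com",
)
# Extensions named in the article; header files (.h) are deliberately left out.
SOURCE_EXTS = {".c", ".cc", ".cpp", ".cs", ".java"}
BOM = b"\xef\xbb\xbf"  # UTF-8 byte order mark, common in Visual Studio files


def add_header(data: bytes) -> bytes:
    """Return content with the comment at the top, or unchanged if present."""
    bom, body = (BOM, data[len(BOM):]) if data.startswith(BOM) else (b"", data)
    if body.startswith(HEADER_LINES[0]):
        return data  # already tagged, so a second run is a no-op
    eol = b"\r\n" if b"\r\n" in body else b"\n"  # follow the file's line endings
    return bom + eol.join(HEADER_LINES) + eol + body


def tag_tree(root) -> list:
    """Tag every source file under root; return the relative paths changed."""
    changed = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SOURCE_EXTS:
            continue
        old = path.read_bytes()
        new = add_header(old)
        if new != old:
            path.write_bytes(new)
            changed.append(path.relative_to(root).as_posix())
    return sorted(changed)


def demo() -> list:
    """Run twice over a constructed sample project in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"main.cpp": b"int main() { return 0; }\n",
                   "util.h": b"#pragma once\n",
                   "App.cs": BOM + b"class App {}\r\n"}
        for name, content in samples.items():
            Path(root, name).write_bytes(content)
        first, second = tag_tree(root), tag_tree(root)
        header_untouched = Path(root, "util.h").read_bytes() == samples["util.h"]
        return [first, second, header_untouched]


if __name__ == "__main__":
    print(demo())
```

Run it on a copy of the project or under version control first, so the changes can be reviewed before they are committed.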
All this is described in more detail in the article "How to use PVS-Studio for free." Ask students to familiarize themselves with it. In particular, keep in mind that we provide support for free users through the StackOverflow website. But support should not be confused with bug notifications. The article explains exactly these points.
Thanks for your attention. If you have any questions, we are ready to provide assistance and advice. Feel free to contact us in support.
Additional links:
- Ivan Ponomarev. Report at the Heisenbug 2019 Moscow conference: Continuous Static Code Analysis.
- Sergey Khrenov, Philip Handelyants. Master class at the Saint HighLoad++ 2019 conference: PVS-Studio code analyzer.
- Andrey Karpov. Free licensing options for PVS-Studio.
- PVS-Studio. Documentation.
If you want to share this article with an English-speaking audience, please use the link to the translation: Andrey Karpov. For professors' note: use PVS-Studio to get students familiar with code analysis tools.