1/ Choice of a project

2/ Outcomes

3/ Conclusion

Hi folks,In the software development process, the static code analysis is an important step and I am personally convinced by its utility (although knowing it is a difficult science) even when I contribute to open source projects. Usually I use either the popular clang scan-build command line tool and/or the excellent online solution Scan Coverity. Sometimes cppcheck as well.But today, I m going to present another set of tools, PVS-Studio from viva64.com which has originally a Windows version with an integration with Visual Studio but appears to have been working on a Linux version as well which I will be focusing with. It works with my main languages C / C++ and in addition with .NET/C#With the Linux version 6.09.18904, we have the choice between a simple tgz archive, a RedHat family rpm and a Debian family package. I did all my tests under Linux Mint 18 and the GCC suite.Let's try with one well known open source project, the PHP programming language, which is basically uses the not less famous trio configure/make/make install ... Thus after setting our preferences via the configure script, we can now use pvs-studio on top of the make build system.pvs-studio-analyser trace -- makepvs-studio-analyser analyse -o php.plog -l -j Which produces an output file in the PLOG format which can be converted to xml, task files with the provided plog-converter command line. Fortunately as the process can take a certain time, it is possible to parallelize via the j flag.The output gotten, here in XML, contains well known useful good practices like about realloc http://www.viva64.com/en/w/V701/ or the return check for strcmp http://www.viva64.com/en/w/V526/ some rules specific to C++ obviously like implementing the copy constructor but not the assignment operator http://www.viva64.com/en/w/V690/ or the uselessness of checking null from a raw pointer after a new operator use... and many more, there is a list available here PVS-studio was successfully exploited by another user in another open source project I pushed a pull request to recently, Unvanquished One of the few criticisms I may have is it seems not able to catch resource / memory leaks even very simple cases, whether it is C or C++. Another proof that using more than one analyser is mandatory.Maybe a Mac OS version with an integration with Xcode would be a plus in the future, although I perfectly understand the cost of development but ... might be worthy.

Labels: php, pvs-studio linux, unvanquished