Static Analysis in C++

Cherno could you explain clang-tigy usage ?

All jetbrains products to that out of the box. They also automatically highlight such mistakes, which saved me lots of headaches in the past years

PVS studio doesn't seem to have a single user license. Doesn't matter, I never buy anything if I can't see the price right away.

Truly love your cpp series. Could you make some video about cmake?

I'm looking for a tool that will better help with syntax errors. Any suggestions?

Hey Cherno! Can you make video about cache misses optimisation?

isnt using "new" in c++ meant to be frowned upon ?

1st 4 minutes were so interesting.. so informative 😇

how i didn't know u befor e wtf just thx

Good advertisement for PVS studio. Instead you can use clang-static -analyzer

I'm a little disappointed that you didn't mention clang-tidy, or clangd (which includes clang-tidy) in this video. I get that this was a sponsored video, but I think you should be fair and mention the free and open-source tools here.

Can this be used as part of Continuous Integration? (as in, a server runs static analysis?) Because a static analyzer I’m trying out now (cppcheck) is taking a very long time. ‘Seems like a good candidate for CI, no?

This was probably the first brand deal ever that offered something I am actually really interested in. Good job.

Strings are automatically null-terminated, so no need to explicitly add it at the end.

I want video end full music theme...

It doesn't detect the memory leaks. You can avoid the first error by stop copying code. If you copy because it's too much to type it should probably be refactored instead of copied. The second one can be solved by not using c functions and using string_view/std::string instead. That said, their blog is useful and it's embarrassing how many errors they can find :)

Cherno, huge thanks for this video, not only was it informative, but more importantly it managed to knock my 4 year old out for the night.
Great stuff 👍🏾

Visual Studio comes with built-in static analysis tools: Analyze, Run Code Analysis, On Solution. It would be nice if you make a video comparing them.

What about buffer overflow inside 'for loops' : buffer[x+y*width] where buffer size = width*height.
Can it detect this one?

Lol, that y was burning my eyes the moment he left it untouched... ><

Little advice for static analyzer users: they complement each other (e.g., I use Resharper C++ and PVS-Studio together). Also, dynamic analysis is quite critical too! For example, PVS-Studio and Resharper C++ can't detect every memory leak, so you have to do some dynamic analysis to catch them. For example, in Visual Studio, you can expose memory leaks easily using a simple function (_CrtSetDbgFlag ( _CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF );
There exist static analyzers that can discover every bug: they are called "sound" static analyzers. Polyspace (by Mathworks) uses abstract interpretation to "prove the absence of certain run-time errors in source code for C/C++, and Ada," but it is computationally very expensive

angenommen ich nutze VS 2017, was diesen Extension Button im Menü nicht besitzt. Wie starte ich PVS-Studio in Visual Studio nach der Installation. Das Ausführen der exe lässt ja nur ein kleines Infofenster aufgehen. Ist PVS ohne Visual Studio 2019 nutzbar?

I wish you had shown how to install PVS Studio. I cannot get it to work because it keeps stating the license is not valid (or has not be activated?).

Charno The GOAT!!!

I am seriously surprised to learn that in the Visual Studio world this is not taken for granted. I'm coming from JetBrains IDEs and they have all of those nice features built-in without question. And a very sophisticated and granular approach to warning levels as well; you can basically customize everything. To see that Visual Studio is only able to do all this nice stuff only by depending on 2 (paid) extensions (Visual Assist and PVS) while at the same time being the most buggy and unstable software I ever had on a computer is pretty sad. Especially considering its age and development time advantage. You'd expect it to be mature, but it is not. At work I am forced to use it and it gets in my way wherever possible. Only after you learn to ignore like 70% of all IntelliSense errors since they are false-positives, your programming experience gets bearable.

Less bugs? How about unit tests? :)

26 video cuts in first 5 minutes

Summary: You need static analysis tool for your program as much as you need spell checker for your document. Here are some example usage of PBS (static analysis tool) for your program.

Hold on... Do actual native-speaking adults use spellcheckers? Is that not a meme?

There are many free tools but not so many great tools for VS integration.
I mean, VS has it's own rules for static analysis but I feel it lacks interactive feeling with the user.

Clang tidy and C++ Check are free tools to use as well. (I like C++ Check, it's awesome).

please also list what are the disadvantages when using PVS tudio

Not C++, but I would never ever write a bash script without shellcheck anymore. It's soooo good.

Sometimes listening to some "cpp talks", they are always saying "Static Analysis" to be used quite often, I thought it's a programming technique but now some misplaced memories in my brain will find the right places. Thank you!

With how cheap compute is, I think you should be running a spell check and logical analyser. Spelling matters esp for public member functions that you’re defining. I’ve seen this a few times where someone spells the member wrong and this causes issues in dependencies.

I can tell you have a very clear and organized mind.

where can i get a 5000 line single file c++ code? i need it for static and dynamic analysis practice.

Le frère caché d'Antoine Daniel

PVS Studio do not sell single-user licenses,

A tip to avoid the classic copy and paste and forgetting the old variable name error... You can just select the lasted portion of code and search and replace text only within the selected portion of text in Visual Studio, or VSCode... And probably many other editors.
Just press Ctrl+F and there is a little button to enable it (probably with a shortcut that I don't remember), it will only highlight the matches inside the selected text so you can be sure... Pretty useful seems like a lot of people don't know about it tho

Gotta say; damn these are enjoyable.

Nested for loop bugs... I learned how to use gdb's hardware breakpoints because of a nested for loop bug in the quake source code (a month or two after id released the source code). Specifically, it was in the updating of beams (lightning gun). It took me a few days to figure everything out (programming in Linux was still new to me, gdb very new, and quake was pretty big (I now know it like the back of my hand))

So I used PVS-Studio extension in MVS, and it suggested that I replace my std::vector<std::pair<int, float>> with an std::array instead as the size was known at compile time.
I said, alright, let me do just that... Switching over to use std::array<std::pair<int, float>, 21> now instead gives me an error: "incomplete type is not allowed"... Looking up solutions for similar issues with using an array and pair only says to add more curly brackets, but this doesn't seem to help... Any pointers?

Well, yeah it spotted a typo in the copy-pasted loop with y++, but wow, it couldn't even detect an obvious memory leak!

Jesus, 5 mins of nonsense speaking before going to a code

Thank you. Can you demo any interesting find by PVS-Studio in a multithreaded C/C++ app?

If only it were free software...

pvs is free for students and teachers

Well maybe it has been 4 years since this video has been uploaded, so its prob outdated ady. However, you could mention a teensy bit more on how to actually make pvs studio run on windows, cause personally i had to do quite a bit of research before even getting to the code part, well its just my opinion so yeah, the video is still helpful, thanks