Evaluating static analysis defect warnings on production software

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Evaluating static analysis defect warnings on production software

Full text

Pdf (171 KB)

Source

Workshop on Program Analysis for Software Tools and Engineering archive
Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering table of contents

San Diego, California, USA

Pages: 1 - 8

Year of Publication: 2007

ISBN:978-1-59593-595-3

Authors

Nathaniel Ayewah	Univ. of Maryland, College Park, MD
William Pugh	Univ. of Maryland, College Park, MD
J. David Morgenthaler	Google: Inc., Mountain View, MD
John Penix	Google: Inc., Mountain View, MD
YuQian Zhou	Google: Inc., Mountain View, MD

Sponsors

SIGPLAN: ACM Special Interest Group on Programming Languages
ACM: Association for Computing Machinery
SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 26, Downloads (12 Months): 193, Citation Count: 10

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1251535.1251536 What is a DOI?

ABSTRACT

Static analysis tools for software defect detection are becoming widely used in practice. However, there is little public information regarding the experimental evaluation of the accuracy and value of the warnings these tools report. In this paper, we discuss the warnings found by FindBugs, a static analysis tool that finds defects in Java programs. We discuss the kinds of warnings generated and the classification of warnings into false positives, trivial bugs and serious bugs. We also provide some insight into why static analysis tools often detect true but trivial bugs, and some information about defect warnings across the development lifetime of software release. We report data on the defect warnings in Sun's Java 6 JRE, in Sun's Glassfish JEE server, and in portions of Google's Java codebase. Finally, we report on some experiences from incorporating static analysis into the software development process at Google.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	A. Almossawi, K. Lim, and T. Sinha. Analysis tool evaluation: Coverity prevent, May 2006. http://www.cs.cmu.edu/ aldrich/courses/654/tools/cure-coverity-06.pdf.
	2	K. I. Boudnik. Static analyzers comparison, October 2006. http://weblogs.java.net/blog/cos/archive/2006/10/static analyzer.html.
	3	Benjamin Chelf , Dawson Engler , Seth Hallem, How to write system-specific, static checkers in metal, Proceedings of the 2002 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering, p.51-60, November 18-19, 2002, Charleston, South Carolina, USA
	4	T. Copeland. PMD Applied. Centennial Books, November 2005.
	5	Dawson Engler , David Yu Chen , Seth Hallem , Andy Chou , Benjamin Chelf, Bugs as deviant behavior: a general approach to inferring errors in systems code, Proceedings of the eighteenth ACM symposium on Operating systems principles, October 21-24, 2001, Banff, Alberta, Canada
	6	Isil Dillig , Thomas Dillig , Alex Aiken, Static error detection using semantic inconsistency inference, Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation, June 10-13, 2007, San Diego, California, USA
	7	Zhenmin Li , Lin Tan , Xuanhui Wang , Shan Lu , Yuanyuan Zhou , Chengxiang Zhai, Have things changed now?: an empirical study of bug characteristics in modern open source software, Proceedings of the 1st workshop on Architectural and system support for improving software dependability, p.25-33, October 21-21, 2006, San Jose, California [doi>10.1145/1181309.1181314]
	8	R. O'Callahan. Static analysis and scary headlines, September 2006. http://weblogs.mozillazine.org/roc/archives/2006/09/static analysis and scary head.html.
	9	Nick Rutar , Christian B. Almazan , Jeffrey S. Foster, A Comparison of Bug Finding Tools for Java, Proceedings of the 15th International Symposium on Software Reliability Engineering (ISSRE'04), p.245-256, November 02-05, 2004 [doi>10.1109/ISSRE.2004.1]
	10	Jaime Spacco , David Hovemeyer , William Pugh, Tracking defect warnings across versions, Proceedings of the 2006 international workshop on Mining software repositories, May 22-23, 2006, Shanghai, China [doi>10.1145/1137983.1138014]
	11	S. Wagner, F. Deissenboeck, M. A. J. Wimmer, and M. Schwalb. An evaluation of bug pattern tools for java, January 2007. unpublished.
	12	S. Wagner, J. Jurjens, C. Koller, and P. Trischberger. Comparing bug finding tools with reviews and tests. In Proc. 17th International Conference on Testing of Communicating Systems, pages 40--55, 2005.
	13	Misha Zitser , Richard Lippmann , Tim Leek, Testing static analysis tools using exploitable buffer overflows from open source code, Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering, October 31-November 06, 2004, Newport Beach, CA, USA

CITED BY 10

	Joseph R. Ruthruff , John Penix , J. David Morgenthaler , Sebastian Elbaum , Gregg Rothermel, Predicting accurate and actionable static analysis warnings: an experimental approach, Proceedings of the 30th international conference on Software engineering, May 10-18, 2008, Leipzig, Germany
	William W. Pugh, Finding bugs in eclipse, Companion to the 22nd ACM SIGPLAN conference on Object oriented programming systems and applications companion, October 21-25, 2007, Montreal, Quebec, Canada
	Nathaniel Ayewah , William Pugh, A report on a survey and study of static analysis users, Proceedings of the 2008 workshop on Defects in large software systems, July 20-20, 2008, Seattle, Washington
	Nathaniel Ayewah , William Pugh , J. David Morgenthaler , John Penix , YuQian Zhou, Using FindBugs on production software, Companion to the 22nd ACM SIGPLAN conference on Object oriented programming systems and applications companion, October 21-25, 2007, Montreal, Quebec, Canada
	Sarah Heckman , Laurie Williams, On establishing a benchmark for evaluating static analysis alert prioritization and classification techniques, Proceedings of the Second ACM-IEEE international symposium on Empirical software engineering and measurement, October 09-10, 2008, Kaiserslautern, Germany
	Michael S. Ware , Christopher J. Fox, Securing Java code: heuristics and an evaluation of static analysis tools, Proceedings of the 2008 workshop on Static analysis, p.12-21, June 12-12, 2008, Tucson, Arizona
	Nathaniel Ayewah , William Pugh, Using checklists to review static analysis warnings, Proceedings of the 2nd International Workshop on Defects in Large Software Systems: Held in conjunction with the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2009), July 19-19, 2009, Chicago, Illinois
	Haihao Shen , Sai Zhang , Jianjun Zhao , Jianhong Fang , Shiyuan Yao, XFindBugs: eXtended FindBugs for AspectJ, Proceedings of the 8th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering, November 09-10, 2008, Atlanta, Georgia
	Mangala Gowri Nanda , Saurabh Sinha, Accurate Interprocedural Null-Dereference Analysis for Java, Proceedings of the 2009 IEEE 31st International Conference on Software Engineering, p.133-143, May 16-24, 2009
	Dan Hao , Lu Zhang , Ming-Hao Liu , He Li , Jia-Su Sun, Test-data generation guided by static defect detection, Journal of Computer Science and Technology, v.24 n.2, p.284-293, March 2009