ABSTRACT
Various static analysis tools analyze a software artifact in order to identify potential defects, such as misused APIs, race conditions and deadlocks, and security vulnerabilities. For a number of reasons, it is important to be able to track the occurrence of each potential defect over multiple versions of a software artifact under study: in other words, to determine when warnings reported in multiple versions of the software all correspond to the same underlying issue. One motivation for this capability is to remember decisions about code that has been reviewed and found to be safe despite the occurrence of a warning. Another motivation is constructing warning deltas between versions, showing which warnings are new, which have persisted, and which have disappeared. This allows reviewers to focus their efforts on inspecting new warnings. Finally, tracking warnings through a series of software versions reveals where potential defects are introduced and fixed, and how long they persist, exposing interesting trends and patterns. We will discuss two different techniques we have implemented in FindBugs (a static analysis tool to find bugs in Java programs) for tracking defects across versions, discuss their relative merits and how they can be incorporated into the software development process, and discuss the results of tracking defect warnings across Sun's Java runtime library.
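As an added example (not code from the paper or from FindBugs), the following Python sketches the three uses described above: a warning delta between two versions, carrying forward reviewed-as-safe decisions so they need not be repeated, and warning lifetimes across a series of versions. The key used to pair warnings (bug pattern, class, method signature, with the line number deliberately left out) and the sample warnings are this example's own assumptions, not either of the matching techniques the paper describes.

```python
# Added illustration, not FindBugs code. Warnings are paired across versions
# by a key that omits the line number, since unrelated edits above a warning
# move it without changing the underlying issue. The key is an assumption of
# this example, not the paper's technique.
from dataclasses import dataclass


@dataclass(frozen=True)
class Warning:
    pattern: str  # bug pattern name, e.g. "NP_NULL_ON_SOME_PATH"
    cls: str      # fully qualified class containing the warning
    method: str   # method signature
    line: int     # source line in that version of the code

    def key(self):
        return (self.pattern, self.cls, self.method)


def match_warnings(old, new):
    """Pair warnings from two versions by key.
    Returns (persisted, added, fixed): persisted is a list of (old, new) pairs,
    added are warnings present only in `new`, fixed are present only in `old`.
    Several warnings sharing a key are paired greedily in report order."""
    buckets = {}
    for w in old:
        buckets.setdefault(w.key(), []).append(w)
    persisted, added = [], []
    for w in new:
        bucket = buckets.get(w.key())
        if bucket:
            persisted.append((bucket.pop(0), w))
        else:
            added.append(w)
    fixed = [w for bucket in buckets.values() for w in bucket]
    return persisted, added, fixed


def needs_review(old, new, reviewed_safe):
    """Warnings in `new` a reviewer still has to inspect: every new warning,
    plus persisted ones whose key is not recorded as reviewed-and-safe."""
    persisted, added, _ = match_warnings(old, new)
    carried = [n for _, n in persisted if n.key() not in reviewed_safe]
    return added + carried


def lifetimes(history):
    """history: list of (version_label, warnings) in chronological order.
    Returns {key: (first_version_seen, last_version_seen, versions_seen)}."""
    seen = {}
    for label, warnings in history:
        for k in {w.key() for w in warnings}:
            first, _, n = seen.get(k, (label, label, 0))
            seen[k] = (first, label, n + 1)
    return seen


# Constructed sample data: three versions of a small program (assumed, not
# drawn from any real analysis run).
V1 = [
    Warning("NP_NULL_ON_SOME_PATH", "com.example.Foo", "bar(String)", 12),
    Warning("DLS_DEAD_LOCAL_STORE", "com.example.Foo", "baz()", 30),
]
V2 = [
    # same null-dereference warning, shifted 8 lines by an unrelated edit above it
    Warning("NP_NULL_ON_SOME_PATH", "com.example.Foo", "bar(String)", 20),
    Warning("RC_REF_COMPARISON", "com.example.Qux", "run()", 5),
]
V3 = [
    Warning("RC_REF_COMPARISON", "com.example.Qux", "run()", 7),
]

if __name__ == "__main__":
    persisted, added, fixed = match_warnings(V1, V2)
    print("persisted:", [(o.line, n.line) for o, n in persisted])
    print("new:", [w.pattern for w in added])
    print("fixed:", [w.pattern for w in fixed])
    safe = {V1[0].key()}  # the null-deref warning was reviewed and judged safe
    print("to review:", [w.pattern for w in needs_review(V1, V2, safe)])
    for k, (first, last, n) in lifetimes([("v1", V1), ("v2", V2), ("v3", V3)]).items():
        print(k[0], "introduced in", first, "last seen in", last, "versions:", n)
```

Matching on a line-free key is the simplest way to survive the line shifts that unrelated edits cause; it will still lose track of a warning when the enclosing method is renamed or moved, which is exactly the case a more robust matching technique has to handle.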
Index Terms
- Tracking defect warnings across versions