DOI: 10.1145/3183440.3194987
poster

Designing bug detection rules for fewer false alarms

Published: 27 May 2018

Abstract

One of the challenging issues with existing static analysis tools is their high false alarm rate. To address this, we design bug detection rules by learning from a large number of real bugs in open-source projects on GitHub. Specifically, we build a framework that learns and refines bug detection rules to produce fewer false positives. Based on the framework, we implemented ten patterns, six of which are new to existing tools. To evaluate the framework, we implemented a static analysis tool, FeeFin, based on the framework with the ten bug detection rules, and applied the tool to 1,800 open-source projects on GitHub. The 57 bugs detected by FeeFin have been confirmed by developers as true positives, and 44 of the detected bugs were actually fixed.

Published In

ICSE '18: Proceedings of the 40th International Conference on Software Engineering: Companion Proceedings
May 2018
231 pages
ISBN:9781450356633
DOI:10.1145/3183440
  • Conference Chair: Michel Chaudron
  • General Chair: Ivica Crnkovic
  • Program Chairs: Marsha Chechik, Mark Harman
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. bug detection rules
  2. bug patterns
  3. static bug finder

Qualifiers

  • Poster

Funding Sources

  • Korea government (MSIT)

Conference

ICSE '18

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%
