ABSTRACT
[Context] Several static analysis tools allow the development of custom rules for locating application-specific defects. Although this feature is powerful and commonly available, it is not well explored in practice. Custom static analysis rules can check design decisions and policies that are shared between applications, which makes the rules themselves candidates for reuse. However, the benefits, scope, and concerns that software engineers should have when reusing custom static analysis rules are unknown. [Goal] In this preliminary study, we investigate the reuse of custom static analysis rules produced by applying Pattern-Driven Maintenance (PDM). PDM is a method for locating defect patterns in web applications that produces custom static analysis rules as its output. [Method] We selected a set of rules produced by a previous application of the PDM method and applied them to three other applications in two contexts: within the same company where the rules were produced, and in other companies. [Results] We successfully reused some rules in both scenarios with minor adjustments, finding new defects to be fixed. Reusing the rules could discard 58-90% of the source code locations found by a naive search for the defects, reducing verification effort. However, the reused rules need adjustments to improve precision for defect localization, as precision ranged from 40-75%. Finally, we identified factors that affect the reuse of custom rules. [Conclusions] We put forward that reusing customized static analysis rules can be beneficial, in particular when similarities in architecture and programming style are observed. However, the rules might need adjustment to enable effective reuse. We share our insights and methodology on how to reuse custom static analysis rules properly.