Survey of Approaches for Handling Static Analysis Alarms

Muske, Tukaram; Serebrenik, Alexander

doi:10.1109/scam.2016.25

Cited by 52 publications

(38 citation statements)

References 93 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Subsequently, it classifies and groups warnings 4 by applying the GDC 5 on them. Next, it writes out the result files for the visualizer 6 . Finally, UAV opens the user's web browser and runs the visualizer 7 .…”

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

UAV: Warnings from multiple Automated Static Analysis Tools at a glance

Buckers

Cao

Doesburg

et al. 2017

2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER)

View full text Add to dashboard Cite

Abstract-Automated Static Analysis Tools (ASATs) are an integral part of today's software quality assurance practices. At present, a plethora of ASATs exist, each with different strengths. However, there is little guidance for developers on which of these ASATs to choose and combine for a project. As a result, many projects still only employ one ASAT with practically no customization. With UAV, the Unified ASAT Visualizer, we created an intuitive visualization that enables developers, researchers, and tool creators to compare the complementary strengths and overlaps of different Java ASATs. UAV's enriched treemap and source code views provide its users with a seamless exploration of the warning distribution from a high-level overview down to the source code. We have evaluated our UAV prototype in a user study with ten second-year Computer Science (CS) students, a visualization expert and tested it on large Java repositories with several thousands of PMD, FindBugs, and Checkstyle warnings. Project Website: https://clintoncao.github.io/uav/

show abstract

Section: Methodsmentioning

confidence: 99%

“…By contrast, existing research has tackled the problem of how to deal with a flood of warnings mainly by prioritizing them. Muske and Serebrenik give a comprehensive overview of the approaches that have been suggested so far [6].…”

Section: B User Workflowmentioning

confidence: 99%

UAV: Warnings from multiple Automated Static Analysis Tools at a glance

Buckers

Cao

Doesburg

et al. 2017

2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER)

View full text Add to dashboard Cite

show abstract

“…As we explain in § IV and § VI, we use simple heuristics to match the location contained in the tool's warning with the location of the known bug and determine that the correct bug has been identified if the bug types match and the locations are within a certain maximum distance. We could refine this heuristic by using more sophisticated matching techniques from related work on the issue of deduplicating and/or clustering tool warning reports [53], [54].…”

Section: Limitations and Future Workmentioning

confidence: 99%

Automated Customized Bug-Benchmark Generation

Kashyap

Ruchti

Kot

et al. 2019

2019 19th International Working Conference on Source Code Analysis and Manipulation (SCAM)

View full text Add to dashboard Cite

We introduce BUG-INJECTOR, a system that automatically creates benchmarks for customized evaluation of static analysis tools. We share a benchmark generated using BUG-INJECTOR and illustrate its efficacy by using it to evaluate the recall of two leading open-source static analysis tools: Clang Static Analyzer and Infer.BUG-INJECTOR works by inserting bugs based on bug templates into real-world host programs. It runs tests on the host program to collect dynamic traces, searches the traces for a point where the state satisfies the preconditions for some bug template, then modifies the host program to "inject" a bug based on that template. Injected bugs are used as test cases in a static analysis tool evaluation benchmark. Every test case is accompanied by a program input that exercises the injected bug. We have identified a broad range of requirements and desiderata for bug benchmarks; our approach generates on-demand test benchmarks that meet these requirements. It also allows us to create customized benchmarks suitable for evaluating tools for a specific use case (e.g., a given codebase and set of bug types).Our experimental evaluation demonstrates the suitability of our generated benchmark for evaluating static bug-detection tools and for comparing the performance of different tools.

show abstract

“…There have been an increasing number of approaches for handling static analysis alarms, and the approaches are categorized in a few literature reviews (Heckman and Williams 2011;Muske and Serebrenik 2016). One of the promising approaches is in a position to simplify the inspection effort by designing a set of features from the related information of source codes and reported alarms for clustering, ranking schemes and classification tasks.…”

Section: Related Workmentioning

confidence: 99%

“…To mitigate the effort of manual inspection, efficient defect identification techniques for handling static analysis alarms have been put forward by numerous studies and summarized in a few literature reviews (Heckman and Williams 2011;Muske and Serebrenik 2016). One of the promising approaches addressing the problem is to come up with a set of artifact characteristics for classifying alarms as actionable and unactionable, probability-based ranking of each alarm being true, and clustering by the similarity of alarms.…”

Section: Introductionmentioning

confidence: 99%

A variable-level automated defect identification model based on machine learning

et al. 2019

View full text Add to dashboard Cite

Static analysis tools, automatically detecting potential source code defects at an early phase during the software development process, are diffusely applied in safety-critical software fields. However, alarms reported by the tools need to be inspected manually by developers, which is inevitable and costly, whereas a large proportion of them are found to be false positives. Aiming at automatically classifying the reported alarms into true defects and false positives, we propose a defect identification model based on machine learning. We design a set of novel features at variable level, called variable characteristics, for building the classification model, which is more fine-grained than the existing traditional features. We select 13 base classifiers and two ensemble learning methods for model building based on our proposed approach, and the reported alarms classified as unactionable (false positives) are pruned for the purpose of mitigating the effort of manual inspection. In this paper, we firstly evaluate the approach on four open-source C projects, and the classification results show that the proposed model achieves high performance and reliability in practice. Then, we conduct a baseline experiment to evaluate the effectiveness of our proposed model in contrast to traditional features, indicating that features at variable level improve the performance significantly in defect identification. Additionally, we use machine learning techniques to rank the variable characteristics in order to identify the contribution of each feature to our proposed model.

show abstract

Survey of Approaches for Handling Static Analysis Alarms

Cited by 52 publications

References 93 publications

UAV: Warnings from multiple Automated Static Analysis Tools at a glance

UAV: Warnings from multiple Automated Static Analysis Tools at a glance

Automated Customized Bug-Benchmark Generation

A variable-level automated defect identification model based on machine learning

Contact Info

Product

Resources

About