Evaluating static analysis defect warnings on production software

Nathaniel Ayewah, William Pugh, J. David Morgenthaler, John Penix, YuQian Zhou
2007 Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering - PASTE '07  
Static analysis tools for software defect detection are becoming widely used in practice. However, there is little public information regarding the experimental evaluation of the accuracy and value of the warnings these tools report. In this paper, we discuss the warnings found by FindBugs, a static analysis tool that finds defects in Java programs. We discuss the kinds of warnings generated and the classification of warnings into false positives, trivial bugs and serious bugs. We also provide some insight into why static analysis tools often detect true but trivial bugs, and some information about defect warnings across the development lifetime of software release. We report data on the defect warnings in Sun's Java 6 JRE, in Sun's Glassfish JEE server, and in portions of Google's Java codebase. Finally, we report on some experiences from incorporating static analysis into the software development process at Google.
doi:10.1145/1251535.1251536 dblp:conf/paste/AyewahPMPZ07 fatcat:3s7zqknrcjai7d7aqyueu7vqcu