Using checklists to review static analysis warnings

Authors:
Nathaniel Ayewah;William Pugh
Affiliations:
Univ. of Maryland, College Park, MD;Univ. of Maryland, College Park, MD
Venue:
Proceedings of the 2nd International Workshop on Defects in Large Software Systems: Held in conjunction with the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2009)
Year:
2009

Citing 7
Cited 2

Finding bugs is easy

OOPSLA '04 Companion to the 19th annual ACM SIGPLAN conference on Object-oriented programming systems, languages, and applications
Static analysis tools as early indicators of pre-release defect density

Proceedings of the 27th international conference on Software engineering
Evaluating static analysis defect warnings on production software

PASTE '07 Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Finding more null pointer bugs, but not too many

PASTE '07 Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Which warnings should I fix first?

Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
A report on a survey and study of static analysis users

DEFECTS '08 Proceedings of the 2008 workshop on Defects in large software systems
Path projection for user-centered static analysis tools

Proceedings of the 8th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering

The Google FindBugs fixit

Proceedings of the 19th international symposium on Software testing and analysis
Effective false positive filtering for evolving software

Proceedings of the 4th India Software Engineering Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

Static analysis tools find silly mistakes, confusing code, bad practices and property violations. But software developers and organizations may or may not care about all these warnings, depending on how they impact code behavior and other factors. In the past, we have tried to identify important warnings by asking users to rate them as severe, low impact or not a bug. In this paper, we observe that the user's rating may be more complicated depending on whether the warning is feasible, changes code behavior, occurs in deployed code and other factors. To better model this, we ask users to review warnings using a checklist which enables more detailed reviews. We find that reviews are consistent across users and across checklist questions, though some users may disagree about whether to fix or filter out certain bug classes.