Why don't software developers use static analysis tools to find bugs?

Using static analysis tools for automating code inspections can be beneficial for software engineers. Such tools can make finding bugs, or software defects, faster and cheaper than manual inspections. Despite the benefits of using static analysis tools to find bugs, research suggests that these tools are underused. In this paper, we investigate why developers are not widely using static analysis tools and how current tools could potentially be improved. We conducted interviews with 20 developers and found that, although all of our participants felt that using such tools is beneficial, false positives and the way in which the warnings are presented, among other things, are barriers to use. We discuss several implications of these results, such as the need for an interactive mechanism to help developers fix defects.
