Which Defect Should Be Fixed First? Semantic Prioritization of Static Analysis Report

The usability of static analyzers is plagued by excessive false alarms. Manually examining whether a defect report is spurious is laborious and error-prone. Moreover, the inability to filter out overwhelming false alarms erodes users' confidence in such tools and severely limits their adoption in development cycles. In this paper, we propose a semantic approach to prioritizing the defect reports emitted by static analysis. Our approach evaluates the importance of a defect report by its fatality and prioritizes defects by their effect on critical functions. Compared to existing approaches that prioritize defect reports by analyzing external attributes, ours makes substantial use of the semantic information derived by static analysis itself to measure the severity of defect reports more precisely. We have implemented a prototype and evaluated it on real-world code bases; the results show that our approach effectively evaluates the severity of defects.
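As an added illustration of the two ingredients the abstract names (a fatality weight per defect class, and whether the defect affects a critical function), the following example ranks a constructed set of static-analysis reports over a constructed call graph. It is not the paper's prototype or its scoring formula: the function names, the fatality weights, and the rule that a defect "affects" a critical function when it lies in code that a critical function transitively calls are all assumptions chosen for this example.

```python
from collections import deque
from dataclasses import dataclass

# Constructed call graph (caller -> callees). Hypothetical names, not from the paper.
CALL_GRAPH = {
    "main": ["parse_request", "handle_login", "log_stats"],
    "handle_login": ["auth_check", "write_session"],
    "auth_check": ["hash_password", "lookup_user"],
    "write_session": ["db_write"],
    "parse_request": ["tokenize"],
    "log_stats": ["format_line"],
}

# Functions the user marks as critical (assumed for this example).
CRITICAL = {"auth_check", "db_write"}

# Fatality weight per defect class (assumed scale; the paper's scale is not given here).
FATALITY = {
    "buffer-overflow": 5,
    "use-after-free": 5,
    "null-dereference": 4,
    "resource-leak": 2,
    "dead-store": 0,
}


@dataclass
class Report:
    rid: str   # report identifier
    kind: str  # defect class, a key of FATALITY
    func: str  # function in which the analyzer flagged the defect


def distance_from_critical(func, graph=CALL_GRAPH, critical=CRITICAL):
    """BFS along callee edges from every critical function.

    Returns the smallest number of call edges from some critical function down
    to `func` (0 if `func` is itself critical), or None when no critical function
    transitively calls `func`, i.e. the defect cannot affect critical code under
    this example's model.
    """
    dist = {c: 0 for c in critical}
    queue = deque(critical)
    while queue:
        cur = queue.popleft()
        for callee in graph.get(cur, []):
            if callee not in dist:
                dist[callee] = dist[cur] + 1
                queue.append(callee)
    return dist.get(func)


def severity(report):
    """Fatality weight, discounted by how far the defect sits from critical code."""
    base = FATALITY.get(report.kind, 1)
    d = distance_from_critical(report.func)
    if d is None:
        return base * 0.1  # unreachable from critical code: keep, but demote
    return base / (1 + d)


def prioritize(reports):
    """Highest severity first; ties broken by report id for a stable ordering."""
    return sorted(reports, key=lambda r: (-severity(r), r.rid))


# Constructed reports, as an analyzer might emit them.
SAMPLE_REPORTS = [
    Report("R1", "resource-leak", "tokenize"),
    Report("R2", "null-dereference", "lookup_user"),
    Report("R3", "buffer-overflow", "format_line"),
    Report("R4", "dead-store", "auth_check"),
    Report("R5", "use-after-free", "db_write"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REPORTS):
        print(f"{r.rid} {r.kind:<17} in {r.func:<12} severity={severity(r):.2f}")
```

Note how the ranking differs from a purely attribute-based one: the buffer overflow in `format_line` (R3) carries the highest fatality weight but is demoted because no critical function depends on it, while the null dereference in `lookup_user` (R2) outranks it because `auth_check` calls `lookup_user`. A real implementation would take the call graph and defect locations from the analyzer itself rather than from hand-written tables.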
