The Unexplored Terrain of Compiler Warnings

The authors’ industry experiences suggest that compiler warnings, a lightweight form of program analysis, are valuable early bug detection tools. Significant costs are associated with patches and security bulletins for issues that could have been avoided had the relevant compiler warnings been addressed. Yet the industry’s attitude towards compiler warnings is mixed: practices range from silencing all compiler warnings to enforcing a zero-tolerance policy under which no warning is permitted. Currently published data indicate that addressing compiler warnings early is beneficial. However, the support for this claim of value comes from grey literature or is anecdotal. Additional focused research is needed to truly assess the cost-benefit of addressing warnings.
