Using Static Analysis to Find Bugs
Summary (2 min read)
Using Static Analysis
- Rather than trying to prove that the code fulfills its specification, such tools look for violations of reasonable or recommended programming practice.
- A vibrant commercial industry has developed around advanced (and expensive) static-analysis tools,2,3 and several companies have their own proprietary in-house tools, such as Microsoft’s PREfix.
- FindBugs has grown, paying careful attention to mistakes that occur in practice and to the techniques and features needed to effectively incorporate it into production software development.
FindBugs in practice
- In its current form, FindBugs recognizes more than 300 programming mistakes and dubious coding idioms that it can identify using simple analysis techniques.
- FindBugs also uses more sophisticated analysis techniques, devised to help effectively identify certain issues—such as dereferencing of null pointers—that occur frequently enough to warrant their development.
- Unlike some other tools designed to provide security guarantees, FindBugs doesn’t try to identify all defects in a particular category or prove that software doesn’t contain a particular defect.
- Rather, it’s designed to effectively identify lowhanging fruit—to cheaply detect defects the authors believe developers will want to review and remedy.
- Many developers use FindBugs ad hoc, and a growing number of projects and companies are integrating it into their standard build and testing systems.
Defects in real code
- To appreciate static analysis for defect detection in general, and FindBugs in particular, it helps to be familiar with some sample defects found in real code.
- In some cases, the conditions might be closely related and some simple theorem proving can show whether the path is feasible or infeasible.
FindBugs nuts and bolts
- FindBugs has a plug-in architecture in which detectors can be defined, each of which might report several different bug patterns.
- Detectors can access information about types, constant values, and special flags, as well as values stored on the stack or in local variables.
- FindBugs groups each bug pattern into a category (such as correctness, bad practice, performance, and internationalization) and assigns each bug pattern report either high, medium, or low priority.
- Because the char type in Java is unsigned, this check will never be true.
Experiences at Google
- Google’s use of FindBugs has evolved over the past two years in three distinct phases.
- Successfully injecting FindBugs into Google’s development process required more than just making all warnings available outside an engineer’s normal workflow.
- As the authors gained experience and developer feedback, they prioritized their evaluation on the basis of their prior empirical results.
- Engineers discuss the code using these comments and note completed modifications.
- The authors rank- ing and false-positive suppression mechanisms are crucial to keeping the displayed warnings relevant and valuable so that users don’t start ignoring the more recent, important warnings along with the older, more trivial ones.
Survey of findBugs users
- Many organizations place the responsibility for deciding whether a warning is a bug into a single individual’s hands.
- Through user surveys, the authors found that actual FindBugs use is more diverse than we’d expected and that many things they believe to be best practices have yet to be widely adopted.
- We’re continuing studies with users and development organizations because it seems clear to us that development, measurement, validation, and adoption of best practices for static-analysis tools is key to enabling their effective use.
Did you find this useful? Give us your feedback
Citations
488 citations
Cites background from "Using Static Analysis to Find Bugs"
...She wants to make sure that she is following the company’s standards while maintaining quality code....
[...]
...There are a variety of ways to perform automatic static analyses [3], including at the developers request, continuously while creating the software in a development environment, and just before the software is committed to a version control system....
[...]
...There have been many studies on static analysis tools, many of which focus on their correctness and functionality [6], [10], [14], [15]....
[...]
254 citations
Cites background from "Using Static Analysis to Find Bugs"
...…is a static program analysis approach where untrusted data from input sources is marked as tainted and its flow to sensitive program statements known as sinks is tracked as a potential indicator of vulnerability (Evans and Larochelle 2002; Larus et al. 2004; Ayewah et al. 2008; Bessey et al. 2010)....
[...]
241 citations
213 citations
201 citations
Additional excerpts
...Public [24,57,63,81] [13,182] [10,15,54,152,182] [11,15] [22,23,47,104,108,156] [182]...
[...]
References
542 citations
230 citations
226 citations
123 citations
106 citations
Related Papers (5)
Frequently Asked Questions (9)
Q2. How does FindBugs evaluate the && and || operators?
Java evaluates the && and || operators using short-circuit evaluation: the right-hand side is evaluated only if needed in order to determine the expression’s value.
Q3. How many percent of users said a team does the review?
(Eleven percent of users said a team does the review, and 14 percent indicated that a reviewer can make independent decisions only for trivial cases.)
Q4. What other policies are used to suppress warnings?
Other policies include automatically inserting warnings into a bug tracker, having one or two people who maintain FindBugs and review warnings, requiring that warnings are human reviewed within a given time limit or warning-count threshold, integrating FindBugs into code review, running FindBugs automatically overnight and emailing problems to developers, and using a continuous-build server to display active warnings.
Q5. What is the main lesson from this experience?
The main lesson the authors learned from this experience is that developers will pay attention to, and fix, FindBugs warnings if they appear seamlessly within the workflow.
Q6. What was the first phase of the project?
In their project’s second phase, the authors implemented a service model in which two of the authors (David Morgenthaler and John Penix) spent half the time evaluating warnings and reporting those the authors decided were significant defects in Google’s bugtracking systems.
Q7. What makes it likely that many reviews take place closer to the release date?
This makes it likely that many reviews take place closer to the release date, when the pressure means that the emphasis is more on suppressing warnings than fixing code.
Q8. What is the reason why some users are wary of modifying code to avoid detections?
Some users are wary of “tuning code” to FindBugs by modifying the code to remove even low-pri-ority warnings or adding annotations.
Q9. What is the code that should have been a getter method for the field foundType?
}This code should have been a getter method for the field foundType, but the extra parenthesis means it always recursively calls itself until the stack overflows.