how many of all bugs do we find a study of static bug
play

How Many of All Bugs Do We Find? A Study of Static Bug Detectors - PowerPoint PPT Presentation

Apr 14, 2023 •311 likes •804 views

How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU Darmstadt, Germany software-lab.org 1 Static Bug Detection Error Prone 2 Static Bug Detection Error Prone General framework Scalable

  1. How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU Darmstadt, Germany software-lab.org 1

  2. Static Bug Detection Error Prone 2

  3. Static Bug Detection Error Prone � General framework � Scalable static analysis � Set of checkers for specific bug patterns 2

  4. How Many Bugs Do They Find? 3

  5. How Many Bugs Do They Find? Given a representative set of real-world bugs, how many of them do static bug detectors find? 3

  6. How Many Bugs Do They Find? Given a representative set of real-world bugs, how many of them do static bug detectors find? This talk: Empirical study with 594 real-world Java bugs and 3 popular static checkers 3

  7. Real-World Bugs � 594 bugs from 15 popular Java projects � Extended version of Defects4J data set � Why this set? � Gathered independently � Used in other bug-related studies * � Contains real fixes by developers * Just et al., 2014 (mutation testing); Shamshiri et al., 2015 (test generation); Pearson et al., 2017 (fault localization); Martinez et al., 2017 (program repair) 4

  8. Defects4J: Files Involved in Bug 550 501 500 450 Number of bugs 400 350 300 250 200 150 100 64 50 12 10 4 1 1 1 0 1 2 3 4 5 6 7 11 Number of buggy files 5

  9. Defects4J: Size of Bug Fix 550 500 450 Number of bugs 400 350 296 300 250 200 150 128 100 54 44 50 29 29 6 6 1 1 0 1-4 5-9 10-14 15-19 20-24 25-49 50-74 75-99 100-199 200-1.999 Diff size between buggy and fixed versions (LoC) 6

  10. Previous Approach How to determine which bugs are found? [Thung et al., 2012] � Get diff between buggy and fixed code � Run tool on code with buggy lines � If warning on buggy line: Bug found � Result: 50% – 95% of all bugs found � Limitation: � No check that warning points to bug � One tool flags up to 57% of all lines 7

  11. Previous Approach How to determine which bugs are found? [Thung et al., 2012] � Get diff between buggy and fixed code � Run tool on code with buggy lines � If warning on buggy line: Bug found � Result: 50% – 95% of all bugs found � Limitation: � No check that warning points to bug � One tool flags up to 57% of all lines 7

  12. Methodology: Overview Bugs + fixes Bug detectors Automated filtering of warnings Fixed Diff-based warnings- Combined based 8

  13. Methodology: Overview Bugs + fixes Bug detectors Automated filtering of warnings Fixed Diff-based warnings- Combined based 8

  14. Methodology: Overview Bugs + fixes Bug detectors Automated filtering of warnings Fixed Diff-based warnings- Combined based 8

  15. Methodology: Overview Bugs + fixes Bug detectors Automated filtering of warnings Fixed Diff-based warnings- Combined based Candidates for detected bugs Manual inspection of candidates Detected bugs 8

  16. Methodology: Diff-based Bugs + fixes Bug detectors Automated filtering of warnings Diff-based Candidates for detected bugs Manual inspection of candidates Detected bugs 9

  17. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning 9

  18. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: 9

  19. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: Modified line 9

  20. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: Modified line Removed line 9

  21. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: Modified line Removed line Newly inserted line 9

  22. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: Warnings by bug detector 9

  23. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: Warnings by bug detector Candidate for detected bug 9

  24. Example: public Dfp multiply(final int x) { return multiplyFast(x); } Bug fix public Dfp multiply(final int x) { if (x >= 0 && x < RADIX) { return multiplyFast(x); } else { return multiply(newInstance(x)); } } 10

  25. Example: public Dfp multiply(final int x) { return multiplyFast(x); Warning: } Missing Bug fix @Override public Dfp multiply(final int x) { if (x >= 0 && x < RADIX) { return multiplyFast(x); } else { return multiply(newInstance(x)); } } 10

  26. Example: public Dfp multiply(final int x) { return multiplyFast(x); Warning: } Missing Bug fix @Override public Dfp multiply(final int x) { -1 if (x >= 0 && x < RADIX) { +1 return multiplyFast(x); } else { return multiply(newInstance(x)); } } Candidate for detected bug 10

  27. Method.: Fixed Warnings-based Bugs + fixes Bug detectors Automated filtering of warnings Fixed warnings- based Candidates for detected bugs Manual inspection of candidates Detected bugs 11

  28. Method.: Fixed Warnings-based 1) Compare warnings before and after fix 2) Warning that disappears was for bug 11

  29. Method.: Fixed Warnings-based 1) Compare warnings before and after fix 2) Warning that disappears was for bug Buggy file: Fixed file: 11

  30. Method.: Fixed Warnings-based 1) Compare warnings before and after fix 2) Warning that disappears was for bug Buggy file: Fixed file: Warnings by bug detector 11

  31. Method.: Fixed Warnings-based 1) Compare warnings before and after fix 2) Warning that disappears was for bug Buggy file: Fixed file: Warnings by bug detector Candidate for detected bug 11

  32. Example public Week(Date time , TimeZone zone) { this(time , RegularTimePeriod.DEFAULT_TIME_ZONE , Locale.getDefault ()); } Bug fix public Week(Date time , TimeZone zone) { this(time , zone , Locale.getDefault ()); } 12

  33. Example public Week(Date time , TimeZone zone) { this(time , RegularTimePeriod.DEFAULT_TIME_ZONE , Locale.getDefault ()); } Warning: Bug fix Chaining public Week(Date time , TimeZone zone) { constructor this(time , ignores zone , argument Locale.getDefault ()); } Candidate for detected bug 12

  34. Methodology: Combined Bugs + fixes Bug detectors Automated filtering of warnings Fixed = Diff-based warnings- Combined + based Candidates for detected bugs Manual inspection of candidates Detected bugs 13

  35. Results 14

  36. Warnings to Inspect All warnings Per bug Candidates Tool Min Max Avg Total only Error Prone 0 148 7.58 4,402 53 Infer 0 36 0.33 198 32 SpotBugs 0 47 1.1 647 68 Total 5,247 153 15

  37. Warnings to Inspect All warnings Per bug Candidates Tool Min Max Avg Total only Error Prone 0 148 7.58 4,402 53 Infer 0 36 0.33 198 32 SpotBugs 0 47 1.1 647 68 Total 5,247 153 15

  38. Warnings to Inspect All warnings Per bug Candidates Tool Min Max Avg Total only Error Prone 0 148 7.58 4,402 53 Infer 0 36 0.33 198 32 SpotBugs 0 47 1.1 647 68 Total 5,247 153 97% of all warnings are removed by the automated filtering step 15

  39. Manual Inspection Distinguish coincidental matches from actually detected bugs Candidate = (bug, warning) Full match Partial match Mismatch 16 Created by Freepik

  40. Manual Inspection: Example public Dfp multiply(final int x) { return multiplyFast(x); Warning: } Bug fix Missing @Override public Dfp multiply(final int x) { if (x >= 0 && x < RADIX) { return multiplyFast(x); } else { return multiply(newInstance(x)); } } Candidate for detected bug 17

  41. Manual Inspection: Example public Dfp multiply(final int x) { return multiplyFast(x); Warning: } Bug fix Missing @Override public Dfp multiply(final int x) { if (x >= 0 && x < RADIX) { return multiplyFast(x); } else { return multiply(newInstance(x)); } } Mismatch 17

  42. Manual Inspection: Example (2) public Week(Date time , TimeZone zone) { this(time , RegularTimePeriod.DEFAULT_TIME_ZONE , Locale.getDefault ()); } Warning: Bug fix Chaining public Week(Date time , TimeZone zone) { constructor this(time , ignores zone , argument Locale.getDefault ()); } Candidate for detected bug 18

  43. Manual Inspection: Example (2) public Week(Date time , TimeZone zone) { this(time , RegularTimePeriod.DEFAULT_TIME_ZONE , Locale.getDefault ()); } Warning: Bug fix Chaining public Week(Date time , TimeZone zone) { constructor this(time , ignores zone , argument Locale.getDefault ()); } Full match 18

  44. Most Bugs are Missed Three tools together: Detect 27 of 594 bugs (less than 5%) SpotBugs ErrorProne 6 14 2 0 0 2 3 Infer 19

  45. Why are Most Bugs Missed? Manual inspection of random sample of 20 missed bugs: 14 are domain-specific � Unrelated to any of the supported bug patterns � Application-specific algorithms � Forgot to handle special case � Difficult to decide whether behavior is intended 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still missed Rare features Rare circumstances Nondeterminism Static analysis Can analyze all possible runs of a program An explosion

597 views • 25 slides
Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker

Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker

Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker Senior Software Engineer, Video Product Line, Tektronix, Inc. Pacific Northwest Software Quality Conference, 2010 In the Beginning, There Was Lint

486 views • 20 slides
Why Dont Software Developers Use Static Analysis Tools to Find Bugs? Brittany Johnson, Yoonki

Why Dont Software Developers Use Static Analysis Tools to Find Bugs? Brittany Johnson, Yoonki

Why Dont Software Developers Use Static Analysis Tools to Find Bugs? Brittany Johnson, Yoonki Song, and Emerson Murphy-Hill and Robert Bowdidge Presented by Sandarbh Bhadauria Results Results Overview Previous research has shown these

345 views • 31 slides
[2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014

[2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014

[1/2] Fantastic C++ Bugs and Where to Find Them [2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014 @compsciclub.ru Agenda AddressSanitizer (aka ASan) detects use-after-free and buffer overflows

742 views • 55 slides
Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs at compile time by inspecting your source code Bugs it finds are more sophisticated than warnings or Clang-Tidy Clang Static Analyzer 1

544 views • 29 slides
CLUSTERING STATIC ANALYSIS DEFECT REPORTS TO REDUCE MAINTENANCE COSTS Zachary P. Fry and Westley

CLUSTERING STATIC ANALYSIS DEFECT REPORTS TO REDUCE MAINTENANCE COSTS Zachary P. Fry and Westley

CLUSTERING STATIC ANALYSIS DEFECT REPORTS TO REDUCE MAINTENANCE COSTS Zachary P. Fry and Westley Weimer University of Virginia Static Analysis-based Bug Finders Use known-faulty semantic patterns to find suspected bugs statically

570 views • 26 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
PointsTo Static Use-After-Free Detector for C/C++ Presented by: Peter Goodman PointsTo detects

PointsTo Static Use-After-Free Detector for C/C++ Presented by: Peter Goodman PointsTo detects

PointsTo Static Use-After-Free Detector for C/C++ Presented by: Peter Goodman PointsTo detects use-after-free bugs Static, whole-program analyzer that finds use-after-free bugs in C/C++ code Implemented in C++ as an LLVM plugin that

591 views • 26 slides
Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland

Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland

Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland http://www.cs.umd.edu/~pugh TS-2007 2007 JavaOne SM Conference | Session TS-2007 | You will believe... Static analysis tools can find real bugs

991 views • 62 slides
Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong

Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong

Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner Security Bugs Common 6,515 vulnerabili/es reported in 2007 Major vendors : Adobe, Apple, MicrosoN Plus many more

480 views • 14 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
A SYSTEMATIC STUDY OF AUTOMATED PROGRAM REPAIR: FIXING 55 OUT OF 105 BUGS FOR $8 EACH Claire

A SYSTEMATIC STUDY OF AUTOMATED PROGRAM REPAIR: FIXING 55 OUT OF 105 BUGS FOR $8 EACH Claire

A SYSTEMATIC STUDY OF AUTOMATED PROGRAM REPAIR: FIXING 55 OUT OF 105 BUGS FOR $8 EACH Claire Michael Stephanie Westley Le Goues Dewey-Vogt Forrest Weimer 1 http://genprog.cs.virginia.edu Everyday, almost 300 Annual cost of bugs

647 views • 63 slides
Infer A static analyzer for catching bugs before you ship Jules Villard jul@fb.com Facebook

Infer A static analyzer for catching bugs before you ship Jules Villard jul@fb.com Facebook

Infer A static analyzer for catching bugs before you ship Jules Villard jul@fb.com Facebook London github.com/facebook/infer/ Programming is Hard Need to think of ALL possible cases Keep track of all possible values If it can be null, it

1.09k views • 41 slides
Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Prevention: Program Analysis Any automated analysis at compile or dynamic time to find potential bugs

798 views • 61 slides
About Directed Fuzzing and Use-After-Free: How to Find Complex &amp; Silent Bugs? Manh-Dung

About Directed Fuzzing and Use-After-Free: How to Find Complex &amp; Silent Bugs? Manh-Dung

About Directed Fuzzing and Use-After-Free: How to Find Complex &amp; Silent Bugs? Manh-Dung Nguyen, Sbastien Bardin, Matthieu Lemerre (CEA LIST) Richard Bonichon (Tweag I/O) Roland Groz (Universit Grenoble Alpes) #BHUSA @BLACKHATEVENTS

546 views • 44 slides
CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

Datalog CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs Static Analysis Tools Black-box Testing/Fuzzing 2 Coverity: a Static Analysis Company 3 Bug Report From Coverity Actual bug Path

701 views • 59 slides
Code Change Impact Analysis for Testing Configurable Software Systems Mithun Acharya ABB

Code Change Impact Analysis for Testing Configurable Software Systems Mithun Acharya ABB

Code Change Impact Analysis for Testing Configurable Software Systems Mithun Acharya ABB Corporate Research Raleigh NC USA ABB: A power and automation company &gt;125 years, &gt;100 nations, ~150,000 employees Power products and electronics,

1.62k views • 128 slides
Repackaged Applications Yury Zhauniarovich, Olga Gadyatskaya, Bruno Crispo, Francesco La Spina,

Repackaged Applications Yury Zhauniarovich, Olga Gadyatskaya, Bruno Crispo, Francesco La Spina,

FSquaDRA: Fast Detection of Repackaged Applications Yury Zhauniarovich, Olga Gadyatskaya, Bruno Crispo, Francesco La Spina, Ermanno Moser zhauniarovich, gadyatskaya, crispo, laspina, moser@disi.unitn.it University of Trento Repackaging

537 views • 17 slides
LLVM: built-in scalable code clone detection based on semantic analysis Institute for System

LLVM: built-in scalable code clone detection based on semantic analysis Institute for System

LLVM: built-in scalable code clone detection based on semantic analysis Institute for System Programming of the Russian Academy of Sciences Sevak Sargsyan : sevaksargsyan@ispras.ru Shamil Kurmangaleev : kursh@ispras.ru Andrey Belevantsev :

451 views • 19 slides
Automated Model Extraction and Testing of Graphical User Interface Applications Pekka Aho

Automated Model Extraction and Testing of Graphical User Interface Applications Pekka Aho

Automated Model Extraction and Testing of Graphical User Interface Applications Pekka Aho Abstract The industry practice for test automation through graphical user interface (GUI) is script-based. In some tools the scripts can be recorded from

193 views • 8 slides
Professional PostgreSQL monitoring made easy Kaarel Moppel www.cybertec.at Kaarel Moppel

Professional PostgreSQL monitoring made easy Kaarel Moppel www.cybertec.at Kaarel Moppel

Professional PostgreSQL monitoring made easy Kaarel Moppel www.cybertec.at Kaarel Moppel www.cybertec.at Why to monitor Kaarel Moppel www.cybertec.at Failure / Downtime detection Slowness / Performance analysis Proactive

802 views • 48 slides
Segmentation on remote sensing images by using Fusion-MRF model * Tams Szirnyi 7/10/2019 MTA

Segmentation on remote sensing images by using Fusion-MRF model * Tams Szirnyi 7/10/2019 MTA

Segmentation on remote sensing images by using Fusion-MRF model * Tams Szirnyi 7/10/2019 MTA SZTAKI / MPLab 1984 2000 2005 2007 7/10/2019 SZTAKI MPLab 2 Analysis Tasks in RS Image repositories Classifying segments and detection of

810 views • 65 slides
Descartes - Introduction and Status Update Prof. Samuel Kounev, Uni Wrzburg Chair of Software

Descartes - Introduction and Status Update Prof. Samuel Kounev, Uni Wrzburg Chair of Software

Descartes - Introduction and Status Update Prof. Samuel Kounev, Uni Wrzburg Chair of Software Engineering University of Wrzburg http://se.informatik.uni-wuerzburg.de/ http://descartes.tools 1 pmw.fortiss.org Munich, November 5th, 2015

304 views • 16 slides
Improving the Productivity of Scalable Application Development with TotalView May 18th, 2010

Improving the Productivity of Scalable Application Development with TotalView May 18th, 2010

Improving the Productivity of Scalable Application Development with TotalView May 18th, 2010 Chris Gottbrath Principal Product Manager Rogue Wave Major Product Offerings TotalView Technologies Proprietary Plans Subject to Change without

375 views • 24 slides

More recommend