Using Static Analysis to Find Bugs

Nathaniel Ayewah; John Penix; William Pugh; David Hovemeyer; J. David Morgenthaler

doi:10.1109/MS.2008.130

Software
2008
Issue No. 5 - Sept.-Oct.
Abstract - Using Static Analysis to Find Bugs

	This Article
	Subscribers, please Login Purchase article: $19 PDF RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Nathaniel Ayewah Articles by David Hovemeyer Articles by J. David Morgenthaler Articles by John Penix Articles by William Pugh

Using Static Analysis to Find Bugs

Sept.-Oct. 2008 (vol. 25 no. 5)

pp. 22-29

	ASCII Text	x
	Nathaniel Ayewah, David Hovemeyer, J. David Morgenthaler, John Penix, William Pugh, "Using Static Analysis to Find Bugs," IEEE Software, vol. 25, no. 5, pp. 22-29, Sept.-Oct., 2008.

	BibTex	x
	@article{ 10.1109/MS.2008.130, author = {Nathaniel Ayewah and David Hovemeyer and J. David Morgenthaler and John Penix and William Pugh}, title = {Using Static Analysis to Find Bugs}, journal ={IEEE Software}, volume = {25}, number = {5}, issn = {0740-7459}, year = {2008}, pages = {22-29}, doi = {http://doi.ieeecomputersociety.org/10.1109/MS.2008.130}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - MGZN JO - IEEE Software TI - Using Static Analysis to Find Bugs IS - 5 SN - 0740-7459 SP22 EP29 EPD - 22-29 A1 - Nathaniel Ayewah, A1 - David Hovemeyer, A1 - J. David Morgenthaler, A1 - John Penix, A1 - William Pugh, PY - 2008 KW - static analysis KW - FindBugs KW - code quality KW - bug patterns KW - software defects KW - software quality VL - 25 JA - IEEE Software ER -

Nathaniel Ayewah, University of Maryland, College Park

David Hovemeyer, York College of Pennsylvania

J. David Morgenthaler, Google

John Penix, Google

William Pugh, University of Maryland, College Park

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MS.2008.130

Static analysis examines code in the absence of input data and without running the code. It can detect potential security violations (SQL injection), runtime errors (dereferencing a null pointer) and logical inconsistencies (a conditional test that can't possibly be true). Although a rich body of literature exists on algorithms and analytical frameworks used by such tools, reports describing experiences in industry are much harder to come by. The authors describe FindBugs, an open source static-analysis tool for Java, and experiences using it in production settings. FindBugs evaluates what kinds of defects can be effectively detected with relatively simple techniques and helps developers understand how to incorporate such tools into software development.

1. I.F. Darwin, Checking C Programs with Lint, O'Reilly, 1988.
2. S. Hallem, D. Park, and D. Engler, "Uprooting Software Defects at the Source," ACM Press Queue, vol. 1, no. 8, 2003, pp. 64–71.
3. B. Chess and J. West, Secure Programming with Static Analysis, 1st ed., Addison-Wesley Professional, 2007.
4. W.R. Bush, J.D. Pincus, and D.J. Sielaff, "A Static Analyzer for Finding Dynamic Programming Errors," Software Practice and Experience, vol. 30, no. 7, 2000, pp. 775–802.
5. D. Hovemeyer, J. Spacco, and W. Pugh, "Evaluating and Tuning a Static Analysis to Find Null Pointer Bugs," Proc. 6th ACM SIGPLAN-SIGSOFTWorkshop Program Analysis for Software Tools and Eng. (PASTE05), ACM Press, 2005, pp. 13–19.
6. J. Spacco, D. Hovemeyer, and W. Pugh, "Tracking Defect Warnings across Versions," Proc. 2006 Int'l Workshop Mining Software Repositories (MSR 06), ACM Press, 2006, pp. 133–136.
7. D. Hovemeyer and W. Pugh, "Finding More Null Pointer Bugs, but Not Too Many," Proc. 7th ACM SSIGPLAN-SIGSOFTWorkshop Program Analysis for Software Tools and Eng. (PASTE07), ACM Press, 2007, pp. 9–14.
8. Reasoning Inspection Service Defect Data Report for Tomcat, Version 4.1.24, tech. report, Reasoning, Inc., Jan. 2003.
9. T. Copeland, PMD Applied, Centennial Books, 2005.
10. B. Chelf, D. Engler, and S. Hallem, "How to Write System-Specific, Static Checkers in Metal," Proc. 2002 ACM SIGPLAN-SIGSOFTWorkshop Program Analysis for Software Tools and Eng. (PASTE02), ACM Press, 2002, pp. 51–60.
11. N. Ayewah et al., "Evaluating Static Analysis Defect Warnings on Production Software," Proc. 7th ACM SIGPLAN-SIGSOFTWorkshop Program Analysis for Software Tools and Eng. (PASTE07), ACM Press, 2007, pp. 1–8.
12. "Mondrian: Code Review on the Web," Dec. 2006, http://video.google.comvideoplay?docid=-8502904076440714866 .
13. D. Hovemeyer and W. Pugh, "Status Report on JSR-305: Annotations for Software Defect Detection," Companion to the 22nd ACM SIGPLANConf. Object-Oriented Programming Systems and Applications, ACM Press, 2007, pp. 799–800.
14. JSR 305: Annotations for Software Defect Detection, http://jcp.org/en/jsrdetail?id=305.

Index Terms:

static analysis, FindBugs, code quality, bug patterns, software defects, software quality

Citation:

Nathaniel Ayewah, David Hovemeyer, J. David Morgenthaler, John Penix, William Pugh, "Using Static Analysis to Find Bugs," IEEE Software, vol. 25, no. 5, pp. 22-29, Sept.-Oct. 2008, doi:10.1109/MS.2008.130

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.