how many of all bugs do we find a study of static bug
play

How Many of All Bugs Do We Find? A Study of Static Bug Detectors - PowerPoint PPT Presentation

Apr 14, 2023 •311 likes •804 views

How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU Darmstadt, Germany software-lab.org 1 Static Bug Detection Error Prone 2 Static Bug Detection Error Prone General framework Scalable

  1. How Many of All Bugs Do We Find? A Study of Static Bug Detectors Andrew Habib, Michael Pradel TU Darmstadt, Germany software-lab.org 1

  2. Static Bug Detection Error Prone 2

  3. Static Bug Detection Error Prone � General framework � Scalable static analysis � Set of checkers for specific bug patterns 2

  4. How Many Bugs Do They Find? 3

  5. How Many Bugs Do They Find? Given a representative set of real-world bugs, how many of them do static bug detectors find? 3

  6. How Many Bugs Do They Find? Given a representative set of real-world bugs, how many of them do static bug detectors find? This talk: Empirical study with 594 real-world Java bugs and 3 popular static checkers 3

  7. Real-World Bugs � 594 bugs from 15 popular Java projects � Extended version of Defects4J data set � Why this set? � Gathered independently � Used in other bug-related studies * � Contains real fixes by developers * Just et al., 2014 (mutation testing); Shamshiri et al., 2015 (test generation); Pearson et al., 2017 (fault localization); Martinez et al., 2017 (program repair) 4

  8. Defects4J: Files Involved in Bug 550 501 500 450 Number of bugs 400 350 300 250 200 150 100 64 50 12 10 4 1 1 1 0 1 2 3 4 5 6 7 11 Number of buggy files 5

  9. Defects4J: Size of Bug Fix 550 500 450 Number of bugs 400 350 296 300 250 200 150 128 100 54 44 50 29 29 6 6 1 1 0 1-4 5-9 10-14 15-19 20-24 25-49 50-74 75-99 100-199 200-1.999 Diff size between buggy and fixed versions (LoC) 6

  10. Previous Approach How to determine which bugs are found? [Thung et al., 2012] � Get diff between buggy and fixed code � Run tool on code with buggy lines � If warning on buggy line: Bug found � Result: 50% – 95% of all bugs found � Limitation: � No check that warning points to bug � One tool flags up to 57% of all lines 7

  11. Previous Approach How to determine which bugs are found? [Thung et al., 2012] � Get diff between buggy and fixed code � Run tool on code with buggy lines � If warning on buggy line: Bug found � Result: 50% – 95% of all bugs found � Limitation: � No check that warning points to bug � One tool flags up to 57% of all lines 7

  12. Methodology: Overview Bugs + fixes Bug detectors Automated filtering of warnings Fixed Diff-based warnings- Combined based 8

  13. Methodology: Overview Bugs + fixes Bug detectors Automated filtering of warnings Fixed Diff-based warnings- Combined based 8

  14. Methodology: Overview Bugs + fixes Bug detectors Automated filtering of warnings Fixed Diff-based warnings- Combined based 8

  15. Methodology: Overview Bugs + fixes Bug detectors Automated filtering of warnings Fixed Diff-based warnings- Combined based Candidates for detected bugs Manual inspection of candidates Detected bugs 8

  16. Methodology: Diff-based Bugs + fixes Bug detectors Automated filtering of warnings Diff-based Candidates for detected bugs Manual inspection of candidates Detected bugs 9

  17. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning 9

  18. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: 9

  19. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: Modified line 9

  20. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: Modified line Removed line 9

  21. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: Modified line Removed line Newly inserted line 9

  22. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: Warnings by bug detector 9

  23. Methodology: Diff-based 1) Identify lines changed to fix bug 2) Intersect with lines with warning Buggy file: Fixed file: Warnings by bug detector Candidate for detected bug 9

  24. Example: public Dfp multiply(final int x) { return multiplyFast(x); } Bug fix public Dfp multiply(final int x) { if (x >= 0 && x < RADIX) { return multiplyFast(x); } else { return multiply(newInstance(x)); } } 10

  25. Example: public Dfp multiply(final int x) { return multiplyFast(x); Warning: } Missing Bug fix @Override public Dfp multiply(final int x) { if (x >= 0 && x < RADIX) { return multiplyFast(x); } else { return multiply(newInstance(x)); } } 10

  26. Example: public Dfp multiply(final int x) { return multiplyFast(x); Warning: } Missing Bug fix @Override public Dfp multiply(final int x) { -1 if (x >= 0 && x < RADIX) { +1 return multiplyFast(x); } else { return multiply(newInstance(x)); } } Candidate for detected bug 10

  27. Method.: Fixed Warnings-based Bugs + fixes Bug detectors Automated filtering of warnings Fixed warnings- based Candidates for detected bugs Manual inspection of candidates Detected bugs 11

  28. Method.: Fixed Warnings-based 1) Compare warnings before and after fix 2) Warning that disappears was for bug 11

  29. Method.: Fixed Warnings-based 1) Compare warnings before and after fix 2) Warning that disappears was for bug Buggy file: Fixed file: 11

  30. Method.: Fixed Warnings-based 1) Compare warnings before and after fix 2) Warning that disappears was for bug Buggy file: Fixed file: Warnings by bug detector 11

  31. Method.: Fixed Warnings-based 1) Compare warnings before and after fix 2) Warning that disappears was for bug Buggy file: Fixed file: Warnings by bug detector Candidate for detected bug 11

  32. Example public Week(Date time , TimeZone zone) { this(time , RegularTimePeriod.DEFAULT_TIME_ZONE , Locale.getDefault ()); } Bug fix public Week(Date time , TimeZone zone) { this(time , zone , Locale.getDefault ()); } 12

  33. Example public Week(Date time , TimeZone zone) { this(time , RegularTimePeriod.DEFAULT_TIME_ZONE , Locale.getDefault ()); } Warning: Bug fix Chaining public Week(Date time , TimeZone zone) { constructor this(time , ignores zone , argument Locale.getDefault ()); } Candidate for detected bug 12

  34. Methodology: Combined Bugs + fixes Bug detectors Automated filtering of warnings Fixed = Diff-based warnings- Combined + based Candidates for detected bugs Manual inspection of candidates Detected bugs 13

  35. Results 14

  36. Warnings to Inspect All warnings Per bug Candidates Tool Min Max Avg Total only Error Prone 0 148 7.58 4,402 53 Infer 0 36 0.33 198 32 SpotBugs 0 47 1.1 647 68 Total 5,247 153 15

  37. Warnings to Inspect All warnings Per bug Candidates Tool Min Max Avg Total only Error Prone 0 148 7.58 4,402 53 Infer 0 36 0.33 198 32 SpotBugs 0 47 1.1 647 68 Total 5,247 153 15

  38. Warnings to Inspect All warnings Per bug Candidates Tool Min Max Avg Total only Error Prone 0 148 7.58 4,402 53 Infer 0 36 0.33 198 32 SpotBugs 0 47 1.1 647 68 Total 5,247 153 97% of all warnings are removed by the automated filtering step 15

  39. Manual Inspection Distinguish coincidental matches from actually detected bugs Candidate = (bug, warning) Full match Partial match Mismatch 16 Created by Freepik

  40. Manual Inspection: Example public Dfp multiply(final int x) { return multiplyFast(x); Warning: } Bug fix Missing @Override public Dfp multiply(final int x) { if (x >= 0 && x < RADIX) { return multiplyFast(x); } else { return multiply(newInstance(x)); } } Candidate for detected bug 17

  41. Manual Inspection: Example public Dfp multiply(final int x) { return multiplyFast(x); Warning: } Bug fix Missing @Override public Dfp multiply(final int x) { if (x >= 0 && x < RADIX) { return multiplyFast(x); } else { return multiply(newInstance(x)); } } Mismatch 17

  42. Manual Inspection: Example (2) public Week(Date time , TimeZone zone) { this(time , RegularTimePeriod.DEFAULT_TIME_ZONE , Locale.getDefault ()); } Warning: Bug fix Chaining public Week(Date time , TimeZone zone) { constructor this(time , ignores zone , argument Locale.getDefault ()); } Candidate for detected bug 18

  43. Manual Inspection: Example (2) public Week(Date time , TimeZone zone) { this(time , RegularTimePeriod.DEFAULT_TIME_ZONE , Locale.getDefault ()); } Warning: Bug fix Chaining public Week(Date time , TimeZone zone) { constructor this(time , ignores zone , argument Locale.getDefault ()); } Full match 18

  44. Most Bugs are Missed Three tools together: Detect 27 of 594 bugs (less than 5%) SpotBugs ErrorProne 6 14 2 0 0 2 3 Infer 19

  45. Why are Most Bugs Missed? Manual inspection of random sample of 20 missed bugs: 14 are domain-specific � Unrelated to any of the supported bug patterns � Application-specific algorithms � Forgot to handle special case � Difficult to decide whether behavior is intended 20

Recommend

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still missed Rare features Rare circumstances Nondeterminism Static analysis Can analyze all possible runs of a program An explosion

597 views • 25 slides
Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker

Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker

Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker Senior Software Engineer, Video Product Line, Tektronix, Inc. Pacific Northwest Software Quality Conference, 2010 In the Beginning, There Was Lint

486 views • 20 slides
Why Dont Software Developers Use Static Analysis Tools to Find Bugs? Brittany Johnson, Yoonki

Why Dont Software Developers Use Static Analysis Tools to Find Bugs? Brittany Johnson, Yoonki

Why Dont Software Developers Use Static Analysis Tools to Find Bugs? Brittany Johnson, Yoonki Song, and Emerson Murphy-Hill and Robert Bowdidge Presented by Sandarbh Bhadauria Results Results Overview Previous research has shown these

345 views • 31 slides
[2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014

[2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014

[1/2] Fantastic C++ Bugs and Where to Find Them [2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014 @compsciclub.ru Agenda AddressSanitizer (aka ASan) detects use-after-free and buffer overflows

742 views • 55 slides
Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs at compile time by inspecting your source code Bugs it finds are more sophisticated than warnings or Clang-Tidy Clang Static Analyzer 1

544 views • 29 slides
CLUSTERING STATIC ANALYSIS DEFECT REPORTS TO REDUCE MAINTENANCE COSTS Zachary P. Fry and Westley

CLUSTERING STATIC ANALYSIS DEFECT REPORTS TO REDUCE MAINTENANCE COSTS Zachary P. Fry and Westley

CLUSTERING STATIC ANALYSIS DEFECT REPORTS TO REDUCE MAINTENANCE COSTS Zachary P. Fry and Westley Weimer University of Virginia Static Analysis-based Bug Finders Use known-faulty semantic patterns to find suspected bugs statically

570 views • 26 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
PointsTo Static Use-After-Free Detector for C/C++ Presented by: Peter Goodman PointsTo detects

PointsTo Static Use-After-Free Detector for C/C++ Presented by: Peter Goodman PointsTo detects

PointsTo Static Use-After-Free Detector for C/C++ Presented by: Peter Goodman PointsTo detects use-after-free bugs Static, whole-program analyzer that finds use-after-free bugs in C/C++ code Implemented in C++ as an LLVM plugin that

591 views • 26 slides
Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland

Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland

Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland http://www.cs.umd.edu/~pugh TS-2007 2007 JavaOne SM Conference | Session TS-2007 | You will believe... Static analysis tools can find real bugs

991 views • 62 slides
Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong

Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong

Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner Security Bugs Common 6,515 vulnerabili/es reported in 2007 Major vendors : Adobe, Apple, MicrosoN Plus many more

480 views • 14 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
A SYSTEMATIC STUDY OF AUTOMATED PROGRAM REPAIR: FIXING 55 OUT OF 105 BUGS FOR $8 EACH Claire

A SYSTEMATIC STUDY OF AUTOMATED PROGRAM REPAIR: FIXING 55 OUT OF 105 BUGS FOR $8 EACH Claire

A SYSTEMATIC STUDY OF AUTOMATED PROGRAM REPAIR: FIXING 55 OUT OF 105 BUGS FOR $8 EACH Claire Michael Stephanie Westley Le Goues Dewey-Vogt Forrest Weimer 1 http://genprog.cs.virginia.edu Everyday, almost 300 Annual cost of bugs

647 views • 63 slides
Infer A static analyzer for catching bugs before you ship Jules Villard jul@fb.com Facebook

Infer A static analyzer for catching bugs before you ship Jules Villard jul@fb.com Facebook

Infer A static analyzer for catching bugs before you ship Jules Villard jul@fb.com Facebook London github.com/facebook/infer/ Programming is Hard Need to think of ALL possible cases Keep track of all possible values If it can be null, it

1.09k views • 41 slides
Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Prevention: Program Analysis Any automated analysis at compile or dynamic time to find potential bugs

798 views • 61 slides
About Directed Fuzzing and Use-After-Free: How to Find Complex &amp; Silent Bugs? Manh-Dung

About Directed Fuzzing and Use-After-Free: How to Find Complex &amp; Silent Bugs? Manh-Dung

About Directed Fuzzing and Use-After-Free: How to Find Complex &amp; Silent Bugs? Manh-Dung Nguyen, Sbastien Bardin, Matthieu Lemerre (CEA LIST) Richard Bonichon (Tweag I/O) Roland Groz (Universit Grenoble Alpes) #BHUSA @BLACKHATEVENTS

546 views • 44 slides
CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

Datalog CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs Static Analysis Tools Black-box Testing/Fuzzing 2 Coverity: a Static Analysis Company 3 Bug Report From Coverity Actual bug Path

701 views • 59 slides
Fuzzing Clang to find ABI Bugs David Majnemer Whats in an ABI? The size, alignment, etc.

Fuzzing Clang to find ABI Bugs David Majnemer Whats in an ABI? The size, alignment, etc.

Fuzzing Clang to find ABI Bugs David Majnemer Whats in an ABI? The size, alignment, etc. of types Layout of records, RTTI, virtual tables, etc. The decoration of types, functions, etc. To generalize: anything that you need N

632 views • 36 slides
To Type or Not to Type: Quantifying Detectable Bugs in JavaScript Zheng Gao , Christian Bird

To Type or Not to Type: Quantifying Detectable Bugs in JavaScript Zheng Gao , Christian Bird

To Type or Not to Type: Quantifying Detectable Bugs in JavaScript Zheng Gao , Christian Bird , Earl Barr University College London, Microsoft Research Static Typing vs. Dynamic Typing Static Typing vs. Dynamic Typing

807 views • 68 slides
Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Reflections|Projections 2007 Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org Overview of OpenBSD History Berkeley Software Distribution (BSD) First freely distributable BSD was released in June

810 views • 24 slides
Learning to Find Bugs (Work in progress) Michael Pradel TU Darmstadt 1 Joint work with Koushik

Learning to Find Bugs (Work in progress) Michael Pradel TU Darmstadt 1 Joint work with Koushik

Learning to Find Bugs (Work in progress) Michael Pradel TU Darmstadt 1 Joint work with Koushik Sen and Rohan Bavishi Automated Bug Detection Hundreds of bug Thousands of bug detectors patterns One analysis for each Existing bug

647 views • 38 slides
Bugs, au Naturale. % 0 % 0 0 1 0 l 1 a r l a u r t a u t N a N Premkumar

Bugs, au Naturale. % 0 % 0 0 1 0 l 1 a r l a u r t a u t N a N Premkumar

Bugs, au Naturale. % 0 % 0 0 1 0 l 1 a r l a u r t a u t N a N Premkumar Devanbu DECAL Laboratory public class FunctionCall { public static void funct1 () { System.out.println (&quot;Inside funct1&quot;); } University of

548 views • 6 slides
Harry Xu May 2012 Complex, concurrent software Precision (no false positives) Find real bugs in

Harry Xu May 2012 Complex, concurrent software Precision (no false positives) Find real bugs in

Harry Xu May 2012 Complex, concurrent software Precision (no false positives) Find real bugs in real executions Need to modify JVM (e.g., object layout, GC, or ISA-level code) Need to demonstrate realism (usually performance) Otherwise use

1.05k views • 64 slides
BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on

BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on

BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on blood They are reddish-brown in colour An adult bed bug is approximately the size of an apple seed An egg is approximately the size of a

163 views • 15 slides
Examining the Code [Reading assignment: Chapter 6, pp. 91-104] Static white-box testing

Examining the Code [Reading assignment: Chapter 6, pp. 91-104] Static white-box testing

Examining the Code [Reading assignment: Chapter 6, pp. 91-104] Static white-box testing Static white-box testing is the process of carefully and methodically reviewing the software design, architecture, or code for bugs without executing

309 views • 17 slides

More recommend