Why don't software developers use static analysis tools to find bugs?

Proceedings - International Conference on Software Engineering

Volumn , Issue , 2013, Pages 672-681

  Johnson, Brittany ^a   Song, Yoonki ^a   Murphy Hill, Emerson ^a   Bowdidge, Robert ^b  

^a NORTH CAROLINA STATE UNIVERSITY   (United States)

^b GOOGLE INC   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CODE INSPECTIONS; FALSE POSITIVE; MANUAL INSPECTION; SOFTWARE DEFECTS; SOFTWARE DEVELOPER;

DEFECTS; PROGRAM DEBUGGING; SOFTWARE ENGINEERING; TOOLS;

STATIC ANALYSIS;

EID: 84886386212     PISSN: 02705257     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ICSE.2013.6606613     Document Type: Conference Paper

References (39)

1. L. C. Briand, W. M. Thomas, and C. J. Hetmanski, "Modeling and managing risk early in software development," in Proc. ICSE, 1993, pp. 55-65.
2. N. Nagappan and T. Ball, "Static analysis tools as early indicators of pre-release defect density," in Proc. ICSE, 2005, pp. 580-586.
3. M. Gegick and L. Williams, "Towards the use of automated static analysis alerts for early identification of vulnerability-and attack-prone components," in Proc. ICIMP, 2007, pp. 18-23.
4. "IntelliJ IDEA," http://www.jetbrains.com/idea/.
5. "FindBugs," http://findbugs.sourceforge.net.
6. N. Ayewah, D. Hovemeyer, J. D. Morgenthaler, J. Penix, and W. Pugh, "Using Static Analysis to Find Bugs," IEEE Softw., vol. 25, no. 5, pp. 22-29, 2008.
7. "Eclipse," http://www.eclipse.org/.
8. "NetBeans," http://www.netbeans.org/.
9. N. Ayewah and W. Pugh, "The Google FindBugs Fixit," in Proc. ISSTA, 2010, pp. 241-252.
10. A. Bessey, D. Engler, K. Block, B. Chelf, A. Chou, B. Fulton, S. Hallem, C. Henri-Gros, A. Kamsky, and S. McPeak, "A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World," Commun. ACM, vol. 53, no. 2, pp. 66-75, 2010.
11. Y. P. Khoo, J. S. Foster, M. Hicks, and V. Sazawal, "Path projection for user-centered static analysis tools," in Proc. PASTE, 2008, pp. 57-63.
12. S. C. Johnson, "Lint, a C Program Checker," Bell Laboratories, Tech. Rep., 1978.
13. "PMD," http://pmd.sourceforge.net/.
14. B. Chess and J. West, Secure Programming with Static Analysis. Addison-Wesley Professional, 2007.
15. K. Vorobyov and P. Krishna, "Comparing Model Checking and Static Program Analysis: A Case Study in Error Detection Approaches," in Proc. SSV, 2010, pp. 1-7.
16. M. Dastani, "The role of visual perception in data visualization," Journal of Visual Languages and Computing, vol. 13, no. 6, pp. 601-622, 2002.
17. N. Ayewah and W. Pugh, "A report on a survey and study of static analysis users," in Proc. DEFECTS, 2008, pp. 1-5.
18. S. Heckman and L. Williams, "On Establishing a Benchmark for Evaluating Static Analysis Alert Prioritization and Classification Techniques," in Proc. ESEM, 2008, pp. 41-50.
19. L. Layman, L. Williams, and R. St. Amant, "Toward reducing fault fix time: Understanding developer behavior for the design of automated fault detection tools," in Proc. ESEM, 2007, pp. 176-185.
20. "Jtest," http://www.parasoft.com/jsp/products/jtest.jsp.
21. "Klocwork Insight," http://www.klocwork.com/products/insight.
22. "Microsoft Visual Studio," http://www.microsoft.com/ visualstudio/.
23. "Google CodePro AnalytiX," http://code.google.com/javadevtools/ codepro.
24. S. Hove and B. Anda, "Experiences from Conducting Semi-structured Interviews in Empirical Software Engineering Research," in Proc. METRICS, 2005, pp. 1-10.
25. B. Johnson, "A Study on Improving Static Analysis Tools: Why are we not using them?" in Proc. ICSE, Student Research Competition, 2012.
26. T. Robertson, S. Prabhakararao, M. Burnett, C. Cook, J. Ruthruff, L. Beckwith, and A. Phalgune, "Impact of interruption style on enduser debugging," in Proc. CHI, 2004, pp. 287-294.
27. J. Gluck, A. Bunt, and J. McGrenere, "Impact of interruption style on end-user debugging," in Proc. CHI, 2007, pp. 41-50.
28. C. H. Lewis, "Using the "Thinking Aloud" Method In Cognitive Interface Design," IBM, Tech. Rep. RC-9265, 1982.
29. "log4j," http://logging.apache.org/log4j/.
30. "ANT," http://ant.apache.org/.
31. C. Spinuzzi, "The Methodology of Participatory Design," Technical Commun., vol. 52, no. 2, pp. 163-174, 2005.
32. R. Gordon, "Coding interview responses," in Basic Interviewing Skills. Waveland Pr Inc., 1998, pp. 183-199.
33. H. Shen, J. Fang, and J. Zhao, "EFindBugs: Effective error ranking for findbugs," in Proc. ICST, 2011, pp. 299-308.
34. "FindBugs Cloud Storage," http://findbugs.sourceforge.net/ findbugs2. html#cloud.
35. E. Murphy-Hill and A. P. Black, "Refactoring Tools: Fitness for Purpose," IEEE Softw., vol. 25, no. 5, pp. 38-44, 2008.
36. B. Oberg and D. Notkin, "Error reporting with graduated color," IEEE Softw., vol. 9, no. 6, pp. 33-38, 1992.
37. E. Murphy-Hill and A. P. Black, "An Interactive Ambient Visualization for Code Smells," in Proc. SoftVis, 2010, pp. 5-14.
38. "Threats to Construct Validity," http://www. socialresearchmethods.net/kb/consthre.php.
39. M. Kersten and G. C. Murphy, "Mylar: a degree-of-interest model for IDEs," in Proc. AOSD, 2005, pp. 159-168.