DOI: 10.1109/ISSRE.2004.1
Article

A Comparison of Bug Finding Tools for Java

Published: 02 November 2004

Abstract

Bugs in software are costly and difficult to find and fix. In recent years, many tools and techniques have been developed for automatically finding bugs by analyzing source code or intermediate code statically (at compile time). Different tools and techniques have different tradeoffs, but the practical impact of these tradeoffs is not well understood. In this paper, we apply five bug finding tools, specifically Bandera, ESC/Java 2, FindBugs, JLint, and PMD, to a variety of Java programs. By using a variety of tools, we are able to cross-check their bug reports and warnings. Our experimental results show that none of the tools strictly subsumes another, and indeed the tools often find non-overlapping bugs. We discuss the techniques each of the tools is based on, and we suggest how particular techniques affect the output of the tools. Finally, we propose a meta-tool that combines the output of the tools together, looking for particular lines of code, methods, and classes that many tools warn about.

Reviews

Andrew Brooks

Static analysis tools hold great potential in software quality assurance, but how effective are they? Five Java bug finding tools (Bandera, ESC/Java, FindBugs, Jlint, and PMD) were applied to five programs that ranged in size from around 8,000 to 55,000 lines of code. The tools often generated well over 1,000 warnings on any one program, so the authors decided to manually examine several dozen warnings only. Their analysis revealed that there was a wide variation in the warnings provided by the tools, that some warnings were not about real defects (false positives), and that a single bug can create a cascade of warnings. Given the absence of a single best bug finding tool, the authors propose two metrics: the normalized warning count, and the unique warning total, measured at an individual Java class level across the output from several bug finding tools. Metric results for the poorest performing classes (Figure 10) suggest that classes with an unusually high warning count tend also to have a larger breadth of unique warnings. These results, however, do not fully have proof-of-concept value since no analysis was undertaken to match the real defects present in the code with the warnings reported by the tools. This paper serves as a useful introduction to static analysis tools for Java, and makes several recommendations to improve these tools, whose usefulness is severely compromised by the sheer volume of warnings. As such, this paper is strongly recommended to those using and researching static analysis tools.

Online Computing Reviews Service


Published In

ISSRE '04: Proceedings of the 15th International Symposium on Software Reliability Engineering
November 2004
441 pages
ISBN: 0769522157

Publisher

IEEE Computer Society

United States

Cited By

  • (2024) Toward Declarative Auditing of Java Software for Graceful Exception Handling. Proceedings of the 21st ACM SIGPLAN International Conference on Managed Programming Languages and Runtimes, pp. 90-97. DOI: 10.1145/3679007.3685057. Online publication date: 13-Sep-2024
  • (2024) Studying the impact of risk assessment analytics on risk awareness and code review performance. Empirical Software Engineering 29:2. DOI: 10.1007/s10664-024-10443-x. Online publication date: 17-Feb-2024
  • (2023) WHIP. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 6079-6096. DOI: 10.5555/3620237.3620577. Online publication date: 9-Aug-2023
  • (2023) A Comprehensive Study on Quality Assurance Tools for Java. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 285-297. DOI: 10.1145/3597926.3598056. Online publication date: 12-Jul-2023
  • (2023) Mitigating False Positive Static Analysis Warnings: Progress, Challenges, and Opportunities. IEEE Transactions on Software Engineering 49:12, pp. 5154-5188. DOI: 10.1109/TSE.2023.3329667. Online publication date: 1-Dec-2023
  • (2022) Are Neural Bug Detectors Comparable to Software Developers on Variable Misuse Bugs? Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, pp. 1-12. DOI: 10.1145/3551349.3561156. Online publication date: 10-Oct-2022
  • (2022) Understanding the How and the Why. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 1141-1155. DOI: 10.1145/3548606.3560569. Online publication date: 7-Nov-2022
  • (2022) Detecting false alarms from automatic static analysis tools. Proceedings of the 44th International Conference on Software Engineering, pp. 698-709. DOI: 10.1145/3510003.3510214. Online publication date: 21-May-2022
  • (2022) Crystalline: Lowering the Cost for Developers to Collect and Organize Information for Decision Making. Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems, pp. 1-16. DOI: 10.1145/3491102.3501968. Online publication date: 29-Apr-2022
  • (2022) Hyperstyle. Proceedings of the 53rd ACM Technical Symposium on Computer Science Education - Volume 1, pp. 307-313. DOI: 10.1145/3478431.3499294. Online publication date: 22-Feb-2022
