THESIS
2022
1 online resource (ix, 51 pages) : illustrations (some color)
Abstract
Static analyzers are commonly adopted to detect software bugs in modern software development.
Upon a software update, the users often focus on the differential parts of static
analysis alarms, namely delta alarms. Although there are several automatic techniques
for classifying delta alarms, their classification results are far from satisfactory, and
the causes and impact of this have not been well investigated in previous research.
In this work, we conduct a comprehensive empirical study of classifying delta alarms
from three industrial-strength static analyzers. Our study reveals that 44.65%
of the studied delta alarms are misclassified by the classifiers within the analyzers. The ineffective
alarm equivalence checking and the instabilities of the analyzers introduce the issues of
redundant alarms and flaky alarms, degrading the effectiveness of the classification and
the usability of static analyzers.
We also propose a systematic approach, DAC, to improve delta alarm classification.
By measuring the similarity of two tokenized alarms, DAC identifies the pre-existing
alarms and avoids redundant alarms. Meanwhile, DAC extracts the subgraph of a program
dependency graph as the witness of an alarm, which supports the recovery of unreported
alarms, effectively resolving the flaky alarm issue. Our experimental results show
that DAC outperforms the other three classifiers in precision, achieving 97.40%, 91.76%,
and 87.46% precision rates on delta alarm classification, respectively.