Which Defect Should Be Fixed First? Semantic Prioritization of Static Analysis Report

摘要

The usability of static analyzers is plagued by excessive false alarms. It is laborious yet error-prone to manually examine the spurious-ness of defect reports. Moreover, the inability to preclude overwhelming false alarms deters user's confidence on such tools and severely limits their adoption in development cycles. In this paper, we propose a semantic approach for prioritizing defect reports emitted by static analysis. Our approach evaluates the importance of defect reports by their fatality and priorities defects by their affection to critical functions. Compared to the existing approaches that prioritize defect reports by analyzing external attributes, ours substantially utilizes semantic information derived by static analysis to measure the severity of defect reports more precisely. We have implemented a prototype which is evaluated to real-world code bases, and the results show that our approach can effectively evaluate the severity of defects.