Visible to the public Biblio

Filters: Author is Smith, Justin  [Clear All Filters]
Smith, Justin.  2016.  Identifying Successful Strategies for Resolving Static Analysis Notifications. Proceedings of the 38th International Conference on Software Engineering Companion. :662–664.

Although static analysis tools detect potential code defects early in the development process, they do not fully support developers in resolving those defects. To accurately and efficiently resolve defects, developers must orchestrate several complex tasks, such as determining whether the defect is a false positive and updating the source code without introducing new defects. Without good defect resolution strategies developers may resolve defects erroneously or inefficiently. In this work, I perform a preliminary analysis of the successful and unsuccessful strategies developers use to resolve defects. Based on the successful strategies identified, I then outline a tool to support developers throughout the defect resolution process.

Do, Lisa Nguyen Quang, Ali, Karim, Livshits, Benjamin, Bodden, Eric, Smith, Justin, Murphy-Hill, Emerson.  2017.  Just-in-time Static Analysis. Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis. :307–317.
We present the concept of Just-In-Time (JIT) static analysis that interleaves code development and bug fixing in an integrated development environment. Unlike traditional batch-style analysis tools, a JIT analysis tool presents warnings to code developers over time, providing the most relevant results quickly, and computing less relevant results incrementally later. In this paper, we describe general guidelines for designing JIT analyses. We also present a general recipe for transforming static data-flow analyses to JIT analyses through a concept of layered analysis execution. We illustrate this transformation through CHEETAH, a JIT taint analysis for Android applications. Our empirical evaluation of CHEETAH on real-world applications shows that our approach returns warnings quickly enough to avoid disrupting the normal workflow of developers. This result is confirmed by our user study, in which developers fixed data leaks twice as fast when using CHEETAH compared to an equivalent batch-style analysis.