Introduction
The continual expansion of software size and complexity has led to an increased focus on reducing defects and bugs during development. Although Automated Static Analysis Tools (ASATs) offer help, in practice the significant number of false positives can impede developers' productivity and confidence in the tools. Therefore, previous research efforts have explored learning-based methods to validate the reported warnings. Nevertheless, there are still some limitations. (1) The granularity of the previous studies is coarse, since they identify warnings either over a long development history or at the function level, which are not sensitive to bugs and individual warnings. (2) Machine learning-based approaches need much manual effort for feature engineering, while existing deep learning-based approaches ignore key semantics between source code and warnings. (3) The small number of selected projects hinders the comprehensive evaluation of these approaches.
In this paper, we proposed FineWAVE, a fine-grained warning verification approach that is sensitive to bugs, for improving the results of ASATs. Specifically, we design a novel LSTM-based model that captures the fine-grained semantics of both source code and warnings from ASATs and highlights their correlations with cross-attention. To tackle the data scarcity of training and evaluation, we collected a large-scale dataset of 280,273 bug-sensitive warnings, which is ten times larger than the existing largest dataset. Then, we conducted extensive experiments on the dataset to evaluate FineWAVE. The experimental results demonstrate the effectiveness of our approach, with an F1-score of 97.79% for reducing false alarms and 67.06% for confirming actual warnings, which also significantly outperforms all baselines. Moreover, we have applied FineWAVE to filter out about 92% of warnings in two popular real-world projects, and found 25 new bugs with minimal manual effort.
We provided a dataset of 280,273 warnings including 20,100 bug-sensitive warnings constructed from 607,259 commits. This is the largest warning-related dataset to date, ten times larger than the currently largest dataset. We spent 6 months finishing 1,214,518 scanning tasks.
We proposed FineWAVE, a novel neural approach to fine-grained warning verification of bugs for ASATs. We incorporate warning-aware slicing, warning information encoding and cross-attention mechanisms for capturing complex semantics. To the best of our knowledge, we are the first to consider fine-grained warning verification and make it more practical for developers to confirm bugs.
Experiments show that FineWAVE can reduce false alarms with an F1-score of 97.79%, and identify bug-sensitive warnings with an F1-score of 67.06%. Compared to three baselines, FineWAVE can improve precision by 14.74% and F1-score by 12.83%. Moreover, with the help of FineWAVE, we filtered out around 92% of warnings and found 25 new bugs in two popular real-world projects.
Data
New Bug Information