TY - GEN
T1 - Evaluating and Improving Static Analysis Tools Via Differential Mutation Analysis
AU - Groce, Alex
AU - Ahmed, Iftekhar
AU - Feist, Josselin
AU - Grieco, Gustavo
AU - Gesi, Jiri
AU - Meidani, Mehran
AU - Chen, Qihong
N1 - Publisher Copyright:
© 2021 IEEE.
PY - 2021
Y1 - 2021
N2 - Static analysis tools attempt to detect faults in code without executing it. Understanding the strengths and weaknesses of such tools, and performing direct comparisons of their effectiveness, is difficult, involving either manual examination of differing warnings on real code, or the bias-prone construction of artificial test cases. This paper proposes a novel automated approach to comparing static analysis tools, based on producing mutants of real code, and comparing detection rates over these mutants. In addition to making tool differences quantitatively observable without extensive manual effort, this approach offers a new way to detect and fix omissions in a static analysis tool's set of detectors. We present an extensive comparison of three smart contract static analysis tools, and show how our approach allowed us to add three effective new detectors to the best of these. We also evaluate popular Java and Python static analysis tools and discuss their strengths and weaknesses.
KW - mutation testing
KW - smart contracts
KW - static analysis
UR - http://www.scopus.com/inward/record.url?scp=85145454183&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85145454183&partnerID=8YFLogxK
U2 - 10.1109/QRS54544.2021.00032
DO - 10.1109/QRS54544.2021.00032
M3 - Conference contribution
AN - SCOPUS:85145454183
T3 - IEEE International Conference on Software Quality, Reliability and Security, QRS
SP - 207
EP - 218
BT - Proceedings - 2021 21st International Conference on Software Quality, Reliability and Security, QRS 2021
PB - Institute of Electrical and Electronics Engineers
T2 - 21st International Conference on Software Quality, Reliability and Security, QRS 2021
Y2 - 6 December 2021 through 10 December 2021
ER -
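The abstract describes the method only at a high level. The Python block below is an added example written for this page, not code from the paper or its authors, that carries the approach through on a constructed input: a regex-based single-point mutant generator, two constructed toy "static analyzers" (`tool_a` and `tool_b`, each with one detector; both are assumptions), per-tool detection rates over the mutants, and the set of mutants only one tool catches, which is the signal the abstract says can expose detectors the other tool is missing. A mutant counts as detected by a tool when the tool reports a warning on the mutant that it did not report on the unmutated code; that definition is this example's and is not stated by the record above.

```python
"""Differential mutation analysis of static analysis tools (added toy example).

Example code written for this page, not the paper's or its authors' tooling.
The program under analysis, the mutation operators and the two "tools"
(tool_a, tool_b) are all constructed here so the script runs offline.
"""
import ast
import re
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample program under analysis (not from the paper).
ORIGINAL = """
def withdraw(balances, user, amount):
    if balances[user] >= amount:
        balances[user] = balances[user] - amount
        return True
    return False
"""

# Regex mutation operators: each match of a pattern yields one single-point mutant.
OPERATORS: List[Tuple[str, str]] = [
    (r">=", ">"),                      # boundary change
    (r">=", "<="),                     # relational operator swap
    (r" - ", " + "),                   # arithmetic operator swap
    (r"return True", "return False"),  # constant swap
    (r"if ", "if not "),               # condition negation
]

Tool = Callable[[str], Set[str]]


def generate_mutants(source: str) -> List[Tuple[str, str]]:
    """Return (label, mutated_source) for every compilable single-point mutant."""
    mutants = []
    for pattern, repl in OPERATORS:
        for m in re.finditer(pattern, source):
            mutated = source[:m.start()] + repl + source[m.end():]
            try:
                compile(mutated, "<mutant>", "exec")  # drop mutants that do not parse
            except SyntaxError:
                continue
            mutants.append((f"{pattern!r}->{repl!r}@{m.start()}", mutated))
    return mutants


def tool_a(source: str) -> Set[str]:
    """Constructed tool A: one detector, `not` applied directly to a comparison."""
    warnings = set()
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not)
                and isinstance(node.operand, ast.Compare)):
            warnings.add(f"negated-comparison:L{node.lineno}")
    return warnings


def tool_b(source: str) -> Set[str]:
    """Constructed tool B: one detector, a function whose every return is the same constant."""
    warnings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            rets = [r for r in ast.walk(node) if isinstance(r, ast.Return)]
            consts = [r.value.value for r in rets if isinstance(r.value, ast.Constant)]
            if rets and len(consts) == len(rets) and len(set(consts)) == 1:
                warnings.add(f"constant-return:{node.name}")
    return warnings


TOOLS: Dict[str, Tool] = {"A": tool_a, "B": tool_b}


def differential_analysis(source: str, tools: Dict[str, Tool]):
    """Run every tool on the original and on each mutant.

    A mutant is detected by a tool when the tool emits a warning on the mutant
    that it did not emit on the unmutated source (this example's definition).
    Returns (detection rate per tool, detected mutant labels per tool, mutant count).
    """
    mutants = generate_mutants(source)
    baseline = {name: tool(source) for name, tool in tools.items()}
    detected: Dict[str, Set[str]] = {name: set() for name in tools}
    for label, mutated in mutants:
        for name, tool in tools.items():
            if tool(mutated) - baseline[name]:
                detected[name].add(label)
    n = len(mutants)
    rates = {name: (len(hits) / n if n else 0.0) for name, hits in detected.items()}
    return rates, detected, n


def unique_detections(detected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Mutants each tool catches that no other tool catches: the candidates for
    detectors the other tools are missing."""
    return {name: hits - set().union(*(h for n, h in detected.items() if n != name))
            for name, hits in detected.items()}


if __name__ == "__main__":
    rates, detected, n = differential_analysis(ORIGINAL, TOOLS)
    print(f"{n} mutants; detection rates: {rates}")
    for name, only in unique_detections(detected).items():
        print(f"only {name} detects: {sorted(only)}")
    caught = set().union(*detected.values())
    print(f"undetected by every tool: {n - len(caught)}")
```

On this input both tools score the same rate, which is exactly the situation the abstract warns is uninformative on its own; the per-tool unique sets are what separate them: tool A alone catches the negated condition, tool B alone catches the constant-return mutant, and the three semantic mutants (boundary, relational and arithmetic swaps) are missed by both, which is the kind of gap that would prompt writing a new detector or falling back to dynamic testing.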