A 2002 NIST study estimates that software bugs cost the U.S. economy $60 billion annually. Studies have shown that the longer a bug remains in a program, the more expensive it is to fix. For these reasons, techniques to find bugs before they become part of released software is an important problem.
Static analysis has become a popular technique for finding bugs in recent years. Using analysis techniques originally developed for compilers, a static analyzer examines a program's code in order to construct an approximation of its runtime behavior. If the approximation includes states that indicate erroneous runtime behavior---a potential bug---a warning is issued to the user. Because static analysis is inexpensive to perform and can inspect a large number of possible paths through a program, it can be a useful complement to more widely used bug-finding techniques, such as code inspection and testing.
In the talk I will describe my work on the FindBugs tool. FindBugs is a static bug-finder for Java programs. Using simple static analysis techniques, FindBugs has found thousands of serious bugs in widely used software artifacts, such as the core Java libraries and the Eclipse IDE. I will also describe work which combines the results of static analysis and unit testing in order to estimate the accuracy and completeness of static analysis for several kinds of bugs. This work led to several improvements to the FindBugs tool, and also provides insight on when "deep" static analysis is needed to effectively find bugs and when simpler techniques are sufficient.