Automated Static Warning Identification via Path-based Semantic Representation

TL;DR

This paper introduces a deep learning approach that uses control flow graph paths and pre-trained language models to improve static warning identification accuracy by capturing code semantics more effectively.

Contribution

It proposes a novel method employing path-based semantic representations and fine-tuning pre-trained models to enhance false positive classification in static analysis warnings.

Findings

Outperforms state-of-the-art baselines on eight open-source projects.

Effectively captures semantic information from control flow graph paths.

Reduces false positive rates in static warning identification.

Abstract

Despite their ability to aid developers in detecting potential defects early in the software development life cycle, static analysis tools often suffer from precision issues (i.e., high false positive rates of reported alarms). To improve the availability of these tools, many automated warning identification techniques have been proposed to assist developers in classifying false positive alarms. However, existing approaches mainly focus on using hand-engineered features or statement-level abstract syntax tree token sequences to represent the defective code, failing to capture semantics from the reported alarms. To overcome the limitations of traditional approaches, this paper employs deep neural networks' powerful feature extraction and representation abilities to generate code semantics from control flow graph paths for warning identification. The control flow graph abstractly represents the execution process of a given program. Thus, the generated path sequences of the control flow graph can guide the deep neural networks to learn semantic information about the potential defect more accurately. In this paper, we fine-tune the pre-trained language model to encode the path sequences and capture the semantic representations for model building. Finally, this paper conducts extensive experiments on eight open-source projects to verify the effectiveness of the proposed approach by comparing it with the state-of-the-art baselines.