Reducing False Positives in Static Bug Detection with LLMs: An Empirical Study in Industry

TL;DR

This study empirically evaluates the effectiveness of large language models in reducing false positives generated by static analysis tools in industrial software, demonstrating significant improvements and cost savings.

Contribution

First comprehensive empirical analysis of LLM-based false alarm reduction techniques in an industrial setting, specifically at Tencent, with real-world data and developer insights.

Findings

LLMs can eliminate 94-98% of false positives in industrial static analysis.

LLM-based methods are highly cost-effective, reducing manual inspection time significantly.

False positives in industrial static analysis demand substantial manual effort, which LLMs can substantially reduce.

Abstract

Static analysis tools (SATs) are widely adopted in both academia and industry for improving software quality, yet their practical use is often hindered by high false positive rates, especially in large-scale enterprise systems. These false alarms demand substantial manual inspection, creating severe inefficiencies in industrial code review. While recent work has demonstrated the potential of large language models (LLMs) for false alarm reduction on open-source benchmarks, their effectiveness in real-world enterprise settings remains unclear. To bridge this gap, we conduct the first comprehensive empirical study of diverse LLM-based false alarm reduction techniques in an industrial context at Tencent, one of the largest IT companies in China. Using data from Tencent's enterprise-customized SAT on its large-scale Advertising and Marketing Services software, we construct a dataset of 433 alarms (328 false positives, 105 true positives) covering three common bug types. Through interviewing developers and analyzing the data, our results highlight the prevalence of false positives, which wastes substantial manual effort (e.g., 10-20 minutes of manual inspection per alarm). Meanwhile, our results show the huge potential of LLMs for reducing false alarms in industrial settings (e.g., hybrid techniques of LLM and static analysis eliminate 94-98% of false positives with high recall). Furthermore, LLM-based techniques are cost-effective, with per-alarm costs as low as 2.1-109.5 seconds and $0.0011-$0.12, representing orders-of-magnitude savings compared to manual review. Finally, our case analysis further identifies key limitations of LLM-based false alarm reduction in industrial settings.