Nguyen Quang Do, Lisa; Ali, Karim; Livshits, Benjamin; Bodden, Eric; Smith, Justin; Murphy-Hill, Emerson
We present the concept of Just-In-Time (JIT) static analysis that
interleaves code development and bug fixing in an integrated development environment. Unlike traditional batch-style analysis tools,
a JIT analysis tool presents warnings to code developers over time,
providing the most relevant results quickly, and computing less relevant results incrementally later. In this paper, we describe general
guidelines for designing JIT analyses. We also present a general
recipe for transforming static data-flow analyses to JIT analyses
through a concept of layered analysis execution. We illustrate this
transformation through Cheetah, a JIT taint analysis for Android
applications. Our empirical evaluation of Cheetah on real-world
applications shows that our approach returns warnings quickly
enough to avoid disrupting the normal workflow of developers.
This result is confirmed by our user study, in which developers
fixed data leaks twice as fast when using Cheetah compared to an
equivalent batch-style analysis.
Proceedings of ISSTA ’17, p.447