Mining Fix Patterns for FindBugs Violations
IEEE Transactions on Software Engineering (IF 7.4), Pub Date: 2021-01-01, DOI: 10.1109/tse.2018.2884955
Kui Liu, Dongsun Kim, Tegawende F. Bissyande, Shin Yoo, Yves Le Traon

Several static analysis tools, such as Splint or FindBugs, have been proposed to the software development community to help detect security vulnerabilities or bad programming practices. However, the adoption of these tools is hindered by their high false positive rates. If the false positive rate is too high, developers may become acclimated to the violation reports from these tools, causing concrete and severe bugs to be overlooked. Fortunately, some violations are actually addressed and resolved by developers. We claim that violations that are recurrently fixed are likely to be true positives, and that an automated approach can learn to repair similar unseen violations. However, there is a lack of both a systematic way to investigate the distributions of existing and fixed violations in the wild, which could provide insights into prioritizing violations for developers, and an effective way to mine code and fix patterns, which could help developers easily understand the reasons leading to violations and how to fix them. In this paper, we first collect and track a large number of fixed and unfixed violations across revisions of software. The empirical analyses reveal that there are discrepancies between the distributions of violations that are detected and those that are fixed, in terms of occurrences, spread and categories, which can provide insights into prioritizing violations. To automatically identify patterns in violations and their fixes, we propose an approach that utilizes convolutional neural networks to learn features and clustering to regroup similar instances. We then evaluate the usefulness of the identified fix patterns by applying them to unfixed violations. The results show that developers accept and merge a majority (69/116) of the fixes generated from the inferred fix patterns. It is also noteworthy that the yielded patterns are applicable to four real bugs in the major Defects4J benchmark for software testing and automated repair.

Updated: 2021-01-01