\documentclass[11pt,a4paper]{scrartcl}
\usepackage{algorithm}
\usepackage{algpseudocode}
\usepackage[utf8]{inputenc}
\usepackage[margin=2.25cm]{geometry}
\usepackage{hyperref}
\usepackage{listings}
\usepackage{xcolor}
\usepackage{lmodern}
\usepackage{booktabs}
\usepackage{multirow}
\usepackage{graphicx}
\usepackage{float}
\usepackage{tikz}
\usepackage{listings}
\usepackage{pgfplots}
\pgfplotsset{compat=1.18}
\usepackage{subcaption}
\setlength{\parindent}{0cm}
\setlength{\parskip}{0.3em}
\hypersetup{pdfborder={0 0 0}}
%\usepackage[nomessages]{fp} no easter eggs this time
\usepackage{amsmath}
\DeclareMathOperator*{\argmax}{arg\,max}
\DeclareMathOperator*{\argmin}{arg\,min}
\usepackage{minted}
\definecolor{codegreen}{rgb}{0,0.6,0}
\definecolor{codegray}{rgb}{0.5,0.5,0.5}
\definecolor{codepurple}{rgb}{0.58,0,0.82}
\definecolor{backcolour}{rgb}{0.95,0.95,0.92}
\lstdefinestyle{mystyle}{
backgroundcolor=\color{backcolour},
commentstyle=\color{codegreen},
keywordstyle=\color{magenta},
keywordstyle=[2]{\color{olive}},
numberstyle=\tiny\color{codegray},
stringstyle=\color{codepurple},
basicstyle=\ttfamily\footnotesize,
breakatwhitespace=false,
breaklines=true,
captionpos=b,
keepspaces=true,
numbers=left,
numbersep=5pt,
showspaces=false,
showstringspaces=false,
showtabs=false,
tabsize=2,
aboveskip=0.8em,
belowcaptionskip=0.8em
}
\lstset{style=mystyle}
\geometry{left=2cm,right=2cm,top=2cm,bottom=3cm}
\title{
\vspace{-5ex}
Assignment 1 -- Software Analysis \\\vspace{0.5cm}
\Large Static Analysis with Infer
\vspace{-1ex}
}
\author{Claudio Maggioni}
\date{\vspace{-3ex}}
\begin{document}
\maketitle
\section{Project selection}
Given that this assignment draws parallels with last semester's Software Design
and Modelling class, specifically regarding static analyzers, I choose to
analyze with Infer\footnote{\url{https://fbinfer.com/}} the same project I
analyzed in the past with PMD and SonarQube, to make
for an interesting comparison between static analysis paradigms.
The project I analyze is therefore
\href{https://github.com/apache/commons-lang}{\textbf{apache/commons-lang}}.
\subsection{The Apache Commons Lang Project}
The Apache Commons family of libraries is an Apache Software
Foundation\footnote{\url{https://apache.org/}} sponsored collection of Java
libraries designed to complement the standard libraries of Java. The Apache
Commons Lang project focuses on classes that would have fitted in the
\textit{java.lang} package if they were included with Java.
All the source and test classes are contained within the package
\textit{org.apache.commons.lang3} or in a sub-package of that package. For the
sake of brevity, this prefix is omitted from now on when mentioning packages and
classes in the project.
I choose to analyze version 3.12.0 of the library (i.e.\ the code under the
\textit{git} tag \textit{rel/commons-lang-3.12.0}) because it is the same
version analyzed during the SDM class.
To verify that the project satisfies the 5000 lines of code requirement, I run
the \textit{cloc} tool. Results are shown in table \ref{tab:cloc}. Given the
project has more than 118,000 lines of code, this requirement is satisfied.
\begin{table}[ht]
\centering
\begin{tabular}{lrrrr}
\toprule
Language & Files & Blank & Comment & Code \\
\midrule
Java & 409 & 15,790 & 60,363 & 86,056 \\
HTML & 22 & 1,015 & 100 & 13,028 \\
Text & 30 & 1,858 & 0 & 12,415 \\
XML & 38 & 434 & 539 & 4,819 \\
Maven & 1 & 31 & 37 & 940 \\
JavaScript & 5 & 21 & 78 & 698 \\
Markdown & 3 & 38 & 0 & 202 \\
CSS & 4 & 36 & 66 & 140 \\
Velocity Template Language & 1 & 23 & 31 & 90 \\
Groovy & 1 & 12 & 22 & 81 \\
YAML & 3 & 12 & 42 & 55 \\
Bourne Shell & 1 & 0 & 2 & 2 \\
\midrule
Total & 518 & 19,270 & 61,280 & 118,526 \\
\bottomrule
\end{tabular}
\caption{Output of the \textit{cloc} tool for the Apache Commons Lang project at
tag \textit{rel/commons-lang-3.12.0} (before fixes are applied).}
\label{tab:cloc}
\end{table}
\section{Running the Infer tool}
The relevant source code to analyze has been copied to the directory
\textit{before} in the assignment repository
\begin{center}
\href{https://gitlab.com/usi-si-teaching/msde/2022-2023/software-analysis/maggioni/assignment-2}{\textit{usi-si-teaching/msde/2022-2023/software-analysis/maggioni/assignment-2}}
\end{center}
on \textit{gitlab.com}. The script \textit{docker-infer.sh} can be run to
automatically execute the Infer tool with default options through the course
tools Docker image \textit{bugcounting/satools:y23}. The analysis outputs
are located in \textit{before/infer-out/report.txt}.
\section{Results}
Table \ref{tab:infer} shows the results of the analysis performed by Infer,
with comments on true and false positives and the actions taken for each
result.
In total
\begin{table}[]
\small
\begin{tabular}{@{}llp{1.2cm}p{0.8cm}p{6cm}@{}}
\toprule
\textbf{File} & \textbf{Line} & \textbf{Kind} & \textbf{True Pos.} &
\textbf{Comment} \\ \midrule
AnnotationUtils.java & 72 & Null & Yes & -- \\
reflect/MethodUtils.java & 486 & Null & Yes & -- \\
reflect/FieldUtils.java & 126 & Null & Yes & -- \\
concurrent/MultiBackgroundInitializer.java & 160 & Thread Safety & Yes & -- \\
\midrule
builder/ToStringBuilder.java & 223 & Null & ?? & \multirow{2}{6cm}{??} \\
builder/ReflectionToStringBuilder.java & 131 & Null & No & \\
\midrule
time/DurationUtils.java & 142 & Null & No & The method which may return a null
value returns a non-null value if its parameter is non-null, and a
non-null parameter is given \\
\midrule
CharSetUtils.java & 181 & Null & No & According to \textit{java.lang} documentation, the
method always returns a non-null value \\
\midrule
reflect/FieldUtils.java & 341 & Null & No &
\multirow{4}{6cm}{A utility method guards the reported dereference by
throwing an exception} \\
reflect/FieldUtils.java & 385 & Null & No & \\
reflect/FieldUtils.java & 599 & Null & No & \\
reflect/FieldUtils.java & 644 & Null & No & \\
\midrule
reflect/MethodUtils.java & 987 & Null & No & The method which may return a null
value returns a non-null value if its parameter is non-null, and a
non-null parameter is always given according to the \textit{java.lang}
documentation for the inner nested method \\ \bottomrule
\end{tabular}
\caption{Results of the Infer static analysis tool execution with default
options. \textit{True Pos.} denotes whether a result is a true positive.
In the \textit{Kind} column, \textit{Null} denotes a null dereference issue
and \textit{Thread Safety} a thread safety violation.}
\label{tab:infer}
\end{table}
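The two recurring false-positive shapes in table \ref{tab:infer}, a dereference guarded by a utility method that throws and a method that returns null only for a null argument, look as follows in Java. This is an added example, not code from Apache Commons Lang or from the assignment repository; the class and method names (GuardedDereference, requireNonNull, lookup, trimOrNull) are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed example: hypothetical names, not Apache Commons Lang source.
public class GuardedDereference {
    private static final Map<String, String> FIELDS = new HashMap<>();

    // May return null: Map.get yields null for a missing key.
    static String lookup(String name) {
        return FIELDS.get(name);
    }

    // Utility guard: throws instead of letting a null value flow onward.
    static <T> T requireNonNull(T value, String message) {
        if (value == null) {
            throw new IllegalArgumentException(message);
        }
        return value;
    }

    // Shape 1: the dereference is reachable only if the guard did not throw,
    // so a null-dereference report on value.length() would be a false positive.
    static int guardedLength(String name) {
        String value = lookup(name);
        requireNonNull(value, "unknown field: " + name);
        return value.length();
    }

    // Returns null only when its argument is null.
    static String trimOrNull(String s) {
        return s == null ? null : s.trim();
    }

    // Shape 2: the argument is a non-null literal, so the result is non-null.
    static int lengthOfLiteral() {
        return trimOrNull("  infer  ").length();
    }

    public static void main(String[] args) {
        FIELDS.put("id", "42");
        System.out.println(guardedLength("id"));
        System.out.println(lengthOfLiteral());
        try {
            guardedLength("missing"); // guard throws before any dereference
        } catch (IllegalArgumentException e) {
            System.out.println("guard threw: " + e.getMessage());
        }
    }
}
```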
\end{document}