Debugging Static Analysis

Lisa Nguyen Quang Do, Stefan Krüger, Patrick Hill, Karim Ali, Eric Bodden

Research output: Contribution to journalArticlepeer-review


Static analysis is increasingly used by companies and individual code developers to detect and fix bugs and security vulnerabilities. As programs grow more complex, the analyses have to support new code concepts, frameworks and libraries. However, static-analysis code itself is also prone to bugs. While more complex analyses are written and used in production systems every day, the cost of debugging and fixing them also increases tremendously. To understand the difficulties of debugging static analysis, we surveyed 115 static-analysis writers. From their responses, we determined the core requirements to build a debugger for static analyses, which revolve around two main issues: abstracting from both the analysis code and the code it analyses at the same time, and tracking the analysis internal state throughout both code bases. Most tools used by our survey participants lack the capabilities to address both issues. Focusing on those requirements, we introduce Visuflow, a debugging environment for static data-flow analysis. Visuflow features graph visualizations and custom breakpoints that enable users to view the state of an analysis at any time. In a user study on 20 static-analysis writers, Visuflow helped identify 25 and fix 50 percent more errors in the analysis code compared to the standard Eclipse debugging environment.

Original languageEnglish (US)
Article number8453858
Pages (from-to)697-709
Number of pages13
JournalIEEE Transactions on Software Engineering
Issue number7
StatePublished - Jul 1 2020


  • development tools
  • graphical environments
  • integrated environments
  • program analysis
  • Testing and debugging
  • usability testing

ASJC Scopus subject areas

  • Software


Dive into the research topics of 'Debugging Static Analysis'. Together they form a unique fingerprint.

Cite this