Static code analyzers are widely used to help find program flaws. In practice, however, the effectiveness and usability of such analyzers are limited by false negatives (FNs) and false positives (FPs). This paper investigates the FNs and FPs of such analyzers from a new perspective: we examine the historical FN and FP issues reported by maintainers, users and researchers in the analyzers' issue repositories. Each of these issues manifested as an FN or FP of an analyzer at some point in its history and has already been confirmed and fixed by the analyzer's developers. To this end, we conduct the first systematic study of a broad range of 350 historical FN/FP issues from three popular static code analyzers (PMD, SpotBugs, and SonarQube). All of these issues have been confirmed and fixed by the developers. We investigated the root causes of these issues and the characteristics of the corresponding issue-triggering programs. The study reveals several new and interesting findings, along with implications for mitigating FNs and FPs. Furthermore, guided by some of our findings, we designed a metamorphic testing strategy to find FNs and FPs. This strategy found 14 new FN/FP issues, 11 of which have been confirmed and 9 of which have already been fixed by the developers. Our further manual investigation of the studied analyzers revealed one rule specification issue and four additional FNs/FPs caused by weaknesses in the implemented static analysis. We have made all artifacts (datasets and tools) publicly available at https://zenodo.org/doi/10.5281/zenodo.11525129.