STATIC 2025

The 1st International Workshop on Advancing Static Analysis for Researchers and Industry Practitioners in Software Engineering.

Program Tuesday, 29th April

Static analysis examines software without executing the code to detect defects, security vulnerabilities, code smells, etc. It is paramount for early bug detection, improving code quality, and enhancing security. By proactively identifying defects before code is executed, static analysis helps maintain robust and maintainable software. Static analysis has been a fundamental practice for many years, for both researchers in software engineering and security and for practitioners:

• Researchers: improving existing techniques and devising new methodologies to enhance software quality and security.
• Practitioners: supporting software development and DevOps by integrating static analysis tools into CI/CD pipelines.

However, while static analysis is powerful, it is inherently limited: any non-trivial semantic property of a program—a category that includes the targets of all but the simplest static analysis—is undecidable: all static analyses must either over-approximate the possible behaviors of the target program and so produce false positive warnings about problems that might not occur in practice, under-approximate the possible behaviors of the program and miss real problems, or both. These limitations present significant research challenges, driving the need for more advanced techniques and tools to improve precision (the percentage of warnings that are about real problems) and recall (the percentage of real problems about which an analysis warns). Besides, the rise of multi-language programs and the heavy use of frameworks and libraries in modern software development have introduced additional complexities for static analysis. Therefore, static analysis tools must now also handle the intricacies of different languages and framework-specific contexts, which create research problems and necessitate more advanced and sophisticated techniques to ensure comprehensive analyses.

STATIC promotes discussion on how the choices of program analysis designers impact the software engineers who actually use the tools. There is fertile ground for discussion of the practical limitations of various analysis backends/techniques, and whether there are lessons that we can share for alleviating some of the pain that those limitations cause for engineers. Some topics along this vein include (1) handling of libraries, (2) specification techniques, (3) aliasing, (4) error reporting, (5) analysis predictability, (6) entrypoint specification, and (7) integrations with build systems.

Furthermore, recent advances in artificial intelligence (AI) bring new questions to the field of static analysis: should we rely solely on traditional static analysis methods or explore combining them with AI to improve their efficiency? Large Language Models (LLMs) push us to reflect on traditional topics such as static analysis. Do they need to complement each other? We require sound analysis, but can LLMs provide the necessary soundness? This intersection brings us to consider whether AI can enhance or even transform the effectiveness of static analysis.

The goal of the workshop is to build a community at ICSE around static analysis. This workshop aims to be the premier venue for researchers to discuss static analysis techniques and their application to solving concrete software engineering problems.

Target Audience

The workshop is designed for software engineers and researchers that have a background in static analysis. The audience should have a basic understanding of static analysis principles and techniques, as the workshop will build on these to explore more advanced topics and practical applications.

The core objective of this workshop is to foster a collaborative environment where both researchers and industry practitioners can brainstorm about the current and upcoming challenges in static analysis. Our goal is twofold: (1) to foster research efforts towards solving specific unresolved challenges; and (2) to bridge the gap between research and practical application by addressing industry needs. Practitioners are particularly welcome to provide insights into the most valuable tools and techniques currently in use in the industry and their needs.

The workshop is sponsored by ACM SIGSOFT and IEEE-CS TCSE.