WANG Qiu-Zhen

DOI: https://doi.org/10.3785/j.issn.1008-942x.2005.04.012

2005-01-01

Abstract:Estimating the effort to develop a software system is an important project management concern. There are a number of different effort estimation techniques currently in use in the software industry. They fall into three general categories: expert judgment-based techniques, algorithmic model-based techniques and learning-oriented techniques. Expert judgment-based techniques are the techniques in most frequent use. They are useful in the absence of quantified, empirical data. However, ″intuitive″ processes constitute a major part of the expert estimation. It is difficult to articulate the estimation process and achieve organizational learning. Algorithmic model-based techniques attempt to represent the relationship between effort and one or more project characteristics. The existing algorithmic models, however, fail to produce accurate estimates of the development effort. There are four main disadvantages with these models. First, there is the problem of software sizing. Obtaining consistent size estimates and interpreting such estimates require high skill levels and good judgment. Secondly, there is the issue of historical data. Researchers have proposed models based on site-specific historical data, so these models can't be applied to local development circumstances. Thirdly, the dominant method of data analysis has been in linear regression. A good regression model needs a relatively large dataset which can be a problem in the software estimation field. Furthermore, the underlying assumptions of regression analysis are often questionable. Finally, many models estimate the effort for the later stages of the development process but almost ignore the early stages. Learning-oriented techniques are based on artificial intelligence techniques. Learning-oriented techniques don't require any function form assumption, as opposed to algorithmic models and they are good at modeling complex non-linear relationships. The performance of the learning-oriented techniques is to a large degree dependent on the large dataset for training or analogy. Each of the existing techniques for effort estimation has its advantages and disadvantages. No single technique is best for all situations, and all techniques are challenged by the rapid pace of change in the software technology. In order to improve estimation accuracy, a software development organization should: (1) select proper estimation techniques according to specific project characteristics and information availability; (2) combine more estimation techniques to improve effort estimates; (3) adapt algorithmic models to local circumstances; (4) develop their own store of projects; (5) estimate the effort for the whole development process, considering the effort of the early stages sufficiently.

Markus Borg,José-Luis de la Vara,Krzysztof Wnuk

DOI: https://doi.org/10.48550/arXiv.1605.07105

2016-05-24

Abstract:Safety standards prescribe change impact analysis (CIA) during evolution of safety-critical software systems. Although CIA is a fundamental activity, there is a lack of empirical studies about how it is performed in practice. We present a case study on CIA in the context of an evolving automation system, based on 14 interviews in Sweden and India. Our analysis suggests that engineers on average spend 50-100 hours on CIA per year, but the effort varies considerably with the phases of projects. Also, the respondents presented different connotations to CIA and perceived the importance of CIA differently. We report the most pressing CIA challenges, and several ideas on how to support future CIA. However, we show that measuring the effect of such improvement solutions is non-trivial, as CIA is intertwined with other development activities. While this paper only reports preliminary results, our work contributes empirical insights into practical CIA.

Software Engineering

Dhikra Kchaou,Nadia Bouassida,Hanêne Ben-Abdallah

DOI: https://doi.org/10.1049/iet-sen.2015.0113

2017-02-01

IET Software

Abstract:Given the inevitable software evolution, change impact analysis (CIA) is a vital activity in the software development life cycle. Existing CIA methods either focus on one model produced during one development phase or ignore the semantic dependencies among the various models produced throughout the development phases. The herein proposed CIA method overcomes this limit by exploiting the structural and semantic dependencies within and inter‐UML diagrams. It uses a graph technique to model the structural dependencies and an information retrieval (IR) technique to handle the semantic traceability between the use case documentation and the sequence diagrams. To identify the most appropriate IR technique to the CIA context, the authors present a quantitative experimentation of term frequency‐inverse document frequency and latent semantic indexing (LSI), two widely used IR techniques. In addition, to evaluate the overall performance of their method, they present an evaluation performed on changes in the open source system JHotDraw 7.4.1 compared with its 7.5.1 version and changes performed on a real existing application. Using LSI, their method achieves an average precision of 84% and a recall of 91% in the requirements CIA and management.

computer science, software engineering

Markus Borg,Emil Alégroth,Per Runeson

DOI: https://doi.org/10.48550/arXiv.1703.01897

2017-03-06

Abstract:Software engineers working in large projects must navigate complex information landscapes. Change Impact Analysis (CIA) is a task that relies on engineers' successful information seeking in databases storing, e.g., source code, requirements, design descriptions, and test case specifications. Several previous approaches to support information seeking are task-specific, thus understanding engineers' seeking behavior in specific tasks is fundamental. We present an industrial case study on how engineers seek information in CIA, with a particular focus on traceability and development artifacts that are not source code. We show that engineers have different information seeking behavior, and that some do not consider traceability particularly useful when conducting CIA. Furthermore, we observe a tendency for engineers to prefer less rigid types of support rather than formal approaches, i.e., engineers value support that allows flexibility in how to practically conduct CIA. Finally, due to diverse information seeking behavior, we argue that future CIA support should embrace individual preferences to identify change impact by empowering several seeking alternatives, including searching, browsing, and tracing.

Software Engineering

Thazin Win Win Aung,Huan Huo,Yulei Sui

DOI: https://doi.org/10.1145/3387904.3389251

2020-07-13

Abstract:In large-scale software development projects, change impact analysis (CIA) plays an important role in controlling software design evolution. Identifying and accessing the effects of software changes using traceability links between various software artifacts is a common practice during the software development cycle. Recently, research in automated traceability-link recovery has received broad attention in the software maintenance community to reduce the manual maintenance cost of trace links by developers. In this study, we conducted a systematic literature review related to automatic traceability link recovery approaches with a focus on CIA. We identified 33 relevant studies and investigated the following aspects of CIA: traceability approaches, CIA sets, degrees of evaluation, trace direction and methods for recovering traceability link between artifacts of different types. Our review indicated that few traceability studies focused on designing and testing impact analysis sets, presumably due to the scarcity of datasets. Based on the findings, we urge further industrial case studies. Finally, we suggest developing traceability tools to support fully automatic traceability approaches, such as machine learning and deep learning.

Alex Gyori,Shuvendu K. Lahiri,Nimrod Partush

DOI: https://doi.org/10.48550/arXiv.1609.08734

2016-09-28

Abstract:Change-impact analysis (CIA) is the task of determining the set of program elements impacted by a program change. Precise CIA has great potential to avoid expensive testing and code reviews for (parts of) changes that are refactorings (semantics-preserving). Existing CIA is imprecise because it is coarse-grained, deals with only few refactoring patterns, or is unaware of the change semantics. We formalize the notion of change impact in terms of the trace semantics of two program versions. We show how to leverage equivalence relations to make dataflow-based CIA aware of the change semantics, thereby improving precision in the presence of semantics-preserving changes. We propose an anytime algorithm that allows applying costly equivalence relation inference incrementally to refine the set of impacted statements. We have implemented a prototype in SymDiff, and evaluated it on 322 real-world changes from open-source projects and benchmark programs used by prior research. The evaluation results show an average 35% improvement in the size of the set of impacted statements compared to standard dataflow-based techniques.

Software Engineering

Gang Fan,Xiaoheng Xie,Xunjin Zheng,Yinan Liang,Peng Di

2023-10-13

Abstract:The escalating complexity of software systems and accelerating development cycles pose a significant challenge in managing code errors and implementing business logic. Traditional techniques, while cornerstone for software quality assurance, exhibit limitations in handling intricate business logic and extensive codebases. To address these challenges, we introduce the Intelligent Code Analysis Agent (ICAA), a novel concept combining AI models, engineering process designs, and traditional non-AI components. The ICAA employs the capabilities of large language models (LLMs) such as GPT-3 or GPT-4 to automatically detect and diagnose code errors and business logic inconsistencies. In our exploration of this concept, we observed a substantial improvement in bug detection accuracy, reducing the false-positive rate to 66\% from the baseline's 85\%, and a promising recall rate of 60.8\%. However, the token consumption cost associated with LLMs, particularly the average cost for analyzing each line of code, remains a significant consideration for widespread adoption. Despite this challenge, our findings suggest that the ICAA holds considerable potential to revolutionize software quality assurance, significantly enhancing the efficiency and accuracy of bug detection in the software development process. We hope this pioneering work will inspire further research and innovation in this field, focusing on refining the ICAA concept and exploring ways to mitigate the associated costs.

Software Engineering

Qi Luo,Kevin Moran,Denys Poshyvanyk

DOI: https://doi.org/10.1145/2950290.2950344

2018-01-18

Abstract:The large body of existing research in Test Case Prioritization (TCP) techniques, can be broadly classified into two categories: dynamic techniques (that rely on run-time execution information) and static techniques (that operate directly on source and test code). Absent from this current body of work is a comprehensive study aimed at understanding and evaluating the static approaches and comparing them to dynamic approaches on a large set of projects. In this work, we perform the first extensive study aimed at empirically evaluating four static TCP techniques comparing them with state-of-research dynamic TCP techniques at different test-case granularities (e.g., method and class-level) in terms of effectiveness, efficiency and similarity of faults detected. This study was performed on 30 real-word Java programs encompassing 431 KLoC. In terms of effectiveness, we find that the static call-graph-based technique outperforms the other static techniques at test-class level, but the topic-model-based technique performs better at test-method level. In terms of efficiency, the static call-graph-based technique is also the most efficient when compared to other static techniques. When examining the similarity of faults detected for the four static techniques compared to the four dynamic ones, we find that on average, the faults uncovered by these two groups of techniques are quite dissimilar, with the top 10% of test cases agreeing on only 25% - 30% of detected faults. This prompts further research into the severity/importance of faults uncovered by these techniques, and into the potential for combining static and dynamic information for more effective approaches.

Software Engineering

Yuan Huang,Jinyu Jiang,Xiapu Luo,Xiangping Chen,Zibin Zheng,Nan Jia,Gang Huang

DOI: https://doi.org/10.1109/tse.2021.3059481

IF: 7.4

2021-01-01

IEEE Transactions on Software Engineering

Abstract:Change impact analysis (CIA) is a specialized process of program comprehension that investigates the ripple effects of a code change in a software system. In this paper, we present a boosting way for change impact analysis via mapping the historical change-patterns to current CIA task in a cross-project scenario. The change-patterns reflect the coupling dependencies between changed entities in a change set. A traditional CIA tool (such as ImpactMiner) outputs an initial impact set for a starting entity. To boost the traditional CIA tool, our approach retrieves an equivalent entity from various historical change sets for the starting entity. Then, the change-patterns between the equivalent entity and the rest of entities in the change set are mapped to the CIA task at hand. For current CIA task, if an entity in the initial impact set involves the similar change-pattern with the starting entity when comparing with the mapped change-pattern, we will reward the impacted confidence of the entity. Accuracy improvements are observed in the experiments when applying our boosting method to three famous CIA tools, i.e., ImpactMiner, JRipples and ROSE.

Jinxin Xu,Yue Wang,Ruisi Li,Ziyue Wang,Qian Zhao

2024-06-30

Abstract:For one to guarantee higher-quality software development processes, risk management is essential. Furthermore, risks are those that could negatively impact an organization's operations or a project's progress. The appropriate prioritisation of software project risks is a crucial factor in ascertaining the software project's performance features and eventual success. They can be used harmoniously with the same training samples and have good complement and compatibility. We carried out in-depth tests on four benchmark datasets to confirm the efficacy of our CIA approach in closed-world and open-world scenarios, with and without defence. We also present a sequential augmentation parameter optimisation technique that captures the interdependencies of the latest deep learning state-of-the-art WF attack models. To achieve precise software risk assessment, the enhanced crow search algorithm (ECSA) is used to modify the ANFIS settings. Solutions that very slightly alter the local optimum and stay inside it are extracted using the ECSA. ANFIS variable when utilising the ANFIS technique. An experimental validation with NASA 93 dataset and 93 software project values was performed. This method's output presents a clear image of the software risk elements that are essential to achieving project performance. The results of our experiments show that, when compared to other current methods, our integrative fuzzy techniques may perform more accurately and effectively in the evaluation of software project risks.

Software Engineering,Machine Learning

Le Cheng,Yuxin Liu,Yun Zhao

DOI: https://doi.org/10.1515/ijld-2021-2058

2021-01-01

International Journal of Legal Discourse

Abstract:This study uses a combinative method of quantitative and qualitative discourse analysis applying the discourse-historical approach (DHA), based on a self-built special corpus composed of the U.S. laws, policies and strategy documents that are directly related to critical information infrastructure protection (CIIP); through a Word List ranked by frequency, it is found that there seems to be a coherent securitizing system which has been formed in the U.S. CIIP legislative practices, with some specific considerations in the CIIP policy-making process including the strategy for risk management. By further investigating the internal institutional relationships and institutional mechanisms with corpus tools, four discursive features and strategies of the U.S. CIIP institutional discourse can be discovered: the leading role of private and specific institutions in public-private cooperation; the coexisting characteristics of generality and precision in the process of object definition; the center-divergent institutional settings in executing CIIP execution; and the coordinating discourse patterns for CIIP within the U.S. legislation. Those discursive practices concerning different institutional actors can be further explained in the broader context of the U.S. social reality. This study is not only helpful in better understanding the legal practices in U.S. cybersecurity, but also provides some meaningful insights on CIIP legislation to policy makers in other countries as well as at the international level.

Xin Shi,Yu-Shen Liu,Ge Gao,Ming Gu,Haijiang Li

DOI: https://doi.org/10.1016/j.autcon.2017.10.013

IF: 10.3

2018-01-01

Automation in Construction

Abstract:With the growth in popularity of the IFC (Industry Foundation Classes) format used in construction industry, it often requires effective methods of IFC comparison to keep track of important changes during the lifecycle of construction projects. However, most IFC comparisons are based on a visual inspection, a manual count and a check of selective attributes. Although a few techniques about automatic IFC comparisons have been developed recently, they are usually time-consuming, and are sensitive to the GUID change or redundant instances in IFC files. To address these issues, we propose a content-based automatic comparison approach, named IFCdiff, for detecting differences between two IFC files. The proposed approach starts with a comprehensive analysis of the structure and content of each IFC file, and then constructs its hierarchical structure along with eliminating redundant instances. Next, the two hierarchical structures are compared with each other for detecting changes in an iterative bottom-up procedure. Our approach fully considers the content of IFC files without the need of flattening instances in IFC files. In contrast with previous methods, our approach can greatly reduce the computational time and space, and the comparison result is not sensitive to redundant instances in IFC files. Finally, we demonstrate a potential application to incremental backup of IFC files. The software can be found at: http://cgcad.thss.tsinghua.edu.cn/liuyushen/ifcdiff/.

Xiuyuan Guo,Ashwin Kallingal Joshy,Benjamin Steenhoek,Wei Le,Lori Flynn

DOI: https://doi.org/10.48550/arXiv.2305.02515

2023-05-04

Software Engineering

Abstract:Static analysis is widely used for software assurance. However, static analysis tools can report an overwhelming number of warnings, many of which are false positives. Applying static analysis to a new version, a large number of warnings can be only relevant to the old version. Inspecting these warnings is a waste of time and can prevent developers from finding the new bugs in the new version. In this paper, we report the challenges of cascading warnings generated from two versions of programs. We investigated program differencing tools and extend them to perform warning cascading automatically. Specifically, we used textual based diff tool, namely SCALe, abstract syntax tree (AST) based diff tool, namely GumTree, and control flow graph (CFG) based diff tool, namely Hydrogen. We reported our experience of applying these tools and hopefully our findings can provide developers understandings of pros and cons of each approach. In our evaluation, we used 96 pairs of benchmark programs for which we know ground-truth bugs and fixes as well as 12 pairs of real-world open-source projects. Our tools and data are available at https: //github.com/WarningCas/WarningCascading_Data.

Teng Wang,Haochen He,Xiaodong Liu,Shanshan Li,Zhouyang Jia,Yu Jiang,Qing Liao,Wang Li

DOI: https://doi.org/10.1109/ase56229.2023.00067

2024-01-01

Abstract:The prevalence and severity of software configuration-induced issues have driven the design and development of a number of detection and diagnosis techniques. Many of these techniques need to perform static taint analysis on configuration-related variables to analyze the data flow, control flow, and execution paths given by configuration options. However, existing taint analysis or static slicer tools are not suitable for configuration analysis due to the complex effects of configuration on program behaviors. In this experience paper, we conducted an empirical study on the propagation policy of configuration options. We concluded four rules of how configurations affect program behaviors, among which implicit data-flow and control-flow propagation are often ignored by existing tools. We report our experience designing and implementing a taint analysis infrastructure for configurations, ConfTainter. It can support various kinds of configuration analysis, e.g., explicit or implicit analysis for data or control flow. Based on the infrastructure, researchers and developers can easily implement analysis techniques for different configuration-related targets, e.g., misconfiguration detection. We evaluated the effectiveness of ConfTainter on 5 popular open-source systems. The result shows that the accuracy rate of data- and control-flow analysis is 96.1% and 97.7%, and the recall rate is 94.2% and 95.5%, respectively. We also apply ConfTainter to two types of configuration-related tasks: misconfiguration detection and configuration-related bug detection. The result shows that ConfTainter is highly applicable for configuration-related tasks with a few lines of code.

AN Jin-Xia,WANG Guo-Qing,LI Shu-Fang,ZHU Ji-Hong

DOI: https://doi.org/10.3724/SP.J.1001.2010.03659

2010-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:As the size and complexity of mission-critical application software continues to grow, the cost of Software Testing (ST) is also increasing. The numerous methods and processes used to evaluate ST dynamically and quantitatively to improve testing efficiency serve as practice problems in the ST field. Based on multi-dimensional test coverage models, this paper proposes a dynamic evaluation method for ST and discusses it from the viewpoint of testing monitoring information, dynamic analysis and evaluation models, and testing optimized strategy. Furthermore, a concept, Synthetic Test Coverage (STC), is defined in this paper, and its empirical formulas are also presented. Examples show that the methods are useful in helping ST evaluation groups to track and control the effects of ST and for improving the user's ability to observe and control the ST process. © by Institute of Software, the Chinese Academy of Sciences. All rights reserved.

Asim Abdulkhaleq,Stefan Wagner

DOI: https://doi.org/10.48550/arXiv.1612.00330

2016-12-01

Software Engineering

Abstract:Context: Today's safety critical systems are increasingly reliant on software. Software becomes responsible for most of the critical functions of systems. Many different safety analysis techniques have been developed to identify hazards of systems. FTA and FMEA are most commonly used by safety analysts. Recently, STPA has been proposed with the goal to better cope with complex systems including software. Objective: This research aimed at comparing quantitatively these three safety analysis techniques with regard to their effectiveness, applicability, understandability, ease of use and efficiency in identifying software safety requirements at the system level. Method: We conducted a controlled experiment with 21 master and bachelor students applying these three techniques to three safety-critical systems: train door control, anti-lock braking and traffic collision and avoidance. Results: The results showed that there is no statistically significant difference between these techniques in terms of applicability, understandability and ease of use, but a significant difference in terms of effectiveness and efficiency is obtained. Conclusion: We conclude that STPA seems to be an effective method to identify software safety requirements at the system level. In particular, STPA addresses more different software safety requirements than the traditional techniques FTA and FMEA, but STPA needs more time to carry out by safety analysts with little or no prior experience.

WU Chunmei,XIA Nai,MAO Bing

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.03.063

2006-01-01

Abstract:A testbed which includes the common vulnerabilities is built.The paper compares three typical and publicly available tools by applying them to the testbed individually for sake of preventing intrusion.The result reveals that the tools building on finding vulnerable library functions have low false negatives rates but high false positives rates,the constrained based tools have low false positives rates but high false negatives rates,and the module checkers have high true positives rates when finding attacks against given security rules,but have high false negatives rates when finding many kinds of vulnerabilities.

Bowen Zhang,Wei Chen,Hung-Chun Chiu,Charles Zhang

2024-05-21

Abstract:Static analysis techniques enhance the security, performance, and reliability of programs by analyzing and portraiting program behaviors without the need for actual execution. In essence, static analysis takes the Intermediate Representation (IR) of a target program as input to retrieve essential program information and understand the program. However, there is a lack of systematic analysis on the benefit of IR for static analysis, besides serving as an information provider. In general, a modern static analysis framework should possess the ability to conduct diverse analyses on different languages, producing reliable results with minimal time consumption, and offering extensive customization options. In this survey, we systematically characterize these goals and review the potential solutions from the perspective of IR. It can serve as a manual for learners and practitioners in the static analysis field to better understand IR design. Meanwhile, numerous research opportunities are revealed for researchers.

Programming Languages,Software Engineering

Saidong Liu

DOI: https://doi.org/10.1088/1742-6596/2037/1/012006

2021-09-01

Journal of Physics: Conference Series

Abstract:CAIT(Computer Artificial Intelligence Technology) is a modern science and technology based on computer technology and artificial intelligence technology. At present, the technology has been widely used in all aspects of society, and it can be predicted that its application prospects are very broad, so in recent years, it has been paid more and more attention by relevant departments. In order to explore the application effect of this technology in software development, we selected two software development companies a and B, of which a was the test object, which applied CAIT in its software development, while company B as the experimental control group, it has taken the original technical means as always. Finally, the experimental results show that the software development efficiency of company a is significantly higher than that of company B. The highest efficiency of software development in company a is 97%, while that of company B is 80%, which is 17% different. And when investigating consumer preferences, company a software is more popular on the market than company B.

Yi Bu,Tianyi Liu,Danqun Zhao,Wenbin Huang

DOI: https://doi.org/10.3969/j.issn.1002-1965.2015.12.010

IF: 3.1759

2015-01-01

Journal of Intelligence

Abstract:As an important method of citation analysis,author co-citation analysis ( ACA) has made great progress and plentiful achieve-ments since it was presented in 1981. By literature survey,this paper will give a comprehensive commentary and analysis on ACA research outside China over 30 years. In addition,to facilitate the development of ACA research in China,this paper points out some key issues from the perspective of methodology in ACA studies,including data procurement and author name disambiguation,construction of raw co-cita-tion matrix (calculation of co-citation,and assignment of main diagonal value),co-citation matrix transformation and Pearson Correla-tion,common data analysis methods,as well as results interpretation and peer review. At the end of this paper,we will state some meaning-ful issues on innovation of ACA methodologies combining with citation context analysis,and research on which is booming recently.