Haoran Liu,Zhouyang Jia,Shanshan Li,Yan Lei,Yue Yu,Yu Jiang,Xiaoguang Mao,Xiangke Liao

DOI: https://doi.org/10.1145/3660787

2024-01-01

Abstract:Error-handling bugs are prevalent in software systems and can result in severe consequences. Existing works on error-handling bug detection can be categorized into template-based and learning-based approaches. The former requires much human effort and is difficult to accommodate the software evolution. The latter usually focuses on errors of API and assumes that error handling should be right after the handled error. Such an assumption, however, may affect both learning and detecting phases. The existing learning-based approaches can be regarded as API-oriented, which starts from an API and learns if the API requires error handling. In this paper, we propose EH-Digger, an ERROR-oriented approach, which starts from an error handling. Our approach can learn why the error occurs and when the error has to be handled. We conduct a comprehensive study on 2,322 error-handling code snippets from 22 widely used software systems across 8 software domains to reveal the limitation of existing approaches and guide the design of EH-Digger. We evaluated EH-Digger on the Linux Kernel and 11 open-source applications. It detected 53 new bugs confirmed by the developers and 71 historical bugs fixed in the latest versions. We also compared EH-Digger with three state-of-the-art approaches, 30.1% of bugs detected by EH-Digger cannot be detected by the existing approaches.

Pan Bian,Bin Liang,Yan Zhang,Chaoqun Yang,Wenchang Shi,Yan Cai

DOI: https://doi.org/10.1109/tse.2018.2816639

IF: 7.4

2019-01-01

IEEE Transactions on Software Engineering

Abstract:Code mining has been proven to be a promising approach to inferring implicit programming rules for finding software bugs. However, existing methods may report large numbers of false positives and false negatives. In this paper, we propose a novel approach called EAntMiner to improve the effectiveness of code mining. EAntMiner elaborately reduces noises from statements irrelevant to interesting rules and different implementation forms of the same logic. During preprocessing, we employ program slicing to decompose the original source repository into independent sub-repositories. In each sub-repository, statements irrelevant to critical operations (automatically extracted from source code) are excluded and various semantics-equivalent implementations are normalized into a canonical form as far as possible. Moreover, to tackle the challenge that some bugs are difficult to be detected by mining frequent patterns as rules, we further developed a kNN-based method to identify them. We have implemented EAntMiner and evaluated it on four large-scale C systems. EAntMiner successfully detected 105 previously unknown bugs that have been confirmed by corresponding development communities. A set of comparative evaluations also demonstrate that EAntMiner can effectively improve the precision of code mining.

Mithun Acharya,Tao Xie

DOI: https://doi.org/10.1007/978-3-642-00593-0_25

2009-01-01

Abstract:API error-handling specifications are often not documented, necessitating automated specification mining. Automated mining of error-handling specifications is challenging for procedural languages such as C, which lack explicit exception-handling mechanisms. Due to the lack of explicit exception handling, error-handling code is often scattered across different procedures and files making it difficult to mine error-handling specifications through manual inspection of source code. In this paper, we present a novel framework for mining API error-handling specifications automatically from API client code, without any user input. In our framework, we adapt a trace generation technique to distinguish and generate static traces representing different API run-time behaviors. We apply data mining techniques on the static traces to mine specifications that define correct handling of API errors. We then use the mined specifications to detect API error-handling violations. Our framework mines 62 error-handling specifications and detects 264 real error-handling defects from the analyzed open source packages.

Jiaqi Li,Ke Wang,Yaoguang Chen,Yajin Zhou,Lei Wu,Jiashui Wang

2023-01-01

Abstract:DBMS bugs can cause serious consequences, posing severe security and privacy concerns. This paper works towards the detection of memory bugs and logic bugs in DBMSs, and aims to solve the two innate challenges, including how to generate semantically correct SQL queries in a test case, and how to propose effective oracles to capture logic bugs. To this end, our system proposes two key techniques. The first key technique is called context-sensitive instantiation, which considers all static semantic requirements (including but not limited to the identifier type used by existing systems) to generate semantically valid SQL queries. The second key technique is called multi-plan execution, which can effectively capture logic bugs. Given a test case, multi-plan execution makes the DBMS execute all query plans instead of the default optimal one, and compares the results. A logic bug is detected if a difference is found among the execution results of the executed query plans. We have implemented a prototype system called Kangaroo and applied it to three widely used and well-tested DBMSs, including SQLite, PostgreSQL, and MySQL. Our system successfully detected 50 new bugs. The comparison between our system with the state-of-the-art systems shows that our system outperforms them in terms of the number of generated semantically valid SQL queries, the explored code paths during testing, and the detected bugs.

Bin Liang,Pan Bian,Yan Zhang,Wenchang Shi,Wei You,Yan Cai

DOI: https://doi.org/10.1145/2884781.2884870

2016-01-01

Abstract:Detecting bugs with code mining has proven to be an effective approach. However, the existing methods suffer from reporting serious false positives and false negatives. In this paper, we developed an approach called AntMiner to improve the precision of code mining by carefully preprocessing the source code. Specifically, we employ the program slicing technique to decompose the original source repository into independent sub-repositories, taking critical operations (automatically extracted from source code) as slicing criteria. In this way, the statements irrelevant to a critical operation are excluded from the corresponding sub-repository. Besides, various semantics-equivalent representations are normalized into a canonical form. Eventually, the mining process can be performed on a refined code database, and false positives and false negatives can be significantly pruned. We have implemented AntMiner and applied it to detect bugs in the Linux kernel. It reported 52 violations that have been either confirmed as real bugs by the kernel development community or fixed in new kernel versions. Among them, 41 cannot be detected by a widely used representative analysis tool Coverity . Besides, the result of a comparative analysis shows that our approach can effectively improve the precision of code mining and detect subtle bugs that have previously been missed.

Hao Zhang,Ji Luo,Mengze Hu,Jun Yan,Jian Zhang,Zongyan Qiu

DOI: https://doi.org/10.1109/icse48619.2023.00098

2023-01-01

Abstract:Exception handling is a mechanism in modern programming languages. Studies have shown that the exception handling code is error-prone. However, there is still limited research on detecting exception handling bugs, especially for C++ programs. To tackle the issue, we try to precisely represent the exception control flow in C++ programs and propose an analysis method that makes use of the control flow to detect such bugs. More specifically, we first extend control flow graph by introducing the concepts of five different kinds of basic blocks, and then modify the classic symbolic execution framework by extending the program state to a quadruple and properly processing try, throw and catch statements. Based on the above techniques, we develop a static analysis tool on the top of Clang Static Analyzer to detect exception handling bugs. We run our tool on projects with high stars from GitHub and find 36 exception handling bugs in 8 projects, with a precision of 84%. We compare our tool with four state-of-the-art static analysis tools (Cppcheck, Clang Static Analyzer, Facebook Infer and IKOS) on projects from GitHub and handmade benchmarks. On the GitHub projects, other tools are not able to detect any exception handling bugs found by our tool. On the handmade benchmarks, our tool has a significant higher recall.

Chi Li,Min Zhou,Xinrong Han,Ming Gu

DOI: https://doi.org/10.1109/trustcom53373.2021.00101

2021-01-01

Abstract:SSL library plays an important role in ensuring secure connections against remote attacks, and thus the correct usages of SSL library should be guaranteed to avoid security and reliability flaws. However, improper error handling of API function failures frequently happens in SSL library usages, which could introduce security vulnerabilities. To detect such bugs in SSL usages, existing tools need correct error handling specifications. Manually write specifications is tedious and time-consuming. Therefore, a few works towards automatic inferring specifications are presented. However, the principles used in such works are insufficient for SSL library. Thus, in this paper, we first conduct an empirical study of error handling bugs in SSL applications to understand the true nature of such bugs, and the properties of these bugs are summarized, including the frequently used code structure for handling errors, the commonly occurred error-indicating features of the handling actions, and the general bug categories. Based on these properties, we design and implement a tool that can automatically infer error handling specifications and detect error handling bugs by exploiting the specifications in SSL applications. We evaluated our tool on 9 real-world open-source SSL applications. The tool infers 424 specifications in total, out of which 383 are confirmed correct, with a precision of 90%. Moreover, 27 real-world bugs have been detected, and all of them are confirmed by developers.

Xuezhi Song,Yijian Wu,Junming Cao,Bihuan Chen,Yun Lin,Zhengjie Lu,Dingji Wang,Xin Peng

DOI: https://doi.org/10.1109/ase56229.2023.00201

2024-01-01

Abstract:Bugs and their fixes in the code evolution histories are important assets for many software engineering tasks such as deriving new state-of-the-art automatic bug fixing techniques. Existing bug datasets are either manually built which is difficult to grow efficiently to a scale large enough for massive data analysis, or lack of precise information of how bugs are introduced and fixed which is critical for in-depth analysis such as buggy/fixing code identification. Moreover, the types of the bugs are typically missing in the existing bug datasets, limiting the possibility of developing high-precision type-specific approaches for enterprise-level purposes. In this work, we propose BugMiner, an approach to automatically collecting bugs from code repositories by isolating the critical changes of the bugs. We also propose a learning-based approach for automating bug type classification with relatively small manual labels of bug types. We evaluate our approach regarding the precision of bug information and the efficiency of the bug-mining process with 2,082 bugs automatically mined from 100 open-source projects. We demonstrate the improved effectiveness and efficiency in bug-fixing location identification, compared to the SOTA BugBuilder, and high recall and precision in bug-inducing location identification. We also compare our learning-based bug classification approach to traditional baseline method, indicating about 17 % improvement in classification effectiveness under macro-F1.

Linna Xie,Lu,Shunjie Ding,Yu Pei,Minxue Pan,Tian Zhang

DOI: https://doi.org/10.1145/3457913.3457940

2021-01-01

Abstract:Developers often neglect to handle exceptions, which leads to exception handling defects that affect the robustness of applications or even cause crashes. To improve the robustness of android applications while reducing the development burden of developers, we present Fixeh and Automatic Detection Tool, as an approach that can automatically detect exception handling defects related to external resources. By implanting exception control codes into the input application, Fixeh helps applications throw exceptions at the specified call position while running the UI test. During running the UI test, Automatic Detection Tool generates a limited number of exception trigger patterns by using suspicious call filtering algorithm and traversal algorithm. After collecting and analyzing the running results under these patterns, the exception handling defects will be detected. We evaluate our approach by applying it to detect anomalies in 6 different types of applications with stable operation. We conducted 1422 rounds of experiments under different exception triggering patterns, and we observed abnormalities in 517 rounds. A comparison with other related work shows that our approach can detect defects more effectively. Through the analysis of our experiments, we confirmed 39 exception handling defects related to external resources. Finally, we summarized three common types of defects from them.

Mohammad Jafar Mashhadi,Taha R. Siddiqui,Hadi Hemmati,Howard Loewen

DOI: https://doi.org/10.1016/j.infsof.2019.05.002

IF: 3.9

2019-09-01

Information and Software Technology

Abstract:<p><strong>Context:</strong> Specification mining techniques are typically used to extract the specification of a software in the absence of (up-to-date) specification documents. This is useful for program comprehension, testing, and anomaly detection. However, specification mining can also potentially be used for debugging, where a faulty behavior is abstracted to give developers a context about the bug and help them locating it. <strong>Objective:</strong> In this project, we investigate this idea in an industrial setting. We propose a very basic semi-automated specification mining approach for debugging and apply that on real reported issues from an AutoPilot software system from our industry partner, MicroPilot Inc. The objective is to assess the feasibility and usefulness of the approach in a real-world setting. <strong>Method:</strong> The approach is developed as a prototype tool, working on C code, which accept a set of relevant state fields and functions, per issue, and generates an extended finite state machine that represents the faulty behavior, abstracted with respect to the relevant context (the selected fields and functions). <strong>Results:</strong> We qualitatively evaluate the approach by a set of interviews (including observational studies) with the company's developers on their real-world reported bugs. The results show that a) our approach is feasible, b) it can be automated to some extent, and c) brings advantages over only using their code-level debugging tools. We also compared this approach with traditional fully automated state-merging algorithms and reported several issues when applying those techniques on a real-world debugging context. <strong>Conclusion:</strong> The main conclusion of this study is that the idea of an "interactive" specification mining rather than a fully automated mining tool is NOT impractical and indeed is useful for the debugging use case.</p>

computer science, information systems, software engineering

Huqiu Liu,Yuping Wang,Lingbo Jiang,Shimin Hu

DOI: https://doi.org/10.1016/j.jss.2016.02.007

IF: 3.5

2016-01-01

Journal of Systems and Software

Abstract:Drivers are significant components of the operating systems(OSs), and they run in kernel mode. Generally, drivers have many errors to handle, and the functions called in the normal execution paths and error handling paths are in pairs, which are named as paired functions. However, some developers do not handle the errors completely as they forget about or are unaware of releasing the acquired resources, thus memory leaks and other potential problems can be easily introduced. Therefore, it is highly valuable to automatically extract paired functions for these problems and detect violations for the programmers. This paper proposes an efficient tool named PF-Miner, which can automatically extract paired functions and detect violations between normal execution paths and error handling paths from the source code of C program with the data mining and statistical methods. We have evaluated PF-Miner on different versions of Android kernel 2.6.39 and 3.10.0, and 81 bugs reported by PF-Miner in 2.6.39 have been fixed before the latest version 3.10.0. PF-Miner only needs about 150 seconds to analyze the source code of 3.10.0, and 983 violations have been detected from 546 paired functions that have been extracted. We have reported the top 51 violations as potential bugs to the developers, and 15 bugs have been confirmed.

Tao Xie,Thummalapenta, S.

DOI: https://doi.org/10.1109/WEH.2012.6226593

2012-01-01

Abstract:The exception-handling mechanism has been widely adopted to deal with exception conditions that may arise during program executions. To produce high-quality programs, developers are expected to handle these exception conditions and take necessary recovery or resource-releasing actions. Failing to handle these exception conditions can lead to not only performance degradation, but also critical issues. Developers can write formal specifications to capture expected exception-handling behavior, and then apply tools to automatically analyze program code for detecting specification violations. However, in practice, developers rarely write formal specifications. To address this issue, mining techniques have been used to mine common exception-handling behavior out of program code. In this paper, we discuss challenges and achievements in precisely specifying and mining formal exception-handling specifications, as tackled by our previous work. Our key insight is that expected exception-handling behavior may be “conditional” or may need to accommodate “exceptional” cases.

Mesquita, Diego P. P.

DOI: https://doi.org/10.1007/s10664-024-10494-0

IF: 3.762

2024-06-06

Empirical Software Engineering

Abstract:Exception handling (EH) bugs stem from incorrect usage of exception handling mechanisms (EHMs) and often incur severe consequences (e.g., system downtime, data loss, and security risk). Tracking EH bugs is particularly relevant for contemporary systems (e.g., cloud- and AI-based systems), in which the software's sophisticated logic is an additional threat to the correct use of the EHM. On top of that, bug reporters seldom can tag EH bugs — since it may require an encompassing knowledge of the software's EH strategy. Surprisingly, to the best of our knowledge, there is no automated procedure to identify EH bugs from report descriptions.

computer science, software engineering

Suresh Thummalapenta,Tao Xie

DOI: https://doi.org/10.1109/icse.2009.5070548

2009-01-01

Abstract:Programming languages such as Java and C++ provide exception-handling constructs to handle exception conditions. Applications are expected to handle these exception conditions and take necessary recovery actions such as releasing opened database connections. However, exception-handling rules that describe these necessary recovery actions are often not available in practice. To address this issue, we develop a novel approach that mines exception-handling rules as sequence association rules of the form “(FC1c1…FCcn) ∧ FCa ⇒ (FCe1…FCem)”. This rule describes that function call FCa should be followed by a sequence of function calls (FCe1…FCem) when FCa is preceded by a sequence of function calls (FCe1…FCcn). Such form of rules is required to characterize common exception-handling rules. We show the usefulness of these mined rules by applying them on five real-world applications (including 285 KLOC) to detect violations in our evaluation. Our empirical results show that our approach mines 294 real exception-handling rules in these five applications and also detects 160 defects, where 87 defects are new defects that are not found by a previous related approach.

Xiaoxue Ren,Xinyuan Ye,Zhenchang Xing,Xin Xia,Xiwei Xu,Liming Zhu,Jianling Sun

DOI: https://doi.org/10.1145/3324884.3416551

2020-01-01

Abstract:ABSTRACTAPI misuses cause significant problem in software development. Existing methods detect API misuses against frequent API usage patterns mined from codebase. They make a naive assumption that API usage that deviates from the most-frequent API usage is a misuse. However, there is a big knowledge gap between API usage patterns and API usage caveats in terms of comprehensiveness, explainability and best practices. In this work, we propose a novel approach that detects API misuses directly against the API caveat knowledge, rather than API usage patterns. We develop open information extraction methods to construct a novel API-constraint knowledge graph from API reference documentation. This knowledge graph explicitly models two types of API-constraint relations (call-order and condition-checking) and enriches return and throw relations with return conditions and exception triggers. It empowers the detection of three types of frequent API misuses - missing calls, missing condition checking and missing exception handling, while existing detectors mostly focus on only missing calls. As a proof-of-concept, we apply our approach to Java SDK API Specification. Our evaluation confirms the high accuracy of the extracted API-constraint relations. Our knowledge-driven API misuse detector achieves 0.60 (68/113) precision and 0.28 (68/239) recall for detecting Java API misuses in the API misuse benchmark MuBench. This performance is significantly higher than that of existing pattern-based API misused detectors. A pilot user study with 12 developers shows that our knowledge-driven API misuse detection is very promising in helping developers avoid API misuses and debug the bugs caused by API misuses.

Hu-Qiu Liu,Jia-Ju Bai,Yu-Ping Wang,Shi-Min Hu

DOI: https://doi.org/10.1109/apsec.2014.67

2014-01-01

Abstract:Kernel extension functions are provided as interfaces for drivers to manage devices and resources, and there are many implicit rules about their usages. One of the most important rules is that many functions should be called in pairs. That is to say, when an error occurs in a function, the driver should call related functions to handle it and release the acquired resources before returning, and we name these functions between normal execution paths and error handling paths as paired functions. However, many developers are unaware of them, which causes lots of bugs. Therefore, it is highly significant to automatically extract paired functions and detect violations for drivers. This paper proposes an efficient tool named BP-Miner, which can extract paired functions from binary code of driver modules and detect violations for error handling in drivers with extracted paired functions. BP-Miner constructs control flow graph (CFG) based on basic blocks of binary code, and locates potential execution paths to extract paired functions. We have evaluated BP-Miner with Linux drivers 2.6.38 and 3.13.0-rc7. 76 bugs are reported by BP-Miner in 2.6.38 which have been fixed in the current latest version 3.13.0-rc7. BP-Miner spends about 90 minutes handling 3653 module files for 3.13.0-rc7, and 859 violations have been detected with 1167 extracted paired functions. As it works on the binary code, it can be utilized to check close-source drivers.

Chao Liu,Xifeng Yan,Jiawei Han

DOI: https://doi.org/10.1137/1.9781611972764.10

2006-01-01

Abstract:Analyzing the executions of a buggy program is essentially a data mining process: Tracing the data generated during program executions may disclose important patterns and outliers that could eventually reveal the location of software errors. In this paper, we investigate program logic errors, which rarely incur memory access violations but generate incorrect outputs. We show that through mining program control flow abnormality, we could isolate many logic errors without knowing the program semantics. In order to detect the control abnormality, we propose a hypothesis testing-like approach that statistically contrasts the evaluation probability of condition statements between correct and incorrect executions. Based on this contrast, we develop two algorithms that effectively rank functions with respect to their likelihood of containing the hidden error. We evaluated these two algorithms on a set of standard test programs, and the result clearly indicates their effectiveness.

David Lo,Siau-Cheng Khoo,Jiawei Han,Chao Liu

2011-01-01

Abstract:An emerging topic in software engineering and data mining, specification mining tackles software maintenance and reliability issues that cost economies billions of dollars each year. The first unified reference on the subject, Mining Software Specifications: Methodologies and Applications describes recent approaches for mining specifications of software systems. Experts in the field illustrate how to apply state-of-the-art data mining and machine learning techniques to address software engineering concerns. In the first set of chapters, the book introduces a number of studies on mining finite state machines that employ techniques, such as grammar inference, partial order mining, source code model checking, abstract interpretation, and more. The remaining chapters present research on mining temporal rules/patterns, covering techniques that include path-aware static program analyses, lightweight rule/pattern mining, statistical analysis, and other interesting approaches. Throughout the book, the authors discuss how to employ dynamic analysis, static analysis, and combinations of both to mine software specifications. According to the US National Institute of Standards and Technology in 2002, software bugs have cost the US economy 59.5 billion dollars a year. This volume shows how specification mining can help find bugs and improve program understanding, thereby reducing unnecessary financial losses. The book encourages the industry adoption of specification mining techniques and the assimilation of these techniques in standard integrated development environments (IDEs).

Hao Zhong,Hong Mei

DOI: https://doi.org/10.1016/j.jss.2018.03.046

IF: 3.5

2018-01-01

Journal of Systems and Software

Abstract:It has long been a hot research topic to detect and to repair bugs automatically. As a common practice, researchers propose approaches for specific bugs, and their approaches typically are limited in handling the variety among bugs. Recently, researchers start to explore automatic program repair. With predefined repair operators and test cases, test-based repair approaches use search algorithms to generate patches for a bug, until a patch passes all the test cases. To improve the effectiveness to generate patches, Martinez and Monperrus (2013b) proposed an approach that mines repair models from past fixes. Although their approach produces positive results, we argue that it can be feasible to further improve their approach, if we mine repair models for bug categories, instead of all bugs. However, the benefits are still unclear, since existing benchmarks do not classify bugs into categories and existing approaches cannot mine repair models for bug categories. In this paper, we implement a tool, called ExFI, that classifies bugs into categories based on their related exceptions. With its support, we construct a benchmark, in which bug categories are marked. Furthermore, we propose an approach, called MIMo, that mines a repair model for each exception. We compared the general repair model with our mined repair models. Our results show that our mined models are all significantly different from the general model. Outside of the projects where our models are mined, we selected 59 real bugs. For each bug, we used our models and the general model to generate correct repair shapes for these bugs. The results show that for 43 out of 59 bugs, our models found faster a correct shape than the general repair model (Martinez and Monperrus, 2013b), and for 5 bugs, our models were able to find correct shapes that were not found by the compared model. (C) 2018 Elsevier Inc. All rights reserved.

Yao Shi,Soyeon Park,Zuoning Yin,Shan Lu,Yuanyuan Zhou,Wenguang Chen,Weimin Zheng

DOI: https://doi.org/10.1145/1932682.1869474

2010-01-01

ACM SIGPLAN Notices

Abstract:Software bugs, such as concurrency, memory and semantic bugs, can significantly affect system reliability. Although much effort has been made to address this problem, there are still many bugs that cannot be detected, especially concurrency bugs due to the complexity of concurrent programs. Effective approaches for detecting these common bugs are therefore highly desired. This paper presents an invariant-based bug detection tool, DefUse, which can detect not only concurrency bugs (including the previously under-studied order violation bugs), but also memory and semantic bugs. Based on the observation that many bugs appear as violations to programmers' data flow intentions, we introduce three different types of definition-use invariants that commonly exist in both sequential and concurrent programs. We also design an algorithm to automatically extract such invariants from programs, which are then used to detect bugs. Moreover, DefUse uses various techniques to prune false positives and rank error reports. We evaluated DefUse using sixteen real-world applications with twenty real-world concurrency and sequential bugs. Our results show that DefUse can effectively detect 19 of these bugs, including 2 new bugs that were never reported before, with only a few false positives. Our training sensitivity results show that, with the benefit of the pruning and ranking algorithms, DefUse is accurate even with insufficient training.