Mining API Constraints from Library and Client to Detect API Misuses

Hushuang Zeng, Jingxin Chen, Beijun Shen, Hao Zhong
DOI: https://doi.org/10.1109/apsec53868.2021.00024
2021-01-01
Abstract: Calling Application Programming Interfaces (APIs) must follow various constraints (e.g., call orders). If these constraints are violated, API misuses are introduced into code, and such misuses can cause severe bugs. To detect API misuses effectively, most prior approaches mine constraints from client code and assume that violations of those constraints are potential misuses. However, as client code illustrates only a small portion of API usages, constraints mined from client code are typically incomplete. As a result, when mined constraints are used to detect bugs, many violations of constraints turn out to be false positives. In this paper, our research purpose is to find more misuses and to reduce false positives. As library code contains many details on APIs, we propose an approach that mines API constraints from both client and library code. From client code, our approach builds API usage graphs and uses a frequent subgraph mining algorithm to mine frequent usage patterns as API constraints. From library code, our approach derives various types of constraints with our predefined strategies. With constraints from both sources, our graph matching algorithm can detect API misuses. As a result, our approach takes advantage of both the comprehensiveness and informativeness of library-based constraints and the accuracy of client-based patterns. We compared our approach with MuDetect on the MuBench dataset. Our results show that it significantly improves detection effectiveness on MuBench, raising recall from 39.5% to 50.2% and precision from 30.6% to 41.7%.
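As an added illustration (not the paper's code, and deliberately reduced from its subgraph mining and graph matching to single call-order edges), the following Python mines `before`/`follow` constraints from constructed client usages, pairs them with constructed library-derived constraints, and reports which evidence sources back each violation. The `Reader.open/read/close` API, the usages, the library constraints and the support threshold are all assumptions.

```python
from itertools import permutations

# Constructed client usages (not from MuBench): call order of one client method each.
CLIENT_USAGES = [
    ["Reader.open", "Reader.read", "Reader.close"],
    ["Reader.open", "Reader.read", "Reader.read", "Reader.close"],
    ["Reader.open", "Reader.close"],
    ["Reader.open", "Reader.read", "Reader.close"],
    ["Reader.open", "Reader.read", "Reader.close"],
    ["Reader.open", "Reader.read"],  # rare client that never closes the Reader
]

# Constructed stand-ins for library-derived constraints (assumed, not the paper's strategies).
LIBRARY_CONSTRAINTS = {
    ("before", "Reader.open", "Reader.read"),   # read() needs an earlier open()
    ("before", "Reader.open", "Reader.close"),  # close() needs an earlier open()
    ("follow", "Reader.open", "Reader.close"),  # every open() must be closed later
}

def mine_client_constraints(usages, min_support=0.75):
    """Reduce the paper's frequent-subgraph mining to single call-order edges a -> b:
    ("before", a, b): whenever b is called, a was called earlier;
    ("follow", a, b): whenever a is called, b is called later."""
    apis = sorted({call for usage in usages for call in usage})
    mined = set()
    for a, b in permutations(apis, 2):
        with_b = [u for u in usages if b in u]  # usages that call b at all
        if with_b and sum(a in u[:u.index(b)] for u in with_b) / len(with_b) >= min_support:
            mined.add(("before", a, b))
        with_a = [u for u in usages if a in u]  # usages that call a at all
        tails = [u[len(u) - u[::-1].index(a):] for u in with_a]  # calls after the last a
        if with_a and sum(b in tail for tail in tails) / len(with_a) >= min_support:
            mined.add(("follow", a, b))
    return mined

def violates(usage, constraint):
    kind, a, b = constraint
    if kind == "before":
        return b in usage and a not in usage[:usage.index(b)]
    return a in usage and b not in usage[len(usage) - usage[::-1].index(a):]

def detect_misuses(usage, client_constraints, library_constraints):
    """Map each violated constraint to the evidence sources backing it; a violation
    backed only by client patterns may be a convention, i.e. a likely false positive."""
    evidence = {}
    for source, constraints in (("client", client_constraints), ("library", library_constraints)):
        for constraint in constraints:
            if violates(usage, constraint):
                evidence.setdefault(constraint, set()).add(source)
    return {c: sorted(s) for c, s in evidence.items()}
```

Running `detect_misuses(["Reader.open", "Reader.close"], ...)` flags only client-backed conventions (e.g. "open is followed by read"), while a missing `open()` or a leaked handle is backed by both sources.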