Xin Xia,Lingfeng Bao,David Lo,Shanping Li

DOI: https://doi.org/10.1109/icsme.2016.67

2016-01-01

Abstract:Due to the complexity of software systems, bugs are inevitable. Software debugging is tedious and time consuming. To help developers perform this crucial task, a number of spectra-based fault localization techniques have been proposed. In general, spectra-based fault localization helps developers to find the location of a bug given its symptoms (e.g., program failures). A previous study by Parnin and Orso however implies that several assumptions made by existing work on spectra-based fault localization do not hold in practice, which hinders the practical usage of these tools. Moreover, a recent study by Xie et al. claims that spectra-based fault localization can potentially "weaken programmers' abilities in fault detection".Unfortunately, these studies are performed either using only 2 bugs from small systems (Parnin and Orso's study) or synthetic bugs injected into toy programs (Xie et al.'s study), only involve students, and use dated spectra-based fault localization tools. Thus, the question whether spectra-based fault localization techniques can help professionals to improve their debugging efficiency in a reasonably large project is still insufficiently answered.In this paper, we perform a more realistic investigation of how professionals can use and benefit from spectra-based fault localization techniques. We perform a user study of spectra-based fault localization with a total of 16 real bugs from 4 reasonably large open-source projects, with 36 professionals, amounting to 80 recorded debugging hours. The 36 professionals are divided into 3 groups, i.e., those that use an accurate fault localization tool, use a mediocre fault localization tool, and do not use any fault localization tool. Our study finds that both the accurate and mediocre spectra-based fault localization tools can help professionals to save their debugging time, and the improvements are statistically significant and substantial. We also discuss implications of our findings to future directions of spectra-based fault localization.

Xiao Xuan,Xiaoqiong Zhao,Ye Wang,Shanping Li

DOI: https://doi.org/10.1587/transinf.2015edl8084

2015-01-01

IEICE Transactions on Information and Systems

Abstract:Bugs in industrial financial systems have not been extensively studied. To address this gap, we focused on the empirical study of bugs in three systems, PMS, beta-Analyzer, and OrderPro. Results showed the 3 most common types of bugs in industrial financial systems to be internal interface (19.00%), algorithm/ method (17.67%), and logic (15.00%).

Xiaoqiong Zhao,Xin Xia,Pavneet Singh Kochhar,David Lo,Shanping Li

DOI: https://doi.org/10.1145/2554850.2555142

2014-01-01

Abstract:Software build process translates source codes into executable programs, packages the programs, generates documents, and distributes products. In this paper, we perform an empirical study to characterize build process bugs. We analyze bugs in build process in 5 open-source systems under Apache namely CXF, Camel, Felix, Struts, and Tuscany. We compare build process bugs and other bugs across 3 different dimensions, i.e., bug severity, bug fix time, and the number of files modified to fix a bug. Our results show that the fraction of build process bugs which are above major severity level is lower than that of other bugs. However, the time effort required to fix a build process bug is around 2.03 times more than that of a non-build process bug, and the number of source files modified to fix a build process bug is around 2.34 times more than that modified for a non-build bug.

Vinay Kabadi,Dezhen Kong,Siyu Xie,Lingfeng Bao,Gede Artha Azriadi Prana,Tien-Duy B. Le,Xuan-Bach D. Le,David Lo

DOI: https://doi.org/10.1109/icsme58846.2023.00017

2023-01-01

Abstract:Automated program repair (APR) has been gaining ground with substantial effort devoted to the area, opening up many challenges and opportunities. One such challenge is that the state-of-the-art repair techniques often resort to incomplete specifications, e.g., test cases that witness buggy behavior, to generate repairs. In practice, bug-exposing test cases are often available when: (1) developers, at the same time of (or after) submitting bug fixes, create the tests to assure the correctness of the fixes, or (2) regression errors occur. The former case – a scenario commonly used for creating popular bug datasets – however, may not be suitable to assess how APR performs in the wild. Since developers already know where and how to fix the bugs, tests created in this case may encapsulate knowledge gained only after bugs are fixed. Thus, more effort is needed to create datasets for more realistically evaluating APR.We address this challenge by creating a dataset focusing on bugs identified via continuous integration (CI) failures – a special case of regression errors – wherein bugs happen when the program after being changed is re-executed on the existing test suite. We argue that CI failures, wherein bug-exposing tests are created before bug fixes and thus assume no prior knowledge of developers on the bugs to be involved, are more realistic for evaluating APR. Toward this end, we curated 102 CI failures from 40 popular real-world software on GitHub. We demonstrate various features and the usefulness of the dataset via an evaluation of five well-known APR techniques, namely GenProg, Kali, Cardumen, RsRepair and Arja. We subsequently discuss several findings and implications for future APR studies. Overall, experiment results show that our dataset is complementary to existing datasets such as Defect4J in realistic evaluations of APR.

Jing Wang,John M. Carroll

DOI: https://doi.org/10.1145/2069618.2069714

2011-01-01

Abstract:ABSTRACTBug fixing is an important collaborative practice of open source software development. Creative collaborative bug fixing---collectively generating new and useful solutions to improve software quality---is important especially when bugs are difficult to fix. We find bug fixing practices are unavoidably creative by studying Mozilla and Python. We characterize their bug fixing process as four common subprocesses, problem identification, preparation, solution generation, and solution evaluation. We discuss the key challenges of creative collaboration during each subprocess, and recommend design implications to enhance creative collaborative bug fixing processes, including support for establishment of common ground, externalization of social networks, awareness of resolving progress, and articulation of design rationale.

Hao Ren,Yanhui Li,Lin Chen,Yuming Zhou,Changhai Nie

DOI: https://doi.org/10.1016/j.infsof.2023.107354

IF: 3.9

2024-01-01

Information and Software Technology

Abstract:Blocking bugs prevents other bugs from being fixed, which is difficult to repair and negatively impacts software quality. During software maintenance, developers usually try to break the blocking relationship between blocking and blocked bugs, e.g., propose a temporary fix. However, to our knowledge, no studies have investigated why and how blocking relations between bugs are breakable. In this study, we aim to construct an empirical analysis to explore breakable blocking bugs (BBBs). Specifically, we employ quantitative and qualitative analysis to study these BBBs from two aspects. One is to investigate the characteristics of these bugs, and the other is to explore why and how developers break the blocking relationship between bugs during software maintenance. We build a dataset on five large-scale open-source projects and classify bugs into three types (BBBs, normal blocking bugs, and other bugs) to compare the differences between BBBs and other types of bugs. We observe that BBBs have higher levels of involvement, take longer to fix, and involve more complex source code than other bugs. Moreover, we summarize four reasons blocking relationships between bugs are broken, i.e., partial association (41.87%), serious influence (26.40%), time pressure (19.73%), and flawed blocking (12.21%), and three measures developers adopt to break these blocking relationships, i.e., quick patch for blocking bugs (41.33%), quick patch for blocked bugs (38.67%), and ignore the blocking relation and fix blocked bugs directly (20.00%). Through these analyses, it is meaningful for software maintainers to have a deeper understanding of the characteristics and repair practices of BBBs, which will help solve these BBBs effectively in the future.

Wei Li,Qingan Li,Yunlong Ming,Weijiao Dai,Shi Ying,Mengting Yuan

DOI: https://doi.org/10.1007/s10664-021-10082-6

IF: 3.762

2022-01-28

Empirical Software Engineering

Abstract:Bug localization, which refers to finding buggy files for a given bug report, is tedious and time-consuming for practical projects with tens of millions of lines of code. Recently, many information retrieval (IR)-based bug localization (IRBL) approaches have been proposed to formulate this problem as a search problem. Despite the excellent performance claimed in the literature, there is hardly any approach adopted in the industrial community to the best of our knowledge. The challenge of adapting IRBL to industrial projects is that the projects have different characteristics compared to open-source projects used in the literatures, which have not been taken into consideration in previous studies. In this paper, we re-implement six state-of-the-art IRBL techniques and evaluate their effectiveness on 10 Huawei projects consisting of 161,967 source code files and 24,437 bug reports in total. Localizing bugs in these projects faces several challenges, including the software product line, the bilingual issue, and the quality of bug reports, etc. We conduct comprehensive experiments to reveal how these factors affect IRBL effectiveness, and modify the data set to test whether some factors could be overcome, if additional information or hints are given. Based on the insights found in our work, we suggest potential improvements on IRBL techniques. This study is also expected to provide empirical evidences for other software tasks which face the same fundamental challenges.

computer science, software engineering

Weiqin Zou,Xin Xia,Weiqiang Zhang,Zhenyu Chen,David Lo

DOI: https://doi.org/10.1109/compsac.2015.57

2015-01-01

Abstract:Bug fixing is one of the most important activities in software development and maintenance. A software project often employs an issue tracking system such as Bugzilla to store and manage their bugs. In the issue tracking system, many bugs are invalid but take unnecessary efforts to identify them. In this paper, we mainly focus on bug fixing rate, i.e., The proportion of the fixed bugs in the reported closed bugs. In particular, we study the characteristics of bug fixing rate and investigate the impact of a reporter's different contribution behaviors to the bug fixing rate. We perform an empirical study on all reported bugs of two large open source software communities Eclipse and Mozilla. We find (1) the bug fixing rates of both projects are not high, (2) there exhibits a negative correlation between a reporter's bug fixing rate and the average time cost to close the bugs he/she reports, (3) the amount of bugs a reporter ever fixed has a strong positive impact on his/her bug fixing rate, (4) reporters' bug fixing rates have no big difference, whether their contribution behaviors concentrate on a few products or across many products, (5) reporters' bug fixing rates tend to increase as time goes on, i.e., Developers become more experienced at reporting bugs.

Tegawende F. Bissyande,Ferdian Thung,Shaowei Wang,David Lo,Lingxiao Jiang,Laurent Reveillere

DOI: https://doi.org/10.1109/csmr.2013.19

2013-01-01

Abstract:To collect software bugs found by users, development teams often set up bug trackers using systems such as Bugzilla. Developers would then fix some of the bugs and commit corresponding code changes into version control systems such as svn or git. Unfortunately, the links between bug reports and code changes are missing for many software projects as the bug tracking and version control systems are often maintained separately. Yet, linking bug reports to fix commits is important as it could shed light into the nature of bug fixing processes and expose patterns in software management. Bug linking solutions, such as ReLink, have been proposed. The demonstration of their effectiveness however faces a number of issues, including a reliability issue with their ground truth datasets as well as the extent of their measurements. We propose in this study a benchmark for evaluating bug linking solutions. This benchmark includes a dataset of about 12,000 bug links from 10 programs. These true links between bug reports and their fixes have been provided during bug fixing processes. We designed a number of research questions, to assess both quantitatively and qualitatively the effectiveness of a bug linking tool. Finally, we apply this benchmark on ReLink to report the strengths and limitations of this bug linking tool.

Hao Ren,Yanhui Li,Lin Chen

DOI: https://doi.org/10.1145/3387904.3389267

2020-01-01

Abstract:Blocking bugs are a severe type of bugs that prevent other bugs from being fixed. As software becomes increasingly complex and large, blocking bugs occur in many large-scale software, especially in software ecosystems. Blocking bugs may have a high negative impact on software development and maintenance. Usually, blocking bugs preventing more bugs should be more concerned. In this paper, we focus on a special type of blocking bugs that block at least two bugs, which we call Critical Blocking Bugs (CBBs). We study CBBs from the following five aspects: the importance, the repair time, the scale of repair, the experience of developers who repair CBBs, and the circumstance why CBBs block multiple bugs. We build a dataset containing five open source projects and classify bugs into three types (i.e., critical blocking bugs, normal blocking bugs and other bugs, which block at least two, just one and zero bugs, respectively) to compare the differences between CBBs and other types of bugs. The experimental results show that CBBs are more important with longer repair time and larger repair scale, and CBBs are concentrated on parts of components of the project. These results highlight that CBBs are different from other types of bugs in many aspects, and we should pay more attention to such bugs in the future software maintenance process.

Xin Xia,David Lo,Xinyu Wang,Xiaohu Yang,Shanping Li,Jianling Sun

DOI: https://doi.org/10.1109/csmr.2013.43

2013-01-01

Abstract:Bug fixing is a time-consuming and costly job which is performed in the whole life cycle of software development and maintenance. For many systems, bugs are managed in bug management systems such as Bugzilla. Generally, the status of a typical bug report in Bugzilla changes from new to assigned, verified and closed. However, some bugs have to be reopened. Reopened bugs increase the software development and maintenance cost, increase the workload of bug fixers, and might even delay the future delivery of a software. Only a few studies investigate the phenomenon of reopened bug reports. In this paper, we evaluate the effectiveness of various supervised learning algorithms to predict if a bug report would be reopened. We choose 7 state-of-the-art classical supervised learning algorithm in machine learning literature, i.e., kNN, SVM, Simple Logistic, Bayesian Network, Decision Table, CART and LWL, and 3 ensemble learning algorithms, i.e., AdaBoost, Bagging and Random Forest, and evaluate their performance in predicting reopened bug reports. The experiment results show that among the 10 algorithms, Bagging and Decision Table (IDTM) achieve the best performance. They achieve accuracy scores of 92.91% and 92.80%, respectively, and reopened bug reports F-Measure scores of 0.735 and 0.732, respectively. These results improve the reopened bug reports F-Measure of the state-of-the-art approaches proposed by Shihab et al. by up to 23.53%.

Wanwangying Ma,Lin Chen,Xiangyu Zhang,Yuming Zhou,Baowen Xu

DOI: https://doi.org/10.1109/icse.2017.42

2017-01-01

Abstract:GitHub, a popular social-software-development platform, has fostered a variety of software ecosystems where projects depend on one another and practitioners interact with each other. Projects within an ecosystem often have complex inter-dependencies that impose new challenges in bug reporting and fixing. In this paper, we conduct an empirical study on cross-project correlated bugs, i.e., causally related bugs reported to different projects, focusing on two aspects: 1) how developers track the root causes across projects, and 2) how the downstream developers coordinate to deal with upstream bugs. Through manual inspection of bug reports collected from the scientific Python ecosystem and an online survey with developers, this study reveals the common practices of developers and the various factors in fixing cross-project bugs. These findings provide implications for future software bug analysis in the scope of ecosystem, as well as shed light on the requirements of issue trackers for such bugs.

Wanwangying Ma,Lin Chen,Xiangyu Zhang,Yang Feng,Zhaogui Xu,Zhifei Chen,Yuming Zhou,Baowen Xu

DOI: https://doi.org/10.1145/3377811.3380442

2020-01-01

Abstract:Software projects are increasingly forming social-technical ecosystems within which individual projects rely on the infrastructures or functional components provided by other projects, leading to complex inter-dependencies. Through inter-project dependencies, a bug in an upstream project may have profound impact on a large number of downstream projects, resulting in cross-project bugs. This emerging type of bugs has brought new challenges in bug fixing due to their unclear influence on downstream projects. In this paper, we present an approach to estimating the impact of a cross-project bug within its ecosystem by identifying the affected downstream modules (classes/methods). Note that a downstream project that uses a buggy upstream function may not be affected as the usage does not satisfy the failure inducing preconditions. For a reported bug with the known root cause function and failure inducing preconditions, we first collect the candidate downstream modules that call the upstream function through an ecosystem-wide dependence analysis. Then, the paths to the call sites of the buggy upstream function are encoded as symbolic constraints. Solving the constraints, together with the failure inducing preconditions, identifies the affected downstream modules. Our evaluation of 31 existing upstream bugs on the scientific Python ecosystem containing 121 versions of 22 popular projects (with a total of 16 millions LOC) shows that the approach is highly effective: from the 25490 candidate downstream modules that invoke the buggy upstream functions, it identifies 1132 modules where the upstream bugs can be triggered, pruning 95.6% of the candidates. The technique has no false negatives and an average false positive rate of 7.9%. Only 49 downstream modules (out of the 1132 we found) were reported before to be affected.

Chuanqi Wang,Yanhui Li,Lin Chen,Wenchin Huang,Yuming Zhou,Baowen Xu

DOI: https://doi.org/10.1016/j.jss.2020.110667

IF: 3.5

2020-01-01

Journal of Systems and Software

Abstract:Background: In modern software systems' maintenance and evolution, how to fix software bugs efficiently and effectively becomes increasingly more essential. A deep understanding of developers'/assignees' familiarity with bugs could help project managers make a proper allotment of maintenance resources. However, to our knowledge, the effects of developer familiarity on bug fixing have not been studied. Aims: Inspired by the understanding of developers'/assignees' familiarity with bugs, we aim to investigate the effects of familiarity on efficiency and effectiveness of bug fixing. Method: Based on evolution history of buggy code lines, we propose three metrics to evaluate the developers'/assignees' familiarity with bugs. Additionally, we conduct an empirical study on 6 well-known Apache Software Foundation projects with more than 9000 confirmed bugs. Results: We observe that (a) familiarity is one of the common factors in cases of bug fixing: the developers are more likely to be assigned to fix the bugs introduced by themselves; (b) familiarity has complex effects on bug fixing: although the developers fix the bugs introduced by themselves more quickly (with high efficiency), they are more likely to introduce future bugs when fixing the current bugs (with worse effectiveness). Conclusion: We put forward the following suggestions: (a) managers should assign some "outsiders" to participate in bug fixing. (b) when developers deal with his own code, managers should assign more maintenance resource (e.g., more inspection) to developers. (C) 2020 Elsevier Inc. All rights reserved.

Yanjie Jiang,Hui Liu,Xiaoqing Luo,Zhihao Zhu,Xiaye Chi,Nan Niu,Yuxia Zhang,Yamin Hu,Pan Bian,Lu Zhang

DOI: https://doi.org/10.1109/tse.2022.3177713

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:Bug-related research, e.g., fault localization, program repair, and software testing, relies heavily on high-quality and large-scale software bug repositories. The importance of such repositories is twofold. On one side, real-world bugs and their associated patches may inspire novel approaches for finding, locating, and repairing software bugs. On the other side, the real-world bugs and their patches are indispensable for rigorous and meaningful evaluation of approaches to software testing, fault localization, and program repair. To this end, a number of software bug repositories, e.g., iBUGS and Defects4J, have been constructed recently by mining version control systems and bug tracking systems. However, fully automated construction of bug repositories by simply taking bug-fixing commits from version control systems often results in inaccurate patches that contain many bug-irrelevant changes. Although we may request experts or developers to manually exclude the bug-irrelevant changes (as the authors of Defects4J did), such extensive human intervention makes it difficult to build large-scale bug repositories. To this end, in this paper, we propose an automatic approach, called BugBuilder, to construct bug repositories from version control systems. Different from existing approaches, it automatically extracts complete and concise bug-fixing patches and excludes bug-irrelevant changes. It first detects and excludes software refactorings involved in bug-fixing commits. BugBuilder then enumerates all subsets of the remaining part, and discards invalid subsets by compilation and software testing. If exactly a single subset survives the validation, this subset is taken as the complete and concise bug-fixing patch for the associated bug. In case multiple subsets survive, BugBuilder employs a sequence of heuristics to select the most likely one. Evaluation results on 809 real-world bug-fixing commits in Defects4J suggest that BugBuilder successfully extracted complete and concise bug-fixing patches from forty-three percent of the bug-fixing commits, and its precision (99%) was even higher than human experts. We also built a bug repository, called GrowingBugs, with the proposed approach. The resulting repository serves as evidence of the usefulness of the proposed approach, as well as a publicly available benchmark for bug-related research.

Heyuan Shi,Shijun Chen,Runzhe Wang,Yuhan Chen,Weibo Zhang,Qiang Zhang,Yuheng Shen,Xiaohai Shi,Chao Hu,Yu Jiang

DOI: https://doi.org/10.1145/3691620.3695278

2024-01-01

Abstract:Directed grey-box fuzzing is a widely used automatic testing technique that has helped developers test specific code space in the target program. Although many directed fuzzers are designed to test the Linux kernel, challenges still remain due to the complexity of industrial requirements and deployment environments. In this paper, we collaborate with developers from Alibaba and the OpenAnolis community to conduct an industry practice of directed kernel fuzzing for open-source Linux distribution. We highlight typical challenges in deploying directed kernel fuzzing, including target-related kernel configuration options being disabled, unrelated initial seeds limiting fuzzing startup performance, no support for kernel feature interface fuzzing, independent fuzzer execution limiting fuzzing effectiveness, much manual work to triage and analyze crashes, and hard to integrate into the existing fuzzing framework. We provide solutions to these challenges, which allowed us to discover 11 previously unknown kernel bugs related to cloud-native features, io_uring, and other components in the OpenAnolis Linux distribution.

Haoyu Yang,Chen Wang,Qingkai Shi,Yang Feng,Zhenyu Chen

2014-01-01

Abstract:Bug fix is an important and challenging task in software development and maintenance. Bug fix is also a dangerous change, because it might induce new bugs. It is difficult to decide whether a bug fix is safe in practice. In this paper, we conducted an empirical study on bug inducing analysis to discover the types and features of fault prone bug fixes. We use a classical algorithm to track the location of the code changes introducing the bugs. The change types of the codes will be checked by an automatic tool and whether this change is a bug fix change is recorded. We analyze the statistics to find out what types of change are most prone to induce new bugs when they are intended to fix a bug. Finally, some guidelines are provided to help developers prevent such fault prone bug fixes.

Haibo Wang,Zhuolin Xu,Huaien Zhang,Nikolaos Tsantalis,Shin Hwei Tan

2024-09-23

Abstract:Refactoring is a critical process in software development, aiming at improving the internal structure of code while preserving its external behavior. Refactoring engines are integral components of modern Integrated Development Environments (IDEs) and can automate or semi-automate this process to enhance code readability, reduce complexity, and improve the maintainability of software products. Like traditional software systems, refactoring engines can generate incorrect refactored programs, resulting in unexpected behaviors or even crashes. In this paper, we present the first systematic study of refactoring engine bugs by analyzing bugs arising in three popular refactoring engines (i.e., Eclipse, IntelliJ IDEA, and Netbeans). We analyzed these bugs according to their refactoring types, symptoms, root causes, and triggering conditions. We obtained 12 findings and provided a series of valuable guidelines for future work on refactoring bug detection and debugging. Furthermore, our transferability study revealed 130 new bugs in the latest version of those refactoring engines. Among the 21 bugs we submitted, 10 bugs are confirmed by their developers, and seven of them have already been fixed.

Software Engineering

Yunbo Lyu,Hong Jin Kang,Ratnadira Widyasari,Julia Lawall,David Lo

2024-06-07

Abstract:The SZZ algorithm is used to connect bug-fixing commits to the earlier commits that introduced bugs. This algorithm has many applications and many variants have been devised. However, there are some types of commits that cannot be traced by the SZZ algorithm, referred to as "ghost commits". The evaluation of how these ghost commits impact the SZZ algorithm remains limited. Moreover, these algorithms have been evaluated on datasets created by software engineering researchers from information in bug trackers and version controlled histories. Since Oct 2013, the Linux kernel developers have started labelling bug-fixing patches with the commit identifiers of the corresponding bug-inducing commit(s) as a standard practice. As of v6.1-rc5, 76,046 pairs of bug-fixing patches and bug-inducing commits are available. This provides a unique opportunity to evaluate the SZZ algorithm on a large dataset that has been created and reviewed by project developers, entirely independently of the biases of software engineering researchers. In this paper, we apply six SZZ algorithms to 76,046 pairs of bug-fixing patches and bug-introducing commits from the Linux kernel. Our findings reveal that SZZ algorithms experience a more significant decline in recall on our dataset (13.8%) as compared to prior findings reported by Rosa et al., and the disparities between the individual SZZ algorithms diminish. Moreover, we find that 17.47% of bug-fixing commits are ghost commits. Finally, we propose Tracing-Commit SZZ (TC-SZZ), that traces all commits in the change history of lines modified or deleted in bug-fixing commits. Applying TC-SZZ to all failure cases, excluding ghost commits, we found that TC-SZZ could identify 17.7% of them. Our further analysis found that 34.6% of bug-inducing commits were in the function history, 27.5% in the file history (but not in the function history), and...

Software Engineering

Hui Ding,Wanwangying Ma,Lin Chen,Yuming Zhou,Baowen Xu

DOI: https://doi.org/10.1109/apsec.2017.38

2017-01-01

Abstract:GitHub has fostered complicated and enormous software ecosystems, in which projects depend on and co-evolve with each other. An error in an upstream project may affect its downstream projects through inter-dependencies, forming crossproject bugs. Though the upstream developers should fix the bugs on their side, proposing a workaround, i.e., a temporary solution in the downstream project is a common practice for the downstream developers. In this study, we empirically investigated the characteristics of downstream workarounds in the scientific Python ecosystem. Combining the statistical comparisons and manual inspection, we have the following three main findings. First, in general, the workarounds and the corresponding upstream fixes are significantly different in code size and code structure. Second, there are three kinds of crossproject bugs that the downstream developers usually work around. Last, four types of common patterns are identified from the investigated workarounds. The findings of this study lead to better understanding of cross-project bugs and the practices of developers in software ecosystems.