Kedi Shen,Yun Zhang,Lingfeng Bao,Zhiyuan Wan,Zhuorong Li,Minghui Wu

DOI: https://doi.org/10.1109/ICSE-COMPANION58688.2023.00049

2023-01-01

Abstract:With the rapid development of open source projects, the continuous emergence of vulnerabilities in the project brings great challenges to the security of the project. Security patches are one of the best ways to deal with vulnerabilities, but are not well applied currently. Although there are sites like CVE/NVD that provide information about vulnerabilities, many of the vulnerabilities disclosed by CVE/NVD are not accompanied by security patches. This makes it difficult for developers to apply patches. In the present study, a sorting method based on extracting multidimensional features from auxiliary information in CVE/NVD was proposed. And we made a further step, we proposed VCMATCH, a model for mining semantic information in vulnerability description and code commit messages, which has good recall rate and applicability across projects. On this basis, we established Patchmatch, a tool for helping developers to quickly locate patches. Given a vulnerability, Patchmatch can forecast the implicit patches in the code repository's commits. Patchmatch also has a visual webpage for information statistics and a display web page to help developers manage all kinds of information in the code repository. A demo video of Patchmatch is at https://www.youtube.com/watch?v=nOBSMFtZV8A. Patchmatch is in https://github.com/Sklud1456/patchmatch.

Lingxiao Tang,Chao Ni,Qiao Huang,Lingfeng Bao

DOI: https://doi.org/10.1109/tse.2024.3468296

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:The SZZ algorithm and its variants have been extensively utilized for identifying bug-inducing commits based on bug-fixing commits. However, these algorithms face challenges when there are no deletion lines in the bug-fixing commit. Previous studies have attempted to address this issue by tracing back all lines in the block that encapsulates the added lines. However, this method is too coarse-grained and suffers from low precision. To address this issue, we propose a novel method in this paper called SEM-SZZ, which is based on fine-grained semantic analysis. Initially, we observe that a significant number of bug-inducing commits can be identified by tracing back the unmodified lines near added lines, resulting in improved precision and F1-score. Building on this observation, we conduct a more fine-grained semantic analysis. We begin by performing program slicing to extract the program part near the added lines. Subsequently, we compare the program’s states between the previous version and the current version, focusing on data flow and control flow differences based on the extracted program part. Finally, we extract statements contributing to the bug based on these differences and utilize them to locate bug-inducing commits. We also extend our approach to fit the scenario where the bug-fixing commits contain deleted lines. Experimental results demonstrate that SEM-SZZ outperforms the state-of-the-art methods in identifying bug-inducing commits, regardless of whether the bug-fixing commit contains deleted lines.

Kui Liu,Jingtang Zhang,Li Li,Anil Koyuncu,Dongsun Kim,Chunpeng Ge,Zhe Liu,Jacques Klein,Tegawendé F. Bissyandé

DOI: https://doi.org/10.1145/3579637

IF: 3.685

2023-01-20

ACM Transactions on Software Engineering and Methodology

Abstract:Fix pattern-based patch generation is a promising direction in automated program repair (APR). Notably, it has been demonstrated to produce more acceptable and correct patches than the patches obtained with mutation operators through genetic programming. The performance of pattern-based APR systems, however, depends on the fix ingredients mined from fix changes in development histories. Unfortunately, collecting a reliable set of bug fixes in repositories can be challenging. In this paper, we propose investigating the possibility in an APR scenario of leveraging fix patterns inferred from code changes that address violations detected by static analysis tools. To that end, we build a fix pattern-based APR tool, Avatar , which exploits fix patterns of static analysis violations as ingredients for the patch generation of repairing semantic bugs. Evaluated on four benchmarks (i.e., Defects4J, Bugs.jar, BEARS, and QuixBugs), Avatar presents the potential feasibility of fixing semantic bugs with the fix patterns inferred from the patches for fixing static analysis violations, and can correctly fix 26 semantic bugs when Avatar is implemented with the normal program repair pipeline. We also find that Avatar achieves performance metrics that are comparable to that of the closely-related approaches in the literature. Compared with CoCoNut, Avatar can fix 18 new bugs in Defects4J and 3 new bugs in QuixBugs. When compared with HDRepair, JAID, and SketchFix, Avatar can newly fix 14 Defects4J bugs. In terms of the number of correctly fixed bugs, Avatar is also comparable to the program repair tools with the normal fault localization setting, and presents better performance than most program repair tools. These results imply that Avatar is complementary to current program repair approaches. We further uncover that Avatar can present different bug-fixing performances when it is configured with different fault localization tools, and the stack trace information from the failed executions of test cases can be exploited to improve the bug-fixing performance of Avatar by fixing more bugs with fewer generated patch candidates. Overall, our study highlights the relevance of static bug-finding tools as indirect contributors of fix ingredients for addressing code defects identified with functional test cases (i.e., dynamic information).

computer science, software engineering

Ping Yu,Yijian Wu,Jiahan Peng,Jian Zhang,Peicheng Xie

DOI: https://doi.org/10.1109/saner56733.2023.00059

2023-01-01

Abstract:Automated static analysis tools (ASATs) have become an integrated part of the software development workflow in many projects. While developers benefit from these tools to deliver quality code conforming to the pre-defined static analysis rules, it has been reported that many ASATs are underused. A number of detected violations are overlooked by developers due to false alarms or unactionable alerts. Despite of existing studies on the fixes of static analysis violations, there is still a gap in collecting and understanding the fact that some types of violations are fixed more often and/or more quickly than other types. To fill this gap, we conduct a large-scale empirical study on 56,506,892 violations from 30 active, popular, and high-quality open-source Java projects with long evolution histories. All violations were traced between adjacent revisions before we filtrated the fixed violations out of the closed ones by considering the types of source code changes that closed the violations. We identified the violation types with the highest and lowest fix rates and those that were fixed the most timely and least timely, and further investigated the possible underlying reasons for the differences in fix rate and fix time. Our findings is helpful to characterize and understand developers’ considerations when fixing violations and provide practical implications for developers, tool builders and researchers to optimize the usage and design of ASATs.

Fernanda Madeiral,Thomas Durieux,Victor Sobreira,Marcelo Maia

DOI: https://doi.org/10.48550/arXiv.1807.11286

2018-07-30

Abstract:The characterization of bug datasets is essential to support the evaluation of automatic program repair tools. In a previous work, we manually studied almost 400 human-written patches (bug fixes) from the Defects4J dataset and annotated them with properties, such as repair patterns. However, manually finding these patterns in different datasets is tedious and time-consuming. To address this activity, we designed and implemented PPD, a detector of repair patterns in patches, which performs source code change analysis at abstract-syntax tree level. In this paper, we report on PPD and its evaluation on Defects4J, where we compare the results from the automated detection with the results from the previous manual analysis. We found that PPD has overall precision of 91% and overall recall of 92%, and we conclude that PPD has the potential to detect as many repair patterns as human manual analysis.

Software Engineering

Yilin Yang,Tianxing He,Yang Feng,Shaoying Liu,Baowen Xu

DOI: https://doi.org/10.1007/s10664-021-10087-1

IF: 3.762

2022-01-28

Empirical Software Engineering

Abstract:Many code changes are inherently repetitive, and researchers employ repetitiveness of the code changes to generate bug fix patterns. Automatic Program Repair (APR) can automatically detect and fix bugs, thus helping developers to improve the quality of software products. As a critical component of APR, software bug fix patterns have been revealed by existing studies to be very effective in detecting and fixing bugs in different programming languages (e.g., Java/C++); yet the fix patterns proposed by these studies can not be directly applied to improve Python programs because of syntactic incompatibilities and lack of analysis of dynamic features. In this paper, we proposed a mining approach to identify fix patterns of Python programs by extracting fine-grained bug-fixing code changes. We first collected bug reports from GitHub repository and employed the abstract syntax tree edit distance to cluster similar bug-fixing code changes to generate fix patterns. We then evaluated the effectiveness of these fix patterns by applying them to single-hunk bugs in two benchmarks (BugsInPy and QuixBugs). The results show that 13 out of 101 real bugs can be fixed without human intervention; that is, the generated bug patch is identical or semantically equivalent with developer’s patches. Also, we evaluated the fix patterns in the wild. For each complex bug, 15% of the bug code could be fixed, and 37% of the bug code could be matched by fix patterns.

computer science, software engineering

Ping Yu,Yijian Wu,Xin Peng,Jiahan Peng,Jian Zhang,Peicheng Xie,Wenyun Zhao

DOI: https://doi.org/10.1109/icse48619.2023.00171

2023-01-01

Abstract:Automatic static analysis tools (ASATs) detect source code violations to static analysis rules and are usually used as a guard for source code quality. The adoption of ASATs, however, is often challenged because of several problems such as a large number of false alarms, invalid rule priorities, and inappropriate rule configurations. Research has shown that tracking the history of the violations is a promising way to solve the above problems because the facts of violation fixing may reflect the developers' subjective expectations on the violation detection results. Precisely identifying the revisions that induce or fix a violation is however challenging because of the imprecise matching of violations between code revisions and ignorance of merge commits in the maintenance history. In this paper, we propose ViolationTracker, an approach to precisely matching the violation instances between adjacent revisions and building the life cycle of violations with the identification of inducing, fixing, deleting, and reopening of each violation case. The approach employs code entity anchoring heuristics for violation matching and considers merge commits that used to be ignored in existing research. We evaluate ViolationTracker with a manually-validated dataset that consists of 500 violation instances and 158 threads of 30 violation cases with detailed evolution history from open-source projects. Violation Tracker achieves over 93 % precision and 98 % recall on violation matching, outperforming the state-of-the-art approach, and 99.4 % precision on rebuilding the histories of violation cases. We also show that ViolationTracker is useful to identify actionable violations. A preliminary empirical study reveals the possibility to prioritize static analysis rules according to further analysis on the actionable rates of the rules.

Hao Zhong,Xiaoyin Wang,Hong Mei

DOI: https://doi.org/10.1109/tse.2020.2996975

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:Static tools like Findbugs allow their users to manually define bug patterns, so they can detect more types of bugs, but due to the complexity and variety of programs, it is difficult to manually enumerate all bug patterns, especially for those related to API usages or project-specific rules. Therefore, existing bug-detection tools (e.g., Findbugs) based on manual bug patterns are insufficient in detecting many bugs. Meanwhile, with the rapid development of software, many past bug fixes accumulate in software version histories. These bug fixes contain valuable samples of illegal coding practices. The gap between existing bug samples and well-defined bug patterns motivates our research. In the literature, researchers have explored techniques on learning bug signatures from existing bugs, and a bug signature is defined as a set of program elements explaining the cause/effect of the bug. However, due to various limitations, existing approaches cannot analyze past bug fixes in large scale, and to the best of our knowledge, no previously unknown bugs were ever reported by their work. The major challenge to automatically analyze past bug fixes is that, bug-inducing inputs are typically not recorded, and many bug fixes are partial programs that have compilation errors. As a result, for most bugs in the version history, it is infeasible to reproduce them for dynamic analysis or to feed buggy/fixed code directly into static analysis tools which mostly depend on compilable complete programs. In this paper, we propose an approach, called DePa , that extracts bug signatures based on accurate partial-code analysis of bug fixes. With its support, we conduct the first large scale evaluation on 6,048 past bug fixes collected from four popular Apache projects. In particular, we use DePa to infer bug signatures from these fixes, and to check the latest versions of the four projects with the inferred bug signatures. Our results show that DePa detected 27 unique previously unknown bugs in total, including at least one bug from each project. These bugs are not detected by their developers nor other researchers. Among them, three of our reported bugs are already confirmed and repaired by their developers. Furthermore, our results show that the state-of-the-art tools detected only two of our found bugs, and our filtering techniques improve our precision from 25.5 to 51.5 percent.

Guangtai Liang,Qianxiang Wang,Tao Xie,Hong Mei

DOI: https://doi.org/10.1145/2491411.2491422

2013-01-01

Abstract:Lightweight static bug-detection tools such as FindBugs, PMD, Jlint, and Lint4j detect bugs with the knowledge of generic bug patterns (e.g., objects of java.io.InputStream are not closed in time after used). Besides generic bug patterns, different projects under analysis may have some project-specific bug patterns. For example, in a revision of the Xerces project, the class field "fDTDHandler" is dereferenced without proper null-checks, while it could actually be null at runtime. We name such bug patterns directly related to objects instantiated in specific projects as Project-Specific Bug Patterns (PSBPs). Due to lack of such PSBP knowledge, existing tools usually fail in effectively detecting most of this kind of bugs. We name bugs belonging to the same project and sharing the same PSBP as sibling bugs. If some sibling bugs are fixed in a fix revision but some others remain, we treat such fix as an incomplete fix. To address such incomplete fixes, we propose a PSBP-based approach for detecting sibling bugs and implement a tool called Sibling-Bug Detector (SBD). Given a fix revision, SBD first infers the PSBPs implied by the fix revision. Then, based on the inferred PSBPs, SBD detects their related sibling bugs in the same project. To evaluate SBD, we apply it to seven popular open-source projects. Among the 108 warnings reported by SBD, 63 of them have been confirmed as real bugs by the project developers, while two existing popular static detectors (FindBugs and PMD) cannot report most of them.

Han Cui,Menglei Xie,Ting Su,Chengyu Zhang,Shin Hwei Tan

2024-08-25

Abstract:Static code analyzers are widely used to help find program flaws. However, in practice the effectiveness and usability of such analyzers is affected by the problems of false negatives (FNs) and false positives (FPs). This paper aims to investigate the FNs and FPs of such analyzers from a new perspective, i.e., examining the historical issues of FNs and FPs of these analyzers reported by the maintainers, users and researchers in their issue repositories -- each of these issues manifested as a FN or FP of these analyzers in the history and has already been confirmed and fixed by the analyzers' developers. To this end, we conduct the first systematic study on a broad range of 350 historical issues of FNs/FPs from three popular static code analyzers (i.e., PMD, SpotBugs, and SonarQube). All these issues have been confirmed and fixed by the developers. We investigated these issues' root causes and the characteristics of the corresponding issue-triggering programs. It reveals several new interesting findings and implications on mitigating FNs and FPs. Furthermore, guided by some findings of our study, we designed a metamorphic testing strategy to find FNs and FPs. This strategy successfully found 14 new issues of FNs/FPs, 11 of which have been confirmed and 9 have already been fixed by the developers. Our further manual investigation of the studied analyzers revealed one rule specification issue and additional four FNs/FPs due to the weaknesses of the implemented static analysis. We have made all the artifacts (datasets and tools) publicly available at <a class="link-external link-https" href="https://zenodo.org/doi/10.5281/zenodo.11525129" rel="external noopener nofollow">this https URL</a>.

Software Engineering

Jiajun Jiang,Yingfei Xiong,Hongyu Zhang,Qing Gao,Xiangqun Chen

DOI: https://doi.org/10.1145/3213846.3213871

2018-01-01

Abstract:Automated program repair (APR) has great potential to reduce bug-fixing effort and many approaches have been proposed in recent years. APRs are often treated as a search problem where the search space consists of all the possible patches and the goal is to identify the correct patch in the space. Many techniques take a data-driven approach and analyze data sources such as existing patches and similar source code to help identify the correct patch. However, while existing patches and similar code provide complementary information, existing techniques analyze only a single source and cannot be easily extended to analyze both. In this paper, we propose a novel automatic program repair approach that utilizes both existing patches and similar code. Our approach mines an abstract search space from existing patches and obtains a concrete search space by differencing with similar code snippets. Then we search within the intersection of the two search spaces. We have implemented our approach as a tool called SimFix, and evaluated it on the Defects4J benchmark. Our tool successfully fixed 34 bugs. To our best knowledge, this is the largest number of bugs fixed by a single technology on the Defects4J benchmark. Furthermore, as far as we know, 13 bugs fixed by our approach have never been fixed by the current approaches.

Diogo Silveira Mendonça,Marcos Kalinowski

DOI: https://doi.org/10.48550/arXiv.2011.12886

2021-11-19

Abstract:Background: Custom static analysis rules, i.e., rules specific for one or more applications, have been successfully applied to perform corrective and preventive software maintenance. Pattern-Driven Maintenance (PDM) is a method designed to support the creation of such rules during software maintenance. However, as PDM was recently proposed, few maintainers have reported on its usage. Hence, the challenges and skills needed to apply PDM properly are unknown. Aims: In this paper, we investigate the challenges faced by maintainers on applying PDM for creating custom static analysis rules for defect localization. Method: We conducted an observational study on novice maintainers creating custom static analysis rules by applying PDM. The study was divided into three tasks: (i) identifying a defect pattern, (ii) programming a static analysis rule to locate instances of the pattern, and (iii) verifying the located instances. We analyzed the efficiency and acceptance of maintainers on applying PDM and their comments on task challenges. Results: We observed that previous knowledge on debugging, the subject software, and related technologies influenced the performance of maintainers as well as the time to learn the technology involved in rule programming. Conclusions: The results strengthen our confidence that PDM can help maintainers in producing custom static analysis rules for locating defects. However, a proper selection and training of maintainers is needed to apply PDM effectively. Also, using a higher level of abstraction can ease static analysis rule programming for novice maintainers.

Software Engineering

Jinhan Kim,Jongchan Park,Shin Yoo

2023-03-01

Abstract:Software bugs pose an ever-present concern for developers, and patching such bugs requires a considerable amount of costs through complex operations. In contrast, introducing bugs can be an effortless job, in that even a simple mutation can easily break the Program Under Test (PUT). Existing research has considered these two opposed activities largely separately, either trying to automatically generate realistic patches to help developers, or to find realistic bugs to simulate and prevent future defects. Despite the fundamental differences between them, however, we hypothesise that they do not syntactically differ from each other when considered simply as code changes. To examine this assumption systematically, we investigate the relationship between patches and buggy commits, both generated manually and automatically, using a clustering and pattern analysis. A large scale empirical evaluation reveals that up to 70% of patches and faults can be clustered together based on the similarity between their lexical patterns; further, 44% of the code changes can be abstracted into the identical change patterns. Moreover, we investigate whether code mutation tools can be used as Automated Program Repair (APR) tools, and APR tools as code mutation tools. In both cases, the inverted use of mutation and APR tools can perform surprisingly well, or even better, when compared to their original, intended uses. For example, 89% of patches found by SequenceR, a deep learning based APR tool, can also be found by its inversion, i.e., a model trained with faults and not patches. Similarly, real fault coupling study of mutants reveals that TBar, a template based APR tool, can generate 14% and 3% more fault couplings than traditional mutation tools, PIT and Major respectively, when used as a mutation tool.

Software Engineering

Bailin Lu,Wei Dong,Liangze Yin,Li Zhang

DOI: https://doi.org/10.1007/978-3-030-04272-1_4

2018-01-01

Abstract:Many static analysis methods and tools have been developed for program bug detection. They are based on diverse theoretical principles, such as pattern matching, abstract interpretation, model checking and symbolic execution. Unfortunately, none of them can meet most requirements for bug finding. Individual tool always faces high false negatives and/or false positives, which is the main obstacle for using them in practice. A direct and promising way to improve the capability of static analysis is to integrate diverse bug finders. In this paper, we first selected five state-of-the-art C/C++ static analysis tools implemented with different theories. We then evaluated them over different defect types and code structures in detail. To increase the precision and recall for tool integration, we studied how to properly employ machine learning algorithms based on features of programs and tools. Evaluation results show that: (1) the abilities of diverse tools are quite different for defect types and code structures, and their overlaps are quite small; (2) the integration based on machine learning can obviously improve the overall performance of static analysis. Finally, we investigated the defect types and code structures which are still challenging for existing tools. They should be addressed in future research on static analysis.

Naman Jain,Shubham Gandhi,Atharv Sonwane,Aditya Kanade,Nagarajan Natarajan,Suresh Parthasarathy,Sriram Rajamani,Rahul Sharma

2023-07-24

Abstract:Static analysis tools are traditionally used to detect and flag programs that violate properties. We show that static analysis tools can also be used to perturb programs that satisfy a property to construct variants that violate the property. Using this insight we can construct paired data sets of unsafe-safe program pairs, and learn strategies to automatically repair property violations. We present a system called \sysname, which automatically repairs information flow vulnerabilities using this approach. Since information flow properties are non-local (both to check and repair), \sysname also introduces a novel domain specific language (DSL) and strategy learning algorithms for synthesizing non-local repairs. We use \sysname to synthesize strategies for repairing two types of information flow vulnerabilities, unvalidated dynamic calls and cross-site scripting, and show that \sysname successfully repairs several hundred vulnerabilities from open source {\sc JavaScript} repositories, outperforming neural baselines built using {\sc CodeT5} and {\sc Codex}. Our datasets can be downloaded from \url{<a class="link-external link-http" href="http://aka.ms/StaticFixer" rel="external noopener nofollow">this http URL</a>}.

Software Engineering

Matias Martinez,Laurence Duchien,Martin Monperrus

DOI: https://doi.org/10.1109/ICSM.2013.54

2013-09-15

Abstract:A code change pattern represents a kind of recurrent modification in software. For instance, a known code change pattern consists of the change of the conditional expression of an if statement. Previous work has identified different change patterns. Complementary to the identification and definition of change patterns, the automatic extraction of pattern instances is essential to measure their empirical importance. For example, it enables one to count and compare the number of conditional expression changes in the history of different projects. In this paper we present a novel approach for search patterns instances from software history. Our technique is based on the analysis of Abstract Syntax Trees (AST) files within a given commit. We validate our approach by counting instances of 18 change patterns in 6 open-source Java projects.

Software Engineering

Robati Shirzad, Mohammad,Lam, Patrick

DOI: https://doi.org/10.1007/s10664-023-10437-1

IF: 3.762

2024-02-13

Empirical Software Engineering

Abstract:Rust is a relatively new programming language which allows programmers to write programs that have low-level control over resources while still ensuring high-level safety guarantees (for programs written in safe Rust). Rust's ownership framework enables programs to meet these two seemingly-contradictory goals. The Rust compiler's Borrow-Checker component enforces the ownership framework requirements that ensure Rust's safety guarantees. Rust is popular: as of 2022, it has ranked first, for the seventh consecutive year, in Stack Overflow's annual Developer Survey as the most-loved programming language. The number of Rust developers is growing as the need for faster and safer software increases. Yet, to our knowledge, no research has sought to identify the most pervasive bug fix patterns within Rust programs. In this project, we introduce Ruxanne, a tool for analyzing and extracting fix patterns in Rust. Ruxanne implements a novel embedding of Rust code into fixed-sized vectors. Using Ruxanne, we mined the top 18 most-starred Rust projects in GitHub to discover the most common bug fix patterns committed to their repositories. We analyzed 87,726 code changes drawn from 57,214 commits across these 18 projects. After clustering the code changes, and conducting a manual analysis, we identified 20 groups of cross-project bug fix patterns, which we categorize as (1) general patterns and (2) borrow-checker-related patterns. Among the general patterns, the most frequently observed pattern is when the user either adds or removes struct fields. In the case of borrow-checker-related patterns, the most common pattern we encountered is when the user removes a clone() call. We describe all detected patterns and their implications to automated program repair.

computer science, software engineering

Jaechang Nam,Ning Chen

DOI: https://doi.org/10.48550/arXiv.1311.1895

2013-11-11

Abstract:During the life cycle of software development, developers have to fix different kinds of bugs reported by testers or end users. The efficiency and effectiveness of fixing bugs have a huge impact on the reliability of the software as well as the productivity of the development team. Software companies usually spend a large amount of money and human resources on the testing and bug fixing departments. As a result, a better and more reliable way to fix bugs is highly desired by them. In order to achieve such goal, in depth studies on the characteristics of bug fixes from well maintained, highly popular software projects are necessary. In this paper, we study the bug fixing histories extracted from the Eclipse project, a well maintained, highly popular open source project. After analyzing more than 36,000 bugs that belongs to three major kinds of exception types, we are able to reveal some common fix types that are frequently used to fix certain kinds of program exceptions. Our analysis shows that almost all of the exceptions that belong to a certain exception can be fixed by less than ten fix types. Our result implies that most of the bugs in software projects can be and should be fixed by only a few common fix patterns.

Software Engineering

Tamer Abdelaziz,Aya Sedky,Bruno Rossi,Mostafa-Sami M. Mostafa

DOI: https://doi.org/10.48550/arXiv.1906.01419

2019-06-04

Abstract:The validation of design pattern implementations to identify pattern violations has gained more relevance as part of re-engineering processes in order to preserve, extend, reuse software projects in rapid development environments. If design pattern implementations do not conform to their definitions, they are considered a violation. Software aging and the lack of experience of developers are the origins of design pattern violations. It is important to check the correctness of the design pattern implementations against some predefined characteristics to detect and to correct violations, thus, to reduce costs. Currently, several tools have been developed to detect design pattern instances, but there has been little work done in creating an automated tool to identify and validate design pattern violations. In this paper we propose a Design Pattern Violations Identification and Assessment (DPVIA) tool, which has the ability to identify software design pattern violations and report the conformance score of pattern instance implementations towards a set of predefined characteristics for any design pattern definition whether Gang of Four (GoF) design patterns by Gamma et al[1]; or custom pattern by software developer. Moreover, we have verified the validity of the proposed tool using two evaluation experiments and the results were manually checked. Finally, in order to assess the functionality of the proposed tool, it is evaluated with a data-set containing 5,679,964 Lines of Code among 28,669 in 15 open-source projects, with a large and small size of open-source projects that extensively and systematically employing design patterns, to determine design pattern violations and suggest refactoring solutions, thus keeping costs of software evolution. The results can be used by software architects to develop best practices while using design patterns.

Software Engineering

Thu-Trang Nguyen,Xiao-Yi Zhang,Paolo Arcaini,Fuyuki Ishikawa,Hieu Dinh Vo

DOI: https://doi.org/10.1016/j.jss.2024.112152

IF: 3.5

2024-08-28

Journal of Systems and Software

Abstract:Software product line (SPL) systems are widely employed to develop industrial projects. For an SPL system, different products/variants are created by combining different subsets of the system features. Because of the interaction of the different features, a bug in the system could cause failures for some products (failing products), but not for others (passing products); such types of bugs are called variability bugs . Due to their variability characteristics, detecting and fixing bugs in SPL systems is challenging. There are several solutions for localizing buggy statements in these systems. However, there is still a lack of research on automatically fixing these bugs. In this work, we aim to make the first attempt at automatically fixing buggy statements in the source code of SPL systems. This paper proposes two approaches, single-product-based and multi-product-based, to repair the variability bugs in an SPL system to fix the failures of the failing products and not to break the correct behaviors of the passing products. For the single-product-based approach, each failing product is fixed individually, and the obtained patches are then propagated and validated on the other products of the system. For the multi-product-based approach, all the products are repaired simultaneously. The patches are generated and validated by all the sampled products of the system in each repair iteration. Moreover, to improve the repair performance of both approaches, we also introduce several heuristic rules for effectively and efficiently deciding where to fix ( navigating modification points ) and how to fix ( selecting suitable modifications ). These heuristic rules use intermediate validation results of the repaired programs as feedback to refine the fault localization results and evaluate the suitability of the modifications before actually applying and validating them by test execution. Our experimental results on a dataset of 318 variability bugs of five popular SPL systems show that the single-product-based approach is around 20 times better than the multi-product-based approach in the number of correct fixes. Notably, the heuristic rules could improve the performance of both approaches by increasing of 30%–150% the number of correct fixes, and decreasing of 30%–50% the number of attempted modification operations.

computer science, theory & methods, software engineering