ASE 2018 – Author Index
Aafer, Yousra |
ASE '18: "Dual-Force: Understanding ..."
Dual-Force: Understanding WebView Malware via Cross-Language Forced Execution
Zhenhao Tang, Juan Zhai, Minxue Pan, Yousra Aafer, Shiqing Ma, Xiangyu Zhang, and Jianhua Zhao (Nanjing University, China; Purdue University, USA) Modern Android malware samples tend to use advanced techniques to cover their malicious behaviors. They usually feature multi-staged, condition-guarded, and environment-specific payloads. An increasing number of them utilize WebView, particularly the two-way communication between Java and JavaScript, to evade detection and analysis by existing techniques. We propose Dual-Force, a forced execution technique which simultaneously forces both the Java and JavaScript code of WebView applications to execute along various paths without requiring any environment setup or providing any inputs manually. As such, the hidden payloads of WebView malware are forcefully exposed. The technique features a novel execution model that allows forced execution to suppress exceptions and continue execution. Experimental results show that Dual-Force precisely exposes the malicious payload in 119 out of 150 WebView malware samples. Compared to the state of the art, Dual-Force can expose 23% more malicious behaviors. @InProceedings{ASE18p714, author = {Zhenhao Tang and Juan Zhai and Minxue Pan and Yousra Aafer and Shiqing Ma and Xiangyu Zhang and Jianhua Zhao}, title = {Dual-Force: Understanding WebView Malware via Cross-Language Forced Execution}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {714--725}, doi = {10.1145/3238147.3238221}, year = {2018}, } Publisher's Version |
Abdessalem, Raja Ben |
ASE '18: "Testing Autonomous Cars for ..."
Testing Autonomous Cars for Feature Interaction Failures using Many-Objective Search
Raja Ben Abdessalem, Annibale Panichella , Shiva Nejati, Lionel C. Briand, and Thomas Stifter (University of Luxembourg, Luxembourg; Delft University of Technology, Netherlands; IEE, Luxembourg) Complex systems such as autonomous cars are typically built as a composition of features that are independent units of functionality. Features tend to interact and impact one another's behavior in unknown ways. A challenge is to detect and manage feature interactions, in particular, those that violate system requirements, hence leading to failures. In this paper, we propose a technique to detect feature interaction failures by casting this problem into a search-based test generation problem. We define a set of hybrid test objectives (distance functions) that combine traditional coverage-based heuristics with new heuristics specifically aimed at revealing feature interaction failures. We develop a new search-based test generation algorithm, called FITEST, that is guided by our hybrid test objectives. FITEST extends recently proposed many-objective evolutionary algorithms to reduce the time required to compute fitness values. We evaluate our approach using two versions of an industrial self-driving system. Our results show that our hybrid test objectives are able to identify more than twice as many feature interaction failures as two baseline test objectives used in the software testing literature (i.e., coverage-based and failure-based test objectives). Further, the feedback from domain experts indicates that the detected feature interaction failures represent real faults in their systems that were not previously identified based on analysis of the system features and their requirements. @InProceedings{ASE18p143, author = {Raja Ben Abdessalem and Annibale Panichella and Shiva Nejati and Lionel C. 
Briand and Thomas Stifter}, title = {Testing Autonomous Cars for Feature Interaction Failures using Many-Objective Search}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {143--154}, doi = {10.1145/3238147.3238192}, year = {2018}, } Publisher's Version |
Abreu, Rui |
ASE '18-TOOLS: "Lightweight Source Code Monitoring ..."
Lightweight Source Code Monitoring with Triggr
Alim Ozdemir, Ayse Tosun , Hakan Erdogmus, and Rui Abreu (Istanbul Technical University, Turkey; Carnegie Mellon University, USA; University of Lisbon, Portugal) Existing tools for monitoring the quality of codebases modified by multiple developers tend to be centralized and inflexible. These tools increase the visibility of quality by producing effective reports and visualizations when a change is made to the codebase and triggering alerts when undesirable situations occur. However, their configuration is invariably both (a) centrally managed in that individual maintainers cannot define local rules to receive customized feedback when a change occurs in a specific part of the code in which they are particularly interested, and (b) coarse-grained in that analyses cannot be turned on and off below the file level. Triggr, the tool proposed in this paper, addresses these limitations by allowing distributed, customized, and fine-grained monitoring. It is a lightweight re-implementation of our previous tool, CodeAware, which adopts the same paradigm. The tool listens on a codebase’s shared repository using an event-based approach, and can send alerts to subscribed developers based on rules defined locally by them. Triggr is open-source and available at https://github.com/lyzerk/Triggr. A demonstration video can be found at https://youtu.be/qQs9aDwXJjY. @InProceedings{ASE18p864, author = {Alim Ozdemir and Ayse Tosun and Hakan Erdogmus and Rui Abreu}, title = {Lightweight Source Code Monitoring with Triggr}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {864--867}, doi = {10.1145/3238147.3240486}, year = {2018}, } Publisher's Version |
Abubakar, Muhammad |
ASE '18: "TRIMMER: Application Specialization ..."
TRIMMER: Application Specialization for Code Debloating
Hashim Sharif, Muhammad Abubakar, Ashish Gehani, and Fareed Zaffar (University of Illinois at Urbana-Champaign, USA; Lahore University of Management Sciences, Pakistan; SRI International, USA) With the proliferation of new hardware architectures and ever-evolving user requirements, the software stack is becoming increasingly bloated. In practice, only a limited subset of the supported functionality is utilized in a particular usage context, thereby presenting an opportunity to eliminate unused features. In the past, program specialization has been proposed as a mechanism for enabling automatic software debloating. In this work, we show how existing program specialization techniques lack the analyses required for providing code simplification for real-world programs. We present an approach that uses stronger analysis techniques to take advantage of constant configuration data, thereby enabling more effective debloating. We developed Trimmer, an application specialization tool that leverages user-provided configuration data to specialize an application to its deployment context. The specialization process attempts to eliminate the application functionality that is unused in the user-defined context. Our evaluation demonstrates Trimmer can effectively reduce code bloat. For 13 applications spanning various domains, we observe a mean binary size reduction of 21% and a maximum reduction of 75%. We also show specialization reduces the surface for code-reuse attacks by reducing the number of exploitable gadgets. For the evaluated programs, we observe a 20% mean reduction in the total gadget count and a maximum reduction of 87%. @InProceedings{ASE18p329, author = {Hashim Sharif and Muhammad Abubakar and Ashish Gehani and Fareed Zaffar}, title = {TRIMMER: Application Specialization for Code Debloating}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {329--339}, doi = {10.1145/3238147.3238160}, year = {2018}, } Publisher's Version |
Accioly, Paola |
ASE '18-JFIRST: "Understanding Semi-structured ..."
Understanding Semi-structured Merge Conflict Characteristics in Open-Source Java Projects (Journal-First Abstract)
Paola Accioly, Paulo Borba, and Guilherme Cavalcanti (Federal University of Pernambuco, Brazil) In a collaborative development environment, tasks are commonly assigned to developers working independently of each other. As a result, when trying to integrate these contributions, one might have to deal with conflicting changes. Such conflicts might be detected when merging contributions (merge conflicts), when building the system (build conflicts), or when running tests (semantic conflicts). Regarding such conflicts, previous studies show that they occur frequently and impair developers’ productivity, as understanding and solving them is a demanding and tedious task that might introduce defects. However, despite the existing evidence in the literature, the structure of changes that lead to conflicts has not been studied yet. Understanding the underlying structure of conflicts, and the involved syntactic language elements, might shed light on how to better avoid them. For example, awareness tools that inform users about ongoing parallel changes, such as Syde and Palantír, can benefit from knowing the most common conflict patterns to become more efficient. With that aim, in this paper we focus on understanding the underlying structure of merge conflicts. @InProceedings{ASE18p955, author = {Paola Accioly and Paulo Borba and Guilherme Cavalcanti}, title = {Understanding Semi-structured Merge Conflict Characteristics in Open-Source Java Projects (Journal-First Abstract)}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {955--955}, doi = {10.1145/3238147.3241983}, year = {2018}, } Publisher's Version |
Aguirre, Nazareno |
ASE '18: "A Genetic Algorithm for Goal-Conflict ..."
A Genetic Algorithm for Goal-Conflict Identification
Renzo Degiovanni, Facundo Molina, Germán Regis, and Nazareno Aguirre (National University of Río Cuarto, Argentina; CONICET, Argentina) Goal-conflict analysis has been widely used as an abstraction for risk analysis in goal-oriented requirements engineering approaches. In this context, where the expected behaviour of the system-to-be is captured in terms of domain properties and goals, identifying combinations of circumstances that may make the goals diverge, i.e., not be satisfied as a whole, is of utmost importance. Various approaches have been proposed in order to automatically identify boundary conditions, i.e., formulas capturing goal-divergent situations, but they either apply only to some specific goal expressions, or are affected by scalability issues that make them applicable only to relatively small specifications. In this paper, we present a novel approach to automatically identify boundary conditions, using evolutionary computation. More precisely, we develop a genetic algorithm that, given the LTL formulation of the domain properties and the goals, searches for formulas that capture divergences in the specification. We exploit a modern LTL satisfiability checker to successfully guide our genetic algorithm to the solutions. We assess our technique on a set of case studies, and show that our genetic algorithm is able to find boundary conditions that cannot be generated by related approaches, and is able to efficiently scale to LTL specifications that other approaches are unable to deal with. @InProceedings{ASE18p520, author = {Renzo Degiovanni and Facundo Molina and Germán Regis and Nazareno Aguirre}, title = {A Genetic Algorithm for Goal-Conflict Identification}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {520--531}, doi = {10.1145/3238147.3238220}, year = {2018}, } Publisher's Version Info |
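The search described in this abstract follows the standard genetic-algorithm template of selection, crossover, and mutation. As an illustration only, here is a minimal sketch of such a loop in Python, with a toy bit-counting fitness standing in for the paper's LTL-satisfiability-guided fitness; all names and parameter values are hypothetical.

```python
import random

def genetic_search(fitness, genome_len, pop_size=30, generations=200,
                   mutation_rate=0.05, seed=1):
    """Generic GA loop: truncation selection, one-point crossover,
    bit-flip mutation. Returns the fittest individual found."""
    rng = random.Random(seed)
    pop = [[rng.randint(0, 1) for _ in range(genome_len)]
           for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        survivors = pop[: pop_size // 2]          # keep the fittest half
        children = []
        while len(survivors) + len(children) < pop_size:
            a, b = rng.sample(survivors, 2)
            cut = rng.randrange(1, genome_len)    # one-point crossover
            child = a[:cut] + b[cut:]
            child = [1 - g if rng.random() < mutation_rate else g
                     for g in child]              # bit-flip mutation
            children.append(child)
        pop = survivors + children
    return max(pop, key=fitness)

# Toy fitness (count of 1-bits) standing in for the LTL-based guidance.
best = genetic_search(sum, genome_len=20)
```

With elitist selection the best fitness never degrades, so the loop converges toward the all-ones genome on this toy objective; in the paper's setting the fitness would instead score candidate LTL formulas.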
Alizadeh, Vahid |
ASE '18: "Reducing Interactive Refactoring ..."
Reducing Interactive Refactoring Effort via Clustering-Based Multi-objective Search
Vahid Alizadeh and Marouane Kessentini (University of Michigan, USA) Refactoring is nowadays widely adopted in the industry because bad design decisions can be very costly and extremely risky. On the one hand, automated refactoring does not always lead to the desired design. On the other hand, manual refactoring is error-prone, time-consuming, and not practical for radical changes. Thus, recent research trends in the field have focused on integrating developers' feedback into automated refactoring recommendations, because developers understand the problem domain intuitively and may have a clear target design in mind. However, this interactive process can be repetitive, expensive, and tedious, since developers must evaluate recommended refactorings and adapt them to the targeted design, especially in large systems where the number of possible strategies can grow exponentially. In this paper, we propose an interactive approach combining the use of multi-objective search and unsupervised learning to reduce the developer's interaction effort when refactoring systems. We first generate, using multi-objective search, different possible refactoring strategies by finding a trade-off between several conflicting quality attributes. Then, an unsupervised learning algorithm clusters the different trade-off solutions, called the Pareto front, to guide the developers in selecting their regions of interest and reduce the number of refactoring options to explore. The feedback from the developer, both at the cluster and solution levels, is used to automatically generate constraints to reduce the search space in the next iterations and focus on the region of developer preferences. We selected 14 active developers to manually evaluate the effectiveness of our tool on 5 open source projects and one industrial system. The results show that the participants found their desired refactorings faster and more accurately than with the current state of the art. 
@InProceedings{ASE18p464, author = {Vahid Alizadeh and Marouane Kessentini}, title = {Reducing Interactive Refactoring Effort via Clustering-Based Multi-objective Search}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {464--474}, doi = {10.1145/3238147.3238217}, year = {2018}, } Publisher's Version |
Almasri, Nada |
ASE '18-JFIRST: "Automatically Quantifying ..."
Automatically Quantifying the Impact of a Change in Systems (Journal-First Abstract)
Nada Almasri, Luay Tahat, and Bogdan Korel (Gulf University for Science and Technology, Kuwait; Illinois Institute of Technology, USA) Software maintenance is becoming more challenging with the increased complexity of the software and the frequently applied changes. Performing impact analysis before the actual implementation of a change is a crucial task during system maintenance. While many tools and techniques are available to measure the impact of a change at the code level, little research has been done on measuring the impact of a change at an earlier stage in the development process. Measuring the impact of a change at the model level speeds up the maintenance process, allowing early discovery of critical components of the system before applying the actual change at the code level. In this paper, we present a model-based impact analysis approach for state-based systems such as telecommunication or embedded systems. The proposed approach uses model dependencies to automatically measure the expected impact of a requested change instead of relying on the expertise of system maintainers, and it generates two impact sets representing the lower bound and the upper bound of the impact. Although it can be extended to other behavioral models, the presented approach mainly addresses extended finite-state machine (EFSM) models. An empirical study is conducted on six EFSM models to investigate the usefulness of the proposed approach. The results show that on average the size of the impact after a single modification (a change in one EFSM transition) ranges between 14% and 38% of the total size of the model. For a modification involving multiple transitions, the average size of the impact ranges between 30% and 64% of the total size of the model. Additionally, we investigated the relationships (correlation) between the structure of the EFSM model and the size of the impact sets. 
Upon preliminary analysis of the correlation, the concepts of model density and data density were defined, and it was found that they could be the major factors influencing the sizes of impact sets for models. As a result, these factors can be used to determine the types of models for which the proposed approach is the most appropriate. @InProceedings{ASE18p952, author = {Nada Almasri and Luay Tahat and Bogdan Korel}, title = {Automatically Quantifying the Impact of a Change in Systems (Journal-First Abstract)}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {952--952}, doi = {10.1145/3238147.3241984}, year = {2018}, } Publisher's Version |
Arora, Nipun |
ASE '18: "Replay without Recording of ..."
Replay without Recording of Production Bugs for Service Oriented Applications
Nipun Arora, Jonathan Bell, Franjo Ivančić, Gail Kaiser, and Baishakhi Ray (Dropbox, USA; George Mason University, USA; Google, USA; Columbia University, USA) Short time-to-localize and time-to-fix for production bugs are extremely important for any 24x7 service-oriented application (SOA). Debugging buggy behavior in deployed applications is hard, as it requires careful reproduction of a similar environment and workload. Prior approaches for automatically reproducing production failures do not scale to large SOA systems. Our key insight is that for many failures in SOA systems (e.g., many semantic and performance bugs), a failure can automatically be reproduced solely by relaying network packets to replicas of suspect services, an insight that we validated through a manual study of 16 real bugs across five different systems. This paper presents Parikshan, an application monitoring framework that leverages user-space virtualization and network proxy technologies to provide a sandbox “debug” environment. In this “debug” environment, developers are free to attach debuggers and analysis tools without impacting performance or correctness of the production environment. In comparison to existing monitoring solutions that can slow down production applications, Parikshan allows application monitoring at significantly lower overhead. @InProceedings{ASE18p452, author = {Nipun Arora and Jonathan Bell and Franjo Ivančić and Gail Kaiser and Baishakhi Ray}, title = {Replay without Recording of Production Bugs for Service Oriented Applications}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {452--463}, doi = {10.1145/3238147.3238186}, year = {2018}, } Publisher's Version |
Arora, Pryanshu |
ASE '18: "Automated Directed Fairness ..."
Automated Directed Fairness Testing
Sakshi Udeshi, Pryanshu Arora, and Sudipta Chattopadhyay (Singapore University of Technology and Design, Singapore; BITS Pilani, India) Fairness is a critical trait in decision making. As machine-learning models are increasingly being used in sensitive application domains (e.g. education and employment) for decision making, it is crucial that the decisions computed by such models are free of unintended bias. But how can we automatically validate the fairness of arbitrary machine-learning models? For a given machine-learning model and a set of sensitive input parameters, our Aequitas approach automatically discovers discriminatory inputs that highlight fairness violations. At the core of Aequitas are three novel strategies to employ probabilistic search over the input space with the objective of uncovering fairness violations. Our Aequitas approach leverages the inherent robustness property of common machine-learning models to design and implement scalable test generation methodologies. An appealing feature of our generated test inputs is that they can be systematically added to the training set of the underlying model and improve its fairness. To this end, we design a fully automated module that guarantees to improve the fairness of the model. We implemented Aequitas and we have evaluated it on six state-of-the-art classifiers. Our subjects also include a classifier that was designed with fairness in mind. We show that Aequitas effectively generates inputs to uncover fairness violations in all the subject classifiers and systematically improves the fairness of the respective models using the generated test inputs. In our evaluation, Aequitas generates up to 70% discriminatory inputs (w.r.t. the total number of inputs generated) and leverages these inputs to improve the fairness up to 94%. 
@InProceedings{ASE18p98, author = {Sakshi Udeshi and Pryanshu Arora and Sudipta Chattopadhyay}, title = {Automated Directed Fairness Testing}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {98--108}, doi = {10.1145/3238147.3238165}, year = {2018}, } Publisher's Version |
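The core idea of searching for discriminatory inputs can be sketched independently of the paper's tooling: an input witnesses a fairness violation if changing only the sensitive attribute flips the model's decision. The sketch below is a simplified random-probing illustration, not the authors' algorithm; the toy classifier and all names are hypothetical.

```python
import random

def find_discriminatory_inputs(model, sample_input, sensitive_idx,
                               sensitive_values, n_trials=1000, seed=0):
    """Randomly probe around a seed input; an input is discriminatory if
    changing only the sensitive attribute changes the model's decision."""
    rng = random.Random(seed)
    found = []
    for _ in range(n_trials):
        # Perturb only the non-sensitive attributes.
        x = [v + rng.randint(-1, 1) if i != sensitive_idx else v
             for i, v in enumerate(sample_input)]
        base = model(x)
        for s in sensitive_values:
            y = list(x)
            y[sensitive_idx] = s
            if model(y) != base:   # fairness violation witnessed
                found.append((x, y))
                break
    return found

# Toy "classifier" that (unfairly) keys on attribute 0, the sensitive one.
biased = lambda x: int(x[0] > 0 and x[1] > 5)
violations = find_discriminatory_inputs(biased, [0, 6, 3], 0, [0, 1])
```

In the paper's approach the discovered pairs would additionally be fed back into the training set to improve the model's fairness.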
Bacchelli, Alberto |
ASE '18-IDEAS: "Continuous Code Quality: Are ..."
Continuous Code Quality: Are We (Really) Doing That?
Carmine Vassallo, Fabio Palomba, Alberto Bacchelli, and Harald C. Gall (University of Zurich, Switzerland) Continuous Integration (CI) is a software engineering practice where developers constantly integrate their changes to a project through an automated build process. The goal of CI is to provide developers with prompt feedback on several quality dimensions after each change. Indeed, previous studies provided empirical evidence of a positive association between properly following CI principles and source code quality. A core principle behind CI, Continuous Code Quality (also known as CCQ, which includes automated testing and automated code inspection), may appear simple and effective, yet we know little about its practical adoption. In this paper, we propose a preliminary empirical investigation aimed at understanding how rigorously practitioners follow CCQ. Our study reveals a strong dichotomy between theory and practice: developers do not perform continuous inspection but rather control for quality only at the end of a sprint and most of the time only on the release branch. Preprint [https://doi.org/10.5281/zenodo.1341036]. Data and Materials [http://doi.org/10.5281/zenodo.1341015]. @InProceedings{ASE18p790, author = {Carmine Vassallo and Fabio Palomba and Alberto Bacchelli and Harald C. Gall}, title = {Continuous Code Quality: Are We (Really) Doing That?}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {790--795}, doi = {10.1145/3238147.3240729}, year = {2018}, } Publisher's Version ASE '18: "Mining File Histories: Should ..." Mining File Histories: Should We Consider Branches? Vladimir Kovalenko, Fabio Palomba, and Alberto Bacchelli (Delft University of Technology, Netherlands; University of Zurich, Switzerland) Modern distributed version control systems, such as Git, offer support for branching — the possibility to develop parts of software outside the master trunk. 
Consideration of the repository structure in Mining Software Repository (MSR) studies requires a thorough approach to mining, but there is no well-documented, widespread methodology regarding the handling of merge commits and branches. Moreover, there is still a lack of knowledge of the extent to which considering branches during MSR studies impacts the results of the studies. In this study, we set out to evaluate the importance of proper handling of branches when calculating file modification histories. We analyze over 1,400 Git repositories of four open source ecosystems and compute modification histories for over two million files, using two different algorithms. One algorithm only follows the first parent of each commit when traversing the repository, the other returns the full modification history of a file across all branches. We show that the two algorithms consistently deliver different results, but the scale of the difference varies across projects and ecosystems. Further, we evaluate the importance of accurate mining of file histories by comparing the performance of common techniques that rely on file modification history — reviewer recommendation, change recommendation, and defect prediction — for two algorithms of file history retrieval. We find that considering full file histories leads to an increase in the techniques’ performance that is rather modest. @InProceedings{ASE18p202, author = {Vladimir Kovalenko and Fabio Palomba and Alberto Bacchelli}, title = {Mining File Histories: Should We Consider Branches?}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {202--213}, doi = {10.1145/3238147.3238169}, year = {2018}, } Publisher's Version Info |
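The difference between the two retrieval algorithms compared in this study can be illustrated on a toy commit graph: a first-parent walk misses changes made on a merged feature branch, while a traversal of all parents finds them. This is a simplified sketch, not the paper's implementation; commit names and files are hypothetical.

```python
# Toy commit graph: each commit lists its parent ids (first parent first)
# and the set of files it touches.
parents = {
    "m3": ["m2", "f2"],   # merge commit: m2 is the first parent
    "m2": ["m1"],
    "f2": ["f1"],         # feature-branch commits
    "f1": ["m1"],
    "m1": [],
}
touched = {"m3": set(), "m2": {"a.py"}, "f2": {"a.py"},
           "f1": {"b.py"}, "m1": {"a.py"}}

def history(head, path, first_parent_only):
    """Commits that modified `path`, walking the DAG from `head`."""
    out, stack, seen = [], [head], set()
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        if path in touched[c]:
            out.append(c)
        ps = parents[c]
        stack.extend(ps[:1] if first_parent_only else ps)
    return out

short = history("m3", "a.py", first_parent_only=True)   # misses f2
full = history("m3", "a.py", first_parent_only=False)   # includes f2
```

The first-parent walk returns only the mainline modifications of `a.py`, while the full traversal also recovers the change made on the merged branch, mirroring the gap the study quantifies.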
Bagheri, Hamid |
ASE '18-IDEAS: "An Evolutionary Approach for ..."
An Evolutionary Approach for Analyzing Alloy Specifications
Jianghao Wang, Hamid Bagheri, and Myra B. Cohen (University of Nebraska-Lincoln, USA) Formal methods use mathematical notations and logical reasoning to precisely define a program's specifications, from which we can instantiate valid instances of a system. With these techniques we can perform a multitude of tasks to check system dependability. Despite the existence of many automated tools, including ones considered lightweight, such tools still lack strong adoption in practice. At the crux of this problem are scalability and applicability to large real-world applications. In this paper we show how to relax the completeness guarantee without much loss, since soundness is maintained. We have extended a popular lightweight analysis, Alloy, with a genetic algorithm. Our new tool, EvoAlloy, works at the level of finite relations generated by Kodkod and evolves the chromosomes based on the failed constraints. In a feasibility study we demonstrate that we can find solutions to a set of specifications beyond the scope where traditional Alloy fails. While small specifications take longer with EvoAlloy, its scalability means we can handle larger specifications. Our future vision is that when specifications are small we can maintain both soundness and completeness, but when this fails, EvoAlloy can switch to its genetic algorithm. @InProceedings{ASE18p820, author = {Jianghao Wang and Hamid Bagheri and Myra B. Cohen}, title = {An Evolutionary Approach for Analyzing Alloy Specifications}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {820--825}, doi = {10.1145/3238147.3240468}, year = {2018}, } Publisher's Version |
Bai, Guangdong |
ASE '18: "Break the Dead End of Dynamic ..."
Break the Dead End of Dynamic Slicing: Localizing Data and Control Omission Bug
Yun Lin, Jun Sun, Lyly Tran, Guangdong Bai, Haijun Wang, and Jinsong Dong (National University of Singapore, Singapore; Singapore University of Technology and Design, Singapore; Singapore Institute of Technology, Singapore; Nanyang Technological University, Singapore) Dynamic slicing is a common way of identifying the root cause when a program fault is revealed. With the dynamic slicing technique, the programmers can follow data and control flow along the program execution trace to the root cause. However, the technique usually fails to work on omission bugs, i.e., faults caused by not executing some code. In many cases, dynamic slicing over-skips the root cause when an omission bug happens, leading the debugging process to a dead end. In this work, we conduct an empirical study on the omission bugs in the Defects4J bug repository. Our study shows that (1) omission bugs are prevalent (46.4%) among all the studied bugs; (2) there are repeating patterns in the causes and fixes of omission bugs; (3) the patterns of fixing omission bugs serve as a strong hint to break the slicing dead end. Based on our findings, we train a neural network model on the omission bugs in the Defects4J repository to recommend where to proceed when slicing can no longer work. We conduct an experiment by applying our approach on 3193 mutated omission bugs which slicing fails to locate. The results show that our approach outperforms a random baseline in breaking the dead end and localizing the mutated omission bugs (63.8% over 2.8%). @InProceedings{ASE18p509, author = {Yun Lin and Jun Sun and Lyly Tran and Guangdong Bai and Haijun Wang and Jinsong Dong}, title = {Break the Dead End of Dynamic Slicing: Localizing Data and Control Omission Bug}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {509--519}, doi = {10.1145/3238147.3238163}, year = {2018}, } Publisher's Version |
Bajammal, Mohammad |
ASE '18: "Generating Reusable Web Components ..."
Generating Reusable Web Components from Mockups
Mohammad Bajammal, Davood Mazinanian, and Ali Mesbah (University of British Columbia, Canada) The transformation of a user interface mockup designed by a graphic designer to web components in the final app built by a web developer is often laborious, involving manual and time consuming steps. We propose an approach to automate this aspect of web development by generating reusable web components from a mockup. Our approach employs visual analysis of the mockup, and unsupervised learning of visual cues to create reusable web components (e.g., React components). We evaluated our approach, implemented in a tool called VizMod, on five real-world web mockups, and assessed the transformations and generated components through comparison with web development experts. The results show that VizMod achieves on average 94% precision and 75% recall in terms of agreement with the developers' assessment. Furthermore, the refactorings yielded 22% code reusability, on average. @InProceedings{ASE18p601, author = {Mohammad Bajammal and Davood Mazinanian and Ali Mesbah}, title = {Generating Reusable Web Components from Mockups}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {601--611}, doi = {10.1145/3238147.3238194}, year = {2018}, } Publisher's Version |
Bao, Liang |
ASE '18: "AutoConfig: Automatic Configuration ..."
AutoConfig: Automatic Configuration Tuning for Distributed Message Systems
Liang Bao, Xin Liu, Ziheng Xu, and Baoyin Fang (Xidian University, China; University of California at Davis, USA) Distributed message systems (DMSs) serve as the communication backbone for many real-time streaming data processing applications. To support the vast diversity of such applications, DMSs provide a large number of parameters to configure. However, configuring these parameters well for better performance is overwhelming for most users. Although many automatic configuration approaches have been proposed to address this issue, critical challenges still remain: 1) to train a robust performance prediction model using a limited number of samples, and 2) to search a high-dimensional parameter space efficiently within a time constraint. In this paper, we propose AutoConfig -- an automatic configuration system that can optimize producer-side throughput on DMSs. AutoConfig constructs a novel comparison-based model (CBM) that is more robust than the prediction-based model (PBM) used by previous learning-based approaches. Furthermore, AutoConfig uses a weighted Latin hypercube sampling (wLHS) approach to select a set of samples that can provide better coverage of the high-dimensional parameter space. wLHS allows AutoConfig to search for more promising configurations using the trained CBM. We have implemented AutoConfig on the Kafka platform, and evaluated it using eight different testing scenarios deployed on a public cloud. Experimental results show that our CBM can obtain better results than PBM under the same random-forest-based model. Furthermore, AutoConfig outperforms default configurations by 215.40% on average, and five state-of-the-art configuration algorithms by 7.21%-64.56%. 
@InProceedings{ASE18p29, author = {Liang Bao and Xin Liu and Ziheng Xu and Baoyin Fang}, title = {AutoConfig: Automatic Configuration Tuning for Distributed Message Systems}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {29--40}, doi = {10.1145/3238147.3238175}, year = {2018}, } Publisher's Version |
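For illustration, plain (unweighted) Latin hypercube sampling can be sketched as follows; the weighting scheme of wLHS is specific to the paper and not reproduced here. The two parameter ranges are hypothetical stand-ins for broker/producer settings such as Kafka's `batch.size` and `linger.ms`.

```python
import random

def latin_hypercube(n_samples, bounds, seed=0):
    """Plain Latin hypercube sampling: each dimension is split into
    n_samples equal strata, and each stratum is used exactly once."""
    rng = random.Random(seed)
    dims = []
    for lo, hi in bounds:
        width = (hi - lo) / n_samples
        # One random point per stratum, then shuffle the stratum order
        # so strata are paired randomly across dimensions.
        pts = [lo + (i + rng.random()) * width for i in range(n_samples)]
        rng.shuffle(pts)
        dims.append(pts)
    return list(zip(*dims))  # one configuration per sample

# e.g. hypothetical ranges for two producer parameters
samples = latin_hypercube(8, [(1024, 65536), (0, 100)])
```

Compared to uniform random sampling, every stratum of every dimension is covered exactly once, which is what gives LHS its coverage guarantee over high-dimensional spaces.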
Baudry, Benoit |
ASE '18-TOOLS: "Descartes: A PITest Engine ..."
Descartes: A PITest Engine to Detect Pseudo-Tested Methods: Tool Demonstration
Oscar Luis Vera-Pérez, Martin Monperrus, and Benoit Baudry (Inria, France; KTH, Sweden) Descartes is a tool that implements extreme mutation operators and aims at finding pseudo-tested methods in Java projects. It leverages the efficient transformation and runtime features of PITest. The demonstration compares Descartes with Gregor, the default mutation engine provided by PITest, in a set of real open source projects. It considers the execution time, the number of mutants created, and the relationship between the mutation scores produced by both engines. It provides some insights on the main features exposed by Descartes. @InProceedings{ASE18p908, author = {Oscar Luis Vera-Pérez and Martin Monperrus and Benoit Baudry}, title = {Descartes: A PITest Engine to Detect Pseudo-Tested Methods: Tool Demonstration}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {908--911}, doi = {10.1145/3238147.3240474}, year = {2018}, } Publisher's Version Info |
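Extreme mutation, which Descartes implements, replaces an entire method body with a default value; a covered method whose extreme mutants all survive the test suite is pseudo-tested. A minimal sketch of that idea follows (hypothetical method and tests, not tied to PITest's actual API):

```python
def run_suite(fn, suite):
    """Return True if every test in the suite passes against fn."""
    for test in suite:
        try:
            test(fn)
        except AssertionError:
            return False
    return True

def is_pseudo_tested(original, extreme_mutants, suite):
    """A covered method is pseudo-tested if the suite passes on the
    original AND on every extreme mutant (whole body replaced by a
    constant), i.e. the tests never check the method's effect."""
    return run_suite(original, suite) and all(
        run_suite(mutant, suite) for mutant in extreme_mutants)

# Hypothetical method under test:
def clamp(x):
    return max(0, min(10, x))

# Extreme mutants: the body is replaced wholesale by a default value.
mutants = [lambda x: 0, lambda x: None]

# A weak test that calls clamp but never asserts on its result:
weak_suite = [lambda f: f(5)]
```

Here `is_pseudo_tested(clamp, mutants, weak_suite)` holds, flagging `clamp` as pseudo-tested by the weak suite.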
|
Bavota, Gabriele |
ASE '18-IDEAS: "An Empirical Investigation ..."
An Empirical Investigation into Learning Bug-Fixing Patches in the Wild via Neural Machine Translation
Michele Tufano, Cody Watson, Gabriele Bavota, Massimiliano Di Penta, Martin White, and Denys Poshyvanyk (College of William and Mary, USA; University of Lugano, Switzerland; University of Sannio, Italy) Millions of open-source projects with numerous bug fixes are available in code repositories. This proliferation of software development histories can be leveraged to learn how to fix common programming bugs. To explore this potential, we perform an empirical study to assess the feasibility of using Neural Machine Translation techniques for learning bug-fixing patches for real defects. We mine millions of bug-fixes from the change histories of GitHub repositories to extract meaningful examples of such bug-fixes. Then, we abstract the buggy and corresponding fixed code, and use them to train an Encoder-Decoder model able to translate buggy code into its fixed version. Our model is able to fix hundreds of unique buggy methods in the wild. Overall, this model is capable of predicting fixed patches generated by developers in 9% of the cases. @InProceedings{ASE18p832, author = {Michele Tufano and Cody Watson and Gabriele Bavota and Massimiliano Di Penta and Martin White and Denys Poshyvanyk}, title = {An Empirical Investigation into Learning Bug-Fixing Patches in the Wild via Neural Machine Translation}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {832--837}, doi = {10.1145/3238147.3240732}, year = {2018}, } Publisher's Version |
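The abstraction step the abstract mentions maps concrete identifiers to indexed placeholders so that the model learns patterns rather than names. A deliberately simplified sketch of that idea (the paper's actual abstraction pipeline is far more elaborate, handling literals, types, and idioms):

```python
import re

# Java-like keywords left untouched (a tiny illustrative subset).
KEYWORDS = {"if", "else", "return", "int", "while"}

def abstract_code(src):
    """Replace each concrete identifier with an indexed placeholder,
    reusing the same placeholder for repeated occurrences."""
    mapping = {}
    def repl(match):
        name = match.group(0)
        if name in KEYWORDS:
            return name
        mapping.setdefault(name, f"VAR_{len(mapping) + 1}")
        return mapping[name]
    return re.sub(r"[A-Za-z_]\w*", repl, src), mapping

abstracted, mapping = abstract_code("int foo(int a) { if (a) return a; return 0; }")
# abstracted == "int VAR_1(int VAR_2) { if (VAR_2) return VAR_2; return 0; }"
```

The mapping is kept so that, after the model predicts a fix over placeholders, the concrete names can be restored.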
|
Bell, Jonathan |
ASE '18: "Replay without Recording of ..."
Replay without Recording of Production Bugs for Service Oriented Applications
Nipun Arora, Jonathan Bell, Franjo Ivančić, Gail Kaiser, and Baishakhi Ray (Dropbox, USA; George Mason University, USA; Google, USA; Columbia University, USA) Short time-to-localize and time-to-fix for production bugs are extremely important for any 24x7 service-oriented application (SOA). Debugging buggy behavior in deployed applications is hard, as it requires careful reproduction of a similar environment and workload. Prior approaches for automatically reproducing production failures do not scale to large SOA systems. Our key insight is that for many failures in SOA systems (e.g., many semantic and performance bugs), a failure can automatically be reproduced solely by relaying network packets to replicas of suspect services, an insight that we validated through a manual study of 16 real bugs across five different systems. This paper presents Parikshan, an application monitoring framework that leverages user-space virtualization and network proxy technologies to provide a sandbox “debug” environment. In this “debug” environment, developers are free to attach debuggers and analysis tools without impacting performance or correctness of the production environment. In comparison to existing monitoring solutions that can slow down production applications, Parikshan allows application monitoring at significantly lower overhead. @InProceedings{ASE18p452, author = {Nipun Arora and Jonathan Bell and Franjo Ivančić and Gail Kaiser and Baishakhi Ray}, title = {Replay without Recording of Production Bugs for Service Oriented Applications}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {452--463}, doi = {10.1145/3238147.3238186}, year = {2018}, } Publisher's Version ASE '18: "A Large-Scale Study of Test ..." 
A Large-Scale Study of Test Coverage Evolution Michael Hilton, Jonathan Bell, and Darko Marinov (Carnegie Mellon University, USA; George Mason University, USA; University of Illinois at Urbana-Champaign, USA) Statement coverage is commonly used as a measure of test suite quality. Coverage is often used as a part of a code review process: if a patch decreases overall coverage, or is itself not covered, then the patch is scrutinized more closely. Traditional studies of how coverage changes with code evolution have examined the overall coverage of the entire program, and more recent work directly examines the coverage of patches (changed statements). We present an evaluation much larger than prior studies and, moreover, consider a new, important kind of change: coverage changes of unchanged statements. We present a large-scale evaluation of code coverage evolution over 7,816 builds of 47 projects written in popular languages including Java, Python, and Scala. We find that in large, mature projects, simply measuring the change to statement coverage does not capture the nuances of code evolution. Going beyond considering statement coverage as a simple ratio, we examine how the set of statements covered evolves between project revisions. We present and study new ways to assess the impact of a patch on a project's test suite quality that both separate coverage of the patch from coverage of the non-patch, and separate changes in coverage from changes in the set of statements covered. @InProceedings{ASE18p53, author = {Michael Hilton and Jonathan Bell and Darko Marinov}, title = {A Large-Scale Study of Test Coverage Evolution}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {53--63}, doi = {10.1145/3238147.3238183}, year = {2018}, } Publisher's Version |
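The per-revision comparison of covered-statement sets that this abstract describes can be sketched as plain set arithmetic (illustrative only; the study's actual tooling and metrics are richer):

```python
def coverage_delta(old_covered, new_covered, patch_stmts):
    """Classify coverage changes between two revisions, separating
    patch statements from unchanged (non-patch) statements."""
    gained = new_covered - old_covered   # newly covered statements
    lost = old_covered - new_covered     # newly uncovered statements
    return {
        "patch_gained": gained & patch_stmts,
        "patch_lost": lost & patch_stmts,
        "nonpatch_gained": gained - patch_stmts,
        "nonpatch_lost": lost - patch_stmts,  # unchanged code losing coverage
    }

# Hypothetical revision: the patch touched statements 5 and 6.
delta = coverage_delta(old_covered={1, 2, 3},
                       new_covered={1, 3, 5},
                       patch_stmts={5, 6})
# delta["nonpatch_lost"] == {2}: an unchanged statement lost coverage,
# a change invisible to the overall coverage ratio alone.
```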
|
Ben Fadhel, Ameni |
ASE '18: "Model-Driven Run-Time Enforcement ..."
Model-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies
Ameni Ben Fadhel, Domenico Bianculli, and Lionel C. Briand (University of Luxembourg, Luxembourg) A Role-based Access Control (RBAC) mechanism prevents unauthorized users from performing an operation, according to authorization policies which are defined on the user’s role within an enterprise. Several models have been proposed to specify complex RBAC policies. However, existing approaches for policy enforcement do not fully support all the types of policies that can be expressed in these models, which hinders their adoption among practitioners. In this paper, we propose a model-driven enforcement framework for complex policies captured by GemRBAC+CTX, a comprehensive RBAC model proposed in the literature. We reduce the problem of making an access decision to checking whether a system state (from an RBAC point of view), expressed as an instance of the GemRBAC+CTX model, satisfies the constraints corresponding to the RBAC policies to be enforced at run time. We provide enforcement algorithms for various types of access requests and events, and a prototype tool (MORRO) implementing them. We also show how to integrate MORRO into an industrial Web application. The evaluation results show the applicability of our approach to an industrial system and its scalability with respect to the various parameters characterizing an AC configuration. @InProceedings{ASE18p248, author = {Ameni Ben Fadhel and Domenico Bianculli and Lionel C. Briand}, title = {Model-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {248--258}, doi = {10.1145/3238147.3238167}, year = {2018}, } Publisher's Version |
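The access decision that the paper reduces to constraint checking generalizes the core RBAC check sketched below (a deliberately simplified sketch with made-up roles and permissions; GemRBAC+CTX layers contextual, temporal, and other constraints on top of checks like this):

```python
def access_decision(user_roles, permissions, user, operation, resource):
    """Core RBAC: grant iff some role assigned to the user is
    permitted to perform the operation on the resource."""
    return any((role, operation, resource) in permissions
               for role in user_roles.get(user, set()))

# Hypothetical access-control configuration:
user_roles = {"alice": {"nurse"}, "bob": {"admin"}}
permissions = {("nurse", "read", "record"),
               ("admin", "read", "record"),
               ("admin", "write", "record")}

# alice may read records but not write them:
# access_decision(user_roles, permissions, "alice", "read", "record")   -> True
# access_decision(user_roles, permissions, "alice", "write", "record")  -> False
```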
|
Berger, Thorsten |
ASE '18: "Tackling Combinatorial Explosion: ..."
Tackling Combinatorial Explosion: A Study of Industrial Needs and Practices for Analyzing Highly Configurable Systems
Mukelabai Mukelabai, Damir Nešić, Salome Maro, Thorsten Berger, and Jan-Philipp Steghöfer (Chalmers University of Technology, Sweden; University of Gothenburg, Sweden; KTH, Sweden) Highly configurable systems are complex pieces of software. To tackle this complexity, hundreds of dedicated analysis techniques have been conceived, many of which are able to analyze system properties for all possible system configurations, as opposed to traditional, single-system analyses. Unfortunately, it is largely unknown whether these techniques are adopted in practice, whether they address actual needs, or what strategies practitioners actually apply to analyze highly configurable systems. We present a study of analysis practices and needs in industry. It relied on a survey with 27 practitioners engineering highly configurable systems and follow-up interviews with 15 of them, covering 18 different companies from eight countries. We confirm that typical properties considered in the literature (e.g., reliability) are relevant, that consistency between variability models and artifacts is critical, but that the majority of analyses for specifications of configuration options (a.k.a. variability model analyses) are not perceived as needed. We identified rather pragmatic analysis strategies, including practices to avoid the need for analysis. For instance, testing with experience-based sampling is the most commonly applied strategy, while systematic sampling is rarely applicable. We discuss analyses that are missing and synthesize our insights into suggestions for future research. @InProceedings{ASE18p155, author = {Mukelabai Mukelabai and Damir Nešić and Salome Maro and Thorsten Berger and Jan-Philipp Steghöfer}, title = {Tackling Combinatorial Explosion: A Study of Industrial Needs and Practices for Analyzing Highly Configurable Systems}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {155--166}, doi = {10.1145/3238147.3238201}, year = {2018}, } Publisher's Version Info |
|
Beyer, Dirk |
ASE '18: "Domain-Independent Multi-threaded ..."
Domain-Independent Multi-threaded Software Model Checking
Dirk Beyer and Karlheinz Friedberger (LMU Munich, Germany) Recent development of software aims at massively parallel execution, because of the trend to increase the number of processing units per CPU socket. But many approaches for program analysis are not designed to benefit from multi-threaded execution and lack support for utilizing multi-core computers. Rewriting existing algorithms is difficult and error-prone, and the design of new parallel algorithms also has limitations. An orthogonal problem is the granularity: computing each successor state in parallel seems too fine-grained, so the open question is to find the right structural level for parallel execution. We propose an elegant solution to these problems: Block summaries should be computed in parallel. Many successful approaches to software verification are based on summaries of control-flow blocks, large blocks, or function bodies. Block-abstraction memoization is a successful domain-independent approach for summary-based program analysis. We redesigned the verification approach of block-abstraction memoization, starting from its original recursive definition, such that it can run in a parallel manner and utilize the available computation resources without losing its advantage of being independent of the underlying abstract domain. We present an implementation of our new approach for multi-core shared-memory machines. The experimental evaluation shows that our summary-based approach has no significant overhead compared to the existing sequential approach and that it achieves a significant speedup when using multi-threading. @InProceedings{ASE18p634, author = {Dirk Beyer and Karlheinz Friedberger}, title = {Domain-Independent Multi-threaded Software Model Checking}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {634--644}, doi = {10.1145/3238147.3238195}, year = {2018}, } Publisher's Version ASE '18-TOOLS: "CPA-SymExec: Efficient Symbolic ..." 
CPA-SymExec: Efficient Symbolic Execution in CPAchecker Dirk Beyer and Thomas Lemberger (LMU Munich, Germany) We present CPA-SymExec, a tool for symbolic execution that is implemented in the open-source, configurable verification framework CPAchecker. Our implementation automatically detects which symbolic facts to track, in order to obtain a small set of constraints that are necessary to decide reachability of a program area of interest. CPA-SymExec is based on abstraction and counterexample-guided abstraction refinement (CEGAR), and uses a constraint-interpolation approach to detect symbolic facts. We show that our implementation can better mitigate the path-explosion problem than symbolic execution without abstraction, by comparing the performance to the state-of-the-art Klee-based symbolic-execution engine Symbiotic and to Klee itself. For the experiments we use two kinds of analysis tasks: one for finding an executable path to a specific location of interest (e.g., if a test vector is desired to show that a certain behavior occurs), and one for confirming that no executable path to a specific location exists (e.g., if it is desired to show that a certain behavior never occurs). CPA-SymExec is released under the Apache 2 license and available (including source code) at https://cpachecker.sosy-lab.org. A demonstration video is available at https://youtu.be/qoBHtvPKtnw. @InProceedings{ASE18p900, author = {Dirk Beyer and Thomas Lemberger}, title = {CPA-SymExec: Efficient Symbolic Execution in CPAchecker}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {900--903}, doi = {10.1145/3238147.3240478}, year = {2018}, } Publisher's Version Video Info |
|
Bianculli, Domenico |
ASE '18: "Model-Driven Run-Time Enforcement ..."
Model-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies
Ameni Ben Fadhel, Domenico Bianculli, and Lionel C. Briand (University of Luxembourg, Luxembourg) A Role-based Access Control (RBAC) mechanism prevents unauthorized users from performing an operation, according to authorization policies which are defined on the user’s role within an enterprise. Several models have been proposed to specify complex RBAC policies. However, existing approaches for policy enforcement do not fully support all the types of policies that can be expressed in these models, which hinders their adoption among practitioners. In this paper, we propose a model-driven enforcement framework for complex policies captured by GemRBAC+CTX, a comprehensive RBAC model proposed in the literature. We reduce the problem of making an access decision to checking whether a system state (from an RBAC point of view), expressed as an instance of the GemRBAC+CTX model, satisfies the constraints corresponding to the RBAC policies to be enforced at run time. We provide enforcement algorithms for various types of access requests and events, and a prototype tool (MORRO) implementing them. We also show how to integrate MORRO into an industrial Web application. The evaluation results show the applicability of our approach to an industrial system and its scalability with respect to the various parameters characterizing an AC configuration. @InProceedings{ASE18p248, author = {Ameni Ben Fadhel and Domenico Bianculli and Lionel C. Briand}, title = {Model-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {248--258}, doi = {10.1145/3238147.3238167}, year = {2018}, } Publisher's Version |
|
Blanc, Xavier |
ASE '18: "On Adopting Linters to Deal ..."
On Adopting Linters to Deal with Performance Concerns in Android Apps
Sarra Habchi, Xavier Blanc, and Romain Rouvoy (Inria, France; University of Lille, France; University of Bordeaux, France) With millions of applications (apps) distributed through mobile markets, engaging and retaining end-users challenge Android developers to deliver a nearly perfect user experience. As mobile apps run in resource-limited devices, performance is a critical criterion for the quality of experience. Therefore, developers are expected to pay close attention to limiting performance bad practices. On the one hand, many studies already identified such performance bad practices and showed that they can heavily impact app performance. Hence, many static analysers, a.k.a. linters, have been proposed to detect and fix these bad practices. On the other hand, other studies have shown that Android developers tend to deal with performance reactively and rarely build on linters to detect and fix performance bad practices. In this paper, we therefore perform a qualitative study to investigate this gap between the research and development communities. In particular, we performed interviews with 14 experienced Android developers to identify the perceived benefits and constraints of using linters to identify performance bad practices in Android apps. Our observations can have a direct impact on developers and the research community. Specifically, we describe why and how developers leverage static source code analysers to improve the performance of their apps. On top of that, we bring to light important challenges faced by developers when it comes to adopting static analysis for performance purposes. @InProceedings{ASE18p6, author = {Sarra Habchi and Xavier Blanc and Romain Rouvoy}, title = {On Adopting Linters to Deal with Performance Concerns in Android Apps}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {6--16}, doi = {10.1145/3238147.3238197}, year = {2018}, } Publisher's Version |
|
Borba, Paulo |
ASE '18-JFIRST: "Understanding Semi-structured ..."
Understanding Semi-structured Merge Conflict Characteristics in Open-Source Java Projects (Journal-First Abstract)
Paola Accioly, Paulo Borba, and Guilherme Cavalcanti (Federal University of Pernambuco, Brazil) In a collaborative development environment, tasks are commonly assigned to developers working independently of each other. As a result, when trying to integrate these contributions, one might have to deal with conflicting changes. Such conflicts might be detected when merging contributions (merge conflicts), when building the system (build conflicts), or when running tests (semantic conflicts). Regarding such conflicts, previous studies show that they occur frequently, and impair developers’ productivity, as understanding and solving them is a demanding and tedious task that might introduce defects. However, despite the existing evidence in the literature, the structure of changes that lead to conflicts has not been studied yet. Understanding the underlying structure of conflicts, and the involved syntactic language elements, might shed light on how to better avoid them. For example, awareness tools that inform users about ongoing parallel changes such as Syde and Palantír can benefit from knowing the most common conflict patterns to become more efficient. With that aim, in this paper we focus on understanding the underlying structure of merge conflicts. @InProceedings{ASE18p955, author = {Paola Accioly and Paulo Borba and Guilherme Cavalcanti}, title = {Understanding Semi-structured Merge Conflict Characteristics in Open-Source Java Projects (Journal-First Abstract)}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {955--955}, doi = {10.1145/3238147.3241983}, year = {2018}, } Publisher's Version |
|
Borges Jr., Nataniel P. |
ASE '18-TOOLS: "DroidMate-2: A Platform for ..."
DroidMate-2: A Platform for Android Test Generation
Nataniel P. Borges Jr., Jenny Hotzkow, and Andreas Zeller (Saarland University, Germany) Android applications (apps) represent an ever-increasing portion of the software market. Automated test input generators are the state of the art for testing and security analysis. We introduce DroidMate-2 (DM-2), a platform to easily assist both developers and researchers in customizing, developing, and testing new test generators. DM-2 can be used without app instrumentation or operating system modifications, as a test generator on real devices and emulators for app testing or regression testing. Additionally, it provides sensitive resource monitoring or blocking capabilities through a lightweight app instrumentation, out-of-the-box statement coverage measurement through a fully-fledged app instrumentation, and native experiment reproducibility. In our experiments we compared DM-2 against DroidBot, a state-of-the-art test generator, by measuring statement coverage. Our results show that DM-2 reached 96% of its peak coverage in less than 2/3 of the time needed by DroidBot, allowing for better and more efficient tests. On short runs (5 minutes) DM-2 outperformed DroidBot by 7%, while in longer runs (1 hour) this difference increases to 8%. ACM DL Artifact: https://www.doi.org/10.1145/3264864 For the details see: https://github.com/uds-se/droidmate/wiki/ASE-2018:-Data @InProceedings{ASE18p916, author = {Nataniel P. Borges Jr. and Jenny Hotzkow and Andreas Zeller}, title = {DroidMate-2: A Platform for Android Test Generation}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {916--919}, doi = {10.1145/3238147.3240479}, year = {2018}, } Publisher's Version Info |
|
Briand, Lionel C. |
ASE '18: "Model-Driven Run-Time Enforcement ..."
Model-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies
Ameni Ben Fadhel, Domenico Bianculli, and Lionel C. Briand (University of Luxembourg, Luxembourg) A Role-based Access Control (RBAC) mechanism prevents unauthorized users from performing an operation, according to authorization policies which are defined on the user’s role within an enterprise. Several models have been proposed to specify complex RBAC policies. However, existing approaches for policy enforcement do not fully support all the types of policies that can be expressed in these models, which hinders their adoption among practitioners. In this paper, we propose a model-driven enforcement framework for complex policies captured by GemRBAC+CTX, a comprehensive RBAC model proposed in the literature. We reduce the problem of making an access decision to checking whether a system state (from an RBAC point of view), expressed as an instance of the GemRBAC+CTX model, satisfies the constraints corresponding to the RBAC policies to be enforced at run time. We provide enforcement algorithms for various types of access requests and events, and a prototype tool (MORRO) implementing them. We also show how to integrate MORRO into an industrial Web application. The evaluation results show the applicability of our approach to an industrial system and its scalability with respect to the various parameters characterizing an AC configuration. @InProceedings{ASE18p248, author = {Ameni Ben Fadhel and Domenico Bianculli and Lionel C. Briand}, title = {Model-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies}, booktitle = {Proc.\ ASE}, publisher = {ACM}, pages = {248--258}, doi = {10.1145/3238147.3238167}, year = {2018}, } Publisher's Version |