DOI: 10.1145/3236024.3275535

Efficient static checking of library updates

Published: 26 October 2018

Abstract

Software engineering practices have evolved to the point where a developer writing a new application today does not start from scratch, but reuses a number of open source libraries and components. These third-party libraries evolve independently of the applications in which they are used, and may not maintain stable interfaces as bugs and vulnerabilities in them are fixed. This in turn causes API incompatibilities in downstream applications, which must be resolved manually. An incompatibility that goes unnoticed may manifest in many ways, from test failures to crashes at runtime. To address this problem, we present a static analysis for automatically and efficiently checking whether a library upgrade introduces an API incompatibility.
Our analysis does not rely on reported version information from library developers, and instead computes the actual differences between methods in libraries across different versions. The analysis is scalable, enabling real-time diff queries involving arbitrary pairs of library versions. It supports a vulnerability remediation product which suggests library upgrades automatically and is lightweight enough to be part of a continuous integration/delivery (CI/CD) pipeline. To evaluate the effectiveness of our approach, we determine semantic versioning adherence of a corpus of open source libraries taken from Maven Central, PyPI, and RubyGems. We find that on average, 26% of library versions are in violation of semantic versioning. We also analyze a collection of popular open source projects from GitHub to determine if we can automatically update libraries in them without causing API incompatibilities. Our results indicate that we can suggest upgrades automatically for 10% of the libraries.
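The abstract describes three steps: compute the API diff from the library code itself rather than from the declared version numbers, use that diff to judge whether a version bump honours semantic versioning, and intersect the breaking part of the diff with what a client actually reaches to decide whether an upgrade can be suggested automatically. The following is an added example written for this page, not the paper's analysis or tooling: it applies those three steps to two constructed versions of a hypothetical Python library `httpkit`. The client's reachable library functions are passed in as a set, standing in for the call-graph reachability the paper computes; the signature-compatibility rule (same parameter names, kinds and optionality; new parameters must be optional) is this example's simplification of what counts as a compatible method change.

```python
"""Added example (not the paper's code): diff two library versions' public APIs
from their code, classify the diff under semantic versioning, and check whether
a given client is affected. `httpkit`, its versions and the client call sets
are constructed for this example."""
import inspect
import types
from dataclasses import dataclass, field

# Constructed sample: two versions of a hypothetical library, 1.2.0 and 1.3.0.
V1_SRC = '''
def get(url, timeout=30):
    return ("GET", url, timeout)
def post(url, body, timeout=30):
    return ("POST", url, body, timeout)
def parse_header(line):
    return line.split(":", 1)
'''
V2_SRC = '''
def get(url, timeout=30, verify=True):       # compatible: optional parameter added
    return ("GET", url, timeout, verify)
def post(url, body, headers, timeout=30):    # breaking: new required parameter
    return ("POST", url, body, headers, timeout)
def parse_headers(lines):                    # breaking: parse_header is gone
    return [line.split(":", 1) for line in lines]
'''

def load_module(name, src):
    """Build a module object from source so the version can be introspected."""
    mod = types.ModuleType(name)
    exec(src, mod.__dict__)
    return mod

def public_api(mod):
    """Map each public function name to its inspect.Signature."""
    return {n: inspect.signature(f) for n, f in vars(mod).items()
            if inspect.isfunction(f) and not n.startswith("_")}

def signature_compatible(old, new):
    """True if every call valid against `old` is valid against `new`: existing
    parameters keep name, kind and optionality, and any added ones are optional."""
    old_p, new_p = list(old.parameters.values()), list(new.parameters.values())
    if len(new_p) < len(old_p):
        return False
    for o, n in zip(old_p, new_p):
        if o.name != n.name or o.kind != n.kind:
            return False
        if o.default is not o.empty and n.default is n.empty:
            return False  # previously optional, now required
    return all(p.default is not p.empty or p.kind in (p.VAR_POSITIONAL, p.VAR_KEYWORD)
               for p in new_p[len(old_p):])

@dataclass
class ApiDiff:
    removed: set = field(default_factory=set)
    changed: set = field(default_factory=set)   # kept, but no longer call-compatible
    added: set = field(default_factory=set)

    def breaking(self):
        return self.removed | self.changed

def api_diff(old_mod, new_mod):
    """Compute the diff from the code itself, ignoring declared version numbers."""
    old, new = public_api(old_mod), public_api(new_mod)
    common = set(old) & set(new)
    return ApiDiff(removed=set(old) - set(new),
                   changed={n for n in common if not signature_compatible(old[n], new[n])},
                   added=set(new) - set(old))

RANK = {"patch": 0, "minor": 1, "major": 2}

def required_bump(diff):
    """The smallest semver bump that honestly describes this diff."""
    if diff.breaking():
        return "major"
    return "minor" if diff.added else "patch"

def declared_bump(old_ver, new_ver):
    o, n = (tuple(int(x) for x in v.split(".")) for v in (old_ver, new_ver))
    if n[0] != o[0]:
        return "major"
    return "minor" if n[1] != o[1] else "patch"

def violates_semver(diff, old_ver, new_ver):
    return RANK[declared_bump(old_ver, new_ver)] < RANK[required_bump(diff)]

def safe_for_client(diff, client_calls):
    """Safe iff none of the library functions the client reaches is breaking."""
    return not (set(client_calls) & diff.breaking())

def analyze_sample():
    """Run the check over the constructed sample and return the findings."""
    v1, v2 = load_module("httpkit_1_2_0", V1_SRC), load_module("httpkit_1_3_0", V2_SRC)
    d = api_diff(v1, v2)
    return {"diff": d,
            "violates_semver": violates_semver(d, "1.2.0", "1.3.0"),
            "safe_get_only": safe_for_client(d, {"get"}),
            "safe_uses_post": safe_for_client(d, {"get", "post"})}

if __name__ == "__main__":
    r = analyze_sample()
    print("breaking:", sorted(r["diff"].breaking()), "added:", sorted(r["diff"].added))
    print("1.2.0 -> 1.3.0 violates semver:", r["violates_semver"])
    print("safe for a client calling only get():", r["safe_get_only"])
    print("safe for a client calling post():", r["safe_uses_post"])
```

On the sample, 1.2.0 to 1.3.0 is declared a minor bump but removes `parse_header` and adds a required parameter to `post`, so it is flagged as a semver violation; a client that only reaches `get` can still be upgraded automatically, while one that reaches `post` cannot. Note that this example compares signatures only: a method whose signature is unchanged but whose behaviour changed is not reported, which is a limitation the paper's own abstract also scopes to API incompatibilities.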


Published In

cover image ACM Conferences
ESEC/FSE 2018: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
October 2018
987 pages
ISBN:9781450355735
DOI:10.1145/3236024

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. api diffs
  2. automated remediation
  3. call graphs
  4. library upgrades
  5. semantic versioning

Qualifiers

  • Research-article

Conference

ESEC/FSE '18
Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%


Article Metrics

  • Downloads (Last 12 months)52
  • Downloads (Last 6 weeks)4
Reflects downloads up to 13 Dec 2024

Cited By

  • (2024) Lightweight Syntactic API Usage Analysis with UCov. Proceedings of the 32nd IEEE/ACM International Conference on Program Comprehension, pp. 426-437. DOI: 10.1145/3643916.3644415. Online publication date: 15-Apr-2024.
  • (2024) Understanding the Impact of APIs Behavioral Breaking Changes on Client Applications. Proceedings of the ACM on Software Engineering 1:FSE, pp. 1238-1261. DOI: 10.1145/3643782. Online publication date: 12-Jul-2024.
  • (2024) Comparing Execution Trace Using Merkle-Tree to Detect Backward Incompatibilities. 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 649-653. DOI: 10.1109/SANER60148.2024.00071. Online publication date: 12-Mar-2024.
  • (2024) Adversarial Analysis of Software Composition Analysis Tools. Information Security, pp. 161-182. DOI: 10.1007/978-3-031-75764-8_9. Online publication date: 17-Oct-2024.
  • (2023) Automatically Resolving Dependency-Conflict Building Failures via Behavior-Consistent Loosening of Library Version Constraints. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 198-210. DOI: 10.1145/3611643.3616264. Online publication date: 30-Nov-2023.
  • (2023) Understanding Breaking Changes in the Wild. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 1433-1444. DOI: 10.1145/3597926.3598147. Online publication date: 12-Jul-2023.
  • (2023) Client-Specific Upgrade Compatibility Checking via Knowledge-Guided Discovery. ACM Transactions on Software Engineering and Methodology 32:4, pp. 1-31. DOI: 10.1145/3582569. Online publication date: 26-May-2023.
  • (2023) I Depended on You and You Broke Me: An Empirical Study of Manifesting Breaking Changes in Client Packages. ACM Transactions on Software Engineering and Methodology 32:4, pp. 1-26. DOI: 10.1145/3576037. Online publication date: 26-May-2023.
  • (2023) There's no Such Thing as a Free Lunch: Lessons Learned from Exploring the Overhead Introduced by the Greenkeeper Dependency Bot in Npm. ACM Transactions on Software Engineering and Methodology 32:1, pp. 1-40. DOI: 10.1145/3522587. Online publication date: 13-Feb-2023.
  • (2023) Automating Dependency Updates in Practice: An Exploratory Study on GitHub Dependabot. IEEE Transactions on Software Engineering, pp. 1-18. DOI: 10.1109/TSE.2023.3278129. Online publication date: 2023.
