2015 IEEE 15th International Working Conference on Source Code Analysis and Manipulation (SCAM)

Recording and replaying system specific, source code transformations
Gustavo Santos, Anne Etien, N. Anquetil, Stéphane Ducasse, M. T. Valente
Pub Date: 2015-11-23 | DOI: 10.1109/SCAM.2015.7335418
During its lifetime, a software system is under continuous maintenance to remain useful. Maintenance can be achieved in activities such as adding new features, fixing bugs, improving the system's structure, or adapting to new APIs. In such cases, developers sometimes perform sequences of code changes in a systematic way. These sequences consist of small code changes (e.g., create a class, then extract a method to this class), which are applied to groups of related code entities (e.g., some of the methods of a class). This paper presents the design and proof-of-concept implementation of a tool called MacroRecorder. This tool records a sequence of code changes, then it allows the developer to generalize this sequence in order to apply it in other code locations. In this paper, we discuss MacroRecorder's approach, which is independent of both development and transformation tools. The evaluation is based on previous work on repetitive code changes related to rearchitecting. MacroRecorder was able to replay 92% of the examples, which involved up to seven code entities modified up to 66 times. The generation of a customizable, large-scale transformation operator has the potential to efficiently assist code maintenance.
How do Java methods grow?
Daniela Steidl, F. Deißenböck
Pub Date: 2015-11-23 | DOI: 10.1109/SCAM.2015.7335411
Overly long methods hamper the maintainability of software: they are hard to understand and to change, but also difficult to test, reuse, and profile. While technically there are many opportunities to refactor long methods, little is known about their origin and their evolution. It is unclear how much effort should be spent to refactor them and when this effort is spent best. To obtain a maintenance strategy, we need a better understanding of how software systems and their methods evolve. This paper presents an empirical case study on method growth in Java with nine open source and one industry system. We show that most methods do not increase their length significantly; in fact, about half of them remain unchanged after the initial commit. Instead, software systems grow by adding new methods rather than by modifying existing methods.
Cumulative code churn: Impact on maintainability
Csaba Faragó, Péter Hegedüs, R. Ferenc
Pub Date: 2015-11-23 | DOI: 10.1109/SCAM.2015.7335410
It is a well-known phenomenon that the source code of software systems erodes during development, which results in higher maintenance costs in the long term. But can we somehow narrow down where exactly this erosion happens? Is it possible to infer future erosion based on past code changes? Do modifications performed on frequently changing code have a worse effect on software maintainability than those affecting less frequently modified code? In this study we investigated these questions, and the results indicate that code churn indeed increases the pace of code erosion. We calculated cumulative code churn values and maintainability changes for every version control commit operation of three open-source and one proprietary software system. With the help of the Wilcoxon rank test, we compared the cumulative code churn values of the files in commits that increased maintainability with those of commits that decreased it. In the case of three systems the test showed very strong significance, and in one case it resulted in strong significance (p-values 0.00235, 0.00436, 0.00018 and 0.03616). These results support our preliminary assumption that modifying high-churn code is more likely to decrease the overall maintainability of a software system, which can be thought of as a generalization of the already known phenomenon that code churn results in a higher number of defects.
Automated memory leak diagnosis by regression testing
M. Ghanavati, A. Andrzejak
Pub Date: 2015-11-23 | DOI: 10.1109/SCAM.2015.7335415
Memory leaks are tedious to detect and require significant debugging effort to be reproduced and localized. In particular, many such bugs escape the classical testing processes used in software development. One of the reasons is that unit and integration tests run too short for leaks to manifest via memory bloat or degraded performance. Moreover, many such defects are environment-sensitive and not triggered by a test suite. Consequently, leaks are frequently discovered in production, causing elevated costs. In this paper we propose an approach for automated diagnosis of memory leaks during the development phase. Our technique is based on regression testing and exploits existing test suites. The key idea is to compare object (de-)allocation statistics (collected during unit/integration test executions) between a previous and the current software version. By grouping these statistics according to object creation sites we can detect anomalies and pinpoint the potential root causes of memory leaks. Such diagnosis can be completed before a visible memory bloat occurs, and in time proportional to the execution of the test suite. We evaluate our approach using real leaks found in 7 Java applications. Results show that our approach has sufficient detection accuracy and is effective in isolating the leaky allocation site: true defect locations rank relatively high in the lists of suspicious code locations if the tests trigger the leak pattern. Our prototype system imposes an acceptable instrumentation and execution overhead for practical memory leak detection even in large software projects.
CodeMetropolis: Eclipse over the city of source code
Gergõ Balogh, Attila Szabolics, Árpád Beszédes
Pub Date: 2015-11-23 | DOI: 10.1109/SCAM.2015.7335425
Graphical representations of software (code visualization in particular) may support program comprehension both for professional programmers and for students learning only the basics. Among the numerous proposed approaches, our research applies the city metaphor to the visualization of code elements such as classes, functions, or attributes with the tool CodeMetropolis. It uses the game engine of Minecraft for the graphics, and is able to visualize various properties of the code based on structural metrics. In this work, we present our approach to integrate our visualization tool into the Eclipse IDE environment. Previously, only standalone usage was possible, but with this new version the users can invoke the visualization directly from the IDE, and all the analysis is performed in the background. The new version of the tool now includes an Eclipse plug-in and a Minecraft modification in addition to the analysis and visualization modules, which have also been extended with some new features. Possible use cases and a detailed scenario are presented.
LeakTracer: Tracing leaks along the way
Hengyang Yu, Xiaohua Shi, Wei Feng
Pub Date: 2015-11-23 | DOI: 10.1109/SCAM.2015.7335414
Unnecessary references in managed languages, such as Java and C#, often cause memory leaks without any immediate symptoms. These leaks become manifest when the program has been running for a long time (usually several hours, days or even weeks). Garbage collectors cannot handle this situation, since they only reclaim objects that have no external references to them. Consequently, when the number of leaked objects becomes large, garbage collection frequency increases and program performance degrades. Ultimately, the program will crash. This paper introduces LeakTracer, a tool that helps diagnose memory leaks in managed languages. The core of LeakTracer is the use of a novel leak predictor, which not only considers object size and staleness as a whole to predict leaked objects, but also carefully adjusts their contributions to the leak possibility of an object, according to careful observation of the activities of common objects during their lifetimes. We have implemented LeakTracer in two parts: (1) an online object events tracker in the Apache Harmony DRL virtual machine, and (2) an offline analyzer embedding our predictor. We have successfully used LeakTracer to find leaks in several real-world programs, and our case studies show that the leak predictor can pinpoint leaked objects with high accuracy.
A translation validation framework for symbolic value propagation based equivalence checking of FSMDAs
K. Banerjee, C. Mandal, D. Sarkar
Pub Date: 2015-11-23 | DOI: 10.1109/SCAM.2015.7335421
A compiler is a computer program which translates source code into target code, often with the objective of reducing execution time and/or saving critical resources. However, an error in the design or in the implementation of a compiler may result in software bugs in the target code obtained from that compiler. Translation validation is a formal verification approach for compilers whereby each individual translation is followed by a validation phase which verifies that the target code produced correctly implements the source code. In this paper, we present a tool for translation validation of optimizing transformations of programs; the original and the transformed programs are modeled as Finite State Machines with Datapath having Arrays (FSMDAs), and a symbolic value propagation (SVP) based equivalence checking strategy is applied over this model to determine the correctness of the applied transformations. The tool has been demonstrated to handle uniform and non-uniform code motions, including code motions across loops, along with transformations which result in modification of the control structures of programs. Moreover, arithmetic transformations such as associative, commutative, and distributive transformations, expression simplification, constant folding, etc., are also supported.
Intent, tests, and release dependencies: Pragmatic recipes for source code integration
M. Brandtner, P. Leitner, H. Gall
Pub Date: 2015-11-23 | DOI: 10.1109/SCAM.2015.7335397
Continuous integration of source code changes, for example via pull-request driven contribution channels, has become standard in many software projects. However, the decision to integrate source code changes into a release is complex and has to be taken by a software manager. In this work, we identify a set of three pragmatic recipes plus variations to support the decision making of integrating code contributions into a release. These recipes cover the isolation of source code changes, the contribution of test code, and the linking of commits to issues. We analyze the development history of 21 open-source software projects to evaluate whether, and to what extent, those recipes are followed in open-source projects. The results of our analysis showed that open-source projects largely follow the recipes, at a compliance level of > 75%. Hence, we conclude that the identified recipes plus variations can be seen as widespread, relevant best practices for source code integration.
On the comprehension of code clone visualizations: A controlled study using eye tracking
Md. Sami Uddin, Varun Gaur, C. Gutwin, C. Roy
Pub Date: 2015-11-23 | DOI: 10.1109/SCAM.2015.7335412
Code clone visualizations (CCVs) are graphical representations of clone detection results provided by various state-of-the-art command line and graphical analysis tools. In order to properly analyze and manipulate code clones within a target system, these visualizations must be easily and efficiently comprehensible. We conducted an eye-tracking study with 20 participants (expert, intermediate, and novice) to assess how well people can comprehend visualizations such as Scatter plots, Treemaps, and Hierarchical Dependency Graphs provided by VisCad, a recent clone visualization tool. The goals of the study were to find out what elements of the visualizations (e.g., colors, shapes, object positions) are most important for comprehension, and to identify common usage patterns for different groups. Our results help us understand how developers with different levels of expertise explore and navigate through the visualizations while performing specific tasks. Distinctive patterns of eye movements for different visualizations were found depending on the expertise of the participants. Color, shape and position information were found to play vital roles in comprehension of CCVs. Our results provide recommendations that can improve the implementation of visualization techniques in VisCad and other clone visualization systems.
Improving prioritization of software weaknesses using security models with AVUS
Stephan Renatus, Corrie Bartelheimer, Jörn Eichler
Pub Date: 2015-09-01 | DOI: 10.1109/SCAM.2015.7335423
Testing tools for application security have become an integral part of secure development life-cycles. Despite their ability to spot important software weaknesses, the high number of findings requires rigorous prioritization. Most testing tools provide generic ratings to support prioritization. Unfortunately, ratings from established tools lack context information, especially with regard to the security requirements of the respective components or source code. Thus experts often spend a great deal of time re-assessing the prioritization provided by these tools. This paper introduces our lightweight tool AVUS, which adjusts context-free ratings of software weaknesses according to a user-defined security model. We also present a first evaluation applying AVUS to a well-known open source project and to the findings of a popular, commercially available application security testing tool.