Microcontrollers are usually supplied with hardware manuals, where information that requires special attention is emphasized as cautions. Currently, the process of verifying these cautions is performed manually as there is no single tool that can directly handle this task. This research aims at automating the verification process for these cautions as much as possible. Firstly, we investigate two sections which have a considerable number of required cautions in the hardware manual of a popular microcontroller to obtain the typical cautions of microcontrollers. Secondly, we analyze and categorize these cautions into several groups. Subsequently, we propose a semi-automatic approach which uses the assertion-based method and integrates two existing static program analysis tools (i.e., Cobra and Eva plugin of Frama-C) to verify the cautions. To show the applicability of this approach, we conduct two experiments with a benchmark source code and an industrial source code provided by Aisin comCruise Co., Ltd.. The results show that this approach is capable of detecting all violations in the benchmark program and only misses one expected violation in the industrial project.
{"title":"Integrating Static Program Analysis Tools for Verifying Cautions of Microcontroller","authors":"Thuy Nguyen, Toshiaki Aoki, Takashi Tomita, Junpei Endo","doi":"10.1109/APSEC48747.2019.00021","DOIUrl":"https://doi.org/10.1109/APSEC48747.2019.00021","url":null,"abstract":"Microcontrollers are usually supplied with hardware manuals, where information that requires special attention is emphasized as cautions. Currently, the process of verifying these cautions is performed manually as there is no single tool that can directly handle this task. This research aims at automating the verification process for these cautions as much as possible. Firstly, we investigate two sections which have a considerable number of required cautions in the hardware manual of a popular microcontroller to obtain the typical cautions of microcontrollers. Secondly, we analyze and categorize these cautions into several groups. Subsequently, we propose a semi-automatic approach which uses the assertion-based method and integrates two existing static program analysis tools (i.e., Cobra and Eva plugin of Frama-C) to verify the cautions. To show the applicability of this approach, we conduct two experiments with a benchmark source code and an industrial source code provided by Aisin comCruise Co., Ltd.. The results show that this approach is capable of detecting all violations in the benchmark program and only misses one expected violation in the industrial project.","PeriodicalId":325642,"journal":{"name":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","volume":"89 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114488798","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-12-01DOI: 10.1109/APSEC48747.2019.00062
Jingquan Ge, Neng Gao, Chenyang Tu, Ji Xiang, Zeyi Liu
With the popularity of smart devices such as mobile phones and tablets, the security problem of the widely used ARMv8-A processor has received more and more attention. Flush+Reload and Flush+Flush cache attacks have become two of the most important security threats due to their low noise and high resolution. In order to resist Flush+Reload and Flush+Flush attacks, researchers proposed many defense methods. However, these existing methods have various shortcomings. The runtime defense methods using hardware performance counters cannot detect attacks fast enough, effectively detect Flush+Flush or avoid a high false positive rate. Static code analysis schemes are powerless for obfuscation techniques. The approaches of permanently reducing the resolution can only be utilized on browser products and cannot be applied in the system. In this paper, we design two more secure collaborative APIs—flush operation API and high resolution time API—which can resist Flush+Reload and Flush+Flush attacks. When the flush operation API is called, the high resolution time API temporarily reduces its resolution and automatically restores. Moreover, the flush operation API also has the ability to detect and handle suspected Flush+Reload and Flush+Flush attacks. The attack and performance comparison experiments prove that the two APIs we designed are safer and the performance losses are acceptable.
{"title":"More Secure Collaborative APIs Resistant to Flush+Reload and Flush+Flush Attacks on ARMv8-A","authors":"Jingquan Ge, Neng Gao, Chenyang Tu, Ji Xiang, Zeyi Liu","doi":"10.1109/APSEC48747.2019.00062","DOIUrl":"https://doi.org/10.1109/APSEC48747.2019.00062","url":null,"abstract":"With the popularity of smart devices such as mobile phones and tablets, the security problem of the widely used ARMv8-A processor has received more and more attention. Flush+Reload and Flush+Flush cache attacks have become two of the most important security threats due to their low noise and high resolution. In order to resist Flush+Reload and Flush+Flush attacks, researchers proposed many defense methods. However, these existing methods have various shortcomings. The runtime defense methods using hardware performance counters cannot detect attacks fast enough, effectively detect Flush+Flush or avoid a high false positive rate. Static code analysis schemes are powerless for obfuscation techniques. The approaches of permanently reducing the resolution can only be utilized on browser products and cannot be applied in the system. In this paper, we design two more secure collaborative APIs—flush operation API and high resolution time API—which can resist Flush+Reload and Flush+Flush attacks. When the flush operation API is called, the high resolution time API temporarily reduces its resolution and automatically restores. Moreover, the flush operation API also has the ability to detect and handle suspected Flush+Reload and Flush+Flush attacks. The attack and performance comparison experiments prove that the two APIs we designed are safer and the performance losses are acceptable.","PeriodicalId":325642,"journal":{"name":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","volume":"104 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115162777","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-12-01DOI: 10.1109/APSEC48747.2019.00067
Anand Tirkey, R. Mohapatra, L. Kumar
Android OS being the popular choice of majority users also faces the constant risk of breach of confidentiality, integrity and availability (CIA). Effective mitigation efforts needs to identified in order to protect and uphold the CIA triad model, within the android ecosystem. In this paper, we propose a novel method of android malware classification using Object-Oriented Software Metrics and machine learning algorithms. First, android apps are decompiled and Object-Oriented Metrics are obtained. VirusTotal service is used to tag an app either as malware or benign. Object-Oriented Metrics and malware tag are clubbed together into a dataset. Eighty different machine-learned models are trained over five thousand seven hundred and seventy four android apps. We evaluate the performance and stability of these models using it's malware classification accuracy and AUC (area under ROC curve) values. Our method yields an accuracy and AUC of 99.83% and 1.0 respectively.
{"title":"Anatomizing Android Malwares","authors":"Anand Tirkey, R. Mohapatra, L. Kumar","doi":"10.1109/APSEC48747.2019.00067","DOIUrl":"https://doi.org/10.1109/APSEC48747.2019.00067","url":null,"abstract":"Android OS being the popular choice of majority users also faces the constant risk of breach of confidentiality, integrity and availability (CIA). Effective mitigation efforts needs to identified in order to protect and uphold the CIA triad model, within the android ecosystem. In this paper, we propose a novel method of android malware classification using Object-Oriented Software Metrics and machine learning algorithms. First, android apps are decompiled and Object-Oriented Metrics are obtained. VirusTotal service is used to tag an app either as malware or benign. Object-Oriented Metrics and malware tag are clubbed together into a dataset. Eighty different machine-learned models are trained over five thousand seven hundred and seventy four android apps. We evaluate the performance and stability of these models using it's malware classification accuracy and AUC (area under ROC curve) values. Our method yields an accuracy and AUC of 99.83% and 1.0 respectively.","PeriodicalId":325642,"journal":{"name":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","volume":"21 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116142477","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-12-01DOI: 10.1109/APSEC48747.2019.00042
Meiling Zhou, Jie Chen, Haiyang Hu, JiaCheng Yu, Zhongjin Li, Hua Hu
With the continuous expansion of the software market and the updating of the maturity of the software development process, the performance requirements of software users are becoming increasingly prominent. Performance issues are essentially related to the source code. For solving the same problem, different programmers may write completely different "correct" code with the same functionality but have different performance. Most online judge system on programming make use of automated grading systems, usually rely on test results to quantify the correctness and performance for the submitted source code. However, traditional dynamic testing takes a lot of time, and the discovery of performance problems is usually after the fact even for those small scale programs. Therefore, we proposed DeepTLE which is used to effectively predict the performance of submitted source code before it runs. DeepTLE can automatically learn the semantic and structural features of the source code. In order to verify the effect of our approach, we applied it to the source code collected from the program competition website to predict if the source code would be time limit exceed or not without running its test cases. Experiment results show that our method can save 96% of the time cost compared to the dynamic testing, and the accuracy of the prediction reaches 82%.
{"title":"DeepTLE: Learning Code-Level Features to Predict Code Performance before It Runs","authors":"Meiling Zhou, Jie Chen, Haiyang Hu, JiaCheng Yu, Zhongjin Li, Hua Hu","doi":"10.1109/APSEC48747.2019.00042","DOIUrl":"https://doi.org/10.1109/APSEC48747.2019.00042","url":null,"abstract":"With the continuous expansion of the software market and the updating of the maturity of the software development process, the performance requirements of software users are becoming increasingly prominent. Performance issues are essentially related to the source code. For solving the same problem, different programmers may write completely different \"correct\" code with the same functionality but have different performance. Most online judge system on programming make use of automated grading systems, usually rely on test results to quantify the correctness and performance for the submitted source code. However, traditional dynamic testing takes a lot of time, and the discovery of performance problems is usually after the fact even for those small scale programs. Therefore, we proposed DeepTLE which is used to effectively predict the performance of submitted source code before it runs. DeepTLE can automatically learn the semantic and structural features of the source code. In order to verify the effect of our approach, we applied it to the source code collected from the program competition website to predict if the source code would be time limit exceed or not without running its test cases. Experiment results show that our method can save 96% of the time cost compared to the dynamic testing, and the accuracy of the prediction reaches 82%.","PeriodicalId":325642,"journal":{"name":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","volume":"39 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125424724","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-12-01DOI: 10.1109/APSEC48747.2019.00024
Konrad Fögen, H. Lichter
Combinatorial robustness testing is an approach to generate separate test inputs for positive and negative test scenarios. The test model is enriched with semantic information to distinguish valid from invalid values and value combinations. Unfortunately, it is easy to create over-constrained models and invalid values or invalid value combinations do not appear in the final test suite. In this paper, we extend previous work on manual repair and develop a technique to semi-automatically repair over-constrained models. The technique is evaluated with benchmark models and the results indicate a small computational overhead.
{"title":"Semi-Automatic Repair of Over-Constrained Models for Combinatorial Robustness Testing","authors":"Konrad Fögen, H. Lichter","doi":"10.1109/APSEC48747.2019.00024","DOIUrl":"https://doi.org/10.1109/APSEC48747.2019.00024","url":null,"abstract":"Combinatorial robustness testing is an approach to generate separate test inputs for positive and negative test scenarios. The test model is enriched with semantic information to distinguish valid from invalid values and value combinations. Unfortunately, it is easy to create over-constrained models and invalid values or invalid value combinations do not appear in the final test suite. In this paper, we extend previous work on manual repair and develop a technique to semi-automatically repair over-constrained models. The technique is evaluated with benchmark models and the results indicate a small computational overhead.","PeriodicalId":325642,"journal":{"name":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","volume":"73 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121885560","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-12-01DOI: 10.1109/APSEC48747.2019.00030
Ammar Lanui, T. Chiew
Testing is a vital activity in software development. The ISO/IEC has defined a standard for system and software quality models called ISO/IEC 25010:2011 to be a guideline and scope for testing any applications. Testing of mobile applications according to this standard, however, is more challenging than other types of software. The diversity of Android devices and various versions of Android operating system, for example, has created a large fragmentation of the Android platform. This fragmentation hinders testing of Android applications especially in relation to portability and compatibility. Existing solutions are either neglecting portability and compatibility issues or lack flexibility in fulfilling needs of the different organizations. We propose a cloud testing model to address the fragmentation of Android platform and provide automated application testing services on the actual devices. The model can be configured in the public, private or hybrid setups to suit individual organizations' needs and budget. A prototype was built based on the model. 10 Android testers used the prototype and the Android Emulator to perform mobile application testing. Results show that the model has the potential to manage the challenging portability and compatibility testing on the Android platform in a flexible and scalable manner.
{"title":"A Cloud-Based Solution for Testing Applications' Compatibility and Portability on Fragmented Android Platform","authors":"Ammar Lanui, T. Chiew","doi":"10.1109/APSEC48747.2019.00030","DOIUrl":"https://doi.org/10.1109/APSEC48747.2019.00030","url":null,"abstract":"Testing is a vital activity in software development. The ISO/IEC has defined a standard for system and software quality models called ISO/IEC 25010:2011 to be a guideline and scope for testing any applications. Testing of mobile applications according to this standard, however, is more challenging than other types of software. The diversity of Android devices and various versions of Android operating system, for example, has created a large fragmentation of the Android platform. This fragmentation hinders testing of Android applications especially in relation to portability and compatibility. Existing solutions are either neglecting portability and compatibility issues or lack flexibility in fulfilling needs of the different organizations. We propose a cloud testing model to address the fragmentation of Android platform and provide automated application testing services on the actual devices. The model can be configured in the public, private or hybrid setups to suit individual organizations' needs and budget. A prototype was built based on the model. 10 Android testers used the prototype and the Android Emulator to perform mobile application testing. Results show that the model has the potential to manage the challenging portability and compatibility testing on the Android platform in a flexible and scalable manner.","PeriodicalId":325642,"journal":{"name":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132762767","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-12-01DOI: 10.1109/APSEC48747.2019.00064
Hui Zhao, F. Mallet, L. Apvrille
The design flaws and attacks on Cyber-Physical Systems (CPSs) can lead to severe consequences. Thus, security and safety (S&S) issues should be taken into account with functional design as early as possible during the developing process. However, it's rare to see "one-size-fits-all" modeling language and/or design tool. One way to solve this issue is to integrate different nature models into one model system, but this requires a unified semantic among modeling languages. We explore a model-based approach for systems engineering that facilitates the composition of several heterogeneous artifacts (called views) into a sound and consistent system model. Rather than trying to extend either SysML or SysML-sec into more expressive languages to add the missing features, we extract proper subsets of both languages to build a view adequate for conducting a security and safety analysis of Capella (SysML-based) functional models. Our language is generic enough to extract proper subsets of languages and combine them to build views for different experts. Moreover, it maintains a global consistency between the different views.
{"title":"A Language-Based Multi-View Approach for Combining Functional and Security Models","authors":"Hui Zhao, F. Mallet, L. Apvrille","doi":"10.1109/APSEC48747.2019.00064","DOIUrl":"https://doi.org/10.1109/APSEC48747.2019.00064","url":null,"abstract":"The design flaws and attacks on Cyber-Physical Systems (CPSs) can lead to severe consequences. Thus, security and safety (S&S) issues should be taken into account with functional design as early as possible during the developing process. However, it's rare to see \"one-size-fits-all\" modeling language and/or design tool. One way to solve this issue is to integrate different nature models into one model system, but this requires a unified semantic among modeling languages. We explore a model-based approach for systems engineering that facilitates the composition of several heterogeneous artifacts (called views) into a sound and consistent system model. Rather than trying to extend either SysML or SysML-sec into more expressive languages to add the missing features, we extract proper subsets of both languages to build a view adequate for conducting a security and safety analysis of Capella (SysML-based) functional models. Our language is generic enough to extract proper subsets of languages and combine them to build views for different experts. Moreover, it maintains a global consistency between the different views.","PeriodicalId":325642,"journal":{"name":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134514871","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-12-01DOI: 10.1109/APSEC48747.2019.00046
Tasuku Nakagawa, Yoshiki Higo, Junnosuke Matsumoto, S. Kusumoto
A code clone (in short, clone) is a code fragment that is identical or similar to other code fragments in source code. The presence of clone is known as bad smell, which is phenomena of source code to be refactored. A motivation of refactoring (merging) clones is to reduce the size of source code. An existing study proposed a technique to estimate reduced lines of code by merging clones; however, there are two issues in the existing technique: (1) the existing technique does not consider the refactorability of clones in spite that it is difficult or even impossible to merge some clones due to the limitation of programming languages; (2) in the case that multiple clones are overlapping, the existing technique only considers one of them can be merged. Due to the above issues, estimated reducible LoC is occasionally different from the actual number. Consequently, in this research, we propose a new technique to calculate a reducible LoC. The proposed technique is free from the two issues, and it calculates a reducible LoC fully automatically. The proposed technique performs a loop processing of (a) detecting clones, (b) merging them, (c) compiling the edited source files, and (d) testing them. After finishing the loop, reducible LoC is calculated from the edited source files. This paper also includes comparison results of the proposed technique and the existing one. In the comparisons, we confirmed that a reducible LoC which was calculated with considering refactorability is 25% of a reducible LoC which was estimated without considering refactorability. We also confirmed that the proposed technique was able to merge clones that were not counted in the existing technique.
{"title":"How Compact Will My System Be? A Fully-Automated Way to Calculate LoC Reduced by Clone Refactoring","authors":"Tasuku Nakagawa, Yoshiki Higo, Junnosuke Matsumoto, S. Kusumoto","doi":"10.1109/APSEC48747.2019.00046","DOIUrl":"https://doi.org/10.1109/APSEC48747.2019.00046","url":null,"abstract":"A code clone (in short, clone) is a code fragment that is identical or similar to other code fragments in source code. The presence of clone is known as bad smell, which is phenomena of source code to be refactored. A motivation of refactoring (merging) clones is to reduce the size of source code. An existing study proposed a technique to estimate reduced lines of code by merging clones; however, there are two issues in the existing technique: (1) the existing technique does not consider the refactorability of clones in spite that it is difficult or even impossible to merge some clones due to the limitation of programming languages; (2) in the case that multiple clones are overlapping, the existing technique only considers one of them can be merged. Due to the above issues, estimated reducible LoC is occasionally different from the actual number. Consequently, in this research, we propose a new technique to calculate a reducible LoC. The proposed technique is free from the two issues, and it calculates a reducible LoC fully automatically. The proposed technique performs a loop processing of (a) detecting clones, (b) merging them, (c) compiling the edited source files, and (d) testing them. After finishing the loop, reducible LoC is calculated from the edited source files. This paper also includes comparison results of the proposed technique and the existing one. In the comparisons, we confirmed that a reducible LoC which was calculated with considering refactorability is 25% of a reducible LoC which was estimated without considering refactorability. We also confirmed that the proposed technique was able to merge clones that were not counted in the existing technique.","PeriodicalId":325642,"journal":{"name":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","volume":"73 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114805664","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-12-01DOI: 10.1109/APSEC48747.2019.00076
Minghao Chen, Xiaojun Wan
Code comments help program developers understand programs, read and navigate source code, thus resulting in more efficient software maintenance. Unfortunately, many codes are not commented adequately, or the code comments are missing. So developers have to spend additional time in reading source code. In this paper, we propose a new approach to automatically generating comments for source codes. Following the intuition behind the traditional sequence-to-sequence (Seq2Seq) model for machine translation, we propose a tree-to-sequence (Tree2Seq) model for code comment generation, which leverages an encoder to capture the structure information of source code. More importantly, code classification is involved as an auxiliary task for aiding the Tree2Seq model. We build a multi-task learning model to achieve this goal. We evaluate our models on a benchmark dataset with automatic metrics like BLEU, ROUGE, and METEOR. Experimental results show that our proposed Tree2Seq model outperforms traditional Seq2Seq model with attention, and our proposed multi-task learning model outperforms the state-of-the-art approaches by a substantial margin.
{"title":"Neural Comment Generation for Source Code with Auxiliary Code Classification Task","authors":"Minghao Chen, Xiaojun Wan","doi":"10.1109/APSEC48747.2019.00076","DOIUrl":"https://doi.org/10.1109/APSEC48747.2019.00076","url":null,"abstract":"Code comments help program developers understand programs, read and navigate source code, thus resulting in more efficient software maintenance. Unfortunately, many codes are not commented adequately, or the code comments are missing. So developers have to spend additional time in reading source code. In this paper, we propose a new approach to automatically generating comments for source codes. Following the intuition behind the traditional sequence-to-sequence (Seq2Seq) model for machine translation, we propose a tree-to-sequence (Tree2Seq) model for code comment generation, which leverages an encoder to capture the structure information of source code. More importantly, code classification is involved as an auxiliary task for aiding the Tree2Seq model. We build a multi-task learning model to achieve this goal. We evaluate our models on a benchmark dataset with automatic metrics like BLEU, ROUGE, and METEOR. Experimental results show that our proposed Tree2Seq model outperforms traditional Seq2Seq model with attention, and our proposed multi-task learning model outperforms the state-of-the-art approaches by a substantial margin.","PeriodicalId":325642,"journal":{"name":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","volume":"80 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114979094","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2019-12-01DOI: 10.1109/APSEC48747.2019.00011
Sharifah Mashita Syed-Mohamad, Nur Asyraf Md Akhir
Pull-based software development is a distributed development model that offers an opportunity to review a pull request before it gets merged into the main repository. A pull request addresses new features, bug fixing, and maintenance issues submitted by both integrators or contributors. It appears that many empirical studies are conducted to discover how pull request evaluation is done, and to our knowledge, limited research exists for assessing release readiness of pull requests. Studies also reported that the failure rate of pull-requests rapidly increases when there are many forks created. It is therefore, questions worth exploring are whether the code review really contributing to the code quality, and how to determine the release readiness of pull requests? In our previous work, test and defect coverage-based analytics model (TDCAM) has been proven to be suitable to determine the readiness of releases for software that is rapidly evolving, in which this is also a characteristic of pull-based software development. In this paper, the TDCAM has been extended to include pull request coverage indicators. The proposed model, namely as SoReady and the visualization analysis presented herein has enabled five developers in a commercial setting to make informed and evidence-based decisions regarding the test status of each pull request and overall reliability of an open source software through a prototype dashboard.
{"title":"SoReady: An Extension of the Test and Defect Coverage-Based Analytics Model for Pull-Based Software Development","authors":"Sharifah Mashita Syed-Mohamad, Nur Asyraf Md Akhir","doi":"10.1109/APSEC48747.2019.00011","DOIUrl":"https://doi.org/10.1109/APSEC48747.2019.00011","url":null,"abstract":"Pull-based software development is a distributed development model that offers an opportunity to review a pull request before it gets merged into the main repository. A pull request addresses new features, bug fixing, and maintenance issues submitted by both integrators or contributors. It appears that many empirical studies are conducted to discover how pull request evaluation is done, and to our knowledge, limited research exists for assessing release readiness of pull requests. Studies also reported that the failure rate of pull-requests rapidly increases when there are many forks created. It is therefore, questions worth exploring are whether the code review really contributing to the code quality, and how to determine the release readiness of pull requests? In our previous work, test and defect coverage-based analytics model (TDCAM) has been proven to be suitable to determine the readiness of releases for software that is rapidly evolving, in which this is also a characteristic of pull-based software development. In this paper, the TDCAM has been extended to include pull request coverage indicators. The proposed model, namely as SoReady and the visualization analysis presented herein has enabled five developers in a commercial setting to make informed and evidence-based decisions regarding the test status of each pull request and overall reliability of an open source software through a prototype dashboard.","PeriodicalId":325642,"journal":{"name":"2019 26th Asia-Pacific Software Engineering Conference (APSEC)","volume":"33 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132236511","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: