DOI: 10.1145/3236024.3275535
Research article

Efficient static checking of library updates

Published: 26 October 2018

ABSTRACT

Software engineering practices have evolved to the point where a developer writing a new application today doesn’t start from scratch, but reuses a number of open source libraries and components. These third-party libraries evolve independently of the applications in which they are used, and may not maintain stable interfaces as bugs and vulnerabilities in them are fixed. This in turn causes API incompatibilities in downstream applications which must be manually resolved. Oversight here may manifest in many ways, from test failures to crashes at runtime. To address this problem, we present a static analysis for automatically and efficiently checking if a library upgrade introduces an API incompatibility.

Our analysis does not rely on reported version information from library developers, and instead computes the actual differences between methods in libraries across different versions. The analysis is scalable, enabling real-time diff queries involving arbitrary pairs of library versions. It supports a vulnerability remediation product which suggests library upgrades automatically and is lightweight enough to be part of a continuous integration/delivery (CI/CD) pipeline. To evaluate the effectiveness of our approach, we determine semantic versioning adherence of a corpus of open source libraries taken from Maven Central, PyPI, and RubyGems. We find that on average, 26% of library versions are in violation of semantic versioning. We also analyze a collection of popular open source projects from GitHub to determine if we can automatically update libraries in them without causing API incompatibilities. Our results indicate that we can suggest upgrades automatically for 10% of the libraries.
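The check the abstract describes, reduced to its essentials as an added example (this is illustrative code written for this page, not the paper's analysis or the product it supports): each library version is modelled as a map from fully qualified method name to its parameter tuple, and the example computes the method-level diff between two versions, derives the semantic-versioning bump that diff requires, compares it with the bump the maintainer actually declared, and finally asks whether a downstream application that calls a given set of methods can take the upgrade without hitting a removed or changed method. The library name `jsonlib`, its release history and the application's call set are constructed for the example; treating any signature change as breaking is a simplification of what a real analysis would do.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# One library version's public API surface, modelled (constructed for this
# example) as {fully qualified method name: tuple of parameter names}.
ApiSurface = Dict[str, Tuple[str, ...]]


@dataclass
class ApiDiff:
    removed: Set[str] = field(default_factory=set)  # present in old, gone in new
    changed: Set[str] = field(default_factory=set)  # present in both, signature differs
    added: Set[str] = field(default_factory=set)    # new in the new version

    @property
    def breaking(self) -> bool:
        # Removing or re-signing a method can break an existing caller; adding cannot.
        return bool(self.removed or self.changed)


def diff_api(old: ApiSurface, new: ApiSurface) -> ApiDiff:
    """Compute the method-level differences between two API surfaces."""
    d = ApiDiff()
    for name, params in old.items():
        if name not in new:
            d.removed.add(name)
        elif new[name] != params:
            d.changed.add(name)
    d.added = set(new) - set(old)
    return d


def required_bump(diff: ApiDiff) -> str:
    """The semver component a release with this diff should have incremented."""
    if diff.breaking:
        return "major"
    if diff.added:
        return "minor"
    return "patch"


def declared_bump(v_old: str, v_new: str) -> str:
    """The semver component the maintainer actually incremented."""
    old = tuple(int(x) for x in v_old.split("."))
    new = tuple(int(x) for x in v_new.split("."))
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"


_RANK = {"patch": 0, "minor": 1, "major": 2}


def violates_semver(v_old: str, api_old: ApiSurface, v_new: str, api_new: ApiSurface) -> bool:
    """True when the declared bump is smaller than the API diff demands."""
    needed = required_bump(diff_api(api_old, api_new))
    return _RANK[declared_bump(v_old, v_new)] < _RANK[needed]


def semver_violations(history: List[Tuple[str, ApiSurface]]) -> List[str]:
    """Versions whose declared bump understates the change since the previous release."""
    return [v_new for (v_old, a_old), (v_new, a_new) in zip(history, history[1:])
            if violates_semver(v_old, a_old, v_new, a_new)]


def affected_calls(app_calls: Set[str], api_old: ApiSurface, api_new: ApiSurface) -> Set[str]:
    """Methods the application calls that the upgrade removes or changes."""
    d = diff_api(api_old, api_new)
    return app_calls & (d.removed | d.changed)


def safe_to_upgrade(app_calls: Set[str], api_old: ApiSurface, api_new: ApiSurface) -> bool:
    """An upgrade can be suggested automatically only if it touches nothing the app uses."""
    return not affected_calls(app_calls, api_old, api_new)


# Constructed release history of a hypothetical library "jsonlib".
V1_0_0: ApiSurface = {
    "jsonlib.Parser.parse": ("text",),
    "jsonlib.Parser.parse_file": ("path",),
    "jsonlib.dump": ("obj", "fp"),
}
V1_1_0: ApiSurface = {**V1_0_0, "jsonlib.loads": ("text",)}  # additive only: minor is correct
V1_1_1: ApiSurface = {
    "jsonlib.Parser.parse": ("text",),
    "jsonlib.dump": ("fp", "obj"),  # parameter order swapped: breaking
    "jsonlib.loads": ("text",),
}  # parse_file removed: breaking, yet declared as a patch release
HISTORY = [("1.0.0", V1_0_0), ("1.1.0", V1_1_0), ("1.1.1", V1_1_1)]
APP_CALLS = {"jsonlib.Parser.parse", "jsonlib.dump"}  # constructed downstream usage


if __name__ == "__main__":
    print("semver violations:", semver_violations(HISTORY))
    for (v_old, a_old), (v_new, a_new) in zip(HISTORY, HISTORY[1:]):
        print(f"{v_old} -> {v_new}: safe={safe_to_upgrade(APP_CALLS, a_old, a_new)}",
              f"affected={sorted(affected_calls(APP_CALLS, a_old, a_new))}")
```

Two points of the abstract are visible in the output: `1.1.1` is flagged as a semver violation because the version string alone would have suggested a harmless patch, and the upgrade `1.0.0 -> 1.1.0` is safe for this application while `1.1.0 -> 1.1.1` is not, because the application calls `jsonlib.dump`, whose signature changed. A real analysis would extract the API surfaces from the packaged artifacts rather than from hand-written dictionaries, and would also have to resolve which methods an application actually reaches.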


Published in: ESEC/FSE 2018: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (October 2018, 987 pages). ISBN: 9781450355735. DOI: 10.1145/3236024.

          Copyright © 2018 ACM


Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance rate (overall): 112 of 543 submissions, 21%
