Sat 27 Mar 2021
Moscow, Russia Everywhere!
The First International Conference on Code Quality (ICCQ) was a one-day computer science event organized in cooperation with the IEEE Russia Section C Chapter and focused on static analysis, program verification, bug detection, and software maintenance.
Watch all presentations on YouTube and subscribe to our channel so that you don’t miss the next event!
The Proceedings of ICCQ was published by IEEE Xplore.
Keynote
Anders Møller
Aarhus University
Anders Møller is professor at Aarhus University and manager
of Center for Advanced Software Analysis.
He has received a Consolidator Grant from the European Research Council (ERC),
the Danish Elite Research Prize 2020,
and six times a Distinguished Paper Award from ACM SIGSOFT or SIGPLAN.
He is currently associate editor of ACM TOPLAS and
ACM TOSEM.
His main research area is program analysis, specifically for JavaScript.
Steering Committee
Zhang Yuxin (Chair)
CTO of Huawei Cloud
Yevgeny Kolbin
CEO of SberCloud
Program Committee
Sergey Zykov (Chair)
HSE
And in alphabetical order:
Anastasios Antoniadis
University of Athens
Julia Belyakova
Northeastern University
Aysu Betin-Can
Middle East Technical University
Laura M. Castro
Universidade da Coruña
Kiko Fernandez-Reyes
Uppsala University
Alexander Gerasimov
Huawei RRI
Christian Hammer
University of Potsdam
Mats Heimdahl
University of Minnesota
Robert Hirschfeld
University of Potsdam
Hugh Leather
University of Edinburgh
Brandon Lucia
Carnegie Mellon University
Alex Potanin
Victoria University of Wellington
Johannes Späth
University of Paderborn
Giancarlo Succi
Innopolis University
Yulei Sui
University of Technology Sydney
Jubi Taneja
University of Utah
Zheng Wang
University of Leeds
Program
Subscribe to our YouTube channel.
10:00 (Moscow time)
Yegor Bugayenko
Opening
10:15
Zhang Yuxin
Steering Welcome Speech
10:30
Sergey Zykov
PC Welcome Speech
10:45
Anders Møller
Keynote: Preventing Failures Caused by Breaking Changes in JavaScript Libraries
11:30
Veselin Raychev
Invited Paper: Learning to find bugs and code quality problems - what worked and what not?
12:00 Coffee Break
12:30
Péter Hegedűs
Balázs Mosolygó
Towards a Prototype Based Explainable JavaScript Vulnerability Prediction Model
13:00
Christina Peterson
An Efficient Dynamic Analysis Tool for Checking Durable Linearizability
13:30
Sriteja Kummita
Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON
14:00 Lunch
14:30
Ekaterina Garmash
Exploring the Effect of NULL Usage in Source Code
15:00
Muntazir Fadhel
Striffs: Architectural Component Diagrams for Code Reviews
15:30
Tiago Espinha Gasiba
Samra Hodzic
Raising Security Awareness using Cybersecurity Challenges in Embedded Programming Courses
16:00 Closing
All 11 videos are in this playlist.
Keynotes and Invited Talks
Preventing Failures Caused by Breaking Changes in JavaScript Libraries
Anders Møller
JavaScript libraries often evolve, and breaking changes can cause failures in the applications that use the libraries. With the extensive use of libraries in modern JavaScript software development and the dynamic nature of the language, this is a major concern for the application developers. How can we automatically detect whether a library update contains breaking changes? Once the breaking changes have been identified, how can we automatically find the locations in the application code that may be affected? And is it possible to automatically patch the application code to become compatible with the new version of the library? This talk presents some recent work that addresses these challenges by the use of novel program analysis techniques.
Learning to find bugs and code quality problems - what worked and what not?
Veselin Raychev
The recent growth of open source repositories and deep learning models brought big promises for the next generation of programming tools that can automate or significantly improve the software development process. Yet, such tools are still rare and the machine learning components in them are not always apparent to their users. The current most useful techniques in machine learning for code are also not coming from the organizations such as Microsoft, Google, DeepMind, Facebook, OpenAI or nVidia that invested the most in deep neural techniques such as huge neural networks. This probably means that either many of these coding problems are significantly different from other hot topics in deep learning such as image processing or that it is much more difficult to collect datasets that would result in similarly successful tools. In this work, we study the results in the literature on the topic and discuss ways to address these shortcomings.
Accepted Papers
We received 23 submissions. 6 papers were desk-rejected. Each paper received at least three reviews from PC members. 6 papers were accepted (25% acceptance ratio):
Towards a Prototype Based Explainable JavaScript Vulnerability Prediction Model
Balázs Mosolygó,
Norbert Vándor,
Gábor Antal,
Péter Hegedűs
and
Rudolf Ferenc
Security has become a central and unavoidable aspect of today’s software development. Practitioners and researchers have proposed many code analysis tools and techniques to mitigate security risks. These tools apply static and dynamic analysis or, more recently, machine learning. Machine learning models can achieve impressive results in finding and forecasting possible security issues in programs. However, there are at least two areas where most of the current approaches fall short of developer demands: explainability and granularity of predictions. In this paper, we propose a novel and simple yet, promising approach to identify potentially vulnerable source code in JavaScript programs. The model improves the state-of-the-art in terms of explainability and prediction granularity as it gives results at the level of individual source code lines, which is fine-grained enough for developers to take immediate actions. Additionally, the model explains each predicted line (i.e., provides the most similar vulnerable line from the training set) using a prototype-based approach. In a study of 186 real-world and confirmed JavaScript vulnerability fixes of 91 projects, the approach could flag 60% of the known vulnerable lines on average by marking only 10% of the code-base, but in certain cases the model identified 100% of the vulnerable code lines while flagging only 8.72% of the code-base.
An Efficient Dynamic Analysis Tool for Checking Durable Linearizability
Christina Peterson
and Damian Dechev
Designing efficient and correct durable data structures is indispensable because Non-Volatile Memory (NVM) is positioned as a successor to DRAM due to its energy efficiency and reliability. The challenge with ensuring correctness for efficient durable data structures is that caches and registers are expected to remain volatile, and the explicit cache line flush and barrier instructions are expensive. As a result cache line flushes and barriers are used sparingly, leading to potential inconsistencies in the recoverable state of the data structure. Crash consistency tools are available to ensure recoverability to a consistent state, but these tools are not able to check correctness of data structure semantics. Furthermore, the formal logic proposed to verify correctness conditions such as durable linearizability involve labor intensive mechanical proofs using a theorem prover. In this paper, we present the first dynamic analysis tool that checks durable linearizability at runtime. Our proposed tool, VSV-D, uses a vector space analysis to achieve a worst-case 𝑂(𝑛2) time complexity. We extend the analysis to transactional correctness to enable VSV-D to check durable transactional data structures. Our experimental evaluation applies VSV-D to check the correctness of a large variety of durable data structures including log-free data structures, link-free data structures, Romulus, OneFile, PMDK, and PETRA.
Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON
Sriteja Kummita,
Goran Piskachev,
Johannes Spaeth
and Eric Bodden
As one of the most popular programming languages, Python has become a relevant target language for static analysis tools. The primary data structure for performing an inter-procedural static analysis is callgraph (CG), which links call sites to potential call targets in a program. There exists multiple algorithms for constructing callgraphs, tailored to specific languages. However, comparatively few implementations target Python. Moreover, there is still lack of empirical evidence as to how these few algorithms perform in terms of precision and recall. This paper thus presents eval_CG, an extensible framework for comparative analysis of Python callgraphs. We conducted two experiments which run the CG algorithms on different Python programming constructs and real-world applications. In both experiments, we evaluate three CG generation frameworks namely, Code2flow, Pyan, and Wala. We record precision, recall, and running time, and identify sources of unsoundness of each framework. Our evaluation shows that none of the current CG construction frameworks produce a sound CG. Moreover, the static CGs contain many spurious edges. Code2flow is also comparatively slow. Hence, further research is needed to support CG generation for Python programs
Exploring the Effect of NULL Usage in Source Code
Ekaterina Garmash and Anton Cheshkov
In this paper we propose to use causal inference (CI) to reason about code smells, or anti-patterns. CI provides methods to estimate the magnitude of effect of certain interventions on the studied system of variables based on observational data only. We would like to estimate the average effect of using a certain pattern on some code quality characteristic. If code quality characteristic systematically deteriorates when a certain pattern is used, it can serve as confirmation that it is in fact an anti-pattern. In the present study, we narrow down the scope and focus on one notorious case of code smells, the usage of NULL. We investigate the effect of using a selection of NULL-based patterns on code complexity metrics. The experiments on open source Java code show preliminary confirmation that NULL is in fact an anti-pattern under certain conditions. We come to a conclusion that in order to fully answer the research question, a better underlying model of the code development process is needed. Moreover, in order to confirm the detrimental effect of patterns, one should investigate their effect on a more diverse set of code characteristics, in addition to code complexity metrics.
Striffs: Architectural Component Diagrams for Code Reviews
Muntazir Fadhel
and
Emil Sekerinski
Despite recent advancements in automated code quality and defect finding tools, developers spend a significant amount of time completing code reviews. Code understandability is a key contributor to this phenomenon, since engineers need to understand both microscopic and macroscopic level details of the code under review. Existing tools for code reviews including diffing, inline commenting and syntax highlighting provide limited support for the macroscopic understanding needs of reviewers. When reviewing code for architectural and design quality, such tools do not enable reviewers to understand the code from a top-down lens which the original architects of the code would have likely used to design the system. To overcome these limitations and to complement existing approaches, we introduce structure diff (striff) diagrams. Striffs provide reviewers with an architectural understanding of the incoming code in relation to the existing system, allowing reviewers to gain a more complete view of the scope and impact of the proposed code changes in a code review.
Raising Security Awareness using Cybersecurity Challenges in Embedded Programming Courses
Tiago Espinha Gasiba,
Samra Hodzic,
Ulrike Lechner
and
Maria Pinto-Albuquerque
Security bugs are errors in code that, when exploited, can lead to serious software vulnerabilities. These bugs could allow an attacker to take over an application and steal information. One of the ways to address this issue is by means of awareness training. The Sifu platform was developed in the industry, for the industry, with the aim to raise software developers’ awareness of secure coding. This paper extends the Sifu platform with three challenges that specifically address embedded programming courses, and describes how to implement these challenges, while also evaluating the usefulness of these challenges to raise security awareness in an academic setting. Our work presents technical details on the detection mechanisms for software vulnerabilities and gives practical advice on how to implement them. The evaluation of the challenges is performed through two trial runs with a total of 16 participants. Our preliminary results show that the challenges are suitable for academia, and can even potentially be included in official teaching curricula. One major finding is an indicator of the lack of awareness of secure coding by undergraduates. Finally, we compare our results with previous work done in the industry and extract advice for practitioners.
Partners
Academia:
Ivannikov Institute for System Programming of the RAS
Moscow Institute of Physics and Technology
Not-for-profit:
RUSSOFT,
a non-profit union of software companies
SECR,
a famous Russian software conference
Industry:
Huawei,
a global provider of ICT infrastructure and smart devices
SberCloud,
a cloud platform of Sberbank Group
Yandex,
a Russian intelligent technology company
Kaspersky,
a multinational cybersecurity and anti-virus provider
Interested in joining and helping us make ICCQ even better? Click here.
Organizers
These people were making ICCQ’21:
Yegor
Bugayenko (Chair)
If you are interested in helping us and joining the team of organizers, please email team@iccq.ru.