The First International Conference on Code Quality

Photo of ICCQ Proceedings

Sat 27 Mar 2021
Moscow, Russia Everywhere!

The First International Conference on Code Quality (ICCQ) was a one-day computer science event organized in cooperation with the IEEE Russia Section C Chapter and focused on static analysis, program verification, bug detection, and software maintenance.

Watch all presentations on YouTube and subscribe to our channel so that you don’t miss the next event!

The Proceedings of ICCQ were published by IEEE Xplore.


anders møller Anders Møller
Aarhus University
Anders Møller is professor at Aarhus University and manager of Center for Advanced Software Analysis. He has received a Consolidator Grant from the European Research Council (ERC), the Danish Elite Research Prize 2020, and six times a Distinguished Paper Award from ACM SIGSOFT or SIGPLAN. He is currently associate editor of ACM TOPLAS and ACM TOSEM. His main research area is program analysis, specifically for JavaScript.

Steering Committee

zhang yuxin Zhang Yuxin (Chair)
CTO of Huawei Cloud

yevgeny kolbin Yevgeny Kolbin
CEO of SberCloud

Program Committee

sergey zykov Sergey Zykov (Chair)

And in alphabetical order:

anastasios antoniadis Anastasios Antoniadis
University of Athens

julia belyakova Julia Belyakova
Northeastern University

aysu betin-can Aysu Betin-Can
Middle East Technical University

magiel bruntink Magiel Bruntink

laura m. castro Laura M. Castro
Universidade da Coruña

yufei ding Yufei Ding

umar farooq Umar Farooq

kiko fernandez-reyes Kiko Fernandez-Reyes
Uppsala University

alexander gerasimov Alexander Gerasimov
Huawei RRI

ben hardekopf Ben Hardekopf

christian hammer Christian Hammer
University of Potsdam

mats heimdahl Mats Heimdahl
University of Minnesota

robert hirschfeld Robert Hirschfeld
University of Potsdam

hugh leather Hugh Leather
University of Edinburgh

brandon lucia Brandon Lucia
Carnegie Mellon University

petr maj Petr Maj

pens palsberg Jens Palsberg

alexander petrenko Alexander K. Petrenko

alex potanin Alex Potanin
Victoria University of Wellington

vladimir rubanov Vladimir Rubanov
Huawei RRI

malavika samak Malavika Samak

aaron smith Aaron Smith

johannes späth Johannes Späth
University of Paderborn

yulei sui Giancarlo Succi
Innopolis University

yulei sui Yulei Sui
University of Technology Sydney

jubi taneja Jubi Taneja
University of Utah

qianxiang wang Qianxiang Wang

zheng wang Zheng Wang
University of Leeds

david west David West
Object Guild BV

Keynotes and Invited Talks

Preventing Failures Caused by Breaking Changes in JavaScript Libraries youtube icon Anders Møller

JavaScript libraries often evolve, and breaking changes can cause failures in the applications that use the libraries. With the extensive use of libraries in modern JavaScript software development and the dynamic nature of the language, this is a major concern for the application developers. How can we automatically detect whether a library update contains breaking changes? Once the breaking changes have been identified, how can we automatically find the locations in the application code that may be affected? And is it possible to automatically patch the application code to become compatible with the new version of the library? This talk presents some recent work that addresses these challenges by the use of novel program analysis techniques.

Learning to find bugs and code quality problems - what worked and what not? youtube icon pdf icon Veselin Raychev

The recent growth of open source repositories and deep learning models brought big promises for the next generation of programming tools that can automate or significantly improve the software development process. Yet, such tools are still rare and the machine learning components in them are not always apparent to their users. The current most useful techniques in machine learning for code are also not coming from the organizations such as Microsoft, Google, DeepMind, Facebook, OpenAI or nVidia that invested the most in deep neural techniques such as huge neural networks. This probably means that either many of these coding problems are significantly different from other hot topics in deep learning such as image processing or that it is much more difficult to collect datasets that would result in similarly successful tools. In this work, we study the results in the literature on the topic and discuss ways to address these shortcomings.

Accepted Papers

We received 23 submissions. 6 papers were desk-rejected. Each paper received at least three reviews from PC members. 6 papers were accepted (25% acceptance ratio):

Towards a Prototype Based Explainable JavaScript Vulnerability Prediction Model youtube icon pdf icon Balázs Mosolygó, Norbert Vándor, Gábor Antal, Péter Hegedűs and Rudolf Ferenc

Security has become a central and unavoidable aspect of today’s software development. Practitioners and researchers have proposed many code analysis tools and techniques to mitigate security risks. These tools apply static and dynamic analysis or, more recently, machine learning. Machine learning models can achieve impressive results in finding and forecasting possible security issues in programs. However, there are at least two areas where most of the current approaches fall short of developer demands: explainability and granularity of predictions. In this paper, we propose a novel and simple yet, promising approach to identify potentially vulnerable source code in JavaScript programs. The model improves the state-of-the-art in terms of explainability and prediction granularity as it gives results at the level of individual source code lines, which is fine-grained enough for developers to take immediate actions. Additionally, the model explains each predicted line (i.e., provides the most similar vulnerable line from the training set) using a prototype-based approach. In a study of 186 real-world and confirmed JavaScript vulnerability fixes of 91 projects, the approach could flag 60% of the known vulnerable lines on average by marking only 10% of the code-base, but in certain cases the model identified 100% of the vulnerable code lines while flagging only 8.72% of the code-base.

An Efficient Dynamic Analysis Tool for Checking Durable Linearizability youtube icon pdf icon Christina Peterson and Damian Dechev

Designing efficient and correct durable data structures is indispensable because Non-Volatile Memory (NVM) is positioned as a successor to DRAM due to its energy efficiency and reliability. The challenge with ensuring correctness for efficient durable data structures is that caches and registers are expected to remain volatile, and the explicit cache line flush and barrier instructions are expensive. As a result cache line flushes and barriers are used sparingly, leading to potential inconsistencies in the recoverable state of the data structure. Crash consistency tools are available to ensure recoverability to a consistent state, but these tools are not able to check correctness of data structure semantics. Furthermore, the formal logic proposed to verify correctness conditions such as durable linearizability involve labor intensive mechanical proofs using a theorem prover. In this paper, we present the first dynamic analysis tool that checks durable linearizability at runtime. Our proposed tool, VSV-D, uses a vector space analysis to achieve a worst-case 𝑂(𝑛2) time complexity. We extend the analysis to transactional correctness to enable VSV-D to check durable transactional data structures. Our experimental evaluation applies VSV-D to check the correctness of a large variety of durable data structures including log-free data structures, link-free data structures, Romulus, OneFile, PMDK, and PETRA.

Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON youtube icon pdf icon Sriteja Kummita, Goran Piskachev, Johannes Spaeth and Eric Bodden

As one of the most popular programming languages, Python has become a relevant target language for static analysis tools. The primary data structure for performing an inter-procedural static analysis is callgraph (CG), which links call sites to potential call targets in a program. There exists multiple algorithms for constructing callgraphs, tailored to specific languages. However, comparatively few implementations target Python. Moreover, there is still lack of empirical evidence as to how these few algorithms perform in terms of precision and recall. This paper thus presents eval_CG, an extensible framework for comparative analysis of Python callgraphs. We conducted two experiments which run the CG algorithms on different Python programming constructs and real-world applications. In both experiments, we evaluate three CG generation frameworks namely, Code2flow, Pyan, and Wala. We record precision, recall, and running time, and identify sources of unsoundness of each framework. Our evaluation shows that none of the current CG construction frameworks produce a sound CG. Moreover, the static CGs contain many spurious edges. Code2flow is also comparatively slow. Hence, further research is needed to support CG generation for Python programs

Exploring the Effect of NULL Usage in Source Code youtube icon pdf icon Ekaterina Garmash and Anton Cheshkov

In this paper we propose to use causal inference (CI) to reason about code smells, or anti-patterns. CI provides methods to estimate the magnitude of effect of certain interventions on the studied system of variables based on observational data only. We would like to estimate the average effect of using a certain pattern on some code quality characteristic. If code quality characteristic systematically deteriorates when a certain pattern is used, it can serve as confirmation that it is in fact an anti-pattern. In the present study, we narrow down the scope and focus on one notorious case of code smells, the usage of NULL. We investigate the effect of using a selection of NULL-based patterns on code complexity metrics. The experiments on open source Java code show preliminary confirmation that NULL is in fact an anti-pattern under certain conditions. We come to a conclusion that in order to fully answer the research question, a better underlying model of the code development process is needed. Moreover, in order to confirm the detrimental effect of patterns, one should investigate their effect on a more diverse set of code characteristics, in addition to code complexity metrics.

Striffs: Architectural Component Diagrams for Code Reviews youtube icon pdf icon Muntazir Fadhel and Emil Sekerinski

Despite recent advancements in automated code quality and defect finding tools, developers spend a significant amount of time completing code reviews. Code understandability is a key contributor to this phenomenon, since engineers need to understand both microscopic and macroscopic level details of the code under review. Existing tools for code reviews including diffing, inline commenting and syntax highlighting provide limited support for the macroscopic understanding needs of reviewers. When reviewing code for architectural and design quality, such tools do not enable reviewers to understand the code from a top-down lens which the original architects of the code would have likely used to design the system. To overcome these limitations and to complement existing approaches, we introduce structure diff (striff) diagrams. Striffs provide reviewers with an architectural understanding of the incoming code in relation to the existing system, allowing reviewers to gain a more complete view of the scope and impact of the proposed code changes in a code review.

Raising Security Awareness using Cybersecurity Challenges in Embedded Programming Courses youtube icon pdf icon Tiago Espinha Gasiba, Samra Hodzic, Ulrike Lechner and Maria Pinto-Albuquerque

Security bugs are errors in code that, when exploited, can lead to serious software vulnerabilities. These bugs could allow an attacker to take over an application and steal information. One of the ways to address this issue is by means of awareness training. The Sifu platform was developed in the industry, for the industry, with the aim to raise software developers’ awareness of secure coding. This paper extends the Sifu platform with three challenges that specifically address embedded programming courses, and describes how to implement these challenges, while also evaluating the usefulness of these challenges to raise security awareness in an academic setting. Our work presents technical details on the detection mechanisms for software vulnerabilities and gives practical advice on how to implement them. The evaluation of the challenges is performed through two trial runs with a total of 16 participants. Our preliminary results show that the challenges are suitable for academia, and can even potentially be included in official teaching curricula. One major finding is an indicator of the lack of awareness of secure coding by undergraduates. Finally, we compare our results with previous work done in the industry and extract advice for practitioners.



hse Higher School of Economics

isp Ivannikov Institute for System Programming of the RAS

msu Moscow State University

mipt Moscow Institute of Physics and Technology


russoft RUSSOFT, a non-profit union of software companies

secr SECR, a famous Russian software conference


huawei Huawei, a global provider of ICT infrastructure and smart devices

sbercloud SberCloud, a cloud platform of Sberbank Group

yandex Yandex, a Russian intelligent technology company

kaspersky Kaspersky, a multinational cybersecurity and anti-virus provider


These people were making ICCQ’21:

yegor bugayenko Yegor

sergey belov Sergey

sergei prokhorov Sergei

jeff zhu Jeff