ICCQ: International Conference on Code Quality

Sat 27 Mar 2021
~~Moscow, Russia~~ Everywhere!

The First International Conference on Code Quality (ICCQ) was a one-day computer science event organized in cooperation with the IEEE Russia Section C Chapter and focused on static analysis, program verification, bug detection, and software maintenance.

Watch all presentations on YouTube and subscribe to our channel so that you don’t miss the next event!

The Proceedings of ICCQ were published by IEEE Xplore.

Keynote

Anders Møller
Aarhus University
Anders Møller is professor at Aarhus University and manager of Center for Advanced Software Analysis. He has received a Consolidator Grant from the European Research Council (ERC), the Danish Elite Research Prize 2020, and six times a Distinguished Paper Award from ACM SIGSOFT or SIGPLAN. He is currently associate editor of ACM TOPLAS and ACM TOSEM. His main research area is program analysis, specifically for JavaScript.

Steering Committee

Zhang Yuxin (Chair)
CTO of Huawei Cloud

Yevgeny Kolbin
CEO of SberCloud

Program Committee

Sergey Zykov (Chair)
HSE

And in alphabetical order:

Anastasios Antoniadis
University of Athens

Julia Belyakova
Northeastern University

Aysu Betin-Can
Middle East Technical University

Magiel Bruntink
SIG

Laura M. Castro
Universidade da Coruña

Yufei Ding
UCSB

Umar Farooq
UCR

Kiko Fernandez-Reyes
Uppsala University

Alexander Gerasimov
Huawei RRI

Ben Hardekopf
UCSB

Christian Hammer
University of Potsdam

Mats Heimdahl
University of Minnesota

Robert Hirschfeld
University of Potsdam

Hugh Leather
University of Edinburgh

Brandon Lucia
Carnegie Mellon University

Petr Maj
FIT CTU

pens palsberg Jens Palsberg
UCLA

alexander petrenko Alexander K. Petrenko
ISP RAS

Alex Potanin
Victoria University of Wellington

Vladimir Rubanov
Huawei RRI

Malavika Samak
MIT

Aaron Smith
Microsoft

Johannes Späth
University of Paderborn

yulei sui Giancarlo Succi
Innopolis University

Yulei Sui
University of Technology Sydney

Jubi Taneja
University of Utah

Qianxiang Wang
Huawei

Zheng Wang
University of Leeds

David West
Object Guild BV

Keynotes and Invited Talks

Preventing Failures Caused by Breaking Changes in JavaScript Libraries Anders Møller

JavaScript libraries often evolve, and breaking changes can cause failures in the applications that use the libraries. With the extensive use of libraries in modern JavaScript software development and the dynamic nature of the language, this is a major concern for the application developers. How can we automatically detect whether a library update contains breaking changes? Once the breaking changes have been identified, how can we automatically find the locations in the application code that may be affected? And is it possible to automatically patch the application code to become compatible with the new version of the library? This talk presents some recent work that addresses these challenges by the use of novel program analysis techniques.

Learning to find bugs and code quality problems - what worked and what not? Veselin Raychev

The recent growth of open source repositories and deep learning models brought big promises for the next generation of programming tools that can automate or significantly improve the software development process. Yet, such tools are still rare and the machine learning components in them are not always apparent to their users. The current most useful techniques in machine learning for code are also not coming from the organizations such as Microsoft, Google, DeepMind, Facebook, OpenAI or nVidia that invested the most in deep neural techniques such as huge neural networks. This probably means that either many of these coding problems are significantly different from other hot topics in deep learning such as image processing or that it is much more difficult to collect datasets that would result in similarly successful tools. In this work, we study the results in the literature on the topic and discuss ways to address these shortcomings.

Accepted Papers

We received 23 submissions. 6 papers were desk-rejected. Each paper received at least three reviews from PC members. 6 papers were accepted (25% acceptance ratio):

Towards a Prototype Based Explainable JavaScript Vulnerability Prediction Model Balázs Mosolygó, Norbert Vándor, Gábor Antal, Péter Hegedűs and Rudolf Ferenc

Security has become a central and unavoidable aspect of today’s software development. Practitioners and researchers have proposed many code analysis tools and techniques to mitigate security risks. These tools apply static and dynamic analysis or, more recently, machine learning. Machine learning models can achieve impressive results in finding and forecasting possible security issues in programs. However, there are at least two areas where most of the current approaches fall short of developer demands: explainability and granularity of predictions. In this paper, we propose a novel and simple yet, promising approach to identify potentially vulnerable source code in JavaScript programs. The model improves the state-of-the-art in terms of explainability and prediction granularity as it gives results at the level of individual source code lines, which is fine-grained enough for developers to take immediate actions. Additionally, the model explains each predicted line (i.e., provides the most similar vulnerable line from the training set) using a prototype-based approach. In a study of 186 real-world and confirmed JavaScript vulnerability fixes of 91 projects, the approach could flag 60% of the known vulnerable lines on average by marking only 10% of the code-base, but in certain cases the model identified 100% of the vulnerable code lines while flagging only 8.72% of the code-base.

An Efficient Dynamic Analysis Tool for Checking Durable Linearizability Christina Peterson and Damian Dechev

Designing efficient and correct durable data structures is indispensable because Non-Volatile Memory (NVM) is positioned as a successor to DRAM due to its energy efficiency and reliability. The challenge with ensuring correctness for efficient durable data structures is that caches and registers are expected to remain volatile, and the explicit cache line flush and barrier instructions are expensive. As a result cache line flushes and barriers are used sparingly, leading to potential inconsistencies in the recoverable state of the data structure. Crash consistency tools are available to ensure recoverability to a consistent state, but these tools are not able to check correctness of data structure semantics. Furthermore, the formal logic proposed to verify correctness conditions such as durable linearizability involve labor intensive mechanical proofs using a theorem prover. In this paper, we present the first dynamic analysis tool that checks durable linearizability at runtime. Our proposed tool, VSV-D, uses a vector space analysis to achieve a worst-case 𝑂(𝑛²) time complexity. We extend the analysis to transactional correctness to enable VSV-D to check durable transactional data structures. Our experimental evaluation applies VSV-D to check the correctness of a large variety of durable data structures including log-free data structures, link-free data structures, Romulus, OneFile, PMDK, and PETRA.

Qualitative and Quantitative Analysis of Callgraph Algorithms for PYTHON Sriteja Kummita, Goran Piskachev, Johannes Spaeth and Eric Bodden

As one of the most popular programming languages, Python has become a relevant target language for static analysis tools. The primary data structure for performing an inter-procedural static analysis is callgraph (CG), which links call sites to potential call targets in a program. There exists multiple algorithms for constructing callgraphs, tailored to specific languages. However, comparatively few implementations target Python. Moreover, there is still lack of empirical evidence as to how these few algorithms perform in terms of precision and recall. This paper thus presents eval_CG, an extensible framework for comparative analysis of Python callgraphs. We conducted two experiments which run the CG algorithms on different Python programming constructs and real-world applications. In both experiments, we evaluate three CG generation frameworks namely, Code2flow, Pyan, and Wala. We record precision, recall, and running time, and identify sources of unsoundness of each framework. Our evaluation shows that none of the current CG construction frameworks produce a sound CG. Moreover, the static CGs contain many spurious edges. Code2flow is also comparatively slow. Hence, further research is needed to support CG generation for Python programs

Exploring the Effect of NULL Usage in Source Code Ekaterina Garmash and Anton Cheshkov

In this paper we propose to use causal inference (CI) to reason about code smells, or anti-patterns. CI provides methods to estimate the magnitude of effect of certain interventions on the studied system of variables based on observational data only. We would like to estimate the average effect of using a certain pattern on some code quality characteristic. If code quality characteristic systematically deteriorates when a certain pattern is used, it can serve as confirmation that it is in fact an anti-pattern. In the present study, we narrow down the scope and focus on one notorious case of code smells, the usage of NULL. We investigate the effect of using a selection of NULL-based patterns on code complexity metrics. The experiments on open source Java code show preliminary confirmation that NULL is in fact an anti-pattern under certain conditions. We come to a conclusion that in order to fully answer the research question, a better underlying model of the code development process is needed. Moreover, in order to confirm the detrimental effect of patterns, one should investigate their effect on a more diverse set of code characteristics, in addition to code complexity metrics.

Striffs: Architectural Component Diagrams for Code Reviews Muntazir Fadhel and Emil Sekerinski

Despite recent advancements in automated code quality and defect finding tools, developers spend a significant amount of time completing code reviews. Code understandability is a key contributor to this phenomenon, since engineers need to understand both microscopic and macroscopic level details of the code under review. Existing tools for code reviews including diffing, inline commenting and syntax highlighting provide limited support for the macroscopic understanding needs of reviewers. When reviewing code for architectural and design quality, such tools do not enable reviewers to understand the code from a top-down lens which the original architects of the code would have likely used to design the system. To overcome these limitations and to complement existing approaches, we introduce structure diff (striff) diagrams. Striffs provide reviewers with an architectural understanding of the incoming code in relation to the existing system, allowing reviewers to gain a more complete view of the scope and impact of the proposed code changes in a code review.

Raising Security Awareness using Cybersecurity Challenges in Embedded Programming Courses Tiago Espinha Gasiba, Samra Hodzic, Ulrike Lechner and Maria Pinto-Albuquerque

Security bugs are errors in code that, when exploited, can lead to serious software vulnerabilities. These bugs could allow an attacker to take over an application and steal information. One of the ways to address this issue is by means of awareness training. The Sifu platform was developed in the industry, for the industry, with the aim to raise software developers’ awareness of secure coding. This paper extends the Sifu platform with three challenges that specifically address embedded programming courses, and describes how to implement these challenges, while also evaluating the usefulness of these challenges to raise security awareness in an academic setting. Our work presents technical details on the detection mechanisms for software vulnerabilities and gives practical advice on how to implement them. The evaluation of the challenges is performed through two trial runs with a total of 16 participants. Our preliminary results show that the challenges are suitable for academia, and can even potentially be included in official teaching curricula. One major finding is an indicator of the lack of awareness of secure coding by undergraduates. Finally, we compare our results with previous work done in the industry and extract advice for practitioners.