
Will Dependency Conflicts Affect My Program's Semantics?

Java projects are often built on top of various third-party libraries. If multiple versions of a library exist on the classpath, JVM will only load one version and shadow the others, which we refer to as dependency conflicts. This would give rise to semantic conflict (SC) issues, if the library API...

Bibliographic Details
Published in: IEEE transactions on software engineering 2022-07, Vol.48 (7), p.2295-2316
Main Authors: Wang, Ying, Wu, Rongxin, Wang, Chao, Wen, Ming, Liu, Yepang, Cheung, Shing-Chi, Yu, Hai, Xu, Chang, Zhu, Zhiliang
Format: Article
Language: English
container_end_page 2316
container_issue 7
container_start_page 2295
container_title IEEE transactions on software engineering
container_volume 48
creator Wang, Ying
Wu, Rongxin
Wang, Chao
Wen, Ming
Liu, Yepang
Cheung, Shing-Chi
Yu, Hai
Xu, Chang
Zhu, Zhiliang
description Java projects are often built on top of various third-party libraries. If multiple versions of a library exist on the classpath, JVM will only load one version and shadow the others, which we refer to as dependency conflicts. This would give rise to semantic conflict (SC) issues, if the library APIs referenced by a project have identical method signatures but inconsistent semantics across the loaded and shadowed versions of libraries. SC issues are difficult for developers to diagnose in practice, since understanding them typically requires domain knowledge. Although adapting the existing test generation technique for dependency conflict issues, Riddle, to detect SC issues is feasible, its effectiveness is greatly compromised. This is mainly because Riddle randomly generates test inputs, while the SC issues typically require specific arguments in the tests to be exposed. To address that, we conducted an empirical study of 316 real SC issues to understand the characteristics of such specific arguments in the test cases that can capture the SC issues. Inspired by our empirical findings, we propose an automated testing technique Sensor, which synthesizes test cases using ingredients from the project under test to trigger inconsistent behaviors of the APIs with the same signatures in conflicting library versions. Our evaluation results show that Sensor is effective and useful: it achieved a Precision of 0.898 and a Recall of 0.725 on open-source projects and a Precision of 0.821 on industrial projects; it detected 306 semantic conflict issues in 50 projects, 70.4 percent of which had been confirmed as real bugs, and 84.2 percent of the confirmed issues have been fixed quickly.
doi_str_mv 10.1109/TSE.2021.3057767
format article
identifier ISSN: 0098-5589
ispartof IEEE transactions on software engineering, 2022-07, Vol.48 (7), p.2295-2316
issn 0098-5589
1939-3520
language eng
recordid cdi_ieee_primary_9350237
source IEEE Xplore (Online service)
subjects Compilers
Computer science
empirical study
Java
Libraries
Open source software
Runtime
Semantics
Signatures
test generation
Testing
Third-party libraries
title Will Dependency Conflicts Affect My Program's Semantics?
url http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-30T13%3A55%3A26IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_ieee_&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Will%20Dependency%20Conflicts%20Affect%20My%20Program's%20Semantics?&rft.jtitle=IEEE%20transactions%20on%20software%20engineering&rft.au=Wang,%20Ying&rft.date=2022-07-01&rft.volume=48&rft.issue=7&rft.spage=2295&rft.epage=2316&rft.pages=2295-2316&rft.issn=0098-5589&rft.eissn=1939-3520&rft.coden=IESEDJ&rft_id=info:doi/10.1109/TSE.2021.3057767&rft_dat=%3Cproquest_ieee_%3E2689807684%3C/proquest_ieee_%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c291t-9e3ec699b96262142fe18f571cd39577640712bef23d839c667e6b8b1773796f3%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_pqid=2689807684&rft_id=info:pmid/&rft_ieee_id=9350237&rfr_iscdi=true