A Systematic Evaluation of Static API-Misuse Detectors

Application Programming Interfaces (APIs) often have usage constraints, such as restrictions on call order or call conditions. API misuses, i.e., violations of these constraints, may lead to software crashes, bugs, and vulnerabilities. Though researchers developed many API-misuse detectors over the...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on software engineering 2019-12, Vol.45 (12), p.1170-1188
Main Authors: Amann, Sven, Nguyen, Hoan Anh, Nadi, Sarah, Nguyen, Tien N., Mezini, Mira
Format: Article
Language:English
Subjects:
API-misuse detection
Application programming interface
benchmark
Benchmark testing
Classification
Computer bugs
Crashes
Detectors
misuse classification
MUBench
Sensors
survey
Systematics
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Application Programming Interfaces (APIs) often have usage constraints, such as restrictions on call order or call conditions. API misuses, i.e., violations of these constraints, may lead to software crashes, bugs, and vulnerabilities. Though researchers developed many API-misuse detectors over the last two decades, recent studies show that API misuses are still prevalent. Therefore, we need to understand the capabilities and limitations of existing detectors in order to advance the state of the art. In this paper, we present the first-ever qualitative and quantitative evaluation that compares static API-misuse detectors along the same dimensions, and with original author validation. To accomplish this, we develop MUC, a classification of API misuses, and MUBENCHPIPE, an automated benchmark for detector comparison, on top of our misuse dataset, MUBENCH. Our results show that the capabilities of existing detectors vary greatly and that existing detectors, though capable of detecting misuses, suffer from extremely low precision and recall. A systematic root-cause analysis reveals that, most importantly, detectors need to go beyond the naive assumption that a deviation from the most-frequent usage corresponds to a misuse and need to obtain additional usage examples to train their models. We present possible directions towards more-powerful API-misuse detectors.
ISSN:0098-5589
1939-3520
DOI:10.1109/TSE.2018.2827384