检索结果-内蒙古大学图书馆

35th IEEE International Symposium on software Reliability engineering, ISSRE 2024

作者： Wang, Jian Liu, Shangqing Xie, Xiaofei Siow, Jingkai Liu, Kui Li, Yi Singapore Management University Singapore Nanyang Technological University Singapore Software Engineering Application Technology Laboratory Huawei China

ISBN: (纸本)9798350353884

Automated Program Repair (APR) presents the promising momentum of releasing developers from the burden of manual debugging tasks by automatically fixing bugs in various ways. Recent advances in deep learning inspire many works in employing deep learning techniques to fixing buggy programs. However, several challenges remain unaddressed: (1) state-of-the-art fault localization techniques often require additional artifacts, such as bug-triggering test cases or bug reports. These artifacts are not always available in the early development phases;(2) Sequence-to-Sequence model-based APR often requires additional contexts with high quality to generate patches. Yet, it is challenging to identify high-quality contexts that are not common in *** this paper, with the redundancy assumption in program repair, we propose a dual deep learning-based APR tool, RATCHET, for localizing (RATCHET-FL) and repairing (Ratchet-PG) buggy programs. Ratchet-FL localizes buggy statements based on the feature learned by a simple BiLSTM model from the code, without any bug-triggering test cases or bug reports. Ratchet-PG relies on our proposed retrieval augmented transformer to learn the historical patches and generate patches for fixing bugs. We evaluate the effectiveness of Ratchet with in-the-lab DrRepair dataset and in-the-wild dataset Ratchet-DS (curated in this work). Our experimental results show that Ratchet outperforms state-of-the-art deep learning approaches on fault localization with 39.8-96.4% accuracy and patch generation with 18.4-46.4% repair accuracy. © 2024 IEEE.

关键词： Program debugging

来源：评论

学校读者我要写书评

暂无评论

Dual Prompt-Based Few-Shot Learning for Automated Vulnerability Patch Localization 31

Dual Prompt-Based Few-Shot Learning for Automated Vulnerabil...

引用

31st IEEE International Conference on software Analysis, Evolution and Reengineering, SANER 2024

作者： Zhang, Junwei Hu, Xing Bao, Lingfeng Xia, Xin Li, Shanping Zhejiang University The State Key Laboratory of Blockchain and Data Security Hangzhou China Software Engineering Application Technology Lab Huawei China

ISBN: (纸本)9798350330663

Vulnerabilities are disclosed with corresponding patches so that users can remediate them in time. However, there are instances where patches are not released with the disclosed vulnerabilities, causing hidden dangers, especially if dependent software remains uninformed about the affected code repository. Hence, it is crucial to automatically locate security patches for disclosed vulnerabilities among a multitude of commits. Despite the promising performance of existing learning-based localization approaches, they still suffer from the following limitations: (1) They cannot perform well in data scarcity scenarios. Most neural models require extensive datasets to capture the semantic correlations between the vulnerability description and code commits, while the number of disclosed vulnerabilities with patches is limited. (2) They struggle to capture the deep semantic correlations between the vulnerability description and code commits due to inherent differences in semantics and characters between code changes and commit messages. It is difficult to use one model to capture the semantic correlations between vulnerability descriptions and code commits. To mitigate these two limitations, in this paper, we propose a novel security patch localization approach named Prom VPat, which utilizes the dual prompt tuning channel to capture the semantic correlation between vulnerability descriptions and commits, especially in data scarcity (i.e., few-shot) scenarios. We first input the commit message and code changes with the vulnerability description into the prompt generator to generate two new inputs with prompt templates. Then, we adopt a pre-trained language model (i.e., PLM) as the encoder, utilize the prompt tuning method to fine-tune the encoder, and generate two correlation probabilities as the semantic features. In addition, we extract 26 handcrafted features from the vulnerability descriptions and the code commits. Finally, we utilize the attention mechanism to fuse the

关键词： Semantics

来源：评论

学校读者我要写书评

暂无评论

Investigating White-Box Attacks for On-Device Models 24

Investigating White-Box Attacks for On-Device Models

引用

44th ACM/IEEE International Conference on software engineering, ICSE 2024

作者： Zhou, Mingyi Gao, Xiang Wu, Jing Liu, Kui Sun, Hailong Li, Li Monash University MelbourneVIC Australia Beihang University Beijing China Huawei Software Engineering Application Technology Lab China Beihang University Beijing China Yunnan Key Laboratory of Software Engineering China

ISBN: (纸本)9798400702174

Numerous mobile apps have leveraged deep learning capabilities. However, on-device models are vulnerable to attacks as they can be easily extracted from their corresponding mobile apps. Although the structure and parameters information of these models can be accessed, existing on-device attacking approaches only generate black-box attacks (i.e., indirect white-box attacks), which are less effective and efficient than white-box strategies. This is because mobile deep learning (DL) frameworks like TensorFlow Lite (TFLite) do not support gradient computing (referred to as non-debuggable models), which is necessary for white-box attacking algorithms. Thus, we argue that existing findings may underestimate the harm-fulness of on-device attacks. To validate this, we systematically analyze the difficulties of transforming the on-device model to its debuggable version and propose a Reverse engineering framework for On-device Models (REOM), which automatically reverses the compiled on-device TFLite model to its debuggable version, enabling attackers to launch white-box attacks. Our empirical results show that our approach is effective in achieving automated transformation (i.e., 92.6%) among 244 TFLite models. Compared with previous attacks using surrogate models, REOM enables attackers to achieve higher attack success rates (10.23%→89.03%) with a hun-dred times smaller attack perturbations (1.0→0.01). Our findings emphasize the need for developers to carefully consider their model deployment strategies, and use white-box methods to evaluate the vulnerability of on-device models. Our artifacts11https://***/zhoumingyi/REOM are available. © 2024 ACM.

关键词： Deep learning

来源：评论

学校读者我要写书评

暂无评论

Practical Program Repair via Preference-based Ensemble Strategy 24

Practical Program Repair via Preference-based Ensemble Strat...

引用

46th IEEE/ACM International Conference on software engineering, ICSE 2024

作者： Zhong, Wenkang Xu, Tongtong Li, Chuanyi Ge, Jidong Liu, Kui Bissyandé, Tegawendé F. Luo, Bin Ng, Vincent National Key Laboratory for Novel Software Technology Nanjing University Nanjing China Huawei Software Engineering Application Technology Lab Hangzhou China University of Luxembourg Luxembourg Human Language Technology Research Institute University of Texas at Dallas RichardsonTX United States

ISBN: (纸本)9798400702174

To date, over 40 Automated Program Repair (APR) tools have been designed with varying bug-fixing strategies, which have been demonstrated to have complementary performance in terms of being effective for different bug classes. Intuitively, it should be feasible to improve the overall bug-fixing performance of APR via assembling existing tools. Unfortunately, simply invoking all available APR tools for a given bug can result in unacceptable costs on APR execution as well as on patch validation (via expensive testing). Therefore, while assembling existing tools is appealing, it requires an efficient strategy to reconcile the need to fix more bugs and the requirements for practicality. In light of this problem, we propose a Preference-based Ensemble Program Repair framework (P-EPR), which seeks to effectively rank APR tools for repairing different bugs. P-EPR is the first non-learning-based APR ensemble method that is novel in its exploitation of repair patterns as a major source of knowledge for ranking APR tools and its reliance on a dynamic update strategy that enables it to immediately exploit and benefit from newly derived repair results. Experimental results show that P-EPR outperforms existing strategies significantly both in flexibility and effectiveness. © 2024 IEEE Computer Society. All rights reserved.

关键词： Well testing

来源：评论

学校读者我要写书评

暂无评论

PS3: Precise Patch Presence Test Based on Semantic Symbolic Signature 24

PS3: Precise Patch Presence Test Based on Semantic Symbolic ...

引用

44th ACM/IEEE International Conference on software engineering, ICSE 2024

作者： Zhan, Qi Hu, Xing Li, Zhiyang Xia, Xin Lo, David Li, Shanping Zhejiang University The State Key Laboratory of Blockchain and Data Security Hangzhou China Zhejiang University Hangzhou China Software Engineering Application Technology Lab Huawei China Singapore Management University Singapore

ISBN: (纸本)9798400702174

During software development, vulnerabilities have posed a significant threat to users. Patches are the most effective way to combat vulnerabilities. In a large-scale software system, testing the presence of a security patch in every affected binary is crucial to ensure system security. Identifying whether a binary has been patched for a known vulnerability is challenging, as there may only be small differences between patched and vulnerable versions. Existing approaches mainly focus on detecting patches that are compiled in the same compiler options. However, it is common for developers to compile programs with very different compiler options in different situations, which causes inaccuracy for existing methods. In this paper, we propose a new approach named PS3, referring to precise patch presence test based on semantic-level symbolic signature. PS3 exploits symbolic emulation to extract signatures that are stable under different compiler options. Then PS3 can precisely test the presence of the patch by comparing the signatures between the reference and the target at semantic level. To evaluate the effectiveness of our approach, we constructed a dataset consisting of 3,631 (CVE, binary) pairs of 62 recent CVEs in four C/C++ projects. The experimental results show that PS3 achieves scores of 0.82, 0.97, and 0.89 in terms of precision, recall, and F1 score, respectively. PS3 outperforms the state-of-the-art baselines by improving 33% in terms of F1 score and remains stable in different compiler options. © 2024 ACM.

关键词： software design

来源：评论

学校读者我要写书评

暂无评论

Deep Assessment of Code Review Generation Approaches: Beyond Lexical Similarity

arXiv

引用

arXiv 2025年

作者： Jiang, Yanjie Liu, Hui Chen, Tianyi Fan, Fu Dong, Chunhao Liu, Kui Zhang, Lu Peking University China Beijing Institute of Technology China Huawei Software Engineering Application Technology Lab China

Code review is a standard practice for ensuring the quality of software projects, and recent research has focused extensively on automated code review. While significant advancements have been made in generating code reviews, the automated assessment of these reviews remains less explored, with existing approaches and metrics often proving inaccurate. Current metrics, such as BLEU, primarily rely on lexical similarity between generated and reference reviews. However, such metrics tend to underestimate reviews that articulate the expected issues in ways different from the references. In this paper, we explore how semantic similarity between generated and reference reviews can enhance the automated assessment of code reviews. We first present a benchmark called GradedReviews, which is constructed by collecting real-world code reviews from open-source projects, generating reviews using state-of-the-art approaches, and manually assessing their quality. We then evaluate existing metrics for code review assessment using this benchmark, revealing their limitations. To address these limitations, we propose two novel semantic-based approaches for assessing code reviews. The first approach involves converting both the generated review and its reference into digital vectors using a deep learning model and then measuring their semantic similarity through Cosine similarity. The second approach generates a prompt based on the generated review and its reference, submits this prompt to ChatGPT, and requests ChatGPT to rate the generated review according to explicitly defined criteria. Our evaluation on the GradedReviews benchmark indicates that the proposed semantic-based approaches significantly outperform existing state-of-the-art metrics in assessing generated code review, improving the correlation coefficient between the resulting scores and human scores from 0.22 to 0.47. © 2025, CC BY.

关键词： Semantics

来源：评论

学校读者我要写书评

暂无评论

Code Change Intention, Development Artifact and History Vulnerability: Putting Them Together for Vulnerability Fix Detection by LLM

arXiv

引用

arXiv 2025年

作者： Yang, Xu Zhu, Wenhan Pacheco, Michael Zhou, Jiayuan Wang, Shaowei Hu, Xing Liu, Kui University of Manitoba WinnipegMB Canada Huawei Canada Canada Zhejiang University Hangzhou China Huawei Software Engineering Application Technology Lab Hangzhou China

Detecting vulnerability fix commits in open-source software is crucial for maintaining software security. To help OSS identify vulnerability fix commits, several automated approaches are developed. However, existing approaches like VulFixMiner and CoLeFunDa, focus solely on code changes, neglecting essential context from development artifacts. Tools like Vulcurator, which integrates issue reports, fail to leverage semantic associations between different development artifacts (e.g., pull requests and history vulnerability fixes). Moreover, they miss vulnerability fixes in tangled commits and lack explanations, limiting practical use. Hence to address those limitations, we propose LLM4VFD, a novel framework that leverages Large Language Models (LLMs) enhanced with Chain-of-Thought reasoning and In-Context Learning to improve the accuracy of vulnerability fix detection. LLM4VFD comprises three components: (1) Code Change Intention, which analyzes commit summaries, purposes, and implications using Chain-of-Thought reasoning;(2) Development Artifact, which incorporates context from related issue reports and pull requests;(3) Historical Vulnerability, which retrieves similar past vulnerability fixes to enrich context. More importantly, on top of the prediction, LLM4VFD also provides a detailed analysis and explanation to help security experts understand the rationale behind the decision. We evaluated LLM4VFD against state-of-the-art techniques, including Pre-trained Language Model-based approaches and vanilla LLMs, using a newly collected dataset, BigVulFixes. Experimental results demonstrate that LLM4VFD significantly outperforms the best-performed existing approach by 68.1%–145.4%. Furthermore, We conducted a user study with security experts, showing that the analysis generated by LLM4VFD improves the efficiency of vulnerability fix identification. © 2025, CC BY.

关键词： Open source software

来源：评论

学校读者我要写书评

暂无评论

Ratchet: Retrieval Augmented Transformer for Program Repair

Ratchet: Retrieval Augmented Transformer for Program Repair

引用

International Symposium on software Reliability engineering (ISSRE)

作者： Jian Wang Shangqing Liu Xiaofei Xie Jingkai Siow Kui Liu Yi Li Singapore Management University Singapore Nanyang Technological University Singapore Software Engineering Application Technology Laboratory Huawei China

ISBN: (数字)9798350353884

ISBN: (纸本)9798350353891

Automated Program Repair (APR) presents the promising momentum of releasing developers from the burden of manual debugging tasks by automatically fixing bugs in various ways. Recent advances in deep learning inspire many works in employing deep learning techniques to fixing buggy programs. However, several challenges remain unaddressed: (1) state-of-the-art fault localization techniques often require additional artifacts, such as bug-triggering test cases or bug reports. These artifacts are not always available in the early development phases; (2) Sequence-to-Sequence model-based APR often requires additional contexts with high quality to generate patches. Yet, it is challenging to identify high-quality contexts that are not common in *** this paper, with the redundancy assumption in program repair, we propose a dual deep learning-based APR tool, RATCHET, for localizing (RATCHET-FL) and repairing (Ratchet-PG) buggy programs. Ratchet-FL localizes buggy statements based on the feature learned by a simple BiLSTM model from the code, without any bug-triggering test cases or bug reports. Ratchet-PG relies on our proposed retrieval augmented transformer to learn the historical patches and generate patches for fixing bugs. We evaluate the effectiveness of Ratchet with in-the-lab DrRepair dataset and in-the-wild dataset Ratchet-DS (curated in this work). Our experimental results show that Ratchet outperforms state-of-the-art deep learning approaches on fault localization with 39.8-96.4% accuracy and patch generation with 18.4-46.4% repair accuracy.

关键词：

来源：评论

学校读者我要写书评

暂无评论

Ppt4j: Patch Presence Test for Java Binaries 24

Ppt4j: Patch Presence Test for Java Binaries

引用

44th ACM/IEEE International Conference on software engineering, ICSE 2024

作者： Pan, Zhiyuan Hu, Xing Xia, Xin Zhan, Xian Lo, David Yang, Xiaohu Zhejiang University The State Key Laboratory of Blockchain and Data Security Hangzhou China Huawei Software Engineering Application Technology Lab Hangzhou China The Hong Kong Polytechnic University Hong Kong School of Computing and Information Systems Singapore Management University Singapore

ISBN: (纸本)9798400702174

The number of vulnerabilities reported in open source software has increased substantially in recent years. Security patches provide the necessary measures to protect software from attacks and vulnerabilities. In practice, it is difficult to identify whether patches have been integrated into software, especially if we only have binary files. Therefore, the ability to test whether a patch is applied to the target binary, a.k.a. patch presence test, is crucial for practitioners. However, it is challenging to obtain accurate semantic information from patches, which could lead to incorrect results. In this paper, we propose a new patch presence test framework named Ppt4j (Patch Presence Test forJava Binaries). Ppt4j is designed for open-source Java libraries. It takes Java binaries (i.e. bytecode files) as input, extracts semantic information from patches, and uses feature-based techniques to identify patch lines in the binaries. To evaluate the effectiveness of our proposed approach Ppt4j, we construct a dataset with binaries that include 110 vulnerabilities. The results show that Ppt4j achieves an F1 score of 98.5% with reasonable efficiency, improving the baseline by 14.2%. Furthermore, we conduct an in-the-wild evaluation of Ppt4j on JetBrains IntelliJ IDEA. The results suggest that a third-party library included in the software is not patched for two CVEs, and we have reported this potential security problem to the vendor. © 2024 ACM.

关键词： Open source software

来源：评论

学校读者我要写书评

暂无评论

A Survey on Modern Code Review: Progresses, Challenges and Opportunities

arXiv

引用

arXiv 2024年

作者： Yang, Zezhou Gao, Cuiyun Guo, Zhaoqiang Li, Zhenhao Liu, Kui Xia, Xin Zhou, Yuming Harbin Institute of Technology Shenzhen China Software Engineering Application Technology Lab Huawei Hangzhou China State Key Laboratory for Novel Software Technology Nanjing University Nanjing China

Over the past decade, modern code review (MCR) has been deemed as a crucial practice of software quality assurance, which is applied to improve software quality and transfer development knowledge within a software team. Despite its importance, MCR is often a complicated and time-consuming activity for practitioners. In recent years, many studies that are dedicated to the comprehension and the improvement of MCR have been explored so that the MCR activity can be carried out more conveniently and efficiently. To provide researchers and practitioners a clear understanding of the current research status on MCR, this paper conducts a systematic literature review of the past years. Given the collected 231 surveyed papers, this paper makes the following five contributions: First, we analyze the research trends of related MCR studies. Second, we provide a taxonomy for the current MCR, encompassing both Improvement Techniques and Understanding Studies. Third, we present the concrete research progress of each novel MCR methodology and prototype tool. Fourth, we exploit the main empirical insights from empirical study and user study that are helpful to improve MCR. Finally, we sum up unsolved challenges and outline several possible research opportunities in the future. Copyright © 2024, The Authors. All rights reserved.

关键词： Computer software selection and evaluation

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：