检索结果-内蒙古大学图书馆

arXiv 2025年

作者： Yang, Xu Zhu, Wenhan Pacheco, Michael Zhou, Jiayuan Wang, Shaowei Hu, Xing Liu, Kui University of Manitoba WinnipegMB Canada Huawei Canada Canada Zhejiang University Hangzhou China Huawei Software Engineering Application Technology Lab Hangzhou China

Detecting vulnerability fix commits in open-source software is crucial for maintaining software security. To help OSS identify vulnerability fix commits, several automated approaches are developed. However, existing approaches like VulFixMiner and CoLeFunDa, focus solely on code changes, neglecting essential context from development artifacts. Tools like Vulcurator, which integrates issue reports, fail to leverage semantic associations between different development artifacts (e.g., pull requests and history vulnerability fixes). Moreover, they miss vulnerability fixes in tangled commits and lack explanations, limiting practical use. Hence to address those limitations, we propose LLM4VFD, a novel framework that leverages Large Language Models (LLMs) enhanced with Chain-of-Thought reasoning and In-Context Learning to improve the accuracy of vulnerability fix detection. LLM4VFD comprises three components: (1) Code Change Intention, which analyzes commit summaries, purposes, and implications using Chain-of-Thought reasoning;(2) Development Artifact, which incorporates context from related issue reports and pull requests;(3) Historical Vulnerability, which retrieves similar past vulnerability fixes to enrich context. More importantly, on top of the prediction, LLM4VFD also provides a detailed analysis and explanation to help security experts understand the rationale behind the decision. We evaluated LLM4VFD against state-of-the-art techniques, including Pre-trained Language Model-based approaches and vanilla LLMs, using a newly collected dataset, BigVulFixes. Experimental results demonstrate that LLM4VFD significantly outperforms the best-performed existing approach by 68.1%–145.4%. Furthermore, We conducted a user study with security experts, showing that the analysis generated by LLM4VFD improves the efficiency of vulnerability fix identification. © 2025, CC BY.

关键词： Open source software

来源：评论

学校读者我要写书评

暂无评论

A Survey on Modern Code Review: Progresses, Challenges and Opportunities

arXiv

引用

arXiv 2024年

作者： Yang, Zezhou Gao, Cuiyun Guo, Zhaoqiang Li, Zhenhao Liu, Kui Xia, Xin Zhou, Yuming Harbin Institute of Technology Shenzhen China Software Engineering Application Technology Lab Huawei Hangzhou China State Key Laboratory for Novel Software Technology Nanjing University Nanjing China

Over the past decade, modern code review (MCR) has been deemed as a crucial practice of software quality assurance, which is applied to improve software quality and transfer development knowledge within a software team. Despite its importance, MCR is often a complicated and time-consuming activity for practitioners. In recent years, many studies that are dedicated to the comprehension and the improvement of MCR have been explored so that the MCR activity can be carried out more conveniently and efficiently. To provide researchers and practitioners a clear understanding of the current research status on MCR, this paper conducts a systematic literature review of the past years. Given the collected 231 surveyed papers, this paper makes the following five contributions: First, we analyze the research trends of related MCR studies. Second, we provide a taxonomy for the current MCR, encompassing both Improvement Techniques and Understanding Studies. Third, we present the concrete research progress of each novel MCR methodology and prototype tool. Fourth, we exploit the main empirical insights from empirical study and user study that are helpful to improve MCR. Finally, we sum up unsolved challenges and outline several possible research opportunities in the future. Copyright © 2024, The Authors. All rights reserved.

关键词： Computer software selection and evaluation

来源：评论

学校读者我要写书评

暂无评论

Identify and Update Test Cases when Production Code Changes: A Transformer-Based Approach 23

Identify and Update Test Cases when Production Code Changes:...

引用

Proceedings of the 38th IEEE/ACM International Conference on Automated software engineering

作者： Xing Hu Zhuang Liu Xin Xia Zhongxin Liu Tongtong Xu Xiaohu Yang School of Software Technology Zhejiang University Ningbo China College of Computer Science and Technology Zhejiang University Hangzhou China Software Engineering Application Technology Lab Huawei Hangzhou China

ISBN: (纸本)9798350329964

software testing is one of the most essential parts of the software lifecycle and requires a substantial amount of time and effort. During the software evolution, test cases should coevolve with the production code. However, the co-evolution of test cases often fails due to tight project schedules and other reasons. Obsolete test cases improve the cost of software maintenance and may fail to reveal faults and even lead to future bugs. Therefore, it is essential to detect and update these obsolete test cases in time. In this paper, we propose a novel approach Ceprot (Co-Evolution of Production-Test Code) to identify outdated test cases and update them automatically according to changes in the production code. Ceprot consists of two stages, i.e., obsolete test identification and updating. Specifically, given a production code change and a corresponding test case, Ceprot first identifies whether the test case should be updated. If the test is identified as obsolete, Ceprot will update it to a new version of test case. To evaluate the effectiveness of the two stages, we construct two datasets. Our dataset focuses on method-level production code changes and updates on their obsolete test cases. The experimental results show that Ceprot can effectively identify obsolete test cases with precision and recall of 98.3% and 90.0%, respectively. In addition, test cases generated by Ceprot are identical to the ground truth for 12.3% of samples that are identified as obsolete by Ceprot. We also conduct dynamic evaluation and human evaluation to measure the effectiveness of the updated test cases by Ceprot. 48.0% of updated test cases can be compiled and the average coverage of updated cases is 34.2% which achieves 89% coverage improvement over the obsolete tests. We believe that this study can motivate the co-evolution of production and test code.

关键词： test code maintenance

来源：评论

学校读者我要写书评

暂无评论

Dual Prompt-Based Few-Shot Learning for Automated Vulnerability Patch Localization

Dual Prompt-Based Few-Shot Learning for Automated Vulnerabil...

引用

IEEE International Conference on software Analysis, Evolution and Reengineering (SANER)

作者： Junwei Zhang Xing Hu Lingfeng Bao Xin Xia Shanping Li The State Key Laboratory of Blockchain and Data Security Zhejiang University Hangzhou China Software Engineering Application Technology Lab Huawei China

ISBN: (数字)9798350330663

ISBN: (纸本)9798350330670

Vulnerabilities are disclosed with corresponding patches so that users can remediate them in time. However, there are instances where patches are not released with the disclosed vulnerabilities, causing hidden dangers, especially if dependent software remains uninformed about the affected code repository. Hence, it is crucial to automatically locate security patches for disclosed vulnerabilities among a multitude of commits. Despite the promising performance of existing learning-based localization approaches, they still suffer from the following limitations: (1) They cannot perform well in data scarcity scenarios. Most neural models require extensive datasets to capture the semantic correlations between the vulnerability description and code commits, while the number of disclosed vulnerabilities with patches is limited. (2) They struggle to capture the deep semantic correlations between the vulnerability description and code commits due to inherent differences in semantics and characters between code changes and commit messages. It is difficult to use one model to capture the semantic correlations between vulnerability descriptions and code commits. To mitigate these two limitations, in this paper, we propose a novel security patch localization approach named Prom VPat, which utilizes the dual prompt tuning channel to capture the semantic correlation between vulnerability descriptions and commits, especially in data scarcity (i.e., few-shot) scenarios. We first input the commit message and code changes with the vulnerability description into the prompt generator to generate two new inputs with prompt templates. Then, we adopt a pre-trained language model (i.e., PLM) as the encoder, utilize the prompt tuning method to fine-tune the encoder, and generate two correlation probabilities as the semantic features. In addition, we extract 26 handcrafted features from the vulnerability descriptions and the code commits. Finally, we utilize the attention mechanism to fuse the

关键词： Location awareness Codes Correlation Semantics PROM Feature extraction software

来源：评论

学校读者我要写书评

暂无评论

Distinguishing LLM-generated from Human-written Code by Contrastive Learning

arXiv

引用

arXiv 2024年

作者： Xu, Xiaodan Ni, Chao Guo, Xinrong Liu, Shaoxuan Wang, Xiaoya Liu, Kui Yang, Xiaohu State Key Laboratory of Blockchain and Data Security Zhejiang University Hangzhou China Software Engineering Application Technology Lab Huawei Hangzhou China

Large language models (LLMs), such as ChatGPT released by OpenAI, have attracted significant attention from both industry and academia due to their demonstrated ability to generate high-quality content for various tasks. Despite the impressive capabilities of LLMs, there are growing concerns regarding their potential risks in various fields, such as news, education, and software engineering. Recently, several commercial and open-source LLM-generated content detectors have been proposed, which, however, are primarily designed for detecting natural language content without considering the specific characteristics of program code. This paper aims to fill this gap by proposing a novel ChatGPT-generated code detector, CodeGPTSensor, based on a contrastive learning framework and a semantic encoder built with UniXcoder. To assess the effectiveness of CodeGPTSensor on differentiating ChatGPT-generated code from human-written code, we first curate a large-scale Human and Machine comparison Corpus (HMCorp), which includes 550K pairs of human-written and ChatGPT-generated code (i.e., 288K Python code pairs and 222K Java code pairs). Based on the HMCorp dataset, our qualitative and quantitative analysis of the characteristics of ChatGPT-generated code reveals the challenge and opportunity of distinguishing ChatGPT-generated code from human-written code with their representative features. Our experimental results indicate that CodeGPTSensor can effectively identify ChatGPT-generated code, outperforming all selected baselines. Copyright © 2024, The Authors. All rights reserved.

关键词： Contrastive Learning

来源：评论

学校读者我要写书评

暂无评论

Investigating White-Box Attacks for On-Device Models

Investigating White-Box Attacks for On-Device Models

引用

International Conference on software engineering (ICSE)

作者： Mingyi Zhou Xiang Gao Jing Wu Kui Liu Hailong Sun Li Li Monash University Melbourne VIC Australia Beihang University Beijing China Huawei Software Engineering Application Technology Lab China Beihang University Beijing Yunnan Key Laboratory of Software Engineering China

ISBN: (数字)9798400702174

ISBN: (纸本)9798350382143

Numerous mobile apps have leveraged deep learning capabilities. However, on-device models are vulnerable to attacks as they can be easily extracted from their corresponding mobile apps. Although the structure and parameters information of these models can be accessed, existing on-device attacking approaches only generate black-box attacks (i.e., indirect white-box attacks), which are less effective and efficient than white-box strategies. This is because mobile deep learning (DL) frameworks like TensorFlow Lite (TFLite) do not support gradient computing (referred to as non-debuggable models), which is necessary for white-box attacking algorithms. Thus, we argue that existing findings may underestimate the harm-fulness of on-device attacks. To validate this, we systematically analyze the difficulties of transforming the on-device model to its debuggable version and propose a Reverse engineering framework for On-device Models (REOM), which automatically reverses the compiled on-device TFLite model to its debuggable version, enabling attackers to launch white-box attacks. Our empirical results show that our approach is effective in achieving automated transformation (i.e., 92.6%) among 244 TFLite models. Compared with previous attacks using surrogate models, REOM enables attackers to achieve higher attack success rates (10.23%→89.03%) with a hun-dred times smaller attack perturbations (1.0→0.01). Our findings emphasize the need for developers to carefully consider their model deployment strategies, and use white-box methods to evaluate the vulnerability of on-device models. Our artifacts 1 1 https://***/zhoumingyi/REOM are available.

关键词： Deep learning Analytical models Computational modeling Atmospheric modeling Reverse engineering Transforms Mobile applications

来源：评论

学校读者我要写书评

暂无评论

Investigating White-Box Attacks for On-Device Models

arXiv

引用

arXiv 2024年

作者： Zhou, Mingyi Liu, Kui Gao, Xiang Sun, Hailong Wu, Jing Li, Li Monash University MelbourneVIC Australia Huawei Software Engineering Application Technology Lab China Beihang University Beijing China Beihang University Beijing Yunnan Key Laboratory of Software Engineering China

Numerous mobile apps have leveraged deep learning capabilities. However, on-device models are vulnerable to attacks as they can be easily extracted from their corresponding mobile apps. Although the structure and parameters information of these models can be accessed, existing on-device attacking approaches only generate black-box attacks (i.e., indirect white-box attacks), which are less effective and efficient than white-box strategies. This is because mobile deep learning (DL) frameworks like TensorFlow Lite (TFLite) do not support gradient computing (referred to as non-debuggable models), which is necessary for white-box attacking algorithms. Thus, we argue that existing findings may underestimate the harmfulness of on-device attacks. To validate this, we systematically analyze the difficulties of transforming the on-device model to its debuggable version and propose a Reverse engineering framework for On-device Models (REOM), which automatically reverses the compiled on-device TFLite model to its debuggable version, enabling attackers to launch white-box attacks. Our empirical results show that our approach is effective in achieving automated transformation (i.e., 92.6%) among 244 TFLite models. Compared with previous attacks using surrogate models, REOM enables attackers to achieve higher attack success rates (10.23%→89.03%) with a hundred times smaller attack perturbations (1.0→0.01). Our findings emphasize the need for developers to carefully consider their model deployment strategies, and use white-box methods to evaluate the vulnerability of on-device models. Our artifacts 1 are available. Copyright © 2024, The Authors. All rights reserved.

关键词： Deep learning

来源：评论

学校读者我要写书评

暂无评论

Ratchet: Retrieval Augmented Transformer for Program Repair

Ratchet: Retrieval Augmented Transformer for Program Repair

引用

International Symposium on software Reliability engineering (ISSRE)

作者： Jian Wang Shangqing Liu Xiaofei Xie Jingkai Siow Kui Liu Yi Li Singapore Management University Singapore Nanyang Technological University Singapore Software Engineering Application Technology Laboratory Huawei China

ISBN: (数字)9798350353884

ISBN: (纸本)9798350353891

Automated Program Repair (APR) presents the promising momentum of releasing developers from the burden of manual debugging tasks by automatically fixing bugs in various ways. Recent advances in deep learning inspire many works in employing deep learning techniques to fixing buggy programs. However, several challenges remain unaddressed: (1) state-of-the-art fault localization techniques often require additional artifacts, such as bug-triggering test cases or bug reports. These artifacts are not always available in the early development phases; (2) Sequence-to-Sequence model-based APR often requires additional contexts with high quality to generate patches. Yet, it is challenging to identify high-quality contexts that are not common in *** this paper, with the redundancy assumption in program repair, we propose a dual deep learning-based APR tool, RATCHET, for localizing (RATCHET-FL) and repairing (Ratchet-PG) buggy programs. Ratchet-FL localizes buggy statements based on the feature learned by a simple BiLSTM model from the code, without any bug-triggering test cases or bug reports. Ratchet-PG relies on our proposed retrieval augmented transformer to learn the historical patches and generate patches for fixing bugs. We evaluate the effectiveness of Ratchet with in-the-lab DrRepair dataset and in-the-wild dataset Ratchet-DS (curated in this work). Our experimental results show that Ratchet outperforms state-of-the-art deep learning approaches on fault localization with 39.8-96.4% accuracy and patch generation with 18.4-46.4% repair accuracy.

关键词：

来源：评论

学校读者我要写书评

暂无评论

Faster or Slower? Performance Mystery of Python Idioms Unveiled with Empirical Evidence

arXiv

引用

arXiv 2023年

作者： Zhang, Zejun Xing, Zhenchang Xia, Xin Xu, Xiwei Zhu, Liming Lu, Qinghua Australian National University Australia Software Engineering Application Technology Lab Huawei China Data61 CSIRO Australia

The usage of Python idioms is popular among Python developers in a formative study of 101 Python idiom performance related questions on Stack Overflow, we find that developers often get confused about the performance impact of Python idioms and use anecdotal toy code or rely on personal project experience which is often contradictory in performance outcomes. There has been no large-scale, systematic empirical evidence to reconcile these performance debates. In the paper, we create a large synthetic dataset with 24,126 pairs of nonidiomatic and functionally-equivalent idiomatic code for the nine unique Python idioms identified in [1], and reuse a large real-project dataset of 54,879 such code pairs provided in [1]. We develop a reliable performance measurement method to compare the speedup or slowdown by idiomatic code against non-idiomatic counterpart, and analyze the performance discrepancies between the synthetic and real-project code, the relationships between code features and performance changes, and the root causes of performance changes at the bytecode level. We summarize our findings as some actionable suggestions for using Python idioms. Copyright © 2023, The Authors. All rights reserved.

关键词： Python

来源：评论

学校读者我要写书评

暂无评论

Green Federated Learning over Cloud-RAN with Limited Fronthaul and Quantized Neural Networks 3

Green Federated Learning over Cloud-RAN with Limited Frontha...

引用

3rd IEEE International Mediterranean Conference on Communications and Networking, MeditCom 2023

作者： Wang, Jiali Mao, Yijie Wang, Ting Shi, Yuanming Shanghai Key Lab. of Trustworthy Computing East China Normal University MoE Engineering Research Center of Software/Hardware Co-Design Technology and Application China China

ISBN: (纸本)9798350333732

In this paper, we investigate a green federated learning (FL) framework over cloud radio access network (Cloud-RAN) system that comprises a server, multiple devices and remote radio heads (RRHs). Each device utilizes quantized neural networks (QNNs) and sends quantized model parameters to the server to save energy consumption via RRHs. The server aggregates all the signals to update the global model parameters and broadcasts the updated parameters to the selected devices. In this context, we propose an energy consumption model for the QNN training and communication model over Cloud-RAN. We develop an energy minimization problem based on the proposed energy model. We jointly design fronthaul rate allocation, device transmit power, and precision level of QNNs while ensuring target accuracy, transmit power budget and limited fronthaul capacity. Guided by the convergence analysis, we adopt alternative optimization method to solve the energy minimization problem. The simulation outcomes demonstrate that the FL framework suggested can considerably diminish energy usage in comparison to other traditional methods. This has immense potential in realizing a sustainable and eco-friendly FL over Cloud-RAN. © 2023 IEEE.

关键词： Radio access networks

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：