SCG News

Harvesting the Wisdom of the Crowd to Infer Method Nullness in Java

Manuel Leuenberger, Haidar Osman, Mohammad Ghafari, and Oscar Nierstrasz. Harvesting the Wisdom of the Crowd to Infer Method Nullness in Java. In Proceedings of the 17th International Working Conference on Source Code Analysis and Manipulation, SCAM 2017, 2017. Details.


Null pointer exceptions are common bugs in Java projects. Previous research has shown that dereferencing the results of method calls is the main source of these bugs, as developers do not anticipate that some methods return null. To make matters worse, we find that whether a method returns null or not (nullness) is rarely documented. We argue that method nullness is a vital piece of information that can help developers avoid this category of bugs. This is especially important for external APIs where developers may not even have access to the code. In this paper, we study the method nullness of Apache Lucene, the de facto standard library for text processing in Java. Particularly, we investigate how often the result of each Lucene method is checked against null in Lucene clients. We call this measure method nullability, which can serve as a proxy for method nullness. Analyzing Lucene internal and external usage, we find that most methods are never checked for null. External clients check more methods than Lucene checks internally. Manually inspecting our dataset reveals that some null checks are unnecessary. We present an IDE plugin that complements existing documentation and makes up for missing documentation regarding method nullness and generates nullness annotations, so that static analysis can pinpoint potentially missing or unnecessary null checks.
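The "method nullability" measure described in the abstract (how often a method's result is compared against null at its call sites) can be illustrated with a small call-site counter. The following is an added example, not the paper's tool or dataset: it runs a deliberately simple regex-based scan over a constructed Java snippet, keys call sites by method name only (the paper resolves them to actual Lucene methods), and approximates variable scope as "the rest of the snippet". The Lucene method names in the sample (`doc`, `get`, `getField`, `terms`) are real API names, but the client code itself is made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample of a Lucene client (not taken from any real project).
SAMPLE_CLIENT = """
Document doc = searcher.doc(hit.doc);
String title = doc.get("title");
if (title != null) {
    out.println(title.toLowerCase());
}
String body = doc.get("body");
out.println(body.trim());          // no null check: potential NPE
IndexableField idField = doc.getField("id");
if (idField == null) {
    return;
}
Terms terms = reader.terms("body");
if (null == terms) {
    return;
}
String author = doc.get("author");
out.println(author.length());      // no null check
"""

# Matches a local assignment whose right-hand side is a method call, e.g.
#   String title = doc.get("title");
# and captures the assigned variable and the called method's name.
ASSIGN_CALL = re.compile(
    r'^\s*(?:[\w<>\[\]]+\s+)?(?P<var>\w+)\s*=\s*'
    r'(?:[\w.]+\.)?(?P<method>\w+)\s*\([^;]*\)\s*;'
)


def _null_check_pattern(var):
    """Pattern for `var == null`, `var != null`, `null == var`, `null != var`."""
    v = re.escape(var)
    return re.compile(rf'\b{v}\s*[!=]=\s*null\b|\bnull\s*[!=]=\s*{v}\b')


def find_call_sites(java_source):
    """Return (method, var, line_no, checked) for every assignment-from-call.

    `checked` is True when the assigned variable is compared against null on
    any later line. Scope is approximated as the remainder of the snippet,
    which is an assumption of this example, not a real scope analysis.
    """
    lines = java_source.splitlines()
    sites = []
    for i, line in enumerate(lines):
        m = ASSIGN_CALL.match(line)
        if not m:
            continue
        var, method = m.group('var'), m.group('method')
        pattern = _null_check_pattern(var)
        checked = any(pattern.search(later) for later in lines[i + 1:])
        sites.append((method, var, i + 1, checked))
    return sites


def nullability(java_source):
    """Per method name: (checked sites, total sites, checked/total ratio)."""
    counts = defaultdict(lambda: [0, 0])  # method -> [checked, total]
    for method, _var, _line, checked in find_call_sites(java_source):
        counts[method][1] += 1
        if checked:
            counts[method][0] += 1
    return {m: (c, t, c / t) for m, (c, t) in counts.items()}


def never_checked(java_source):
    """Methods whose result is never null-checked in the snippet (sorted)."""
    return sorted(m for m, (c, _t, _r) in nullability(java_source).items() if c == 0)


if __name__ == "__main__":
    for method, (checked, total, ratio) in sorted(nullability(SAMPLE_CLIENT).items()):
        print(f"{method:10s} checked {checked}/{total}  nullability={ratio:.2f}")
    print("never checked:", never_checked(SAMPLE_CLIENT))
```

On the constructed snippet, `Document.get` is checked at one of three call sites, so its nullability is 0.33, while `searcher.doc` is never checked; a real analysis would work on bytecode or an AST rather than lines of text, and would key by the resolved Lucene method rather than the bare name.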

Posted by scg at 15 August 2017, 5:15 pm

KOWALSKI: Collecting API Clients in Easy Mode

Manuel Leuenberger, Haidar Osman, Mohammad Ghafari, and Oscar Nierstrasz. KOWALSKI: Collecting API Clients in Easy Mode. In Proceedings of the 33rd International Conference on Software Maintenance and Evolution, ICSME 2017, 2017. Details.


Understanding API usage is important for upstream and downstream developers. However, compiling a dataset of API clients is often a tedious task, especially since one needs many clients to draw a representative picture of the API usage. In this paper, we present KOWALSKI, a tool that takes the name of an API, then finds and downloads client binaries by exploiting the Maven dependency management system. As a case study, we collect clients of Apache Lucene, the de facto standard for full-text search, analyze the binaries, and create a typed call graph that allows developers to identify hotspots in the API. A video demonstrating how KOWALSKI is used for this experiment can be found at

Posted by scg at 15 August 2017, 5:15 pm

An Extensive Analysis of Efficient Bug Prediction Configurations

Haidar Osman, Mohammad Ghafari, Oscar Nierstrasz, and Mircea Lungu. An Extensive Analysis of Efficient Bug Prediction Configurations. In Proceedings of the The 13th International Conference on Predictive Models and Data Analytics in Software Engineering, PROMISE 2017, 2017. Details.


Background: Bug prediction helps developers steer maintenance activities towards the buggy parts of a software system. There are many design aspects to a bug predictor, each of which has several options, i.e. software metrics, machine learning model, and response variable. Aims: These design decisions should be judiciously made because an improper choice in any of them might lead to wrong, misleading, or even useless results. We argue that bug prediction configurations are intertwined and thus need to be evaluated in their entirety, in contrast to the common practice in the field where each aspect is investigated in isolation. Method: We use a cost-aware evaluation scheme to evaluate 60 different bug prediction configuration combinations on five open source Java projects. Results: We find that the best choices for building a cost-effective bug predictor are change metrics mixed with source code metrics as independent variables, Random Forest as the machine learning model, and the number of bugs as the response variable. Combining these configuration options results in the most efficient bug predictor across all subject systems. Conclusions: We demonstrate strong evidence for the interplay among bug prediction configurations and provide concrete guidelines for researchers and practitioners on how to build and evaluate efficient bug predictors.

Posted by scg at 14 August 2017, 3:15 pm

Call for PhD candidates in the Software Composition Group, U Bern

Applications are invited for PhD candidates at the Software Composition Group, University of Bern, Switzerland.

The Software Composition Group carries out research in software engineering and programming languages, with a view to enabling software evolution. The SCG is led by Prof. Oscar Nierstrasz and is part of the Institute of Computer Science at the University of Bern.

Applicants will contribute to the ongoing SNSF project, “Agile Software Analysis”, and towards the planned successor project:

The candidate must have an MSc in Computer Science (equivalent to a Swiss MSc), should demonstrate strong programming skills, and have research interests in several of the following areas:

  • software evolution
  • program understanding
  • dynamic analysis
  • static analysis
  • software modeling
  • model-driven engineering
  • secure software engineering
  • programming language design
  • domain specific languages
  • virtual machine technology

Salaries follow the scale defined by the Swiss National Science Foundation for doctoral students. Female candidates are especially welcome to apply. To apply, please send an email including your research statement and your CV, with at least two references, to Prof. Oscar Nierstrasz (, by October 1, 2017.

Posted by scg at 14 August 2017, 1:41 pm

Security Smells in Android

Mohammad Ghafari, Pascal Gadient, and Oscar Nierstrasz. Security Smells in Android. In 17th IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM), 2017. To appear. Details.


The ubiquity of smartphones, and their very broad capabilities and usage, make the security of these devices tremendously important. Unfortunately, despite all progress in security and privacy mechanisms, vulnerabilities continue to proliferate. Research has shown that many vulnerabilities are due to insecure programming practices. However, each study has often dealt with a specific issue, making the results less actionable for practitioners. To promote secure programming practices, we have reviewed related research, and identified avoidable vulnerabilities in Android-run devices and the security code smells that indicate their presence. In particular, we explain the vulnerabilities, their corresponding smells, and we discuss how they could be eliminated or mitigated during development. Moreover, we develop a lightweight static analysis tool and discuss the extent to which it successfully detects several vulnerabilities in about 46000 apps hosted by the official Android market.

Posted by scg at 7 August 2017, 4:15 am
Last changed by scg on 14 August 2017