On the Use of Static Analysis to Safeguard Recursive Dependency Resolution Kamil Jezek NTIS - New Technologies for Information Society University of West Bohemia Czech Republic, Plzen [email protected] Jens Dietrich Massey University Palmerston North, New Zealand [email protected]

Post on 17-Jul-2015


On the Use of Static Analysis to Safeguard Recursive Dependency Resolution

Kamil Jezek
NTIS - New Technologies for Information Society
University of West Bohemia
Czech Republic, Plzen
[email protected]

Jens Dietrich
Massey University
Palmerston North, New Zealand
[email protected]

Agenda

● Problem of automatic library resolution

● Examples from open-source

● Approach to discover problems

● Quantification on experiment

Problem: Automatic Library Resolution

[Diagram: source code and the libraries resolved for it automatically]

Automatically resolved libraries = error prone

Problem Classification

● Missing dependencies (1)

● Inconsistent dependencies (2)

● Redundant dependencies (3)

● Duplicated dependencies (4)

[Diagram: source code and its library graph, annotated with the four problem types (1) missing, (2) inconsistent, (3) redundant and (4) duplicated dependencies]

Comparison of Resolution Processes

Problem                     Manual      Automatic
Missing dependencies        yes         yes
Inconsistent dependencies   yes         yes
Redundant dependencies      rare        yes
Duplicated dependencies     very rare   frequent

Research Question

Do these problems occur in practice?

Target Platform

The following examples and the approach target Java and Maven

Example 1: Apache Roller

Apache Roller links to two httpcore versions

Impact on Apache Roller

Method releaseConnection(), invoked by Spring-web, is missing in httpcore 4.1

Example 2: Apache Commons-io

Commons-io is distributed in two packages

Impact on Apache Commons-IO

Maven Central Repository

org.apache.commons used by 542 projects

commons-io used by 293 projects

Approach: API Reconstruction

API (httpcore):

    class HttpPost {
        void releaseConnection(...) { … }   // added in v4.2
        void reset(...) { … }
    }

API usage (Spring-web):

    class HttpComponents...Executor {
        private RemoteInvocationResult doExecuteRequest(...) {
            ...
            postMethod.releaseConnection();
        }
    }

Approach: API Verification

[Diagram: the reconstructed API is compared with the reconstructed API usage (comparison operators >, ≥, <, ≤, =, ≠); the call to releaseConnection(), added in v4.2, is flagged as the unresolved case]

Experiment: Questions

How many programs contain static errors?

How many caused by duplicated libraries?

Dataset: Qualitas Corpus

111 Java open-source programs in 661 versions

– Hibernate, Spring, Apache Roller, ...

72 Maven project versions, divided into 1902 Maven modules

Methodology

[Diagram: pipeline with two analyses: the Maven Enforcer Plugin reports duplicities; byte-code analysis reports API incompatibilities; the two results are matched]

Number of Discovered Problems

367 modules (about 20%) contain duplicated dependencies

Problem                 Number of Modules
Missing classes         38
Redundant libraries     213
Incompatible classes    49
Duplicated classes      38

Problems Caused by Duplication

Two projects: sitegraph, showcase

Duplicated libraries:

commons-io:1.0 and commons-io:1.3.2

Detail of Problem

Problem in class: org.apache.commons.io.IOUtils

Methods not contained in v1.0 but actually invoked:

copy, lineIterator, readLines, write, writeLines
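The reconstruction-and-verification step from the Approach slides, applied to the commons-io duplication above, as an added example in Python that is not the authors' tool. Jars are modelled as the class/method sets a byte-code scanner would produce; the commons-io contents and the client's calls are constructed from the slides rather than read from the real jars, and first-jar-wins resolution is assumed as a model of a flat classpath.

```python
"""Toy model of the slides' API reconstruction + verification (added example, not
the authors' tool). Jars are dicts {class: {method}} such as a byte-code scanner
would produce; the contents are constructed from the slides' commons-io case."""
from dataclasses import dataclass, field

Jar = dict[str, set[str]]   # fully-qualified class -> declared method names
Call = tuple[str, str]      # (class, method) invocation found in client byte code
IOUTILS = "org.apache.commons.io.IOUtils"

# Constructed reconstructed APIs of the two duplicated commons-io versions.
COMMONS_IO_1_0: Jar = {IOUTILS: {"toString", "toByteArray", "closeQuietly"}}
COMMONS_IO_1_3_2: Jar = {IOUTILS: {"toString", "toByteArray", "closeQuietly", "copy",
                                   "lineIterator", "readLines", "write", "writeLines"}}
# Constructed API usage reconstructed from a client module's byte code.
CLIENT_CALLS: list[Call] = [(IOUTILS, "readLines"), (IOUTILS, "copy"),
                            (IOUTILS, "closeQuietly"), ("java.lang.String", "length")]

@dataclass
class Report:
    duplicated: dict[str, list[str]] = field(default_factory=dict)     # class -> providing jars
    missing: list[tuple[str, str, str]] = field(default_factory=list)  # (class, method, jars that have it)
    unresolved: list[str] = field(default_factory=list)                # classes found on no jar

def verify(classpath: list[tuple[str, Jar]], calls: list[Call],
           jdk: frozenset[str] = frozenset({"java.lang.String"})) -> Report:
    """Resolve each class as a flat classpath does (first jar wins, an assumption of
    this model), then check that every invoked method exists in the winning version."""
    rep, providers, by_name = Report(), {}, dict(classpath)
    for jar_name, jar in classpath:
        for cls in jar:
            providers.setdefault(cls, []).append(jar_name)
    rep.duplicated = {c: j for c, j in providers.items() if len(j) > 1}   # problem (4)
    for cls, method in calls:
        if cls in jdk:
            continue
        jars = providers.get(cls)
        if not jars:                                                      # problem (1)
            if cls not in rep.unresolved:
                rep.unresolved.append(cls)
            continue
        winner = jars[0]
        if method not in by_name[winner][cls]:                            # problem (2)
            elsewhere = [j for j in jars[1:] if method in by_name[j][cls]]
            rep.missing.append((cls, method, ", ".join(elsewhere) or "none"))
    return rep

if __name__ == "__main__":
    cp = [("commons-io-1.0.jar", COMMONS_IO_1_0), ("commons-io-1.3.2.jar", COMMONS_IO_1_3_2)]
    print(verify(cp, CLIENT_CALLS))
```

Swapping the two jars on the classpath makes the missing-method findings disappear, which is why a duplication that "works" on one machine breaks on another whose resolver orders the jars differently.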

Conclusion

• Detected problem with automatic dependency resolution

• Introduced static byte-code analysis

• Performed experiment on Qualitas Corpus

• Discovered many problems

• Two examples directly caused by library duplication

Thank you for your attention

Contact us

Kamil Jezek: [email protected]

Jens Dietrich: [email protected]