Anders Fischer-Nielsen Larsen, Zhoulai Fu
IT University of Copenhagen
Ting Su
ETH Zurich
Andrzej Wąsowski
IT University of Copenhagen
@AndrzejWasowski

Dependency Bugs
The Dark Side of Variability, Reuse, and Modularity

© Andrzej Wąsowski, IT University of Copenhagen

Phantom? Menace?
Unbelievably complex IT systems (low-level embedded sw, control, mechatronics, complex AI, unclear behavioral logics, concurrent, distributed, split between hardware-software-cloud, idiosyncratic)
Community priorities: Innovation & Demonstration vs long term use
Enjoyment: Testing, quality, documentation are boring. We use ROS for fun
Meritocracy: The barrier of entry should be low. Most ROS users hold no CS degree
455 repositories in the official distribution, each containing several packages. Uncountable on GitHub.
Alami. Dittrich. Wąsowski. Influencers of quality assurance in an open source community. CHASE 2018

Cloning is recognized as a harmful practice, credited for decreasing code quality and multiplying maintenance problems. A bug found in one clone can exist in other clones, thus, it needs to be fixed multiple times. Even just locating all cloned code may be nontrivial. Unintentional parallel development of the same functionality in different forks increases implementation and test costs. Finally, merging diverged code forks is very laborious.
Software Reuse is our response to the attack of the clones, including
  Variability Management and Product Line Engineering
  Modularity (Component Based Development)
  Configurable components
Stefan Stanciulescu. Sandro Schulze. Andrzej Wąsowski. Forked and integrated variants in an open-source firmware project. ICSME 2015

... an open-source, meta-operating system for your robot. It provides the services you would expect from an operating system, including hardware abstraction, low-level device control, implementation of commonly-used functionality, message-passing between processes, and package management. It also provides tools and libraries for obtaining, building, writing, and running code across multiple computers.
communication middleware with uniform API
100s integrated HW drivers & SW components
separates logics and algos from HW
infrastructure for test, simulation, logging
more tutorials than you can read; active friendly community
Linux, Python, C++, C, Java

package build script (CMakeLists.txt)
    ...
    catkin_package( ...
      DEPENDS boost ...
    include_directories(SYSTEM
      ${Boost_INCLUDE_DIR}) ...
    target_link_libraries(ur10_moveit_plugin ...
      ${Boost_LIBRARIES} ...
    install(TARGETS
      ur5_moveit_plugin
      ur10_moveit_plugin ...
  Diagram annotations:
    compile & link with boost
    install ur5_moveit_plugin
    install ur10_moveit_plugin

a package manifest used for installation (package.xml)
    ...
    <run_depend>boost</run_depend>
    ...
  Diagram annotations:
    runtime dependency: boost library

specification of exported libraries (plugin.xml; package.xml includes it)
    ...
    <library
      path="lib/libur10_moveit_plugin">
    ...
    <library
      path="lib/libur5_moveit_plugin">
    ...
  Diagram annotations:
    export libur10_moveit_plugin
    export libur10_moveit_plugin

Two different bugs!
Anders Fischer-Nielsen. Zhoulai Fu. Ting Su. Andrzej Wąsowski. The Forgotten Case of the Dependency Bugs. ICSE SEIP’20

Dependency Bugs
Extracted by qualitative analysis of bugs in ROS
Prestudy on 9 + 20 cases, study 455 repos → 118 have issues labeled ’bug’
Sample 50/50 with/without the term ’bug’, both positive and negative candidates
A definition = a discriminating condition. You need both positive and negative cases!
Qualitatively analyze 100 cases, iteratively, with group discussions
Final check on all 95 remaining positive cases in ROS Melodic
Anders Fischer-Nielsen. Zhoulai Fu. Ting Su. Andrzej Wąsowski. The Forgotten Case of the Dependency Bugs. ICSE SEIP’20

Dependency bugs appear silly, easy to fix, especially to package authors
They are rarely experienced by the authors of the package
They are unbelievably complex for newcomers and new users
Researchers do not like them (Who likes the Sith?)
It's an "other people’s plumbing" kinda problem
They are the price for having a flexible, composable, modular and configurable system
Perhaps an acceptable price... (?)
Anders Fischer-Nielsen. Zhoulai Fu. Ting Su. Andrzej Wąsowski. The Forgotten Case of the Dependency Bugs. ICSE SEIP’20

Named must be your fear before banish it you can
Heterogeneous: dependency specs come from different tech spaces (1+ package management systems, prog. language infrastructure, OS, DB, etc.)
Independent (also organizationally independent) individuals control them
Temporal: All these sources modify them at different speeds, time cycles
A dep. bug linter is difficult to build not because of complex inference algorithms, but because of the difficulty of gathering and abstracting all necessary info continuously
An analyzer designed from a PL semantics perspective has no chance to find dep bugs. The PL lacks info about the build context.
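
Added example, not from the slides or the paper: a minimal cross-artifact check over the three kinds of file shown on the build-script slide (CMakeLists.txt, package.xml, plugin.xml). The package contents, the two rules, and the name matching by lower-cased string are assumptions made for illustration; the inference is two set differences, while the work is in extracting comparable names from three different formats.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample package (hypothetical names, not taken from the slides):
# plugin.xml exports two libraries but only one is installed, and the build
# script depends on a library that the manifest never declares.
CMAKELISTS = """
catkin_package(
  DEPENDS boost eigen   # system libraries needed by this package
)
add_library(arm_a_plugin src/arm_a.cpp)
add_library(arm_b_plugin src/arm_b.cpp)
target_link_libraries(arm_a_plugin ${Boost_LIBRARIES})
install(TARGETS
  arm_a_plugin
  LIBRARY DESTINATION ${CATKIN_PACKAGE_LIB_DESTINATION})
"""
PACKAGE_XML = """<package>
  <name>demo_kinematics</name>
  <run_depend>boost</run_depend>
</package>"""
PLUGIN_XML = """<class_libraries>
  <library path="lib/libarm_a_plugin"><class name="demo/A"/></library>
  <library path="lib/libarm_b_plugin"><class name="demo/B"/></library>
</class_libraries>"""

INSTALL_KEYWORDS = {"ARCHIVE", "LIBRARY", "RUNTIME", "DESTINATION", "EXPORT",
                    "OPTIONAL", "COMPONENT", "PERMISSIONS", "INCLUDES"}
CATKIN_KEYWORDS = {"INCLUDE_DIRS", "LIBRARIES", "CATKIN_DEPENDS", "DEPENDS",
                   "CFG_EXTRAS", "EXPORTED_TARGETS"}


def cmake_calls(text, command):
    """Argument lists of every `command(...)` call (no nested parentheses)."""
    text = re.sub(r"#.*", "", text)  # drop CMake line comments
    pattern = r"\b%s\s*\(([^)]*)\)" % re.escape(command)
    return [body.split() for body in re.findall(pattern, text, re.I)]


def installed_targets(cmake):
    """Targets named in install(TARGETS ...), up to the first keyword."""
    targets = set()
    for args in cmake_calls(cmake, "install"):
        if not args or args[0].upper() != "TARGETS":
            continue
        for arg in args[1:]:
            if arg.upper() in INSTALL_KEYWORDS:
                break
            targets.add(arg)
    return targets


def catkin_depends(cmake):
    """Names listed after DEPENDS inside catkin_package(...), lower-cased."""
    deps = set()
    for args in cmake_calls(cmake, "catkin_package"):
        collecting = False
        for arg in args:
            if arg in CATKIN_KEYWORDS:
                collecting = (arg == "DEPENDS")
            elif collecting:
                deps.add(arg.lower())
    return deps


def manifest_run_deps(package_xml):
    """Runtime dependencies declared in package.xml (format 1 and 2 tags)."""
    root = ET.fromstring(package_xml)
    tags = ("run_depend", "exec_depend", "depend")
    return {el.text.strip().lower()
            for tag in tags for el in root.iter(tag) if el.text}


def exported_libraries(plugin_xml):
    """Library names from <library path="lib/libNAME"> entries."""
    libs = set()
    for el in ET.fromstring(plugin_xml).iter("library"):
        name = el.get("path", "").rsplit("/", 1)[-1]
        libs.add(name[3:] if name.startswith("lib") else name)
    return libs


def lint(cmake, package_xml, plugin_xml):
    """Return (rule, name) findings for the two assumed consistency rules."""
    findings = []
    for lib in sorted(exported_libraries(plugin_xml) - installed_targets(cmake)):
        findings.append(("exported-not-installed", lib))
    for dep in sorted(catkin_depends(cmake) - manifest_run_deps(package_xml)):
        findings.append(("build-dep-not-in-manifest", dep))
    return findings


if __name__ == "__main__":
    for rule, name in lint(CMAKELISTS, PACKAGE_XML, PLUGIN_XML):
        print(f"{rule}: {name}")
```

Matching names by lower-cased string is the weakest part of this sketch: build-system names and package-manager keys come from different tech spaces and need not coincide, which is the information-gathering difficulty the slide points to.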

How pervasive are dependency bugs?
Estimated accuracy of a simplistic classifier for issues: 54% on positive cases, 88% on negative cases (tag "bug" + substring "depend")
53% of packages are affected by dependency bugs (based on the issue discussions)
30% of contributors are affected by dependency problems or spend time solving them
Conditioned on contributors to affected packages, the above rises to 60%
Dependency bugs attract a lot of discussion from multiple contributors, in fact the majority of the team.

How expensive are dependency bugs?
The average discussion of a dependency bug includes 4 ± 4.09 comments in ROS
Baseline: The average discussion of any bug includes 2.92 ± 3.42 comments in ROS
Dependency bugs attract more discussion than other issues
Dependency issues are often solved by senior members for junior members
Discussions of dependency issues are common outside GitHub (on ROS-answers and Stack Overflow)
Conclusion
Dependency bugs are a special kind of feature interaction bugs
Dependency bugs are a special kind of variability bugs
Relatively simple, simplistic
The ratio of annoyance to simplicity is unbelievably high
They diminish the value produced by this community
Eradicable? Can we get rid of them?
Are you the next Jedi to fight them?
