DOI: 10.1145/2950290.2950345
research-article

POLLUX: safely upgrading dependent application libraries

Published: 01 November 2016

Abstract

Software evolution in third-party libraries across version upgrades can result in the addition of new functionality or changes to existing APIs. As a result, there is a real danger of impairing backward compatibility. Application developers must therefore keep constant vigil over library enhancements to ensure application consistency, i.e., that the application retains its semantic behavior across library upgrades. In this paper, we present the design and implementation of POLLUX, a framework that detects application-affecting changes across two versions of the same dependent, non-adversarial library binary and provides feedback on whether the application developer should link to the newer version. POLLUX leverages relevant application test cases to drive execution through both versions of the library binary, records all concrete effects on the environment, and compares them to determine semantic similarity across the same API invocation for the two library versions. Our evaluation with 16 popular, open-source library binaries shows that POLLUX is accurate, with no false positives, and works across compiler optimizations.


Published In

FSE 2016: Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering
November 2016
1156 pages
ISBN:9781450342186
DOI:10.1145/2950290

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Dynamic binary analysis
  2. Library upgrade
  3. Software maintenance

Qualifiers

  • Research-article

Conference

FSE'16

Acceptance Rates

Overall Acceptance Rate 17 of 128 submissions, 13%


Article Metrics

  • Downloads (Last 12 months): 13
  • Downloads (Last 6 weeks): 1

Reflects downloads up to 05 Mar 2025

Cited By

  • (2024) Compiler-directed Migrating API Callsite of Client Code. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pp. 1-12. DOI: 10.1145/3597503.3639084. Online publication date: 20-May-2024
  • (2021) A Systematic Review of API Evolution Literature. ACM Computing Surveys 54:8, pp. 1-36. DOI: 10.1145/3470133. Online publication date: 4-Oct-2021
  • (2020) SoftMon. Proceedings of the 17th International Conference on Mining Software Repositories, pp. 397-408. DOI: 10.1145/3379597.3387444. Online publication date: 29-Jun-2020
  • (2018) ConflictJS. Proceedings of the 40th International Conference on Software Engineering, pp. 741-751. DOI: 10.1145/3180155.3180184. Online publication date: 27-May-2018
  • (2018) Evaluating Regression Test Selection Opportunities in a Very Large Open-Source Ecosystem. 2018 IEEE 29th International Symposium on Software Reliability Engineering (ISSRE), pp. 112-122. DOI: 10.1109/ISSRE.2018.00022. Online publication date: Oct-2018
