Visible to the public An Empirical Study on API-Misuse Bugs in Open-Source C Programs

TitleAn Empirical Study on API-Misuse Bugs in Open-Source C Programs
Publication TypeConference Paper
Year of Publication2019
AuthorsGu, Zuxing, Wu, Jiecheng, Liu, Jiaxiang, Zhou, Min, Gu, Ming
Conference Name2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)
KeywordsAPI misuse, API-misuse bugs, API-misuse detection, API-misuse detectors, APIMU4C, APIs, application program interfaces, application programming interface, application programming interfaces, benchmark, Benchmark testing, bug detection, C code, C language, compositionality, Computer bugs, Detectors, empirical study, fix patterns, Libraries, Open Source Software, open-source C programs, program debugging, program diagnostics, pubcrawl, public domain software, resilience, Resiliency, security of data, security vulnerabilities, static analysis, static analysis detectors, usage statistics
AbstractToday, large and complex software is developed with integrated components using application programming interfaces (APIs). Correct usage of APIs in practice presents a challenge due to implicit constraints, such as call conditions or call orders. API misuse, i.e., violation of these constraints, is a well-known source of bugs, some of which can cause serious security vulnerabilities. Although researchers have developed many API-misuse detectors over the last two decades, recent studies show that API misuses are still prevalent. In this paper, we provide a comprehensive empirical study on API-misuse bugs in open-source C programs. To understand the nature of API misuses in practice, we analyze 830 API-misuse bugs from six popular programs across different domains. For all the studied bugs, we summarize their root causes, fix patterns and usage statistics. Furthermore, to understand the capabilities and limitations of state-of-the-art static analysis detectors for API-misuse detection, we develop APIMU4C, a dataset of API-misuse bugs in C code based on our empirical study results, and evaluate three widely-used detectors on it qualitatively and quantitatively. We share all the findings and present possible directions towards more powerful API-misuse detectors.
Citation Keygu_empirical_2019