Dependency Bugs The Dark Side Of Variability, Reuse, and Modularity
1. Anders Fischer-Nielsen Larsen, Zhoulai Fu
IT University of Copenhagen
Ting Su
ETH Zurich
Andrzej Wąsowski
IT University of Copenhagen
@AndrzejWasowski
© Andrzej Wąsowski, IT University of Copenhagen
3. Phantom? Menace?
Unbelievably complex IT systems (low-level embedded sw, control, mechatronics, complex AI, unclear behavioral logics, concurrent, distributed, split between hardware-software-cloud, idiosyncratic)
Community priorities: Innovation & Demonstration vs long term use
Enjoyment: Testing, quality, documentation are boring. We use ROS for fun
Meritocracy: The barrier of entry should be low. Most ROS users hold no CS degree
455 repositories in the official distribution, each containing several packages. Uncountable on GitHub.
Alami. Dittrich. Wąsowski. Influencers of quality assurance in an open source community. CHASE 2018
4. Cloning is recognized as a harmful practice, credited for decreasing code quality and multiplying maintenance problems. A bug found in one clone can exist in other clones, thus, it needs to be fixed multiple times. Even just locating all cloned code may be nontrivial. Unintentional parallel development of the same functionality in different forks increases implementation and test costs. Finally, merging diverged code forks is very laborious.
Software Reuse is our response to the attack of the clones, including
Variability Management and Product Line Engineering
Modularity (Component Based Development)
Configurable components
Stefan Stanciulescu. Sandro Schulze. Andrzej Wąsowski. Forked and integrated variants in an open-source firmware project. ICSME 2015
5. ... an open-source, meta-operating system for your robot. It provides the services you would expect from an operating system, including hardware abstraction, low-level device control, implementation of commonly-used functionality, message-passing between processes, and package management. It also provides tools and libraries for obtaining, building, writing, and running code across multiple computers.
communication middleware with uniform API
100s integrated HW drivers & SW components
separates logics and algos from HW
infrastructure for test, simulation, logging
more tutorials than you can read; active friendly community
Linux, Python, C++, C, Java
6. package build script
    ...
    catkin_package( ...
      DEPENDS boost ...
    include_directories(SYSTEM
      ${Boost_INCLUDE_DIR}) ...
    target_link_libraries(ur10_moveit_plugin ...
      ${Boost_LIBRARIES} ...
    install(TARGETS
      ur5_moveit_plugin
      ur10_moveit_plugin ...
CMakeLists.txt
compile & link with boost
install ur5_moveit_plugin
install ur10_moveit_plugin
a package manifest used for installation
    ...
    <run_depend>boost</run_depend>
    ...
specification of exported libraries
    <library
      path="lib/libur10_moveit_plugin">
    ...
    <library
      path="lib/libur5_moveit_plugin">
    ...
plugin.xml
package.xml includes
export libur10_moveit_plugin
export libur10_moveit_plugin
runtime dependency boost library
Two different bugs!
Anders Fischer-Nielsen. Zhoulai Fu. Ting Su. Andrzej Wąsowski. The Forgotten Case of the Dependency Bugs. ICSE SEIP’20
7. Dependency Bugs
Extracted by qualitative analysis of bugs in the ROS
Prestudy on 9 + 20 cases, study 455 repos → 118 have issues labeled ’bug’
Sample 50/50 with/without the term ’bug’, both positive and negative candidates
A definition = a discriminating condition. You need both positive and negative cases!
Qualitatively analyze 100 cases, iteratively, with group discussions
Final check on all 95 remaining positive cases in ROS Melodic
Anders Fischer-Nielsen. Zhoulai Fu. Ting Su. Andrzej Wąsowski. The Forgotten Case of the Dependency Bugs. ICSE SEIP’20
9. Dependency bugs appear silly, easy to fix, especially to package authors
They are rarely experienced by the authors of the package
They are unbelievably complex for newcomers and new users
Researchers do not like them (Who likes the Sith?)
It's an "other people's plumbing" kind of problem
They are the price for having a flexible, composable, modular and configurable system
Perhaps an acceptable price... (?)
Anders Fischer-Nielsen. Zhoulai Fu. Ting Su. Andrzej Wąsowski. The Forgotten Case of the Dependency Bugs. ICSE SEIP’20
10. Named must be your fear before banish it you can
Heterogeneous: dependency specs come from different tech spaces (1+ package management systems, prog. language infrastructure, OS, DB, etc.)
Independent: different (also organizationally independent) individuals control them
Temporal: All these sources modify them at different speeds and time cycles
A dep. bug linter is difficult to build not because of complex inference algorithms, but because of difficulties in gathering and abstracting all necessary info continuously
An analyzer designed from a PL semantics perspective has no chance to find dep bugs. The PL lacks info about the build context.
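A sketch of the kind of cross-file check such a linter performs, added here as an illustration and not taken from the slides or the paper. The inputs are constructed samples shaped like the CMakeLists.txt, package.xml and plugin.xml excerpts on slide 6; the function names, finding labels and the seeded inconsistencies are assumptions and are not claimed to be the two bugs the slide refers to.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, loosely shaped like the slide's excerpts.
CMAKELISTS = """
catkin_package(DEPENDS boost eigen)
add_library(ur5_moveit_plugin src/plugin.cpp)
add_library(ur10_moveit_plugin src/plugin.cpp)
install(TARGETS ur10_moveit_plugin
        LIBRARY DESTINATION lib)
"""
PACKAGE_XML = "<package><run_depend>boost</run_depend></package>"
PLUGIN_XML = """<root>
  <library path="lib/libur10_moveit_plugin"/>
  <library path="lib/libur5_moveit_plugin"/>
</root>"""

# CMake keywords that terminate an argument list (subset, enough for the sample).
KEYWORDS = {"TARGETS", "LIBRARY", "ARCHIVE", "RUNTIME", "DESTINATION",
            "DEPENDS", "CATKIN_DEPENDS", "INCLUDE_DIRS", "LIBRARIES", "CFG_EXTRAS"}

def keyword_args(cmake, command, keyword):
    """Collect the values that follow `keyword` in every `command(...)` call."""
    values = set()
    for body in re.findall(r"\b%s\s*\(([^)]*)\)" % re.escape(command), cmake):
        args = body.split()
        if keyword in args:
            for arg in args[args.index(keyword) + 1:]:
                if arg in KEYWORDS:
                    break
                values.add(arg)
    return values

def lint(cmake, package_xml, plugin_xml):
    """Cross-check facts that live in three different files."""
    findings = []
    installed = keyword_args(cmake, "install", "TARGETS")
    for lib in ET.fromstring(plugin_xml).iter("library"):
        name = lib.get("path", "").rsplit("/", 1)[-1]
        name = name[3:] if name.startswith("lib") else name
        if name not in installed:
            findings.append(("exported-but-not-installed", name))
    # Assumption: CMake names and manifest keys match up to case; real
    # ecosystems need a mapping table between the two name spaces.
    declared = {e.text.strip().lower()
                for e in ET.fromstring(package_xml).iter("run_depend")}
    for dep in sorted(keyword_args(cmake, "catkin_package", "DEPENDS")):
        if dep.lower() not in declared:
            findings.append(("missing-run-depend", dep))
    return findings
```

Neither finding is visible from the C++ sources alone: each one only appears when the build script is compared against a manifest maintained separately.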
11. How pervasive are dependency bugs?
Estimated accuracy of a simplistic classifier for issues: 54% on positive cases, 88% on negative cases (tag "bug" + substring "depend")
53% of packages are affected by dependency bugs (based on the issue discussions)
30% of contributors are affected by dependency problems or spend time solving them
Conditioned on contributors to affected packages, the above rises to 60%
Dependency bugs attract a lot of discussion from multiple contributors, in fact the majority of the team.
12. How expensive are dependency bugs?
The average discussion of a dependency bug includes 4 ± 4.09 comments in ROS
Baseline: The average discussion of any bug includes 2.92 ± 3.42 comments in ROS
Dependency bugs attract more discussion than other issues
Dependency issues are often solved by senior members for junior members
Discussions of dependency issues are common outside GitHub (on ROS-answers and Stack Overflow)
13. Conclusion
Dependency bugs are a special kind of feature interaction bugs
Dependency bugs are a special kind of variability bugs
Relatively simple, simplistic
The ratio of annoyance to simplicity is unbelievably high
They diminish the value produced by this community
Eradicatable? Can we get rid of them?
Are you the next Jedi to fight them?