Identifying some important success factors in adopting agile software development practices

Agile software development (ASD) is an emerging approach in software engineering, initially advocated by a group of 17 software professionals who practice a set of “lightweight” methods, and share a common set of values of software development. In this paper, we advance the state-of-the-art of the research in this area by conducting a survey-based ex-post-facto study for identifying factors from the perspective of the ASD practitioners that will influence the success of projects that adopt ASD practices. In this paper, we describe a hypothetical success factors framework we developed to address our research question, the hypotheses we conjectured, the research methodology, the data analysis techniques we used to validate the hypotheses, and the results we obtained from data analysis. The study was conducted using an unprecedentedly large-scale survey-based methodology, consisting of respondents who practice ASD and who had experience practicing plan-driven software development in the past. The study indicates that nine of the 14 hypothesized factors have statistically significant relationship with “Success”. The important success factors that were found are: customer satisfaction, customer collaboration, customer commitment, decision time, corporate culture, control, personal characteristics, societal culture, and training and learning.     

Data mining source code for locating software bugs: A case study in telecommunication industry

In a large software system knowing which files are most likely to be fault-prone is valuable information for project managers. They can use such information in prioritizing software testing and allocating resources accordingly. However, our experience shows that it is difficult to collect and analyze fine-grained test defects in a large and complex software system. On the other hand, previous research has shown that companies can safely use cross-company data with nearest neighbor sampling to predict their defects in case they are unable to collect local data. In this study we analyzed 25 projects of a large telecommunication system. To predict defect proneness of modules we trained models on publicly available Nasa MDP data. In our experiments we used static call graph based ranking (CGBR) as well as nearest neighbor sampling for constructing method level defect predictors. Our results suggest that, for the analyzed projects, at least 70% of the defects can be detected by inspecting only (i) 6% of the code using a Naïve Bayes model, (ii) 3% of the code using CGBR framework.     

一种软件缺陷模式自定制方法

软件缺陷是导致软件不可靠的根本原因,提高软件可靠性的关键在于减少软件缺陷。基于缺陷模式的代码分析技术根据预先设定好的缺陷模式对待测代码进行缺陷分析,这种缺陷分析具有使用简单、查找速度快等优点,是近年来静态代码分析技术中发展比较迅速的新技术。但是目前基于这种分析技术的大多数工具并没有为用户提供足够易用、高效的扩展方式以扩充其缺陷检测能力。本文出了一种支持用户定制语法相关缺陷模式的测试方法及系统,该方法能够让用户根据实际情况需要对缺陷模式进行定制,目的是检测程序代码中是否包含语法相关的缺陷。     

Defect propagation at the project-level: results and a post-hoc analysis on inspection efficiency

Inspections are increasingly utilized to enhance software quality. While the effectiveness of inspections in uncovering defects is widely accepted, there is a lack of research that takes a more holistic approach by considering defect counts from initial phases of the development process (requirements, design, and coding) and examining defect propagation where defect counts are aggregated to the project-level (i.e., application-level). Using inspection data collected from a large software development firm, this paper investigates the extent of defect propagation at the project-level during early lifecycle phases. I argue that defect propagation can be observed from the relationship between defects in the prior phase and the defects in the subsequent phase. Both Ordinary Least Squares and 3-Stage Least Squares analyses support the hypotheses on defect propagation. Moreover, results show that the inspection efficiency (defects per unit inspection time) decreases as the software product progresses from requirements to design to coding. A post-hoc analysis revealed further insights into inspection efficiency. In each phase, as the inspection time increased, efficiency reached an optimal point and then dropped off. In addition, a project’s inspection efficiency generally tends to remain stable from one phase to another. These insights offer managers means to assess inspections, their efficiency, and make adjustments to the time allotted to inspect project’s artifacts in both the current and the subsequent phase. Implications for managers and future research directions are discussed.     

软件缺陷模式的研究

软件缺陷是导致软件不可靠的根本原因,提高软件可靠性的关键在于减少软件缺陷,那么如何利用积累的缺陷数据提高软件可靠性?结合软件缺陷和模式的概念提出了软件缺陷模式的定义。通过分析积累的软件缺陷数据对缺陷模式的所属分类进行了划分,在此基础上进一步给出了软件需求分析、设计和编码各阶段的软件缺陷模式。最后阐述了在软件开发过程和测试过程中缺陷模式的应用,为如何利用缺陷数据来提高软件可靠性提供了思路。     

Ensuring the Integrity of Embedded Software with Static Code Analysis

With embedded software becoming increasingly pervasive and critical to our society, developers must ensure that their software code performs as intended and doesn't fail. Static code analysis is key in controlling code quality even before unit testing. It doesn't replace other verification and validation steps but helps remove certain defect types that otherwise wouldn't be found. This article provides an overview on static code analysis and insight on how to best use it.     

On the value of static analysis for fault detection in software

No single software fault-detection technique is capable of addressing all fault-detection concerns. Similarly to software reviews and testing, static analysis tools (or automated static analysis) can be used to remove defects prior to release of a software product. To determine to what extent automated static analysis can help in the economic production of a high-quality product, we have analyzed static analysis faults and test and customer-reported failures for three large-scale industrial software systems developed at Nortel Networks. The data indicate that automated static analysis is an affordable means of software fault detection. Using the orthogonal defect classification scheme, we found that automated static analysis is effective at identifying assignment and checking faults, allowing the later software production phases to focus on more complex, functional, and algorithmic faults. A majority of the defects found by automated static analysis appear to be produced by a few key types of programmer errors and some of these types have the potential to cause security vulnerabilities. Statistical analysis results indicate the number of automated static analysis faults can be effective for identifying problem modules. Our results indicate static analysis tools are complementary to other fault-detection techniques for the economic production of a high-quality software product.     

航天嵌入式软件代码逻辑分析

为提高航天嵌入式软件的测试质量、确保航天型号任务的圆满完成,对航天嵌入式软件代码审查重要内容之一的代码逻辑分析进行了研究.通过对软件缺陷的机理、缺陷查找过程、缺陷暴露过程、以及缺陷引发后果的分析,结合多年软件测试工程实践经验的总结,提出了场景分析法、时序分析法、假想故障追源法等10种主要的代码逻辑分析方法.开展了代码逻辑分析方法的应用分析、代码审查与其它测试手段之间的对比分析,通过分析,给出了代码审查的工程适用性说明.研究成果已在航天型号软件第三方评测中全面推广应用,实践数据表明,应用效果良好,使代码审查的缺陷发现率由业界公认的30％～70％提升至90％以上.相关分析方法和分析思路对动态测试设计以及软件缺陷自动化检测工具的研发均具有一定的参考作用.     

CODAS:一个易扩展的静态代码缺陷分析服务

利用静态代码缺陷分析技术对软件进行早期缺陷检测,是提高软件质量的重要途径。静态代码缺陷分析工具(如FINDBUGS,JLINT,ESC/JAVA,PMD,COVERITY等)已经被证实可以成功地识别出大量的软件潜在缺陷[1-3]。然而,这类工具在可用性和有效性方面的不足严重限制了它们的进一步广泛使用。可用性不足包括a)每个独立缺陷检测工具只擅于检测特定类型的缺陷,需要配合使用才能全面检测缺陷;b)每个缺陷检测工具的安装、配置和运行占用了用户大量的时间、精力。有效性不足包括静态缺陷分析结果往往存在大量误报,并且会包括许多不重要的(不会引起程序员修复行为的)缺陷报告。为了解决上述问题,提出并构建了一个易扩展的"静态代码缺陷分析"服务(Code Defect Analysis Service,CODAS)。CODAS基于一个高度可扩展的架构设计,对多个独立的缺陷检测工具进行了封装和集成,并对缺陷检测报告进行了有效汇总和排序,从而充分发挥了各个独立工具的优势,大大提升了静态缺陷分析工具的可用性和有效性。     

面向智能计算框架的即时缺陷预测

作为人工智能工程化的实现工具,智能计算框架已在近年来被广泛应用,其可靠性对于人工智能的有效实现至关重要.然而,智能计算框架的可靠性保障具有挑战性,一方面,智能计算框架代码迭代迅速、测试困难;另一方面,与传统软件不同,智能计算框架涉及大量张量计算,其代码规范缺乏软件工程理论指导.为了解决这一问题,现有的工作主要使用模糊测试手段实现缺陷定位,然而,这类方法只能实现特定类型缺陷的精准定位,却难以即时地在开发过程中引导开发者关注软件质量.因此,将国内外常见的智能计算框架(TensorFlow,百度飞桨等)作为研究对象,选取多种变更特征构建数据集,在代码提交级别对智能计算框架进行即时缺陷预测.另外,在此基础上使用LDA主题建模技术挖掘代码和代码提交信息作为新的特征,并使用随机森林进行预测.结果发现AUC-ROC平均值为0.77,且语义信息可以略微提升预测性能.最后,使用可解释机器学习方法 SHAP分析各特征属性对模型预测输出的影响,发现:(1)基本特征对于模型的影响符合传统软件开发规律;(2)代码和提交信息中的语义特征对模型的预测结果有重要影响;(3)不同系统中的不同特征对模型预测输出的贡献度排...     

Empirical Test Observations in Client-Server Systems

Formal statistical analysis of defect databases for two commercial client-server products for disparate applications - C-language parsing and geophysical modeling - tests the hypothesis that defects in the graphical client mask more important underlying defects in the computational server. It also quantifies the benefit of continued testing after delivery in terms of reduced software defect densities apparent to end users.     

基于组件技术的ERP系统的设计与实现

传统的ERP软件是以事务处理驱动的、被动的软件，重复开发现象严重，代码重用率低，开发效率不高，系统维护的工作量大。21世纪的企业ERP软件必须是策略导向的、主动的软件。文章以ERP系统中供应链管理为例研究了基于组件的企业ERP开发方法。     

What Types of Defects Are Really Discovered in Code Reviews?

Research on code reviews has often focused on defect counts instead of defect types, which offers an imperfect view of code review benefits. In this paper, we classified the defects of nine industrial (C/C++) and 23 student (Java) code reviews, detecting 388 and 371 defects, respectively. First, we discovered that 75 percent of defects found during the review do not affect the visible functionality of the software. Instead, these defects improved software evolvability by making it easier to understand and modify. Second, we created a defect classification consisting of functional and evolvability defects. The evolvability defect classification is based on the defect types found in this study, but, for the functional defects, we studied and compared existing functional defect classifications. The classification can be useful for assigning code review roles, creating checklists, assessing software evolvability, and building software engineering tools. We conclude that, in addition to functional defects, code reviews find many evolvability defects and, thus, offer additional benefits over execution-based quality assurance methods that cannot detect evolvability defects. We suggest that code reviews may be most valuable for software products with long life cycles as the value of discovering evolvability defects in them is greater than for short life cycle systems.     

软件项目的同行评审

软件评审是软件项目中重要的环节,与软件测试共同构建了软件开发的保障体系.列出了发现错误的时间与软件成本和开发风险的关系,分析了同行评审的种类和对象,指出了可行的评审过程,并总结了项目开发过程中评审容易出现的错误.通过同行评审,能够及早识别并消除缺陷,让软件交得更易维护,通过对这些错误的分类和统计,发现共同的缺陷类型和修...     

基于混合注意力机制的软件缺陷预测方法

软件缺陷预测技术用于定位软件中可能存在缺陷的代码模块,从而辅助开发人员进行测试与修复。传统的软件缺陷特征为基于软件规模、复杂度和语言特点等人工提取的静态度量元信息。然而,静态度量元特征无法直接捕捉程序上下文中的缺陷信息,从而影响了软件缺陷预测的性能。为了充分利用程序上下文中的语法语义信息,论文提出了一种基于混合注意力机制的软件缺陷预测方法 DP-MHA(Defect Prediction via Mixed Attention Mechanism)。DP-MHA首先从程序模块中提取基于AST树的语法语义序列并进行词嵌入编码和位置编码,然后基于多头注意力机制自学习上下文语法语义信息,最后利用全局注意力机制提取关键的语法语义特征,用于构建软件缺陷预测模型并识别存在潜在缺陷的代码模块。为了验证DP-MHA的有效性,论文选取了六个Apache的开源Java数据集,与经典的基于RF的静态度量元方法、基于RBM+RF、DBN+RF无监督学习方法和基于CNN和RNN深度学习方法进行对比,实验结果表明,DP-MHA在F1值分别提升了16.6%、34.3%、26.4%、7.1%、4.9%。     

Using static symbolic execution to detect buffer overflows

Buffer overrun remains one of the main sources of errors and vulnerabilities in the C/C++ source code. To detect such kind of defects, static analysis is widely used. In this paper, we propose a path-sensitive static analysis based on symbolic execution with state merging. For buffers with compile-time-known sizes, we present an interprocedural path- and context-sensitive overrun detection algorithm that finds program points satisfying a proposed error definition. The described approach was implemented in the Svace static analyzer without significant loss of performance. On Android 5.0.2, these detectors generated 351 warnings, 64% of which were true positives. In addition, we describe a prototype of an intraprocedural heap buffer overflow detector and present an example of a defect found by this detector.     

代码覆盖测试技术在MODE-S应答机中的应用

代码覆盖测试技术可用于结构覆盖测试和程序复杂度分析,代码覆盖测试技术可用于测试用例设计,提高软件测试效率,指导编写高质量的程序代码,代码覆盖是软件测试的底线.代码覆盖测试技术及方法的研究,为软件覆盖测试提供了理论依据.在Mode-S应答机项目中应用TRACE覆盖测试技术,确保了产品满足适航软件标准RTCA/DO-178B LEVEL B的要求.     

开源CC++静态软件缺陷检测工具实证研究

软件静态缺陷检测是软件安全领域中的一个研究热点.随着使用C/C++语言编写的软件规模和复杂度的逐渐提高, 软件迭代速度的逐渐加快, 由于静态软件缺陷检测不需要运行目标代码即可发现其中潜藏的缺陷, 因而在工业界和学术界受到了更广泛的关注.近年来涌现大量使用软件静态分析技术的检测工具, 并在不同领域的软件项目中发挥了不可忽视的作用, 但是开发者仍然对静态缺陷检测工具缺乏信心.高误报率是C/C++静态缺陷检测工具难以普及的首要原因.因此, 我们选择现有较为完善的开源C/C++静态缺陷检测工具, 在Juliet基准测试集和37个良好维护的开源软件项目上对特定类型缺陷的检测效果进行了深入研究, 结合检测工具的具体实现归纳了导致静态缺陷检测工具产生误报的关键原因.同时, 我们通过研究静态缺陷检测工具的版本迁移轨迹, 总结出了当下静态分析工具的发展方向和未来趋势, 有助未来静态分析技术的优化和发展, 从而实现静态缺陷检测工具的普及应用.     

面向缺陷分析的软件库挖掘方法综述

缺陷分析是软件工程领域内一个重要的课题,软件开发过程中的历史信息（缺陷记录、各个版本的源代码等）为缺陷分析这一课题提供了很有价值的经验数据。如何有效地利用这些数据进行缺陷分析,是软件库挖掘研究所面临的挑战。本文从统计方法和程序分析方法两个主要方面介绍了软件开发的历史信息是如何被用来进行缺陷分析的。     

基于软件度量的Solidity智能合约缺陷预测方法

随着区块链技术的兴起,智能合约安全问题被越来越多的研究者和企业重视,目前已有一些针对智能合约缺陷检测技术的研究.软件缺陷预测技术是软件缺陷检测技术的有效补充,能够优化测试资源分配,提高软件测试效率.然而,目前还没有针对智能合约的软件缺陷预测研究.针对这一问题,提出了面向Solidity智能合约的缺陷预测方法.首先,设计了一组针对Solidity智能合约特有的变量、函数、结构和Solidity语言特性的度量元集(smart contract-Solidity, SC-Sol度量元集),并将其与重点考虑面向对象特征的度量元集(code complexity and features of object-oriented program, COOP度量元集)组合为COOP-SC-Sol度量元集.然后,从Solidity智能合约代码中提取相关度量元信息,并结合缺陷检测结果,构建Solidity智能合约缺陷数据集.在此基础上,应用了7种回归模型和6种分类模型进行Solidity智能合约的缺陷预测,以验证不同度量元集和不同模型在缺陷数量和倾向性预测上的性能差异.实验结果表明,相对于COOP度量元集...