{"title":"From First Patch to Long-Term Contributor: Evaluating Onboarding Recommendations for OSS Newcomers","authors":"Asif Kamal Turzo;Sayma Sultana;Amiangshu Bosu","doi":"10.1109/TSE.2025.3550881","DOIUrl":"10.1109/TSE.2025.3550881","url":null,"abstract":"Attracting and retaining a steady stream of new contributors is crucial to ensuring the long-term survival of open-source software (OSS) projects. However, there are two key research gaps regarding recommendations for onboarding new contributors to OSS projects. First, most of the existing recommendations are based on a limited number of projects, which raises concerns about their generalizability. If a recommendation yields conflicting results in a different context, it could hinder a newcomer's onboarding process rather than help them. Second, it's unclear whether these recommendations also apply to experienced contributors. If certain recommendations are specific to newcomers, continuing to follow them after their initial contributions are accepted could hinder their chances of becoming long-term contributors. To address these gaps, we conducted a two-stage mixed-method study. In the first stage, we conducted a Systematic Literature Review (SLR) and identified 15 task-related actionable recommendations that newcomers to OSS projects can follow to improve their odds of successful onboarding. In the second stage, we conduct a large-scale empirical study of five Gerrit-based projects and 1,155 OSS projects from GitHub to assess whether those recommendations assist newcomers’ successful onboarding. Our results suggest that four recommendations positively correlate with newcomers’ first patch acceptance in most contexts. Four recommendations are context-dependent, and four indicate significant negative associations for most projects. Our results also found three newcomer-specific recommendations, which OSS joiners should abandon at non-newcomer status to increase their odds of becoming long-term contributors.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 4","pages":"1303-1318"},"PeriodicalIF":6.5,"publicationDate":"2025-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143618264","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Is Hyper-Parameter Optimization Different for Software Analytics?","authors":"Rahul Yedida;Tim Menzies","doi":"10.1109/TSE.2025.3550103","DOIUrl":"10.1109/TSE.2025.3550103","url":null,"abstract":"Yes. SE data can have “smoother” boundaries between classes (compared to traditional AI data sets). To be more precise, the magnitude of the second derivative of the loss function found in SE data is typically much smaller. A new hyper-parameter optimizer, called SMOOTHIE, can exploit this idiosyncrasy of SE data. We compare SMOOTHIE and a state-of-the-art AI hyper-parameter optimizer on three tasks: (a) GitHub issue lifetime prediction (b) detecting static code warnings false alarm; (c) defect prediction. For completeness, we also show experiments on some standard AI datasets. SMOOTHIE runs faster and predicts better on the SE data–but ties on non-SE data with the AI tool. Hence we conclude that SE data can be different to other kinds of data; and those differences mean that we should use different kinds of algorithms for our data. To support open science and other researchers working in this area, all our scripts and datasets are available on-line at https://github.com/yrahul3910/smoothness-hpo/.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 6","pages":"1629-1644"},"PeriodicalIF":6.5,"publicationDate":"2025-03-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143599362","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Demystifying Rust Unstable Features at Ecosystem Scale: Evolution, Propagation, and Mitigation","authors":"Chenghao Li;Yifei Wu;Wenbo Shen;Rui Chang;Chengwei Liu;Yang Liu","doi":"10.1109/TSE.2025.3550160","DOIUrl":"10.1109/TSE.2025.3550160","url":null,"abstract":"Rust programming language is gaining popularity rapidly in building reliable and secure systems due to its security guarantees and outstanding performance. To provide extra functionalities, the Rust compiler introduces Rust unstable features (RUFs) to extend compiler functionality, syntax, and standard library support. However, their inherent instability poses significant challenges, including potential removal that can lead to large-scale compilation failures across the entire ecosystem. While our original study provided the first ecosystem-wide analysis of RUF usage and impacts, this extended study builds upon our prior work to further explore RUF evolution, propagation, and mitigation. We introduce novel techniques for extracting and matching RUF APIs across compiler versions and find that proportion of RUF APIs has increased from 3% to 15%. Our analysis of 590K package versions and 140M transitive dependencies reveals that the Rust ecosystem uses 1,000 different RUFs, and 44% of package versions are affected by RUFs, causing compiling failures for 12% of package versions. Additionally, we also extend our analysis outside the ecosystem and find that popular Rust applications also rely heavily on RUFs. To mitigate the impacts of RUFs, we propose a mitigation technique integrated into the build process without requiring developer intervention. Our audit algorithm can systematically adjust dependencies and compiler versions to resolve RUF-induced compilation failures, successfully recovering 91% of compilation failures caused by RUFs. We believe our techniques, findings, and tools can help to stabilize the Rust compiler, ultimately enhancing the security and reliability of the ecosystem.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 4","pages":"1284-1302"},"PeriodicalIF":6.5,"publicationDate":"2025-03-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143599363","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Developers’ Views on Commercial Involvement in OSS: A Survey From Three Projects","authors":"Mian Qin;Yuxia Zhang;Minghui Zhou;Zhe Wang;Haoyang Li;Hui Liu","doi":"10.1109/TSE.2025.3568056","DOIUrl":"10.1109/TSE.2025.3568056","url":null,"abstract":"Given the well-established merits of open source software (OSS), many profit-oriented companies actively participate in OSS communities, making significant contributions. Existing studies have predominantly focused on several advanced and specific questions regarding this phenomenon, mainly from the companies’ perspective, such as companies’ domination and withdrawal. A more basic and comprehensive understanding is missing, i.e., how OSS developers perceive such corporate engagement. Individual developers, including both volunteers and developers assigned by companies, are directly impacted by and have personal experiences with the consequences of commercial participation in OSS projects. This paper aims to bridge this gap by amplifying the voices of individual developers and providing valuable insights that have the potential to enhance companies’ participation in OSS projects. We conducted a survey involving developers from three OSS projects, i.e., Rust, OpenStack, and the Linux kernel, focusing on their attitudes and expectations regarding corporate involvement. We received 84 meaningful responses and analyzed their open-ended responses through thematic analysis. The results suggest that regardless of whether developers were paid or voluntary contributors, a prevailing attitude emerged – 67.9% of developers expressed a positive view of companies’ participation in OSS. The key idea behind their positive attitudes is perceiving commercial participation as a win-win for both the OSS community and companies. The Rust community remains more neutral when compared with the other two communities. We also surveyed and analyzed developers’ expectations of companies’ better participation, which can shed light on how OSS ecosystems can sustainably evolve with the companies involved.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 6","pages":"1818-1837"},"PeriodicalIF":6.5,"publicationDate":"2025-03-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143926960","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Probabilistic Bisimulation for Parameterized Anonymity and Uniformity Verification","authors":"Chih-Duo Hong;Anthony W. Lin;Philipp Rümmer;Rupak Majumdar","doi":"10.1109/TSE.2025.3567423","DOIUrl":"10.1109/TSE.2025.3567423","url":null,"abstract":"Bisimulation is crucial for verifying process equivalence in probabilistic systems. This paper presents a novel logical framework for analyzing bisimulation in probabilistic parameterized systems, namely, infinite families of finite-state probabilistic systems. Our framework is built upon the first-order theory of regular structures, which provides a decidable logic for reasoning about these systems. We show that essential properties like anonymity and uniformity can be encoded and verified within this framework in a manner aligning with the principles of deductive software verification, where systems, properties, and proofs are expressed in a unified decidable logic. By integrating language inference techniques, we achieve full automation in synthesizing candidate bisimulation proofs for anonymity and uniformity. We demonstrate the efficacy of our approach by addressing several challenging examples, including cryptographic protocols and randomized algorithms that were previously beyond the reach of fully automated methods.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 6","pages":"1801-1817"},"PeriodicalIF":6.5,"publicationDate":"2025-03-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143926961","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"SmartUpdater: Enabling Transparent, Automated, and Secure Maintenance of Stateful Smart Contracts","authors":"Xiaoli Zhang;Yiqiao Song;Yuefeng Du;Chengjun Cai;Hongbing Cheng;Ke Xu;Qi Li","doi":"10.1109/TSE.2025.3548730","DOIUrl":"10.1109/TSE.2025.3548730","url":null,"abstract":"Smart contracts in the Ethereum system are stored tamper-resistant, complicating necessary maintenance for offering new functionalities or fixing security vulnerabilities. Previous contract maintenance approaches mainly focus on logic modification using delegatecall-based patterns. While popular, they fail to handle data state updates (like storage layout changes), leading to impracticality and security risks in real-world applications. To address these challenges, this paper introduces SmartUpdater, a novel toolchain designed for transparent, automated, and secure maintenance of stateful smart contracts. SmartUpdater employs a hyperproxy-based contract maintenance pattern, where the hyperproxy serves as a constant entry and ensures that any state/logic modifications remain transparent to end users. SmartUpdater automates the maintenance process in terms of development streamlining, gas cost efficiency, and state migration verifiability. In extensive evaluations, we show that SmartUpdater can reduce gas consumption in contract maintenance compared with actual maintenance approaches. The evaluations point out the potential of SmartUpdater to significantly simplify the maintenance process for developers.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 4","pages":"1266-1283"},"PeriodicalIF":6.5,"publicationDate":"2025-03-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143570486","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Relationship Between Model-Based Decision-Making and the Comprehension Performance of Source Code With Confusing Patterns","authors":"Yuichi Sugiyama;Shuji Morisaki;Asako Toyama;Kentaro Katahira","doi":"10.1109/TSE.2025.3566537","DOIUrl":"10.1109/TSE.2025.3566537","url":null,"abstract":"Background: Confusing source code requires deliberate comprehension. Recent psychology studies have characterized individual decision-making differences as model-free (fast and automatic) and model-based (slow and deliberative) decision-making. A framework has been proposed to estimate an individual differences in the degree of model-based control. Aims: This study investigates the correlation of the degree of model-based control and the comprehension performance of confusing source code and compares the correlation of comprehension performance between the degree of model-based control and developer skills reported in previous studies. Method: We conducted an observational study using source code with and without confusing code patterns. We measured the degree of model-based control for each participant. Results: Multiple regression analysis on the results of 91 software engineers showed that the degree of model-based control has a positive correlation with the percentage of correct answers for questions about source code with confusing code patterns with statistical significance. Conclusion: In source code reviews, refactoring, and enhancement development, the appropriate developer assignment criteria using developer attributes differ between source code with and without confusing code patterns.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 6","pages":"1783-1800"},"PeriodicalIF":6.5,"publicationDate":"2025-03-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10985862","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143909829","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"SecureFalcon: Are We There Yet in Automated Software Vulnerability Detection With LLMs?","authors":"Mohamed Amine Ferrag;Ammar Battah;Norbert Tihanyi;Ridhi Jain;Diana Maimuţ;Fatima Alwahedi;Thierry Lestable;Narinderjit Singh Thandi;Abdechakour Mechri;Merouane Debbah;Lucas C. Cordeiro","doi":"10.1109/TSE.2025.3548168","DOIUrl":"10.1109/TSE.2025.3548168","url":null,"abstract":"Software vulnerabilities can cause numerous problems, including crashes, data loss, and security breaches. These issues greatly compromise quality and can negatively impact the market adoption of software applications and systems. Traditional bug-fixing methods, such as static analysis, often produce false positives. While bounded model checking, a form of Formal Verification (FV), can provide more accurate outcomes compared to static analyzers, it demands substantial resources and significantly hinders developer productivity. Can Machine Learning (ML) achieve accuracy comparable to FV methods and be used in popular instant code completion frameworks in near real-time? In this paper, we introduce SecureFalcon, an innovative model architecture with only 121 million parameters derived from the Falcon-40B model and explicitly tailored for classifying software vulnerabilities. To achieve the best performance, we trained our model using two datasets, namely the FormAI dataset and the FalconVulnDB. The FalconVulnDB is a combination of recent public datasets, namely the SySeVR framework, Draper VDISC, Bigvul, Diversevul, SARD Juliet, and ReVeal datasets. These datasets contain the top 25 most dangerous software weaknesses, such as CWE-119, CWE-120, CWE-476, CWE-122, CWE-190, CWE-121, CWE-78, CWE-787, CWE-20, and CWE-762. SecureFalcon achieves 94% accuracy in binary classification and up to 92% in multiclassification, with instant CPU inference times. It outperforms existing models such as BERT, RoBERTa, CodeBERT, and traditional ML algorithms, promising to push the boundaries of software vulnerability detection and instant code completion frameworks.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 4","pages":"1248-1265"},"PeriodicalIF":6.5,"publicationDate":"2025-03-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143569515","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Comprehensive Study of OOP-Related Bugs in C++ Compilers","authors":"Bo Wang;Chong Chen;Junjie Chen;Bowen Xu;Chen Ye;Youfang Lin;Guoliang Dong;Jun Sun","doi":"10.1109/TSE.2025.3566490","DOIUrl":"10.1109/TSE.2025.3566490","url":null,"abstract":"Modern C++, a programming language characterized by its extensive use of object-oriented programming (OOP) features, is widely used for system programming. However, C++ compilers often struggle to correctly handle these sophisticated OOP features, resulting in numerous high-profile compiler bugs that can lead to crashes or miscompilation. Despite the significance of OOP-related bugs, existing studies largely overlook OOP features, hindering their ability to discover such bugs. To assist both compiler fuzzer designers and compiler developers, we conduct a comprehensive study of the compiler bugs caused by incorrectly handling C++ OOP-related features. First, we systematically extract 788 OOP-related C++ compiler bugs from GCC and LLVM. Second, derived from the core concepts of OOP and C++, we manually identified a two-level taxonomy of the OOP-related features leading to compiler bugs, which consists of 6 primary categories (e.g., Abstraction & Encapsulation, Inheritance, and Runtime Polymorphism), along with 17 secondary categories (e.g., Constructors & Destructors and Multiple Inheritance). Third, we systematically analyze the root causes, symptoms, fixes, options, and C++ standard versions of these bugs. Our analysis yields 13 key findings, highlighting that features related to the construction and destruction of objects lead to the highest number of bugs, crashes are the most frequent symptom, and while the average time from bug introduction to discovery is 1856 days, fixing the bug once discovered takes only 174 days on average. Additionally, more than half of the bugs can be triggered without any compiler options. These findings offer valuable insights not only for developing new compiler testing approaches but also for improving language design and compiler engineering. Inspired by these findings, we developed a proof-of-concept compiler fuzzer OOPFuzz, specifically targeting OOP-related bugs in C++ compilers. We applied it against the newest release versions of GCC and LLVM. In about 3 hours, it detected 9 bugs, of which 3 have been confirmed by the developers, including a bug of LLVM that had persisted for 13 years. The results indicate our taxonomy and analysis provide valuable insights for future research in compiler testing.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 6","pages":"1762-1782"},"PeriodicalIF":6.5,"publicationDate":"2025-03-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143909828","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Detecting Build Dependency Errors by Dynamic Analysis of Build Execution Against Declaration","authors":"Jun Lyu;Shanshan Li;Bohan Liu;He Zhang;Guoping Rong;Chenxing Zhong;Xiaodong Liu","doi":"10.1109/TSE.2025.3566225","DOIUrl":"10.1109/TSE.2025.3566225","url":null,"abstract":"Incompletely declared build dependencies in MAKE-based build scripts can result in incorrect or inefficient incremental builds and parallel builds for C/C++ projects. In this sense, developing MAKE-based build scripts (e.g., Makefile) is a nontrivial task, since practitioners need to manually enumerate the dependencies between the parts involved in one build, which may result in serious dependency errors such as missing dependencies or redundant dependencies. To tackle this challenge, the software engineering community has invested considerable effort in dependency error detection. However, due to issues such as incomplete or even missing static dependencies (i.e., dependencies by users declared in Makefile), existing solutions either miss certain critical dependency errors or consume significant time when parsing build dependencies, posing a major challenge to ensure both detection effectiveness and efficiency. We propose a novel approach called BuildChecker to detect the above two critical types of dependency errors in MAKE dependencies that leverages a dynamically generated build execution-declaration model to improve error detection performance and reduce detection time. We evaluate BuildChecker with state-of-the-art tools (Mkcheck, Buildfs, VeriBuild, and VirtualBuild) on 30 projects. The experimental results show that BuildChecker is able to detect a total of 13,579 dependency errors with only 29 false positives, fewer than all the state-of-the-art tools. In terms of detection efficiency, BuildChecker outperforms Buildfs by 1.38 times and Mkcheck by 66.24 times. All dependency errors had been submitted to the practitioners and maintainers of these projects. At the time of writing this article, we received responses from the maintainers of four projects, who confirmed our error reports and fixes. BuildChecker demonstrates a great potential to support practitioners effectively detect build dependency errors.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 6","pages":"1745-1761"},"PeriodicalIF":6.5,"publicationDate":"2025-03-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143901419","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}