-
Notifications
You must be signed in to change notification settings - Fork 65
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #271 from gdrosos/master
Add FSE'24 seminar
- Loading branch information
Showing
1 changed file
with
42 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
title: Bloat beneath Python's Scales: A Fine-Grained Inter-Project Dependency Analysis | ||
presenter: Georgios Drosos, ETH Zurich | ||
date: 2024-07-03 | ||
time: 18:00 | ||
category: seminars | ||
|
||
Modern programming languages promote software reuse via package managers that facilitate the integration | ||
of inter-dependent software libraries. Software reuse comes with the challenge of dependency bloat, which | ||
refers to unneeded and excessive code incorporated into a project through reused libraries. Such bloat exhibits | ||
security risks and maintenance costs, increases storage requirements, and slows down load times. | ||
|
||
In this work, | ||
we conduct a large-scale, fine-grained analysis to understand bloated dependency code in the PyPI ecosystem. | ||
Our analysis is the first to focus on different granularity levels, including bloated dependencies, bloated files, | ||
and bloated methods. This allows us to identify the specific parts of a library that contribute to the bloat. To do | ||
so, we analyze the source code of 1,302 popular Python projects and their 3,232 transitive dependencies. For | ||
each project, we employ a state-of-the-art static analyzer and incrementally construct the fine-grained project | ||
dependency graph (FPDG), a representation that captures all inter-project dependencies at method-level. | ||
Our reachability analysis on the FPDG enables the assessment of bloated dependency code in terms of several | ||
aspects, including its prevalence in the PyPI ecosystem, its relation to software vulnerabilities, its root causes, | ||
and developer perception. | ||
|
||
Our key finding suggests that PyPI exhibits significant resource underutilization: | ||
more than 50% of dependencies are bloated. This rate gets worse when considering bloated dependency code | ||
at a more subtle level, such as bloated files and bloated methods. Our fine-grained analysis also indicates | ||
that there are numerous vulnerabilities that reside in bloated areas of utilized packages (15% of the defects | ||
existing in PyPI). Other major observations suggest that bloated code primarily stems from omissions during | ||
code refactoring processes and that developers are willing to debloat their code: Out of the 36 submitted pull | ||
requests, developers accepted and merged 30, removing a total of 35 bloated dependencies. We believe that | ||
our findings can help researchers and practitioners come up with new debloating techniques and development | ||
practices to detect and avoid bloated code, ensuring that dependency resources are utilized efficiently. | ||
|
||
#### Biography | ||
|
||
Georgios Drosos is currently a Direct Doctorate student studying Computer Science at ETH Zurich. | ||
His academic journey began at the Athens University of Economics and Business (AUEB), | ||
where he earned his Bachelor’s Degree in 2022 from the Department of Management Science and Technology, | ||
majoring in Software Engineering and Data Science. | ||
Since 2021, Georgios has been a member of the Business Analytics Laboratory. | ||
During his involvement with the lab, | ||
he worked as Research Software Engineer on the FASTEN and SecOPERA Research Projects. | ||
His research interests involve Software Testing, Software Ecosystems and Program Analysis. |