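% Publication list, one entry per work. Changes made while tidying this export:
%   * Page ranges use the ASCII double hyphen (--) instead of a Unicode en dash,
%     which classic BibTeX cannot process reliably.
%   * The key xiao_xie_tillmann_halleux_2011 was used by two different papers.
%     BibTeX reports a repeated entry and ignores the second one. The first
%     paper (pp. 1004--1006) keeps the key, so existing citations resolve as
%     before; the second (pp. 611--620) now has the suffix "b".
%   * The ICSE 2018 paper was typed as a journal article with the proceedings
%     name in the journal field; it is now an inproceedings entry with a
%     booktitle. Its page range 498-498 is written as the single page 498.
%   * The volume number was repeated inside the Advances in Computers journal
%     name; it now lives only in the volume field.
%   * Acronyms and proper nouns are brace-protected so styles that re-case
%     titles keep them, and venue names have their capitalisation restored.
%   * abstractNote is not a standard field; styles ignore it. The abstract
%     text is kept as exported.
% NOTE(review): most author given names are exported as initials only, and
% surname particles or diacritics may have been lost in export. Confirm them
% against the publisher records before relying on the rendered names.

@inproceedings{morrison_pandita_xiao_chillarege_williams_2018,
  author       = {Morrison, Patrick J. and Pandita, Rahul and Xiao, Xusheng and Chillarege, Ram and Williams, Laurie},
  title        = {Are Vulnerabilities Discovered and Resolved like Other Defects?},
  booktitle    = {Proceedings 2018 {IEEE/ACM} 40th International Conference on Software Engineering ({ICSE})},
  year         = {2018},
  pages        = {498},
  doi          = {10.1145/3180155.3182553},
  abstractNote = {Context: Software defect data has long been used to drive software development process improvement. If security defects (i.e.,vulnerabilities) are discovered and resolved by different software development practices than non-security defects, the knowledge of that distinction could be applied to drive process improvement.},
}

@inproceedings{xiao_li_xie_tillmann_2013,
  author    = {Xiao, X. S. and Li, S. H. and Xie, T. and Tillmann, N.},
  title     = {Characteristic studies of loop problems for structural test generation via symbolic execution},
  booktitle = {2013 28th {IEEE/ACM} International Conference on Automated Software Engineering ({ASE})},
  year      = {2013},
  pages     = {246--256},
}

@article{xiao_thummalapenta_xie_2012,
  author  = {Xiao, X. S. and Thummalapenta, S. and Xie, T.},
  title   = {Advances on improving automation in developer testing},
  journal = {Advances in Computers},
  volume  = {85},
  year    = {2012},
  pages   = {165--212},
}

@inproceedings{pandita_xiao_zhong_xie_oney_paradkar_2012,
  author       = {Pandita, R. and Xiao, X. S. and Zhong, H. and Xie, T. and Oney, S. and Paradkar, A.},
  title        = {Inferring method specifications from natural language {API} descriptions},
  booktitle    = {2012 34th International Conference on Software Engineering ({ICSE})},
  year         = {2012},
  pages        = {815--825},
  doi          = {10.1109/icse.2012.6227137},
  abstractNote = {Application Programming Interface (API) documents are a typical way of describing legal usage of reusable software libraries, thus facilitating software reuse. However, even with such documents, developers often overlook some documents and build software systems that are inconsistent with the legal usage of those libraries.
Existing software verification tools require formal specifications (such as code contracts), and therefore cannot directly verify the legal usage described in natural language text in API documents against code using that library. However, in practice, most libraries do not come with formal specifications, thus hindering tool-based verification. To address this issue, we propose a novel approach to infer formal specifications from natural language text of API documents. Our evaluation results show that our approach achieves an average of 92% precision and 93% recall in identifying sentences that describe code contracts from more than 2500 sentences of API documents. Furthermore, our results show that our approach has an average 83% accuracy in inferring specifications from over 1600 sentences describing code contracts.},
}

@inproceedings{xiao_tillmann_fahndrich_halleux_moskal_2012,
  author    = {Xiao, X. S. and Tillmann, N. and Fahndrich, M. and Halleux, J. and Moskal, M.},
  title     = {User-aware privacy control via extended static-information-flow analysis},
  booktitle = {2012 Proceedings of the 27th {IEEE/ACM} International Conference on Automated Software Engineering ({ASE})},
  year      = {2012},
  pages     = {80--89},
}

@inproceedings{xiao_xie_tillmann_halleux_2011,
  author       = {Xiao, X. S. and Xie, T. and Tillmann, N. and Halleux, J.},
  title        = {{Covana}: Precise identification of problems in {Pex}},
  booktitle    = {2011 33rd International Conference on Software Engineering ({ICSE})},
  year         = {2011},
  pages        = {1004--1006},
  doi          = {10.1145/1985793.1985976},
  abstractNote = {Achieving high structural coverage is an important goal of software testing. Instead of manually producing test inputs that achieve high structural coverage, testers or developers can employ tools built based on automated test-generation approaches, such as Pex, to automatically generate such test inputs.
Although these tools can easily generate test inputs that achieve high structural coverage for simple programs, when applied on complex programs in practice, these tools face various problems, such as the problems of dealing with method calls to external libraries or generating method-call sequences to produce desired object states. Since these tools are currently not powerful enough to deal with these various problems in testing complex programs, we propose cooperative developer testing, where developers provide guidance to help tools achieve higher structural coverage. In this demo, we present Covana, a tool that precisely identifies and reports problems that prevent Pex from achieving high structural coverage. Covana identifies problems primarily by determining whether branch statements containing not-covered branches have data dependencies on problem candidates.},
}

@inproceedings{xiao_xie_tillmann_halleux_2011b,
  author       = {Xiao, X. S. and Xie, T. and Tillmann, N. and Halleux, J.},
  title        = {Precise identification of problems for structural test generation},
  booktitle    = {2011 33rd International Conference on Software Engineering ({ICSE})},
  year         = {2011},
  pages        = {611--620},
  doi          = {10.1145/1985793.1985876},
  abstractNote = {An important goal of software testing is to achieve at least high structural coverage. To reduce the manual efforts of producing such high-covering test inputs, testers or developers can employ tools built based on automated structural test-generation approaches. Although these tools can easily achieve high structural coverage for simple programs, when they are applied on complex programs in practice, these tools face various problems, such as (1) the external-method-call problem (EMCP), where tools cannot deal with method calls to external libraries; (2) the object-creation problem (OCP), where tools fails to generate method-call sequences to produce desirable object states.
Since these tools currently could not be powerful enough to deal with these problems in testing complex programs in practice, we propose cooperative developer testing, where developers provide guidance to help tools achieve higher structural coverage. To reduce the efforts of developers in providing guidance to tools, in this paper, we propose a novel approach, called Covana, which precisely identifies and reports problems that prevent the tools from achieving high structural coverage primarily by determining whether branch statements containing notcovered branches have data dependencies on problem candidates. We provide two techniques to instantiate Covana to identify EMCPs and OCPs. Finally, we conduct evaluations on two open source projects to show the effectiveness of Covana in identifying EMCPs and OCPs.},
}

@inproceedings{xiao_2011,
  author    = {Xiao, X. S.},
  title     = {Problem identification for structural test generation: First step towards cooperative developer testing},
  booktitle = {2011 33rd International Conference on Software Engineering ({ICSE})},
  year      = {2011},
  pages     = {1179--1181},
}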