A Systematic Evaluation of Static API-Misuse Detectors
IEEE Transactions on Software Engineering (IF 6.5). Pub Date: 2019-12-01, DOI: 10.1109/tse.2018.2827384
Sven Amann, Hoan Anh Nguyen, Sarah Nadi, Tien N. Nguyen, Mira Mezini

Application Programming Interfaces (APIs) often have usage constraints, such as restrictions on call order or call conditions. API misuses, i.e., violations of these constraints, may lead to software crashes, bugs, and vulnerabilities. Though researchers developed many API-misuse detectors over the last two decades, recent studies show that API misuses are still prevalent. Therefore, we need to understand the capabilities and limitations of existing detectors in order to advance the state of the art. In this paper, we present the first-ever qualitative and quantitative evaluation that compares static API-misuse detectors along the same dimensions, and with original author validation. To accomplish this, we develop MuC, a classification of API misuses, and MuBenchPipe, an automated benchmark for detector comparison, on top of our misuse dataset, MuBench. Our results show that the capabilities of existing detectors vary greatly and that existing detectors, though capable of detecting misuses, suffer from extremely low precision and recall. A systematic root-cause analysis reveals that, most importantly, detectors need to go beyond the naive assumption that a deviation from the most-frequent usage corresponds to a misuse and need to obtain additional usage examples to train their models. We present possible directions towards more-powerful API-misuse detectors.
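The root cause named in the abstract, shown on a toy corpus (an added example, not code from the paper, MuBench or MuBenchPipe): a detector that treats the single most frequent call sequence as "the" correct usage flags a rare but valid usage alongside a real misuse, while a detector that checks the actual call condition reports only the misuse. The corpus, the guard table and the method names are constructed for the illustration.

```python
from collections import Counter

# Constructed toy corpus (not from MuBench): each entry is the ordered list of
# calls a client method makes on one java.util.Iterator-style object.
USAGES = {
    "m1": ["hasNext", "next"],
    "m2": ["hasNext", "next"],
    "m3": ["hasNext", "next"],
    "m4": ["hasNext", "next", "remove"],  # correct, just rarer than the others
    "m5": ["next"],                        # real misuse: next() without hasNext()
}
TRUE_MISUSES = {"m5"}  # constructed ground truth for the corpus above

# Constructed usage constraints: a call and the guard call that must precede it.
GUARDS = {"next": "hasNext", "remove": "next"}

def mine_most_frequent(usages):
    """Naive model: the single most common call sequence is 'the' correct usage."""
    counts = Counter(tuple(seq) for seq in usages.values())
    pattern, _ = counts.most_common(1)[0]
    return pattern

def naive_detect(usages):
    """Flag every method whose call sequence deviates from the mined pattern."""
    pattern = mine_most_frequent(usages)
    return sorted(m for m, seq in usages.items() if tuple(seq) != pattern)

def condition_detect(usages, guards):
    """Flag only methods where a guarded call has no guard call earlier in the sequence."""
    findings = []
    for m, seq in usages.items():
        for i, call in enumerate(seq):
            guard = guards.get(call)
            if guard is not None and guard not in seq[:i]:
                findings.append(m)
                break
    return sorted(findings)

def precision(findings, true_misuses):
    """Fraction of reported findings that are actual misuses (0.0 if nothing reported)."""
    if not findings:
        return 0.0
    return len(set(findings) & true_misuses) / len(findings)

if __name__ == "__main__":
    naive, guarded = naive_detect(USAGES), condition_detect(USAGES, GUARDS)
    print("naive:", naive, "precision", precision(naive, TRUE_MISUSES))
    print("guarded:", guarded, "precision", precision(guarded, TRUE_MISUSES))
```

The frequency-based detector reaches only 50% precision here because the legitimate `remove` usage is simply less common than the plain iteration; more usage examples of that shape, as the abstract suggests, are what would let such a model stop flagging it.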

Updated: 2019-12-01