Preprocessors support the diversification of software products with #ifdefs, but also require additional effort from developers to maintain and understand variable code. We conjecture that #ifdefs cause developers to produce more vulnerable code because they are required to reason about multiple features simultaneously and maintain complex mental models of dependencies of configurable code.

We extracted a variational call graph across all configurations of the Linux kernel, and used configuration complexity metrics to compare vulnerable and non-vulnerable functions considering their vulnerability history. Our goal was to learn whether we can observe a measurable influence of configuration complexity on the occurrence of vulnerabilities.

Our results suggest, among others, that vulnerable functions have higher variability than non-vulnerable ones and are also constrained by fewer configuration options. This suggests that developers are more inclined to notice functions that appear in frequently-compiled product variants. We aim to raise developers' awareness to address variability more systematically, since configuration complexity is an important, but often ignored, aspect of software product lines.
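As an added illustration, not code from the paper or its tooling, the following Python sketch shows what a variational call graph and two configuration-complexity metrics of the kind the abstract mentions look like on a tiny constructed input. The C snippet, its CONFIG_ option names, and the exact metric definitions (options constraining a definition; distinct presence conditions inside a body) are assumptions made for this example.

```python
import re
# Constructed #ifdef-laden C in the style the abstract describes (hypothetical
# names, not Linux source). Assumed: only #ifdef/#ifndef/#else/#endif occur and
# function bodies close with "}" at column 0, as in kernel coding style.
SAMPLE = """
#ifdef CONFIG_NET
void net_init(void) {
#ifdef CONFIG_IPV6
    ipv6_setup();
#else
    ipv4_setup();
#endif
}
#endif
void core_init(void) {
    net_init();
}
"""
DEF_RE = re.compile(r"^\s*(?:\w+\s+)+\*?(\w+)\s*\([^;{]*\)\s*\{\s*$")  # definition line
CALL_RE = re.compile(r"\b(\w+)\s*\(")
KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}

def build_variational_call_graph(src):
    # Walk the #ifdef stack line by line; per function, record the presence condition
    # of its definition, the distinct conditions in its body, and (callee, condition) edges.
    stack, funcs, current = [], {}, None
    for line in filter(str.strip, src.splitlines()):
        s = line.strip()
        if s.startswith(("#ifdef ", "#ifndef ")):
            stack.append(("!" if s.startswith("#ifndef") else "") + s.split()[1])
        elif s.startswith("#else"):                      # negate the innermost literal
            top = stack.pop()
            stack.append(top[1:] if top.startswith("!") else "!" + top)
        elif s.startswith("#endif"):
            stack.pop()
        elif m := DEF_RE.match(line):
            current = m.group(1)
            funcs[current] = {"condition": tuple(stack), "inner": set(), "calls": set()}
        elif line.startswith("}") and current:
            current = None
        elif current:
            funcs[current]["inner"].add(tuple(stack))
            funcs[current]["calls"].update((c, tuple(stack)) for c in CALL_RE.findall(s) if c not in KEYWORDS)
    return funcs

def complexity_metrics(funcs):
    # Two metrics in the spirit of the abstract: how many options constrain the
    # definition, and how many distinct presence conditions the body spans.
    return {name: {"constraining_options": len({c.lstrip("!") for c in f["condition"]}),
                   "variability": len(f["inner"])} for name, f in funcs.items()}
```

On the sample, net_init is constrained by one option and spans two presence conditions, while core_init is unconditional with a single condition, which is the kind of contrast the study's comparison of vulnerable and non-vulnerable functions relies on.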