Human Attention During Localization of Memory Bugs in C Programs

This paper presents a study of human visual attention during localization of memory bugs in C. Human visual attention refers to the mechanical processes by which we selectively process and prioritize information. Visual attention is important to study because it is central to what information people (who are sighted) use to solve a particular problem. Meanwhile, memory bugs are among the most common types of bugs in C programs that manifest as a variety of program faults. In this paper, we study human visual attention while people attempt to locate memory bugs in code. We recruit 21 programmers to locate between one and eight memory bugs in three C programs for 1.5-2 hours each. In total we collected observations of 31 hours of programmer effort. The bugs in our study cover memory leaks, overflows, and double frees, which are among the most common memory bugs. We analyze the task outcomes in terms of success rate and related factors, patterns of visual attention overall such as what lines and functions are read, and finally we explore differences of visual attention patterns during success versus failure cases.

💡 Research Summary

This paper presents a controlled empirical study investigating the visual attention patterns of programmers during the static localization of memory bugs in C programs. The research aims to understand how developers allocate their visual focus when searching for common memory errors such as leaks, buffer overflows, and double frees, and whether distinct patterns correlate with successful bug discovery.

The study recruited 21 proficient C programmers. Each participant worked for 1.5 to 2 hours in a lab setting, attempting to locate between one and eight real-world memory bugs extracted from three popular open-source C projects: OpenSSL, Redis, and Sway. During the task, participants read bug reports and the corresponding source code without executing it. Their visual attention was meticulously recorded using eye-tracking hardware, capturing metrics like fixations (pauses on a specific point), regressions (re-reading movements), and scanpaths (sequences of eye movements).

The analysis was structured around three research questions (RQs). For RQ1 (Task Outcomes), the study established a baseline of participant performance, measuring success rates, time spent, and self-reported confidence. This provided context for the difficulty of the tasks and the skill variation among participants.

RQ2 (General Attention Patterns) examined the overall strategies programmers employed. A key finding was the extreme concentration of attention: 75% of all fixations were on just 25% of the functions they looked at. This indicates that bug localization is not a uniform scan but a targeted, investigative process where programmers quickly focus on suspicious areas. The analysis also detailed general scanning behaviors, such as the order in which functions and lines were read.

The core contribution of the paper lies in RQ3 (Attention Patterns in Success vs. Failure). By comparing the eye-tracking data of successful and unsuccessful bug localization attempts, the study revealed significant differences. Successful bug locators exhibited a pattern of intensive and recursive validation: they spent significantly more total fixation time on the buggy line, revisited it more frequently, and had a higher regression rate overall. Their scanpaths were also “denser,” meaning the average distance between successive fixations was shorter, suggesting they were closely examining and comparing adjacent lines of code. Crucially, the data showed that unsuccessful participants often fixated on the correct buggy line as well, but failed to allocate sufficient sustained attention or cognitive processing to recognize it as faulty. Their visits to the buggy line were shorter and less frequent.

In conclusion, this research provides a quantitative, fine-grained account of the visual-cognitive processes underlying memory bug localization. It demonstrates that successful debugging is associated with a specific attentional signature characterized by focused, repetitive, and detailed inspection of key code regions, rather than merely laying eyes on the problematic code. These insights have direct implications for designing more intelligent developer tools (e.g., IDEs that highlight areas receiving intense or recursive attention) and for improving pedagogical approaches to debugging by emphasizing meta-cognitive strategies for systematic search and validation.