Pith. sign in

REVIEW 2 major objections 5 minor 85 references

CodeTracer traces a malicious code completion back to the poisoned fine-tuning examples that caused it, using only the fine-tuning corpus and the reported miscompletion.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-10 13:45 UTC pith:ZHPPBRTN

load-bearing objection Solid, practical forensic pipeline for code-completion backdoors that actually works under the no-gradient constraint and beats a large baseline suite. the 2 major comments →

arxiv 2607.08011 v1 pith:ZHPPBRTN submitted 2026-07-09 cs.CR cs.AIcs.IRcs.LG

Beware What You Autocomplete: Forensic Attribution of Backdoored Code Completions

classification cs.CR cs.AIcs.IRcs.LG
keywords code completionbackdoor attackspoisoning forensicsLLM attributionbehavioral fingerprintfine-tuning datacode security
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Code completion models can be quietly poisoned during fine-tuning so that, under specific triggers, they emit unsafe code. Existing defenses often miss sophisticated backdoors, leaving operators without a way to find the root cause after the fact. This paper establishes that a forensic pipeline called CodeTracer can attribute a reported malicious completion to the responsible fine-tuning examples by extracting a structured behavioral fingerprint, retrieving a shortlist of semantically similar training snippets, and using an external LLM to decide which of them encode the same unsafe logic. The method needs no gradients, no attacker knowledge, and no full retraining. If it works, developers and service providers can audit and clean poisoned datasets after a backdoor has already manifested, restoring trust without discarding the entire model.

Core claim

Under realistic post-deployment constraints—access only to the fine-tuning corpus and a user-reported miscompletion event—CodeTracer recovers the backdoored training examples responsible for a malicious completion with consistently low false-negative rates (at most 0.03) across three vulnerability classes and ten poisoning strategies, while keeping false-positive rates near zero and remaining effective against adaptive attacks that deliberately target its own stages.

What carries the argument

CodeTracer’s three-stage pipeline: (1) an external LLM extracts a structured behavioral fingerprint (issue type, canonical form, normalized semantics, variants, transformations) from the miscompletion; (2) a code encoder retrieves the top-K most similar function-level snippets from the fine-tuning corpus; (3) the same LLM performs fine-grained semantic comparison of the fingerprint against each candidate and labels matches as responsible backdoors.

Load-bearing premise

Users honestly report genuine miscompletion events and do not submit fabricated or false-flag reports that would cause the pipeline to blame clean data.

What would settle it

Run the full CodeTracer pipeline on a held-out fine-tuning set that contains known backdoored examples for the jinja2, requests, and socket cases; if the false-negative rate rises above 0.10 for any of the ten attacks or the adaptive variants, the central accuracy claim is falsified.

Watch this falsifier — get emailed when new claim-graph text bears on it.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

2 major / 5 minor

Summary. The paper introduces CodeTracer, a three-stage post-deployment forensic framework that attributes a reported malicious code completion (miscompletion event) back to the responsible poisoned fine-tuning examples. Given only the fine-tuning corpus and the prompt+completion pair, it (1) extracts a structured behavioral fingerprint via an external LLM, (2) narrows the search space by function-level embedding retrieval with UniXcoder and max cosine similarity (Eq. 1), and (3) uses LLM-based semantic comparison against the fingerprint to label candidates. Experiments cover three vulnerability classes (jinja2, requests, socket), eight standard plus two adaptive backdoor attacks, sixteen baselines, ablations, multi-attacker/multi-hop/noisy-report settings, and scale-up to 8 M clean examples. Reported results show FNR ≤ 0.03, near-zero FPR, large ASR reductions after removal of traced examples, and robustness under the authors’ own adaptive attacks.

Significance. If the empirical claims hold, the work supplies a practical, gradient-free forensic capability that is currently missing for code-completion models. Preventive defenses are shown to be weak against stealthy payloads; a reliable post-hoc attribution tool would let providers audit and clean fine-tuning corpora without full retraining. Strengths include the breadth of the evaluation (ten attacks, three cases, sixteen baselines, adaptive and multi-hop settings), explicit ablations of each pipeline stage, and the realistic threat model that assumes only the corpus and a reported miscompletion. The honest-report premise is a genuine scope limit already acknowledged in the Limitations section and shared with the cited forensics literature; it does not invalidate the measured performance under that premise.

major comments (2)
  1. Section 3 and Limitations: the entire pipeline is conditioned on honest, true-positive miscompletion reports. Fabricated reports would cause CodeTracer to attribute blame to clean data. While the authors correctly flag this and note that the same assumption appears in prior forensics work, the manuscript should quantify the risk more carefully—e.g., by measuring how many clean examples are flagged when a deliberately false or noisy report is supplied, and by discussing concrete human-in-the-loop filters beyond a one-sentence suggestion.
  2. Section 4.2 / Eq. (1) and Table 9: the claim that function-level max-similarity retrieval recovers nearly all responsible examples rests on an empirical axiom that is only partially stress-tested. Table 9 shows FNR rising to 0.05–0.09 when top-K drops to 250; the adaptive embedding-perturbation attack (Appendix E, Table 15) is the only direct attempt to break the embedding stage. A short additional experiment that systematically varies function length, padding volume, or multi-function payloads would make the recall guarantee more convincing.
minor comments (5)
  1. Algorithm 1 appears twice in the appendix (identical copies). Remove the duplicate.
  2. Tables 3 and 4 report FPR/DACC as fractions over 80 000; the absolute counts are useful but the tables become hard to scan. Consider moving the raw counts to an appendix or using scientific notation for the denominators.
  3. Figure 5 caption and axis labels are readable, yet the TROJAN panel uses a different N scale (280–2240) without an explicit note in the main text; a one-sentence clarification would help.
  4. Prompt 1 and Prompt 2 are given in full; a short note on temperature / decoding settings used for the external LLM would improve reproducibility.
  5. A few typographical inconsistencies remain (e.g., “CodeTracer” sometimes rendered without the space after the period in running text; “jinja2” vs. “Jinja2”). A light copy-edit pass would clean these.

Circularity Check

0 steps flagged

No circularity: CodeTracer is an empirical forensic pipeline whose accuracy claims are measured against independently constructed ground-truth poisoned sets, not derived by construction from fitted parameters or self-referential definitions.

full rationale

The paper presents a three-stage engineering method (fingerprint extraction via external LLM, embedding-based scope narrowing with UniXcoder, and LLM-based attribution) and evaluates it empirically. Performance numbers (FNR ≤ 0.03, near-zero FPR, ASR reduction after removal) are obtained by comparing the method’s output set B against the known set of poisoned examples that the authors themselves injected under ten published attack strategies. There is no mathematical derivation claiming to predict a quantity from first principles; the “prediction” is simply the forensic label returned by Prompt 2, which is then scored against ground truth. Self-citations (e.g., to Yan et al. 2024 for the threat model and attack suite, or to Zhang et al. for baseline forensic methods) supply experimental settings and comparison points; they do not define the accuracy metric or force the reported FNR by construction. Ablations, adaptive attacks, multi-attacker, multi-hop, and noisy-report experiments further test the pipeline rather than tautologically restate its inputs. The honest-report assumption is a scope limitation, not a circular step. Consequently the central claim is an ordinary empirical result and carries zero circularity under the stated criteria.

Axiom & Free-Parameter Ledger

3 free parameters · 4 axioms · 2 invented entities

The central empirical claim rests on standard ML evaluation practice plus three domain assumptions (honest user reports, clean pre-trained base model, attacker limited to fine-tuning data) and a small set of free hyper-parameters (top-K, external LLM choice). No new physical entities are postulated; the 'fingerprint' is an engineered data structure, not an ontological invention.

free parameters (3)
  • top-K retrieval size = 500
    Default K=500; ablation shows performance degrades for K=250 and remains stable for larger K. Chosen by hand to balance recall and cost.
  • number of poisoned examples N = 20 (default)
    Default N=20 (140 for TROJAN); varied in {40,80,160,320} for sensitivity. Fixed by experimental design rather than fit to a loss.
  • external LLM choice = GPT-4.1
    Default GPT-4.1; ablated across GPT-4o, GPT-5 variants and Llama-3.1-70B. Performance is robust but absolute numbers depend on the chosen model.
axioms (4)
  • domain assumption Users honestly report genuine miscompletion events; false-flag reports are excluded.
    Stated in Section 3 and Limitations; the entire evaluation pipeline is conditioned on true-positive reports.
  • domain assumption The pre-trained base model is clean; only fine-tuning data may be poisoned.
    Threat model (Section 3) following Yan et al. 2024; required for the forensic target to be inside the fine-tuning corpus.
  • domain assumption An external LLM can reliably judge semantic equivalence of unsafe code logic given a structured fingerprint.
    Core of Stage 3 (Prompt 2); validated empirically across multiple LLMs but remains an unproven capability assumption.
  • ad hoc to paper Function-level (or fixed-length) partitioning plus max cosine similarity recovers the responsible examples with high recall.
    Eq. (1) and Stage 2 design choice; justified by ablation but not derived from first principles.
invented entities (2)
  • structured behavioral fingerprint (JSON schema with issue_type, canonical_form, etc.) no independent evidence
    purpose: Compact, attacker-agnostic signature of the unsafe logic extracted from a miscompletion.
    Engineered data structure defined in Section 4.1 and Appendix A; no independent existence outside the method.
  • CodeTracer three-stage pipeline no independent evidence
    purpose: End-to-end forensic attribution under no-gradient, post-deployment constraints.
    The method itself; evaluated but not an ontological claim.

pith-pipeline@v1.1.0-grok45 · 29827 in / 2712 out tokens · 33093 ms · 2026-07-10T13:45:29.990570+00:00 · methodology

0 comments
read the original abstract

Large language models have enabled powerful code completion systems that assist developers by predicting subsequent lines of code. However, these models remain vulnerable to backdoor attacks, where malicious fine-tuning data covertly implants unsafe behaviors. Despite advances in defensive techniques, adaptive and sophisticated backdoor attacks still evade detection and mitigation. We present CodeTracer, a forensic framework that traces malicious code completions back to the backdoor fine-tuning data responsible for them. Operating under realistic post-deployment constraints, CodeTracer relies solely on the fine-tuning corpus and the reported miscompletion event. It extracts a structured behavioral fingerprint from the compromised output, narrows the search to semantically relevant code samples, and employs LLM-based reasoning to attribute unsafe logic to specific backdoor data. Extensive evaluations across three representative vulnerability cases and ten backdoor attacks, along with sixteen competitive baselines, demonstrate that CodeTracer consistently achieves high forensic accuracy, low false identification rates, and strong robustness against adaptive attacks.

Figures

Figures reproduced from arXiv: 2607.08011 by Anjun Gao, Minghong Fang, Yueyang Quan, Zhuqing Liu.

Figure 1
Figure 1. Figure 1: (a) The service provider fine-tunes a code completion model on a dataset containing [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Example of a miscompletion event. A More explanations of the fields issue type: It identifies the vulnerability class being captured (e.g., unsafe template render￾ing, insecure network binding). canonical form: It provides a normalized exploit template that abstracts away surface syntax and variable naming. normalized semantics: It describes the core security-relevant behavior in plain language, explaining… view at source ↗
Figure 5
Figure 5. Figure 5: Impact of different numbers of backdoored examples [PITH_FULL_IMAGE:figures/full_fig_p018_5.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

85 extracted references · 85 canonical work pages · 11 internal anchors

  1. [1]

    USENIX Security Symposium , year=

    An LLM-Assisted Easy-to-Trigger backdoor attack on code completion models: Injecting disguised vulnerabilities against strong detection , author=. USENIX Security Symposium , year=

  2. [2]

    NDSS , year=

    Beagle: Forensics of deep learning backdoor attack for better defense , author=. NDSS , year=

  3. [3]

    NeurIPS , year=

    Tracing Back the Malicious Clients in Poisoning Attacks to Federated Learning , author=. NeurIPS , year=

  4. [4]

    ACL , year=

    Backdooring neural code search , author=. ACL , year=

  5. [5]

    ACM Transactions on Software Engineering and Methodology , year=

    Poison attack and poison detection on deep source code processing models , author=. ACM Transactions on Software Engineering and Methodology , year=

  6. [7]

    CCS , year=

    Identifying a training-set attack's target using renormalized influence estimation , author=. CCS , year=

  7. [8]

    IEEE Symposium on Security and Privacy , year=

    Who Taught the Lie? Responsibility Attribution for Poisoned Knowledge in Retrieval-Augmented Generation , author=. IEEE Symposium on Security and Privacy , year=

  8. [9]

    USENIX Security Symposium , year=

    Patcher: Post-Hoc Patching of Backdoored Large Language Models , author=. USENIX Security Symposium , year=

  9. [10]

    Philosophical Transactions of the Royal Society A , year=

    Large language models as tax attorneys: a case study in legal capabilities emergence , author=. Philosophical Transactions of the Royal Society A , year=

  10. [11]

    Electronic notes in theoretical computer science , year=

    A comparative study of industrial static analysis tools , author=. Electronic notes in theoretical computer science , year=

  11. [12]

    ICSE , year=

    Tracking down software bugs using automatic anomaly detection , author=. ICSE , year=

  12. [13]

    SANER , year=

    Would static analysis tools help developers with code reviews? , author=. SANER , year=

  13. [15]

    Nature Reviews Physics , year=

    Science in the age of large language models , author=. Nature Reviews Physics , year=

  14. [16]

    ACM Transactions on Software Engineering and Methodology , year=

    Large language models for software engineering: A systematic literature review , author=. ACM Transactions on Software Engineering and Methodology , year=

  15. [17]

    NeurIPS , year=

    Language models are few-shot learners , author=. NeurIPS , year=

  16. [21]

    Qwen Technical Report

    Qwen technical report , author=. arXiv preprint arXiv:2309.16609 , year=

  17. [22]

    Gemma: Open Models Based on Gemini Research and Technology

    Gemma: Open models based on gemini research and technology , author=. arXiv preprint arXiv:2403.08295 , year=

  18. [23]

    ICSE-FoSE , year=

    Large language models for software engineering: Survey and open problems , author=. ICSE-FoSE , year=

  19. [24]

    KDD , year=

    Pythia: Ai-assisted code completion system , author=. KDD , year=

  20. [25]

    NeurIPS , year=

    Crosscodeeval: A diverse and multilingual benchmark for cross-file code completion , author=. NeurIPS , year=

  21. [26]

    PLDI , year=

    Code completion with statistical language models , author=. PLDI , year=

  22. [27]

    ICSE , year=

    When code completion fails: A case study on real-world completions , author=. ICSE , year=

  23. [28]

    StarCoder: may the source be with you!

    Starcoder: may the source be with you! , author=. arXiv preprint arXiv:2305.06161 , year=

  24. [29]

    WizardCoder: Empowering Code Large Language Models with Evol-Instruct

    WizardCoder: Empowering Code Large Language Models with Evol-Instruct , author=. arXiv preprint arXiv:2306.08568 , year=

  25. [30]

    IEEE Transactions on Software Engineering , year=

    Stealthy backdoor attack for code models , author=. IEEE Transactions on Software Engineering , year=

  26. [31]

    IEEE Symposium on Security and Privacy , year=

    Trojanpuzzle: Covertly poisoning code-suggestion models , author=. IEEE Symposium on Security and Privacy , year=

  27. [32]

    Computer Standards & Interfaces , year=

    Large language models for code completion: A systematic literature review , author=. Computer Standards & Interfaces , year=

  28. [33]

    NAACL-HLT , year=

    Bert: Pre-training of deep bidirectional transformers for language understanding , author=. NAACL-HLT , year=

  29. [34]

    ICLR , year=

    Codegen: An open large language model for code with multi-turn program synthesis , author=. ICLR , year=

  30. [35]

    OpenAI blog , year=

    Language models are unsupervised multitask learners , author=. OpenAI blog , year=

  31. [36]

    ICSE , year=

    Language models for code completion: A practical evaluation , author=. ICSE , year=

  32. [37]

    ASE , year=

    Multi-task learning based pre-trained language model for code completion , author=. ASE , year=

  33. [38]

    USENIX Security Symposium , year=

    You autocomplete me: Poisoning vulnerabilities in neural code completion , author=. USENIX Security Symposium , year=

  34. [41]

    NeurIPS , year=

    Contextcite: Attributing model generation to context , author=. NeurIPS , year=

  35. [42]

    USENIX Security Symposium , year=

    TracLLM: A Generic Framework for Attributing Long Context LLMs , author=. USENIX Security Symposium , year=

  36. [44]

    arXiv preprint , year=

    A Conversational Paradigm for Program Synthesis , author=. arXiv preprint , year=

  37. [45]

    ICML , year=

    Which agent causes task failures and when? on automated failure attribution of llm multi-agent systems , author=. ICML , year=

  38. [46]

    USENIX Security Symposium , year=

    Poison forensics: Traceback of data poisoning attacks in neural networks , author=. USENIX Security Symposium , year=

  39. [47]

    The Web Conference , year=

    Traceback of poisoning attacks to retrieval-augmented generation , author=. The Web Conference , year=

  40. [48]

    ICLR , year=

    OpenRCA: Can large language models locate the root cause of software failures? , author=. ICLR , year=

  41. [49]

    Statistics and computing , year=

    A tutorial on spectral clustering , author=. Statistics and computing , year=

  42. [50]

    Knowledge and information systems , year=

    Top 10 algorithms in data mining , author=. Knowledge and information systems , year=

  43. [51]

    ICSE , year=

    An LLM-Based Agent-Oriented Approach for Automated Code Design Issue Localization , author=. ICSE , year=

  44. [52]

    Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=

    Unixcoder: Unified cross-modal pre-training for code representation , author=. Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=

  45. [53]

    URL https://codeql.github.com/

    CodeQL. URL https://codeql.github.com/

  46. [54]

    URL https://semgrep.dev/

    Semgrep. URL https://semgrep.dev/

  47. [55]

    GPT-4 Technical Report

    Josh Achiam, Steven Adler, Sandhini Agarwal, Lama Ahmad, Ilge Akkaya, Florencia Leoni Aleman, Diogo Almeida, Janko Altenschmidt, Sam Altman, Shyamal Anadkat, et al. Gpt-4 technical report. arXiv preprint arXiv:2303.08774, 2023

  48. [56]

    Trojanpuzzle: Covertly poisoning code-suggestion models

    Hojjat Aghakhani, Wei Dai, Andre Manoel, Xavier Fernandes, Anant Kharkar, Christopher Kruegel, Giovanni Vigna, David Evans, Ben Zorn, and Robert Sim. Trojanpuzzle: Covertly poisoning code-suggestion models. In IEEE Symposium on Security and Privacy, 2024

  49. [57]

    PaLM 2 Technical Report

    Rohan Anil, Andrew M Dai, Orhan Firat, Melvin Johnson, Dmitry Lepikhin, Alexandre Passos, Siamak Shakeri, Emanuel Taropa, Paige Bailey, Zhifeng Chen, et al. Palm 2 technical report. arXiv preprint arXiv:2305.10403, 2023

  50. [58]

    An llm-based agent-oriented approach for automated code design issue localization

    Fraol Batole, David OBrien, Tien Nguyen, Robert Dyer, and Hridesh Rajan. An llm-based agent-oriented approach for automated code design issue localization. In ICSE, 2025

  51. [59]

    Language models are few-shot learners

    Tom Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared D Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, et al. Language models are few-shot learners. In NeurIPS, 2020

  52. [60]

    Beagle: Forensics of deep learning backdoor attack for better defense

    Siyuan Cheng, Guanhong Tao, Yingqi Liu, Shengwei An, Xiangzhe Xu, Shiwei Feng, Guangyu Shen, Kaiyuan Zhang, Qiuling Xu, Shiqing Ma, et al. Beagle: Forensics of deep learning backdoor attack for better defense. In NDSS, 2023

  53. [61]

    Contextcite: Attributing model generation to context

    Benjamin Cohen-Wang, Harshay Shah, Kristian Georgiev, and Aleksander Madry. Contextcite: Attributing model generation to context. In NeurIPS, 2024

  54. [62]

    Bert: Pre-training of deep bidirectional transformers for language understanding

    Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. Bert: Pre-training of deep bidirectional transformers for language understanding. In NAACL-HLT, 2019

  55. [63]

    The Llama 3 Herd of Models

    Abhimanyu Dubey, Abhinav Jauhri, Abhinav Pandey, Abhishek Kadian, Ahmad Al-Dahle, Aiesha Letman, Akhil Mathur, Alan Schelten, Amy Yang, Angela Fan, et al. The llama 3 herd of models. arXiv preprint arXiv:2407.21783, 2024

  56. [64]

    A comparative study of industrial static analysis tools

    P \"a r Emanuelsson and Ulf Nilsson. A comparative study of industrial static analysis tools. In Electronic notes in theoretical computer science, 2008

  57. [65]

    Patcher: Post-hoc patching of backdoored large language models

    Anjun Gao, Yueyang Quan, Yufei Xia, Zhuqing Liu, and Minghong Fang. Patcher: Post-hoc patching of backdoored large language models. In USENIX Security Symposium, 2026

  58. [66]

    Enabling Large Language Models to Generate Text with Citations

    Tianyu Gao, Howard Yen, Jiatong Yu, and Danqi Chen. Enabling large language models to generate text with citations. arXiv preprint arXiv:2305.14627, 2023

  59. [67]

    Unixcoder: Unified cross-modal pre-training for code representation

    Daya Guo, Shuai Lu, Nan Duan, Yanlin Wang, Ming Zhou, and Jian Yin. Unixcoder: Unified cross-modal pre-training for code representation. In Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pp.\ 7212--7225, 2022

  60. [68]

    Identifying a training-set attack's target using renormalized influence estimation

    Zayd Hammoudeh and Daniel Lowd. Identifying a training-set attack's target using renormalized influence estimation. In CCS, 2022

  61. [69]

    Tracking down software bugs using automatic anomaly detection

    Sudheendra Hangal and Monica S Lam. Tracking down software bugs using automatic anomaly detection. In ICSE, 2002

  62. [70]

    Large language models for code completion: A systematic literature review

    Rasha Ahmad Husein, Hala Aburajouh, and Cagatay Catal. Large language models for code completion: A systematic literature review. In Computer Standards & Interfaces, 2025

  63. [71]

    Language models for code completion: A practical evaluation

    Maliheh Izadi, Jonathan Katzy, Tim Van Dam, Marc Otten, Razvan Mihai Popescu, and Arie Van Deursen. Language models for code completion: A practical evaluation. In ICSE, 2024

  64. [72]

    Tracing back the malicious clients in poisoning attacks to federated learning

    Yuqi Jia, Minghong Fang, Hongbin Liu, Jinghuai Zhang, and Neil Zhenqiang Gong. Tracing back the malicious clients in poisoning attacks to federated learning. In NeurIPS, 2025

  65. [73]

    Poison attack and poison detection on deep source code processing models

    Jia Li, Zhuo Li, HuangZhao Zhang, Ge Li, Zhi Jin, Xing Hu, and Xin Xia. Poison attack and poison detection on deep source code processing models. In ACM Transactions on Software Engineering and Methodology, 2024

  66. [74]

    Multi-task learning based pre-trained language model for code completion

    Fang Liu, Ge Li, Yunfei Zhao, and Zhi Jin. Multi-task learning based pre-trained language model for code completion. In ASE, 2020

  67. [75]

    WebGPT: Browser-assisted question-answering with human feedback

    Reiichiro Nakano, Jacob Hilton, Suchir Balaji, Jeff Wu, Long Ouyang, Christina Kim, Christopher Hesse, Shantanu Jain, Vineet Kosaraju, William Saunders, et al. Webgpt: Browser-assisted question-answering with human feedback. arXiv preprint arXiv:2112.09332, 2021

  68. [76]

    Codegen: An open large language model for code with multi-turn program synthesis

    Erik Nijkamp, Bo Pang, Hiroaki Hayashi, Lifu Tu, Huan Wang, Yingbo Zhou, Silvio Savarese, and Caiming Xiong. Codegen: An open large language model for code with multi-turn program synthesis. In ICLR, 2023

  69. [77]

    Would static analysis tools help developers with code reviews? In SANER, 2015

    Sebastiano Panichella, Venera Arnaoudova, Massimiliano Di Penta, and Giuliano Antoniol. Would static analysis tools help developers with code reviews? In SANER, 2015

  70. [78]

    Language models are unsupervised multitask learners

    Alec Radford, Jeffrey Wu, Rewon Child, David Luan, Dario Amodei, Ilya Sutskever, et al. Language models are unsupervised multitask learners. In OpenAI blog, 2019

  71. [79]

    Utrace: Poisoning forensics for private collaborative learning

    Evan Rose, Hidde Lycklama, Harsh Chaudhari, Anwar Hithnawi, and Alina Oprea. Utrace: Poisoning forensics for private collaborative learning. arXiv preprint arXiv:2409.15126, 2024

  72. [80]

    Code Llama: Open Foundation Models for Code

    Baptiste Roziere, Jonas Gehring, Fabian Gloeckle, Sten Sootla, Itai Gat, Xiaoqing Ellen Tan, Yossi Adi, Jingyu Liu, Romain Sauvestre, Tal Remez, et al. Code llama: Open foundation models for code. arXiv preprint arXiv:2308.12950, 2023

  73. [81]

    You autocomplete me: Poisoning vulnerabilities in neural code completion

    Roei Schuster, Congzheng Song, Eran Tromer, and Vitaly Shmatikov. You autocomplete me: Poisoning vulnerabilities in neural code completion. In USENIX Security Symposium, 2021

  74. [82]

    Poison forensics: Traceback of data poisoning attacks in neural networks

    Shawn Shan, Arjun Nitin Bhagoji, Haitao Zheng, and Ben Y Zhao. Poison forensics: Traceback of data poisoning attacks in neural networks. In USENIX Security Symposium, 2022

  75. [83]

    Backdooring neural code search

    Weisong Sun, Yuchen Chen, Guanhong Tao, Chunrong Fang, Xiangyu Zhang, Quanjun Zhang, and Bin Luo. Backdooring neural code search. In ACL, 2023

  76. [84]

    A tutorial on spectral clustering

    Ulrike Von Luxburg. A tutorial on spectral clustering. In Statistics and computing, 2007

  77. [85]

    AttnTrace: Contextual Attribution of Prompt Injection and Knowledge Corruption

    Yanting Wang, Runpeng Geng, Ying Chen, and Jinyuan Jia. Attntrace: Attention-based context traceback for long-context llms. arXiv preprint arXiv:2508.03793, 2025 a

  78. [86]

    Tracllm: A generic framework for attributing long context llms

    Yanting Wang, Wei Zou, Runpeng Geng, and Jinyuan Jia. Tracllm: A generic framework for attributing long context llms. In USENIX Security Symposium, 2025 b

  79. [87]

    Top 10 algorithms in data mining

    Xindong Wu, Vipin Kumar, J Ross Quinlan, Joydeep Ghosh, Qiang Yang, Hiroshi Motoda, Geoffrey J McLachlan, Angus Ng, Bing Liu, Philip S Yu, et al. Top 10 algorithms in data mining. In Knowledge and information systems, 2008

  80. [88]

    Openrca: Can large language models locate the root cause of software failures? In ICLR, 2025

    Junjielong Xu, Qinan Zhang, Zhiqing Zhong, Shilin He, Chaoyun Zhang, Qingwei Lin, Dan Pei, Pinjia He, Dongmei Zhang, and Qi Zhang. Openrca: Can large language models locate the root cause of software failures? In ICLR, 2025

Showing first 80 references.