ABSTRACT
The JavaScript programming language is widely used for web programming and, increasingly, for general purpose computing. As such, improving the correctness, security and performance of JavaScript applications has been the driving force for research in type systems, static analysis and compiler techniques for this language. Many of these techniques aim to reign in some of the most dynamic features of the language, yet little seems to be known about how programmers actually utilize the language or these features. In this paper we perform an empirical study of the dynamic behavior of a corpus of widely-used JavaScript programs, and analyze how and why the dynamic features are used. We report on the degree of dynamism that is exhibited by these JavaScript programs and compare that with assumptions commonly made in the literature and accepted industry benchmark suites.
- Christopher Anderson. Type Inference for JavaScript. PhD thesis, Department of Computing, Imperial College London, March 2006.Google Scholar
- Christopher Anderson and Sophia Drossopoulou. BabyJ: From object based to class based programming via types. Electr. Notes Theor. Comput. Sci., 82(7), 2003.Google Scholar
- Christopher Anderson and Paola Giannini. Type checking for JavaScript. Electr. Notes Theor. Comput. Sci., 138(2), 2005. Google Scholar
Digital Library
- Brad Calder, Dirk Grunwald, and Benjamin Zorn. Quantifying behavioral differences between c and c++ programs. Journal of Programming Languages, (4), 1994.Google Scholar
- Craig Chambers, Dave Ungar, and Erin Lee. An efficient implementation of SELF a dynamically-typed object-oriented language based on prototypes. SIGPLAN Not., 24(10):49--70, 1989. Google Scholar
Digital Library
- Ravi Chugh, Jeffrey A. Meister, Ranjit Jhala, and Sorin Lerner. Staged information flow for JavaScript. In Programming Language Design and Implementation, (PLDI), 2009. Google Scholar
Digital Library
- Bruno Dufour, Karel Driesen, Laurie J. Hendren, and Clark Verbrugge. Dynamic metrics for java. In Proceedings of the Conference on Object-Oriented Programming Systems, Languages and Applications (OOPSLA), 2003. Google Scholar
Digital Library
- Ben Feinstein and Daniel Peck. Caffeinemonkey: Automated collection, detection and analysis of malicious JavaScript. In Black Hat USA 2007, Las Vegas, NV, USA, 2007.Google Scholar
- Michael Furr, Jong hoon An, Jeffrey Foster, and Michael Hicks. Static type inference for ruby. In Symposium on Applied Computing (SAC), 2009. Google Scholar
Digital Library
- Andreas Gal, Brendan Eich, Mike Shaver, David Anderson, David Mandelin, Mohammad R. Haghighat, Blake Kaplan, Graydon Hoare, Boris Zbarsky, Jason Orendorff, Jesse Ruderman, Edwin W. Smith, Rick Reitmaier, Michael Bebenita, Mason Chang, and Michael Franz. Trace-based just-in-time type specialization for dynamic languages. In Conference on Programming Language Design and Implementation (PLDI), 2009. Google Scholar
Digital Library
- C.D. Garret, Jeff Dean, David Grove, and Craig Chambers. Measurement and application of dynamic receiver class distributions. Univ of Washington, 1994.Google Scholar
- Arjun Guha, Shriram Krishnamurthi, and Trevor Jim. Using static analysis for ajax intrusion detection. In International Conference on World Wide Web (WWW), 2009. Google Scholar
Digital Library
- Phillip Heidegger and Peter Thiemann. Recency types for dynamically-typed, object-based languages. In Foundations of Object Oriented Languages (FOOL), 2009.Google Scholar
- Alex Holkner and James Harland. Evaluating the dynamic behaviour of Python applications. In Australasian Computer Science Conference (ACSC), 2009. Google Scholar
Digital Library
- Daniel Ingalls, Krzysztof Palacz, Stephen Uhler, Antero Taivalsaari, and Tommi Mikkonen. The lively kernel a self-supporting system on a web page. In Self-Sustaining Systems, 2008. Google Scholar
Digital Library
- ECMA International. ECMA-262: ECMAScript Language Specification. ECMA (European Association for Standardizing Information and Communication Systems), Geneva, Switzerland, third edition, December 1999.Google Scholar
- Dongseok Jang and Kwang-Moo Choe. Points-to analysis for JavaScript. In Symposium on Applied Computing (SAC), 2009. Google Scholar
Digital Library
- Simon Holm Jensen, Anders Møller, and Peter Thiemann. Type analysis for JavaScript. In Static Analysis Symposium (SAS), 2009. Google Scholar
Digital Library
- Sylvain Lebresne, Gregor Richards, Johan Ostlund, Tobias Wrigstad, and Jan Vitek. Understanding the dynamics of JavaScript. In Workshop on Script to Program Evolution (STOP), 2009. Google Scholar
Digital Library
- Florian Loitsch and Manuel Serrano. Hop client-side compilation. In Symposium on Trends on Functional Languages, 2007.Google Scholar
- Sergio Maffeis, John C. Mitchell, and Ankur Taly. Isolating JavaScript with filters, rewriting, and wrappers. In European Symposium on Research in Computer Security (ESORICS), 2009. Google Scholar
Digital Library
- Paruj Ratanaworabhan, Benjamin Livshits, and Benjamin Zorn. JSMeter: Comparing the behavior of JavaScript benchmarks with real web applications. In USENIX Conference on Web Application Development (WebApps), June 2010. Google Scholar
Digital Library
- Ewan D. Tempero, James Noble, and Hayden Melton. How do java programs use inheritance? an empirical study of inheritance in java software. In European Conference on Object-Oriented Programming (ECOOP), 2008. Google Scholar
Digital Library
- Peter Thiemann. Towards a type system for analyzing JavaScript programs. In European Symposium on Programming (ESOP), 2005. Google Scholar
Digital Library
- Sam Tobin-Hochstadt and Matthias Felleisen. The design and implementation of Typed Scheme. In POPL, pages 395--406, New York, NY, USA, 2008. ACM. Google Scholar
Digital Library
- Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Krügel, and Giovanni Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In Network and Distributed System Security Symposium (NDSS), 2007.Google Scholar
- Dachuan Yu, Ajay Chander, Nayeem Islam, and Igor Serikov. JavaScript instrumentation for browser security. In Symposium on Principles of Programming Languages (POPL), 2007. Google Scholar
Digital Library
- Chuan Yue and Haining Wang. Characterizing insecure JavaScript practices on the web. In 18th International World Wide Web Conference, pages 961--961, April 2009. Google Scholar
Digital Library
Index Terms
An analysis of the dynamic behavior of JavaScript programs
Recommendations
Analysis of JavaScript Programs: Challenges and Research Trends
JavaScript has been a de facto standard language for client-side web programs, and now it is expanding its territory to general purpose programs. In this article, we classify the client-side JavaScript research for the last decade or so into six topics: ...
An analysis of the dynamic behavior of JavaScript programs
PLDI '10The JavaScript programming language is widely used for web programming and, increasingly, for general purpose computing. As such, improving the correctness, security and performance of JavaScript applications has been the driving force for research in ...
Blended analysis for JavaScript: a practical framework to analyze dynamic features
SPLASH '12: Proceedings of the 3rd annual conference on Systems, programming, and applications: software for humanityThe inherent dynamism of JavaScript (e.g., runtime code generation, prototyping, and function variadicity) renders static analyses inadequate. To address this shortcoming, we analyze JavaScript programs by means of blended analysis, a technique ...







Comments