research-article

Race detection for web applications

Published: 11 June 2012

Abstract

Modern web pages are becoming increasingly full-featured, and this additional functionality often requires greater use of asynchrony. Unfortunately, this asynchrony can trigger unexpected concurrency errors, even though web page scripts are executed sequentially.

We present the first formulation of a happens-before relation for common web platform features. Developing this relation was a non-trivial task, due to complex feature interactions and browser differences. We also present a logical memory access model for web applications that abstracts away browser implementation details.

Based on the above, we implemented WebRacer, the first dynamic race detector for web applications. WebRacer is implemented atop the production-quality WebKit engine, enabling testing of full-featured web sites. WebRacer can also simulate certain user actions, exposing more races.

We evaluated WebRacer by testing a large set of Fortune 100 company web sites. We discovered many harmful races, and also gained insights into how developers handle asynchrony in practice.
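
A minimal sketch of happens-before race detection over a page's operations, added here as an illustration; it is not WebRacer's code. The trace, the operation and location names, and the ordering edges are constructed assumptions, not the paper's rule set.

```javascript
// Constructed trace: each operation runs atomically (scripts are sequential),
// but operations with no happens-before path between them may run in either order.
// `hb` lists the operations assumed to be ordered before this one.
const trace = [
  { id: "parse:script1", hb: [], accesses: [{ loc: "var:ready", kind: "write" }] },
  { id: "timer:cb", hb: ["parse:script1"], accesses: [{ loc: "dom:#panel", kind: "read" }] },
  { id: "parse:div#panel", hb: ["parse:script1"], accesses: [{ loc: "dom:#panel", kind: "write" }] },
  { id: "event:load", hb: ["parse:div#panel"],
    accesses: [{ loc: "dom:#panel", kind: "read" }, { loc: "var:ready", kind: "read" }] },
];

// Transitive closure of the hb edges: id -> set of all operations ordered before it.
function ancestors(ops) {
  const byId = new Map(ops.map((op) => [op.id, op]));
  const memo = new Map();
  const visit = (id) => {
    if (memo.has(id)) return memo.get(id);
    const set = new Set();
    memo.set(id, set);
    for (const p of byId.get(id).hb) {
      set.add(p);
      for (const a of visit(p)) set.add(a);
    }
    return set;
  };
  ops.forEach((op) => visit(op.id));
  return memo;
}

// A race: two unordered operations touch the same logical location, at least one writing.
function findRaces(ops) {
  const before = ancestors(ops);
  const ordered = (a, b) => before.get(b).has(a) || before.get(a).has(b);
  const races = [];
  for (let i = 0; i < ops.length; i++) {
    for (let j = i + 1; j < ops.length; j++) {
      if (ordered(ops[i].id, ops[j].id)) continue;
      for (const x of ops[i].accesses) {
        for (const y of ops[j].accesses) {
          if (x.loc === y.loc && (x.kind === "write" || y.kind === "write")) {
            races.push({ loc: x.loc, ops: [ops[i].id, ops[j].id] });
          }
        }
      }
    }
  }
  return races;
}

console.log(findRaces(trace));
```

The timer callback and the parsing of the element are both ordered after the script but not relative to each other, so the read of the element races with its creation; the load handler is ordered after the element and is not reported.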


Published in

ACM SIGPLAN Notices, Volume 47, Issue 6
PLDI '12
June 2012
534 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2345156

PLDI '12: Proceedings of the 33rd ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2012
572 pages
ISBN: 9781450312059
DOI: 10.1145/2254064

Copyright © 2012 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
