research-article

Static analysis of event-driven Node.js JavaScript applications

Published: 23 October 2015

Abstract

Many JavaScript programs are written in an event-driven style. In particular, in server-side Node.js applications, operations involving sockets, streams, and files are typically performed in an asynchronous manner, where the execution of listeners is triggered by events. Several types of programming errors are specific to such event-based programs (e.g., unhandled events, and listeners that are registered too late). We present the event-based call graph, a program representation that can be used to detect bugs related to event handling. We have designed and implemented three analyses for constructing event-based call graphs. Our results show that these analyses are capable of detecting problems reported on StackOverflow. Moreover, we show that the number of false positives reported by the analysis on a suite of small Node.js applications is manageable.


Published in

ACM SIGPLAN Notices, Volume 50, Issue 10
OOPSLA '15
October 2015
953 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2858965
Editor: Andy Gill

OOPSLA 2015: Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications
October 2015
953 pages
ISBN: 9781450336895
DOI: 10.1145/2814270

Copyright © 2015 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
