Presentation is loading. Please wait.

Presentation is loading. Please wait.

Challenges in Pointer Analysis of JavaScript

Published byHilary Foster Modified over 6 years ago

Similar presentations

Presentation on theme: "Challenges in Pointer Analysis of JavaScript"— Presentation transcript:

1 Challenges in Pointer Analysis of JavaScript
Ben Livshits MSR

2 JavaScript leads the pack as most popular programming language
Area man says: JavaScript leads the pack as most popular programming language

3 Two Issues in JavaScript Pointer Analysis

4 1is distributed Gulfstream
JavaScript programs on the web are streaming Fully static analysis pointer analysis is not possible, calling for a hybrid approach Setting: analyzing pages before they reach the browser

5 2is distributed Use analysis
JavaScript programs interop with a set of reach APIs such as the DOM We need to understand these APIs for analysis to be useful Setting: analyzing Win8 apps written in JavaScript

6 Gulfstream Staged Static Analysis for Streaming JavaScript Applications, Salvatore Guarnieri, Ben Livshits, WebApps 2009

7 Whole program analysis?
What whole program?

8

9 JavaScript programs are streaming
You might be wondering how one does this

10 Facebook Code Exploration

11 OWA Code Exploration

12 Script Creation What does f refer to?
<HTML> <HEAD> <SCRIPT> function foo(){...} var f = foo; </SCRIPT> function bar(){...} if (...) f = bar; </HEAD> <BODY onclick="f();"> ...</BODY> </HTML> What does f refer to? Tell call graph story

13 Plan Server Client Pre-compute pointer information offline, for most of the program Optionally update server knowledge as more code is observed When more code is discovered, do analysis of it Combine the incremental results with pre-computed results

14 Gulfstream In Action Is it faster to Offline Online
Is it faster to transfer pre-computed results + add incremental results Compute everything from scratch Proceeds in 2 stages Offline is done on server Online is done in the browser Checking a safety property Offline Online

15 Simulated Devices For each device we have relative CPU speed, and network parameters. It is these parameters that allow us to compare the effectiveness of gulfstream on different devices

16 Try Different Configurations
Slow devices benefit from Gulfstream A slow network can negate the benefits of the staged analysis Large page updates don’t benefit from Gulfstream “+” means that staged incremental analysis is advantageous compared to full analysis on the client.

17 Gulfstream Savings: Fast Devices
10 seconds saved Savings were as much as 10 seconds

18 Gulfstream Savings: Slow Devices

19 Laptop Running Time Comparison
Break even point: After 30KB of updates, incremental Gulfstream is no longer faster Explain static base page first call out colors

20 Conclusion Gulfstream, staged analysis for JavaScript WebApps 2010
Offline on the server Online in the browser Wide range of experiments For small updates, Gulfstream is faster Devices with slow CPU benefit most

21 Pointer Analysis and Use Analysis

22 Use Analysis Practical Static Analysis of JavaScript Applications
in the Presence of Frameworks and Libraries, Madsen, Livshits, Fanning, in submission, 2013

23 Motivation: Win8 App Store
Native C/C++ apps .NET aps JavaScript/HTML apps

24 Win8 & Web Applications Windows 8 App Web App Builtin Builtin DOM DOM
WinJS WinJS Win8 Win8 Builtin Builtin DOM DOM jQuery jQuery

25 Practical Applications
Call graph discovery API surface discovery Capability analysis Auto-complete Concrete type inference Runtime optimizations

26 Practical Applications
Call graph discovery API surface discovery Capability analysis Auto-complete Concrete type inference Runtime optimizations Windows.Devices.Sensors Windows.Devices.Sms Windows.Media.Capture Windows.Networking.Sockets

27 Practical Applications
Call graph discovery API surface discovery Capability analysis Auto-complete Concrete type inference Runtime optimizations

28 Practical Applications
Call graph discovery API surface discovery Capability analysis Auto-complete Concrete type inference Runtime optimizations

29 Practical Applications
Call graph discovery API surface discovery Capability analysis Auto-complete Concrete type inference Runtime optimizations

30 Practical Applications
Call graph discovery API surface discovery Capability analysis Auto-complete Concrete type inference Runtime optimizations str int ref ref memory layout

31 Canvas Dilemma var canvas = document.querySelector("#leftcol .logo"); var context = canvas.getContext("2d"); context.fillRect(20, 20, c.width / 2, c.height / 2); context.strokeRect(0, 0, c.width, c. height); model querySelector as returning a reference to HTMLElement:prototype However, HTMLElement:prototype does not define getContext, so getContext remains unresolved Model querySelector as returning any HTML element within underlying page Returns elements on which getContext is undefined

32 Introducing Use Analysis
elm flows into playVideo elm flows into reset elm must have: muted and play elm must have: pause

33 Pointer vs. Use Analysis
Pointer analysis deals with “concrete” facts Facts we can observe variables declared in the program allocation sites

34 Pointer vs. Use Analysis
Use analysis deals with the “invisible” part of the heap It can exist entirely outside the JavaScript heap Constraints flows from callers to callees

35 Promises driveUtil.uploadFilesAsync( server.imagesFolderId). then( function (results) {...} )) analysis correctly maps then to WinJS:Promise:prototype.then

36 Local Storage var json = Windows.Storage. ApplicationData.current. localSettings.values[key]; correctly resolves localSettings to an instance of Windows:Storage:ApplicationDataContainer

37 Benchmarks 25 Windows 8 Apps: Average 1,587 lines of code
Approx. 30,000 lines of stubs Average ~1.500 lines of code compared to almost ~ lines of library stubs.

38 Evaluation: Summary The technique improves call graph resolution
Unification is both effective and precise The technique improves auto-completion compared to what is found in four widely used IDEs Analysis completes in a reasonable amount of time

39 Call Graph Resolution Baseline Partial
Median baseline resolution is 71.5% Baseline Median partial resolution is 81.5% Partial

40 Validating Results Incomplete is # of call sites which are sound, but have some spurious targets (i.e. imprecision is present) Unsound is the number of call sites for which some call targets are missing (i.e. the set of targets is too small ) Stubs is the number of call sites which were unresolved due to missing or faulty stubs.

41 Auto-complete We compared our technique to the auto-complete in four popular IDEs: Eclipse for JavaScript developers IntelliJ IDEA Visual Studio 2010 Visual Studio 2012 In all cases, where libraries were involved, our technique was an improvement

42 Auto-complete

43 Running Times All benchmarks complete within 22.0 sec
Median runtime for partial is 10.5 sec Analysis is not incremental – room for improvement

44 Conclusion We have presented a technique for handling large and complex libraries in static analysis of JavaScript applications It is based on pointer analysis and use analysis It is implemented declaratively in Datalog It exists in two flavors: partial and full inference We have evaluated our technique on 25 Windows 8 applications Call graph resolution is improved Running time is reasonable We improve on auto-complete compared to four widely available JavaScript IDEs We have shown a variety of practical applications

45 Two Issues in JavaScript Pointer Analysis
Gulfstream JSCap JavaScript programs on the web are streaming Fully static analysis pointer analysis is not possible, calling for a hybrid approach Setting: analyzing pages before they reach the browser JavaScript programs interop with a set of reach APIs such as the DOM We need to understand these APIs for analysis to be useful Setting: analyzing Win8 apps written in JavaScript

Download ppt "Challenges in Pointer Analysis of JavaScript"

Similar presentations

Introducing JavaScript

Introducing JavaScript
My first computer: The Apple ][ It wanted to be programmed.

My first computer: The Apple ][ It wanted to be programmed.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Web Server Programming

Web Server Programming
1 / 28 Modeling the HTML DOM and Browser API in Static Analysis of JavaScript Web Applications ESEC/FSE 2011 Anders Møller, Magnus Madsen and Simon Holm.

1 / 28 Modeling the HTML DOM and Browser API in Static Analysis of JavaScript Web Applications ESEC/FSE 2011 Anders Møller, Magnus Madsen and Simon Holm.
Run time vs. Compile time

Run time vs. Compile time
Staged Information Flow for JavaScript Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner UC San Diego.

Staged Information Flow for JavaScript Ravi Chugh, Jeff Meister, Ranjit Jhala, Sorin Lerner UC San Diego.
V1.00 © 2009 Research In Motion Limited Introduction to Mobile Device Web Development Trainer name Date.

V1.00 © 2009 Research In Motion Limited Introduction to Mobile Device Web Development Trainer name Date.
Development of mobile applications using PhoneGap and HTML 5

Development of mobile applications using PhoneGap and HTML 5
1 Using jQuery JavaScript & jQuery the missing manual (Second Edition)

1 Using jQuery JavaScript & jQuery the missing manual (Second Edition)
Automatic Mediation Of Privacy-sensitive Resource Access In Smartphone Applications Ben Livshits and Jaeyeon Jung Microsoft Research.

Automatic Mediation Of Privacy-sensitive Resource Access In Smartphone Applications Ben Livshits and Jaeyeon Jung Microsoft Research.
Social Media Apps Programming Min-Yuh Day, Ph.D. Assistant Professor Department of Information Management Tamkang University

Social Media Apps Programming Min-Yuh Day, Ph.D. Assistant Professor Department of Information Management Tamkang University
Object Oriented Databases by Adam Stevenson. Object Databases Became commercially popular in mid 1990’s Became commercially popular in mid 1990’s You.

Object Oriented Databases by Adam Stevenson. Object Databases Became commercially popular in mid 1990’s Became commercially popular in mid 1990’s You.
Microsoft Visual Basic 2012 CHAPTER ONE Introduction to Visual Basic 2012 Programming.

Microsoft Visual Basic 2012 CHAPTER ONE Introduction to Visual Basic 2012 Programming.
DHTML. What is DHTML?  DHTML is the combination of several built-in browser features in fourth generation browsers that enable a web page to be more.

DHTML. What is DHTML?  DHTML is the combination of several built-in browser features in fourth generation browsers that enable a web page to be more.
Gulfstream Salvatore Guarnieri University of Washington Ben Livshits Microsoft Research Staged Static Analysis for Streaming JavaScript Applications.

Gulfstream Salvatore Guarnieri University of Washington Ben Livshits Microsoft Research Staged Static Analysis for Streaming JavaScript Applications.
Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.

Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.
Angelo Chan Kamran Bilgrami. Agenda ● WinJS - What and Why ● Modern Apps ● WinRT Architecture ● Demos o Controls o Data Bindings o Program LifeCycle Management.

Angelo Chan Kamran Bilgrami. Agenda ● WinJS - What and Why ● Modern Apps ● WinRT Architecture ● Demos o Controls o Data Bindings o Program LifeCycle Management.
Test Of Distributed Data Quality Monitoring Of CMS Tracker Dataset H->ZZ->2e2mu with PileUp - 10,000 events ( ~ 50,000 hits for events) The monitoring.

Test Of Distributed Data Quality Monitoring Of CMS Tracker Dataset H->ZZ->2e2mu with PileUp - 10,000 events ( ~ 50,000 hits for events) The monitoring.

Similar presentations

Ads by Google