Statically locating web application bugs caused by asynchronous calls

Published: 28 March 2011

Abstract

Ajax is increasingly important for web applications that care about client-side user experience. It allows requests to be sent asynchronously, without blocking the client from continuing execution; callback functions are executed only when the responses arrive. While this mechanism makes browsing a smooth experience, it can cause severe problems under unexpected network latency, because asynchronous execution is non-deterministic. In this paper, we demonstrate the problems that asynchrony can cause and propose a static program analysis that automatically detects such bugs in web applications. Because client-side Ajax code is often embedded in server-side scripts, we also develop a technique that extracts client-side JavaScript code from server-side scripts. We evaluate our technique on a number of real-world web applications, and our results show that it effectively identifies real bugs. We also discuss ways to avoid such bugs.
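The abstract describes the bug class in one sentence: code that reads state a callback will set, as if the request had completed synchronously, so the outcome depends on response timing. The following JavaScript is an added illustration written for this page; it is not code from the paper or its authors. It models an Ajax request deterministically (a constructed `FakeAjax` class whose `flush()` stands in for the browser event loop), runs a buggy loader and a fixed loader under a "cache hit" and a "slow network" regime, and finishes with a toy static check over a hand-written statement list. The class and function names, the sample response table and the statement lists are all constructed, and the static check is a deliberate simplification for illustration, not the analysis the paper proposes.

```javascript
// Added example (not from the paper): a deterministic model of an Ajax
// request that reproduces the ordering bug described in the abstract, plus a
// toy static check over a hand-written statement list. Every name and all
// sample data here are constructed for illustration.

// Minimal stand-in for an XMLHttpRequest. With latencyMs === 0 the response is
// delivered before get() returns (like a cache hit); otherwise it is queued
// until flush(), which plays the role of the browser event loop.
class FakeAjax {
  constructor(latencyMs, responses) {
    this.latencyMs = latencyMs;
    this.responses = responses; // constructed url -> payload table
    this.pending = [];
  }
  get(url, onSuccess) {
    const payload = this.responses[url];
    if (this.latencyMs === 0) onSuccess(payload);
    else this.pending.push(() => onSuccess(payload));
  }
  flush() {
    const queued = this.pending;
    this.pending = [];
    for (const cb of queued) cb();
  }
}

const SAMPLE_RESPONSES = { '/api/items': ['a', 'b', 'c'] }; // constructed

// Buggy pattern: state written by the callback is read immediately after the
// request is issued, as though the call were synchronous. What gets rendered
// therefore depends on whether the response has arrived yet.
function buggyLoadItems(ajax) {
  const view = { rendered: null };
  let items = null;
  ajax.get('/api/items', (resp) => { items = resp; });
  view.rendered = items === null ? 'no items' : `${items.length} items`;
  return view;
}

// Fixed pattern: everything that depends on the response lives in the
// callback, so the result is the same regardless of latency.
function fixedLoadItems(ajax) {
  const view = { rendered: null };
  ajax.get('/api/items', (resp) => { view.rendered = `${resp.length} items`; });
  return view;
}

// Run one loader under both latency regimes and report whether its output is
// timing-dependent; that non-determinism is the symptom the abstract warns of.
function isTimingDependent(loader) {
  const fast = loader(new FakeAjax(0, SAMPLE_RESPONSES));
  const slowAjax = new FakeAjax(100, SAMPLE_RESPONSES);
  const slow = loader(slowAjax);
  slowAjax.flush(); // the response arrives "later"
  return fast.rendered !== slow.rendered;
}

// Toy static check (a simplification for this example, not the paper's
// analysis): over a flat statement list, flag any read outside a callback of
// a variable that an earlier asynchronous call's callback writes. Statements
// are {line, kind: 'asyncCall'|'read', ...}; returns the flagged line numbers.
function findAsyncUseBeforeDefine(stmts) {
  const writtenInCallback = new Set();
  const suspicious = [];
  for (const s of stmts) {
    if (s.kind === 'asyncCall') {
      for (const v of s.callbackWrites) writtenInCallback.add(v);
    } else if (s.kind === 'read' && !s.inCallback && writtenInCallback.has(s.variable)) {
      suspicious.push(s.line);
    }
  }
  return suspicious;
}

// Hand-written statement lists mirroring the two loaders above (constructed).
const BUGGY_IR = [
  { line: 3, kind: 'asyncCall', callbackWrites: ['items'] },
  { line: 4, kind: 'read', variable: 'items', inCallback: false },
];
const FIXED_IR = [
  { line: 3, kind: 'asyncCall', callbackWrites: ['view.rendered'] },
  { line: 3, kind: 'read', variable: 'resp', inCallback: true },
];

console.log('buggy loader timing-dependent:', isTimingDependent(buggyLoadItems)); // true
console.log('fixed loader timing-dependent:', isTimingDependent(fixedLoadItems)); // false
console.log('static check, buggy IR:', findAsyncUseBeforeDefine(BUGGY_IR));       // [4]
console.log('static check, fixed IR:', findAsyncUseBeforeDefine(FIXED_IR));       // []
```

The dynamic half shows why such bugs escape testing: on a fast connection (or a cached response) the buggy loader renders correctly, and only the slow regime exposes the wrong output. The static half shows the shape of a check that does not need the slow run at all, at the cost of false positives where the read is guarded by an explicit synchronisation the toy IR cannot express.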

Published In

WWW '11: Proceedings of the 20th International Conference on World Wide Web
March 2011, 840 pages
ISBN: 9781450306324
DOI: 10.1145/1963405
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. ajax
  2. automatic debugging
  3. javascript
  4. static analysis

Qualifiers

  • Research-article

Conference

WWW '11
WWW '11: 20th International World Wide Web Conference
March 28 - April 1, 2011
Hyderabad, India

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Article Metrics

  • Downloads (Last 12 months)18
  • Downloads (Last 6 weeks)4
Reflects downloads up to 30 Jan 2025

Cited By

  • ReactAppScan: Mining React Application Vulnerabilities via Component Graph. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 585-599. DOI: 10.1145/3658644.3670331. Published 2 Dec 2024.
  • NodeRT: Detecting Races in Node.js Applications Practically. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 1332-1344. DOI: 10.1145/3597926.3598139. Published 12 Jul 2023.
  • Learning How to Listen: Automatically Finding Bug Patterns in Event-Driven JavaScript APIs. IEEE Transactions on Software Engineering 49(1), pp. 166-184. DOI: 10.1109/TSE.2022.3147975. Published 1 Jan 2023.
  • Race Detection for Event-Driven Node.js Applications. 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 480-491. DOI: 10.1109/ASE51524.2021.9678814. Published Nov 2021.
  • NodeRacer: Event Race Detection for Node.js Applications. 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST), pp. 120-130. DOI: 10.1109/ICST46399.2020.00022. Published Oct 2020.
  • Reasoning about the Node.js event loop using async graphs. Proceedings of the 2019 IEEE/ACM International Symposium on Code Generation and Optimization, pp. 61-72. DOI: 10.5555/3314872.3314882. Published 16 Feb 2019.
  • Reverb. Proceedings of the ACM Symposium on Cloud Computing, pp. 428-440. DOI: 10.1145/3357223.3362733. Published 20 Nov 2019.
  • Reasoning about the Node.js Event Loop using Async Graphs. 2019 IEEE/ACM International Symposium on Code Generation and Optimization (CGO), pp. 61-72. DOI: 10.1109/CGO.2019.8661173. Published Feb 2019.
  • Finding broken promises in asynchronous JavaScript programs. Proceedings of the ACM on Programming Languages 2(OOPSLA), pp. 1-26. DOI: 10.1145/3276532. Published 24 Oct 2018.
  • A Study of Concurrency Bugs and Advanced Development Support for Actor-based Programs. Programming with Actors, pp. 155-185. DOI: 10.1007/978-3-030-00302-9_6. Published 7 Sep 2018.
