skip to main content
10.1145/2814270.2814272acmconferencesArticle/Chapter ViewAbstractPublication PagessplashConference Proceedingsconference-collections
research-article

Static analysis of event-driven Node.js JavaScript applications

Published: 23 October 2015 Publication History

Abstract

Many JavaScript programs are written in an event-driven style. In particular, in server-side Node.js applications, operations involving sockets, streams, and files are typically performed in an asynchronous manner, where the execution of listeners is triggered by events. Several types of programming errors are specific to such event-based programs (e.g., unhandled events, and listeners that are registered too late). We present the event-based call graph, a program representation that can be used to detect bugs related to event handling. We have designed and implemented three analyses for constructing event-based call graphs. Our results show that these analyses are capable of detecting problems reported on StackOverflow. Moreover, we show that the number of false positives reported by the analysis on a suite of small Node.js applications is manageable.

References

[1]
E. Andreasen and A. Møller. Determinacy in Static Analysis for jQuery. In Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), 2014.
[2]
S. Artzi, J. Dolby, S. H. Jensen, A. Møller, and F. Tip. A Framework for Automated Testing of JavaScript Web Applications. In Proc. 33rd International Conference on Software Engineering (ICSE), 2011.
[3]
S. Artzi, J. Dolby, F. Tip, and M. Pistoia. Fault Localization for Dynamic Web Applications. In IEEE Transactions on Software Engineering, 2012.
[4]
M. Cantelon, M. Harter, T. Holowaychuk, and N. Rajlich. Node.js in Action. Manning Publications, 2014.
[5]
R. Dahl. Node.js online documentation, 2014.
[6]
A. Feldthaus and A. Møller. Semi-Automatic Rename Refactoring for JavaScript. In Proc. ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), 2013.
[7]
A. Feldthaus, T. Millstein, A. Møller, M. Schäfer, and F. Tip. Tool-supported Refactoring for JavaScript. In Proc. ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), 2011.
[8]
M. Felleisen, R. B. Findler, and M. Flatt. Semantics Engineering with PLT Redex. The MIT Press, 2009.
[9]
S. Guarnieri and B. Livshits. GateKeeper: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. In Proceedings of the Usenix Security Symposium, 2009.
[10]
A. Guha, C. Saftoiu, and S. Krishnamurthi. The Essence of JavaScript. In Proc. 24th European Conference on Objectoriented Programming (ECOOP), 2010.
[11]
S. Hong, Y. Park, and M. Kim. Detecting Concurrency Errors in Client-Side JavaScript Web Applications. In Proc. of 17th International Conference on Software Testing, Verification and Validation (ICST), 2014.
[12]
S. H. Jensen, A. Møller, and P. Thiemann. Type Analysis for JavaScript. In Proc. 16th International Static Analysis Symposium (SAS), 2009.
[13]
S. H. Jensen, M. Madsen, and A. Møller. Modeling the HTML DOM and Browser API in Static Analysis of JavaScript Web Applications. In Proc. 8th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE), 2011.
[14]
S. H. Jensen, P. Jonsson, and A. Møller. Remedying the Eval That Men Do. In Proc. International Symposium on Software Testing and Analysis (ISSTA), 2012.
[15]
R. Jhala and R. Majumdar. Interprocedural Analysis of Asynchronous Programs. In Proc. 34th Symposium on Principles of Programming Languages (POPL), 2007.
[16]
J. B. Kam and J. D. Ullman. Monotone Data Flow Analysis Frameworks. Acta Informatica, 1977.
[17]
V. Kashyap, J. Sarracino, J. Wagner, B. Wiedermann, and B. Hardekopf. Type Refinement for Static Analysis of JavaScript. In Proc. 9th Symposium on Dynamic Languages, 2013.
[18]
V. Kashyap, K. Dewey, E. Kuefner, J. Wagner, K. Gibbons, J. Sarracino, B. Wiedermann, and B. Hardekopf. JSAI: A Static Analysis Platform for JavaScript. In Proc. 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE), 2014.
[19]
B. S. Lerner, M. J. Carroll, D. P. Kimmel, H. Q.-D. L. Vallee, and S. Krishnamurthi. Modeling and reasoning about dom events. In Proc. 3rd USENIX Conference on Web Application Development, 2012.
[20]
M. Lutz. Learning Python. O’Reilly, 5 edition, 2013.
[21]
M. Madsen and E. Andreasen. String Analysis for Dynamic Field Access. In Proc. 23rd International Conference on Compiler Construction (CC), 2014.
[22]
M. Madsen and A. Møller. Sparse Dataflow Analysis with Pointers and Reachability. In Proc. 21st International Static Analysis Symposium (SAS), 2014.
[23]
M. Madsen, B. Livshits, and M. Fanning. Practical Static Analysis of JavaScript Applications in the Presence of Frameworks and Libraries. In Proc. European Software Engineering Conference and the Symposium on the Foundations of Software Engineering (ESEC/FSE), 2013.
[24]
L. Mauborgne and X. Rival. Trace Partitioning in Abstract Interpretation based Static Analyzers. In Proc. 14th European Symposium on Programming (ESOP), 2005.
[25]
F. Meawad, G. Richards, F. Morandat, and J. Vitek. Eval Begone!: Semi-automated Removal of Eval from JavaScript Programs. In Proc. ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), 2012.
[26]
A. Møller and M. Schwarz. Automated Detection of Client-State Manipulation Vulnerabilities. Transactions on Software Engineering and Methodology, 2014.
[27]
E. Mutlu, S. Tasiran, and B. Livshits. I Know It When I See It: Observable Races in JavaScript Applications. In 8th Workshop on Dynamic Languages and Applications., 2014.
[28]
B. Petrov, M. Vechev, M. Sridharan, and J. Dolby. Race Detection for Web Applications. In Proc. 33rd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2012.
[29]
V. Raychev, M. Vechev, and M. Sridharan. Effective Race Detection for Event-driven Programs. In Proc. of 27th European Conference on Object-oriented Programming (ECOOP), 2013.
[30]
T. Reps, S. Horwitz, and M. Sagiv. Precise Interprocedural Dataflow Analysis via Graph Reachability. In Proc. 22nd Symposium on Principles of Programming Languages (POPL), 1995.
[31]
M. Schaefer, M. Sridharan, J. Dolby, and F. Tip. Effective Smart Completion for JavaScript. Technical Report RC25359, IBM Research, 2013.
[32]
D. Thomas, A. Hunt, and C. Fowler. Programming Ruby 1.9 & 2.0: The Pragmatic Programmer’’s Guide. Pragmatic Bookshelf, 4 edition, 2013.
[33]
O. Tripp, M. Pistoia, P. Cousot, R. Cousot, and S. Guarnieri. Andromeda: Accurate and Scalable Security Analysis of Web Applications. In Proc. 16th International Conference on Fundamental Approaches to Software Engineering (FASE), 2013.
[34]
Y. Zheng, T. Bao, and X. Zhang. Statically Locating Web Application Bugs Caused by Asynchronous Calls. In Proc. 20th International Conference on World Wide Web, 2011.
[35]
Introduction Motivating Examples StackOverflow Question 19167407 StackOverflow Question 19081270 Limitations of Current Static Analyses Language Design Choices Syntax of _ Runtime of _ Semantics of _ Other Event Features Beyond Call Graphs Event-Based Call Graphs Bug Finding Analysis Framework Evaluation Implementation Research Questions Q1: Finding and Understanding Bugs Q2: Precision and Performance Discussion JavaScript in the Browser Environment Other Languages Related Work Conclusion

Cited By

View all
  • (2024)ReactAppScan: Mining React Application Vulnerabilities via Component GraphProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670331(585-599)Online publication date: 2-Dec-2024
  • (2024)Efficient Auditing of Event-driven Web ApplicationsProceedings of the Nineteenth European Conference on Computer Systems10.1145/3627703.3650089(1208-1224)Online publication date: 22-Apr-2024
  • (2024)(In)Security of File Uploads in Node.jsProceedings of the ACM Web Conference 202410.1145/3589334.3645342(1573-1584)Online publication date: 13-May-2024
  • Show More Cited By

Index Terms

  1. Static analysis of event-driven Node.js JavaScript applications

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    OOPSLA 2015: Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications
    October 2015
    953 pages
    ISBN:9781450336895
    DOI:10.1145/2814270
    • cover image ACM SIGPLAN Notices
      ACM SIGPLAN Notices  Volume 50, Issue 10
      OOPSLA '15
      October 2015
      953 pages
      ISSN:0362-1340
      EISSN:1558-1160
      DOI:10.1145/2858965
      • Editor:
      • Andy Gill
      Issue’s Table of Contents
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 23 October 2015

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. JavaScript
    2. event-based systems
    3. static analysis

    Qualifiers

    • Research-article

    Conference

    SPLASH '15
    Sponsor:

    Acceptance Rates

    Overall Acceptance Rate 268 of 1,244 submissions, 22%

    Upcoming Conference

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)87
    • Downloads (Last 6 weeks)8
    Reflects downloads up to 30 Jan 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2024)ReactAppScan: Mining React Application Vulnerabilities via Component GraphProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670331(585-599)Online publication date: 2-Dec-2024
    • (2024)Efficient Auditing of Event-driven Web ApplicationsProceedings of the Nineteenth European Conference on Computer Systems10.1145/3627703.3650089(1208-1224)Online publication date: 22-Apr-2024
    • (2024)(In)Security of File Uploads in Node.jsProceedings of the ACM Web Conference 202410.1145/3589334.3645342(1573-1584)Online publication date: 13-May-2024
    • (2023)ARGUSProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620628(6983-7000)Online publication date: 9-Aug-2023
    • (2023)Silent springProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620546(5521-5538)Online publication date: 9-Aug-2023
    • (2023)Code Coverage Criteria for Asynchronous ProgramsProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616292(1307-1319)Online publication date: 30-Nov-2023
    • (2023)Learning How to Listen: Automatically Finding Bug Patterns in Event-Driven JavaScript APIsIEEE Transactions on Software Engineering10.1109/TSE.2022.314797549:1(166-184)Online publication date: 1-Jan-2023
    • (2022)Characterizing and detecting bugs in WeChat mini-programsProceedings of the 44th International Conference on Software Engineering10.1145/3510003.3510114(363-375)Online publication date: 21-May-2022
    • (2022)DrAsyncProceedings of the 44th International Conference on Software Engineering10.1145/3510003.3510097(774-785)Online publication date: 21-May-2022
    • (2021)Modular call graph construction for security scanning of Node.js applicationsProceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3460319.3464836(29-41)Online publication date: 11-Jul-2021
    • Show More Cited By

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media