TypeDevil: Dynamic Type Inconsistency Analysis for JavaScript

Size: px

Start display at page:

Download "TypeDevil: Dynamic Type Inconsistency Analysis for JavaScript"

Clifton Quentin Carson
6 years ago
Views:

1 TypeDevil: Dynamic Type Inconsistency Analysis for JavaScript Michael Pradel 1, Parker Schuh 2, Koushik Sen 2 1 TU Darmstadt, 2 UC Berkeley 1

2 Motivation JavaScript: Dynamic and permissive Problems remain unnoticed Purely static analysis is limited 2

3 Motivation JavaScript: Dynamic and permissive Problems remain unnoticed Purely static analysis is limited This talk: Mostly dynamic analysis to find otherwise missed errors 2

4 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 3

5 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 3

6 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 3

7 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 3

8 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 3

9 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; Incorrect behavior, but no obvious sign of misbehavior addwrapped({v:23); // 23 addwrapped({v:20, new Wrapper(3)); // 23 addwrapped({v:"18", new Wrapper(5)); // "185" 3

10 Observations 1) Most code follows implicit type rules A single type per variable A single type per object property Functions have fixed signatures 2) Many bugs are violations of these rules 4

11 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 5

12 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); x.v has types number and string 5

13 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); Returns both number and string 5

14 This Talk: TypeDevil Find inconsistent types of local variables properties of objects function signatures Challenges: No static type information No nominal types Intended polymorphism 6

15 Overview JavaScript program Gather type observations Summarize observations into type graph Find, merge, and filter inconsistencies Warnings about inconsistent types 7

16 Types Type = Primitive type or record type Property names Sets of types Record types represent: Object types Array types Function types this and return as properties Frame types Local variables as properties 8

17 Gather Type Observations One type per allocation site and function definition site Store unique name as shadow value Gather type observations through dynamic analysis Observation = (base, property, type) 9

18 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 10

19 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); object1 has property v of type number 10

20 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); addwrapped has local variable y of type undefined 10

21 Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); function addwrapped returns number 10

22 Type Graph Nodes = type, edges = properties number string undefined object1 v object2 v object3 v object4 v object5 v locals of addwrapped x y 11

23 Condensed Type Graph Summarize graph by merging equivalent types number string undefined object1235 v object4 v locals of addwrapped x y 12

24 Reporting Inconsistencies Report nodes with multiple outgoing edges for the same property 13

25 Reporting Inconsistencies Report nodes with multiple outgoing edges for the same property number string undefined object1235 v object4 v locals of addwrapped x y 13

26 Inconsistencies: Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 14

27 Inconsistencies: Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); x.v has types number and string 14

28 Inconsistencies: Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); y has types object and undefined 14

29 Prune and Merge Warnings Prune likely false positives: Via belief analysis By degree of inconsistency By size of type diff Structural subtypes null-related Merge warnings with same root cause: By dataflow relations By type diff By array type 15

30 Prune and Merge Warnings Prune likely false positives: Via belief analysis By degree of inconsistency By size of type diff Structural subtypes null-related Merge warnings with same root cause: By dataflow relations By type diff By array type 15

31 Prune via Belief Analysis Problem: Intended polymorphism 16

32 Prune via Belief Analysis Problem: Intended polymorphism function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); Code from Octane s crypto benchmark 16

33 Prune via Belief Analysis Problem: Intended polymorphism Naive approach: Warnings about inconsistent argument types function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); Code from Octane s crypto benchmark 16

34 Prune via Belief Analysis Approach: Infer programmer beliefs from code Omit warnings about expected types 16

35 Prune via Belief Analysis Approach: Infer programmer beliefs from code Omit warnings about expected types function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); Code from Octane s crypto benchmark 16

36 Prune via Belief Analysis Approach: Infer programmer beliefs from code Omit warnings about expected types function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); a may be undefined or null Code from Octane s crypto benchmark 16

37 Prune via Belief Analysis Approach: Infer programmer beliefs from code Omit warnings about expected types function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); a may be number Code from Octane s crypto benchmark 16

38 Prune via Belief Analysis Approach: Infer programmer beliefs from code Omit warnings about expected types function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); Code from Octane s crypto benchmark Refined approach: No warning 16

39 Merge by Dataflow Relations Problem: Multiple references may refer to a single value 17

40 Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); 17

41 Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); Variable x 17

42 Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); Variable a 17

43 Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); g s return value 17

44 Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); f s return value 17

45 Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); Variable x f s return value Variable a g s return value Naive approach: 4 warnings 17

46 Merge by Dataflow Relations Approach: Approximate dataflow via call graph Merge warnings that may refer to the same value 17

47 Merge by Dataflow Relations Approach: Approximate dataflow via call graph Merge warnings that may refer to the same value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); Variable x f s return value Variable a g s return value 17

48 Merge by Dataflow Relations Approach: Approximate dataflow via call graph Merge warnings that may refer to the same value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); Refined approach: 1 warning 17

49 Implementation Instrumentation-based implementation on top of Jalangi * Hooks into execution Browser + node.js Firefox.js instrumented.js Jalangi * Sen et al.,

50 Evaluation Setup: Sunspider, Octane, and 7 web apps Main results: Finds relevant problems: 33 warnings, 15 are relevant Pruning and merging is crucial: 578 warnings 33 warnings 19

51 Example SunSpider s regexp-dna: var dnaoutputstr; for (i in seqs) { dnaoutputstr += seqs[i].source; 20

52 Example SunSpider s regexp-dna: var dnaoutputstr; for (i in seqs) { dnaoutputstr += seqs[i].source; string and undefined Problem: Incorrect string value undefinedgtagg... 20

53 Other Problems Correctness problems Crash when dereferencing undefined Performance problems Arrays with holes Dangerous coding practices Variable string sometimes holds a number 21

54 Related Work Type inference and checking Thiemann 2005, Jensen 2009, Guha 2011, Heidegger 2010 Many false positives Type inference by JIT compilers Logozzo 2010, Hackett 2012, Rastogi 2012 Speculative optimizations Type annotations TypeScript Manual effort 22

55 Conclusion Find inconsistent types in JavaScript: Observe types and summarize them into type graph Deal with intended polymorphism Dynamic analysis: Powerful alternative to static checking 23

56 Conclusion Find inconsistent types in JavaScript: Observe types and summarize them into type graph Deal with intended polymorphism Dynamic analysis: Powerful alternative to static checking Thanks! 23

JITProf: Pinpointing JIT-Unfriendly JavaScript Code

JITProf: Pinpointing JIT-Unfriendly JavaScript Code Liang Gong 1, Michael Pradel 2, Koushik Sen 1 1 UC Berkeley, 2 TU Darmstadt 1 Motivation JavaScript: One of the most popular languages Performance: Crucial