JavaScript Errors in the Wild: An Empirical Study

Similar documents
Towards Improving the Reliability of JavaScript-based Web 2.0 Applications

Why do Web Applica/ons Fail and What can be done about it?

JavaScript Errors in the Wild: An Empirical Study

Why do Modern Web Applica2ons Fail and What Can We Do About It?

DoDOM: Leveraging DOM Invariants for Web 2.0 Applica<on Robustness Tes<ng

Automatic Fault Localization for Client-Side JavaScript

AutoFLox: An Automatic Fault Localizer for Client-Side JavaScript

Automatic fault localization for client-side JavaScript

DLint: Dynamically Checking Bad Coding Practices in JavaScript

Empirical study of the dynamic behavior of JavaScript objects

Preventing Defects. SWE 795, Spring 2017 Software Engineering Environments

Etanova Enterprise Solutions

Browser code isolation

AJAX: Rich Internet Applications

Need to Node: Profiling Node.js Applications

CGS 3066: Spring 2015 JavaScript Reference

Copyright IEEE. Citation for the published paper:

Analysis Tool Project

JAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1)

Unit 20: Extensions in ActiveBPEL

Rich Web Applications in Server-side Java without. Plug-ins or JavaScript

JavaScript Programming

3 Continuous Integration 3. Automated system finding bugs is better than people

MemRed: Towards Reliable Web Applications

Client-side Debugging. Gary Bettencourt

Test Automation to the Limit

Sweet Themes Are Made of This: The Magento PWA Studio

JavaScript: the language of browser interactions. Claudia Hauff TI1506: Web and Database Technology

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

2015 NALIT Professional Development Seminar September 30, Tools for Mobile App Development

DLint: Dynamically Checking Bad Coding Practices in JavaScript

SE 3S03 - Tutorial 2. Zahra Ali. Week of Feb 8, 2016

The Eval that Men Do

lecture'7:' quality'assurance'

Rich Web Applications in Server-side Java without. Plug-ins or JavaScript

Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web

Introduction to JavaScript p. 1 JavaScript Myths p. 2 Versions of JavaScript p. 2 Client-Side JavaScript p. 3 JavaScript in Other Contexts p.

FRESHER TRAINING PROGRAM [MANUAL/QTP/ALM/QC/SE/LR/DB/ANDROID] COURSE OVERVIEW

Sahi. Cost effective Web Automation

The tools of the MATERIA Project

JavaScript CS 4640 Programming Languages for Web Applications

OSSW ICOSST 2009, Al-Khawarizmi Institute of Computer Science University of Engineering and Technology, Lahore

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology

CAP6135: Programming Project 2 (Spring 2010)

Automated Detection of Firefox Extension-

XHound: Quantifying the Fingerprintability of Browser Extensions. Priyankit Bangia Software Engineering. By Oleksii Starov & Nick Nikiforakis

Xcode Encountered An Internal Logic Error >>>CLICK HERE<<<

DLint: Dynamically Checking Bad Coding Practices in JavaScript

Ruby: Introduction, Basics

RESTful Web service composition with BPEL for REST

WebVM Security policy for device API access

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

The course is supplemented by numerous hands-on labs that help attendees reinforce their theoretical knowledge of the learned material.

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1

Fingerprinting Information in JavaScript Implementations. Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham

Annoyed Users: Ads and Ad-Block Usage in the Wild

Test all the things! Get productive with automated testing in Drupal 8. Sam Becker

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

MODELING AND REASONING

HCA Tech Note 500. HCA Cloud Account (as of 29-May-2017) Do I need a Cloud Account?

Single Page Applications using AngularJS

But before understanding the Selenium WebDriver concept, we need to know about the Selenium first.

A Browser Developer's Research Wish List. Robert O'Callahan Mozilla Corporation

Hybrid DOM-Sensitive Change Impact Analysis for JavaScript

A Structural Operational Semantics for JavaScript

An Automated Input Generation Method for Crawling of Web Applications

gocept.selenium Release 3.0

BIRT Report Object Model Base Elements

Decision Making in C

Searching the Deep Web

Be Conservative: Enhancing Failure Diagnosis with Proactive Logging

Diploma in Mobile App Development Part I

WebSticker handbook. Overview 1. Requirements and supported browser versions 2. Known issues 2. Technical description / architecture 3

Some Facts Web 2.0/Ajax Security

Adobe Experience Cloud Launch

Repairing crashes in Android Apps. Shin Hwei Tan Zhen Dong Xiang Gao Abhik Roychoudhury National University of Singapore

Tenable.io User Guide. Last Revised: November 03, 2017

Run-time characteristics of JavaScript

JavaScript Patterns O'REILLY* S toy an Stefanov. Sebastopol. Cambridge. Tokyo. Beijing. Farnham K8ln

SMART DEVICES: DO THEY RESPECT YOUR PRIVACY?

Beginning Google Maps Mashups with Mapplets, KML, and GeoRSS

ArcGIS Runtime: Building Cross-Platform Apps. Rex Hansen Mark Baird Michael Tims Morten Nielsen

WELCOME TO STEELHOUSE NEW CLIENT QUICK START GUIDE

A web-based IDE for Java

MTAT : Software Testing

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

profiling Node.js applications

Google chrome toolbar download windows 7

[MS-POINTER]: Microsoft Edge / Internet Explorer Pointer Events Standards Support Document

JavaScript CS 4640 Programming Languages for Web Applications

Course Details. Skills Gained. Who Can Benefit. Prerequisites. View Online URL:

RSARTE Plugin for Model Fixup

Enabling Mobile Automation Testing using Open Source Tools

Google Organic Click Through Study: Comparison of Google's CTR by Position, Industry, and Query Type

TESTBEDS Paris

Frontend guide. Everything you need to know about HTML, CSS, JavaScript and DOM. Dejan V Čančarević

Variations in Tracking In Relation To Geographic Location

Using the VMware vrealize Orchestrator Client

Elementary Computing CSC 100. M. Cheng, Computer Science

Transcription:

JavaScript Errors in the Wild: An Empirical Study Frolin S. Ocariza, Jr. 1 Karthik Pattabiraman 1 Benjamin Zorn 2 1 University of British Columbia (UBC), 2 Microsoft Research (MSR)

Web 2.0 Application: Amazon.com Third Menu Amazon s party Shopping bar Web 2.0 applications own ad allow rich UI functionality gadget ad within a single cart web page 2

Web 2.0 Application: JavaScript Significant amount of JavaScript code executing in the browser 3

Web 2.0 Application: Amazon.com 4 Web Apps experience errors, yet they continue to execute!

Web 2.0 Applications: Problems Multiple Clients! Snapshot of ifeng.com: Leading media website in China Loose semantics DOM an error occurred when processing this directive 5

Studies of JavaScript Web Applications Performance and parallelism: JSMeter [Ratanaworabhan-2010], [Richards-2009], [Fortuna-2011] Reliability? Security and Privacy: [Yue-2009], Gatekeeper [Guarnieri-2009], [Jang-2010] Goal: Study the reliability of web applications in the wild performance reliability security 6

Contributions! Devised methodology to collect and categorize JS error messages from web applications! Characterized JS error messages that appeared in 50 top websites! Analysis of the implications of results! Find possible ways to write more reliable JS code! Improve the quality of JS testing! Highlight JS characteristics that should be captured by static analysis tools 7

JavaScript Error Messages! Any exception thrown by JS code is logged to JS console Multiple exceptions 8

Error Messages: Pros and Cons! Pros! No false positives unlike static analysis! Challenging to analyze JavaScript statically! Capture interactions with the DOM! Cons! Error message may be benign! Still an indication of potential problem! May be incomplete! Publicly available JS bug reports very limited 9

Steps to Collect Error Messages! Chose 50 web applications from the Alexa top 100! Created test suites for normal interactions in Selenium! Capture JavaScript Errors printed to Firebug console 10

Research Questions Do errors occur in web apps and if so, what categories do they fall in? How do errors correlate with static and dynamic characteristics of the app? How do errors vary by speed of testing? Are they all deterministic? 11

Firebug Error Messages 1. Description of error message 2. Line of code corresponding to error 3. File name and line number Two errors are different if any attribute is different 12

Errors and their classification: Results # of! Average of 4 distinct error messages for each app! Standard dev: 3! Max: 16 (Cnet)! Min: 0 (Google) Errors 18 16 14 12 10 8 6 4 2 0 Total Distinct Errors 13 Web Application

Errors and their classification: Results (2)! 94 % of errors fall into four predominant categories Distribution of Error Messages 4% 6% # of Permission Denied Errors # of Null Exception Errors 27% 54% # of Undefined Symbol Errors # of Syntax Errors 9% # of Miscellaneous Errors 14

Permission Denied Example Taken from imdb.com advertisement 4% 6% 27% 54% Error Message: Permission denied for http://view.atdmt.com to call method Location.toString on http://www.imdb.com 9% Explanation: Triggered by appearance of advertisement. Leads to SOP violation. 15 Bottom Line: JS errors may appear as a result of code written by others

Undefined Symbol Example Taken from cnn.com 4% 6% 27% 54% Error Message: cnn_onmemfbinit() is undefined // this probably isn t needed anymore if (CNN_ISMemInit && CNN_IsFBInit) cnn_onmemfbinit(); 9% Explanation: Both CNN_IsMemInit and CNN_IsFBInit set to true 16 Bottom Line: JS code is difficult to maintain

Null Exception Example Taken from amazon.com 4% 6% 27% 54% Error Message: document.getelementbyid( inappdiv ) is null Causes error on click document.getelementbyid( inappdiv ).style.display = none ; 9% Explanation: inappdiv was only defined for users who are logged in 17 Bottom Line: JS code may depend on the DOM

Syntax Error Example Taken from about.com 4% 6% 27% 54% 9% Error Message: unterminated string literal zgpu = http://movies.about.com/od/onlinemovies Movies_Available_on_the_Internet.html Bottom Line: JS code is sometimes not well-tested

Research Questions Do errors occur in web apps and if so, what categories do they fall in? How do errors correlate with static and dynamic characteristics of the app? 19 How do errors vary by speed of testing? Are they all deterministic?

Effect of Testing Speed: Method! Varied testing speed for replaying events! Performed three executions in each testing speed Fast Medium Slow 0 ms 500 ms 1000 ms 20

Effect of Testing Speed: Results Error Message (shortened) Permission Denied for view.atdmt.com to call <fname> on marquee.blogs.cnn.com targetwindow.cnnad showad is not a function window.parent.csimanager is undefined F 1 F 2 F 3 M 1 M 2 M 3 4 4 4 1 3 3 2 2 3 0 2 5 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 S 1 S 2 S 3 21

Non-Deterministic Error: Example! Tumblr page change_promo(promo)! expects promo to be within range 1-4 settimeout(change_promo, 5000)! no parameter specified, so random value for promo No exception if promo within range Exception if promo out of range

Effect of Testing Speed: Non-Determinism! More than 70% of distinct errors are non-deterministic Total non-deterministic errors 23

Research Questions Do errors occur in web apps and if so, what categories do they fall in? How do errors correlate with static and dynamic characteristics of the app? How do errors vary by speed of testing? Are they all deterministic? 24

Static/Dynamic Correlations: Summary Static Characteristics Measured using Phoenix & Firebug plugins Alexa Rank Dynamic Characteristics From Richards et al. [PLDI 2010]! Number of called functions Bytes of JavaScript code! Number of eval calls Number of domains! Properties deleted Domains containing JS! Object inheritance overridings 25

Dynamic Correlations: Eval Calls! Low correlation! Compare: eval calls! correlate well with security

Static Correlations: JS Code Size! Low correlation! JS reliability not tied very closely to code size

Research Questions: Answers Do Average errors of occur four in errors web apps in and what each categories app. Errors do fall they into fall in? four well-defined categories Correlated How do errors with correlate no of domains, with static # and of domains dynamic with characteristics JS, Alexa rank, of the but app? not with eval calls and code size Errors How vary do errors by speed vary by of testing. speed Majority of testing of? Are errors are they non-deterministic all? 28

Implications of Results! Programmers! Need to make code robust against other code/scripts! Make sure interactions with DOM are checked! Testers! Perform integration testing to see effects of ads! Need to test at multiple testing speeds, multiple times! Static analysis tool developers! Target most common classes of errors! Need to model the DOM in the analysis 29

Conclusion and Future Work! JavaScript code in production web apps! buggy!! Study exposes JS reliability problems and analyzes errors! Data publicly available! http://ece.ubc.ca/~frolino/project/jser! Future work! Better understanding of causes (root causes and correlations)! Currently: Fault localization

Backup Slides

JavaScript: Good or Evil? Versus E v a l s 100000 10000 1000 100 10 1 0.1 Eval Calls (from Richards et al. [PLDI-2010]) Real web applications do not stick to the good parts 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback