DLint: Dynamically Checking Bad Coding Practices in JavaScript

Similar documents
DLint: Dynamically Checking Bad Coding Practices in JavaScript

DLint and JITProf. [FSE 15] JITProf: Pinpointing JIT-unfriendly JavaScript code Liang Gong, Michael Pradel, Koushik Sen

DLint: Dynamically Checking Bad Coding Practices in JavaScript

DLint: Dynamically Checking Bad Coding Practices in JavaScript

JITProf: Pinpointing JIT-Unfriendly JavaScript Code

TypeDevil: Dynamic Type Inconsistency Analysis for JavaScript

Understanding and Automatically Preventing Injection Attacks on Node.js

INF5750. Introduction to JavaScript and Node.js

JavaScript: Coercion, Functions, Arrays

JAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1)

JAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1)

Introduction to JavaScript p. 1 JavaScript Myths p. 2 Versions of JavaScript p. 2 Client-Side JavaScript p. 3 JavaScript in Other Contexts p.

The course is supplemented by numerous hands-on labs that help attendees reinforce their theoretical knowledge of the learned material.

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js

JavaScript Programming

The Good, the Bad, and the Ugly: An Empirical Study of Implicit Type Conversions in JavaScript

ADsafety. Type-based Verification of JavaScript Sandboxing. Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi

Principles of Programming Languages

The Typed Racket Guide

LECTURE 16. Functional Programming

Client-Side Web Technologies. JavaScript Part I

Typed Racket: Racket with Static Types

JavaScript CS 4640 Programming Languages for Web Applications

Chapter 2 Working with Data Types and Operators

Sprite an animation manipulation language Language Reference Manual

Static Analysis of JavaScript. Ben Hardekopf

JavaScript: Sort of a Big Deal,

6.184 Lecture 4. Interpretation. Tweaked by Ben Vandiver Compiled by Mike Phillips Original material by Eric Grimson

JavaScript CS 4640 Programming Languages for Web Applications

[ANALYSIS ASSIGNMENT 10]

Operators and Expressions

Run-time characteristics of JavaScript

JavaScript: Features, Trends, and Static Analysis

Program Testing and Analysis: Manual Testing Prof. Dr. Michael Pradel Software Lab, TU Darmstadt

Refinement Types for TypeScript

Javascript Arrays, Object & Functions

JavaScript Lecture 1

Princess Nourah bint Abdulrahman University. Computer Sciences Department

Interprocedural Type Specialization of JavaScript Programs Without Type Analysis

JavaScript: the language of browser interactions. Claudia Hauff TI1506: Web and Database Technology

CS 112 Introduction to Computing II. Wayne Snyder Computer Science Department Boston University

Using Jalangi for Automatic Error Detection in JavaScript Games

Getting started with Java

Client vs Server Scripting

JavaScript Syntax. Web Authoring and Design. Benjamin Kenwright

Perl Library Functions

Produced by. App Development & Modelling. BSc in Applied Computing. Eamonn de Leastar

Powerful JavaScript OOP concept here and now. CoffeeScript, TypeScript, etc

Principles of Programming Languages

An Actionable Performance Profiler for Optimizing the Order of Evaluations

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

CalFuzzer: An Extensible Active Testing Framework for Concurrent Programs Pallavi Joshi 1, Mayur Naik 2, Chang-Seo Park 1, and Koushik Sen 1

CS312: Programming Languages. Lecture 21: JavaScript

JavaScript: The Good Parts. Douglas Crockford Yahoo! Inc.

COP4020 Programming Languages. Functional Programming Prof. Robert van Engelen

Why Discuss JavaScript? CS312: Programming Languages. Lecture 21: JavaScript. JavaScript Target. What s a Scripting Language?

Programming Languages: Application and Interpretation

Functional Programming. Pure Functional Programming

Ruby: Introduction, Basics

JavaScript Errors in the Wild: An Empirical Study

JavaScript: the Big Picture

Principles of Programming Languages

6.037 Lecture 4. Interpretation. What is an interpreter? Why do we need an interpreter? Stages of an interpreter. Role of each part of the interpreter

COMP520 - GoLite Type Checking Specification

JAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1)

1 Introduction. 3 Syntax

Thrift specification - Remote Procedure Call

CSE 341, Spring 2011, Final Examination 9 June Please do not turn the page until everyone is ready.

CS1520 Recitation Week 2

JavaScript. History. Adding JavaScript to a page. CS144: Web Applications

CMPT 125: Lecture 3 Data and Expressions

Course 2320 Supplementary Materials. Modern JavaScript Best Practices

CS558 Programming Languages

COMP520 - GoLite Type Checking Specification

Web Application Development

PIC 20A Inheritance, Interface, and Polymorphism

Closures. Mooly Sagiv. Michael Clarkson, Cornell CS 3110 Data Structures and Functional Programming

A Structural Operational Semantics for JavaScript

JavaScript. Training Offer for JavaScript Introduction JavaScript. JavaScript Objects

Lexical Considerations

Scheme in Scheme: The Metacircular Evaluator Eval and Apply

JavaScript. What s wrong with JavaScript?

JavaScript Basics. Mendel Rosenblum. CS142 Lecture Notes - JavaScript Basics

Performance Issues and Optimizations in JavaScript: An Empirical Study

Understanding and Automatically Preventing Injection Attacks on Node.js

JavaScript. History. Adding JavaScript to a page. CS144: Web Applications

CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011

JavaScript: The Good Parts

Node.js I Getting Started

Pierce Ch. 3, 8, 11, 15. Type Systems

Language Based isolation of Untrusted JavaScript

Topics. Java arrays. Definition. Data Structures and Information Systems Part 1: Data Structures. Lecture 3: Arrays (1)

Hava Language Technical Reference

Programming Languages: Application and Interpretation

Node.js Training JavaScript. Richard richardrodger.com

TypeScript. Types. CS144: Web Applications

Lexical Considerations

ActionScript Coding Standards. by Michael Williams

«Computer Science» Requirements for applicants by Innopolis University

CMSC 330: Organization of Programming Languages

Transcription:

DLint: Dynamically Checking Bad Coding Practices in JavaScript Liang Gong 1, Michael Pradel 2, Manu Sridharan 3 and Koushik Sen 1 1 UC Berkeley 2 TU Darmstadt 3 Samsung Research America

Why JavaScript? The RedMonk Programming Language Ranking (1 st ) Based on GitHub and StackOverflow Assembly language for the web Web applications, DSL, Desktop apps, Mobile apps 2

Problematic JavaScript Designed and Implemented in 10 days Not all decisions were well-thought Problematic language features Error prone Poor performance Prone to security vulnerabilities Problematic features are still around Backward compatibility 3

Problematic JavaScript 4

What are coding practices? Good coding practices Informal rules Improve code quality Better quality means: Fewer correctness issues Better performance Better usability Better maintainability Fewer security loopholes Fewer surprises 5

Rule: avoid using for..in over arrays var sum = 0, value; var array = [11, 22, 33]; for (value in array) { sum += value; } > sum? 6

Rule: avoid using for..in over arrays var sum = 0, value; var array = [11, 22, 33]; for (value in array) { sum += value; } > sum? 11 + 22 + 33 => 66 array index (not array value) 0 + 1 + 2 => 3 array index : string 0+"0"+"1"+"2" => "0012" 7

Rule: avoid using for..in over arrays var sum = 0, value; var array = [11, 22, 33]; for (value in array) { sum += value; } > sum? 11 + 22 + 33 => 66 array index (not array value) 0 + 1 + 2 => 3 array index : string 0+"0"+"1"+"2" => "0012" 8 Cross-browser issues Result depends on the Array prototype object > "0012indexOftoString..."

Rule: avoid using for..in over arrays var sum = 0, value; var array = [11, 22, 33]; for (value in array) { sum += value; } > sum? for (i=0; i < array.length; i++) { sum += array[i]; } 9 function addup(element, index, array) { sum += element; } array.foreach(addup);

Rule: avoid using for..in over arrays var sum = 0, value; var array = [11, 22, 33]; for (value in array) { sum += value; } > sum? for (i=0; i < array.length; i++) { sum += array[i]; } 10 function addup(element, index, array) { sum += element; } array.foreach(addup);

Coding Practices and Lint Tools Existing Lint-like checkers Inspect source code Rule-based checking Detect common mistakes Limitations: Approximates behavior Unknown aliases Lint tools favor precision over soundness Difficulty: Precise static program analysis 11

DLint Dynamic Linter checking code quality rules for JS Open-source, robust, and extensible framework Formalized and implemented 28 rules Counterparts of static rules Additional rules Empirical study Compare static and dynamic checking 12

Jalangi: A Dynamic Analysis Framework for JavaScript [Sen et al. ESEC/FSE'2013] a.f = b.g PutField(Read("a", a), "f", GetField(Read("b", b), "g")) if (a.f())... if (Branch(Method(Read("a", a), "f")())... x = y + 1 x = Write("x", Binary( +,Read("y", y), Literal(1)) analysis.literal(c) analysis.branch(c) analysis.read(n, x) analysis.write(n, x) analysis.putfield(b, f, v) analysis.binary(op, x, y) analysis.function(f, isconstructor) analysis.getfield(b,f) analysis.method(b, f, isconstructor) analysis.unary(op, x)... 13

Runtime Patterns Single-event: Stateless checking Multi-event: Stateful checking 14

Formalization: declarative specification Predicates over runtime events propwrite(base, name, val) propread(base, name, val) cond(val) unop(op, val, res) binop(op, left, right, res) call(base, f, args, ret, isconstr) Example: propwrite(*, "myobject", val) isprim(val) 15

Language Misuse Avoid setting properties of primitives, which has no effect. var fact = 42; fact.istheanswer = true; console.log(fact.istheanswer); > undefined DLint Checker Predicate: propwrite(base,*,*) Λ isprim(base) 16

Avoid producing NaN (Not a Number). var x = 23 "five"; > NaN Uncommon Values DLint Checker Predicate: unop(*, val, NaN) Λ val NaN binop(*, left, right, NaN) Λ left NaN Λ right NaN call(*, *, args,nan, *) Λ NaN args 17

Uncommon Values Avoid concatenating undefined to string. var value;... var str = "price: ";... var result = str + value; > "price: undefined" 18 DLint Checker Predicate: binop(+, left, right, res) Λ (left = undefined right = undefined) Λ isstring(res)

Beware that all wrapped primitives coerce to true. var b = false; if (new Boolean(b)) { console.log("true"); } > true API Misuse DLint Checker Predicate: cond(val) Λ iswrappedboolean(val) Λ val.valueof() = false 19

Type Related Checker Avoid accessing the undefined property. var x; // undefined var y = {}; y[x] = 23; // { undefined: 23 } propwrite(*, "undefined",*) propread(*, "undefined", *) 20

21

22

23

DLint Overview JS program Jalangi Instrumented JS program DLint Checkers Behavior Information Final Report Modify SpiderMonkey to intercept JavaScript files Transpile JavaScript code with Jalangi DLint monitors runtime states and finds issues Reports root cause and code location 24

Evaluation Research Questions DLint warnings vs. JSHint warnings? Additional warnings from DLint? Coding convention vs. page popularity? Experimental Setup 200 web sites (top 50 + others) Comparison to JSHint 25

% of Warnings: DLint vs. JSHint JSHint Unique Common DLint Unique Websites 26 0% 20% 40% 60% 80% 100% % of warnings on each site Some sites: One approach finds all Most sites: Better together

Additional Warnings Reported by DLint Logarithmic average. # warning / site (base 2) 84 43 2 1 0 Checker shares warning with JSHint Checker shares no warnings with JSHint I5 T6 L3 T5 A2 V2 L4 A5 T1 L2 L1 A6 A8 A3 T2 A4 I1 I4 V3 L5 I2 T4 L6 A7 T3 DLint checkers 53 warnings per page 49 are missed by JSHint 27

Coding Convention vs. Page Popularity Quartile 1-3 Quartile 1-3 # JSHint Warning / LOC 0.16 0.14 0.12 0.1 0.08 0.06 0.04 0.02 0 Mean # DLint Warn. / #Cov. Op. 0.02 0.0175 0.015 0.0125 0.01 0.0075 0.005 0.0025 0 Mean Websites traffic ranking Websites traffic ranking 28 Correlation between Alexa popularity and number of DLint warnings: 0.6

Missing 'new' prefix when invoking a constructor. eval can be harmful. Implied eval (string instead of function as argument). Do not override built-in variables. document.write can be a form of eval. The array literal notation [] is preferable. The object literal notation {} is preferable. The Function constructor is a form of eval. Do not use Number, Boolean, String as a constructor. 74 4933 2335 202 62 1401 416 191 359 79 8 26 15 6 167 125 62 205 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Fount by JSHint Only Common with DLint 29

A8 L4 A1 L1 T5 ConstructorFunctions ArgumentsVariable DoubleEvaluation Literals WrappedPrimitives 181 77 31 833 74 413 187 79 8 6 Found by Dlint Only 0% 20% 40% 60% 80% 100% Common with JSHint E.g., 181 calls of eval(), Function(), etc. missed by JSHint 30

31

32

33

34

NaN case study for IKEA <prices> <normal> <pricenormal unformatted="9.9">$9.90</pricenormal> <priceprevious /> <pricenormalperunit /> <pricepreviousperunit /> </normal> </prices> XML: Empty Element previousprice = JS: undefined getelementvalue("priceprevious" + suffix, normal); parsefloat(previousprice).tofixed(2).replace(...).replace('.00', '')); JS: NaN 35

36

37

38

39

Rule: avoid setting field on primitive values From Google Octane s Game Boy Emulator benchmark: var decode64 = ""; if (datalength > 3 && datalength % 4 == 0) { while (index < datalength) { decode64 += String.fromCharCode(...); } if (sixbits[3] >= 0x40) { decode64.length -= 1; } } 40

Rule: avoid setting field on primitive values From Google Octane s Game Boy Emulator benchmark: var decode64 = ""; if (datalength > 3 && datalength % 4 == 0) { while (index < datalength) { decode64 += String.fromCharCode(...); } if (sixbits[3] >= 0x40) { decode64.length -= 1; } } No effect because decode64 is a primitive string. 41

Rule: avoid no effect operations window.onbeforeunload= "Twitch.player.getPlayer().pauseVideo();" window.onunload= "Twitch.player.getPlayer().pauseVideo();" 42

Rule: avoid no effect operations window.onbeforeunload= "Twitch.player.getPlayer().pauseVideo();" window.onunload= "Twitch.player.getPlayer().pauseVideo();" window.onbeforeunload = function () { Twitch.player.getPlayer().pauseVideo(); } 43

Rule: avoid using for..in on arrays www.google.com/chrome, included code from Modernizr: for (i in props) { // props is an array prop = props[i]; before = mstyle.style[prop];... } https://github.com/modernizr/modernizr/pull/1419 44

Takeaways Dynamic lint-like checking for JavaScript Static checkers are not sufficient, DLint complements DLint is an open-source, robust, and extensible tool Works on real-world websites Found 19 clear bugs on most popular websites More information: Paper: DLint: Dynamically Checking Bad Coding Practices in JavaScript Source Code: https://github.com/berkeley-correctness-group/dlint Google DLint Berkeley 45

Takeaways Dynamic lint-like checking for JavaScript Static checkers are not sufficient, DLint complements DLint is an open-source, robust, and extensible tool Works on real-world websites Found 19 clear bugs on most popular websites More information: Paper: DLint: Dynamically Checking Bad Coding Practices in JavaScript Source Code: https://github.com/berkeley-correctness-group/dlint Google DLint Berkeley Thanks! 46

47 http://www.phdcomics.com/comics.php?f=1553

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback