TypeDevil: Dynamic Type Inconsistency Analysis for JavaScript

Similar documents
JITProf: Pinpointing JIT-Unfriendly JavaScript Code

DLint: Dynamically Checking Bad Coding Practices in JavaScript

DLint: Dynamically Checking Bad Coding Practices in JavaScript

Static Analysis of JavaScript. Ben Hardekopf

DLint: Dynamically Checking Bad Coding Practices in JavaScript

DLint and JITProf. [FSE 15] JITProf: Pinpointing JIT-unfriendly JavaScript code Liang Gong, Michael Pradel, Koushik Sen

Understanding and Automatically Preventing Injection Attacks on Node.js

Transparent Object Proxies for JavaScript

An Actionable Performance Profiler for Optimizing the Order of Evaluations

6.858 Quiz 2 Review. Android Security. Haogang Chen Nov 24, 2014

The Good, the Bad, and the Ugly: An Empirical Study of Implicit Type Conversions in JavaScript

Finding User/Kernel Pointer Bugs with Type Inference p.1

B l o c k B i n d i n g s

Static Detection of Brittle Parameter Typing

Introduction to JavaScript p. 1 JavaScript Myths p. 2 Versions of JavaScript p. 2 Client-Side JavaScript p. 3 JavaScript in Other Contexts p.

JAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1)

22c:111 Programming Language Concepts. Fall Types I

Program Testing and Analysis: Manual Testing Prof. Dr. Michael Pradel Software Lab, TU Darmstadt

Compilers and computer architecture: Semantic analysis

Refinement Types for TypeScript

Principles of Programming Languages

Interprocedural Type Specialization of JavaScript Programs Without Type Analysis

Cog VM Evolution. Clément Béra. Thursday, August 25, 16

A brief introduction to C programming for Java programmers

Topic 9: Type Checking

Topic 9: Type Checking

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

Experimental New Directions for JavaScript

Automatic Testing of Sequential and Concurrent Substitutability

Marija Selakovic September 25th, 2015 JSConf, Berlin

Principles of Programming Languages

JavaScript: Introduction, Types

Midterm Exam. 5. What is the character - (minus) used for in JavaScript? Give as many answers as you can.

Dependent Types for JavaScript

Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo

2 Blending static and dynamic typing

Stephen McLaughlin. From Uncertainty to Belief: Inferring the Specification Within

Practical Mostly-Static Information Flow Control. Andrew Myers MIT Lab for Computer Science

Client-Side Web Technologies. JavaScript Part I

CS558 Programming Languages

Quickly Detecting Relevant Program Invariants

Understanding the Dynamics of JavaScript

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

Cascade: A Universal Programmer-assisted Type Qualifier Inference Tool

Lecture 2: SML Basics

How Many of All Bugs Do We Find? A Study of Static Bug Detectors

Types and Type Inference

HeapMD: Identifying Heap-based Bugs using Anomaly Detection

JFlow: Practical Mostly-Static Information Flow Control

JSAI: A STATIC ANALYSIS PLATFORM FOR JAVASCRIPT

Some instance messages and methods

Whidbey Enhancements to C# Jeff Vaughan MSBuild Team July 21, 2004

A Serializability Violation Detector for Shared-Memory Server Programs

Towards automated detection of buffer overrun vulnerabilities: a first step. NDSS 2000 Feb 3, 2000

Types and Type Inference

CS558 Programming Languages

The gradual typing approach to mixing static and dynamic typing

Run-time characteristics of JavaScript

G Programming Languages Spring 2010 Lecture 6. Robert Grimm, New York University

Contents. I. Classes, Superclasses, and Subclasses. Topic 04 - Inheritance

Nomen est Omen: Exploring and Exploiting Name Similarities between Arguments and Parameters

Nick Senger & Jesse van den Kieboom

TYPES, VALUES AND DECLARATIONS

Outline. Computer programming. Debugging. What is it. Debugging. Hints. Debugging

TRANSLATING DART TO EFFICIENT JAVASCRIPT. Kasper Lund Google

JavaScript. Training Offer for JavaScript Introduction JavaScript. JavaScript Objects

CIS 341 Final Examination 4 May 2017

Static Analysis in Practice

Symbols. accessor properties, attributes, creating, adding properties, 8 anonymous functions, 20, 80

A Novel Approach to Explain the Detection of Memory Errors and Execution on Different Application Using Dr Memory.

COS 320. Compiling Techniques

Code verification. CSE 331 University of Washington. Michael Ernst

JSJS - Project Proposal

Static Analysis of Dynamically Typed Languages made Easy

Clock-directed Modular Code-generation for Synchronous Data-flow Languages

JITProf: Pinpointing JIT-Unfriendly JavaScript Code

Collaborative Verification of Information Flow for a High-Assurance App Store

Automatic Inference of Reference Count Invariants. David Detlefs Sun Microsystems Laboratories SPACE Jan. 2004

CPS 506 Comparative Programming Languages. Programming Language

Understanding Undefined Behavior

JavaScript: More Syntax and Using Events

Type Checking in COOL (II) Lecture 10

A Run-Time Type-Checking Debugger for C

Programming Languages Assignment #7

Modular and Verified Automatic Program Repairs

INF 102 CONCEPTS OF PROG. LANGS FUNCTIONAL COMPOSITION. Instructors: James Jones Copyright Instructors.

JavaScript: Sort of a Big Deal,

POLYMORPHISM 2 PART. Shared Interface. Discussions. Abstract Base Classes. Abstract Base Classes and Pure Virtual Methods EXAMPLE

Metacircular Virtual Machine Layering for Run-Time Instrumentation. Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie.

JAVASCRIPT AND JQUERY: AN INTRODUCTION (WEB PROGRAMMING, X452.1)

POLYMORPHISM 2 PART Abstract Classes Static and Dynamic Casting Common Programming Errors

Microsoft SAGE and LLVM KLEE. Julian Cohen Manual and Automatic Program Analysis

Fully Automatic and Precise Detection of Thread Safety Violations

Leveraging Data Invariants in Model Inference for Test Case Generation

CPSC 427a: Object-Oriented Programming

INF5750. Introduction to JavaScript and Node.js

Functor abstract domain by example

Software Verification : Introduction

Programming Languages: Application and Interpretation

Type Systems. Seman&cs. CMPT 379: Compilers Instructor: Anoop Sarkar. anoopsarkar.github.io/compilers-class

Transcription:

TypeDevil: Dynamic Type Inconsistency Analysis for JavaScript Michael Pradel 1, Parker Schuh 2, Koushik Sen 2 1 TU Darmstadt, 2 UC Berkeley 1

Motivation JavaScript: Dynamic and permissive Problems remain unnoticed Purely static analysis is limited 2

Motivation JavaScript: Dynamic and permissive Problems remain unnoticed Purely static analysis is limited This talk: Mostly dynamic analysis to find otherwise missed errors 2

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 3

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 3

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 3

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 3

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 3

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; Incorrect behavior, but no obvious sign of misbehavior addwrapped({v:23); // 23 addwrapped({v:20, new Wrapper(3)); // 23 addwrapped({v:"18", new Wrapper(5)); // "185" 3

Observations 1) Most code follows implicit type rules A single type per variable A single type per object property Functions have fixed signatures 2) Many bugs are violations of these rules 4

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 5

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); x.v has types number and string 5

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); Returns both number and string 5

This Talk: TypeDevil Find inconsistent types of local variables properties of objects function signatures Challenges: No static type information No nominal types Intended polymorphism 6

Overview JavaScript program Gather type observations Summarize observations into type graph Find, merge, and filter inconsistencies Warnings about inconsistent types 7

Types Type = Primitive type or record type Property names Sets of types Record types represent: Object types Array types Function types this and return as properties Frame types Local variables as properties 8

Gather Type Observations One type per allocation site and function definition site Store unique name as shadow value Gather type observations through dynamic analysis Observation = (base, property, type) 9

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 10

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); object1 has property v of type number 10

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); addwrapped has local variable y of type undefined 10

Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); function addwrapped returns number 10

Type Graph Nodes = type, edges = properties number string undefined object1 v object2 v object3 v object4 v object5 v locals of addwrapped x y 11

Condensed Type Graph Summarize graph by merging equivalent types number string undefined object1235 v object4 v locals of addwrapped x y 12

Reporting Inconsistencies Report nodes with multiple outgoing edges for the same property 13

Reporting Inconsistencies Report nodes with multiple outgoing edges for the same property number string undefined object1235 v object4 v locals of addwrapped x y 13

Inconsistencies: Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); 14

Inconsistencies: Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); x.v has types number and string 14

Inconsistencies: Example function addwrapped(x, y) { if (y) return x.v + y.v; else return x.v; function Wrapper(v) { this.v = v; addwrapped({v:23); addwrapped({v:20, new Wrapper(3)); addwrapped({v:"18", new Wrapper(5)); y has types object and undefined 14

Prune and Merge Warnings Prune likely false positives: Via belief analysis By degree of inconsistency By size of type diff Structural subtypes null-related Merge warnings with same root cause: By dataflow relations By type diff By array type 15

Prune and Merge Warnings Prune likely false positives: Via belief analysis By degree of inconsistency By size of type diff Structural subtypes null-related Merge warnings with same root cause: By dataflow relations By type diff By array type 15

Prune via Belief Analysis Problem: Intended polymorphism 16

Prune via Belief Analysis Problem: Intended polymorphism function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); Code from Octane s crypto benchmark 16

Prune via Belief Analysis Problem: Intended polymorphism Naive approach: Warnings about inconsistent argument types function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); Code from Octane s crypto benchmark 16

Prune via Belief Analysis Approach: Infer programmer beliefs from code Omit warnings about expected types 16

Prune via Belief Analysis Approach: Infer programmer beliefs from code Omit warnings about expected types function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); Code from Octane s crypto benchmark 16

Prune via Belief Analysis Approach: Infer programmer beliefs from code Omit warnings about expected types function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); a may be undefined or null Code from Octane s crypto benchmark 16

Prune via Belief Analysis Approach: Infer programmer beliefs from code Omit warnings about expected types function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); a may be number Code from Octane s crypto benchmark 16

Prune via Belief Analysis Approach: Infer programmer beliefs from code Omit warnings about expected types function BigInteger(a, b, c) { if (a!= null) if ( number == typeof a) this.fromnumber(a, b, c); else if (b == null && string!= typeof a) this.fromstring(a, 256); else this.fromstring(a, b); Code from Octane s crypto benchmark Refined approach: No warning 16

Merge by Dataflow Relations Problem: Multiple references may refer to a single value 17

Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); 17

Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); Variable x 17

Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); Variable a 17

Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); g s return value 17

Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); f s return value 17

Merge by Dataflow Relations Problem: Multiple references may refer to a single value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); Variable x f s return value Variable a g s return value Naive approach: 4 warnings 17

Merge by Dataflow Relations Approach: Approximate dataflow via call graph Merge warnings that may refer to the same value 17

Merge by Dataflow Relations Approach: Approximate dataflow via call graph Merge warnings that may refer to the same value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); Variable x f s return value Variable a g s return value 17

Merge by Dataflow Relations Approach: Approximate dataflow via call graph Merge warnings that may refer to the same value function f(x) { return g(x); function g(a) { return a; f(23); f({p:"abc"); Refined approach: 1 warning 17

Implementation Instrumentation-based implementation on top of Jalangi * Hooks into execution Browser + node.js Firefox.js instrumented.js Jalangi * Sen et al., 2013 18

Evaluation Setup: Sunspider, Octane, and 7 web apps Main results: Finds relevant problems: 33 warnings, 15 are relevant Pruning and merging is crucial: 578 warnings 33 warnings 19

Example SunSpider s regexp-dna: var dnaoutputstr; for (i in seqs) { dnaoutputstr += seqs[i].source; 20

Example SunSpider s regexp-dna: var dnaoutputstr; for (i in seqs) { dnaoutputstr += seqs[i].source; string and undefined Problem: Incorrect string value undefinedgtagg... 20

Other Problems Correctness problems Crash when dereferencing undefined Performance problems Arrays with holes Dangerous coding practices Variable string sometimes holds a number 21

Related Work Type inference and checking Thiemann 2005, Jensen 2009, Guha 2011, Heidegger 2010 Many false positives Type inference by JIT compilers Logozzo 2010, Hackett 2012, Rastogi 2012 Speculative optimizations Type annotations TypeScript Manual effort 22

Conclusion Find inconsistent types in JavaScript: Observe types and summarize them into type graph Deal with intended polymorphism Dynamic analysis: Powerful alternative to static checking http://mp.binaervarianz.de/typedevil 23

Conclusion Find inconsistent types in JavaScript: Observe types and summarize them into type graph Deal with intended polymorphism Dynamic analysis: Powerful alternative to static checking http://mp.binaervarianz.de/typedevil Thanks! 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback