Challenges in Pointer Analysis of JavaScript
![Page 1: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/1.jpg)
Challenges in Pointer Analysis of JavaScript
Ben Livshits, MSR
1
![Page 2: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/2.jpg)
2
Area man says:
JavaScript leads the pack as most popular programming language
JavaScript
![Page 3: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/3.jpg)
Two Issues in JavaScript Pointer Analysis
3
![Page 4: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/4.jpg)
1 is distributed
• JavaScript programs on the web are streaming
• Fully static pointer analysis is not possible, calling for a hybrid approach
• Setting: analyzing pages before they reach the browser
Gulfstream
![Page 5: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/5.jpg)
2 is distributed
• JavaScript programs interop with a set of rich APIs such as the DOM
• We need to understand these APIs for analysis to be useful
• Setting: analyzing Win8 apps written in JavaScript
Use analysis
![Page 6: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/6.jpg)
Gulfstream
• Staged Static Analysis for Streaming JavaScript Applications, Salvatore Guarnieri, Ben Livshits, WebApps 2009
6
![Page 7: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/7.jpg)
7
Whole program analysis? What whole program?
![Page 8: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/8.jpg)
8
![Page 9: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/9.jpg)
9
JavaScript programs are streaming
![Page 10: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/10.jpg)
Facebook Code Exploration
10
![Page 11: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/11.jpg)
OWA Code Exploration
11
![Page 12: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/12.jpg)
Script Creation

```html
<HTML>
  <HEAD>
    <SCRIPT> function foo(){...} var f = foo; </SCRIPT>
    <SCRIPT> function bar(){...} if (...) f = bar; </SCRIPT>
  </HEAD>
  <BODY onclick="f();"> ...</BODY>
</HTML>
```

12
What does f refer to?
![Page 13: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/13.jpg)
13
Plan

Server
• Pre-compute pointer information offline, for most of the program
• Optionally update server knowledge as more code is observed

Client
• When more code is discovered, do analysis of it
• Combine the incremental results with pre-computed results
![Page 14: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/14.jpg)
Gulfstream In Action
14
Offline ✔ | Online ✔ ✔
Checking a safety property
Is it faster to
1) transfer pre-computed results + add incremental results, or
2) compute everything from scratch?
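The server/client plan above, worked through as an added example that is not Gulfstream's own code: an inclusion-based, flow-insensitive points-to solver over a constructed mini-IR standing in for the two `<SCRIPT>` blocks of slide 12. The server phase solves the scripts known ahead of time; the client phase folds a newly discovered script into the same solution and reports which variables had to be revisited. The statement forms, `SCRIPT1`, `SCRIPT2` and the helper variable `g` are all assumptions made for the illustration.

```javascript
// Added example, not Gulfstream's code: a staged, flow-insensitive points-to
// analysis over a constructed mini-IR. Statement forms (all names constructed):
//   { op: "fun", name }        function declaration: `name` points to its own allocation site
//   { op: "assign", to, from } copy assignment `to = from` (a subset constraint from -> to)
class PointsTo {
  constructor() {
    this.pts = new Map();   // variable -> Set of function names it may point to
    this.edges = new Map(); // from -> Set of `to` variables (subset constraints)
  }
  get(v) {
    if (!this.pts.has(v)) this.pts.set(v, new Set());
    return this.pts.get(v);
  }
  // Add a batch of statements and re-propagate to a fixpoint. Only variables
  // reachable from the new constraints are revisited; this is the incremental
  // step the client performs when another script arrives.
  // Returns the set of variables whose points-to sets grew.
  addStatements(stmts) {
    const work = [];
    const changed = new Set();
    for (const s of stmts) {
      if (s.op === "fun") {
        const set = this.get(s.name);
        if (!set.has(s.name)) { set.add(s.name); changed.add(s.name); work.push(s.name); }
      } else if (s.op === "assign") {
        if (!this.edges.has(s.from)) this.edges.set(s.from, new Set());
        this.edges.get(s.from).add(s.to);
        work.push(s.from);
      }
    }
    while (work.length > 0) {
      const v = work.pop();
      for (const to of this.edges.get(v) || []) {
        const target = this.get(to);
        const before = target.size;
        for (const f of this.get(v)) target.add(f);
        if (target.size !== before) { changed.add(to); work.push(to); }
      }
    }
    return changed;
  }
  // Resolve a call site `v()`: the functions it may invoke, sorted for stable comparison.
  callTargets(v) { return [...this.get(v)].sort(); }
}

// Constructed scripts mirroring slide 12. The conditional `if (...) f = bar`
// becomes an unconditional copy because the analysis is flow-insensitive; the
// helper variable `g` only makes the propagation chain visible.
const SCRIPT1 = [{ op: "fun", name: "foo" }, { op: "assign", to: "f", from: "foo" }];
const SCRIPT2 = [{ op: "fun", name: "bar" }, { op: "assign", to: "g", from: "bar" }, { op: "assign", to: "f", from: "g" }];

// Server (offline) phase on the scripts known ahead of time, then client
// (online) phase that folds newly discovered scripts into the same solution.
function stagedAnalysis(offlineScripts, onlineScripts, callSite = "f") {
  const analysis = new PointsTo();
  for (const s of offlineScripts) analysis.addStatements(s);
  const offline = analysis.callTargets(callSite);
  const reanalyzed = new Set();
  for (const s of onlineScripts) for (const v of analysis.addStatements(s)) reanalyzed.add(v);
  return { offline, online: analysis.callTargets(callSite), reanalyzed: [...reanalyzed].sort() };
}

// Reference: analyze everything from scratch on the client. The staged result
// must agree with it; the question on the slide is only which one is faster.
function fullAnalysis(scripts, callSite = "f") {
  const analysis = new PointsTo();
  analysis.addStatements(scripts.flat());
  return analysis.callTargets(callSite);
}

console.log(stagedAnalysis([SCRIPT1], [SCRIPT2]), fullAnalysis([SCRIPT1, SCRIPT2]));
```

Before the second script is seen, `f` resolves to `foo` alone; after it arrives only `bar`, `g` and `f` are revisited, and the combined answer `{bar, foo}` matches a from-scratch run. The break-even question on the later slides is exactly whether transferring the precomputed `pts`/`edges` tables and revisiting that small delta costs less than re-solving everything on the client.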
![Page 15: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/15.jpg)
Simulated Devices
15
![Page 16: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/16.jpg)
Try Different Configurations
16
• Slow devices benefit from Gulfstream
• A slow network can negate the benefits of the staged analysis
• Large page updates don’t benefit from Gulfstream
“+” means that staged incremental analysis is advantageous compared to full analysis on the client.
![Page 17: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/17.jpg)
17
Gulfstream Savings: Fast Devices
[Bar chart: seconds saved on fast devices for the profile, inbox, friends and home pages; y-axis Seconds, 0 to 12]
10 seconds saved
![Page 18: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/18.jpg)
18
Gulfstream Savings: Slow Devices
[Bar chart: seconds saved on slow devices for the profile, inbox, friends and home pages; y-axis Seconds, 0 to 350]
![Page 19: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/19.jpg)
19
[Chart: Laptop Running Time Comparison; x-axis Total Page Size (KB), 30,000 to 65,000; y-axis Seconds, 0 to 8,000]
Break even point: after 30KB of updates, incremental Gulfstream is no longer faster
![Page 20: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/20.jpg)
20
Conclusion
• Gulfstream, staged analysis for JavaScript (WebApps 2010)
• Staged analysis: offline on the server, online in the browser
• Wide range of experiments: for small updates, Gulfstream is faster; devices with slow CPU benefit most
![Page 21: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/21.jpg)
21
Pointer Analysis and Use Analysis
![Page 22: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/22.jpg)
Use Analysis
• Practical Static Analysis of JavaScript Applications in the Presence of Frameworks and Libraries, Madsen, Livshits, Fanning, in submission, 2013
22
![Page 23: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/23.jpg)
23
Motivation: Win8 App Store
Native C/C++ apps, .NET apps, JavaScript/HTML apps
![Page 24: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/24.jpg)
24
Win8 & Web Applications
[Layer diagram]
Web App: Builtin, DOM, jQuery, …
Windows 8 App: Builtin, DOM, Win8, WinJS, …
![Page 25: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/25.jpg)
25
Practical Applications
• Call graph discovery
• API surface discovery
• Capability analysis
• Auto-complete
• Concrete type inference
• Runtime optimizations
![Page 26: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/26.jpg)
26
Capability analysis example: Windows.Devices.Sensors, Windows.Devices.Sms, Windows.Media.Capture, Windows.Networking.Sockets, …
![Page 27: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/27.jpg)
27
![Page 28: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/28.jpg)
28
![Page 29: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/29.jpg)
29
![Page 30: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/30.jpg)
30
Runtime optimizations example: memory layout (str, int, ref, ref)
![Page 31: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/31.jpg)
31
Canvas Dilemma

```javascript
var canvas = document.querySelector("#leftcol .logo");
var context = canvas.getContext("2d");
context.fillRect(20, 20, canvas.width / 2, canvas.height / 2);
context.strokeRect(0, 0, canvas.width, canvas.height);
```

• Option 1: model querySelector as returning a reference to HTMLElement:prototype
• However, HTMLElement:prototype does not define getContext, so getContext remains unresolved
• Option 2: model querySelector as returning any HTML element within the underlying page
• This returns many elements on which getContext is undefined
![Page 32: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/32.jpg)
32
Introducing Use Analysis
elm flows into playVideo
elm flows into reset
elm must have: muted and play
elm must have: pause
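The canvas dilemma and the use-analysis idea on the last two slides, as one added example that is not the paper's implementation. Stub prototypes stand in for the "invisible" part of the heap; their names and members are constructed here and are not the paper's stub library. Property uses are given as constructed lists rather than collected from an AST, and `playVideo`/`reset` mirror the slide.

```javascript
// Added example, not the paper's code. Stub prototypes model DOM objects that
// live outside the JavaScript heap. Names and members are constructed.
const STUBS = {
  "HTMLElement:prototype":       { id: "", className: "" },
  "HTMLDivElement:prototype":    { id: "", className: "", align: "" },
  "HTMLCanvasElement:prototype": { id: "", className: "", width: 0, height: 0, getContext() {} },
  "HTMLVideoElement:prototype":  { id: "", className: "", muted: false, play() {}, pause() {} },
};

// Which properties each function uses on its first parameter. A real tool
// collects these by walking the function body; here they are constructed.
const PARAM_USES = {
  playVideo: ["muted", "play"],
  reset:     ["pause"],
};

// Constraints flow from callers to callees: a value passed to several callees
// must satisfy the union of their uses.
function collectUses(callees, uses = PARAM_USES) {
  const all = new Set();
  for (const c of callees) for (const p of uses[c]) all.add(p);
  return all;
}

// Unification: a stub prototype is a candidate type for the value only if it
// defines every property the program uses on it.
function unify(useSet, stubs = STUBS) {
  return Object.keys(stubs)
    .filter(name => [...useSet].every(p => p in stubs[name]))
    .sort();
}

// Canvas dilemma, option 1: querySelector returns HTMLElement:prototype.
// getContext is not defined there, so the call stays unresolved.
function resolveOnHtmlElement(prop, stubs = STUBS) {
  return prop in stubs["HTMLElement:prototype"] ? ["HTMLElement:prototype"] : [];
}

// Option 2: querySelector may return any element. The receiver set is every
// stub on the page, and most of them do not define getContext.
function resolveOnAnyElement(prop, stubs = STUBS) {
  const names = Object.keys(stubs);
  return { candidates: names.length, defining: names.filter(n => prop in stubs[n]).sort() };
}

function demo() {
  // `elm` flows into playVideo and reset, so it needs muted, play and pause.
  const elm = unify(collectUses(["playVideo", "reset"]));
  // `canvas` has getContext, width and height used on it.
  const canvas = unify(new Set(["getContext", "width", "height"]));
  return {
    elm,                                      // ["HTMLVideoElement:prototype"]
    canvas,                                   // ["HTMLCanvasElement:prototype"]
    naive: resolveOnHtmlElement("getContext"),   // [] -> unresolved
    any: resolveOnAnyElement("getContext"),      // 4 candidates, 1 defines getContext
  };
}

console.log(demo());
```

The use set is what turns a hopeless receiver (option 1) or a noisy one (option 2) into a single candidate: the program's own accesses act as a structural type that the stubs are unified against. The same mechanism is what makes the `then` and `localSettings` resolutions on the following slides possible.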
![Page 33: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/33.jpg)
33
Pointer vs. Use Analysis
• Pointer analysis deals with “concrete” facts
• Facts we can observe:
  • variables declared in the program
  • allocation sites
![Page 34: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/34.jpg)
34
Pointer vs. Use Analysis
• Use analysis deals with the “invisible” part of the heap
• It can exist entirely outside the JavaScript heap
• Constraints flow from callers to callees
![Page 35: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/35.jpg)
35
Promises

```javascript
driveUtil.uploadFilesAsync(server.imagesFolderId).then(function (results) {...});
```

The analysis correctly maps then to WinJS:Promise:prototype.then
![Page 36: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/36.jpg)
36
Local Storage

```javascript
var json = Windows.Storage.ApplicationData.current.localSettings.values[key];
```

The analysis correctly resolves localSettings to an instance of Windows:Storage:ApplicationDataContainer
![Page 37: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/37.jpg)
37
Benchmarks
25 Windows 8 apps: average 1,587 lines of code
Approx. 30,000 lines of stubs
![Page 38: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/38.jpg)
38
Evaluation: Summary
• The technique improves call graph resolution
• Unification is both effective and precise
• The technique improves auto-completion compared to what is found in four widely used IDEs
• Analysis completes in a reasonable amount of time
![Page 39: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/39.jpg)
39
Call Graph Resolution
Baseline
Partial
Median baseline resolution is 71.5%
Median partial resolution is 81.5%
![Page 40: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/40.jpg)
40
Validating Results
• Incomplete is the number of call sites which are sound, but have some spurious targets (i.e. imprecision is present)
• Unsound is the number of call sites for which some call targets are missing (i.e. the set of targets is too small)
• Stubs is the number of call sites which were unresolved due to missing or faulty stubs
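The three categories above, computed over constructed data as an added example (these are not the paper's benchmark results): the static call graph is compared, call site by call site, against the targets observed at runtime. The call-site ids, target names and the stub-failure set are all made up for the illustration.

```javascript
// Added example with constructed data, not the paper's evaluation code.
// Call graphs map call-site id -> list of target function names.
const STATIC_CG  = { s1: ["foo"], s2: ["foo", "bar"], s3: ["foo"], s4: [],      s5: [] };
const DYNAMIC_CG = { s1: ["foo"], s2: ["foo"],        s3: ["bar"], s4: ["baz"], s5: ["qux"] };
// Call sites whose static targets are missing because a stub was absent or wrong.
const STUB_FAILURES = new Set(["s5"]);

function validate(staticCg, dynamicCg, stubFailures) {
  const counts = { precise: 0, incomplete: 0, unsound: 0, stubs: 0, unresolved: 0 };
  let resolved = 0;
  for (const site of Object.keys(dynamicCg)) {
    const predicted = new Set(staticCg[site] || []);
    const observed = new Set(dynamicCg[site]);
    if (predicted.size > 0) resolved++;                 // counts toward the resolution rate
    if (stubFailures.has(site)) { counts.stubs++; continue; }
    if (predicted.size === 0) { counts.unresolved++; continue; }
    const sound = [...observed].every(t => predicted.has(t));
    if (!sound) counts.unsound++;                                 // an observed target is missing
    else if (predicted.size > observed.size) counts.incomplete++; // sound, but spurious targets
    else counts.precise++;                                        // exactly the observed targets
  }
  const total = Object.keys(dynamicCg).length;
  return { counts, resolutionPct: Math.round((100 * resolved) / total) };
}

console.log(validate(STATIC_CG, DYNAMIC_CG, STUB_FAILURES));
```

One caveat when reading such numbers: the runtime call graph only covers the paths the test inputs exercised, so a call site classified as precise or incomplete can still hide a missing target on a path that was never run; the unsound count is a lower bound.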
![Page 41: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/41.jpg)
41
Auto-complete
• We compared our technique to the auto-complete in four popular IDEs:
  • Eclipse for JavaScript developers
  • IntelliJ IDEA
  • Visual Studio 2010
  • Visual Studio 2012
• In all cases where libraries were involved, our technique was an improvement
![Page 42: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/42.jpg)
42
Auto-complete
![Page 43: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/43.jpg)
43
Running Times
Median runtime for partial is 10.5 sec
All benchmarks complete within 22.0 sec
Analysis is not incremental – room for improvement
![Page 44: Challenges in Pointer Analysis of JavaScript](https://reader035.fdocuments.us/reader035/viewer/2022062720/568134f3550346895d9c3ab5/html5/thumbnails/44.jpg)
Two Issues in JavaScript Pointer Analysis

Gulfstream
• JavaScript programs on the web are streaming
• Fully static pointer analysis is not possible, calling for a hybrid approach
• Setting: analyzing pages before they reach the browser

JSCap
• JavaScript programs interop with a set of rich APIs such as the DOM
• We need to understand these APIs for analysis to be useful
• Setting: analyzing Win8 apps written in JavaScript
45