Detecting Atomicity Violations for Event-Driven Node.js Applications

Node.js is widely used as an event-driven server-side architecture. To improve performance, a task in a Node.js application is usually divided into a group of events, which Node.js schedules non-deterministically. Developers may assume that such a group of events (called an atomic event group) is processed atomically, without interruption. However, Node.js does not guarantee the atomicity of an atomic event group, so other events may interrupt its execution, break its atomicity, and cause unexpected results. Existing approaches mainly focus on event races between two events and cannot detect high-level atomicity violations among a group of events. In this paper, we propose NodeAV, which predictively detects atomicity violations in Node.js applications based on an execution trace. Using the happens-before relations among events in an execution trace, we automatically identify a pair of events that should be processed atomically and use predefined atomicity violation patterns to detect atomicity violations. We have evaluated NodeAV on real-world Node.js applications. The experimental results show that NodeAV can effectively detect atomicity violations in these applications.
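To make the idea of an interrupted atomic event group concrete, the following added example (not NodeAV's code or algorithm) scans a recorded trace for accesses from one event group that are split by a conflicting access from another group. The trace field names and the use of the four classic unserializable access interleavings as the violation patterns are assumptions, and the check covers only the observed order, with no happens-before reasoning.

```javascript
// Added example: checks one observed trace only; it does not predict other
// schedules. Field names (event, group, op, key) are hypothetical.

// Assumed patterns: the classic unserializable interleavings, written as
// local access, interrupting access from another group, local access.
const UNSERIALIZABLE = new Set(['RWR', 'WWR', 'WRW', 'RWW']);

function findViolations(trace) {
  const violations = [];
  for (let i = 0; i < trace.length; i++) {
    const first = trace[i];
    // Next access to the same key by the same atomic event group.
    const j = trace.findIndex(
      (a, k) => k > i && a.group === first.group && a.key === first.key);
    if (j === -1) continue;
    const second = trace[j];
    // Any same-key access strictly between i and j belongs to another group.
    for (let k = i + 1; k < j; k++) {
      const remote = trace[k];
      if (remote.key !== first.key) continue;
      const pattern = first.op + remote.op + second.op;
      if (UNSERIALIZABLE.has(pattern)) {
        violations.push({ key: first.key, group: first.group, pattern,
          events: [first.event, remote.event, second.event] });
      }
    }
  }
  return violations;
}

// Constructed trace: two requests each read then write the same counter.
const interleaved = [
  { event: 'e1', group: 'reqA', op: 'R', key: 'stock' },
  { event: 'e2', group: 'reqB', op: 'R', key: 'stock' },
  { event: 'e3', group: 'reqA', op: 'W', key: 'stock' },
  { event: 'e4', group: 'reqB', op: 'W', key: 'stock' },
];
// Constructed trace: same events, each group runs without interruption.
const serialized = [interleaved[0], interleaved[2], interleaved[1], interleaved[3]];

console.log(findViolations(interleaved)); // reqB's read-then-write is split by reqA's write
console.log(findViolations(serialized));  // no violation
```

In the interleaved trace, reqB writes a value computed from a read that reqA's write has already made stale, which is the lost-update outcome a developer assuming atomicity would not expect.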
