Systematic adaptation of dynamically generated source code via domain-specific examples

In modern web-based applications, an increasing amount of source code is generated dynamically at runtime. Web applications commonly execute dynamically generated code (DGC) emitted by third-party, black-box generators that run at remote sites. Web developers often need to adapt DGC before it can be executed: embedded HTML can be vulnerable to cross-site scripting attacks; an API may be incompatible with some browsers; and the program state created by DGC may not persist. Lacking any systematic approach for adapting DGC, web developers resort to ad-hoc techniques that are unsafe and error-prone. This study presents an approach for adapting DGC systematically that follows the program-transformation-by-example paradigm. The proposed approach provides predefined, domain-specific before/after examples that capture the variability of commonly used adaptations. By approving or rejecting these examples, web developers determine the required adaptation transformations, which are encoded in an adaptation script operating on the generated code's abstract syntax tree. The proposed approach is a suite of practical JavaScript program adaptations and their corresponding before/after examples. The authors have successfully applied the approach to real web applications to adapt third-party generated JavaScript code for security, browser compatibility, and persistence.
