Gulfstream: Incremental Static Analysis for Streaming JavaScript Applications

The advent of Web 2.0 has led to the proliferation of client-side code that is typically written in JavaScript. Recently, there has been an upsurge of interest in static analysis of client-side JavaScript. However, most approaches in static analysis literature assume that the entire program is available to analysis. This, however, is in direct contradiction with the nature of Web 2.0 programs that are essentially being streamed at the user’s browser. Users can see data being streamed to pages in the form of page updates, but the same thing can be done with code, essentially delaying the downloading of code until it is needed. In essence, the entire program is never completely available, by interacting with the application, more and more code is sent over to the browser. This paper explores incremental static analysis as a way to analyze streaming JavaScript programs. In particular, we advocate the use of combined offline-online static analysis as a way to accomplish fast, online incremental analysis at the expense of a more thorough and costly offline analysis on the static code. We find that in normal use, where updates to the code are small, we can incrementally update static analysis results quickly enough to be acceptable for everyday use. We demonstrate this hybrid approach to be advantageous in a wide variety of settings, especially in mobile devices.

[1]  Robert Cartwright,et al.  Soft typing , 2004, SIGP.

[2]  Benjamin Livshits,et al.  AjaxScope: A Platform for Remotely Monitoring the Client-Side Behavior of Web 2.0 Applications , 2010, ACM Trans. Web.

[3]  Benjamin Livshits,et al.  AjaxScope: a platform for remotely monitoring the client-side behavior of web 2.0 applications , 2007, TWEB.

[4]  Helen J. Wang,et al.  BrowserShield: vulnerability-driven filtering of dynamic HTML , 2006, OSDI '06.

[5]  Benjamin Livshits,et al.  GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code , 2009, USENIX Security Symposium.

[6]  Peter Thiemann Towards a Type System for Analyzing JavaScript Programs , 2005, ESOP.

[7]  Paola Giannini,et al.  Type Checking for JavaScript , 2005, Electron. Notes Theor. Comput. Sci..

[8]  Amer Diwan,et al.  Fast online pointer analysis , 2007, TOPL.

[9]  Barbara G. Ryder,et al.  Precise Call Graphs for C Programs with Function Pointers , 2004, Automated Software Engineering.

[10]  Ajay Chander,et al.  JavaScript instrumentation for browser security , 2007, POPL '07.

[11]  Emden R. Gansner,et al.  Graphviz - Open Source Graph Drawing Tools , 2001, GD.

[12]  Sorin Lerner,et al.  Staged information flow for javascript , 2009, PLDI '09.

[13]  Lars Ole Andersen,et al.  Program Analysis and Specialization for the C Programming Language , 2005 .

[14]  Sophia Drossopoulou,et al.  Towards Type Inference for JavaScript , 2005, ECOOP.

[15]  Mason Chang,et al.  Trace-based just-in-time type specialization for dynamic languages , 2009, PLDI '09.

[16]  Westley Weimer,et al.  Talking to strangers without taking their candy: isolating proxied content , 2008, SocialNets '08.

[17]  Ondrej Lhoták,et al.  Points-to analysis using BDDs , 2003, PLDI '03.

[18]  Monica S. Lam,et al.  Using Datalog with Binary Decision Diagrams for Program Analysis , 2005, APLAS.

[19]  Peter Thiemann,et al.  Type Analysis for JavaScript , 2009, SAS.

[20]  Helen J. Wang,et al.  MashupOS: Operating System Abstractions for Client Mashups , 2007, HotOS.