Jalangi: A Dynamic Analysis Framework for JavaScript · • Assembly Language for the Web:...

Jalangi:ADynamicAnalysisFrameworkforJavaScript

Withcontributionsfrom:

ChristofferAdamsen,EsbenAndreasen,TasneemBrutch,SatishChandra,ColinS.Gordon,SimonGibbs,SimonJenson,SwaroopKalasapur,Rezwana

Karim,MagnusMadsen,MichaelPradel,FrankTip

ManuSridharanUber

KoushikSen,LiangGongUniversityofCalifornia,Berkeley

WhyJavaScript?• TheRedMonkProgrammingLanguageRankings(Popularity):January2015and2016

– BasedonprojectshostedatGitHubandquestionspostedatStackOverflow

Growthinpopularity(basedonjobsavailable)from2012–2013

Source: http://blog.learntoprogram.tv/five-resons-javascript-important-programming-language-learn/

WhyJavaScript?

http://blog.learntoprogram.tv/five-resons-javascript-important-programming-language-learn/








• Client-sideJavaScriptinRichWebApplications

• DesktopApps(Windows8andGnome),FirefoxOS,TizenOS

• Server-side(node.js)– Paypal,Ebay,Uber,NYtimes,Linkedin,andmanymore

• AssemblyLanguagefortheWeb:emscripten,coffeescript,TypeScript

• AlanguagetoimplementDSLframeworks– Angular.js,Knockout.js,React.js

WhyJavaScript?

• Hugeecosystemoflibrariesandframeworks

• JavaScripthaslowlearningcurve– peoplecanstartcodingandgetresultsquickly

• Nospecialinstallation/executionenvironment– Justuseamodernbrowser

• JavaScriptsupportsfunctionalprogramming– higherorderfunctions

• ModernJavaScriptVMsarefast

WhyJavaScript?

Atwood’sLaw

“AnyapplicationthatcanbewritteninJavaScript,willeventuallybewrittenin

JavaScript.”

• JavaScripthasitsquirks(many)

WhyToolsforJavaScript?

varx=“1”;

++x;

console.log(x);

varx=“1”;

x+=1;

console.log(x);


varx=“1”;

++x;

console.log(x);

//prints2

varx=“1”;

x+=1;

console.log(x);

//prints11


• Easytointroducebugs:correctness,performance,memory– Degreesofequality==vs.===

• Loosely-typed– forgiving:implicittypeconversion– trieshardtoexecutewithoutthrowingexception

• LikeHTML

• Highlyreflective– evalanydynamicallycreatedstring

• Asynchronousprogramming


• Loosely-typed– forgiving:implicittypeconversion

– trieshardtoexecutewithoutthrowingexception

• LikeHTML

ToolsforBugFindingandSecurityAnalysis

• Remarkableprogressinprogram-analysisandconstraintsolving– Commercialtools:Coverity,Klocwork,Grammatech,TotalView,Parallocity,StaticDeviceVerifierfromMicrosoft,WALAatIBM

– Open-sourcetools:GDB,lint,FindBugs,Valgrind– Academictools:SLAM,BLAST,ESP,JPF,Bandera,Saturn,MAGIC,DART,CUTE,jCUTE

– MostlyfocusedonC/C++andJavaprograms

• HardlyanysoftwarequalitytoolforJavaScriptandHTML5– Staticanalysisisdifficultfordynamiclanguages

Jalangi

Apowerfulbrowser-independent(dynamic)analysisframeworkforJavaScripthttps://github.com/Samsung/jalangi2

• Jalangi:Aselectiverecord-replayanddynamicanalysisframeworkforJavaScript.KoushikSen,SwaroopKalasapur,TasneemBrutch,andSimonGibbs.InESEC/FSE,2013.

https://github.com/Samsung/jalangi2


Jalangi:GoalsandRequirements

• FrameworkforDynamicandhybridStatic/Dynamicanalysis– supportssymbolicexecution,bugfinding,memoryanalysis,runtimetype

analysis,valuetracking,tainttracking,performanceanalysis• HandleALLdynamicfeatures

– notOKtoignoreeval,newFunction• Independentofbrowser

– source-to-sourcecodeinstrumentation– instrumentedprogramwhenexecutedperformsanalysis

• EasyImplementationofDynamicAnalysis– Observeanexecutionpassively:(conventionaldynamicanalysis)– Modifysemantics/values– Repeatedlyexecutearbitrarypathswithinafunction

WhynotModifyaBrowser?• Hard to keep up with browser development • Harder to get people to use of customized browser

Jalangi1and2• Jalangi1:

– https://github.com/SRA-SiliconValley/jalangi

– recordexecutionandreplaytoperformanalysis

– Shadowvalues(wrappedobjects)

– Nolongersupported

• Jalangi2:– https://github.com/Samsung/jalangi2

– norecord/replayorshadowvalues

– optionalshadowmemory

– activedevelopment

https://github.com/SRA-SiliconValley/jalangi

https://github.com/SRA-SiliconValley/jalangi



HowJalangiWorks?

JavaScript and HTML

Jalangi Runtime

User Written Analysis

Jalangi

Analysis Writer

Intermediate

HowJalangiWorks?

JavaScript and HTML

Instrumented Files

Jalangi Instrumentor

Jalangi Runtime


Source Information

Jalangi

Analysis Writer

Intermediate

HowJalangiWorks?

JavaScript and HTML

Instrumented Files


Jalangi Runtime


Execute in Browser/Node.js

Trace

Output Data

Source Information

Jalangi

Analysis Writer

Intermediate

HowJalangiWorks?

JavaScript and HTML

Instrumented Files


Jalangi Runtime


Execute in Browser/Node.js

Trace Offline Analysis

Output Data

Visualize Output

Final Output

Source Information

Jalangi

Analysis Writer

Intermediate

JalangiInstrumentation(simplified)

x=y+1 => x=Write(“x”,Binary(‘+’,Read(“y”,y),Literal(1),x)

a.f=b.g => PutField(Read(“a”,a),“f”,GetField(Read(“b”,b),“g”))

if(a.f())… => if(Branch(Method(Read(“a”,a),“f”)()))…

JalangiRuntime

functionBinary(op,left,right,...){

result=leftopright;

returnresult;

}

JalangiRuntime


vararet=analysis.binaryPre(op,left,write,...); result=leftopright;aret=analysis.binary(op,left,right,result,...);

returnresult;

}

JalangiRuntime


varskip=false;vararet=analysis.binaryPre(op,left,write,...); if(aret){ op=aret.op;left=aret.left;right=aret.right;skip=aret.skip;}} if(!skip) result=leftopright;aret=analysis.binary(op,left,right,result,...);

returnresult;

}

JalangiRuntime


varskip=false;vararet=analysis.binaryPre(op,left,write,...); if(aret){ op=aret.op;left=aret.left;right=aret.right;skip=aret.skip;}} if(!skip) result=leftopright;aret=analysis.binary(op,left,right,result,...);if(aret)returnaret.result;else

returnresult;

}

DownloadandInstallJalangi2

Download:

gitclonehttps://github.com/Samsung/jalangi2.git

cdjalangi2

Install:

npminstall

Test:pythonscripts/test.traceall.py

pythonscripts/test.analysis.py

pythonscripts/test.dlint.py

JalangiCallbacks

functioninvokeFunPre(iid,f,base,args,isConstructor,isMethod,functionIid);

functioninvokeFun(iid,f,base,args,result,isConstructor,isMethod,functionIid);

functionliteral(iid,val,hasGetterSetter);

functionforinObject(iid,val);

functiondeclare(iid,name,val,isArgument,argumentIndex,isCatchParam);

functiongetFieldPre(iid,base,offset,isComputed,isOpAssign,isMethodCall);

functiongetField(iid,base,offset,val,isComputed,isOpAssign,isMethodCall);

functionputFieldPre(iid,base,offset,val,isComputed,isOpAssign);

functionputField(iid,base,offset,val,isComputed,isOpAssign);

functionread(iid,name,val,isGlobal,isScriptLocal);

functionwrite(iid,name,val,lhs,isGlobal,isScriptLocal);

function_return(iid,val);

function_throw(iid,val);

function_with(iid,val);

functionfunctionEnter(iid,f,dis,args);functionfunctionExit(iid,returnVal,wrappedExceptionVal);functionscriptEnter(iid,instrumentedFileName,originalFileName);functionscriptExit(iid,wrappedExceptionVal);functionbinaryPre(iid,op,left,right,isOpAssign,isSwitchCaseComparison,isComputed);functionbinary(iid,op,left,right,result,isOpAssign,isSwitchCaseComparison,isComputed);functionunaryPre(iid,op,left);functionunary(iid,op,left,result);functionconditional(iid,result);functioninstrumentCodePre(iid,code);functioninstrumentCode(iid,newCode,newAst);functionendExpression(iid);functionendExecution();functionrunInstrumentedFunctionBody(iid,f,functionIid);functiononReady(cb);

• Eachanalysisneedstoimplementasubsetofthesecallbacks.• MultipleanalysesclassescanbechainedfunctionbinaryPre(iid,op,left,right,isOpAssign,isSwitchCaseComparison,isComputed);functionbinary(iid,op,left,right,result,isOpAssign,isSwitchCaseComparison,isComputed);

Documentation: jalangi2/docs/MyAnalysis.html

TraceAll.jsanalysis:printsallcallbacks

ForNode.js• nodesrc/js/commands/jalangi.js--inlineIID--inlineSource--analysissrc/js/sample_analyses/

ChainedAnalyses.js--analysissrc/js/runtime/SMemory.js--analysissrc/js/sample_analyses/pldi16/TraceAll.jstests/pldi16/TraceAllTest.js

Forbrowser:• nodesrc/js/commands/esnstrument_cli.js--inlineIID--inlineSource--analysissrc/js/

sample_analyses/ChainedAnalyses.js--analysissrc/js/runtime/SMemory.js--analysissrc/js/sample_analyses/pldi16/TraceAll.js--out/tmp/pldi16/TraceAllTest.htmltests/pldi16/TraceAllTest.html

• nodesrc/js/commands/esnstrument_cli.js--inlineIID--inlineSource--analysissrc/js/sample_analyses/ChainedAnalyses.js--analysissrc/js/runtime/SMemory.js--analysissrc/js/sample_analyses/pldi16/TraceAll.js--out/tmp/pldi16/TraceAllTest.jstests/pldi16/TraceAllTest.js

• openfile:///tmp/pldi16/TraceAllTest.html

SampleAnalyses

Examples:src/js/sample_analyses/pldi16

Tests:tests/pldi16

Sampleanalysis:checkifundefinedisconcatenatedwithastring

See:src/js/sample_analyses/pldi16/CheckUndefinedConcatenatedToString.js

this.binary=function(iid,op,left,right,result){ if(op==='+'&&typeofresult==='string'&&

(left===undefined||right===undefined))

J$.log(“Concatenatedundefinedwithstringat”+

J$.iidToLocation(J$.sid,iid));

}

SourceLocations• Instrumentationassociatesaniidwitheveryexpression

• Atruntime,eachloadedscriptisgivenauniquescriptID(sid)

• sidofcurrentscriptstoredinJ$.sid

• J$.getGlobalIID(iid)getsagloballyuniqueid

• J$.iidToLocation(J$.sid,iid)getssourcelocation

• filename:start_line:start_col:end_line:end_col

• Trackslocationsofenclosingevals

Sampleanalysis:countbranches

vartrueBranches={};varfalseBranches={};//initialize....

this.conditional=function(iid,result){

varid=J$.getGlobalIID(iid);

if(result)

trueBranches[id]++;

else

falseBranches[id]++;

}

this.endExecution=function(){print(trueBranches,“True”);print(falseBranches,“False”);}

functionprint(map,str){for(varidinmap)if(map.hasOwnProperty(id)){J$.log(str+“branchtakenat”+J$.iidToLocation(id)+“”+map[id]+“times”;}}

See: src/js/sample_analyses/pldi16/BranchCoverage.js

Sampleanalysis:countnumberofobjectsallocatedateachsite

varallocCount={};

this.literal=function(iid,val){ varid=J$.getGlobalIID(iid);

if(typeofval===‘object’)

allocCount[id]++;

};

this.invokeFunPre=function(iid,f,

base,args,isConstructor){

varid=J$.getGlobalIID(iid);

if(isConstructor)

allocCount[id]++;

};

this.endExecution=function(){print(allocCount);}

functionprint(map){for(varidinmap)if(map.hasOwnProperty(id)){J$.log(“Objectallocatedat”+J$.iidToLocation(id)+“=”+map[id]);}}

See: src/js/sample_analyses/pldi16/CountObjectsPerAllocationSite.js

ShadowObjects(SMemory.js)• AssociatesashadowobjectwitheachJavaScriptobject(excludesprimitivevaluesincludingstringsandnull)

• Associatesashadowobjectwitheachactivationframe

• Shadowobjectcanstoremeta-information

• Ashadowobjectcontainsanuniqueid– canbeusedaslogicaladdressofanobject/frame

--analysissrc/js/sample_analyses/ChainedAnalyses.js--analysissrc/js/runtime/SMemory.js

SMemory.jsAPIDocumentation:jalangi2/docs/SMemory.html

• getShadowObject(obj,prop,isGetField)

Thismethodshouldbecalledonabaseobjectandapropertynametoretrievetheshadowobjectassociatedwiththeobjectthatactuallyownstheproperty

• getShadowObjectOfObject(val)Thismethodreturnstheshadowobjectassociatedwiththeargument.Iftheargumentcannotbeassociatedwithashadowobject,thefunctionreturnsundefined.

• getShadowFrame(name)

Thismethodreturnstheshadowobjectassociatedwiththeactivationframethatcontainsthevariable"name".Togetthecurrentactivationframe'sshadowobject,callgetShadowFrame('this')

• getIDFromShadowObjectOrFrame(obj)

Givenashadowobjectorframe,itreturnstheuniqueidoftheshadowobjectorframe.Itreturnsundefined,ifobjisundefined,null,ornotavalidshadowobject.

• getActualObjectOrFunctionFromShadowObjectOrFrame(obj)Givenashadowobject/frame,itreturnstheactualobject/thefunctionwhoseinvocationcreatedtheframe.

AssociateAllocationSite

See:src/js/sample_analyses/pldi16/LogLoadStoreAlloc.js

this.literal=function(iid,val,hasGetterSetter){ if(typeofval==="object"&&val!==null){ varsobj=sandbox.smemory.getShadowObjectOfObject(val);sobj.allocSite=J$.iidToLocation(J$.sid,iid);} };

this.getFieldPre=function(iid,base,offset,isComputed,isOpAssign,isMethodCall){ varsobj=sandbox.smemory.getShadowObject(base,offset,true).owner;varret="Load'"+offset+"'ofobjectallocatedat"+sobj.allocSite;ret+="at"+J$.iidToLocation(J$.sid,iid);log(ret);};

LogAllLoadsandStoresSee:src/js/sample_analyses/pldi16/LogLoadStoreAlloc.js

this.getFieldPre=function(iid,base,offset,isComputed,isOpAssign,isMethodCall){varsobj=sandbox.smemory.getShadowObject(base,offset,true).owner;varactualObjectId=sandbox.smemory.getIDFromShadowObjectOrFrame(sobj);varret="Loadofobject(id="+actualObjectId+")."+offset;ret+="at"+J$.iidToLocation(J$.sid,iid);log(ret);};

this.write=function(iid,name,val,lhs,isGlobal,isScriptLocal){varsobj=sandbox.smemory.getShadowFrame(name);varframeId=sandbox.smemory.getIDFromShadowObjectOrFrame(sobj);varret="Storeofframe(id="+frameId+")."+name;ret+="at"+J$.iidToLocation(J$.sid,iid);log(ret);return{result:val};};

Sampleanalysis(modifysemantics):interpret‘*’as‘+’

See:src/js/sample_analyses/pldi16/ChangeSematicsOfMult.js

this.binaryPre=function(iid,op,left,right){

if(op===‘*’) return{op:op,left:left,right:right,skip:true};};

this.binary=function(iid,op,left,right,result){ if(op===‘*’) return{result:left+right};};

Sampleanalysis(modifysemantics):skipexecutionofanevilfunction

See:src/js/sample_analyses/pldi16/SkipFunction.js

this.invokeFunPre=function(iid,f,base,args){ if(typeofevilFunction==="function"&&f===evilFunction){

return{f:f,base:base,args:args,skip:true};};

Sampleanalysis(modifysemantics):loopafunctionbody

functionloop(n){

varret=ret?ret-1:n;//dosomething

console.log(ret);

returnret;

}

loop(10);

See: src/js/sample_analyses/pldi16/BackTrackLoop.js


functionloop(n){


console.log(ret);

returnret;

}

loop(10);

Prints 10



this.functionExit=function(iid,rv,ex){ return{returnVal:rv,wrappedExceptionVal:ex,isBacktrack:rv?true:false};

};

----------------------------------Program------------------------------------

functionloop(n){


console.log(ret);

returnret;

}

loop(10); Prints 10 to 0


Sampleanalysis(modifysemantics):MultiSE:Multi-PathSymbolicExecutionusingValueSummaries

(ESEC/FSE2015)

• Symbolicexecution

• Exploreallpathsinafunction– butmergestatefromallpathsbeforeexitingthefunction

• Overridedefaultsemanticstoperformsymbolicevaluation

• Backtrackwithinafunctionuntilallpathsareexplored

• Customsemanticsandbacktracking– forsimpleabstractinterpretation

– forsimpledataflowanalysis

Jalangi2Summary

• Observeanexecutionandcollectinformation

• Changevaluesusedinanexecution

• Changesemanticsofoperators/functions

• Explorearbitrarypathinafunction

• Re-executethebodyofafunctionrepeatedly

• Maintainyourown(abstract)stateandcallstack

• 3x-100xslowdown

SeriousAnalyseswithJalangi• "Feedback-DirectedInstrumentationforDeployedJavaScriptApplications,"

– MagnusMadsenandFrankTipandEsbenAndreasenandKoushikSenandAndersMoller(ICSE'16)• "TraceTyping:AnApproachforEvaluatingRetrofittedTypeSystems,"

– EsbenAndreasenandColinS.GordonandSatishChandraandManuSridharanandFrankTipandKoushikSen(ECOOP'16)

• "TypeDevil:DynamicTypeInconsistencyAnalysisforJavaScript,”– MichaelPradelandParkerSchuhandKoushikSen(ICSE'15)

• "JITProf:PinpointingJIT-unfriendlyJavaScriptCode,"– LiangGongandMichaelPradelandKoushikSen(ESEC/FSE'15)

• "MemInsight:Platform-IndependentMemoryDebuggingforJavaScript,”– SimonJensenandManuSridharanandKoushikSenandSatishChandra(ESEC/FSE'15)

• "DLint:DynamicallyCheckingBadCodingPracticesinJavaScript,"– LiangGongandMichaelPradelandManuSridharanandKoushikSen(ISSTA'15)

• "MultiSE:Multi-PathSymbolicExecutionusingValueSummaries,”– KoushikSenandGeorgeNeculaandLiangGongandWontaeChoi,(ESEC/FSE'15)

• "TheGood,theBad,andtheUgly:AnEmpiricalStudyofImplicitTypeConversionsinJavaScript,"– MichaelPradelandKoushikSen(ECOOP'15)

• "EventBreak:AnalyzingtheResponsivenessofUserInterfacesthroughPerformance-GuidedTestGeneration,"

– MichaelPradelandParkerSchuhandGeorgeNeculaandKoushikSen(OOPSLA'14)

SeriousAnalyseswithJalangi• "Feedback-DirectedInstrumentationforDeployedJavaScriptApplications,"

– MagnusMadsenandFrankTipandEsbenAndreasenandKoushikSenandAnders(ICSE'16)• "TraceTyping:AnApproachforEvaluatingRetrofittedTypeSystems,"

– EsbenAndreasenandColinS.GordonandSatishChandraandManuSridharanandFrankTipandKoushikSen(ECOOP'16)

• "TypeDevil:DynamicTypeInconsistencyAnalysisforJavaScript,”– MichaelPradelandParkerSchuhandKoushikSen(ICSE'15)

• "JITProf:PinpointingJIT-unfriendlyJavaScriptCode,"– LiangGongandMichaelPradelandKoushikSen(ESEC/FSE'15)

• "MemInsight:Platform-IndependentMemoryDebuggingforJavaScript,”– SimonJensenandManuSridharanandKoushikSenandSatishChandra(ESEC/FSE'15)

• "DLint:DynamicallyCheckingBadCodingPracticesinJavaScript,"– LiangGongandMichaelPradelandManuSridharanandKoushikSen(ISSTA'15)

• "MultiSE:Multi-PathSymbolicExecutionusingValueSummaries,”– KoushikSenandGeorgeNeculaandLiangGongandWontaeChoi,(ESEC/FSE'15)

• "TheGood,theBad,andtheUgly:AnEmpiricalStudyofImplicitTypeConversionsinJavaScript,"– MichaelPradelandKoushikSen(ECOOP'15)

• "EventBreak:AnalyzingtheResponsivenessofUserInterfacesthroughPerformance-GuidedTestGeneration,"

– MichaelPradelandParkerSchuhandGeorgeNeculaandKoushikSen(OOPSLA'14)

MemInsightPlatform-Independent Memory

Debugging for JavaScript

47

http://github.com/Samsung/meminsight

http://github.com/Samsung/meminsight

JS Apps and Memory

48

Leaks and Staleness

• Staleness: long gap between last use and unreachable

• Leak: never unreachable

• Many stale objects indicates a potential problem

Object allocated ! Object used ! Object is unreachable!

Staleness!

49

Leak Examplevar name2obj = {};var cache = [];

function add(name) { var x = new Obj(); name2obj[name] = x; cache.push(x);}

function remove(name) { name2obj[name] = null; // forgot to remove from the cache!}

More insidious in web apps, where DOM nodes are involved50

Churn

51

Bloat

52

Heap Snapshots

Chrome Dev Tools https://developers.google.com/chrome-developer-tools/docs/javascript-memory-profiling

53

https://developers.google.com/chrome-developer-tools/docs/javascript-memory-profiling

Heap Snapshots

• Capture several snapshots, diff to find possible leaks

• Low overhead, but:

• No information on staleness (does not track uses)

• Can miss excessive churn

• Cannot handle fine-grained time-varying properties

54

MemInsight• Platform independent: use on any modern browser or

node.js

• Fine-grained behaviors via detailed tracing

• computes exact object lifetimes

• enables a variety of client analyses

• Exposes DOM manipulation

• Reasonable overhead55

Memory leak!

57

Memory leak - Details

58

jQuery issue!

59

Memory leak - Details

60

Challenges

• Prefer not to modify a browser engine Yet handle full JavaScript Keep overhead reasonable

• Want to report staleness of DOM nodes, without modifying browser

• Figure out object lifetimes accurately without information from the garbage collector

61

How does MemInsight work?

(via Jalangi)

Jalangi is a dynamic analysis framework for JavaScriptSee FSE 2013, Sen et al.

62

Trace generation(A)$

JavaScript$code$

(B)$Instrumented$JavaScript$

code$

Instrumentor$(C)$

Trace$(D)$

Enhanced$Trace$

Life>me$analysis$

Run$ Client$analyses$ GUI$

Figure 5: MEMINSIGHT tool chain

2. We show that the detailed information collected byMEMINSIGHT is useful for diagnosing and fixing mem-ory issues in real-world web applications.The rest of the paper is organized as follows. After outlin-

ing the different phases of MEMINSIGHT in Sections 2–4 asdescribed above, Sections 5 and 6 respectively present a quan-titative evaluation of MEMINSIGHT and case studies showingits usefulness. Finally, Section 7 discusses related work.

2. Trace GenerationIn principle, our memory analysis framework could be imple-mented in an entirely “online” fashion, with client analysesrunning while the target program is being exercised. How-ever, this approach could have very high analysis overhead,adversely affecting the usability of the target program. Hence,our framework divides the work into two phases. A tracegeneration phase runs along with the target program, record-ing relevant memory operations into a trace file. Then, clientanalyses run in an offline mode, based on the recorded trace.Here we first discuss the design of our trace format, craftedto balance detail with analysis overhead. Then, we discussour handling of uninstrumented code and the DOM in particu-lar. We defer discussion of certain challenges in handling theJavaScript language to Section 3.3.

2.1. Trace Design

To enable client analyses like leak detection, we require thattraces be sufficient to reconstruct object lifetimes, i.e., whenobjects are created and become unreachable. Hence, tracesmust include records of each object allocation and each mem-ory write, both to variables and to object fields (“properties”in JavaScript parlance). As an optimization, we avoid loggingwrites when the old and new values are both primitive, assuch writes are irrelevant to a memory analysis. A deleteoperation on an object property is modeled as a write of null.3

To handle functions, the generator logs calls and returns,and also logs declarations of local variables to enable properscope handling. For leak detection, we also log the last use ofeach object, where an object is used when it is dereferenced or,for function objects, when it is invoked. We only log the lastuse of each object since we found that logging all uses wasprohibitively expensive, and last use information is sufficientfor computing object staleness.

Figure 6 shows the generated trace for a simple example.Most entries includes a source location at the end. The allo-

3We do not yet model the effect of delete on the shape of the object, orphysical object sizes in general; see “Limitations” in Section 5.1.

1 var x = {};

2 var y = {};

3 function m(p,q)

4 {

5 p.f = q;

6 };

7 m(x,y);

8 x = null;

DECLARE x,y,m;

ALLOCOBJ 2 at 1;

WRITE x,2 at 1;

ALLOCOBJ 3 at 2;

WRITE y,3 at 2;

ALLOCFUN 4 at 3;

WRITE m,4 at 3;

CALL 4 at 7;

DECLARE p = 2,

q = 3;

PUTFIELD 2,"f",3

at 5;

LASTUSE 2 at 5;

RETURN at 7;

LASTUSE 4 at 7;

WRITE x,0 at 8;

UNREACHABLE

2 at 8;

UNREACHABLE

3 at end;

UNREACHABLE

4 at end;

Figure 6: A simple code example and the corresponding trace.Red entries are added in the enhanced trace.

1 var elem = document.createElement("div");

2 div.innerHTML = "<p><h1>Hello World!</h1></p>";

3 document.getElementById("x").appendChild(elem);

Figure 7: Example to illustrate handling of DOM-related code.

cation entries introduce a unique identifier used to name thecorresponding object throughout the trace. We use a distinctentry type to identify function object allocation, used to enableproper handling of closures (see below). In our implementa-tion, LASTUSE entries include a timestamp and all appear atthe end of the generated trace (since the last use is only knownat the end of the program); a separate post-processing phaseinserts the entries at the appropriate slots.

2.2. Uninstrumented Code

MEMINSIGHT works robustly in the presence of uninstru-mented JavaScript code or native code from the environment,e.g., DOM functions. Here, we detail our strategies for han-dling uninstrumented code and the DOM.

Uninstrumented Code In principle, uninstrumented codecould arbitrarily mutate any memory locations to which it hasaccess. Attempting to discover all such behavior via codeinstrumentation alone would be difficult or impossible, partic-ularly since invocations of uninstrumented code may not beobservable (e.g., a browser invoking an uninstrumented eventhandler). Furthermore, such conservative detection wouldrequire frequent traversals of the full heap visible to uninstru-mented code, a very costly operation.

In practice, we have found a policy of only tracking refer-ences created in instrumented code to strike a good balancebetween coverage of relevant behaviors and analysis overhead.

4

63


JavaScript$code$


code$

Instrumentor$(C)$

Trace$(D)$

Enhanced$Trace$

Life>me$analysis$






2.1. Trace Design





1 var x = {};

2 var y = {};

3 function m(p,q)

4 {

5 p.f = q;

6 };

7 m(x,y);

8 x = null;

DECLARE x,y,m;

ALLOCOBJ 2 at 1;

WRITE x,2 at 1;

ALLOCOBJ 3 at 2;

WRITE y,3 at 2;

ALLOCFUN 4 at 3;

WRITE m,4 at 3;

CALL 4 at 7;

DECLARE p = 2,

q = 3;

PUTFIELD 2,"f",3

at 5;

LASTUSE 2 at 5;

RETURN at 7;

LASTUSE 4 at 7;

WRITE x,0 at 8;

UNREACHABLE

2 at 8;

UNREACHABLE

3 at end;

UNREACHABLE

4 at end;











4

Preserve line numbers

63


JavaScript$code$


code$

Instrumentor$(C)$

Trace$(D)$

Enhanced$Trace$

Life>me$analysis$






2.1. Trace Design





1 var x = {};

2 var y = {};

3 function m(p,q)

4 {

5 p.f = q;

6 };

7 m(x,y);

8 x = null;

DECLARE x,y,m;

ALLOCOBJ 2 at 1;

WRITE x,2 at 1;

ALLOCOBJ 3 at 2;

WRITE y,3 at 2;

ALLOCFUN 4 at 3;

WRITE m,4 at 3;

CALL 4 at 7;

DECLARE p = 2,

q = 3;

PUTFIELD 2,"f",3

at 5;

LASTUSE 2 at 5;

RETURN at 7;

LASTUSE 4 at 7;

WRITE x,0 at 8;

UNREACHABLE

2 at 8;

UNREACHABLE

3 at end;

UNREACHABLE

4 at end;











4

Preserve call stack

63


JavaScript$code$


code$

Instrumentor$(C)$

Trace$(D)$

Enhanced$Trace$

Life>me$analysis$






2.1. Trace Design





1 var x = {};

2 var y = {};

3 function m(p,q)

4 {

5 p.f = q;

6 };

7 m(x,y);

8 x = null;

DECLARE x,y,m;

ALLOCOBJ 2 at 1;

WRITE x,2 at 1;

ALLOCOBJ 3 at 2;

WRITE y,3 at 2;

ALLOCFUN 4 at 3;

WRITE m,4 at 3;

CALL 4 at 7;

DECLARE p = 2,

q = 3;

PUTFIELD 2,"f",3

at 5;

LASTUSE 2 at 5;

RETURN at 7;

LASTUSE 4 at 7;

WRITE x,0 at 8;

UNREACHABLE

2 at 8;

UNREACHABLE

3 at end;

UNREACHABLE

4 at end;











4

Only last use

63


JavaScript$code$


code$

Instrumentor$(C)$

Trace$(D)$

Enhanced$Trace$

Life>me$analysis$






2.1. Trace Design





1 var x = {};

2 var y = {};

3 function m(p,q)

4 {

5 p.f = q;

6 };

7 m(x,y);

8 x = null;

DECLARE x,y,m;

ALLOCOBJ 2 at 1;

WRITE x,2 at 1;

ALLOCOBJ 3 at 2;

WRITE y,3 at 2;

ALLOCFUN 4 at 3;

WRITE m,4 at 3;

CALL 4 at 7;

DECLARE p = 2,

q = 3;

PUTFIELD 2,"f",3

at 5;

LASTUSE 2 at 5;

RETURN at 7;

LASTUSE 4 at 7;

WRITE x,0 at 8;

UNREACHABLE

2 at 8;

UNREACHABLE

3 at end;

UNREACHABLE

4 at end;











4

From lifetime analysis

63

Object lifetimes• From trace, model runtime heap

• Including call stack and closures

• Reference counting to compute unreachability time

• Handle cycles with Merlin algorithm[Hertz et al. ASPLOS’06]

• Insert unreachability times in the enhanced trace

64

DOM Challenges• DOM: tree data structure representing rendered HTML

• Often involved in web app memory leaks

• Many manipulations not directly visible to JavaScript

// allocates new div elementvar elem = document.createElement(“div");

// allocates DOM tree from HTML string and// updates children of elemelem.innerHTML = "<p><h1>Hello World!</h1></p>”;

// inserts elem into global DOMdocument.getElementById("x").appendChild(elem);

65

Our DOM Handling

• elem gets reified into a fresh object ID • no special handling of createElement

• For DOM manipulations, leverage HTML5 mutation observers • Provide asynchronous notifications of DOM mutation • Handles innerHTML manipulation and appendChild

• Additional handling of innerHTML for better source locations

// allocates new div elementvar elem = document.createElement(“div");

// allocates DOM tree from HTML string and// updates children of elemelem.innerHTML = "<p><h1>Hello World!</h1></p>";

// inserts elem into global DOMdocument.getElementById("x").appendChild(elem);

66

Other tricky features

• Constructors: need to properly handle this, and get good source locations

• Eval: instrument on the fly

• Getters / setters: don’t treat calls as reads / writes

• Global object, prototypes, further native models, …

67

Clients built atop MemInsight

• Leak detection: increasing stale object count at idle points (empty call stack)

• Non-escaping: no object escapes allocating function

• Leverages execution index [Xin et al. PLDI’08]

• Inlineable: objects consistently “owned” by objects from another site

• Many more are possible!

68

Case Studies (see paper for details)

• Leaks

• Fixed in one Tizen app shopping_list (patch accepted)

• Confirmed existing patch fixes leak in dataTables

• Leaks found by internal users in other apps

• Churn

• Fixed in one Tizen app annex for 10% speedup (patch accepted)

• 10X speedup for escodegen (patch accepted)

• Bloat: Found object inlining opportunity in old esprima version (since fixed)

69

Leak in Shopping List app

Should have used $.empty()!

70

Run an instrumented app

71

Interactive staleness analysis

72

Interactive staleness analysis

73

Overhead

Low overhead for (most) interactive apps

benchmark overheadrichards 10.4Xdeltablue 15X

crypto 47.1Xraytrace 41.3X

earley-boyer 99.8Xregexp 26.7Xsplay 43.4X

navier-stokes 45.4Xpdfjs 31.8Xbox2d 35.8X

typescript 77.2X

74

Reducing Overhead• Only log the last use of an object (not all uses)

• Don’t log operations on primitive fields

• Enhanced Jalangi to do selective instrumentation

• Binary trace format

• Work with simulated heap as opposed to real heap

• Reflection too expensive / fragile

75

Advanced Jalangi Usage

76

Tracing• Common technique: store a trace, and do heavyweight

analysis over the trace • Supported directly in Jalangi 1 via record/replay • But, hard to debug and write analyses

• lib/analysis/Loggers.ts has all analysis tracing code • Under Node.js, dump trace to file system

(BinaryFSLogger) • From web, trace over web socket

(BinaryWebSocketLogger) • lib/server/server.ts has server code • pipes trace directly to running lifetime analysis

77

Integrating Static Analysis

• MemInsight needs the “free variables” of each function

• Captured by closures, relevant for lifetimes • Computed by freeVarsAstHandler.ts • Provided as an AST handler to Jalangi instrumentation • Jalangi stores result of AST handler inside

instrumented code • For eval’d code, use the instrumentCode callback

78

Native Methods• Built-in methods that cannot be instrumented

• Standard JS library, DOM routines • (In general, any uninstrumented code)

• Modeling is analysis-specific • For MemInsight, lib/analysis/NativeModels.ts

• Also, careful with callbacks from native methods • may see functionEnter without invokeFunPre

79

Analysis Configuration

• May want analysis-wide configuration options • E.g., MemInsight allows for a debug function for

dumping ref counts • Use --initParam option to instrument.js (web) or esnstrument_cli.js (node.js)

• values stored in J$.initParams

80

Debugging with JSDelta

81

https://github.com/WALA/jsdelta

https://github.com/WALA/jsdelta

JSDelta: motivation• Building a Jalangi analysis

• Works great on unit tests

• But, crashes on jQuery!

• What went wrong? Need a minimized input

• Jsdelta does automatic input minimization

• Via delta debugging [Zeller, FSE’99]

82

JSDelta: Demo

83

Google “JS Delta Walkthrough”

Using JSDelta• Easy: write a script that prints a message when error

occurs

• Also works for JSON, entire directories

• For a Jalangi analysis:

• Check for errors in uninstrumented program first

• Always run with a timeout (e.g., with timeout command)

• For browser code, use PhantomJS, Selenium, etc.

84

• DLint:DynamicallyCheckingJSCodingPractice

• JITProf:FindJScodethatprohibitJIT-optimization

85

DLintandJITProf

LiangGong,ElectricEngineering&ComputerScience,UniversityofCalifornia,Berkeley.

[ISSTA’15] DLint: Dynamically Checking Bad Coding Practices in JavaScriptLiang Gong, Michael Pradel, Manu Sridharan, Koushik Sen

[FSE’15] JITProf: Pinpointing JIT-unfriendly JavaScript codeLiang Gong, Michael Pradel, Koushik Sen

DLintandJITProfforWebPages

mitmproxyObserve requests & intercepts responses

that contain JS and webpages

©LiangGong,ElectricEngineering&ComputerScience,UniversityofCalifornia,Berkeley.86



87

DLintandJITProf




• Goodcodingpractices• Informalrules• Improvecodequality

• Betterqualitymeans:• Fewercorrectnessissues• Betterperformance• Betterusability• Bettermaintainability• Fewersecurityloopholes• Fewersurprises• …

88

Whatarecodingpractices?


89

varsum=0,value;vararray=[11,22,33];for(valueinarray){sum+=value;}>sum?

Rule:avoidusingfor..inoverarrays


90


11+22+33=>66arrayindex

(notarrayvalue)0+1+2=>3 arrayindex:string0+"0"+"1"+"2"=>"0012"



• Cross-browserissues• ResultdependsontheArrayprototypeobject

91


11+22+33=>66arrayindex

(notarrayvalue)0+1+2=>3 arrayindex:string0+"0"+"1"+"2"=>"0012"

>"0012indexOftoString..."



92


for(i=0;i<array.length;i++){sum+=array[i];}

functionaddup(element,index,array){sum+=element;}array.forEach(addup);



93






CodingPracticesandLintTools

• ExistingLint-likecheckers– Inspectsourcecode

– Detectcommonmistakes

• Limitations:– Approximatesbehavior

– Unknownaliases

– Linttoolsfavorprecisionoversoundness

• Difficulty:Precisestaticprogramanalysis

94LiangGong,ElectricEngineering&ComputerScience,UniversityofCalifornia,Berkeley.

95

• DynamicLintercheckingcodequalityrulesforJS

• Open-source,robust,andextensibleframework• Formalizedandimplemented28rules

– Counterpartsofstaticrules– Additionalrules

• Empiricalstudy– ItisbettertouseDLintandstaticlintertogether

DLint


96




Detectfor..inoverarrayswithJalangi



for(valueinobj){sum+=value;}




Have a warning whenobj in for-in is an array.




instrumentation


JalangiInstrumentedCode




instrumentation

functionforinObject(iid,val){

}






instrumentation

functionforinObject(iid,val){if(isArray(val)){//reportwarning!}}






instrumentation







instrumentation




J$.iidToLocation(iid);




instrumentation




file.js:<start line>:<start col>:<end line>:<end col>



Checkers

107

CheckNaN.jsConcatUndefinedToString.jsNonObjectPrototype.js SetFieldToPrimitive.js OverFlowUnderFlow.js StyleMisuse.js ToStringGivesNonString.js UndefinedOffset.js NoEffectOperation.js AddEnumerablePropertyToObject.js ConstructWrappedPrimitive.jsInconsistentNewCallPrefix.jsUncountableSpaceInRegexp.jsFloatNumberEqualityComparison.js

FunctionToString.js ShadowProtoProperty.jsForInArray.jsNonNumericArrayProperty.jsOverwrittenPrototype.jsGlobalThis.js CompareFunctionWithPrimitives.js InconsistentConstructor.js FunctionCalledWithMoreArguments.js IllegalUseOfArgumentsVariable.js DoubleEvaluation.jsEmptyClassInRegexp.jsUseArrObjConstrWithoutArg.jsMissRadixArgInParseNum.js


Chained Analysis

108

PutField(Read("a",a),"f",GetField(Read("b",b),"g"))

a.f=b.g

functions

ChainedAnalysis

PutField

Read

…

functions

Checker-1

PutField

Read

…functions

Checker-2

PutField

Read

…

functions

Checker-n

PutField

Read

…

…


Other Resources


Jalangi (v2) Github

https://github.com/ksen007/jalangi2analysesDLint + JITProf Github based on Jalangi (v2)

LiangGong,ElectricEngineering&ComputerScience,UniversityofCalifornia,Berkeley.109

https://github.com/JacksonGL/jitprof-visualizationJITProf Visualization Github based on Jalangi (v2)



110

DLintandJITProf




Simplifies coding• Write less, do more ! more productive• Code is less verbose ! easier to understand

Dynamic language features:


Motivation of JITProf

Simplifies coding• Write less, do more ! more productive• Code is less verbose ! easier to understand Slow execution• Too many runtime checks• Object property lookup -> hash table lookup ...

Dynamic language features:


Motivation of JITProf

SplayTree.prototype.insert=function(key,value){ ...varnode=newSplayTree.Node(key,value);if(key>this.root_.key){node.left=this.root_;node.right=this.root_.right;...}else{node.right=this.root_;node.left=this.root_.left;...}this.root_=node;};

113

Pinpointing JIT-unfriendly JavaScript Code


• Code snippet from Google Octane Benchmark:


114




Causeofpoorperformance:• nodehastwolayouts:offsetofleftinnodecanbe0or1• JITcannotreplacenode.leftwithnode[0]ornode[1]

Performanceboost:

15%

6.7%

115





Performanceboost:

15%

6.7%

116





JITProf Simulates the Hidden Classesbased on the information provided by Jalangi

Back to the Motivating Example

functionThing(flag){if(!flag){this.b=4;this.a=3;}else{this.a=2;this.b=1;}}

for(vari=0;i<1000000;i++){varo=newThing(i%2);result+=o.a+o.b;}


• Each object has a meta information associated with it

• The meta information keeps track of its object layout and its transition history.





Objects

Property Offset

__proto__

HiddenClassesAnonymous

HiddenClass

Hiddenclasssimulationbeforethestatement





Objects

Property Offset

__proto__


HiddenClass

Objects

Property Offset__proto__


Offset0 4

HiddenClass

Property Offset

b 0

__proto__


Hiddenclasssimulationafterthestatement





Objects

Property Offset

__proto__


Offset0 4

Offset1 3

HiddenClassProperty Offset

b 0

__proto__

Property Offset

b 0

__proto__

a 1

Objects

Anonymous2

HiddenClass

Property Offset

a 0

__proto__

Offset0 2

Offset1 3

Property Offset

a 0

__proto__

b 1





Objects

Property Offset

__proto__


HiddenClass

Property Offset__proto__Offset0 4

HiddenClass

Property Offset

b 0

__proto__







Objects

Property Offset

__proto__


HiddenClass


HiddenClass

Property Offset

b 0

__proto__



functionputFieldPre(iid,base,offset,val…){//logicforupdatingthehiddenclass

}

invoke

Jalangi





Objects

Property Offset

__proto__


HiddenClass


HiddenClass

Property Offset

b 0

__proto__




}

invoke

Jalangithis.b=4;





Objects

Property Offset

__proto__


HiddenClass


HiddenClass

Property Offset

b 0

__proto__




}

invoke

Jalangithis.b=4;

'b'





Objects

Property Offset

__proto__


HiddenClass


HiddenClass

Property Offset

b 0

__proto__



functionputFieldPre(iid,base,offset,val…){varsobj=J$.smemory.getShadowObject(base);sobj.hiddenClass...}

invoke

Jalangithis.b=4;

'b'




varo={a:1,b:2};


InterceptputFieldtoupdatethehiddenclass




varo={a:1,b:2};



InterceptinvokeFuntorecordobjectcreationlocation




varo={a:1,b:2};




InterceptgetFieldtorecordinlinecachemisses




varo={a:1,b:2};




InterceptgetFieldtorecordinlinecachemisses

Interceptliteraltoupdatehiddenclass+recordobjectcreationlocation


• Use inconsistent object layout• Access undeclared property or array element• Store non-numeric value in numeric arrays• Use in-contiguous keys for arrays• Not all properties are initialized in constructors• … and more

JIT-unfriendly Code Checked by JITProf

©LiangGong,ElectricEngineering&ComputerScience,UniversityofCalifornia,Berkeley.

vararray=[];for(vari=10000;i>=0;i--){array[i]=i;}

134

Rule #5: Use Contiguous Keys for Array



135

array[10000]=10000;array[9999]=9999;...

• non-contiguous array • To save memory, JIT-engine decides to represent

the array with slow data structures like hash table.


10X+speedup!



for(vari=0;i<=10000;i++){array[i]=i;}

136




137

loc1:

• InterceptputFieldoperationofarrays• Ranklocationsbynumberassignmentstonon-contiguousarrays


higher ! better

138

(*)means smaller is better group average improve rate

sunspider-chrome-sha1 (*) original 1884.7588 26.3%refactored 1299.0706

octane-firefox-Splay original 11331.59 3.5%refactored 12198.65

Sunspider-String-Tagcloud (*) original 9178.76 11.7%refactored 9457.53

octane-firefox-DeltaBlue original 28473.53 1.4%refactored 31154.06

octane-chrome-Box2D original 24569.47 7.5%refactored 24915.00

octane-chrome-RayTrace original 43595.94 12.9%refactored 48140.35


higher ! better

(*)means smaller is better group average improve rate

octane-chrome-Splay original 10278.59 15.1%refactored 11885.71

octane-chrome-SplayLatency original 20910.24 3.8%refactored 21994.82

sunspider-chrome-3d-Cube (*) original 597.047059 1.1%refactored 593.744118

sunspider-firefox-sha1 (*) original 680.476471 3.3%refactored 669.932353

sunspider-firefox-Xparb (*) original 364.6824 19.7%refactored 357.2235

sunspider-chrome-md5 (*) original 774.3500 24.6%refactored 665.8382

sunspider-chrome-format-tofte (*) original 212.2029 3.4%refactored 200.9000

139©LiangGong,ElectricEngineering&ComputerScience,UniversityofCalifornia,Berkeley.

• https://github.com/ksen007/jalangi2analyses

140

InstallDLintandJITProfwithJalangi2


npm install

• pip install pyOpenSSL • pip install mitmproxy==0.11.3

Installthemitmproxycertificatemanually(drag-and-drop)

(third-party framework)

• man-in-the-middleproxy• Interactive,SSL-capableproxyforHTTPwith

aconsoleinterface.• Intercepthttpcommunicationbetweenthe

clientandtheserverforinstrumentation.

141

mitmproxyBrowser Server

requestforwarded request

responseforwarded response


(third-party framework)


142

Installmitmproxy



143

Installmitmproxy


• Man-in-the-middleProxy• SSLandHTTPSisdesignedagainstMITM• HTTPSHandleshakeerrorduetouncertified

modificationviainstrumentation

144

TheHTTPSProblem

Browser Server


response


mitmproxy +Jalangi Instrumentation

145

TheHTTPSProblem



+ a CertificateAuthorityImplementation

Browser Server


response



146

TheHTTPSProblem



+ a CertificateAuthorityImplementation

Browser Server


response



Other Resources


Jalangi (v2) Github

https://github.com/ksen007/jalangi2analysesDLint + JITProf Github based on Jalangi (v2)


Questions

https://github.com/JacksonGL/jitprof-visualizationJITProf Visualization Github based on Jalangi (v2)

Jalangi: A Dynamic Analysis Framework for JavaScript · • Assembly Language for the Web:...

Documents

Transcript of Jalangi: A Dynamic Analysis Framework for JavaScript · • Assembly Language for the Web:...