ISBN: (print) 9781450367479
Including JavaScript code from many different hosts is a popular practice in developing web applications. For example, to include a social plugin like the Facebook Like button, a web developer needs to only include a script from *** in her/his web page. However, in a web browser, all the identifiers (i.e., variable names and function names) in scripts loaded in the same frame share a single global namespace. Therefore, a script can overwrite any of the global variables and/or global functions defined in another script, causing unexpected behavior. In this work, we develop a browser-based dynamic analysis framework that monitors and records any writes to JavaScript global variables and global functions. Our tool is able to cover all the code executed at run time. We detected 778 conflicts across the Alexa top 1K websites. Our results show that global name conflicts can indeed expose web applications to security risks.
ISBN: (print) 9781450359337
To solve JavaScript's callback hell problem, several language mechanisms like Promise and async/await have already been introduced to JavaScript. Using async/await, which is the most promising one, callback hell code can be rewritten to another simple and shallowly nested code with (almost) the same behavior. Unfortunately, however, it is still difficult to precisely understand the execution order of the rewritten async/await code, because the semantics of async/await is difficult. This paper first clarifies that this problem is caused by the difficulty of the async/await semantics. Then, we propose and implement a novel async/await visualizer called AwaitViz, to help programmers understand the execution order of async/await. Our contribution is twofold. First, we show the feasibility of implementing the visualizer AwaitViz based on source-code instrumentation, which provides precise information on JavaScript's asynchronous behavior. Second, we show the difficulties and limitations of implementing AwaitViz.
ISBN: (print) 9781728125084
Industry widely uses unstructured merge tools that rely on textual analysis to detect and resolve conflicts between code contributions. Semistructured merge tools go further by partially exploring the syntactic structure of code artifacts, and, as a consequence, obtaining significant merge accuracy gains for Java-like languages. To understand whether semistructured merge and the observed gains generalize to other kinds of languages, we implement two semistructured merge tools for JavaScript, and compare them to an unstructured tool. We find that current semistructured merge algorithms and frameworks are not directly applicable for scripting languages like JavaScript. By adapting the algorithms, and studying 10,345 merge scenarios from 50 JavaScript projects on GitHub, we find evidence that our JavaScript tools report fewer spurious conflicts than unstructured merge, without compromising the correctness of the merging process. The gains, however, are much smaller than the ones observed for Java-like languages, suggesting that semistructured merge advantages might be limited for languages that allow both commutative and non-commutative declarations at the same syntactic level.
ISBN: (print) 9781450369855
Object serialization is important to a variety of applications, including session migration and distributed computing. A general JavaScript object serializer must support function serialization as functions are first-class objects. However, JavaScript offers no built-in function serialization and limits custom serializers by exposing no meta operator to query a function's captured variables. Code instrumentation can expose captured variables but state-of-the-art instrumentation techniques introduce high overheads, vary in supported syntax and/or use complex (de)serialization algorithms. We introduce FlashFreeze, an instrumentation technique based on capture lists. FlashFreeze achieves a tiny run-time overhead: an Octane score reduction of 3% compared to 76% for the state-of-the-art ThingsMigrate tool and 1% for the work-in-progress FSM tool. FlashFreeze supports all self-contained ECMAScript 5 programs except for specific uses of eval, with, and source code inspection. FlashFreeze's construction gives rise to simple (de)serialization algorithms.
ISBN: (print) 9783030026837; 9783030026820
The goal of this transcompiler is to open JavaScript to some advanced OOP features, such as operator overloading, as well as to introduce new syntax patterns for comfortable code writing.
ISBN: (print) 9781450365734
Existing static analyzers for JavaScript use constant propagation domains to analyze strings. The simplicity of these domains results in a huge loss of precision when dealing with features such as dynamic property access. This paper presents a string analysis for the full JavaScript language based on abstract interpretation. The analysis uses finite state automata to track all possible strings a variable might hold during execution. We present an empirical performance and precision evaluation on some JavaScript benchmarks and show that the analysis achieves a higher level of precision, especially when handling dynamic property access.