Sukyoung Ryu

Towards a Cost-Effective Estimation of Uncaught Exceptions in SML Programs

We present a static analysis that detects potential runtime exceptions that are raised and never handled inside Standard ML (SML) programs. This analysis will predict abrupt termination of SML programs, which is SMLs only one “safety hole”.

Scalable and Precise Static Analysis of JavaScript Applications via Loop-Sensitivity

The numbers and sizes of JavaScript applications are ever growing but static analysis techniques for analyzing large-scale JavaScript applications are not yet ready in a scalable and precise manner. Even when building complex software like compilers and operating systems in JavaScript, developers do not get much benefits from existing static analyzers, which suffer from mutually intermingled problems of scalability and imprecision. In this paper, we present Loop-Sensitive Analysis (LSA) that improves the analysis scalability by enhancing the analysis precision in loops. LSA distinguishes loop iterations as many as needed by automatically choosing loop unrolling numbers during analysis. We formalize LSA in the abstract interpretation framework and prove its soundness and precision theorems using Coq. We evaluate our implementation of LSA using the analysis results of main web pages in the 5 most popular websites and those of the programs that use top 5 JavaScript libraries, and show that it outperforms the state-of-the-art JavaScript static analyzers in terms of analysis scalability. Our mechanization and implementation of LSA are both publicly available.

Modular multiple dispatch with multiple inheritance

Overloaded functions and methods with multiple dispatch are useful for extending the functionality of existing classes in an object-oriented language. However, such functions introduce the possibility of ambiguous calls that cannot be resolved at run time, and modular static checking that such ambiguity does not exist has proved elusive in the presence of multiple implementation inheritance. We present a core language for defining overloaded functions and methods that supports multiple dispatch and multiple inheritance, together with a set of restrictions on these definitions that can be statically and modularly checked. We have proved that these restrictions guarantee that no undefined nor ambiguous calls occur at run time, while still permitting various kinds of overloading.

SAFEWAPI: web API misuse detector for web applications

The evolution of Web 2.0 technologies makes web applications prevalent in various platforms including mobile devices and smart TVs. While one of the driving technologies of web applications is JavaScript, the extremely dynamic features of JavaScript make it very difficult to define and detect errors in JavaScript applications. The problem becomes more important and complicated for JavaScript web applications which may lead to severe security vulnerabilities. To help developers write safe JavaScript web applications using vendor-specific Web APIs, vendors specify their APIs often in Web IDL, which enables both API writers and users to communicate better by understanding the expected behaviors of the Web APIs. In this paper, we present SAFEWAPI, a tool to analyze Web APIs and JavaScript web applications that use the Web APIs and to detect possible misuses of Web APIs by the web applications. Even though the JavaScript language semantics allows to call a function defined with some parameters without any arguments, platform developers may require application writers to provide the exact number of arguments. Because the library functions in Web APIs expose their intended semantics clearly to web application developers unlike pure JavaScript functions, we can detect wrong uses of Web APIs precisely. For representative misuses of Web APIs defined by software quality assurance engineers, our SAFEWAPI detects such misuses in real-world JavaScript web applications.

Static Analysis of JavaScript Web Applications in the Wild via Practical DOM Modeling (T)

We present SAFEWapp, an open-source static analysis framework for JavaScript web applications. It provides a faithful (partial) model of web application execution environments of various browsers, based on empirical data from the main web pages of the 9,465 most popular websites. A main feature of SAFEWapp is the configurability of DOM tree abstraction levels to allow users to adjust a trade-off between analysis performance and precision depending on their applications. We evaluate SAFEWapp on the 5 most popular JavaScript libraries and the main web pages of the 10 most popular websites in terms of analysis performance, precision, and modeling coverage. Additionally, as an application of SAFEWapp, we build a bug detector for JavaScript web applications that uses static analysis results from SAFEWapp. Our bug detector found previously undiscovered bugs including ones from wikipedia.org and amazon.com.

Formal specification of a JavaScript module system

The JavaScript programming language, originally developed as a simple scripting language, is now the language of choice for web applications. All the top 100 sites on the web use JavaScript and its use outside web pages is rapidly growing. However, JavaScript is not yet ready for programming in the large: it does not support a module system. Lack of namespaces introduces module patterns, and makes it difficult to use multiple JavaScript frameworks together. In this paper, we propose a formal specification of a JavaScript module system. A module system for JavaScript will allow safe and incremental development of JavaScript web applications. While the next version of the JavaScript standard proposes a module system, it informally describes its design in prose. We formally specify a module system as an extension to the existing JavaScript language, and rigorously describe its semantics via desugaring to LambdaJS, a prior core calculus for JavaScript. We implement the desugaring process and show its faithfulness using real-world test suites. Finally, we define a set of properties for valid JavaScript programs using modules and formally prove that the proposed module system satisfies the validity properties.

Parsing Fortress syntax

In this paper, we report our experience with parsing the syntax of the Fortress programming language. Fortress is a new programming language designed for scientific and high-performance computing. Features include: implicit parallelism, transactions, and concrete syntax that emulates mathematical notation. Fortress is intended to grow over time to accommodate the changing needs of its users. Parsing the Fortress syntax is nontrivial due to its support for mathematical syntax and growable syntax. Mathematical syntax is highly ambiguous and growable syntax allows a program itself to define how it is parsed. Fortress currently runs entirely on the JVM, which requires internal representation of Fortress as Java classes. We describe our trials to parse the entire Fortress syntax, in the presence of constant changes of the language syntax and its internal representation. and the lessons we learned from the experience.

HybriDroid: static analysis framework for Android hybrid applications

Mobile applications (apps) have long invaded the realm of desktop apps, and hybrid apps become a promising solution for supporting multiple mobile platforms. Providing both platform-specific functionalities via native code like native apps and user interactions via JavaScript code like web apps, hybrid apps help developers build multiple apps for different platforms without much duplicated efforts. However, most hybrid apps are developed in multiple programming languages with different semantics, which may be vulnerable to programmer errors. Moreover, because untrusted JavaScript code may access device-specific features via native code, hybrid apps may be vulnerable to various security attacks. Unfortunately, no existing tools can help hybrid app developers by detecting errors or security holes. In this paper, we present HybriDroid, a static analysis framework for Android hybrid apps. We investigate the semantics of Android hybrid apps especially for the interoperation mechanism of Android Java and JavaScript. Then, we design and implement a static analysis framework that analyzes inter-communication between Android Java and JavaScript. As example analyses supported by HybriDroid, we implement a bug detector that identifies programmer errors due to the hybrid semantics, and a taint analyzer that finds information leaks cross language boundaries. Our empirical evaluation shows that the tools are practically usable in that they found previously uncovered bugs in real-world Android hybrid apps and possible information leaks via a widely-used advertising platform.

Practically Tunable Static Analysis Framework for Large-Scale JavaScript Applications (T)

We present a novel approach to analyze large-scale JavaScript applications statically by tuning the analysis scalability possibly giving up its soundness. For a given sound static baseline analysis of JavaScript programs, our framework allows users to define a sound approximation of selected executions that they are interested in analyzing, and it derives a tuned static analysis that can analyze the selected executions practically. The selected executions serve as parameters of the framework by taking trade-off between the scalability and the soundness of derived analyses. We formally describe our framework in abstract interpretation, and implement two instances of the framework. We evaluate them by analyzing large-scale real-world JavaScript applications, and the evaluation results show that the framework indeed empowers users to experiment with different levels of scalability and soundness. Our implementation provides an extra level of scalability by deriving sparse versions of derived analyses, and the implementation is publicly available.

Development nature matters: An empirical study of code clones in JavaScript applications

Code cloning is one of the active research areas in the software engineering community. Specifically, researchers have conducted numerous empirical studies on code cloning and reported that 7 % to 23 % of the code in a typical software system has been cloned. However, there was less awareness of code clones in dynamically-typed languages and most studies are limited to statically-typed languages such as Java, C, and C++. In addition, most previous studies did not consider different application domains such as standalone projects or web applications. As a result, very little is known about clones in dynamically-typed languages, such as JavaScript, in different application domains. In this paper, we report a large-scale clone detection experiment in a dynamically-typed programming language, JavaScript, for different application domains: web pages and standalone projects. Our experimental results showed that unlike JavaScript standalone projects, JavaScript web applications have 95 % of inter-file clones and 91–97 % of widely scattered clones. We observed that web application developers created clones intentionally and such clones may not be as risky as claimed in previous studies. Understanding the risks of cloning in web applications requires further studies, as cloning may be due to either good or bad intentions. Also, we identified unique development practices such as including browser-dependent or device-specific code in code clones of JavaScript web applications. This indicates that features of programming languages and technologies affect how developers duplicate code.