ICSE 2023
Sun 14 - Sat 20 May 2023 Melbourne, Australia
Fri 19 May 2023 15:45 - 16:00 at Meeting Room 104 - Program analysis Chair(s): Marsha Chechik

JavaScript is an increasingly popular language for server-side development, thanks in part to the Node.js runtime environment and its vast ecosystem of modules. With the Node.js package manager npm, users are able to easily include external modules as dependencies in their projects. However, npm installs modules with all of their functionality, even if only a fraction is needed, which causes an undue increase in code size. Eliminating this unused functionality from distributions is desirable, but the sound analysis required to find unused code is difficult due to JavaScript’s extreme dynamicity. We present a fully automatic technique that identifies unused code by constructing static or dynamic call graphs from the application’s tests, and replacing code deemed unreachable with either file- or function-level stubs. Due to JavaScript’s highly dynamic nature, call graph construction may suffer from unsoundness, i.e., code identified as unused may in fact be reachable. To handle such cases, if a stub is called, it will fetch and execute the original code on demand to preserve the application’s behavior. The technique also provides an optional guarded execution mode to guard the application against injection vulnerabilities in untested code that resulted from stub expansion. This technique is implemented in an open source tool called Stubbifier, designed to help package developers produce a minimal production distribution. Stubbifier supports the ECMAScript 2019 standard. In an empirical evaluation on 15 Node.js applications and 75 clients of these applications, Stubbifier reduced application size by 56% on average while incurring only minor performance overhead. The evaluation also shows that Stubbifier’s guarded execution mode is capable of preventing several known injection vulnerabilities that are manifested in stubbed-out code. Finally, Stubbifier can work alongside bundlers, popular JavaScript tools for bundling an application with its dependencies. For the considered subject applications, we measured an average size reduction of 37% in bundled distributions.
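The stub-and-expand idea from the abstract, as an added sketch that is not Stubbifier's own code: a function-level stub loads the removed source on first call, and a guarded mode keeps the expanded code away from a dynamic-evaluation sink. The names `removedSource`, `makeStub`, `blockedEval` and `demo` are hypothetical, and refusing `eval` is an assumed guard policy chosen for illustration.

```javascript
// Added sketch, not Stubbifier's code. All names here are hypothetical.
// Constructed stand-in for code stripped from the distribution and kept
// elsewhere for on-demand retrieval: function name -> original source.
const removedSource = {
  add: 'function add(a, b) { return a + b; }',
  calc: 'function calc(expr) { return eval(expr); }', // injection sink
};

const expansionLog = []; // which stubs were expanded at run time

// Assumed guard policy: dynamic code evaluation is refused in expanded code.
function blockedEval() {
  throw new Error('guarded mode: eval refused in expanded stub code');
}

// Build the stub that replaces a function the call graph deemed unreachable.
function makeStub(name, guarded) {
  let original = null; // filled in on first call
  return function stub(...args) {
    if (original === null) {
      expansionLog.push(name); // the call graph was unsound for this function
      // Function-constructor code is non-strict, so `eval` can be shadowed by a
      // parameter: expanded code sees either the real eval or the guard.
      const load = new Function('eval', 'return (' + removedSource[name] + ');');
      original = load(guarded ? blockedEval : eval);
    }
    return original.apply(this, args);
  };
}

// Run a fresh stub on constructed input and report what happened.
function demo(name, guarded, ...args) {
  try {
    return { ok: true, value: makeStub(name, guarded)(...args) };
  } catch (err) {
    return { ok: false, value: err.message };
  }
}

console.log(demo('add', true, 2, 3));      // benign code still works when guarded
console.log(demo('calc', false, '6 * 7')); // unguarded: input reaches eval
console.log(demo('calc', true, '6 * 7'));  // guarded: the sink is refused
```

The expansion log is the useful by-product for a defender: every entry marks code the tests never exercised, which is where the guard matters.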

Fri 19 May

Displayed time zone: Hobart

15:45 - 17:15
15:45
15m
Talk
Stubbifier: debloating dynamic server-side JavaScript applications
Journal-First Papers
Alexi Turcotte Northeastern University, Ellen Arteca Northeastern University, Ashish Mishra Purdue University, Saba Alimadadi Simon Fraser University, Frank Tip Northeastern University
16:00
15m
Talk
DStream: A Streaming-Based Highly Parallel IFDS Framework
Technical Track
Xizao Wang Nanjing University, Zhiqiang Zuo Nanjing University, Lei Bu Nanjing University, Jianhua Zhao Nanjing University, China
16:15
15m
Talk
(Partial) Program Dependence Learning
Technical Track
Aashish Yadavally The University of Texas at Dallas, Wenbo Wang New Jersey Institute of Technology, Shaohua Wang New Jersey Institute of Technology, Tien N. Nguyen University of Texas at Dallas
16:30
15m
Talk
MirrorTaint: Practical Non-intrusive Dynamic Taint Tracking for JVM-based Microservice Systems
Technical Track
Yicheng Ouyang University of Illinois at Urbana-Champaign, Kailai Shao Ant Group, Kunqiu Chen Southern University of Science and Technology, Ruobing Shen Peking University, Chao Chen Ant Group, Mingze Xu Ant Group, Yuqun Zhang Southern University of Science and Technology, Lingming Zhang University of Illinois at Urbana-Champaign
16:45
15m
Talk
Incremental Call Graph Construction in Industrial Practice
SEIP - Software Engineering in Practice
Zelin Zhao Ant Group, Xizao Wang Nanjing University, Zhaogui Xu Ant Group, Zhenhao Tang Ant Group, Yongchao Li Ant Group, Peng Di Ant Group
17:00
15m
Talk
Generic Partition Refinement and Weighted Tree Automata
Showcase
Hans-Peter Deifel Friedrich-Alexander University Erlangen-Nürnberg, Germany, Stefan Milius, Lutz Schröder University of Erlangen-Nuremberg, Thorsten Wißmann Friedrich-Alexander University Erlangen-Nürnberg