10 research outputs found

    Interprocedural Type Specialization of JavaScript Programs Without Type Analysis

    Dynamically typed programming languages such as Python and JavaScript defer type checking to run time. VM implementations can improve performance by eliminating redundant dynamic type checks. However, type inference analyses are often costly and involve tradeoffs between compilation time and resulting precision. This has led to the creation of increasingly complex multi-tiered VM architectures. Lazy basic block versioning is a simple JIT compilation technique which effectively removes redundant type checks from critical code paths. This novel approach lazily generates type-specialized versions of basic blocks on-the-fly while propagating context-dependent type information. This approach does not require the use of costly program analyses and is not restricted by the precision limitations of traditional type analyses. This paper extends lazy basic block versioning to propagate type information interprocedurally, across function call boundaries. Our implementation in a JavaScript JIT compiler shows that across 26 benchmarks, interprocedural basic block versioning eliminates more type tag tests on average than what is achievable with static type analysis without resorting to code transformations. On average, 94.3% of type tag tests are eliminated, yielding speedups of up to 56%. We also show that our implementation is able to outperform Truffle/JS on several benchmarks, both in terms of execution time and compilation time. Comment: 10 pages, 10 figures, submitted to CGO 201

    Scripting languages and frameworks: analysis and verification (Dagstuhl Seminar 14271)


    Simple and Effective Type Check Removal through Lazy Basic Block Versioning

    Dynamically typed programming languages such as JavaScript and Python defer type checking to run time. In order to maximize performance, dynamic language VM implementations must attempt to eliminate redundant dynamic type checks. However, type inference analyses are often costly and involve tradeoffs between compilation time and resulting precision. This has led to the creation of increasingly complex multi-tiered VM architectures. This paper introduces lazy basic block versioning, a simple JIT compilation technique which effectively removes redundant type checks from critical code paths. This novel approach lazily generates type-specialized versions of basic blocks on-the-fly while propagating context-dependent type information. This does not require the use of costly program analyses, is not restricted by the precision limitations of traditional type analyses and avoids the implementation complexity of speculative optimization techniques. We have implemented intraprocedural lazy basic block versioning in a JavaScript JIT compiler. This approach is compared with a classical flow-based type analysis. Lazy basic block versioning performs as well or better on all benchmarks. On average, 71% of type tests are eliminated, yielding speedups of up to 50%. We also show that our implementation generates more efficient machine code than TraceMonkey, a tracing JIT compiler for JavaScript, on several benchmarks. The combination of implementation simplicity, low algorithmic complexity and good run time performance makes basic block versioning attractive for baseline JIT compilers.

    Static Types with Less Syntax: Locus Types

    Optionally and gradually-typed languages allow types to be introduced to dynamic code as needed. While this approach allows some gradual movement from dynamically to statically-typed code, it requires rewriting object-constructing code to use conventional static types. We introduce a flexible notion of type, deemed "locus types", that aims to minimize syntactic burden and the need for refactoring when introducing types to dynamic code. Locus types are gained by objects that pass through an annotated code site, following the creed of "code is types". Their structure is inferred from local type information computed through flow-based type refinement. The design of LocusTypeScript, a language extending TypeScript with locus types, is detailed. Tooling support, building on that of TypeScript, for programming with locus types is described. As well, the general properties and applicability of locus types are explored. LocusTypeScript's simple algorithm for computing stable flow-based refinement types is presented. The implications and performance impact of making locus types sound are discussed

    Configurable and Sound Static Analysis of JavaScript: Techniques and Applications

    JavaScript is widespread. Web developers use JavaScript to enrich user experience via dynamic content ranging from scripts to enhance a web page's appearance, to full-blown web applications, to extending the functionality of web browsers in the form of browser addons. Desktop developers use JavaScript, e.g., for OS applications in Windows 8. JavaScript's growing prominence means that secure, correct, and fast JavaScript code is becoming ever more critical. Static analysis traditionally plays a large role in providing these characteristics: it can be used for security auditing, error-checking, debugging, optimization, and program refactoring, among other uses. Thus, a sound, precise static analysis platform for JavaScript can be of enormous advantage. In this thesis, we present our work on creating a sound, precise, configurable and fast static analysis for JavaScript called JSAI that we have made openly available to the research community. JSAI is both a practical tool for JavaScript static analysis and also a research platform for experimenting with static analysis techniques. JSAI showcases a number of novel techniques to soundly compute a combination of type inference, pointer analysis, control-flow analysis, string analysis, and integer and boolean constant propagation for JavaScript programs. It also provides a unique method for modularly configuring analysis precision that is based on fundamental new insights into the theory of static analysis. We describe precision-increasing techniques for the analysis using type refinement; and performance-increasing techniques for the analysis based on parallelization of JSAI. As an example use-case for JSAI, we discuss a novel security analysis for JavaScript-based browser addon vetting.

    Reverse engineering of JavaScript web applications to aid comprehension and documentation

    This thesis examines reverse engineering as a way to help developers understand, modify and document the structure of their web applications. Recovering the structure of an application often requires static analysis of the source code to find the elements and relationships that make up the application. Web development poses particular challenges here because it involves several languages. Some of these languages, such as HTML and CSS, are relatively simple; others are less so. In particular, JavaScript, a key language of web technology, has significant dynamic aspects (e.g., dynamic typing, dynamic evaluation of character strings) that could make static analysis of the source code very ineffective. Indeed, recovering the elements that make up the application and the links between them might require a so-called dynamic analysis performed on execution scenarios. However, such dynamic analyses do not guarantee complete coverage of the application and can only be carried out if the code is executable. We therefore conducted an empirical study on the viability of static analysis for reverse engineering JavaScript. Building on these results and on observations about existing techniques and tools, we propose our own avenues of solution in the form of a new reverse-engineering approach (Web application Viewer). This tool is subsequently used to conduct structure-visualization experiments using force-directed diagrams and class diagrams. The reverse-engineering tool created extracts the main elements of the structure of a web application for the JavaScript, Node.js, HTML and CSS languages. The results are satisfactory and allow developers to document their applications quickly using diagrams.

    Type refinement for static analysis of JavaScript

    No full text
