Gulfstream: Incremental Static Analysis for Streaming JavaScript Applications

  • Ben Livshits ,
  • Salvatore Guarnieri

MSR-TR-2010-4 |

The advent of Web 2.0 has led to the proliferation of client-side code that is typically written in JavaScript. Recently, there has been an upsurge of interest in static analysis of client-side JavaScript. However, most approaches in static analysis literature assume that the entire program is available to analysis. This, however, is in direct contradiction with the nature of Web~2.0 programs that are essentially being streamed at the user’s browser. Users can see data being streamed to pages in the form of page updates, but the same thing can be done with code, essentially delaying the downloading of code until it is needed. In essence, the entire program is never completely available, by interacting with the application, more and more code is sent over to the browser.

This paper explores incremental static analysis as a way to analyze streaming JavaScript programs. In particular, we advocate the use of combined offline-online static analysis as a way to accomplish fast, online incremental analysis at the expense of a more thorough and costly offline analysis on the static code. We find that in normal use, where updates to the code are small, we can incrementally update static analysis results quickly enough to be acceptable for everyday use. We demonstrate this hybrid approach to be advantageous in a wide variety of settings, especially in mobile devices.