How I Learned to Stop Worrying and Love the “DOM”: Characterizing and Improving the Reliability of JavaScript-based Web Applications

JavaScript is today the de-facto programming language of the modern web, and has enabled Rich Interactive Web Applications (RIAs). RIAs are fast replacing traditional desktop and mobile applications. Yet writing RIAs using JavaScript is challenging due to the dynamic nature of the language, and the interaction of JavaScript code with the webpage’s Document Object Model (DOM). DOM interactions are especially challenging as they rely upon the programmer having a correct mental model of the DOM at any point in time, and reasoning based on this model. However, currently there is little tool support for programmers to reason about these DOM interactions.

In this talk, I will present our work on characterizing and improving the reliability of RIAs. We study over 300 JavaScript bug reports from twelve different applications to understand the characteristics of JavaScript errors. We find that nearly two-thirds of the bug reports are due to DOM-JavaScript interactions or what we call DOM-related faults. Furthermore, about 80% of the highest-impact JavaScript faults (such as security vulnerabilities), are DOM-related faults. Finally, we find that most DOM-related faults arise from the JavaScript code itself, and fall into a few recurring patterns. I will conclude this talk by describing some of the tools and techniques that we’re building in our group to deal with JavaScript faults, and particularly DOM-related faults.

This is joint work with Frolin Ocariza, Kartik Bajaj and Ali Mesbah from UBC.