Gregorio Robles,Raula Gaikovina Kula,Chaiyong Ragkhitwetsagul,Tattiya Sakulniwat,Kenichi Matsumoto,Jesus M. Gonzalez-Barahona

DOI: https://doi.org/10.48550/arXiv.2203.15990

2022-03-30

Abstract:Python is known to be a versatile language, well suited both for beginners and advanced users. Some elements of the language are easier to understand than others: some are found in any kind of code, while some others are used only by experienced programmers. The use of these elements lead to different ways to code, depending on the experience with the language and the knowledge of its elements, the general programming competence and programming skills, etc. In this paper, we present pycefr, a tool that detects the use of the different elements of the Python language, effectively measuring the level of Python proficiency required to comprehend and deal with a fragment of Python code. Following the well-known Common European Framework of Reference for Languages (CEFR), widely used for natural languages, pycefr categorizes Python code in six levels, depending on the proficiency required to create and understand it. We also discuss different use cases for pycefr: identifying code snippets that can be understood by developers with a certain proficiency, labeling code examples in online resources such as Stackoverflow and GitHub to suit them to a certain level of competency, helping in the onboarding process of new developers in Open Source Software projects, etc. A video shows availability and usage of the tool: <a class="link-external link-https" href="https://tinyurl.com/ypdt3fwe" rel="external noopener nofollow">this https URL</a>.

Software Engineering

Lingfeng Bao,Shengyi Pan,Zhenchang Xing,Xin Xia,David Lo,Xiaohu Yang

DOI: https://doi.org/10.1145/3368089.3417925

2020-01-01

Abstract:Programming screencasts have become a pervasive resource on the Internet, which is favoured by many developers for learning new programming skills. For developers, the source code in screencasts is valuable and important. However, the streaming nature of screencasts limits the choice that they have for interacting with the code. Many studies apply the Optical Character Recognition (OCR) technique to convert screen images into text, which can be easily searched and indexed. However, we observe that the noise in the screen images significantly affects the quality of OCRed code. In this paper, we develop a tool named psc2code , which has two components, denoising code extraction from screencasts and enhancing programming video interaction. Experiment results on 1142 programming screencasts from YouTube show psc2code can effectively identify frames containing valid code region with a F1-score of 0.88 and improve the quality of OCRed code by fixing 46% of the errors. We also conduct a user study to evaluate the applicability of psc2code in enhancing video interaction, which shows it helps participants learn the knowledge in tutorials more efficiently.

Leonardo Humberto Silva,Daniel Hovadick,Marco Tulio Valente,Alexandre Bergel,Nicolas Anquetil,Anne Etien

DOI: https://doi.org/10.48550/arXiv.1602.05891

2016-02-18

Software Engineering

Abstract:With the increasing usage of JavaScript in web applications, there is a great demand to write JavaScript code that is reliable and maintainable. To achieve these goals, classes can be emulated in the current JavaScript standard version. In this paper, we propose a reengineering tool to identify such class-like structures and to create an object-oriented model based on JavaScript source code. The tool has a parser that loads the AST (Abstract Syntax Tree) of a JavaScript application to model its structure. It is also integrated with the Moose platform to provide powerful visualization, e.g., UML diagram and Distribution Maps, and well-known metric values for software analysis. We also provide some examples with real JavaScript applications to evaluate the tool.

Liming Wang,Ying Xian,Li Zhang,Xiyang Liu

DOI: https://doi.org/10.4028/www.scientific.net/AMM.241-244.2690

2013-01-01

Abstract:The rapid development of Web 2.0 leads scripting language such as JavaScript to be ubiquitous in web pages; however the dynamic nature and flexibility of JavaScript make its development, debugging, maintenance, and reuse difficult. To improve the efficiency and accuracy of JavaSript security analysis, we propose a new JavaScript analysis method based on program slicing, together with a prototype-implemented JavaScript slicing tool, named JSSlicer. We also present a proof-of-concept application example of JSSlicer where an example of the common mode failure problem is tackled.

Marcos Viana,Andre Hora,Marco Tulio Valente

DOI: https://doi.org/10.48550/arXiv.1705.05476

2017-05-15

Software Engineering

Abstract:JavaScript is one of the most popular programming languages on the web. Despite the language popularity and the increasing size of JavaScript systems, there is a limited number of visualization tools that can be used by developers to comprehend, maintain, and evolve JavaScript software. In this paper, we introduce JSCity, an implementation in JavaScript of the well-known Code City software visualization metaphor. JSCity relies on JavaScript features and libraries to show "software cities" in standard web browsers, without requiring complex installation procedures. We also report our experience on producing visualizations for 40 popular JavaScript systems using JScity.

Kunlun Ren,Weizhong Qiang,Yueming Wu,Yi Zhou,Deqing Zou,Hai Jin

DOI: https://doi.org/10.1109/dsn58367.2023.00041

2023-01-01

Abstract:Due to the convenience and popularity of Web applications, they have become a prime target for attackers. As the main programming language for Web applications, many methods have been proposed for detecting malicious JavaScript, among which static analysis-based methods play an important role because of their high effectiveness and efficiency. However, obfuscation techniques are commonly used in JavaScript, which makes the features extracted by static analysis contain many useless and disguised features, leading to many false positives and false negatives in detection results. In this paper, we propose a novel method to find out the essential features related to the semantics of JavaScript code. Specifically, we develop JS-Revealer, a robust, effective, scalable, and interpretable detector for malicious JavaScript. To test the capabilities of JSRevealer, we conduct comparative experiments with four other state-of-the-art malicious JavaScript detection tools. The experimental results show that JSRevealer has an average F1 of 84.8% on the data obfuscated by different obfuscators, which is 21.6%, 22.3%, 18.7%, and 22.9% higher than the tools CUJO, ZOZZLE, JAST, and JSTAP, respectively. Moreover, the detection results of JSRevealer can be interpreted, which can provide meaningful insights for further security research.

Jiabin Ye,Cheng Zhang,Lei Ma,Haibo Yu,Jianjun Zhao

DOI: https://doi.org/10.1109/saner.2016.96

2016-01-01

Abstract:JavaScript is the de facto dominant programming language for developing web applications. Most popular websites are using JavaScript, especially to develop client-side features. Being syntactically flexible and highly dynamic, JavaScript is easy to use and productive, but its code is known to be less maintainable. The task of maintaining client-side JavaScript code is further complicated by the pervasive interactions between JavaScript code and HTML elements, through browsers. In this paper, we present JS-Slicer, a dynamic slicer for JavaScript, to ease the task of understanding and debugging practical client-side JavaScript code. JS-Slicer defines three types of dependences, including data dependences, control dependences, and DOM dependences, to capture all relationships between program elements. JS-Slicer extends a novel dynamic analysis framework and combines dynamic and static analysis to precisely capture the dependences at run-time. A lot of language specific issues are properly handled, which enables JS-Slicer to slice practical JavaScript code. Our evaluation on six real-world web applications and JavaScript libraries shows that JS-Slicer is both precise and efficient: on average it captures around 40K dependences in 2.5K lines of code, in less than 3.0 seconds.

Cristian Mattarei,Clark Barrett,Shu-yu Guo,Bradley Nelson,Ben Smith,JF Bastien

DOI: https://doi.org/10.48550/arXiv.1801.10140

2018-01-30

Logic in Computer Science

Abstract:Nearly all web-based interfaces are written in JavaScript. Given its prevalence, the support for high performance JavaScript code is crucial. The ECMA Technical Committee 39 (TC39) has recently extended the ECMAScript language (i.e., JavaScript) to support shared memory accesses between different threads. The extension is given in terms of a natural language memory model specification. In this paper we describe a formal approach for validating both the memory model and its implementations in various JavaScript engines. We first introduce a formal version of the memory model and report results on checking the model for consistency and other properties. We then introduce our tool, EMME, built on top of the Alloy analyzer, which leverages the model to generate all possible valid executions of a given JavaScript program. Finally, we report results using EMME together with small test programs to analyze industrial JavaScript engines. We show that EMME can find bugs as well as missed opportunities for optimization.

Feng Xiao,Zhongfu Su,Guangliang Yang,Wenke Lee

DOI: https://doi.org/10.1109/sp54263.2024.00183

2024-01-01

Abstract:Static data flow analysis techniques have been broadly applied in analyzing and detecting security threats in web applications. However, without actual code execution, they often suffer serious precision issues and may even miss serious vulnerabilities, especially when facing modern JavaScript applications characterized by complex operations and semantics. To combat these complex semantics, we propose a novel semantic understanding approach, namely computation-based semantic explanation (CSE). CSE can effectively identify and resolve common failures arising from complex semantics in static data flow analysis, ultimately improving the detection of potential vulnerabilities.We implement a prototype tool of CSE, called Jasmine. By applying Jasmine to more than 10K real-world JavaScript programs, we find complex operations and semantics are prevalent in practice and heavily impede the state-of-art static techniques (e.g., Github’s CodeQL and IBM’s WALA) from regular security validations. Our experiments show Jasmine can effectively resolve complex semantics and lead to the discovery of 22 hidden vulnerabilities, which are not detectable by existing tools. Among these vulnerabilities, 13 ones are previously unknown, i.e., zero-day vulnerabilities. Up to now, nine CVEs have been issued, and five of them have been rated as ‘critical’ with a 9.8 severity score.

Brittany Reid,Marcelo d`Amorim,Markus Wagner,Christoph Treude

DOI: https://doi.org/10.48550/arXiv.2101.00756

2023-01-02

Abstract:Code reuse is an important part of software development. The adoption of code reuse practices is especially common among <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> developers. The <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> package manager, NPM, indexes over 1 Million packages and developers often seek out packages to solve programming tasks. Due to the vast number of packages, selecting the right package is difficult and time consuming. With the goal of improving productivity of developers that heavily reuse code through third-party packages, we present Node Code Query (NCQ), a Read-Eval-Print-Loop environment that allows developers to 1) search for NPM packages using natural language queries, 2) search for code snippets related to those packages, 3) automatically correct errors in these code snippets, 4) quickly setup new environments for testing those snippets, and 5) transition between search and editing modes. In two user studies with a total of 20 participants, we find that participants begin programming faster and conclude tasks faster with NCQ than with baseline approaches, and that they like, among other features, the search for code snippets and packages. Our results suggest that NCQ makes <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> developers more efficient in reusing code.

Software Engineering

Guixin Ye,Zhanyong Tang,Shin Hwei Tan,Songfang Huang,Dingyi Fang,Xiaoyang Sun,Lizhong Bian,Haibo Wang,Zheng Wang

DOI: https://doi.org/10.1145/3453483.3454054

2021-01-01

Abstract:JavaScript (JS) is a popular, platform-independent programming language. To ensure the interoperability of JS programs across different platforms, the implementation of a JS engine should conform to the ECMAScript standard. However, doing so is challenging as there are many subtle definitions of API behaviors, and the definitions keep evolving. We present Comfort, a new compiler fuzzing framework for detecting JS engine bugs and behaviors that deviate from the ECMAScript standard. COMFORT leverages the recent advance in deep learning-based language models to automatically generate JS test code. As a departure from prior fuzzers, COMFORT utilizes the well-structured ECMAScript specifications to automatically generate test data along with the test programs to expose bugs that could be overlooked by the developers or manually written test cases. COMFORT then applies differential testing methodologies on the generated test cases to expose standard conformance bugs. We apply COMFORT to ten mainstream JS engines. In 200 hours of automated concurrent testing runs, we discover bugs in all tested JS engines. We had identified 158 unique JS engine bugs, of which 129 have been verified, and 115 have already been fixed by the developers. Furthermore, 21 of the COMFORT-generated test cases have been added to Test262, the official ECMAScript conformance test suite.

Aditi Agrawal,Archit Jain,Benjamin Reed

DOI: https://doi.org/10.48550/arXiv.2211.11883

2022-11-21

Computers and Society

Abstract:CodEval is a code evaluation tool that integrates with the Canvas Learning Management System to automatically evaluates students' work within a few minutes of the submission. This early feedback allows students to catch and correct problems in their submissions before their submission is graded and gives them a clear idea of the quality of their submission. CodEval handles the tedious aspects of grading, such as compiling and running tests, leaving graders more time to spend on the qualitative aspect of grading. Before using CodEval, instructors would not have a clear view of the student's comprehension of the concept evaluated by the assignment until after the due date. CodeEval helps instructors identify and address the gaps in students' understanding and thus helps more students successfully complete the assignment. We implemented CodEval using Python using the public Canvas API. Any instructor or grader for a Canvas course can use CodEval to automatically evaluate submissions for programming assignments. We developed a syntax to express requirements of submissions such as compilation parameters, inputs, outputs, command-line arguments, timeouts, exit codes, functions used, files generated, output validators, and more. We have made CodEval open source. CodEval is an easy tool for students, graders, and instructors and seamlessly integrates with Canvas. We share our experience with using CodEval in two classes with a total of 90 students and multiple coding assignments.

Yi Hou,Wuxia Jin,Zhijun Wang,Liuming Wang,Shuguang Chen,Yihan Wang,Lei Sang,Haijun Wang,Ting Liu

DOI: https://doi.org/10.1145/3671016.3674820

2024-01-01

Abstract:In the field of software development, the application of code quality check tools has become a key factor in improving product quality and development efficiency. While many existing tools are effective at detecting common problems in code, there are still some limitations. Firstly, these tools rely on predefined rules that may not fully encompass real-world coding challenges. Secondly, a lack of consideration of dependencies leads to failure to report violations occurring across files or modules. Third, the metrics used by these tools primarily focus on object-oriented programming, limiting their ability to assess software quality from the perspective of nationalized standards. To address these issues, this work proposes a dependency-enhanced method namely ERD-CQC for code quality detection and measurement. ERD-CQC provides 88 detection rules and 45 metrics, supplementing checking rules in categories such as Circuit Breaking, Serializable, and Security. ERD-CQC constructs an infused graph by integrating abstract syntax trees (ASTs), entities, and dependencies for violation detection. Based on the detection results, ERD-CQC provides a code quality measurement system with 4 nationalized standard dimensions for the purpose of measuring code quality from multiple perspectives. To validate the effectiveness of ERD-CQC, we manually examined 647 compliant and 528 non-compliant code snippets. ERD-CQC achieves the recall and F1 score exceeding 98%. We also collected open-source projects and closed-source projects in the real world, containing a total of 4,319 non-compliant code snippets. On this real-world benchmark, the average F1 score of ERD-CQC is 11.44% higher than the advanced tool SonarQube. Finally, we visualized the quality measurement results based on metrics and found that open-source and closed-source projects have certain patterns in metric performance. Our work will benefit developers in checking, evaluating, and monitoring their software quality comprehensively.

Shivadharshan S,Akilesh P,Rajrupa Chattaraj,Sridhar Chimalakonda

2024-12-18

Abstract:With the increasing complexity of modern software and the demand for high performance, energy consumption has become a critical factor for developers and researchers. While much of the research community is focused on evaluating the energy consumption of machine learning and artificial intelligence systems -- often implemented in Python -- there is a gap when it comes to tools and frameworks for measuring energy usage in other programming languages. C++, in particular, remains a foundational language for a wide range of software applications, from game development to parallel programming frameworks, yet lacks dedicated energy measurement solutions. To address this, we have developed CPPJoules, a tool built on top of Intel-RAPL to measure the energy consumption of C++ code snippets. We have evaluated the tool by measuring the energy consumption of the standard computational tasks from the Rosetta Code repository. The demonstration of the tool is available at \url{<a class="link-external link-https" href="https://www.youtube.com/watch?v=GZXYF3AKzPk" rel="external noopener nofollow">this https URL</a>} and related artifacts at \url{<a class="link-external link-https" href="https://rishalab.github.io/CPPJoules/" rel="external noopener nofollow">this https URL</a>}.

Software Engineering

Gao Pengfei,Xu Yongjie,Song Fu,Chen Taolue

DOI: https://doi.org/10.1007/s11704-020-0356-7

IF: 2.6688

2021-01-01

Frontiers of Computer Science

Abstract:JavaScript has become one of the most widely used languages for Web development. Its dynamic and event-driven features make it challenging to ensure the correctness of Web applications written in JavaScript. A variety of dynamic analysis techniques have been proposed which are, however, limited in either coverage or scalability. In this paper, we propose a simple, yet effective, model-based automated testing approach to achieve a high code-coverage within the time budget via testing with longer event sequences. We implement our approach as an open-source tool LJS, and perform extensive experiments on 21 publicly available benchmarks. On average, LJS is able to achieve 86.5% line coverage in 10 minutes. Compared with JSDEP, a state-of-the-art breadth-first search based automated testing tool enriched with partial order reduction, the coverage of LJS is 11%–19% higher than that of JSDEP on real-world large Web applications. Our empirical findings support that proper longer test sequences can achieve a higher code coverage in JavaScript Web application testing.

Ryosuke Ishizue,Kazunori Sakamoto,Hironori Washizaki,Yoshiaki Fukazawa

DOI: https://doi.org/10.1016/j.heliyon.2020.e03806

IF: 3.776

2020-04-01

Heliyon

Abstract:Many researchers have proposed program visualization tools for memory management. Examples include state-of-the-art tools for C languages such as SeeC and Python Tutor (PT). However, three problems hinder the use of these and other tools: capability (P1), installability (P2), and usability (P3). (P1) Tools do not fully support dynamic memory allocation or File Input / Output (I/O) and Standard Input. (P2) Novice programmers often have difficulty installing SeeC due to its dependence on Clang and setting up an offline environment that uses PT. (P3) Revisualization of the modified source code in SeeC requires several steps. To alleviate these issues, we propose a new visualization tool called PlayVisualizerC.js (PVC.js). PVC.js, which is designed for novice C language programmers to provide solutions (S1–3) for P1–3. S1 offers complete support for dynamic memory allocation, standard I/O, and file I/O. S2 involves installation in a user web browser. This system is composed of JavaScript programs, including C language execution functions. S3 reduces the steps required for revisualization. To evaluate PVC.js, we conducted two experiments. The first experiment found that students using PVC solved a set of four programming tasks on average 1.7—times faster and with 19% more correct answers than those using SeeC. The second experiment found that PVC.js has a visualization performance equivalent to PT, and that PVC.js is more effective than existing general debugging tools for novices to understand programs in cases where the values of important variables change and the control flow is complicated.

Yuejun Guo,Seifeddine Bettaieb,Qiang Hu,Yves Le Traon,Qiang Tang

2023-07-27

Abstract:Representing source code in a generic input format is crucial to automate software engineering tasks, e.g., applying machine learning algorithms to extract information. Visualizing code representations can further enable human experts to gain an intuitive insight into the code. Unfortunately, as of today, there is no universal tool that can simultaneously visualise different types of code representations. In this paper, we introduce a tool, CodeLens, which provides a visual interaction environment that supports various representation methods and helps developers understand and explore them. CodeLens is designed to support multiple programming languages, such as Java, Python, and JavaScript, and four types of code representations, including sequence of tokens, abstract syntax tree (AST), data flow graph (DFG), and control flow graph (CFG). By using CodeLens, developers can quickly visualize the specific code representation and also obtain the represented inputs for models of code. The Web-based interface of CodeLens is available at <a class="link-external link-http" href="http://www.codelens.org" rel="external noopener nofollow">this http URL</a>. The demonstration video can be found at <a class="link-external link-http" href="http://www.codelens.org/demo" rel="external noopener nofollow">this http URL</a>.

Software Engineering,Artificial Intelligence,Machine Learning

Vineeth Kashyap,Kyle Dewey,Ethan A. Kuefner,John Wagner,Kevin Gibbons,John Sarracino,Ben Wiedermann,Ben Hardekopf

DOI: https://doi.org/10.48550/arXiv.1403.3996

2014-03-17

Programming Languages

Abstract:We describe JSAI, an abstract interpreter for JavaScript. JSAI uses novel abstract domains to compute a reduced product of type inference, pointer analysis, string analysis, integer and boolean constant propagation, and control-flow analysis. In addition, JSAI allows for analysis control-flow sensitivity (i.e., context-, path-, and heap-sensitivity) to be modularly configured without requiring any changes to the analysis implementation. JSAI is designed to be provably sound with respect to a specific concrete semantics for JavaScript, which has been extensively tested against existing production-quality JavaScript implementations. We provide a comprehensive evaluation of JSAI's performance and precision using an extensive benchmark suite. This benchmark suite includes real-world JavaScript applications, machine-generated JavaScript code via Emscripten, and browser addons. We use JSAI's configurability to evaluate a large number of analysis sensitivities (some well-known, some novel) and observe some surprising results. We believe that JSAI's configurability and its formal specifications position it as a useful research platform to experiment on novel sensitivities, abstract domains, and client analyses for JavaScript.

Vikas Kambhampati,Nehaz Hussain Mohammed,Amin Milani Fard

2024-11-29

Abstract:JavaScript has been consistently among the most popular programming languages in the past decade. However, its dynamic, weakly-typed, and asynchronous nature can make it challenging to write maintainable code for developers without in-depth knowledge of the language. Consequently, many JavaScript applications tend to contain code smells that adversely influence program comprehension, maintenance, and debugging. Due to the widespread usage of JavaScript, code security is an important matter. While JavaScript code smells and detection techniques have been studied in the past, current work on security smells for JavaScript is scarce. Security code smells are coding patterns indicative of potential vulnerabilities or security weaknesses. Identifying security code smells can help developers to focus on areas where additional security measures may be needed. We present a set of 24 JavaScript security code smells, map them to a possible security awareness defined by Common Weakness Enumeration (CWE), explain possible refactoring, and explain our detection mechanism. We implement our security code smell detection on top of an existing open source tool that was proposed to detect general code smells in JavaScript.

Cryptography and Security,Software Engineering

Zhe Li,Fei Xie

DOI: https://doi.org/10.48550/arxiv.2405.06832

2024-05-10

Software Engineering

Abstract:JavaScript is prevalent in web and server apps, handling sensitive data. JS testing methods lag behind other languages. Insitu concolic testing for JS is effective but slow and complex. Our method enhances tracing with V8 Sparkplug baseline compiler and remill libraries for assembly to LLVM IR conversion. Evaluation on 160 Node.js libraries reveals comparable coverage and bug detection in significantly less time than the in-situ method.