Detecting JavaScript Races that Matter

As JavaScript has become virtually omnipresent as the language for programming large and complex web applications in the last several years, we have seen an increase in interest in finding data races in client-side JavaScript. While JavaScript execution is single-threaded, there is still enough potential for data races, created largely by the non-determinism of the scheduler. Recently, several academic efforts have explored both static and runtime analysis approaches in an effort to find data races. However, despite this, we have not seen these analysis techniques deployed in practice and we have only seen scarce evidence that developers find and fix bugs related to data races in JavaScript.

In this paper we argue for a different formulation of what it means to have a data race in a JavaScript application and distinguish between benign and harmful races, affecting persistent browser or server state. We further argue that while benign races (the subject of the majority of prior work) do exist, harmful races are exceedingly rare in practice (19 harmful vs. 621 benign). Our results shed a new light on the issues of data race prevalence and importance.

To find races, we also propose a novel lightweight runtime symbolic exploration algorithm for finding races in traces of runtime execution. Our algorithm eschews schedule exploration in favor of smaller runtime overheads and thus can be used by beta testers or in crowd-sourced testing. In our experiments on 26 sites, we demonstrate that benign races are considerably more common than harmful ones.
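
The benign/harmful distinction drawn above can be made concrete with a small added example, which is not code from the paper: it runs a pair of event handlers in both dispatch orders and calls the race harmful only if the persistent state differs between the two. Unlike the paper's trace-based algorithm it explores both schedules directly, for clarity; every name in it is hypothetical and the handlers are constructed samples, with a `Map` standing in for `localStorage` or server state.

```javascript
// Added illustration (not the paper's algorithm): run two event handlers in
// both dispatch orders and compare the state each order leaves behind.
// All names below are hypothetical; the handlers are constructed samples.

function freshState() {
  return {
    transient: { banner: null },  // in-page state, gone after a reload
    persistent: new Map(),        // stand-in for localStorage or server state
  };
}

function runSchedule(handlers) {
  const state = freshState();
  for (const h of handlers) h(state);
  return state;
}

// Order-independent serialization of the persistent store.
const snapshot = (store) => JSON.stringify([...store.entries()].sort());

function classifyRace(a, b) {
  const ab = runSchedule([a, b]);
  const ba = runSchedule([b, a]);
  if (snapshot(ab.persistent) !== snapshot(ba.persistent)) return "harmful";
  if (JSON.stringify(ab.transient) !== JSON.stringify(ba.transient)) return "benign";
  return "no-race";
}

// Benign: two callbacks race on a transient UI field; last writer wins.
const showWelcome = (s) => { s.transient.banner = "Welcome"; };
const showReady = (s) => { s.transient.banner = "Ready"; };

// Harmful: a load callback overwrites the saved cart, while a click handler
// does a read-modify-write on it. If the click fires first, the item is lost.
const onCartLoaded = (s) => { s.persistent.set("cart", JSON.stringify(["book"])); };
const onAddClick = (s) => {
  const cart = JSON.parse(s.persistent.get("cart") ?? "[]");
  cart.push("pen");
  s.persistent.set("cart", JSON.stringify(cart));
};

// Independent persistent writes commute, so no race is reported.
const setTheme = (s) => { s.persistent.set("theme", "dark"); };
const setLang = (s) => { s.persistent.set("lang", "en"); };

console.log(classifyRace(showWelcome, showReady));
console.log(classifyRace(onCartLoaded, onAddClick));
console.log(classifyRace(setTheme, setLang));
```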