A Deep Study of the Effects and Fixes of Server-Side Request Races in Web Applications

Title: A Deep Study of the Effects and Fixes of Server-Side Request Races in Web Applications
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Qiu, Zhengyi; Shao, Shudi; Zhao, Qi; Khan, Hassan Ali; Hui, Xinning; Jin, Guoliang
Conference Name: 2022 IEEE/ACM 19th International Conference on Mining Software Repositories (MSR)
Keywords: characteristic study, composability, Computer bugs, Computer languages, Concurrency, concurrency control, external and internal effects, fix strategies, Metrics, Object-Relational Mapping, pubcrawl, resilience, Resiliency, security, Semantics, Software, Synchronization, web-application request races
Abstract

Server-side web applications are vulnerable to request races. While some previous studies of real-world request races exist, they primarily focus on the root cause of these bugs. To better combat request races in server-side web applications, we need a deep understanding of their characteristics. In this paper, we provide a complementary focus on race effects and fixes with an enlarged set of request races from web applications developed with Object-Relational Mapping (ORM) frameworks. We revisit characterization questions used in previous studies on newly included request races, distinguish the external and internal effects of request races, and relate request-race fixes with concurrency control mechanisms in languages and frameworks for developing server-side web applications. Our study reveals that: (1) request races from ORM-based web applications share the same characteristics as those from raw-SQL web applications; (2) request races violating application semantics without explicit crashes and error messages externally are common, and latent request races, which only corrupt some shared resource internally but require extra requests to expose the misbehavior, are also common; and (3) various fix strategies other than using synchronization mechanisms are used to fix request races. We expect that our results can help developers better understand request races and guide the design and development of tools for combating request races.

Notes

ISSN: 2574-3864

DOI: 10.1145/3524842.3528463
Citation Key: qiu_deep_2022