A Principled Approach to GraphQL Query Cost Analysis
ACM SIGSOFT Distinguished Paper Award
The landscape of web APIs is evolving to meet new client requirements and to facilitate how providers fulfill them. A recent web API model is GraphQL, which is both a query language and a runtime. Using GraphQL, client queries express the data they want to retrieve or mutate, and servers respond with exactly those data or changes. GraphQL’s expressiveness is risky for service providers because clients can succinctly request stupendous amounts of data, and responding to overly complex queries can be costly or disrupt service availability. Recent empirical work has shown that many service providers are at risk. Using traditional API management methods is not sufficient, and practitioners lack principled means of estimating and measuring the cost of the GraphQL queries they receive.
In this work, we present a linear-time GraphQL query analysis that can measure the cost of a query without executing it. Our approach can be applied in a separate API management layer and used with arbitrary GraphQL backends. In contrast to existing static approaches, our analysis supports common GraphQL conventions that affect query cost, and our analysis is provably correct based on our formal specification of GraphQL semantics.
We demonstrate the potential of our approach using a novel GraphQL query-response corpus for two commercial GraphQL APIs. Our query analysis consistently obtains upper cost bounds, tight enough relative to the true response sizes to be actionable for service providers. In contrast, existing static GraphQL query analyses exhibit over-estimates and under-estimates because they fail to support GraphQL conventions.
Wed 11 NovDisplayed time zone: (UTC) Coordinated Universal Time change
01:30 - 02:00
Cloud / Services 2Paper Presentations / Research Papers / Industry Papers at Virtual room 2
|A Principled Approach to GraphQL Query Cost AnalysisACM SIGSOFT Distinguished Paper Award|
Alan Cha IBM Research, USA, Erik Wittern IBM, USA, Guillaume Baudart IBM Research, USA, James C. Davis Purdue University, USA, Louis Mandel IBM Research, USA, Jim A. Laredo IBM Research, USADOI Pre-print Media Attached
|Block Public Access: Trust Safety Verification of Access Control Policies|
Malik Bouchet Amazon, USA, Byron Cook Amazon, Bryant Cutler Amazon, USA, Anna Druzkina Amazon, USA, Andrew Gacek Amazon, USA, Liana Hadarean Amazon, Ranjit Jhala Amazon, USA, Brad Marshall Amazon, USA, Dan Peebles Amazon, USA, Neha Rungta Amazon Web Services, Cole Schlesinger Amazon, USA, Chriss Stephens Amazon, USA, Carsten Varming Amazon, USA, Andy Warfield Amazon, USADOI
|Efficient Incident Identification from Multi-dimensional Issue Reports via Meta-heuristic Search|
Jiazhen Gu Fudan University, China, Chuan Luo Microsoft Research, China, Si Qin Microsoft Research, n.n., Bo Qiao Microsoft Research, China, Qingwei Lin Microsoft Research, China, Hongyu Zhang University of Newcastle, Australia, Ze Li Microsoft, USA, Yingnong Dang Microsoft, USA, Shaowei Cai Institute of Software at Chinese Academy of Sciences, China, Wei-Cheng Wu University of Southern California, USA, Yangfan Zhou Fudan University, China, Murali Chintalapati Microsoft, n.n., Dongmei Zhang Microsoft Research, ChinaDOI
|Graph-Based Trace Analysis for Microservice Architecture Understanding and Problem Diagnosis|
Xiaofeng Guo Fudan University, China, Xin Peng Fudan University, China, Hanzhang Wang eBay, Wanxue Li eBay, USA, Huai Jiang eBay, USA, Dan Ding Fudan University, China, Tao Xie Peking University, Liangfei Su eBay, USADOI
|Real-Time Incident Prediction for Online Service Systems|
Nengwen Zhao Tsinghua University, Junjie Chen Tianjin University, China, Zhou Wang BizSeer, China, Xiao Peng Beijing University of Posts and Telecommunications, China, Gang Wang China EverBright Bank, Yong Wu China EverBright Bank, Fang Zhou China EverBright Bank, Zhen Feng EverBright Bank, China, Xiaohui Nie EverBright Bank, China, Wenchi Zhang Tsinghua University, China, Kaixin Sui BizSeer, Dan Pei BizSeer, ChinaDOI
|Scaling Static Taint Analysis to Industrial SOA Applications: A Case Study at Alibaba|
Jie Wang Peking University, China / Ant Group, China / Alibaba Group, China, Yunguang Wu Ant Group, China, Gang Zhou Ant Group, China, Yiming Yu Ant Group, China, Zhenyu Guo Ant Group, China, Yingfei Xiong Peking UniversityDOI
|Conversations on Cloud / Services 2|
Alan Cha IBM Research, USA, Andrew Gacek , Jiazhen Gu , Jie Wang Institute of Software, Chinese Academy of Sciences, Nengwen Zhao Tsinghua University, Xiaofeng Guo Fudan University, China, M: Satish Chandra Facebook, USA