Watch the video or explore the live demo yourself, and read how it works at https://github.com/coekie/flowtracker
For instrumentation, instead of an instrumenting agent it uses a fork of the official Clojure compiler (in Clojure you can easily swap compilers at dev) that adds extra bytecode. What is interesting about recording Clojure programs execution is that most values are immutable, so you can snapshot them by just retaining the pointers.
Edit: Since the OP demo is about exploring a web app for people interested in this topics I'm leaving a demo of FlowStorm debugging a web app also https://www.youtube.com/watch?v=h8AFpZkAwPo
Do you like use data structure metadata for tracking values?
Thanks for the video, I'm gonna go watch it.
I love how good the tooling is in the java/jvm ecosystem. Last time I was this blown away was with jitwatch ( https://github.com/AdoptOpenJDK/jitwatch )
FlowTracker reminds me a little of taint analysis, which is used for tracking unvalidated user inputs or secrets through a program, making sure it is not leaked or used without validation.
search keywords are "dynamic taint tracking/analysis"
https://github.com/gmu-swe/phosphor
I can totally see a future where tools like this are the first line of defense when troubleshooting bugs.
As I was developing FlowTracker, a lot of the work was driven by making tracking of specific example programs work. I knew what result I was aiming for, but it was hard to predict what lower level mechanisms needed to be supported to make a specific example work. That often depended on internal implementation details of the JDK or libraries being used where the data was passing through.
But the HTML element linking back to the SQL script that added that data into the database wasn't like that. I didn't expect or work towards it, that just happened, so it blew me away a little too and got me excited about what else this approach could accomplish.
Maybe also some way to track if the data is meant to be transient or meant to be written back.
The more such constraints which could be described up front, the better.
Integration of any solution like this into existing frameworks feels like a big challenge.
[1] HTML Source Maps - https://github.com/connorjclark/html-source-maps https://docs.google.com/document/d/19XYWiPL9h9vA6QcOrGV9Nfkr...
https://www.youtube.com/watch?v=TWAMr72VaaU&t=164s and https://witheve.com/
It would be possible to extend what FlowTracker does to also find SQL (or other) injection vulnerabilities. So it's possible the tool you're thinking of used a similar approach.
Been trying to get this work with VSCode with a project I'm trying to make sense of. Having to take a pause on it right now, but looking forward to getting it working and playing with it.
I think a similar experience can be quickly achieved with tracing in aspire: https://devblogs.microsoft.com/dotnet/introducing-dotnet-asp...
It's a bit different but I don't know if anyone made a quick handy GUI tool to hook up to .NET's EventPipe and display its data in a nice way, but the extensive API for that is there.
From a quick skim read, it sounds similar in some aspects. And also it's a good starting point.