ABSTRACT
JavaScript is a language that is widely used for both web-based and standalone applications, such as those in the (at the time of writing) upcoming Windows 8 operating system. Analysis of JavaScript has long been known to be challenging due to its dynamic nature. On top of that, most JavaScript applications rely on large and complex libraries and frameworks, often written in a combination of JavaScript and native code such as C and C++. Stubs have commonly been employed as a partial specification mechanism to address the library problem; however, they are tedious to write, incomplete, and occasionally incorrect.
The manner in which library code is used within applications, however, often sheds light on what library APIs return or consume as parameters. In this paper, we propose a technique that combines pointer analysis with use analysis to handle many of the challenges posed by large JavaScript libraries. Our approach enables a variety of applications, ranging from call graph discovery to auto-complete to supporting runtime optimizations. Our techniques have been implemented and empirically validated on a set of 25 Windows 8 JavaScript applications, averaging 1,587 lines of code, demonstrating a combination of scalability and precision.
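The idea in the abstract, that application-side uses of a library result reveal what the library returns, can be illustrated with a toy "use analysis". The following is an added example written for this page; it is not the paper's implementation and does not reproduce its analysis. It handles only a small, line-oriented subset of JavaScript (`var x = lib.f(...)`, `var y = x`, and property-access statements on such variables), approximates pointer analysis with a simple variable-to-call-site map so that aliases share one inferred shape, and covers only the return side (not callback parameters). The sample program `SAMPLE_APP`, the library name `lib`, and the functions `query` and `fetch` are constructed for the example.

```javascript
// Toy use analysis: infer, per library call site, which property paths the
// application reads or writes on the call's result. This is illustrative code
// for this page, not the analysis described in the paper.

// Constructed sample application. `lib` is a stand-in for an opaque library
// whose source (JS or native) the analysis cannot see.
const SAMPLE_APP = `
var q = lib.query("#menu");
q.style.color = "red";
q.addEventListener("click", onClick);
var s = q;
s.innerHTML = "hi";
var items = lib.fetch("/api");
items.length;
items.forEach(render);
var n = unknownObj.foo;
n.bar;
`;

// Statement patterns for the supported subset (one statement per line).
const CALL_RE  = /^var\s+(\w+)\s*=\s*(\w+\.\w+)\s*\(/;   // var x = lib.f(
const ALIAS_RE = /^var\s+(\w+)\s*=\s*(\w+)\s*;/;         // var y = x;
const USE_RE   = /^(\w+)((?:\.\w+)+)/;                   // x.p1.p2...

// Returns Map<callSite, Set<propertyPath>>, e.g. "lib.query" -> {"style", "style.color", ...}
function inferLibraryShapes(src) {
  const pointsTo = new Map(); // local variable -> library call site it holds the result of
  const shapes   = new Map(); // library call site -> property paths used on its result

  for (const raw of src.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    let m;

    // var x = lib.f(...): x now points to the (unknown) result of lib.f.
    if ((m = CALL_RE.exec(line))) {
      pointsTo.set(m[1], m[2]);
      if (!shapes.has(m[2])) shapes.set(m[2], new Set());
      continue;
    }

    // var y = x: y aliases x, so later uses of y also constrain lib.f's result.
    if ((m = ALIAS_RE.exec(line))) {
      if (pointsTo.has(m[2])) pointsTo.set(m[1], pointsTo.get(m[2]));
      continue;
    }

    // x.p1.p2 ...: every prefix of the access path is a property the result must have.
    if ((m = USE_RE.exec(line)) && pointsTo.has(m[1])) {
      const site = pointsTo.get(m[1]);
      const props = m[2].slice(1).split('.');
      for (let i = 1; i <= props.length; i++) {
        shapes.get(site).add(props.slice(0, i).join('.'));
      }
    }
    // Uses on variables with unknown provenance (e.g. `n.bar`) are ignored:
    // the analysis only reports facts it can attribute to a library call.
  }
  return shapes;
}

// Sorted array view of one call site's inferred shape (empty if never seen).
function shapeOf(shapes, site) {
  return [...(shapes.get(site) || [])].sort();
}

const shapes = inferLibraryShapes(SAMPLE_APP);
for (const site of shapes.keys()) {
  console.log(site, '->', shapeOf(shapes, site).join(', '));
}
```

The output lists, for `lib.query`, the properties `style`, `style.color`, `addEventListener` and `innerHTML`, the last one contributed through the alias `s`; for `lib.fetch` it lists `length` and `forEach`. Note that the result is deliberately unsound in the direction the abstract describes: it reports only what the application actually uses, which is exactly the partial specification a hand-written stub would have to capture, and it says nothing about the variable `n`, whose origin is not a recognised library call.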
Practical static analysis of JavaScript applications in the presence of frameworks and libraries