ABSTRACT
Existing static analyzers for JavaScript use constant propagation domains to analyze strings. The simplicity of these domains results in a huge loss of precision when dealing with features such as dynamic property access. This paper presents a string analysis for the full JavaScript language based on abstract interpretation. The analysis uses finite state automata to track all possible strings a variable might hold during execution. We present an empirical performance and precision evaluation on some JavaScript benchmarks and show that the analysis achieves a higher level of precision, especially when handling dynamic property access.
Index Terms
- Precise String Analysis for JavaScript Programs Using Automata