A trusted mechanised JavaScript specification

JavaScript is the most widely used web language for client-side applications. Whilst the development of JavaScript was initially led purely by implementations, there is now increasing momentum behind the ECMA standardisation process. The time is ripe for a formal, mechanised specification of JavaScript: to clarify ambiguities in the ECMA standards, to serve as a trusted reference for high-level language compilation and for JavaScript implementations, and to provide a platform for high-assurance proofs of language properties. We present JSCert, a formalisation of the current ECMA standard in the Coq proof assistant, and JSRef, a reference interpreter for JavaScript extracted from Coq to OCaml. We give a Coq proof that JSRef is correct with respect to JSCert, and we assess JSRef using test262, the ECMA conformance test suite. Our methodology ensures that JSCert is a comparatively accurate formulation of the English standard, and one which will only improve as time goes on. We have demonstrated that modern techniques of mechanised specification can handle the complexity of JavaScript.
