Determinacy in static analysis for jQuery

Static analysis for JavaScript can potentially help programmers find errors early during development. Although much progress has been made on analysis techniques, a major obstacle is the prevalence of libraries, in particular jQuery, which use programming patterns that have detrimental consequences for analysis precision and performance. Previous work on dynamic determinacy analysis has demonstrated how information about program expressions that always resolve to a fixed value in some call context can lead to significant scalability improvements of static analysis for such code. We present a static dataflow analysis for JavaScript that infers and exploits determinacy information on the fly to enable analysis of some of the most complex parts of jQuery. The analysis combines selective context and path sensitivity, constant propagation, and branch pruning, based on a systematic investigation of the main causes of analysis imprecision when using a more basic analysis. The techniques are implemented in the TAJS analysis tool and evaluated on a collection of small programs that use jQuery. Our results show that the proposed analysis techniques boost both precision and performance, specifically for inferring type information and call graphs.