Combining String Abstract Domains for JavaScript Analysis: An Evaluation

Strings play a central role in JavaScript and similar scripting languages. Owing to dynamic features such as the eval function and dynamic property access, precise string analysis is a prerequisite for automated reasoning about practically any kind of runtime property. Although the literature presents a considerable number of abstract domains for capturing and representing specific aspects of strings, we are not aware of tools that allow flexible combination of string abstract domains. Indeed, support for string analysis is often confined to a single, dedicated string domain. In this paper we describe a framework that allows us to combine multiple string abstract domains for the analysis of JavaScript programs. It is implemented as an extension of SAFE, an open-source static analysis tool. We investigate different combinations of abstract domains that capture various aspects of strings. Our evaluation suggests that a combination of a few, simple abstract domains suffice to outperform the precision of state-of-the-art static analysis tools for JavaScript.

[1]  Esben Andreasen,et al.  String Analysis for Dynamic Field Access , 2014, CC.

[2]  G. Costantini,et al.  Lexical and numerical domains for abstract interpretation , 2013 .

[3]  Thomas A. Henzinger,et al.  Program Analysis with Dynamic Precision Adjustment , 2008, 2008 23rd IEEE/ACM International Conference on Automated Software Engineering.

[4]  Peter J. Stuckey,et al.  The MiniZinc Challenge 2008-2013 , 2014, AI Mag..

[5]  Sukyoung Ryu,et al.  SAFE: Formal Specification and Implementation of a Scalable Analysis Framework for ECMAScript , 2012 .

[6]  Se-Won Kim,et al.  Inferring Grammatical Summaries of String Values , 2014, APLAS.

[7]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[8]  Ben Hardekopf,et al.  JSAI: a static analysis platform for JavaScript , 2014, SIGSOFT FSE.

[9]  Kyung-Goo Doh,et al.  A Practical String Analyzer by the Widening Approach , 2006, APLAS.

[10]  Agostino Cortesi,et al.  A suite of abstract domains for static analysis of string values , 2015, Softw. Pract. Exp..

[11]  Frank Tip,et al.  Correlation Tracking for Points-To Analysis of JavaScript , 2012, ECOOP.

[12]  Hyeonseung Im,et al.  Precise and scalable static analysis of jQuery using a regular expression domain , 2016, DLS.

[13]  Sukyoung Ryu,et al.  Scalable and Precise Static Analysis of JavaScript Applications via Loop-Sensitivity , 2015, ECOOP.

[14]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[15]  Thomas A. Henzinger,et al.  Configurable Software Verification: Concretizing the Convergence of Model Checking and Program Analysis , 2007, CAV.

[16]  Olivier Danvy,et al.  Proceedings Semantics, Abstract Interpretation, and Reasoning about Programs: Essays Dedicated to David A. Schmidt on the Occasion of his Sixtieth Birthday: Dave Schmidt: a Lifetime of Scholarship , 2013 .

[17]  Peter Thiemann,et al.  Type Analysis for JavaScript , 2009, SAS.

[18]  Agostino Cortesi,et al.  Static Analysis of String Values , 2011, ICFEM.

[19]  Agostino Cortesi,et al.  A Survey on Product Operators in Abstract Interpretation , 2013, Festschrift for Dave Schmidt.