Revamping JavaScript static analysis via localization and remediation of root causes of imprecision

Static analysis is challenged by the dynamic language constructs of JavaScript, which often lead to unacceptable performance and/or precision results. We describe an approach that focuses on improving the practicality and accuracy of points-to analysis and call graph construction for JavaScript programs. The approach first identifies program constructs that are sources of imprecision (i.e., root causes) by monitoring the static analysis process. We then examine these root causes and suggest specific context-sensitive analyses to apply to them. Our technique finds that the root causes comprise less than 2% of the functions in JavaScript library applications. Moreover, the specialized analysis derived by our approach finishes within a few seconds, even on programs that cannot complete within 10 minutes with the original analysis.
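The following is an added illustration, not code from the paper or its authors: a toy points-to and call-graph analysis over a hand-encoded JavaScript program, run once context-insensitively and once with call-site sensitivity. It shows the kind of imprecision the abstract refers to (an identity-style helper whose parameter merges values from every caller, producing spurious call-graph edges downstream) and a deliberately crude "root cause" localization that flags such a function. The program, the IR, the function names (`analyze`, `callGraph`, `spuriousEdges`, `rootCauses`) and the localization heuristic are all constructed for this example and are a simplification of the monitoring the paper describes.

```javascript
// Added example: toy context-insensitive vs. call-site-sensitive points-to
// analysis for a tiny JavaScript program. Not the paper's analysis.
//
// Constructed program, written in a small IR instead of real JS source:
//   function id(x) { return x; }
//   var a = {m: am};  var b = {m: bm};   // objA, objB
//   var r1 = id(a);   // call site c1
//   var r2 = id(b);   // call site c2
//   r1.m();           // call site c3
//   r2.m();           // call site c4
const PROGRAM = {
  functions: {
    id: { params: ["x"], ret: "x" },  // identity helper: the "root cause"
    am: { params: [], ret: null },
    bm: { params: [], ret: null },
  },
  objects: { objA: { m: "am" }, objB: { m: "bm" } },  // method tables
  main: [
    { kind: "alloc", target: "a", obj: "objA" },
    { kind: "alloc", target: "b", obj: "objB" },
    { kind: "call", site: "c1", target: "r1", callee: "id", args: ["a"] },
    { kind: "call", site: "c2", target: "r2", callee: "id", args: ["b"] },
    { kind: "invoke", site: "c3", receiver: "r1", method: "m" },
    { kind: "invoke", site: "c4", receiver: "r2", method: "m" },
  ],
};

// Points-to keys are "main:var" or "fn@ctx:param"; ctx is the call site
// under call-site sensitivity and "*" (all callers merged) otherwise.
function analyze(program, contextSensitive) {
  const pts = new Map();
  const get = (k) => pts.get(k) || new Set();
  const add = (k, objs) => {
    let s = pts.get(k);
    if (!s) { s = new Set(); pts.set(k, s); }
    let changed = false;
    for (const o of objs) if (!s.has(o)) { s.add(o); changed = true; }
    return changed;
  };
  const edges = new Set();  // call-graph edges as "site->function"
  let changed = true;
  while (changed) {  // iterate to a fixpoint
    changed = false;
    for (const st of program.main) {
      if (st.kind === "alloc") {
        changed = add(`main:${st.target}`, [st.obj]) || changed;
      } else if (st.kind === "call") {
        const ctx = contextSensitive ? st.site : "*";
        const fn = program.functions[st.callee];
        edges.add(`${st.site}->${st.callee}`);
        fn.params.forEach((p, i) => {
          changed = add(`${st.callee}@${ctx}:${p}`, get(`main:${st.args[i]}`)) || changed;
        });
        if (fn.ret) changed = add(`main:${st.target}`, get(`${st.callee}@${ctx}:${fn.ret}`)) || changed;
      } else if (st.kind === "invoke") {
        for (const obj of get(`main:${st.receiver}`)) {
          const callee = program.objects[obj][st.method];
          const e = `${st.site}->${callee}`;
          if (callee && !edges.has(e)) { edges.add(e); changed = true; }
        }
      }
    }
  }
  return { pts, edges };
}

function callGraph(program, contextSensitive) {
  return [...analyze(program, contextSensitive).edges].sort();
}

// Edges the insensitive analysis reports that call-site sensitivity rules out.
function spuriousEdges(program) {
  const precise = new Set(callGraph(program, true));
  return callGraph(program, false).filter((e) => !precise.has(e));
}

// Crude localization (a simplification of the paper's monitoring): flag a
// function whose merged parameter set is larger than any single caller's.
function rootCauses(program) {
  const insens = analyze(program, false).pts;
  const sens = analyze(program, true).pts;
  const flagged = new Set();
  for (const [key, objs] of insens) {
    const m = key.match(/^(\w+)@\*:(\w+)$/);
    if (!m) continue;
    const [, fn, param] = m;
    let maxPerSite = 0;
    for (const [k2, s2] of sens) {
      if (k2.startsWith(`${fn}@`) && k2.endsWith(`:${param}`)) maxPerSite = Math.max(maxPerSite, s2.size);
    }
    if (objs.size > maxPerSite) flagged.add(fn);
  }
  return [...flagged].sort();
}

console.log("insensitive:", callGraph(PROGRAM, false));
console.log("call-site sensitive:", callGraph(PROGRAM, true));
console.log("spurious:", spuriousEdges(PROGRAM), "root causes:", rootCauses(PROGRAM));
```

Run with `node`: the insensitive analysis resolves both `r1.m()` and `r2.m()` to both `am` and `bm`, because `id`'s single parameter set merges `objA` and `objB` and flows back to every caller; with one call-site context per invocation of `id`, each receiver resolves to exactly one method. Applying the extra context only to the flagged function, rather than to the whole program, is the cost-saving idea the abstract describes.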
