Practical static analysis of JavaScript applications in the presence of frameworks and libraries

JavaScript is a language that is widely used for both web-based and standalone applications, such as those in the upcoming Windows 8 operating system. Analysis of JavaScript has long been known to be challenging due to its dynamic nature. On top of that, most JavaScript applications rely on large and complex libraries and frameworks, often written in a combination of JavaScript and native code such as C and C++. Stubs have been commonly employed as a partial specification mechanism to address the library problem; however, they are tedious to write, incomplete, and occasionally incorrect. The manner in which library code is used within applications, on the other hand, often sheds light on what library APIs return or consume as parameters. In this paper, we propose a technique which combines pointer analysis with use analysis to handle many challenges posed by large JavaScript libraries. Our approach enables a variety of applications, ranging from call graph discovery to auto-complete to supporting runtime optimizations. Our techniques have been implemented and empirically validated on a set of 25 Windows 8 JavaScript applications, averaging 1,587 lines of code, demonstrating a combination of scalability and precision.
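To make the "use analysis" intuition concrete, the following added example (not the paper's implementation, which is built on a pointer analysis over a real AST) is a regex-based sketch: it scans constructed application code that calls a hypothetical library namespace `Lib` for which no stubs exist, records which properties the application reads or writes on each call's result and how many arguments it passes, and renders those facts as partial stubs.

```javascript
// Constructed sample application code (not from the paper); `Lib` is a
// hypothetical library namespace with no available stubs or source.
const APP_CODE = `
var list = Lib.Binding.List(items);
list.push(entry);
var n = list.length;
var el = Lib.Utilities.query("#root");
el.addClass("ready");
el.innerText = "ready";
Lib.Navigation.navigate("/home", state);
`;

const ASSIGN = /var\s+(\w+)\s*=\s*([\w.]+)\(([^)]*)\)/;   // var v = a.b.c(...)
const CALL = /(?<![\w.])([\w.]+)\(([^)]*)\)/g;           // a.b.c(args)
const USE = /\b(\w+)\.(\w+)/g;                           // v.prop

// Infer, per library call site, the properties used on its result and
// the maximum argument count observed. This is a line-based sketch of the
// idea, not a sound analysis: it ignores aliasing, control flow and callbacks.
function useAnalysis(code, libRoot) {
  const returns = new Map();      // callee -> Set of properties used on its result
  const arity = new Map();        // callee -> max argument count seen
  const varToCallee = new Map();  // local variable -> library call that produced it
  const prefix = libRoot + ".";
  for (const line of code.split("\n")) {
    const m = ASSIGN.exec(line);
    if (m && m[2].startsWith(prefix)) varToCallee.set(m[1], m[2]);
    for (const [, callee, args] of line.matchAll(CALL)) {
      if (!callee.startsWith(prefix)) continue;
      const argc = args.split(",").filter(a => a.trim()).length;
      arity.set(callee, Math.max(arity.get(callee) || 0, argc));
    }
    for (const [, obj, prop] of line.matchAll(USE)) {
      const callee = varToCallee.get(obj);
      if (!callee) continue;
      if (!returns.has(callee)) returns.set(callee, new Set());
      returns.get(callee).add(prop);
    }
  }
  return { returns, arity };
}

// Render the inferred facts as JavaScript stub source, one line per API.
function renderStubs({ returns, arity }) {
  return [...arity].sort().map(([callee, argc]) => {
    const params = Array.from({ length: argc }, (_, i) => "a" + i).join(", ");
    const props = [...(returns.get(callee) || [])].sort().map(p => p + ": undefined");
    return `${callee} = function(${params}) { return {${props.join(", ")}}; };`;
  }).join("\n");
}

console.log(renderStubs(useAnalysis(APP_CODE, "Lib")));
```

The stub for `Lib.Navigation.navigate` comes out with two parameters and an empty result, since the application never uses its return value; the other two calls acquire the properties their results are observed to carry.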
