KJS: a complete formal semantics of JavaScript

This paper presents KJS, the most complete and thoroughly tested formal semantics of JavaScript to date. Being executable, KJS has been tested against the ECMAScript 5.1 conformance test suite, and passes all 2,782 core language tests. Among the existing implementations of JavaScript, only Chrome V8 passes all the tests, and no other semantics passes more than 90%. In addition to serving as a reference implementation for JavaScript, KJS also yields a simple coverage metric for a test suite: the set of semantic rules it exercises. Our semantics revealed that the ECMAScript 5.1 conformance test suite fails to cover several semantic rules. Guided by the semantics, we wrote tests to exercise those rules. The new tests revealed bugs both in production JavaScript engines (Chrome V8, Safari WebKit, Firefox SpiderMonkey) and in other semantics. KJS is symbolically executable, so it can be used for formal analysis and verification of JavaScript programs. We verified non-trivial programs and found a known security vulnerability.
