research-article

Automatically deriving JavaScript static analyzers from specifications using Meta-level static analysis

Authors:

Sukyoung RyuAuthors Info & Claims

ESEC/FSE 2022: Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering

Pages 1022 - 1034

https://doi.org/10.1145/3540250.3549097

Published: 09 November 2022 Publication History

Abstract

JavaScript is one of the most dominant programming languages. However, despite its popularity, it is a challenging task to correctly understand the behaviors of JavaScript programs because of their highly dynamic nature. Researchers have developed various static analyzers that strive to conform to ECMA-262, the standard specification of JavaScript. Unfortunately, all the existing JavaScript static analyzers require manual updates for new language features. This problem has become more critical since 2015 because the JavaScript language itself rapidly evolves with a yearly release cadence and open development process.

In this paper, we present JSAVER, the first tool that automatically derives JavaScript static analyzers from language specifications. The main idea of our approach is to extract a definitional interpreter from ECMA-262 and perform a meta-level static analysis with the extracted interpreter. A meta-level static analysis is a novel technique that indirectly analyzes programs by analyzing a definitional interpreter with the programs. We also describe how to indirectly configure abstract domains and analysis sensitivities in a meta-level static analysis. For evaluation, we derived a static analyzer from the latest ECMA-262 (ES12, 2021) using JSAVER. The derived analyzer soundly analyzed all applicable 18,556 official conformance tests with 99.0% of precision in 590 ms on average. In addition, we demonstrate the configurability and adaptability of JSAVER with several case studies.

References

[1]

2021. engine262: An Implementation of ECMA-262 in JavaScript. https://github.com/engine262/engine262

[2]

2021. Narcissus: A JavaScript Interpreter written in pure JavaScript developed by Mozilla. https://github.com/mozilla/narcissus

[3]

Roberto Amadini, Alexander Jordan, Graeme Gange, François Gauthier, Peter Schachte, Harald Søndergaard, Peter J Stuckey, and Chenyi Zhang. 2017. Combining String Abstract Domains for JavaScript Analysis: An Evaluation. In Proceedings of the 23rd International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS). https://doi.org/10.1007/978-3-662-54577-5_3

Digital Library

[4]

SungGyeong Bae, Hyunghun Cho, Inho Lim, and Sukyoung Ryu. 2014. SAFEWAPI: Web API Misuse Detector for Web Applications. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE). https://doi.org/10.1145/2635868.2635916

Digital Library

[5]

Martin Bodin, Arthur Charguéraud, Daniele Filaretti, Philippa Gardner, Sergio Maffeis, Daiva Naudziuniene, Alan Schmitt, and Gareth Smith. 2014. A Trusted Mechanised JavaScript Specification. Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming (POPL), 49, 1 (2014), 87–100. https://doi.org/10.1145/2535838.2535876

Digital Library

[6]

Arthur Charguéraud, Alan Schmitt, and Thomas Wood. 2018. JSExplain: A Double Debugger for JavaScript. In Companion Proceedings of the The Web Conference (WWW). https://doi.org/10.1145/3184558.3185969

Digital Library

[7]

David R. Chase, Mark Wegman, and F. Kenneth Zadeck. 1990. Analysis of Pointers and Structures. In Proceedings of the ACM SIGPLAN 1990 Conference on Programming Language Design and Implementation (PLDI) (PLDI ’90). Association for Computing Machinery, New York, NY, USA. 296–310. isbn:0897913647 https://doi.org/10.1145/93542.93585

Digital Library

[8]

Patrick Cousot and Radhia Cousot. 1977. Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. In Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming languages (POPL). https://doi.org/10.1145/512950.512973

Digital Library

[9]

Patrick Cousot and Radhia Cousot. 1977. Static Determination of Dynamic Properties of Generalized Type Unions. In Proceedings of an ACM Conference on Language Design for Reliable Software. Association for Computing Machinery, New York, NY, USA. 77–94. isbn:9781450373807 https://doi.org/10.1145/800022.808314

Digital Library

[10]

Patrick Cousot and Radhia Cousot. 1992. Abstract Interpretation Frameworks. Journal of Logic and Computation (JLC), 2, 4 (1992), 511–547. https://doi.org/10.1093/logcom/2.4.511

[11]

Arlen Cox, Bor-Yuh Evan Chang, and Xavier Rival. 2014. Automatic Analysis of Open Objects in Dynamic Language Programs. In Proceedings of the 21st International Symposium on Static Analysis (SAS). https://doi.org/10.1007/978-3-319-10936-7_9

[12]

David Darais, Nicholas Labich, Phúc C. Nguyen, and David Van Horn. 2017. Abstracting Definitional Interpreters (Functional Pearl). In Proceedings of the 22nd ACM SIGPLAN International Conference on Functional Programming (ICFP). https://doi.org/10.1145/3110256

Digital Library

[13]

José Fragoso Santos, Petar Maksimović, Daiva Naudžiūnienė, Thomas Wood, and Philippa Gardner. 2017. JaVerT: JavaScript Verification Toolchain. Proceedings of the 44th ACM SIGPLAN-SIGACT Symposium on Principles of Programming (POPL), 2, POPL (2017), 1–33. https://doi.org/10.1145/3158138

Digital Library

[14]

Dionna Glaze and David Van Horn. 2014. Abstracting Abstract Control. In Proceedings of the 10th ACM Symposium on Dynamic Languages (DLS). https://doi.org/10.1145/2661088.2661098

Digital Library

[15]

Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi. 2010. The essence of JavaScript. In Proceedings of the 24th European Conference on Object-Oriented Programming (ECOOP). 126–150. https://doi.org/10.1007/978-3-642-14107-2_7

[16]

David Herman and Cormac Flanagan. 2007. Status Report: Specifying Javascript with ML. In Proceedings of the 2007 Workshop on Workshop on ML. https://doi.org/10.1145/1292535.1292543

Digital Library

[17]

Stefan Heule, Manu Sridharan, and Satish Chandra. 2015. Mimic: Computing Models for Opaque Code. In Proceedings of the 10th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE). https://doi.org/10.1145/2786805.2786875

Digital Library

[18]

Jerry L Hintze and Ray D Nelson. 1998. Violin Plots: A Box Plot-Density Trace Synergism. The American Statistician, 52, 2 (1998), 181–184.

[19]

Ecma International. 2021. ECMA-262, 12th edition, June 2021, ECMAScript® 2021 Language Specification. https://262.ecma-international.org/12.0/

[20]

Simon Holm Jensen, Anders Møller, and Peter Thiemann. 2009. Type Analysis for JavaScript. In Proceedings of the 16th International Symposium on Static Analysis (SAS). https://doi.org/10.1007/978-3-642-03237-0_17

Digital Library

[21]

Vineeth Kashyap, Kyle Dewey, Ethan A. Kuefner, John Wagner, Kevin Gibbons, John Sarracino, Ben Wiedermann, and Ben Hardekopf. 2014. JSAI: A Static Analysis Platform for JavaScript. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE). https://doi.org/10.1145/2635868.2635904

Digital Library

[22]

Se-Won Kim, Wooyoung Chin, Jimin Park, Jeongmin Kim, and Sukyoung Ryu. 2014. Inferring Grammatical Summaries of String Values. In Asian Symposium on Programming Languages and Systems (APLAS). 372–391. https://doi.org/10.1007/978-3-319-12736-1_20

[23]

Se-Won Kim, Xavier Rival, and Sukyoung Ryu. 2018. A Theoretical Foundation of Sensitivity in an Abstract Interpretation Framework. ACM Transactions on Programming Languages and Systems (TOPLAS), 40, 3 (2018), Article 13, 44 pages. issn:0164-0925 https://doi.org/10.1145/3230624

Digital Library

[24]

Yoonseok Ko, Xavier Rival, and Sukyoung Ryu. 2019. Weakly sensitive analysis for JavaScript object-manipulating programs. Software: Practice and Experience (SPE), 49, 5 (2019), 840–884. https://doi.org/10.1002/spe.2676

[25]

Chris Lattner, Andrew Lenharth, and Vikram Adve. 2007. Making Context-Sensitive Points-to Analysis with Heap Cloning Practical for the Real World. In Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). 278–289. https://doi.org/10.1145/1250734.1250766

Digital Library

[26]

Hongki Lee, Sooncheol Won, Joonho Jin, Junhee Cho, and Sukyoung Ryu. 2012. SAFE: Formal Specification and Implementation of a Scalable Analysis Framework for ECMAScript. In Proceedings of 19th International Workshop on Foundations of Object-Oriented Languages (FOOL).

[27]

Magnus Madsen and Esben Andreasen. 2014. String Analysis for Dynamic Field Access. In Proceedings of the 23rd International Conference on Compiler Construction (CC). https://doi.org/10.1007/978-3-642-54807-9_12

[28]

Matthew Might and Olin Shivers. 2006. Improving Flow Analyses via Γ CFA: Abstract Garbage Collection and Counting. In Proceedings of the 11th ACM SIGPLAN International Conference on Functional Programming (ICFP). 13–25. https://doi.org/10.1145/1159803.1159807

Digital Library

[29]

Ana Milanova, Atanas Rountev, and Barbara G. Ryder. 2005. Parameterized Object Sensitivity for Points-to Analysis for Java. ACM Transactions on Software Engineering and Methodology (TOSEM), 14, 1 (2005), Jan., 1–41. issn:1049-331X https://doi.org/10.1145/1044834.1044835

Digital Library

[30]

Benjamin Barslev Nielsen and Anders Møller. 2020. Value Partitioning: A Lightweight Approach to Relational Static Analysis for JavaScript. In Proceedings of the 34th European Conference on Object-Oriented Programming (ECOOP). https://doi.org/10.4230/LIPIcs.ECOOP.2020.16

[31]

Changhee Park, Hyeonseung Im, and Sukyoung Ryu. 2016. Precise and Scalable Static Analysis of jQuery using a Regular Expression Domain. In Proceedings of the 12th Symposium on Dynamic Languages (DLS). https://doi.org/10.1145/2989225.2989228

Digital Library

[32]

Changhee Park, Hongki Lee, and Sukyoung Ryu. 2018. Static analysis of JavaScript libraries in a scalable and precise way using loop sensitivity. Software: Practice and Experience (SPE), 48, 4 (2018), 911–944. https://doi.org/10.1002/spe.2676

[33]

Changhee Park and Sukyoung Ryu. 2015. Scalable and Precise Static Analysis of JavaScript Applications via Loop-Sensitivity. In Proceedings of the 29th European Conference on Object-Oriented Programming (ECOOP). https://doi.org/10.4230/LIPIcs.ECOOP.2015.735

[34]

Daejun Park, Andrei Stefănescu, and Grigore Roşu. 2015. KJS: A Complete Formal Semantics of JavaScript. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). 346–356. https://doi.org/10.1145/2737924.2737991

Digital Library

[35]

Jihyeok Park. 2014. JavaScript API misuse detection by using TypeScript. In Proceedings of the companion publication of the 13th international conference on Modularity. https://doi.org/10.1145/2584469.2584472

Digital Library

[36]

Jihyeok Park, Seungmin An, and Sukyoung Ryu. 2021. A Meta-level Static Analysis for JavaScript. https://doi.org/10.5281/zenodo.6797394

[37]

Jihyeok Park, Seungmin An, and Sukyoung Ryu. 2021. JSAVER: JavaScript Static Analyzer via ECMAScript Representation. https://doi.org/10.5281/zenodo.6906415

Digital Library

[38]

Jihyeok Park, Seungmin An, Wonho Shin, Yusung Sim, and Sukyoung Ryu. 2021. JSTAR: JavaScript Specification Type Analyzer using Refinement. In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering (ASE). https://doi.org/10.1109/ASE51524.2021.9678781

Digital Library

[39]

Jihyeok Park, Seungmin An, Dongjun Youn, Gyeongwon Kim, and Sukyoung Ryu. 2021. JEST: N+1-version Differential Testing of Both JavaScript Engines and Specification. In Proceedings of IEEE/ACM 43rd International Conference on Software Engineering (ICSE). 13–24. https://doi.org/10.1109/ICSE43902.2021.00015

Digital Library

[40]

Joonyoung Park, Alexander Jordan, and Sukyoung Ryu. 2019. Automatic Modeling of Opaque Code for JavaScript Static Analysis. In Proceedings of the 22nd International Conference on Fundamental Approaches to Software Engineering (FASE). https://doi.org/10.1007/978-3-030-16722-6_3

[41]

Jihyeok Park, Hongki Lee, and Sukyoung Ryu. 2021. A Survey of Parametric Static Analysis. ACM Computing Surveys (CSUR), 54, 7 (2021), 1–37. https://doi.org/10.1145/3464457

Digital Library

[42]

Joonyoung Park, Inho Lim, and Sukyoung Ryu. 2016. Battles with False Positives in Static Analysis of JavaScript Web Applications in the Wild. In Proceedings of the 38th IEEE/ACM International Conference on Software Engineering Companion (ICSE-C). https://doi.org/10.1145/2889160.2889227

Digital Library

[43]

Jihyeok Park, Jihee Park, Seungmin An, and Sukyoung Ryu. 2020. JISET: JavaScript IR-based Semantics Extraction Toolchain. In Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering (ASE). 647–658. https://doi.org/10.1145/3324884.3416632

Digital Library

[44]

Joonyoung Park, Jihyeok Park, Dongjun Youn, and Sukyoung Ryu. 2021. Accelerating JavaScript Static Analysis via Dynamic Shortcuts. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE) (ESEC/FSE 2021). Association for Computing Machinery, New York, NY, USA. 1129–1140. isbn:9781450385626 https://doi.org/10.1145/3468264.3468556

Digital Library

[45]

Jihyeok Park, Yeonhee Ryou, Joonyoung Park, and Sukyoung Ryu. 2017. Analysis of JavaScript Web Applications Using SAFE 2.0. In Proceedings of the 39th IEEE/ACM International Conference on Software Engineering Companion (ICSE-C). https://doi.org/10.1109/ICSE-C.2017.4

Digital Library

[46]

Joonyoung Park, Kwangwon Sun, and Sukyoung Ryu. 2018. EventHandler-Based Analysis Framework for Web Apps Using Dynamically Collected States. In Proceedings of the 21st International Conference on Fundamental Approaches to Software Engineering (FASE). https://doi.org/10.1007/978-3-319-89363-1_8

[47]

John C. Reynolds. 1972. Definitional Interpreters for Higher-Order Programming Languages. In Proceedings of the ACM Annual Conference - Volume 2. https://doi.org/10.1145/800194.805852

Digital Library

[48]

Max Schäfer, Manu Sridharan, Julian Dolby, and Frank Tip. 2013. Dynamic Determinacy Analysis. In Proceedings of the 34th annual ACM SIGPLAN conference on Programming Language Design and Implementation (PLDI). https://doi.org/10.1145/2499370.2462168

Digital Library

[49]

Micha Sharir and Amir Pnueli. 1981. Two Approaches to Interprocedural Data Flow Analysis.

[50]

Olin Grigsby Shivers. 1991. Control-Flow Analysis of Higher-Order Languages. Carnegie Mellon University.

Digital Library

[51]

Yannis Smaragdakis, Martin Bravenboer, and Ondrej Lhoták. 2011. Pick Your Contexts Well: Understanding Object-Sensitivity. In Proceedings of the 38th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). Association for Computing Machinery, New York, NY, USA. 17–30. isbn:9781450304900 https://doi.org/10.1145/1926385.1926390

Digital Library

[52]

Manu Sridharan, Julian Dolby, Satish Chandra, Max Schäfer, and Frank Tip. 2012. Correlation Tracking for Points-To Analysis of JavaScript. In Proceedings of the 26th European Conference on Object-Oriented Programming (ECOOP). https://doi.org/10.1007/978-3-642-31057-7_20

Digital Library

[53]

Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang, and Anders Møller. 2019. Static Analysis with Demand-Driven Value Refinement. In Proceedings of the 34th ACM SIGPLAN conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA). https://doi.org/10.1145/3360566

Digital Library

[54]

David Van Horn and Matthew Might. 2010. Abstracting Abstract Machines. In Proceedings of the 15th ACM SIGPLAN International Conference on Functional Programming (POPL). https://doi.org/10.1145/1863543.1863553

Digital Library

[55]

David Van Horn and Matthew Might. 2011. Abstracting Abstract Machines: A Systematic Approach to Higher-Order Program Analysis. Communications of the ACM (CACM)t, 54, 9 (2011), 101–109. https://doi.org/10.1145/1995376.1995400

Digital Library

[56]

Shiyi Wei and Barbara G Ryder. 2013. Practical Blended Taint Analysis for JavaScript. In Proceedings of the 22th International Symposium on Software Testing and Analysis (ISSTA). https://doi.org/10.1145/2483760.2483788

Digital Library

[57]

Allen Wirfs-Brock and Brendan Eich. 2020. JavaScript: The First 20 Years. Proceedings of ACM Programming Languages, 4, HOPL (2020), Article 77, June, 189 pages. https://doi.org/10.1145/3386327

Digital Library

[58]

Xuezheng Xu, Xudong Wang, and Jingling Xue. 2021. Automatic Synthesis of Data-Flow Analyzers. In Proceedings of the 28th International Symposium on Static Analysis (SAS). 453–478.

Digital Library

Cited By

De Santo NBarrière APit-Claudel C(2024)A Coq Mechanization of JavaScript Regular Expression SemanticsProceedings of the ACM on Programming Languages10.1145/36746668:ICFP(1003-1031)Online publication date: 15-Aug-2024
https://dl.acm.org/doi/10.1145/3674666
Youn DShin WLee JRyu SBreitner JGardner PLindley SPretnar MRao XWatt CRossberg A(2024)Bringing the WebAssembly Standard up to Speed with SpecTecProceedings of the ACM on Programming Languages10.1145/36564408:PLDI(1559-1584)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656440
Ryu SPark J(2024)JavaScript Language Design and Implementation in TandemCommunications of the ACM10.1145/362472367:5(86-95)Online publication date: 1-May-2024
https://dl.acm.org/doi/10.1145/3624723
Show More Cited By

Index Terms

Automatically deriving JavaScript static analyzers from specifications using Meta-level static analysis
1. Software and its engineering
2. Theory of computation
  1. Semantics and reasoning
    1. Program reasoning
      1. Program verification

Index terms have been assigned to the content through auto-classification.

Recommendations

Systematic approaches for increasing soundness and precision of static analyzers
SOAP 2017: Proceedings of the 6th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis

Building static analyzers for modern programming languages is difficult. Often soundness is a requirement, perhaps with some well-defined exceptions, and precision must be adequate for producing useful results on realistic input programs. Formally ...
Type refinement for static analysis of JavaScript
DLS '13: Proceedings of the 9th symposium on Dynamic languages

Static analysis of JavaScript has proven useful for a variety of purposes, including optimization, error checking, security auditing, program refactoring, and more. We propose a technique called type refinement that can improve the precision of such ...
Points-to analysis for JavaScript
SAC '09: Proceedings of the 2009 ACM symposium on Applied Computing

JavaScript is widely used by web developers and the complexity of JavaScript programs has increased over the last year. Therefore, the need for program analysis for JavaScript is evident. Points-to analysis for JavaScript is to determine the set of ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ESEC/FSE 2022: Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering

November 2022

1822 pages

ISBN:9781450394130

DOI:10.1145/3540250

General Chair:
Abhik Roychoudhury
National University of Singapore, Singapore
,
Program Chairs:
Cristian Cadar
Imperial College London, UK
,
Miryung Kim
University of California at Los Angeles, USA

Copyright © 2022 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 November 2022

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Badges

Author Tags

Qualifiers

Research-article

Funding Sources

National Research Foundation of Korea (NRF)
Institute for Information & communications Technology Promotion(IITP) grant funded by the Korea government (MSIT)

Conference

ESEC/FSE '22

Sponsor:

ESEC/FSE '22: 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering

November 14 - 18, 2022

Singapore, Singapore

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
302
Total Downloads

Downloads (Last 12 months)102
Downloads (Last 6 weeks)9

Reflects downloads up to 12 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

De Santo NBarrière APit-Claudel C(2024)A Coq Mechanization of JavaScript Regular Expression SemanticsProceedings of the ACM on Programming Languages10.1145/36746668:ICFP(1003-1031)Online publication date: 15-Aug-2024
https://dl.acm.org/doi/10.1145/3674666
Youn DShin WLee JRyu SBreitner JGardner PLindley SPretnar MRao XWatt CRossberg A(2024)Bringing the WebAssembly Standard up to Speed with SpecTecProceedings of the ACM on Programming Languages10.1145/36564408:PLDI(1559-1584)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656440
Ryu SPark J(2024)JavaScript Language Design and Implementation in TandemCommunications of the ACM10.1145/362472367:5(86-95)Online publication date: 1-May-2024
https://dl.acm.org/doi/10.1145/3624723
Park JYoun DLee KRyu S(2023)Feature-Sensitive Coverage for Conformance Testing of Programming Language ImplementationsProceedings of the ACM on Programming Languages10.1145/35912407:PLDI(493-515)Online publication date: 6-Jun-2023
https://dl.acm.org/doi/10.1145/3591240
Youn DLee SRyu S(2023)Declarative static analysis for multilingual programs using CodeQLSoftware: Practice and Experience10.1002/spe.319953:7(1472-1495)Online publication date: 9-Mar-2023
https://doi.org/10.1002/spe.3199

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents