State-Sensitive Points-to Analysis for the Dynamic Behavior of JavaScript Objects [chapter]

Shiyi Wei, Barbara G. Ryder
2014 Lecture Notes in Computer Science  
JavaScript object behavior is dynamic and adheres to prototype-based inheritance. The behavior of a JavaScript object can be changed by adding and removing properties at runtime. Points-to analysis calculates the set of values a reference property or variable may have during execution. We present a novel, partially flow-sensitive, context-sensitive points-to algorithm that accurately models dynamic changes in object behavior. The algorithm represents objects by their creation sites and local property names; it tracks property updates via a new control-flow graph representation. The calling context comprises the receiver object, its local properties and prototype chain. We compare the new points-to algorithm with an existing JavaScript points-to algorithm in terms of their respective performance and accuracy on a client application. The experimental results on real JavaScript websites show that the new points-to analysis significantly improves precision, uniquely resolving on average 11% more property lookup statements.¹

¹ Informally, a flow-sensitive analysis follows the execution order of statements in a program; a flow-sensitive analysis can perform strong updates, but a flow-insensitive one cannot. A context-sensitive analysis distinguishes between different calling contexts of a method, producing different analysis results for each context [21, 24]. A context-insensitive analysis calculates one solution per method.
doi:10.1007/978-3-662-44202-9_1 fatcat:wcgljbeclzavtcbkdivg4fmi3y