JSAI: a static analysis platform for JavaScript

Vineeth Kashyap, Kyle Dewey, Ethan A. Kuefner, John Wagner, Kevin Gibbons, John Sarracino, Ben Wiedermann, Ben Hardekopf
2014 Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering - FSE 2014  
JavaScript is used everywhere from the browser to the server, including desktops and mobile devices. However, the current state of the art in JavaScript static analysis lags far behind that of other languages such as C and Java. Our goal is to help remedy this lack. We describe JSAI, a formally specified, robust abstract interpreter for JavaScript. JSAI uses novel abstract domains to compute a reduced product of type inference, pointer analysis, control-flow analysis, string analysis, and integer and boolean constant propagation. Part of JSAI's novelty is user-configurable analysis sensitivity, i.e., context-, path-, and heap-sensitivity. JSAI is designed to be provably sound with respect to a specific concrete semantics for JavaScript, which has been extensively tested against a commercial JavaScript implementation. We provide a comprehensive evaluation of JSAI's performance and precision using an extensive benchmark suite, including real-world JavaScript applications, machine-generated JavaScript code via Emscripten, and browser addons. We use JSAI's configurability to evaluate a large number of analysis sensitivities (some well-known, some novel) and observe some surprising results that go against common wisdom. These results highlight the usefulness of a configurable analysis platform such as JSAI.

scope and popularity and is used to extend the functionality of web browsers via browser addons, to develop desktop applications (e.g., for Windows 8 [1]) and server-side applications (e.g., using Node.js [2]), and to develop mobile phone applications (e.g., for Firefox OS [3]). JavaScript's growing prominence means that secure, correct, maintainable, and fast JavaScript code is becoming ever more critical. Static analysis traditionally plays a large role in providing these characteristics: it can be used for security auditing, error-checking, debugging, optimization, program understanding, refactoring, and more. However, JavaScript's inherently dynamic nature and many unintuitive quirks cause great difficulty for static analysis. Our goal is to overcome these difficulties and provide a formally specified, well-tested static analysis platform for JavaScript, immediately useful for many client analyses such as those listed above. In fact, we have used JSAI in previous work to build a security auditing tool for browser addons [35] and to experiment with strategies to improve analysis precision [36]. We have also used JSAI to build a static program slicing [48] client and to build a novel abstract slicing [49] client. These are only a few examples of JSAI's usefulness. Several important characteristics distinguish JSAI from existing JavaScript static analyses (which are discussed further in Section 2):
doi:10.1145/2635868.2635904 dblp:conf/sigsoft/KashyapDKWGSWH14 fatcat:nvhqwr7nqbg2fkor673vgnv23y