Department of Computer Science University of California ... · The JavaScript Language Imperative,...
Transcript of Department of Computer Science University of California ... · The JavaScript Language Imperative,...
![Page 1: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/1.jpg)
Static Analysis of JavaScriptInsights and Challenges
Ben Hardekopf
Department of Computer ScienceUniversity of California, Santa Barbara
![Page 2: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/2.jpg)
Setting Expectations
What this talk is about
• Brief introduction to current state of JavaScript analysis
• Mostly from perspective of my research lab
F Lessons we’ve learned
F Challenges we’ve faced
• Some discussion of other groups attacking this problem
What this talk is not about
• Comprehensive overview of the entire field
• A tutorial on how exactly to analyze JavaScript
2
![Page 3: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/3.jpg)
Talk Outline
• Motivation
• The JavaScript Language
• General Approaches to JavaScript Analysis
• The JSAI JavaScript Analyzer
• Some Lessons Learned
• The Challenges Ahead
3
![Page 4: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/4.jpg)
JavaScript is Everywhere
4
![Page 5: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/5.jpg)
JavaScript is Hard to Get Right
Source: http://blog.safeshepherd.com/23/how-one-missing-var-ruined-our-launch/
5
![Page 6: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/6.jpg)
6
![Page 7: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/7.jpg)
We Need Better Tools for JavaScript
JavaScript program desiderata:• Fast• Correct• Secure• Maintainable
Static analysis to the rescue?• Sound?• Precise?• Efficient?
7
![Page 8: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/8.jpg)
Example: Browser Addon Security
• Written in JavaScript by3rd-party developers
• Complete access to browserinformation
• No sandboxing or other securityrestrictions
• Vulnerabilities (e.g., arbitrarycode execution)
• Malware (e.g., key loggers)
• Proof-of-concept exploits(e.g., FFSniff)
Kashyap et al, “Security Signature Inference for JavaScript-based Browser Addons”CGO 2014
8
![Page 9: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/9.jpg)
Talk Outline
• Motivation
• The JavaScript Language
• General Approaches to JavaScript Analysis
• The JSAI JavaScript Analyzer
• Some Lessons Learned
• The Challenges Ahead
9
![Page 10: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/10.jpg)
The JavaScript Language
• Imperative, dynamically-typed languageF Objects, prototype-based inheritance, closures, exceptions
• Objects are the fundamental data structureF Object properties can be dynamically inserted and deleted
F Property accesses can be computed at runtime
F Object introspection (runtime reflection)
F Functions and arrays are just objects
• Designed to be resilientF Nonsensical actions (accessing a property of a non-object, adding
two functions together, etc) are handled using implicit conversionsand default behaviors
F Lots of quirks and edge cases (with, this, arguments, . . . )
10
![Page 11: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/11.jpg)
Prototype-Based Inheritance
(plus dynamic property computation and insertion.)
JavaScript source code:
bar.func = function() {· · · }var name = "fu" + "nc"foo[name]()
↑
bar −→
{ protofunc
...xproto
...xfoo −→
{proto
...
11
![Page 12: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/12.jpg)
Prototype-Based Inheritance
(plus dynamic property computation and insertion.)
JavaScript source code:
bar.func = function() {· · · }var name = "fu" + "nc"foo[name]()
↑
bar −→
{ protofunc
...xproto
...xfoo −→
{proto
...
11
![Page 13: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/13.jpg)
Prototype-Based Inheritance
(plus dynamic property computation and insertion.)
JavaScript source code:
bar.func = function() {· · · }var name = "fu" + "nc"foo[name]()
↑
bar −→
{ protofunc
...xproto
...xfoo −→
{proto
...
11
![Page 14: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/14.jpg)
Prototype-Based Inheritance
(plus dynamic property computation and insertion.)
JavaScript source code:
bar.func = function() {· · · }var name = "fu" + "nc"foo[name]()
↑
bar −→
{ protofunc
...xproto
...xfoo −→
{proto
...
11
![Page 15: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/15.jpg)
Implicit Conversion: var x = myArray[idx]
What happens in the interpreter:
if myArray is null or undefined then raise type-errorif myArray is primitive then obj = toObject(myArray)else obj = myArrayif idx is primitive then property = toString(idx)else if idx.toString is callable then
if tmp is primitive then property = toString(tmp)elseVAL:if idx.valueOf is callable then
if tmp is primitive then property = toString(tmp)else raise type-error
else raise type-errorelse goto VALx = obj.property
12
![Page 16: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/16.jpg)
Implicit Conversion: var x = myArray[idx]
What happens in the interpreter:
if myArray is null or undefined then raise type-errorif myArray is primitive then obj = toObject(myArray)else obj = myArrayif idx is primitive then property = toString(idx)else if idx.toString is callable then
tmp = idx.toString()if tmp is primitive then property = toString(tmp)else
VAL:if idx.valueOf is callable then
tmp = idx.valueOf()if tmp is primitive then property = toString(tmp)else raise type-error
else raise type-errorelse goto VALx = obj.property
12
![Page 17: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/17.jpg)
Implicit Conversion: var x = myArray[idx]
What happens in the interpreter:
if myArray is null or undefined then raise type-errorif myArray is primitive then obj = toObject(myArray)else obj = myArrayif idx is primitive then property = toString(idx)else if idx.toString is callable then
tmp = idx.toString()if tmp is primitive then property = toString(tmp)else
VAL:if idx.valueOf is callable then
tmp = idx.valueOf()if tmp is primitive then property = toString(tmp)else raise type-error
else raise type-errorelse goto VALx = obj.property
12
![Page 18: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/18.jpg)
Talk Outline
• Motivation
• The JavaScript Language
• General Approaches to JavaScript Analysis
• The JSAI JavaScript Analyzer
• Some Lessons Learned
• The Challenges Ahead
13
![Page 19: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/19.jpg)
To be Sound or Not to be Sound
• It is hard to be simultaneously sound, precise, and efficientF This is always true, but for JavaScript achieving soundness is
especially difficult
• Most JavaScript analyses give up on soundness, and for somedomains this is perfectly OK, e.g., IDEs
F Code completion (Feldthaus et al, OOPSLA’13)
F Approximate callgraph construction (Feldthaus et al, ICSE’13)
• Other domains require soundness, e.g., security
F Addon security vetting (Kashyap et al, CGO’14)
• In general, it’s easier to start with soundness and remove featuresthan to start with unsoundness and add features
14
![Page 20: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/20.jpg)
Intermediate Representations
What level of IR should we analyze?
Source Codeww�High-Level IRww�Mid-Level IRww�Low-Level IR
• Lower-Level IRF Pro: Simple, regular expressions;
implicit operations made explicit
F Con: Complex translation; resultshard to map to the source code
• Higher-Level IRF Pro: Simple translation (if any);
easy to map results to source code
F Con: Complex, irregularexpressions; implicit semantics
15
![Page 21: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/21.jpg)
Type of Analysis
What analysis method should we use?
• Constraint-Based (Flow-Insensitive)
F Non-starter!
F We need flow-sensitivity at a minimum
• Dataflow Analysis (CFG-based)
F A popular choice, but (in my opinion) flawed
F We need complex analysis to compute control-flow
• State Reachability (Abstract Interpretation-based)
F Abstracting abstract machines (Van Horn and Might, ICFP’10)
F Widening for control-flow (Hardekopf et al, VMCAI’14)
16
![Page 22: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/22.jpg)
Other Research Groups
There are other research groups doing excellent work on JavaScriptstatic analysis who have explored in different directions.
• Anders Møller’s group, Aarhus University, Denmark
• WALA group, IBM T.J. Watson
• Sukyoung Ryu’s group, KAIST, Korea
• And others...
17
![Page 23: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/23.jpg)
Talk Outline
• Motivation
• The JavaScript Language
• General Approaches to JavaScript Analysis
• The JSAI JavaScript Analyzer
• Some Lessons Learned
• The Challenges Ahead
18
![Page 24: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/24.jpg)
JSAI Challenges
• How to guarantee soundess?F People have tried “best effort” and it doesn’t work
F Need formalisms, abstract interpretation
• How to define static analysis?F Standard dataflow analysis doesn’t work (no CFG available)
F Need different formulation of static analysis
• What abstractions/sensitivities should be used?F No one knows what abstractions and sensitivities work best
F Need to easily experiment with different possibilities
19
![Page 25: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/25.jpg)
JSAI Features
• Features of JSAIF First provably sound static analysis for JavaScript
F Extensively tested against commercial JavaScript engines
F Configurable control-flow sensitivity and abstract domains
F Novel abstract domains for objects and strings
• Publically available to research communityF Build client analyses
F Experiment with abstract domains
F Experiment with sensitivities
20
![Page 26: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/26.jpg)
JSAI Architecture
Concretesemantics
Concreteresult
JavaScriptprogram
notJSIR
Sensitivitystrategy
Abstractsemantics
Abstractresult
translate
specify
execute
execute
21
![Page 27: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/27.jpg)
The notJS IR
We designed the IR with static analysis in mind in order to make theanalysis simpler, more efficient, and more precise.
Selected IR Features
• Separate pure expressions from impure statements
• Translate implicit conversions into explicit operations
• Make the this and arguments parameters explicit
• And more...
22
![Page 28: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/28.jpg)
Concrete Semantics
• Concrete semantics specifies actual program behaviorF Define as a state transition system
F Technically, an abstract machine smallstep operational semantics
• Sound analysis⇒ formal semanticsF Forces us to precisely specify behavior
F Amenable to proofs
• Reality-check on our understanding of JavaScript behaviorF “Ground truth” for our static analysis
F Heavily tested on over 1 million JavaScript programs, usingSpidermonkey as a reference
23
![Page 29: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/29.jpg)
Concrete State Transition System1 x := random int()2 if (x < 0) {3 x := -x}
4 if (x > 42) {5 x := 42}
6 print x
State = ProgramPoint × StoreStore = Variable→ Z⇒ ∈ State× State
1x 7→?
2x 7→ −50
2x 7→ 33
. . .
3x 7→ −50
4x 7→ 50
5x 7→ 50
6x 7→ 42
4x 7→ 33
6x 7→ 33
24
![Page 30: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/30.jpg)
Abstract Semantics
• Also in the form of a state transition systemF Think of an abstract state as representing a (potentially infinite) set
of possible concrete states
F There is no control-flow graph; the analysis computes the set ofreachable abstract states using the state transition system
• Specifies the actual static analysisF Combines type inference, pointer analysis, control-flow analysis,
string analysis, and boolean and number constant propagation
F Novel abstract domains to represent objects and strings
• Sound wrt the concrete semantics
25
![Page 31: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/31.jpg)
Abstract State Transition System1 x := random int()2 if (x < 0) {3 x := -x}
4 if (x > 42) {5 x := 42}
6 print x
State] = ProgramPoint × Store]
Store] = Variable→ Z]
⇒ ∈ State] × State]
1x 7→ ⊥
2x 7→ (−∞,∞)
3x 7→ (−∞,−1]
4x 7→ [1,∞)
5x 7→ [43,∞)
6x 7→ [42, 42]
6x 7→ [1, 42]
4x 7→ [0,∞)
5x 7→ [43,∞)
6x 7→ [42, 42]
6x 7→ [0, 42]
26
![Page 32: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/32.jpg)
Configurable Sensitivity
• The previous abstract semantics is exponential in the number ofnondeterministic transitions
• Control-flow sensitivity bounds the state space
F Flow-sensitivity, context-sensitivity, path-sensitivity
F Enables trade-offs between precision versus performanceF An analysis usually bakes in a specific sensitivity
• Theoretical insight: Completely separate sensitivity strategyfrom abstract semantics
F Define and implement abstract semantics independently from thesensitivity strategy
F Plug in sensitivity strategies a posteriori, modularly tuning theanalysis sensitivity
27
![Page 33: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/33.jpg)
Widened Abstract State Transition System1 x := random int()2 if (x < 0) {3 x := -x}
4 if (x > 42) {5 x := 42}
6 print x
State] = ProgramPoint × Store]
Store] = Variable→ Z]
⇒ ∈ State] × State]
1x 7→ ⊥
2x 7→ (−∞,∞)
3x 7→ (−∞,−1]
4x 7→ [0,∞)
5x 7→ [43,∞)
6x 7→ [0, 42]
28
![Page 34: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/34.jpg)
JSAI Architecture Review
Concretesemantics
Concreteresult
JavaScriptprogram
notJSIR
Sensitivitystrategy
Abstractsemantics
Abstractresult
translate
specify
execute
execute
29
![Page 35: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/35.jpg)
JSAI Evaluation
• We evaluate JSAI for both performance and precisionF We use a type-error analysis to measure relative precision:
because the analysis is sound, fewer potential type errors meansmore precise
• 28 benchmarks, 4 different categories of JavaScript programs(prior work mostly used just the first category)
F Standard benchmarks (Sunspider, Octane)F Browser addonsF Real-world open-source programs from GithubF Generated JavaScript via Emscripten
• Tested 56 different sensitivitiesF Largest such study ever done, due to our configurable sensitivity
30
![Page 36: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/36.jpg)
Selected Results
5.4-stack
1.0-stack 5.4-obj
1.0-obj
fs
31
![Page 37: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/37.jpg)
Talk Outline
• Motivation
• The JavaScript Language
• General Approaches to JavaScript Analysis
• The JSAI JavaScript Analyzer
• Some Lessons Learned
• The Challenges Ahead
32
![Page 38: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/38.jpg)
Reduced Product is Essential
Computing control-flow and data-flow requires:
• Type inference• Pointer analysis• Control-flow analysis• String analysis• Number analysis• Boolean constant propagation
All of these need to work together in carefully designed harmony inorder to get useful results.
33
![Page 39: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/39.jpg)
String and Object Abstract Domains Very Important
• Object classes. Objects come from different pre-defined classes,e.g., Array, Function, Number, etc. An object’s class affects itssemantics.
F Example: assignment to length property for Array vs non-Array
• Property names. The names of properties are just strings;looking up an unknown string as a property can lose tremendousamounts of precision.
F Example: Prototype-based inheritance means that the resultsmerge all properties of all objects in the prototype chain
34
![Page 40: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/40.jpg)
Type Refinement
Old idea: refine abstract values based on branch conditions.
• Often ignored in dataflow analysis• Especially important for JavaScript• Most important refinements are to type information• Most important branches are implicit in the semantics• A low-level IR helps tremendously
We tried this with JSAI for a type-error client analysis.
• Average 53% reduction in reported type errors• Maximum 86% reduction in reported type errors
35
![Page 41: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/41.jpg)
Higher Precision ⊃ Better Performance
5.4-stack
1.0-stack 5.4-obj
1.0-obj
fs
36
![Page 42: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/42.jpg)
Context-Sensitivity: Callstring > Object
5.4-stack
1.0-stack 5.4-obj
1.0-obj
fs
37
![Page 43: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/43.jpg)
State Reachability ⊃ Good Parallelization
The state reachability method for static analysis turns out to beamenable to parallelization:
• State reachability is embarassingly parallel
• Merging states for sensitivity adds synchronization points
• Different sensitivities tradeoff parallelism for reduced state space
We tried this for JSAI.
• 2–4× speedup on average, 36× maximum
• We think it could do even better with more work
38
![Page 44: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/44.jpg)
Talk Outline
• Motivation
• The JavaScript Language
• General Approaches to JavaScript Analysis
• The JSAI JavaScript Analyzer
• Some Lessons Learned
• The Challenges Ahead
39
![Page 45: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/45.jpg)
Sensitivities and Abstractions
What are the right ones to use?
• Better abstractions for strings and objects
• Better sensitivities for precision and performance
Need to explore more sensitivities to find the sweet-spot (JavaScript’sequivalent of object-sensitivity for Java).
JSAI’s configurable sensitivity helps make this feasible.
40
![Page 46: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/46.jpg)
Performance
We can handle 1,000s–10,000s LOC, but we need to handle 100,000s.
• Parallelism. We’ve made a good start, but need more
• Sparseness. Traditional SSA won’t cut it; what can we do?
F Complex dependencies, need to consider branch conditions
F Some progress. (Jensen et al, SAS 2010; Madsen et al, 2014)
F Not a solved problem
• Other ideas?
41
![Page 47: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/47.jpg)
Frameworks
JavaScript frameworks are extremely useful and popular, e.g., JQuery.
• Some of the hairiest JavaScript code you’ll ever see
• Very difficult to get precision and performance
• One of the biggest open problems in JavaScript analysis
• Some progress, but much remains (Shafer et al, PLDI’13;Andreasen et al, OOPSLA’14)
42
![Page 48: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/48.jpg)
Dynamic Code Injection
Handling eval and family.
Dynamic code injection is the bane of static analysis. What can we do?
• Some application domains don’t use eval
F Browser addons
F Machine-generated JavaScript
• Sometimes we can eliminate eval from the program
F Unnecessary uses of eval when other techniques will work
• What about when we do have to deal with eval?F Assume and enforce?
F Dynamically patch analysis?
F Other ideas?
43
![Page 49: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/49.jpg)
Dialects of JavaScript
Different JavaScript engines have effectively their own dialects.
• JavaScript engine implementors sometimes consider the ECMAlanguage specification more of a “suggestion”
F Mozilla SpiderMonkey allows assignment to object prototype fields
• Different engines refine underspecified behavior in different ways
F V8 vs SpiderMonkey: different iteration orders for for..in loops
• Production engines are used to proselytize potential futurelanguage extensions
F Mozilla SpiderMonkey: object proxies, typed arrays
44
![Page 50: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/50.jpg)
Different Environments
JavaScript is used in different settings which require static analyses tomodel different external environments.
• Web pages: DOM
• Addons: XPCOM
• Server: Node.js API
This is a major problem and concern for JavaScript analysisinfrastructures.
45
![Page 51: Department of Computer Science University of California ... · The JavaScript Language Imperative, dynamically-typed language F Objects, prototype-based inheritance, closures, exceptions](https://reader034.fdocuments.net/reader034/viewer/2022042320/5f09abd67e708231d427f48f/html5/thumbnails/51.jpg)
The End
Questions?
46