research-article

All about the with statement in JavaScript: removing with statements in JavaScript applications

Published: 28 October 2013

Abstract

The with statement in JavaScript makes static analysis of JavaScript applications difficult by introducing a new scope at run time and thus invalidating lexical scoping. Therefore, many static approaches to JavaScript program analysis and the strict mode of ECMAScript 5 simply disallow the with statement. To justify exclusion of the with statement, we should better understand the actual usage patterns of the with statement.

In this paper, we present the usage patterns of the with statement in real-world JavaScript applications currently used in the 898 most popular web sites. We investigate whether we can rewrite the with statements in each pattern to other statements not using the with statement. We show that we can rewrite all the static occurrences of the with statement that do not have any dynamic code generating functions. Even though the rewriting process is not applicable to any dynamically generated with statements, our results are still promising. Because all the static approaches that disallow the with statement also disallow dynamic code generation, such static approaches can allow the with statement using our rewriting process. We formally present our rewriting strategy, provide its implementation, and show its faithfulness using extensive testing. We believe that removing with statements will simplify JavaScript program analysis designs without considering dynamic scope introduction while imposing fewer syntactic restrictions.
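The scoping problem the abstract describes, as an added example that is not taken from the paper: inside `with (o)`, whether `x` names `o.x` or the enclosing variable is only decided at run time, and the rewritten form makes that decision explicit. The rewrite shown is a simple illustration rather than the paper's formal strategy, and all function names and inputs are constructed for the example.

```javascript
// Added illustration; withVersion, rewritten and compare are hypothetical names.
// `with` is a SyntaxError in strict mode and in ES modules, so the original form
// is compiled via the Function constructor, whose body is non-strict code.
const withVersion = new Function("o", "x", `
  with (o) {      // o joins the scope chain at run time
    x = x + 1;    // x means o.x if "x" in o, otherwise the parameter x
  }
  return x;       // outside the block: always the parameter
`);

// The same behaviour with the run-time scope decision written out explicitly.
// Assumes ES5 semantics; ES2015's Symbol.unscopables is not modelled.
function rewritten(o, x) {
  if ("x" in o) {
    o.x = o.x + 1;
  } else {
    x = x + 1;
  }
  return x;
}

// Run both forms on fresh copies of a constructed scope object.
function compare(makeScope) {
  const a = makeScope();
  const b = makeScope();
  return {
    withForm: [withVersion(a, 10), a.x],
    rewrittenForm: [rewritten(b, 10), b.x],
  };
}

// Constructed inputs: own property, no property, inherited property.
const cases = {
  own: compare(() => ({ x: 1 })),
  absent: compare(() => ({})),
  inherited: compare(() => Object.create({ x: 5 })),
};
console.log(JSON.stringify(cases));
```

The same source line updates the object in two of the three cases and the local variable in the third, which is the ambiguity a static analysis cannot resolve from the program text alone.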



Published in

ACM SIGPLAN Notices, Volume 49, Issue 2
DLS '13
February 2014
105 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2578856

DLS '13: Proceedings of the 9th symposium on Dynamic languages
October 2013
118 pages
ISBN: 9781450324335
DOI: 10.1145/2508168

Copyright © 2013 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
