Abstract
The with statement in JavaScript makes static analysis of JavaScript applications difficult by introducing a new scope at run time and thus invalidating lexical scoping. Therefore, many static approaches to JavaScript program analysis and the strict mode of ECMAScript 5 simply disallow the with statement. To justify exclusion of the with statement, we should better understand the actual usage patterns of the with statement.
In this paper, we present the usage patterns of the with statement in real-world JavaScript applications currently used in the 898 most popular web sites. We investigate whether we can rewrite the with statements in each pattern to other statements not using the with statement. We show that we can rewrite all the static occurrences of the with statement that do not have any dynamic code generating functions. Even though the rewriting process is not applicable to any dynamically generated with statements, our results are still promising. Because all the static approaches that disallow the with statement also disallow dynamic code generation, such static approaches can allow the with statement using our rewriting process. We formally present our rewriting strategy, provide its implementation, and show its faithfulness using extensive testing. We believe that removing with statements will simplify JavaScript program analysis designs without considering dynamic scope introduction while imposing fewer syntactic restrictions.
- Christopher Anderson, Paola Giannini, and Sophia Drossopoulou. Towards type inference for JavaScript. In Proceedings of the 19th European Conference on Object-Oriented Programming, 2005. Google Scholar
Digital Library
- Ravi Chugh, Jeffrey A. Meister, Ranjit Jhala, and Sorin Lerner. Staged information flow for JavaScript. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation, 2009. Google Scholar
Digital Library
- Douglas Crockford. ADsafe. http://www.adsafe.org.Google Scholar
- Douglas Crockford. with Statement Considered Harmful. http://yuiblog.com/blog/2006/04/11/ with-statement-considered-harmful/.Google Scholar
- European Association for Standardizing Information and Communication Systems (ECMA). ECMA-262: ECMAScript Language Specification. Edition 5.1, 2011.Google Scholar
- Google. Caja. http://code.google.com/p/google-caja.Google Scholar
- Salvatore Guarnieri and Benjamin Livshits. Gatekeeper: Mostly static enforcement of security and reliability policies for JavaScript code. In Proceedings of the 18th Conference on USENIX Security Symposium, 2009. Google Scholar
Digital Library
- Arjun Guha, Shriram Krishnamurthi, and Trevor Jim. Using static analysis for Ajax intrusion detection. In Proceedings of the 18th International Conference on World Wide Web, 2009. Google Scholar
Digital Library
- Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi. The essence of JavaScript. In Proceedings of the 24th European Conference on Object-Oriented Programming, 2010. Google Scholar
Digital Library
- Phillip Heidegger and Peter Thiemann. Recency types for analyzing scripting languages. In Proceedings of the 24th European Conference on Object-Oriented Programming, 2010. Google Scholar
Digital Library
- Dongseok Jang, Ranjit Jhala, Sorin Lerner, and Hovav Shacham. An empirical study of privacy-violating information flows in JavaScript web applications. In Proceedings of the 17th ACM Conference on Computer and Communications Security, 2010. Google Scholar
Digital Library
- Simon Holm Jensen, Peter A. Jonsson, and Anders Møller. Remedying the eval that men do. In Proceedings of the 2012 International Symposium on Software Testing and Analysis, ISSTA 2012, pages 34--44, New York, NY, USA, 2012. ACM. Google Scholar
Digital Library
- Simon Holm Jensen, Anders Møller, and Peter Thiemann. Type analysis for JavaScript. In Proceedings of the 16th International Symposium on Static Analysis, SAS '09, pages 238--255, Berlin, Heidelberg, 2009. Springer-Verlag. Google Scholar
Digital Library
- Simon Holm Jensen, Anders Møller, and Peter Thiemann. Interprocedural analysis with lazy propagation. In Proceedings of the 17th international conference on Static analysis, SAS'10, pages 320--339, Berlin, Heidelberg, 2010. Springer-Verlag. Google Scholar
Digital Library
- Hongki Lee, Sooncheol Won, Joonho Jin, Junhee Cho, and Sukyoung Ryu. SAFE: Formal specification and implementation of a scalable analysis framework for ECMAScript. In International Workshop on Foundations of Object Oriented Languages, FOOL'12, 2012.Google Scholar
- Sergio Maffeis, John C. Mitchell, and Ankur Taly. An operational semantics for JavaScript. In Proceedings of the 6th Asian Symposium on Programming Languages and Systems, 2008. Google Scholar
Digital Library
- Sergio Maffeis, John C. Mitchell, and Ankur Taly. Isolating JavaScript with filters, rewriting, and wrappers. In 14th European Symposium on Research in Computer Security, 2009. Google Scholar
Digital Library
- Sergio Maffeis, John C. Mitchell, and Ankur Taly. Object capabilities and isolation of untrusted web applications. In IEEE Symposium on Security and Privacy, 2010. Google Scholar
Digital Library
- Changhee Park, Hongki Lee, and Sukyoung Ryu. An empirical study on the rewritability of the with statement in JavaScript. In International Workshop on Foundations of Object Oriented Languages, FOOL'11, 2011.Google Scholar
- Changhee Park, Hongki Lee, and Sukyoung Ryu. All about the with statement in JavaScript: Removing with statements in JavaScript applications. http://plrg.kaist.ac.kr/research/publications, 2013.Google Scholar
- Joe Gibbs Politz, Spiridon Aristides Eliopoulos, Arjun Guha, and Shriram Krishnamurthi. ADsafety: type-based verification of JavaScript sandboxing. In Proceedings of the 20th USENIX conference on Security, SEC'11, pages 12--12, Berkeley, CA, USA, 2011. USENIX Association. Google Scholar
Digital Library
- John Resig and Bear Bibeault. Secrets of the JavaScript Ninja. Manning Publications, 2011.Google Scholar
- Gregor Richards, Christian Hammer, Brian Burg, and Jan Vitek. The eval that men do: a large-scale study of the use of eval in JavaScript applications. In Proceedings of the 25th European Conference on Object-Oriented Programming. Springer LNCS, 2011. Google Scholar
Digital Library
- Gregor Richards, Sylvain Lebresne, Brian Burg, and Jan Vitek. An analysis of the dynamic behavior of JavaScript programs. In Proceedings of the 2010 ACM SIGPLAN Conference on Programming Language Design and Implementation, 2010. Google Scholar
Digital Library
- Ankur Taly, Ulfar Erlingsson, John C. Michell, Mark S. Miller, and Jasvir Nagra. Automated analysis of security-critical JavaScript APIs. In IEEE Symposium on Security and Privacy, 2011. Google Scholar
Digital Library
- Peter Thiemann. Towards a type system for analyzing JavaScript programs. In Proceedings of the 14th European Symposium on Programming, 2005. Google Scholar
Digital Library
- T.J. Watson Libraries for Analysis (WALA). http://wala.sf.net.Google Scholar
Index Terms
All about the with statement in JavaScript: removing with statements in JavaScript applications
Recommendations
Analysis of JavaScript Programs: Challenges and Research Trends
JavaScript has been a de facto standard language for client-side web programs, and now it is expanding its territory to general purpose programs. In this article, we classify the client-side JavaScript research for the last decade or so into six topics: ...
All about the with statement in JavaScript: removing with statements in JavaScript applications
DLS '13: Proceedings of the 9th symposium on Dynamic languagesThe with statement in JavaScript makes static analysis of JavaScript applications difficult by introducing a new scope at run time and thus invalidating lexical scoping. Therefore, many static approaches to JavaScript program analysis and the strict ...







Comments