Abstract
Static analysis tools for JavaScript must strike a delicate balance, achieving the level of precision required by the most complex features of target programs without incurring prohibitively high analysis time. For example, reasoning about dynamic property accesses sometimes requires precise relational information connecting the object, the dynamically-computed property name, and the property value. Even a minor precision loss at such critical program locations can result in a proliferation of spurious dataflow that renders the analysis results useless.
We present a technique by which a conventional non-relational static dataflow analysis can be combined soundly with a value refinement mechanism to increase precision on demand at critical locations. Crucially, our technique is able to incorporate relational information from the value refinement mechanism into the non-relational domain of the dataflow analysis.
We demonstrate the feasibility of this approach by extending an existing JavaScript static analysis with a demand-driven value refinement mechanism that relies on backwards abstract interpretation. Our evaluation finds that precise analysis of widely used JavaScript utility libraries depends heavily on the precision at a small number of critical locations that can be identified heuristically, and that backwards abstract interpretation is an effective mechanism to provide that precision on demand.
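The precision loss at a dynamic property access can be seen in a toy setting. The following is an added illustration, not code from the paper or its analysis tool: it abstracts the statement `dst[k] = src[k]` with `k` known only as a set of possible names, first non-relationally and then with the relation between name and value preserved. The set-of-labels domain, the sample object and all function names are assumptions made for this sketch, and `copyRefined` only simulates having the relational information; it does not show how backwards abstract interpretation obtains it.

```javascript
// Added illustration; the abstract domain and every name here are assumptions.
// Abstract object: Map from property name -> Set of labels for possible values.
const src = new Map([
  ["each",   new Set(["fn:each"])],
  ["map",    new Set(["fn:map"])],
  ["filter", new Set(["fn:filter"])],
]);

// Non-relational transfer function for `dst[k] = src[k]` when k is only known
// to be one of `names`: the read src[k] joins all candidate values, and the
// write dst[k] weakly updates every candidate property with that join.
function copyNonRelational(srcObj, names) {
  const read = new Set();
  for (const n of names)
    for (const v of srcObj.get(n) ?? ["undefined"]) read.add(v);
  const dst = new Map();
  for (const n of names) dst.set(n, new Set(read));
  return dst;
}

// Same statement with the relation "the value written to dst[k] is src[k] for
// the same k" preserved: each possible name is handled separately, so the
// read and the write agree on k.
function copyRefined(srcObj, names) {
  const dst = new Map();
  for (const n of names) dst.set(n, new Set(srcObj.get(n) ?? ["undefined"]));
  return dst;
}

// Count (property, value) facts in `imprecise` that `precise` does not contain.
function spuriousFacts(imprecise, precise) {
  let count = 0;
  for (const [name, values] of imprecise)
    for (const v of values) if (!precise.get(name)?.has(v)) count++;
  return count;
}

const names = [...src.keys()];
const coarse = copyNonRelational(src, names);
const fine = copyRefined(src, names);
console.log("non-relational dst.map:", [...coarse.get("map")]);
console.log("refined dst.map:       ", [...fine.get("map")]);
console.log("spurious facts:        ", spuriousFacts(coarse, fine));
```

With n candidate names the non-relational result holds n × n property-value facts against n in the refined one, and every later call through `dst` inherits the extra targets.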
Index Terms
Static analysis with demand-driven value refinement