research-article
Open Access

Static analysis with demand-driven value refinement

Published: 10 October 2019

Abstract

Static analysis tools for JavaScript must strike a delicate balance, achieving the level of precision required by the most complex features of target programs without incurring prohibitively high analysis time. For example, reasoning about dynamic property accesses sometimes requires precise relational information connecting the object, the dynamically-computed property name, and the property value. Even a minor precision loss at such critical program locations can result in a proliferation of spurious dataflow that renders the analysis results useless.

We present a technique by which a conventional non-relational static dataflow analysis can be combined soundly with a value refinement mechanism to increase precision on demand at critical locations. Crucially, our technique is able to incorporate relational information from the value refinement mechanism into the non-relational domain of the dataflow analysis.

We demonstrate the feasibility of this approach by extending an existing JavaScript static analysis with a demand-driven value refinement mechanism that relies on backwards abstract interpretation. Our evaluation finds that precise analysis of widely used JavaScript utility libraries depends heavily on the precision at a small number of critical locations that can be identified heuristically, and that backwards abstract interpretation is an effective mechanism to provide that precision on demand.
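
The precision loss described in the first paragraph, as an added example that is not code from the paper: a toy abstract transfer function for a dynamic property copy `dst[p] = src[p]`, first with the name and the value abstracted independently, then with the name-to-value relation available at the write. The object model and all function names are hypothetical, the sample input is constructed, and `copyWithRelation` only stands in for the information a refinement would supply; it does not implement backwards abstract interpretation.

```javascript
// Added illustration (not from the paper). All names are hypothetical.
// Abstract object: property name -> Set of abstract values (function labels).
// Constructed sample input: the source object of a mixin-style copy loop.
const src = new Map([
  ["get", new Set(["fnGet"])],
  ["set", new Set(["fnSet"])],
  ["del", new Set(["fnDel"])],
]);
// Abstract value of the computed name p in `dst[p] = src[p]`.
const names = new Set(["get", "set", "del"]);

const valuesOf = (obj, n) => obj.get(n) ?? new Set();

// Non-relational transfer: p and src[p] are abstracted independently, so the
// read joins every candidate property and the write hits every candidate name.
function copyNonRelational(obj, ps) {
  const read = new Set();
  for (const n of ps) for (const v of valuesOf(obj, n)) read.add(v);
  const dst = new Map();
  for (const n of ps) dst.set(n, new Set(read));
  return dst;
}

// Transfer with the (name, value) relation known at the write: each candidate
// name receives only the value read under that same name.
function copyWithRelation(obj, ps) {
  const dst = new Map();
  for (const n of ps) dst.set(n, new Set(valuesOf(obj, n)));
  return dst;
}

// Count (property, value) pairs in dst that no concrete execution produces.
function spuriousFlows(dst, obj) {
  let count = 0;
  for (const [n, vals] of dst)
    for (const v of vals) if (!valuesOf(obj, n).has(v)) count++;
  return count;
}

console.log("non-relational:", spuriousFlows(copyNonRelational(src, names), src));
console.log("with relation: ", spuriousFlows(copyWithRelation(src, names), src));
```

With three copied properties the independent abstraction already reports six value flows that cannot occur, and each one becomes a spurious call edge wherever a copied method is later invoked.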

Supplemental Material

Presentation at OOPSLA '19

Published in

Proceedings of the ACM on Programming Languages, Volume 3, Issue OOPSLA
October 2019
2077 pages
EISSN: 2475-1421
DOI: 10.1145/3366395

Copyright © 2019 Owner/Author

Publisher: Association for Computing Machinery, New York, NY, United States
