Abstract

Static analysis tools for JavaScript must strike a delicate balance, achieving the level of precision required by the most complex features of target programs without incurring prohibitively high analysis time. For example, reasoning about dynamic property accesses sometimes requires precise relational information connecting the object, the dynamically-computed property name, and the property value. Even a minor precision loss at such critical program locations can result in a proliferation of spurious dataflow that renders the analysis results useless. We present a technique by which a conventional non-relational static dataflow analysis can be combined soundly with a value refinement mechanism to increase precision on demand at critical locations. Crucially, our technique is able to incorporate relational information from the value refinement mechanism into the non-relational domain of the dataflow analysis. We demonstrate the feasibility of this approach by extending an existing JavaScript static analysis with a demand-driven value refinement mechanism that relies on backwards abstract interpretation. Our evaluation finds that precise analysis of widely used JavaScript utility libraries depends heavily on the precision at a small number of critical locations that can be identified heuristically, and that backwards abstract interpretation is an effective mechanism to provide that precision on demand.

Highlights

  • The many dynamic features of the JavaScript programming language provide great flexibility, but they make it difficult to reason statically about dataflow and control-flow

  • We demonstrate the feasibility of this approach by extending an existing JavaScript static analysis with a demand-driven value refinement mechanism that relies on backwards abstract interpretation

  • We evaluate each tool on three sets of benchmarks: a series of micro-benchmarks designed as minimal representative examples of dynamic property manipulation patterns, a collection of evaluation suites drawn from other JavaScript static analysis research papers, and the unit test suites of two popular JavaScript libraries that are unanalyzable by the existing static analysis tools


Summary

INTRODUCTION

The many dynamic features of the JavaScript programming language provide great flexibility, but they make it difficult to reason statically about dataflow and control-flow. We find that demand-driven value refinement is effective for providing precise relational information, even though the abstract domain of the underlying dataflow analysis is non-relational. Such relational information is essential for the precise analysis of many common dynamic language programming paradigms, especially those found in widely-used libraries like Underscore and Lodash that rely heavily on metaprogramming. We present a separation logic-based backwards abstract interpreter, which can answer value refinement queries to precisely refine abstract values and provide relational precision to the non-relational dataflow analysis as an abstract domain reduction. This backwards analysis is described first for the minimal dynamic language (Section 5) and then for JavaScript (Section 6).
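An added illustration, not code from the paper or from any analyzer it describes: a mixin-style copy loop with a dynamically computed property name, and a toy model of why losing the link between name and value produces spurious dataflow while a per-name refinement does not. The abstract values (sets of function labels) and the helper names `copyNonRelational`, `copyRefined` and `spuriousFlows` are assumptions made for this sketch.

```javascript
// Concrete pattern: the property name is computed at run time, so the
// object, the name and the value read are correlated on every iteration.
function mixin(target, source) {
  for (const name of Object.keys(source)) {
    target[name] = source[name];
  }
  return target;
}

// Toy abstract value: a Set of labels naming which functions may flow here.
const join = (a, b) => new Set([...a, ...b]);

// Non-relational transfer: `name` is known only as a set of possible strings.
// The read joins every candidate value, and the write weakly updates every
// candidate property with that join.
function copyNonRelational(absSource, names) {
  let value = new Set();
  for (const n of names) value = join(value, absSource[n]);
  const absTarget = {};
  for (const n of names) absTarget[n] = new Set(value);
  return absTarget;
}

// Refined transfer: for each possible name, use only the value that can be
// read when the written property is that same name (the relational fact).
function copyRefined(absSource, names) {
  const absTarget = {};
  for (const n of names) absTarget[n] = new Set(absSource[n]);
  return absTarget;
}

// Count labels on a target property that the concrete loop can never put there.
function spuriousFlows(absSource, absTarget) {
  let count = 0;
  for (const n of Object.keys(absTarget)) {
    for (const label of absTarget[n]) if (!absSource[n].has(label)) count++;
  }
  return count;
}

// Constructed abstract state: each property holds one distinct function.
const absSource = { map: new Set(["fn_map"]), filter: new Set(["fn_filter"]) };
const names = Object.keys(absSource);

console.log("non-relational:", spuriousFlows(absSource, copyNonRelational(absSource, names)));
console.log("refined:", spuriousFlows(absSource, copyRefined(absSource, names)));
```

With only two properties the imprecise copy already mixes both functions into both slots; in a library that copies many functions this way, every call through the target then appears able to reach every copied function.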

MOTIVATING EXAMPLE
A SIMPLE DYNAMIC LANGUAGE AND DATAFLOW ANALYSIS
A Simple Dynamic Language
DEMAND-DRIVEN VALUE REFINEMENT
Value Refinement
Using Value Refinement in Dataflow Analysis
Using the Base Analysis During Refinements
BACKWARDS ABSTRACT
Abstract Domain
Backwards Abstract Interpretation
Integration of Base Analysis State
INSTANTIATION FOR JAVASCRIPT
A Value Refiner for JavaScript
Functions with Free Variables
Performance Improvements
EVALUATION
Comparison with State-of-the-Art Analyzers
Understanding the Effectiveness of the Value Refiner
RELATED WORK
CONCLUSION
A SOUNDNESS OF DEMAND-DRIVEN VALUE REFINEMENT
C SUPPLEMENTARY EXPERIMENTAL DATA