Affiliation:
1. University of Colorado Boulder, USA
2. Aarhus University, Denmark
Abstract
Static analysis tools for JavaScript must strike a delicate balance, achieving the level of precision required by the most complex features of target programs without incurring prohibitively high analysis time. For example, reasoning about dynamic property accesses sometimes requires precise relational information connecting the object, the dynamically-computed property name, and the property value. Even a minor precision loss at such critical program locations can result in a proliferation of spurious dataflow that renders the analysis results useless.
We present a technique by which a conventional non-relational static dataflow analysis can be combined soundly with a value refinement mechanism to increase precision on demand at critical locations. Crucially, our technique is able to incorporate relational information from the value refinement mechanism into the non-relational domain of the dataflow analysis.
We demonstrate the feasibility of this approach by extending an existing JavaScript static analysis with a demand-driven value refinement mechanism that relies on backwards abstract interpretation. Our evaluation finds that precise analysis of widely used JavaScript utility libraries depends heavily on the precision at a small number of critical locations that can be identified heuristically, and that backwards abstract interpretation is an effective mechanism to provide that precision on demand.
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality,Software
Cited by
12 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Precise Compositional Buffer Overflow Detection via Heap Disjointness;Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis;2024-09-11
2. HODOR: Shrinking Attack Surface on Node.js via System Call Limitation;Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security;2023-11-15
3. Reusing Single-Language Analyses for Static Analysis of Multi-language Programs;Companion Proceedings of the 2023 ACM SIGPLAN International Conference on Systems, Programming, Languages, and Applications: Software for Humanity;2023-10-22
4. Automatically deriving JavaScript static analyzers from specifications using Meta-level static analysis;Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering;2022-11-07
5. A Survey of Parametric Static Analysis;ACM Computing Surveys;2022-09-30