JSkel: Towards a Formalization of JavaScript’s Semantics

Proceedings of the ACM on Programming Languages, 2019

We propose a novel, unified approach to the development of compositional symbolic execution tools, bridging the gap between classical symbolic execution and compositional program reasoning based on separation logic. Using this approach, we build JaVerT 2.0, a symbolic analysis tool for JavaScript that follows the language semantics without simplifications. JaVerT 2.0 supports whole-program symbolic testing, verification, and, for the first time, automatic compositional testing based on bi-abduction. The meta-theory underpinning JaVerT 2.0 is developed modularly, streamlining the proofs and informing the implementation. Our explicit treatment of symbolic execution errors allows us to give meaningful feedback to the developer during whole-program symbolic testing and guides the inference of resource of the bi-abductive execution. We evaluate the performance of JaVerT 2.0 on a number of JavaScript data-structure libraries, demonstrating: the scalability of our whole-program symbolic te...

Proceedings of the 24th International Symposium on Principles and Practice of Declarative Programming

We present an ongoing formalization of algorithms of ECMAScript, the specification describing the semantics of JavaScript, in a tiny functional metalanguage. We show that this formalization is concise, readable, maintainable, and textually close to the specification. We extract an OCaml interpreter from our description and run small JavaScript programs whose semantics is based on these algorithms.

Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages - POPL '13, 2013

Many tools allow programmers to develop applications in highlevel languages and deploy them in web browsers via compilation to JavaScript. While practical and widely used, these compilers are ad hoc: no guarantee is provided on their correctness for whole programs, nor their security for programs executed within arbitrary JavaScript contexts. This paper presents a compiler with such guarantees. We compile an ML-like language with higher-order functions and references to JavaScript, while preserving all source program properties. Relying on type-based invariants and applicative bisimilarity, we show full abstraction: two programs are equivalent in all source contexts if and only if their wrapped translations are equivalent in all JavaScript contexts. We evaluate our compiler on sample programs, including a series of secure libraries.

We describe JSAI, an abstract interpreter for JavaScript. JSAI uses novel abstract domains to compute a reduced product of type inference, pointer analysis, string analysis, integer and boolean constant propagation, and control-flow analysis. In addition, JSAI allows for analysis control-flow sensitivity (i.e., context-, path-, and heap-sensitivity) to be modularly configured without requiring any changes to the analysis implementation. JSAI is designed to be provably sound with respect to a specific concrete semantics for JavaScript, which has been extensively tested against existing production-quality JavaScript implementations. We provide a comprehensive evaluation of JSAI's performance and precision using an extensive benchmark suite. This benchmark suite includes real-world JavaScript applications, machine-generated JavaScript code via Emscripten, and browser addons. We use JSAI's configurability to evaluate a large number of analysis sensitivities (some well-known, som...

Lecture Notes in Computer Science, 2017

In this position paper, we argue for what we believe is a correct pathway to achieving scalable symbolic verification of JavaScript based on separation logic. We highlight the difficulties imposed by the language, the current state-of-the-art in the literature, and the sequence of steps that needs to be taken. We briefly describe JaVerT, our semiautomatic toolchain for JavaScript verification. We illustrate the complexity of JavaScript by appealing to a JavaScript priority queue library, which uses an implementation based on singly-linked node lists. It is a variation on a Node.js priority queue library that uses doubly linked lists [18], simplified for exposition. We use this example to showcase the intricacies of JavaScript semantics as well as some of the major challenges that need to be addressed before JavaScript programs can be verified.

Le Centre pour la Communication Scientifique Directe - HAL - Université Paris Descartes, 2022

We present Skel, a meta language designed to describe the semantics of programming languages, and Necro, a set of tools to manipulate said descriptions. We show how Skel, although minimal, can faithfully and formally capture informal specifications. We also show how we can use these descriptions to generate OCaml interpreters and Coq formalizations of the specified language.

This is a preliminary version of a technical report accompanying a conference submission of the same title. It differs from the submission in the following main regards. (1) Expanded section 4, where we provide more details on our JavaScript semantics and background on Lambda JS. (2) Expanded section 5, where we provide more details on our verified runtime JSVerify, more details on the heap invariant used in our theory, and more description of the light translation as well. We also improved on some of the syntactic conventions, which helped facilitate the mechanized proof of JSVerify in F . This makes some of definitions look superficially different, although they remain essentially unchanged. For example, rather than overload stub functions in the Abs heap, we now separate them into their own heap compartment called Stub. This makes the proofs easier, although the main ideas remain unchanged. (3) Expanded section 7, with all the details on our applicative bisimulation machinery—we ...

2005

Object-oriented scripting languages like Javascript and Python are popular partly because of their dynamic features. These include the runtime modification of objects and classes through addition of fields or updating of methods. These features make static typing difficult and so usually dynamic typing is used. Consequently, errors such as access to non-existent members are not detected until runtime. We first develop a formalism for an object based language, JS0 with features from Javascript, including dynamic addition of fields and updating of methods. We give an operational semantics and static type system for JS0using structural types. Our types allow objects to evolve in a controlled manner by classifying members as definite or potential. We define a type inference algorithm for JS0 that is sound with respect to the type system. If the type inference algorithm succeeds, then the program is typeable. Therefore, programmers can benefit from the safety offered by the type system, without the need to write explicitly types in their programs.

Lecture Notes in Computer Science, 2009

JavaScript is the main scripting language for Web browsers, and it is essential to modern Web applications. Programmers have started using it for writing complex applications, but there is still little tool support available during development. We present a static program analysis infrastructure that can infer detailed and sound type information for JavaScript programs using abstract interpretation. The analysis is designed to support the full language as defined in the ECMAScript standard, including its peculiar object model and all built-in functions. The analysis results can be used to detect common programming errors -or rather, prove their absence, and for producing type information for program comprehension. Preliminary experiments conducted on real-life JavaScript code indicate that the approach is promising regarding analysis precision on small and medium size programs, which constitute the majority of JavaScript applications. With potential for further improvement, we propose the analysis as a foundation for building tools that can aid JavaScript programmers.

2011

This paper describes an implementation of a non-strict purely functional language in JavaScript. This particular implementation is based on the translation of a high-level functional language such as Haskell or Clean into JavaScript via the intermediate functional language Sapl. The resulting code relies on the use of an evaluator function to emulate the non-strict semantics of these languages. The speed of execution is competitive with that of the original Sapl interpreter itself and better than that of other existing interpreters.

2010

As AJAX applications gain popularity, client-side JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To handle JavaScript code's complex use of string operations, we design a new language of string constraints and implement a solver for it. We build an automatic end-to-end tool, Kudzu, and apply it to the problem of finding client-side code injection vulnerabilities. In experiments on 18 live web applications, Kudzu automatically discovers 2 previously unknown vulnerabilities and 9 more that were previously found only with a manually-constructed test suite.

Proceedings of the 20th International Symposium on Principles and Practice of Declarative Programming

We present a framework for trustworthy symbolic execution of JavaScripts programs, whose aim is to assist developers in the testing of their code: the developer writes symbolic tests for which the framework provides concrete counter-models. We create the framework following a new, general methodology for designing compositional program analyses for dynamic languages. We prove that the underlying symbolic execution is sound and does not generate false positives. We establish additional trust by using the theory to precisely guide the implementation and by thorough testing. We apply our framework to whole-program symbolic testing of real-world JavaScript libraries and compositional debugging of separation logic specifications of JavaScript programs.

Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security - PLAS '13, 2013

Dependency analysis is a program analysis that determines potential data flow between program points. While it is not a security analysis per se, it is a viable basis for investigating data integrity, for ensuring confidentiality, and for guaranteeing sanitization. A noninterference property can be stated and proved for the dependency analysis.

Journal of Artificial Intelligence & Cloud Computing, 2023

JavaScript, first conceptualized as a scripting language mostly used on the client side, has seen a notable transformation, emerging as a crucial programming language capable of operating on the whole software stack. This article explores the intricate trajectory of JavaScript, charting its evolution from its birth to its present-day significance. In this study, we investigate the evolutionary course of the language, with a particular focus on the influence of ECMAScript standardization and the significant contribution of ES6 in augmenting its functionalities and facilitating its maintainability. The introduction of ES6 modules has substantially transformed the arrangement of code, fostering the principles of modularity and code reuse. This article examines the importance of current JavaScript frameworks, including React, Angular, and especially Vue.js, in modern web development. These frameworks have revolutionized the field of front-end development by providing a range of tools that enable the creation of user interfaces that are both responsive and interactive. The virtual DOM and component-based architecture of React contributes to improving user experiences. At the same time, Angular's extensive framework with Vue.js's progressive approach is designed to accommodate a wide range of developer preferences. The study results validate the extensive acceptance of these discoveries, mostly attributed to their user-friendly characteristics for developers and the strong backing from a thriving community. In addition, integrating JavaScript into full-stack development, made possible by using Node.js, has resulted in more efficient workflows and decreased the challenges of handling several programming languages for front-end and back-end development. The event-driven and non-blocking I/O mechanism of Node.js has played a significant role in developing server applications with high-performance capabilities. Including the Node Package Manager (npm) has enhanced the usability of JavaScript as a full-stack language. In summary, the trajectory of JavaScript exemplifies the capacity for innovation and adaptability. The inherent flexibility, diversity, and thriving ecosystem of this technology solidify its position as a fundamental element in the realm of web development, displaying great potential for a prosperous future within the ever-evolving landscape of technology.DOM and component-based architecture of React contributes to improving user experiences. At the same time, Angular's extensive framework with Vue.js's progressive approach is designed to accommodate a wide range of developer preferences. The study results validate the extensive acceptance of these discoveries, mostly attributed to their user-friendly characteristics for developers and the strong backing from a thriving community. In addition, integrating JavaScript into full-stack development, made possible by using Node.js, has resulted in more efficient workflows and decreased the challenges of handling several programming languages for front-end and back-end development. The event-driven and non-blocking I/O mechanism of Node.js has played a significant role in developing server applications with high-performance capabilities. Including the Node Package Manager (npm) has enhanced the usability of JavaScript as a full-stack language. In summary, the trajectory of JavaScript exemplifies the capacity for innovation and adaptability. The inherent flexibility, diversity, and thriving ecosystem of this technology solidify its position as a fundamental element in the realm of web development, displaying great potential for a prosperous future within the ever-evolving landscape of technology.

Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering - SIGSOFT/FSE '11, 2011

Developers of JavaScript web applications have little tool support for catching errors early in development. In comparison, an abundance of tools exist for statically typed languages, including sophisticated integrated development environments and specialized static analyses. Transferring such technologies to the domain of JavaScript web applications is challenging. In this paper, we discuss the challenges, which include the dynamic aspects of JavaScript and the complex interactions between JavaScript, HTML, and the browser. From this, we present the first static analysis that is capable of reasoning about the flow of control and data in modern JavaScript applications that interact with the HTML DOM and browser API. One application of such a static analysis is to detect typerelated and dataflow-related programming errors. We report on experiments with a range of modern web applications, including Chrome Experiments and IE Test Drive applications, to measure the precision and performance of the technique. The experiments indicate that the analysis is able to show absence of errors related to missing object properties and to identify dead and unreachable code. By measuring the precision of the types inferred for object properties, the analysis is precise enough to show that most expressions have unique types. By also producing precise call graphs, the analysis additionally shows that most invocations in the programs are monomorphic. We furthermore study the usefulness of the analysis to detect spelling errors in the code. Despite the encouraging results, not all problems are solved and some of the experiments indicate a potential for improvement, which allows us to identify central remaining challenges and outline directions for future work.