JSAVER is a JavaScript Static Analyzer via ECMAScript Representation. It is the first tool that automatically derives JavaScript static analyzers from language specifications using an interpreter-based approach called meta-level static analysis, instead of the traditional compiler-based approach.
This artifact extends JISET, a JavaScript IR-based Semantics Extraction Toolchain, to extract JavaScript definitional interpreters from diverse versions of ECMA-262, the standard specification of ECMAScript (the official name of JavaScript), which is written in English. The extracted definitional interpreter is written in IRES, an Intermediate Representation for ECMAScript Specifications.
The source code of JSAVER and the dataset of our study are publicly available at https://doi.org/10.5281/zenodo.6785678, and the latest version is maintained as a GitHub repository:
$ git clone --recurse-submodules https://github.com/kaist-plrg/jsaver.git
Please see INSTALL.md for the detailed guide on installation and how to use this artifact. We also provide a docker image as follows:
$ docker run -it -m=16g --rm jhnaldo/fse22-jsaver
JSAVER consists of two phases: 1) definitional interpreter extraction and 2) meta-level static analysis.
We utilize another tool, JISET, a JavaScript IR-based Semantics Extraction Toolchain, to extract JavaScript definitional interpreters from a given version of ECMA-262. In this artifact, we extracted the definitional interpreter from ES2021 (ES12), the latest version of ECMA-262, and manually filled out essential steps of the parts that are not yet compiled automatically. The extracted interpreter consists of two main parts, one for the semantics and one for the syntax of JavaScript. For semantics, it compiles the abstract algorithms in ECMA-262 to corresponding IRES functions. For syntax, it generates a JavaScript parser in Scala.
JSAVER performs a meta-level static analysis with JavaScript as its defined-language and IRES as its defining-language. Thus, it indirectly analyzes a JavaScript program by analyzing the IRES functions with the AST of the program as an argument. Using the generated parser, it first parses a given JavaScript program to produce an Abstract Syntax Tree (AST). Then, the Analysis Initializer constructs an initial Abstract State from the extracted IRES functions and the produced AST. Finally, JSAVER computes the fixpoint of the Abstract Transfer Function starting from the initial abstract state.
It utilizes a Worklist algorithm to update the abstract state per Control Point, which is a pair of the following two components:
- A Node in the Control-Flow Graph of the extracted definitional interpreter
- A View that represents the analysis sensitivity.
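The worklist fixpoint computation over control points described above, shown as an added, self-contained illustration. This is not JSAVER's or JISET's code and does not use IRES: it mirrors the structure of the description (a control point is a CFG node paired with a view, the abstract state at each control point is joined with incoming states, and a control point is re-scheduled whenever its state grows) on a constructed toy CFG for the program `x = 0; while (?) { x = x + 1 }; y = x`, with a sign lattice as the abstract domain and a view that counts loop iterations up to a cap `K`. All node names, the lattice, and the transfer functions are constructed for this example.

```python
"""Toy worklist fixpoint solver over control points (node, view).

Constructed example; not JSAVER code. The CFG models
    n1: x = 0;  n2: loop head;  n3: x = x + 1 (loop body);  n4: y = x (exit)
with a back edge n3 -> n2. The view is the number of loop iterations taken
so far, capped at K, so the analysis can distinguish "loop never entered"
from "loop executed at least once".
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, List

# Sign lattice: an abstract value is a set of possible signs; bottom is empty.
Sign = FrozenSet[str]
TOP: Sign = frozenset({"-", "0", "+"})
BOT: Sign = frozenset()
State = Dict[str, Sign]  # abstract environment; a missing variable is BOT

K = 1  # cap on the iteration count carried by the view (assumed sensitivity)


@dataclass(frozen=True)
class ControlPoint:
    node: str   # CFG node of the analyzed program
    view: int   # analysis sensitivity: iterations taken, capped at K


def join(a: Sign, b: Sign) -> Sign:
    return a | b


def abs_const(n: int) -> Sign:
    return frozenset({"-" if n < 0 else "0" if n == 0 else "+"})


def abs_add(a: Sign, b: Sign) -> Sign:
    """Sound abstraction of integer addition on the sign lattice."""
    out = set()
    for x in a:
        for y in b:
            if x == "0":
                out.add(y)
            elif y == "0":
                out.add(x)
            elif x == y:
                out.add(x)
            else:          # "+" plus "-" can be anything
                out |= TOP
    return frozenset(out)


def join_state(s: State, t: State) -> State:
    out = dict(s)
    for k, v in t.items():
        out[k] = join(out.get(k, BOT), v)
    return out


def transfer(node: str, st: State) -> State:
    """Abstract transfer function of one CFG node (constructed semantics)."""
    st = dict(st)
    if node == "n1":     # x = 0
        st["x"] = abs_const(0)
    elif node == "n3":   # x = x + 1
        st["x"] = abs_add(st.get("x", BOT), abs_const(1))
    elif node == "n4":   # y = x
        st["y"] = st.get("x", BOT)
    return st


def successors(cp: ControlPoint) -> List[ControlPoint]:
    """CFG edges; the back edge n3 -> n2 advances the view up to the cap K."""
    n, v = cp.node, cp.view
    if n == "entry":
        return [ControlPoint("n1", v)]
    if n == "n1":
        return [ControlPoint("n2", v)]
    if n == "n2":
        return [ControlPoint("n3", v), ControlPoint("n4", v)]
    if n == "n3":
        return [ControlPoint("n2", min(v + 1, K))]
    return []


def analyze(entry: ControlPoint, init: State) -> Dict[ControlPoint, State]:
    """Worklist algorithm: propagate states until no control point changes."""
    states: Dict[ControlPoint, State] = {entry: init}
    worklist: Deque[ControlPoint] = deque([entry])
    while worklist:
        cp = worklist.popleft()
        out = transfer(cp.node, states[cp])
        for succ in successors(cp):
            new = join_state(states.get(succ, {}), out)
            # Re-schedule a successor only when its abstract state grew;
            # the lattice is finite and join is monotone, so this terminates.
            if succ not in states or new != states[succ]:
                states[succ] = new
                worklist.append(succ)
    return states


def value_after(states: Dict[ControlPoint, State], node: str, var: str) -> Sign:
    """Join, over every view of `node`, the value of `var` after executing it."""
    acc = BOT
    for cp, st in states.items():
        if cp.node == node:
            acc = join(acc, transfer(node, st).get(var, BOT))
    return acc


if __name__ == "__main__":
    result = analyze(ControlPoint("entry", 0), {})
    for cp in sorted(result, key=lambda c: (c.node, c.view)):
        print(cp, dict(result[cp]))
    print("y after n4, all views:", set(value_after(result, "n4", "y")))
```

With `K = 1` the view separates the path that skips the loop (at `n4` with view 0, `x` is exactly `{0}`) from the path that ran the body at least once (at `n4` with view 1, `x` is `{+}`); joining the two views gives `{0, +}` for `y`, which is what a view-insensitive analysis would report at every point after the loop.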