An Operational Semantics for JavaScript

  • Sergio Maffeis
  • John C. Mitchell
  • Ankur Taly
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5356)


We define a small-step operational semantics for the ECMAScript standard language corresponding to JavaScript, as a basis for analyzing security properties of web applications and mashups. The semantics is based on the language standard and a number of experiments with different implementations and browsers. Some basic properties of the semantics are proved, including a soundness theorem and a characterization of the reachable portion of the heap.


Keywords: Operational Semantic, Garbage Collection, Semantic Rule, Contextual Rule, Core Language





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Sergio Maffeis (1)
  • John C. Mitchell (2)
  • Ankur Taly (2)
  1. Department of Computing, Imperial College London, UK
  2. Department of Computer Science, Stanford University, USA
