An Operational Semantics for JavaScript

  • Sergio Maffeis
  • John C. Mitchell
  • Ankur Taly
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5356)


We define a small-step operational semantics for the ECMAScript standard language corresponding to JavaScript, as a basis for analyzing security properties of web applications and mashups. The semantics is based on the language standard and a number of experiments with different implementations and browsers. Some basic properties of the semantics are proved, including a soundness theorem and a characterization of the reachable portion of the heap.





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Sergio Maffeis (1)
  • John C. Mitchell (2)
  • Ankur Taly (2)
  1. Department of Computing, Imperial College London, UK
  2. Department of Computer Science, Stanford University, USA
