Correlation Tracking for Points-To Analysis of JavaScript

  • Manu Sridharan
  • Julian Dolby
  • Satish Chandra
  • Max Schäfer
  • Frank Tip
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7313)


JavaScript poses significant challenges for points-to analysis, particularly due to its flexible object model in which object properties can be created and deleted at run-time and accessed via first-class names. These features cause an increase in the worst-case running time of field-sensitive Andersen-style analysis, which becomes O(N 4), where N is the program size, in contrast to the O(N 3) bound for languages like Java. In practice, we found that a standard implementation of the analysis was unable to analyze popular JavaScript frameworks.

We identify correlated dynamic property accesses as a common code pattern that is analyzed very imprecisely by the standard analysis, and show how a novel correlation tracking technique enables us to handle this pattern more precisely, thereby making the analysis more scalable. In an experimental evaluation, we found that correlation tracking often dramatically improved analysis scalability and precision on popular JavaScript frameworks, though in some cases scalability challenges remain.


Points-to analysis call graph construction JavaScript 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Agesen, O.: The Cartesian Product Algorithm: Simple and Precise Type Inference of Parametric Polymorphism. In: Olthoff, W. (ed.) ECOOP 1995. LNCS, vol. 952, pp. 2–26. Springer, Heidelberg (1995)Google Scholar
  2. 2.
    An, D., Chaudhuri, A., Foster, J.S., Hicks, M.: Dynamic Inference of Static Types for Ruby. In: POPL (2011)Google Scholar
  3. 3.
    Andersen, L.O.: Program Analysis and Specialization for the C Programming Language. PhD thesis, University of Copenhagen, DIKU (1994)Google Scholar
  4. 4.
    Balakrishnan, G., Reps, T.: Recency-Abstraction for Heap-Allocated Storage. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 221–239. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Blackshear, S., Chang, B.-Y.E., Sankaranarayanan, S., Sridharan, M.: The Flow-Insensitive Precision of Andersen’s Analysis in Practice. In: Yahav, E. (ed.) SAS 2011. LNCS, vol. 6887, pp. 60–76. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  6. 6.
    Chaudhuri, S.: Subcubic Algorithms for Recursive State Machines. In: POPL (2008)Google Scholar
  7. 7.
    ECMA. ECMAScript Language Specification, 5th edn., ECMA-262 (2009)Google Scholar
  8. 8.
    Feldthaus, A., Millstein, T., Møller, A., Schäfer, M., Tip, F.: Tool-supported Refactoring for JavaScript. In: OOPSLA (2011)Google Scholar
  9. 9.
    Grove, D., Chambers, C.: A Framework for Call Graph Construction Algorithms. TOPLAS 23(6) (2001)Google Scholar
  10. 10.
    Guarnieri, S., Livshits, V.B.: Gatekeeper: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. In: USENIX Security Symposium (2009)Google Scholar
  11. 11.
    Guarnieri, S., Livshits, V.B.: Gulfstream: Incremental Static Analysis for Streaming JavaScript Applications. In: WebApps (2010)Google Scholar
  12. 12.
    Guarnieri, S., Pistoia, M., Tripp, O., Dolby, J., Teilhet, S., Berg, R.: Saving the World Wide Web from Vulnerable JavaScript. In: ISSTA (2011)Google Scholar
  13. 13.
    Guha, A., Saftoiu, C., Krishnamurthi, S.: The Essence of JavaScript. In: D’Hondt, T. (ed.) ECOOP 2010. LNCS, vol. 6183, pp. 126–150. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    Jensen, S.H., Møller, A., Thiemann, P.: Type Analysis for JavaScript. In: Palsberg, J., Su, Z. (eds.) SAS 2009. LNCS, vol. 5673, pp. 238–255. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    Jensen, S.H., Møller, A., Thiemann, P.: Interprocedural Analysis with Lazy Propagation. In: Cousot, R., Martel, M. (eds.) SAS 2010. LNCS, vol. 6337, pp. 320–339. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  16. 16.
    Lhoták, O., Hendren, L.: Scaling Java Points-to Analysis Using SPARK. In: Hedin, G. (ed.) CC 2003. LNCS, vol. 2622, pp. 153–169. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  17. 17.
    Maffeis, S., Mitchell, J.C., Taly, A.: An Operational Semantics for JavaScript. In: Ramalingam, G. (ed.) APLAS 2008. LNCS, vol. 5356, pp. 307–325. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Milanova, A., Rountev, A., Ryder, B.G.: Parameterized Object Sensitivity for Points-to Analysis for Java. TOSEM 14(1) (2005)Google Scholar
  19. 19.
    Schäfer, M., Verbaere, M., Ekman, T., de Moor, O.: Stepping Stones over the Refactoring Rubicon. In: Drossopoulou, S. (ed.) ECOOP 2009. LNCS, vol. 5653, pp. 369–393. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  20. 20.
    Smaragdakis, Y., Bravenboer, M., Lhoták, O.: Pick Your Contexts Well: Understanding Object-sensitivity. In: POPL (2011)Google Scholar
  21. 21.
    Sridharan, M., Fink, S.J.: The Complexity of Andersen’s Analysis in Practice. In: Palsberg, J., Su, Z. (eds.) SAS 2009. LNCS, vol. 5673, pp. 205–221. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  22. 22.
    Sridharan, M., Gopan, D., Shan, L., Bodík, R.: Demand-Driven Points-To Analysis for Java. In: OOPSLA (2005)Google Scholar
  23. 23.
    Tripp, O., Pistoia, M., Fink, S.J., Sridharan, M., Weisman, O.: TAJ: Effective Taint Analysis of Web Applications. In: PLDI (2009)Google Scholar
  24. 24.
    Tripp, O., Weisman, O.: Hybrid Analysis for JavaScript Security Assessment. In: ESEC/FSE 2011, Industrial Track (2011)Google Scholar
  25. 25.
    Vardoulakis, D., Shivers, O.: CFA2: A Context-Free Approach to Control-Flow Analysis. In: Gordon, A.D. (ed.) ESOP 2010. LNCS, vol. 6012, pp. 570–589. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  26. 26.
    Watson, T.J.: Libraries for Analysis (WALA),
  27. 27.
    Web Technology Surveys. Usage of JavaScript libraries for websites, (accessed March 30, 2012)
  28. 28.
    Zheng, Y., Bao, T., Zhang, X.: Statically Locating Web Application Bugs Caused by Asynchronous Calls. In: WWW (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Manu Sridharan
    • 1
  • Julian Dolby
    • 1
  • Satish Chandra
    • 1
  • Max Schäfer
    • 1
  • Frank Tip
    • 1
  1. 1.IBM T.J. Watson Research CenterYorktown HeightsUSA

Personalised recommendations