Towards Logic-Based Verification of JavaScript Programs

  • José Fragoso Santos
  • Philippa Gardner
  • Petar Maksimović
  • Daiva Naudžiūnienė
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10395)


In this position paper, we argue for what we believe is a correct pathway to achieving scalable symbolic verification of JavaScript based on separation logic. We highlight the difficulties imposed by the language, the current state-of-the-art in the literature, and the sequence of steps that needs to be taken. We briefly describe Open image in new window , our semi-automatic toolchain for JavaScript verification.



Fragoso Santos, Gardner, and Maksimović were supported by the EPSRC Programme Grant REMS: Rigorous Engineering for Mainstream Systems (EP/K008528/1), and the Department of Computing in Imperial College London. Naudžiūnienė was supported by an EPSRC DTA award. Maksimović was also partially supported by the Serbian Ministry of Education and Science through the Mathematical Institute of Serbian Academy of Sciences and Arts, projects ON174026 and III44006.


  1. 1.
    Andreasen, E., Møller, A.: Determinacy in static analysis for jQuery. In: OOPSLA (2014)Google Scholar
  2. 2.
    Berdine, J., Calcagno, C., O’Hearn, P.W.: Smallfoot: Modular automatic assertion checking with separation logic. In: Boer, F.S., Bonsangue, M.M., Graf, S., Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 115–137. Springer, Heidelberg (2006). doi: 10.1007/11804192_6 CrossRefGoogle Scholar
  3. 3.
    Berdine, J., Cook, B., Ishtiaq, S.: Slayer: Memory safety for systems-level code. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 178–183. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22110-1_15 CrossRefGoogle Scholar
  4. 4.
    Bodin, M., Charguéraud, A., Filaretti, D., Gardner, P., Maffeis, S., Naudziuniene, D., Schmitt, A., Smith, G.: A trusted mechanised JavaScript specification. In: Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2014, pp. 87–100. ACM Press (2014)Google Scholar
  5. 5.
    Cadar, C., Dunbar, D., Engler, D.R.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: Draves, R., van Renesse, R. (eds.) 8th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2008, 8–10 December 2008, San Diego, California, USA, Proceedings, pp. 209–224. USENIX Association (2008)Google Scholar
  6. 6.
    Calcagno, C., Distefano, D., Dubreil, J., Gabi, D., Hooimeijer, P., Luca, M., O’Hearn, P., Papakonstantinou, I., Purbrick, J., Rodriguez, D.: Moving fast with software verification. In: Havelund, K., Holzmann, G., Joshi, R. (eds.) NFM 2015. LNCS, vol. 9058, pp. 3–11. Springer, Cham (2015). doi: 10.1007/978-3-319-17524-9_1 Google Scholar
  7. 7.
    Calcagno, C., Distefano, D., O’Hearn, P., Yang, H.: Compositional shape analysis by means of bi-abduction. In: POPL (2009)Google Scholar
  8. 8.
    Ştefănescu, A., Park, D., Yuwen, S., Li, Y., Roşu, G.: Semantics-based program verifiers for all languages. In: Proceedings of the 31th Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2016), pp. 74–91. ACM, November 2016Google Scholar
  9. 9.
    Distefano, D., Parkinson, M.: jStar: towards practical verification for Java. In: OOPSLA (2008)Google Scholar
  10. 10.
    ECMAScript Committee. The 5th edn. of the ECMAScript Language Specification. Technical report, ECMA (2011)Google Scholar
  11. 11.
    ECMAScript Committee. Test262 test suite (2017).
  12. 12.
    Fink, S., Dolby, J.: WALA – The T.J. Watson Libraries for Analysis (2015).
  13. 13.
    Gardner, P., Maffeis, S., Smith, G.: Towards a program logic for JavaScript. In: Proceedings of the 40th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2013, pp. 31–44. ACM Press (2012)Google Scholar
  14. 14.
    Guha, A., Saftoiu, C., Krishnamurthi, S.: The essence of JavaScript. In: D’Hondt, T. (ed.) ECOOP 2010. LNCS, vol. 6183, pp. 126–150. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14107-2_7 CrossRefGoogle Scholar
  15. 15.
    Jacobs, B., Smans, J., Philippaerts, P., Vogels, F., Penninckx, W., Piessens, F.: VeriFast: a powerful, sound, predictable, fast verifier for C and java. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 41–55. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20398-5_4 CrossRefGoogle Scholar
  16. 16.
    JaVerT Team. Javert (2017).
  17. 17.
    Jensen, S.H., Møller, A., Thiemann, P.: Type analysis for JavaScript. In: Palsberg, J., Su, Z. (eds.) SAS 2009. LNCS, vol. 5673, pp. 238–255. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03237-0_17 CrossRefGoogle Scholar
  18. 18.
    Jones, J.: Priority queue data structure (2016).
  19. 19.
    Kashyap, V., Dewey, K., Kuefner, E.A., Wagner, J., Gibbons, K., Sarracino, J., Wiedermann, B., Hardekopf, B.: JSAI: a static analysis platform for JavaScript. In: FSE, pp. 121–132 (2014)Google Scholar
  20. 20.
    Kroening, D., Tautschnig, M.: CBMC – C bounded model checker. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014. LNCS, vol. 8413, pp. 389–391. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-54862-8_26 CrossRefGoogle Scholar
  21. 21.
    Livshits, B.: JSIR, an intermediate representation for JavaScript analysis (2014).
  22. 22.
    Park, D., Stefănescu, A., Roşu, G.: KJS: a complete formal semantics of JavaScript. In: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2015, New York, USA, pp. 346–356. ACM (2015)Google Scholar
  23. 23.
    Politz, J.G., Carroll, M.J., Lerner, B.S., Pombrio, J., Krishnamurthi, S.: A tested semantics for getters, setters, and eval in JavaScript. In: Proceedings of the 8th Symposium on Dynamic Languages (2012)Google Scholar
  24. 24.
    Roşu, G., Şerbănuţă, T.F.: An overview of the K semantic framework. J. Logic Algebraic Program. 79(6), 397–434 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Schwinghammer, J., Birkedal, L., Reus, B., Yang, H.: Nested hoare triples and frame rules for higher-order store. Logical Methods Comput. Sci. 7(3), 1–42 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  26. 26.
    Sridharan, M., Dolby, J., Chandra, S., Schäfer, M., Tip, F.: Correlation tracking for points-to analysis of JavaScript. In: Noble, J. (ed.) ECOOP 2012. LNCS, vol. 7313, pp. 435–458. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-31057-7_20 CrossRefGoogle Scholar
  27. 27.
    Visser, W., Pǎsǎreanu, C.S., Khurshid, S.: Test input generation with java pathfinder. In: Proceedings of the 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2004, New York, USA, pp. 97–107. ACM (2004)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • José Fragoso Santos
    • 1
  • Philippa Gardner
    • 1
  • Petar Maksimović
    • 1
    • 2
  • Daiva Naudžiūnienė
    • 1
  1. 1.Imperial College LondonLondonUK
  2. 2.Mathematical Institute of the Serbian Academy of Sciences and ArtsBelgradeSerbia

Personalised recommendations