Combining String Abstract Domains for JavaScript Analysis: An Evaluation

  • Roberto AmadiniEmail author
  • Alexander Jordan
  • Graeme Gange
  • François Gauthier
  • Peter Schachte
  • Harald Søndergaard
  • Peter J. Stuckey
  • Chenyi Zhang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10205)


Strings play a central role in JavaScript and similar scripting languages. Owing to dynamic features such as the eval function and dynamic property access, precise string analysis is a prerequisite for automated reasoning about practically any kind of runtime property. Although the literature presents a considerable number of abstract domains for capturing and representing specific aspects of strings, we are not aware of tools that allow flexible combination of string abstract domains. Indeed, support for string analysis is often confined to a single, dedicated string domain. In this paper we describe a framework that allows us to combine multiple string abstract domains for the analysis of JavaScript programs. It is implemented as an extension of SAFE, an open-source static analysis tool. We investigate different combinations of abstract domains that capture various aspects of strings. Our evaluation suggests that a combination of a few, simple abstract domains suffice to outperform the precision of state-of-the-art static analysis tools for JavaScript.


Direct Product Regular Expression Abstract Domain Control Flow Graph Abstract Syntax Tree 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work is supported by the Australian Research Council (ARC) through Linkage Project Grant LP140100437.


  1. 1.
    Beyer, D., Henzinger, T.A., Théoduloz, G.: Configurable software verification: concretizing the convergence of model checking and program analysis. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 504–518. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-73368-3_51 CrossRefGoogle Scholar
  2. 2.
    Beyer, D., Henzinger, T.A., Théoduloz, G.: Program analysis with dynamic precision adjustment. In: 23rd IEEE/ACM International Conference on Automated Software Engineering (ASE 2008), pp. 29–38 (2008)Google Scholar
  3. 3.
    Choi, T.-H., Lee, O., Kim, H., Doh, K.-G.: A practical string analyzer by the widening approach. In: Kobayashi, N. (ed.) APLAS 2006. LNCS, vol. 4279, pp. 374–388. Springer, Heidelberg (2006). doi: 10.1007/11924661_23 CrossRefGoogle Scholar
  4. 4.
    Cortesi, A., Costantini, G., Ferrara, P.: A survey on product operators in abstract interpretation. In: Semantics, Abstract Interpretation, and Reasoning About Programs: Essays Dedicated to David A. Schmidt on the Occasion of his Sixtieth Birthday, pp. 325–336 (2013)Google Scholar
  5. 5.
    Costantini, G.: Lexical and numerical domains for abstract interpretation. Ph.D. thesis, Università Ca’ Foscara Di Venezia (2014)Google Scholar
  6. 6.
    Costantini, G., Ferrara, P., Cortesi, A.: Static analysis of string values. In: Qin, S., Qiu, Z. (eds.) ICFEM 2011. LNCS, vol. 6991, pp. 505–521. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-24559-6_34 CrossRefGoogle Scholar
  7. 7.
    Costantini, G., Ferrara, P., Cortesi, A.: A suite of abstract domains for static analysis of string values. Softw. Pract. Exp. 45(2), 245–287 (2015)CrossRefGoogle Scholar
  8. 8.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the Fourth ACM Symposium on Principles of Programming Languages, pp. 238–252. ACM Publication (1977)Google Scholar
  9. 9.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Proceedings of the Sixth Annual ACM Symposium on Principles of Programming Languages, pp. 269–282. ACM Publication (1979)Google Scholar
  10. 10.
  11. 11.
    Jensen, S.H., Møller, A., Thiemann, P.: Type analysis for JavaScript. In: Palsberg, J., Su, Z. (eds.) SAS 2009. LNCS, vol. 5673, pp. 238–255. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03237-0_17 CrossRefGoogle Scholar
  12. 12.
    jQuery JavaScript library.
  13. 13.
    Kashyap, V., Dewey, K., Kuefner, E.A., Wagner, J., Gibbons, K., Sarracino, J., Wiedermann, B., Hardekopf, B.: JSAI: A static analysis platform for JavaScript. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 121–132. ACM Publication (2014)Google Scholar
  14. 14.
    Kim, S.-W., Chin, W., Park, J., Kim, J., Ryu, S.: Inferring grammatical summaries of string values. In: Garrigue, J. (ed.) APLAS 2014. LNCS, vol. 8858, pp. 372–391. Springer, Cham (2014). doi: 10.1007/978-3-319-12736-1_20 Google Scholar
  15. 15.
    Lee, H., Won, S., Jin, J., Cho, J., Ryu, S.: SAFE: formal specification and implementation of a scalable analysis framework for ECMAScript. In: Proceedings of the 19th International Workshop on Foundations of Object-Oriented Languages (FOOL 2012) (2012)Google Scholar
  16. 16.
    Madsen, M., Andreasen, E.: String analysis for dynamic field access. In: Cohen, A. (ed.) CC 2014. LNCS, vol. 8409, pp. 197–217. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-54807-9_12 CrossRefGoogle Scholar
  17. 17.
    Park, C., Im, H., Ryu, S.: Precise and scalable static analysis of jQuery using a regular expression domain. In: Proceedings of the 12th Symposium on Dynamic Languages, DLS 2016, Amsterdam, The Netherlands, 1 November 2016, pp. 25–36 (2016)Google Scholar
  18. 18.
    Park, C., Ryu, S.: Scalable and precise static analysis of JavaScript applications via loop-sensitivity. In: Boyland, J.T. (ed.) Proceedings of the 29th European Conference on Object-Oriented Programming (ECOOP 2015), Leibniz International Proceedings in Informatics, pp. 735–756. Dagstuhl Publishing (2015)Google Scholar
  19. 19.
    Sridharan, M., Dolby, J., Chandra, S., Schäfer, M., Tip, F.: Correlation tracking for points-to analysis of JavaScript. In: Noble, J. (ed.) ECOOP 2012. LNCS, vol. 7313, pp. 435–458. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-31057-7_20 CrossRefGoogle Scholar
  20. 20.
    Stuckey, P.J., Feydy, T., Schutt, A., Tack, G., Fischer, J.: The MiniZinc challenge 2008–2013. AI Mag. 35(2), 55–60 (2014)Google Scholar

Copyright information

© Springer-Verlag GmbH Germany 2017

Authors and Affiliations

  • Roberto Amadini
    • 1
    Email author
  • Alexander Jordan
    • 2
  • Graeme Gange
    • 1
  • François Gauthier
    • 2
  • Peter Schachte
    • 1
  • Harald Søndergaard
    • 1
  • Peter J. Stuckey
    • 1
  • Chenyi Zhang
    • 2
    • 3
  1. 1.Department of Computing and Information SystemsThe University of MelbourneMelbourneAustralia
  2. 2.Oracle Labs AustraliaBrisbaneAustralia
  3. 3.College of Information Science and TechnologyJinan UniversityGuangzhouChina

Personalised recommendations