DXR JS Analysis

From MozillaWiki
Jump to: navigation, search

Requirements for DxR

  • Must work with lastest version of ecmascript (6 as of this writing)
    • See caution below
  • Produce a call graph

General note of caution about bleeding edge support of features

Because Ecmascript (and many other popular languages) do not offer executable semantics (See the K Framework for an example), there is no way to ensure tools will remain compatiable with new language features.

Any tool that is not built ontop of these semantics is likely wrong or eventually wrong when the spec changes. Given that there are no executable semantics provided for ecmascript and we require bleeding edge features for the FF code base, this will become an issue.

Bonus Features

  • Type Inference

Existing work:

See: <https://wiki.mozilla.org/Security/B2G/JavaScript_code_analysis>

Framework ES6 Interface Function References Type Inference Other Notes
JS WebTools No
Esprima Partial JS Partial ES6 Support
Ternjs No JS or http+json
Doctorjs No JS
Safe No Java
JSAI No Coffee Script (stated in paper) Couldn't locate code

Algorithms and Techniques


Family of flow analyses that approximate the program as a DFA via a structure called the call graph.

Anderson's Points-To Analysis

Use Analysis


Approximate the program as a PDA allowing seperate call sites to be distiguished (avoiding call/return mismatch). Implemented in Doctorjs

Inlining Eval

Dealing with "with"

Ways to get the AST

Name InterFace Compatiable with Mozilla Parser API Other Pros Other Cons
Spidermonkey Reflect.parse JS Yes Full ES6 Suport
Acorn JS yes
Sweet.js JS Yes Partial ES6 Support