DXR JS Analysis
Requirements for DxR
- Must work with lastest version of ecmascript (6 as of this writing)
- See caution below
- Produce a call graph
General note of caution about bleeding edge support of features
Because Ecmascript (and many other popular languages) do not offer executable semantics (See the K Framework for an example), there is no way to ensure tools will remain compatiable with new language features.
Any tool that is not built ontop of these semantics is likely wrong or eventually wrong when the spec changes. Given that there are no executable semantics provided for ecmascript and we require bleeding edge features for the FF code base, this will become an issue.
Bonus Features
- Type Inference
Existing work:
See: <https://wiki.mozilla.org/Security/B2G/JavaScript_code_analysis>
| Framework | ES6 | Interface | Function References | Type Inference | Other Notes |
|---|---|---|---|---|---|
| JS WebTools | No | ||||
| Esprima | Partial | JS | Partial ES6 Support | ||
| Ternjs | No | JS or http+json | |||
| Doctorjs | No | JS | |||
| Safe | No | Java | |||
| JSAI | No | Coffee Script (stated in paper) | Couldn't locate code | ||
| TAJS | No |
Algorithms and Techniques
k-CFA
Family of flow analyses that approximate the program as a DFA via a structure called the call graph.
Anderson's Points-To Analysis
Use Analysis
CFA2
Approximate the program as a PDA allowing seperate call sites to be distiguished (avoiding call/return mismatch). Implemented in Doctorjs
Inlining Eval
Dealing with "with"
Ways to get the AST
| Name | InterFace | Compatiable with Mozilla Parser API | Other Pros | Other Cons |
|---|---|---|---|---|
| Spidermonkey Reflect.parse | JS | Yes | Full ES6 Suport | |
| Acorn | JS | yes | ||
| Sweet.js | JS | Yes | Partial ES6 Support |
