DXR JS Analysis: Difference between revisions

From MozillaWiki
No edit summary
Line 18: Line 18:


See: <https://wiki.mozilla.org/Security/B2G/JavaScript_code_analysis>
<table border="2" cellspacing="0" cellpadding="6" rules="groups" frame="hsides">
<tr>
<th scope="col" class="left">Framework</th>
<th scope="col" class="left">ES6+</th>
<th scope="col" class="left">Interface</th>
<th scope="col" class="left">Function References (Call Graph or Something)</th>
<th scope="col" class="left">Type Inference</th>
<th scope="col" class="left">Other Notes</th>
</tr>
<tr>
<td class="left">JSWebTools</td>
<td class="left">No</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
</tr>
<tr>
<td class="left">Esprima</td>
<td class="left">Partial</td>
<td class="left">JS</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
</tr>
<tr>
<td class="left">Ternjs</td>
<td class="left">No</td>
<td class="left">JS or http+json</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
</tr>
<tr>
<td class="left">Doctorjs</td>
<td class="left">No</td>
<td class="left">JS</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
</tr>
<tr>
<td class="left">Safe</td>
<td class="left">No</td>
<td class="left">Java</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
</tr>
<tr>
<td class="left">JSAI</td>
<td class="left">&#xa0;</td>
<td class="left">Coffee Script (from paper)</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
<td class="left">couldn't find code</td>
</tr>


== Algorithms and Techniques ==
Line 103: Line 33:
=== Removing the with Statement ===


= Ways to get the AST =
{| class="wikitable"
|-
! Framework !! ES6 !! Interface !! Function References !! Type Inference !! Other Notes
|-
| JS WebTools || No || || || ||
|-
| Acorn || NO || JS || || ||
|-
| Esprima || Partial || JS || Partial ES6 Support || ||
|-
| Ternjs || No || JS or http+json || || ||
|-
| Doctorjs || No || JS || || ||
|-
| Safe || No || Java || || ||
|-
| JSAI || || Coffee Script (stated in paper) || || Couldn't locate code ||
|}


<table border="2" cellspacing="0" cellpadding="6" rules="groups" frame="hsides">


<tr>
<th scope="col" class="left">Name</th>
<th scope="col" class="left">Interface</th>
<th scope="col" class="left">Compatible with Mozilla Parser API</th>
<th scope="col" class="left">Other Pros</th>
<th scope="col" class="left">Other Cons</th>
</tr>


<tr>
<td class="left">Spidermonkey Reflect.parse</td>
<td class="left">JS</td>
<td class="left">Yes (by construction)</td>
<td class="left">Full ES6 support</td>
<td class="left">&#xa0;</td>
</tr>
<tr>
<td class="left">Acorn.js</td>
<td class="left">JS</td>
<td class="left">yes</td>
<td class="left">&#xa0;</td>
<td class="left">&#xa0;</td>
</tr>
<tr>
<td class="left">Sweet.js</td>
<td class="left">JS</td>
<td class="left">yes</td>
<td class="left">support for macros</td>
<td class="left">might be hard for the analysis</td>
</tr>


= Ways to get the AST =


<tr>
<td class="left">Esprima</td>
<td class="left">JS</td>
<td class="left">yes</td>
<td class="left">Partial ES6 support</td>
<td class="left">&#xa0;</td>
</tr>
{| class="wikitable"
|-
! Name !! Interface !! Compatible with Mozilla Parser API !! Other Pros !! Other Cons
|-
| Spidermonkey Reflect.parse || JS || Yes || Full ES6 Support ||
|-
| Acorn || JS || yes || ||
|-
| Sweet.js || JS || Yes || Partial ES6 Support ||
|}

Revision as of 17:39, 24 June 2014

Requirements for DxR

  • Must work with the latest version of ECMAScript (6 as of this writing)
    • See caution below
  • Produce a call graph

General note of caution about bleeding-edge feature support

Because ECMAScript (like many other popular languages) does not offer executable semantics (see the K Framework for an example), there is no way to ensure that tools will remain compatible with new language features.

Any tool that is not built on top of such semantics is likely either already wrong or will become wrong when the spec changes. Given that no executable semantics are provided for ECMAScript, and that we require bleeding-edge features for the Firefox code base, this will become an issue.

Bonus Features

  • Type Inference

Existing work:

See: <https://wiki.mozilla.org/Security/B2G/JavaScript_code_analysis>

Algorithms and Techniques

k-CFA

Andersen's Points-To Analysis

Use Analysis

CFA2

Inlining Eval

Removing the with Statement

{| class="wikitable"
|-
! Framework !! ES6 !! Interface !! Function References !! Type Inference !! Other Notes
|-
| JS WebTools || No || || || ||
|-
| Acorn || No || JS || || ||
|-
| Esprima || Partial || JS || Partial ES6 Support || ||
|-
| Ternjs || No || JS or http+json || || ||
|-
| Doctorjs || No || JS || || ||
|-
| Safe || No || Java || || ||
|-
| JSAI || || Coffee Script (stated in paper) || || || Couldn't locate code
|}



Ways to get the AST

{| class="wikitable"
|-
! Name !! Interface !! Compatible with Mozilla Parser API !! Other Pros !! Other Cons
|-
| Spidermonkey Reflect.parse || JS || Yes || Full ES6 Support ||
|-
| Acorn || JS || yes || ||
|-
| Sweet.js || JS || Yes || Partial ES6 Support ||
|}
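As an added example (not part of the wiki page and not code from any of the tools listed), the following shows how the "produce a call graph" requirement can be met on top of a Mozilla Parser API / ESTree AST, the shape that Reflect.parse and Acorn emit, and why the `with` statement has to be removed before call targets can be resolved soundly. The AST, and the function names `load`, `main`, `fetch`, `helper` and `obj` in it, are constructed by hand for the example so it runs offline.

```javascript
// Added example (not from the wiki page or any listed tool): a call-graph pass
// over a Mozilla Parser API / ESTree AST, the shape Reflect.parse and Acorn
// emit. The AST is hand-built here so the example runs offline.
const id = (name) => ({ type: "Identifier", name });
const call = (callee, ...args) => ({ type: "CallExpression", callee, arguments: args });
const block = (...body) => ({ type: "BlockStatement", body });
const expr = (expression) => ({ type: "ExpressionStatement", expression });
const fn = (name, params, body) =>
  ({ type: "FunctionDeclaration", id: id(name), params: params.map(id), body });

// Constructed AST for:
//   function load(u) { return fetch(u); }
//   function main() { load("a"); helper.run(); with (obj) { load("b"); } }
const ast = { type: "Program", body: [
  fn("load", ["u"], block({ type: "ReturnStatement", argument: call(id("fetch"), id("u")) })),
  fn("main", [], block(
    expr(call(id("load"), { type: "Literal", value: "a" })),
    expr(call({ type: "MemberExpression", computed: false,
                object: id("helper"), property: id("run") })),
    { type: "WithStatement", object: id("obj"),
      body: block(expr(call(id("load"), { type: "Literal", value: "b" }))) })),
] };

// Callee naming: identifiers by name, non-computed member calls as "object.property", else "<dynamic>".
function calleeName(node) {
  if (node.type === "Identifier") return node.name;
  if (node.type === "MemberExpression" && !node.computed)
    return calleeName(node.object) + "." + node.property.name;
  return "<dynamic>";
}

// Generic walk over every child node, recording one edge per call site from the
// enclosing function. Inside a `with` block a bare identifier may resolve to a
// property of the with-object rather than the declared function, so that edge is
// flagged unsound; this is why analyses remove `with` before resolving targets.
function buildCallGraph(program) {
  const edges = [];
  const walk = (node, caller, inWith) => {
    if (node.type === "FunctionDeclaration") caller = node.id.name;
    if (node.type === "WithStatement") inWith = true;
    if (node.type === "CallExpression")
      edges.push({ from: caller, to: calleeName(node.callee), unsound: inWith });
    for (const child of Object.values(node)) {
      if (Array.isArray(child)) child.forEach((c) => walk(c, caller, inWith));
      else if (child && typeof child.type === "string") walk(child, caller, inWith);
    }
  };
  walk(program, "<toplevel>", false);
  return edges;
}
```

Running `buildCallGraph(ast)` yields four edges: load→fetch, main→load, main→helper.run, and a second main→load edge marked `unsound: true` because it sits inside the `with` block.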