Points-to Analysis for JavaScript∗

Dongseok Jang
Dept. of Computer Science
Korea Advanced Institute of Science & Technology

Kwang-Moo Choe
Dept. of Computer Science
Korea Advanced Institute of Science & Technology

ABSTRACT

JavaScript is widely used by web developers and the complexity of JavaScript programs has increased over the last year. Therefore, the need for program analysis for JavaScript is evident. Points-to analysis for JavaScript determines the set of objects to which a reference variable or an object property may point. Points-to analysis for JavaScript is a basis for further program analyses for JavaScript. It has a wide range of applications in code optimization and software engineering tools. However, points-to analysis for JavaScript has not yet been developed.

JavaScript has dynamic features such as the runtime modification of objects through addition of properties or updating of methods. We propose a points-to analysis for JavaScript which precisely handles the dynamic features of JavaScript. Our work is the first attempt to analyze the points-to behavior of JavaScript. We evaluate the analysis on a set of JavaScript programs. We also apply the analysis to a code optimization technique to show that the analysis can be practically useful.

Categories and Subject Descriptors

D.3.2 [Programming Languages]: Language Classifications—Specialized application languages; F.3.2 [Logics and Meanings of Programs]: Semantics of Programming Languages—Program analysis

General Terms

Algorithms, Design, Experimentation, Languages

Keywords

JavaScript, points-to analysis, pointer analysis, program analysis, scripting language

∗ This work was supported by the Engineering Research Center of Excellence Program of Korea Ministry of Education, Science and Technology (MEST) / Korea Science and Engineering Foundation (KOSEF), grant number R11-2008-007-02004-0.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
SAC'09 March 8-12, 2009, Honolulu, Hawaii, U.S.A.
Copyright 2009 ACM 978-1-60558-166-8/09/03 ...$5.00.

1. INTRODUCTION

JavaScript is a scripting language designed for client-side web scripting. There is now a standardized version, ECMAScript [6]. JavaScript has attracted more users and JavaScript programs have become lengthy and complex. Almost all web browsers support JavaScript. With the help of the DOM [11] and Ajax [7], more and more sophisticated JavaScript programs are used in popular web sites these days. The web sites use JavaScript to implement important application logic rather than simple user interfaces.

A problem of JavaScript programs is slow execution speed. That is because JavaScript programs are usually executed by interpreters and JavaScript has many dynamic features which must be checked at runtime. The speed of JavaScript programs affects people's perception of the responsiveness of popular websites.

Performance improvement through the use of code optimization is an important method for making JavaScript a proper choice for building high quality software. Because a JavaScript statement executes many machine instructions, a small change to JavaScript source code can bring about a large improvement in performance. Code optimization can be statically applied by using source level transformation. JavaScript compilers can also adopt code optimization to generate faster target code. Even JavaScript interpreters can utilize code optimization techniques at runtime.

Points-to analysis for JavaScript is essential for code optimization, but it has not yet been developed. Points-to analysis for JavaScript determines the set of objects to which a reference variable or an object property may point. Points-to analysis enables essential analyses for code optimization, such as side-effect analysis and def-use analysis.

In this paper, we present and evaluate a points-to analysis for JavaScript as a first step for further program analyses for JavaScript. Our analysis is based on Andersen's points-to analysis for C [2]. In Section 2, we discuss a motivating example of our research. Then, we define a restricted language to briefly describe points-to behavior of JavaScript in Section 3. We present a constraint-based, flow- and context-insensitive¹ points-to analysis for the restricted language in Section 4. In Section 5, we evaluate our analysis on a set of JavaScript programs. We also evaluate the impact of the analysis on a special case of partial-redundancy elimination [1] for the JavaScript programs. Section 6 discusses related work. Finally, Section 7 presents conclusions and future work.

¹ A flow-insensitive analysis does not take control-flow into account. A context-insensitive analysis does not distinguish between different invocations of a function.

2. MOTIVATION

In a sense, a JavaScript object is an associative array, a data structure that allows arbitrary data values to be dynamically associated with arbitrary strings. An object property can be accessed as an array element. The feature is represented in JavaScript syntax. For example, the JavaScript expression object.property is equivalent to object["property"].

    S0 : var str = prompt();
    S1 : var a = new Object();    // o1
    S2 : a.x = new Object();      // o2
    S3 : a.y = new Object();      // o3
    S4 : a[str] = new Object();   // o4
    S5 : b = a.x;

Figure 1: Example of JavaScript program and its points-to graphs. Top: Program code, Bottom left: Conventional graph, Bottom right: Graph with considering properties

In Figure 1, the program shows that behavior. S0 gets a string from a library function. Then, S1 creates a new object o1 with no properties. Here we name an object by its allocation site in a program. S2 assigns o2 to a non-existing property named x of o1 referenced by a. Because it does not exist, the property is created on the fly and the value is assigned to the newly created property. S3 does similar operations to the property y of o1. S4 assigns o4 to a property whose name is given by the expression str via the [ ] operator. The expression str may evaluate to "x", "y", or a non-existing property name. When an object property is accessed by the [ ] operator, the actual property name may be statically unknown.

Conventional points-to analyses based on Andersen's analysis [2] treat elements of an array as an aggregate. If we naively adapt the conventional analyses to JavaScript, ob-

If we maintain information for each property to increase the precision of the analysis, we obtain the points-to graph on the bottom right of Figure 1. In the graph, we maintain the name of each property of an object. For example, we use o1.x to represent the property x of the object o1. For the property added via the [ ] operator, we use the aggregate o1[ ] in the same way as Andersen's analysis.

When an object property is updated via the [ ] operator, we may not know what property of the object is actually updated because the name of the changing property may not be statically determined. Any existing property of the object may be updated, or a new property may be created in the object. Because str may evaluate to "x" or "y" at S4, o1.x and o1.y point to o4 in our points-to graph for the program. The node o1[ ] is for the case that str evaluates to a property name which cannot be statically determined. In our points-to graph, the points-to set of b is {o2, o4}. This is more accurate than the conventional approaches. Our points-to analysis increases accuracy by distinguishing each property separately while considering dynamic features of JavaScript.

3. SIMPLESCRIPT

For presentation brevity, we define SimpleScript, a restricted language of JavaScript. Most of SimpleScript is based on Thiemann's work [16], but modified in some ways. We add the . operation and a unique global object to SimpleScript to expose significant points-to behaviors of JavaScript.

JavaScript is a weakly and dynamically typed object-based language. JavaScript has no classes but supports constructors and prototyping to share functionality of code. JavaScript provides the runtime modification of objects through addition of properties or updating of methods. A JavaScript object is just like an associative array, a data structure that allows arbitrary data values to be dynamically associated with arbitrary strings (property names).

JavaScript has lexically scoped first-class functions which behave as functions or methods. When a function object is assigned to a property of an object, the function acts as a method if it is referenced by the property of the object and called. If a function is called as a method of an object, each reference to this is bound to the object in the function body. Otherwise, each reference to this resolves to the unique global object of JavaScript. A function can be used as a constructor when invoked through the new operator. The new operator creates a new object, and calls a constructor which binds this to the new object in the function body.

JavaScript has a unique global object. Whenever a variable is declared in the global scope or a value is assigned to an undeclared variable, the variable becomes a property of the global object.
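The contrast drawn around Figure 1 in Section 2, as an added example that is not code from the paper: a small flow-insensitive inclusion-constraint solver run over S1 to S5, once with a single aggregate node per object and once with per-property nodes. The statement encoding, the names `FIGURE1`, `analyze` and `sites`, and the rule that a named load also reads the aggregate `o[]` are assumptions of this sketch.

```javascript
// Figure 1 (S1-S5) in a constructed encoding; prop: null stands for a[str].
const FIGURE1 = [
  { op: "new", dst: "a", site: "o1" },                 // S1: var a = new Object()
  { op: "store", base: "a", prop: "x", site: "o2" },   // S2: a.x = new Object()
  { op: "store", base: "a", prop: "y", site: "o3" },   // S3: a.y = new Object()
  { op: "store", base: "a", prop: null, site: "o4" },  // S4: a[str] = new Object()
  { op: "load", dst: "b", base: "a", prop: "x" },      // S5: b = a.x
];

// Flow-insensitive fixpoint over inclusion constraints.
// perProperty=false: one aggregate node o[] per object (conventional treatment).
// perProperty=true: a node o.p per named property, plus o[] for unknown names.
function analyze(program, perProperty) {
  const pts = new Map();   // node name -> Set of allocation sites
  const props = new Map(); // allocation site -> property names stored by name
  const get = (m, k) => m.get(k) || m.set(k, new Set()).get(k);
  let changed = true;
  const add = (node, newSites) => {
    const s = get(pts, node);
    for (const o of newSites) if (!s.has(o)) { s.add(o); changed = true; }
  };
  while (changed) {
    changed = false;
    for (const st of program) {
      if (st.op === "new") { add(st.dst, [st.site]); continue; }
      const named = perProperty && st.prop !== null;
      for (const o of [...get(pts, st.base)]) {
        if (st.op === "store" && named) {
          if (!get(props, o).has(st.prop)) { get(props, o).add(st.prop); changed = true; }
          add(`${o}.${st.prop}`, [st.site]);
        } else if (st.op === "store") {
          // Unknown name: may create a new property or update any named one.
          add(`${o}[]`, [st.site]);
          for (const p of get(props, o)) add(`${o}.${p}`, [st.site]);
        } else {
          // Load: named node(s), plus the aggregate (assumption of this sketch).
          if (named) add(st.dst, get(pts, `${o}.${st.prop}`));
          else for (const p of get(props, o)) add(st.dst, get(pts, `${o}.${p}`));
          add(st.dst, get(pts, `${o}[]`));
        }
      }
    }
  }
  return pts;
}

// Sorted, comma-joined points-to set of one node.
const sites = (pts, node) => [...(pts.get(node) || [])].sort().join(",");
console.log("per-property b:", sites(analyze(FIGURE1, true), "b"), "| aggregate b:", sites(analyze(FIGURE1, false), "b"));
```

With per-property nodes the set for b is {o2, o4}, as stated in Section 2; with one aggregate node per object, S5 also picks up o3.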
