An Analytic Framework for JavaScript

As the programming language of the web, JavaScript deserves a principled yet robust framework for static analysis. To achieve both aims simultaneously, we start from an established reduction semantics for JavaScript and systematically derive its intensional abstract interpretation. Our first step is to transform the semantics into an equivalent low-level abstract machine: the JavaScript Abstract Machine (JAM). We then derive the systematic abstraction of the entire low-level machine. That process yields a finitestate, machine-based abstract interpretation for JavaScript. The calculation of this analysis is itself a milestone, constituting the first “field validation” of the theory behind systematically abstracting abstract machines. This finite-state framework allows us to import important techniques from the over 30 years of work on higher-order program analysis. We can instantiate the abstraction to obtain traditional analyses, such as k-CFA and CPA, extended to JavaScript. Not content with the precision of this analysis over complex control effects, we extend our systematic approach with a new mode: unbounded abstraction of continuations. This new mode yields an infinite-state yet decidable pushdown machine whose stack precisely models the structure of the concrete program stack. The precise model of stack structure in turn confers precise control-flow analysis over control effects, such as exceptions, finally blocks, and of course, calls and returns. Both the finite-state and pushdown frameworks for abstract interpretation are sound and computable.