On 10/9/2015 9:33 AM, Ehsan Akhgari wrote:
> This is not possible to achieve through static analysis based on the source code level constructs. In other words, you cannot build a tool that looks at source code, analyzes the tokens appearing in it, and infers whether a property on an object has been accessed.
>
> The best static analysis on JS that you can probably get is to tell you when you're accessing a dynamic property on an object (i.e., filtering out IndexExpressions based on types of the object). In principle, that could be a starting point for manual analysis, but even that is likely to produce way too many false positives.
>
> That all being said, analyses based on symbolic execution even in typed languages have a lot of practical limitations, and using it even for the simplest cases such as your example below in JS may very well turn into a research project that would result in nothing in practice. In my opinion, it's impractical to detect any useful properties in add-on JS code statically based on the source code.

As far as I'm aware, the only "production-scale" symbolic execution tools that are used are really concolic execution engines (SAGE is the ur-example here), since the ability to concretely execute code most of the time gets rid of a few problems with symbolic execution (namely, the fact that path numbers are exponential or super-exponential in program size). Unfortunately, JS has properties that make symbolic execution particularly difficult--its number system, for example, is inherently floating point (which causes most symbolic execution engines to keel over and die), and according to one of your references, string handling is inherently at least PSPACE-hard (boolean satisfiability is merely NP-hard).

--
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist
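To make the "flag dynamic property accesses, expect many false positives" point above concrete, here is a small scanner added as an illustration. It is not code from either poster or from DXR; it uses a constructed sample of add-on style JavaScript, a hand-rolled lexer (strings and comments are recognised, regex literals are not), and reports every `obj[expr]` whose index is not a single string or number literal. Because it has no type information, `arr[i]` is reported alongside `obj[key]`, which is exactly the false-positive problem the thread describes.

```python
import re
from collections import namedtuple

# Constructed sample of add-on style JavaScript (not taken from any real add-on).
SAMPLE = r'''
var prefs = Services.prefs;
var key = "extensions." + name;          // computed at runtime
obj[key] = 1;                            // dynamic property access
obj["literal"] = 2;                      // same as obj.literal: not dynamic
arr[i] = 3;                              // array index; untyped, it looks identical
arr[0] = 4;                              // numeric literal index
var list = [a, b];                       // array literal, not a member access
win[evt.name + "Handler"](evt);          /* computed method lookup */
cache[ids[0]] = lookup;                  // outer index is dynamic, inner is not
'''.strip('\n')

Token = namedtuple('Token', 'kind text line start end')

# Deliberately small lexer: strings and comments are recognised so brackets
# inside them are not mistaken for code. Regex literals are NOT recognised;
# a regex literal containing a quote would desynchronise it (known limitation).
TOKEN_RE = re.compile(r'''
    (?P<ws>\s+)
  | (?P<line_comment>//[^\n]*)
  | (?P<block_comment>/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`)
  | (?P<number>0[xX][0-9a-fA-F]+|\d+(?:\.\d*)?(?:[eE][+-]?\d+)?|\.\d+(?:[eE][+-]?\d+)?)
  | (?P<ident>[A-Za-z_$][\w$]*)
  | (?P<punct>.)
''', re.VERBOSE | re.DOTALL)

# Identifiers that may precede '[' without being the object of a member access.
KEYWORDS_BEFORE_BRACKET = {'return', 'typeof', 'in', 'of', 'new', 'delete',
                           'void', 'throw', 'case', 'instanceof', 'yield'}


def tokenize(src):
    """Lex `src` into significant tokens, dropping whitespace and comments."""
    tokens, pos, line = [], 0, 1
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        kind, text = m.lastgroup, m.group()
        if kind not in ('ws', 'line_comment', 'block_comment'):
            tokens.append(Token(kind, text, line, m.start(), m.end()))
        line += text.count('\n')
        pos = m.end()
    return tokens


def _is_object_operand(tok):
    """True if `tok` can be the object in `tok[...]` (identifier, `)` or `]`)."""
    if tok.kind == 'ident':
        return tok.text not in KEYWORDS_BEFORE_BRACKET
    return tok.kind == 'punct' and tok.text in (')', ']')


def find_dynamic_property_accesses(src):
    """Report each `obj[expr]` whose index is not one string or number literal.

    Without type information an array access `arr[i]` is indistinguishable
    from a computed object-property access, so it is reported as well.
    """
    tokens = tokenize(src)
    findings = []
    for i, tok in enumerate(tokens):
        if not (tok.kind == 'punct' and tok.text == '[' and i > 0
                and _is_object_operand(tokens[i - 1])):
            continue
        # Find the matching ']' (brackets in strings are already one token).
        depth, j = 1, i + 1
        while j < len(tokens) and depth:
            if tokens[j].kind == 'punct' and tokens[j].text == '[':
                depth += 1
            elif tokens[j].kind == 'punct' and tokens[j].text == ']':
                depth -= 1
            j += 1
        inner = tokens[i + 1:j - 1]
        if len(inner) == 1 and inner[0].kind in ('string', 'number'):
            continue  # obj["name"] and arr[0] are statically resolvable
        findings.append({
            'line': tok.line,
            'object': tokens[i - 1].text,
            'index': src[inner[0].start:inner[-1].end] if inner else '',
        })
    return findings


if __name__ == '__main__':
    for f in find_dynamic_property_accesses(SAMPLE):
        print("line %(line)d: %(object)s[%(index)s]" % f)
```

Run as-is, it reports lines 3, 5, 8 and 9 of the sample; line 5 (`arr[i]`) is the kind of hit that only a type-aware pass could filter out, and nothing here can tell what property `obj[key]` on line 3 actually reaches at runtime.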

_______________________________________________
dev-static-analysis mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-static-analysis
