The Essence of JavaScript
Abstract
We reduce JavaScript to a core calculus structured as a small-step operational semantics. We present several peculiarities of the language and show that our calculus models them. We explicate the desugaring process that turns JavaScript programs into ones in the core. We demonstrate faithfulness to JavaScript using real-world test suites. Finally, we illustrate utility by defining a security property, implementing it as a type system on the core, and extending it to the full language.

1 The Need for Another JavaScript Semantics

The growing use of JavaScript has created whole new technical and business models of program construction and deployment. JavaScript is a feature-rich language with many quirks, and these quirks are often exploited by security and privacy attacks. This is especially true in cases where JavaScript has a familiar syntax but an unconventional semantics.

Due to its popularity and shortcomings, companies and researchers have tried to tame JavaScript via program analyses [4, 9, 10, 13], sub-language [5, 7, 17], and more. These works claim but do not demonstrate soundness, partly because we lack a tractable account of the language. The JavaScript standard [6] is capacious and informal, while one major formal semantics [15] is large, not amenable to conventional proof techniques, and inherits the standard’s complexities, as we discuss in section 5. In contrast:

– We present a core language, λJS, that embodies JavaScript’s essential features (sans eval). λJS fits on three pages and lends itself well to proof techniques such as subject reduction.
– We show that we can desugar JavaScript into λJS. In particular, desugaring handles notorious JavaScript features such as this and with, so λJS itself remains simple (and thus simplifies proofs that utilize it).
– We mechanize both λJS and desugaring.
– To show compliance with reality, we successfully test λJS and desugaring against the actual Mozilla JavaScript test suite.
– Finally, we demonstrate the use of our semantics by building a safe subset of JavaScript. This application highlights how our partitioning of JavaScript into core and syntactic sugar lends structure to proofs.

Our supplemental materials (full desugaring, tools, etc.) are available at http://www.cs.brown.edu/research/plt/dl/jssem/v1/

$$
\begin{array}{rcl}
c & = & \mathit{num} \mid \mathit{str} \mid \mathit{bool} \mid \mathsf{undefined} \mid \mathsf{null} \\
v & = & c \mid \mathsf{func}(x \cdots)\ \{\ \mathsf{return}\ e\ \} \mid \{\ \mathit{str}{:}\ v \cdots\ \} \\
e & = & x \mid v \mid \mathsf{let}\ (x = e)\ e \mid e(e \cdots) \mid e[e] \mid e[e] = e \mid \mathsf{delete}\ e[e] \\
E & = & \bullet \mid \mathsf{let}\ (x = E)\ e \mid E(e \cdots) \mid v(v \cdots E, e \cdots) \mid \{\ \mathit{str}{:}\ v \cdots\ \mathit{str}{:}\ E,\ \mathit{str}{:}\ e \cdots\ \} \\
  & \mid & E[e] \mid v[E] \mid E[e] = e \mid v[E] = e \mid v[v] = E \mid \mathsf{delete}\ E[e] \mid \mathsf{delete}\ v[E]
\end{array}
$$

$$
\begin{array}{ll}
\mathsf{let}\ (x = v)\ e \hookrightarrow e[x/v] & \text{(E-Let)} \\[1ex]
(\mathsf{func}(x_1 \cdots x_n)\ \{\ \mathsf{return}\ e\ \})(v_1 \cdots v_n) \hookrightarrow e[x_1/v_1 \cdots x_n/v_n] & \text{(E-App)} \\[1ex]
\{\ \cdots\ \mathit{str}{:}\ v\ \cdots\ \}[\mathit{str}] \hookrightarrow v & \text{(E-GetField)} \\[1ex]
\dfrac{\mathit{str}_x \notin (\mathit{str}_1 \cdots \mathit{str}_n)}{\{\ \mathit{str}_1{:}\ v_1 \cdots \mathit{str}_n{:}\ v_n\ \}[\mathit{str}_x] \hookrightarrow \mathsf{undefined}} & \text{(E-GetField-NotFound)} \\[2ex]
\{\ \mathit{str}_1{:}\ v_1 \cdots \mathit{str}_i{:}\ v_i \cdots \mathit{str}_n{:}\ v_n\ \}[\mathit{str}_i] = v \hookrightarrow \{\ \mathit{str}_1{:}\ v_1 \cdots \mathit{str}_i{:}\ v \cdots \mathit{str}_n{:}\ v_n\ \} & \text{(E-UpdateField)} \\[1ex]
\dfrac{\mathit{str}_x \notin (\mathit{str}_1 \cdots)}{\{\ \mathit{str}_1{:}\ v_1 \cdots\ \}[\mathit{str}_x] = v_x \hookrightarrow \{\ \mathit{str}_x{:}\ v_x,\ \mathit{str}_1{:}\ v_1 \cdots\ \}} & \text{(E-CreateField)} \\[2ex]
\mathsf{delete}\ \{\ \mathit{str}_1{:}\ v_1 \cdots \mathit{str}_x{:}\ v_x \cdots \mathit{str}_n{:}\ v_n\ \}[\mathit{str}_x] \hookrightarrow \{\ \mathit{str}_1{:}\ v_1 \cdots \mathit{str}_n{:}\ v_n\ \} & \text{(E-DeleteField)} \\[1ex]
\dfrac{\mathit{str}_x \notin (\mathit{str}_1 \cdots)}{\mathsf{delete}\ \{\ \mathit{str}_1{:}\ v_1 \cdots\ \}[\mathit{str}_x] \hookrightarrow \{\ \mathit{str}_1{:}\ v_1 \cdots\ \}} & \text{(E-DeleteField-NotFound)}
\end{array}
$$

Fig. 1. Functions and Objects

2 λJS: A Tractable Semantics for JavaScript

JavaScript is full of surprises. Syntax that may have a conventional interpretation for many readers often has a subtly different semantics in JavaScript. To aid the reader, we introduce λJS incrementally. We include examples of JavaScript’s quirks and show how λJS faithfully models them.

Figures 1, 2, 4, 8, and 9 specify the syntax and semantics of λJS. We use a Felleisen-Hieb small-step operational semantics with evaluation contexts [8]. We typeset λJS code in a sans-serif typeface, and JavaScript in a fixed-width typeface.
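The object rules of Fig. 1 can be run directly as a small-step reducer. The sketch below is an added example, not code from the paper or its supplemental materials; the term encoding (`{obj: [...]}` for object literals, `{op, o, k, v}` for field operations) and the names `contract`, `step` and `evaluate` are assumptions made here.

```javascript
// Added example: small-step reducer for the object fragment of Fig. 1.
// Assumed encoding: constants are JS primitives; an object literal is
// {obj: [[str, term], ...]}; a field operation is {op: 'get'|'set'|'del', o, k, v}.
const isObj = (t) => t !== null && typeof t === 'object' && 'obj' in t;
const isValue = (t) =>
  t === null || typeof t !== 'object' || (isObj(t) && t.obj.every(([, f]) => isValue(f)));

// Contract a redex whose subterms are all values, using the six field rules.
function contract({ op, o, k, v }) {
  if (!isObj(o) || typeof k !== 'string') throw new Error('stuck: no rule for ' + op);
  const i = o.obj.findIndex(([s]) => s === k);
  if (op === 'get') return i < 0 ? undefined : o.obj[i][1];   // E-GetField(-NotFound)
  if (op === 'set')
    return i < 0
      ? { obj: [[k, v], ...o.obj] }                            // E-CreateField
      : { obj: o.obj.map((f, j) => (j === i ? [k, v] : f)) };  // E-UpdateField
  return { obj: o.obj.filter((_, j) => j !== i) };             // E-DeleteField(-NotFound)
}

// One reduction step: descend into the leftmost non-value subterm, which is
// the hole position that the evaluation contexts E of Fig. 1 allow.
function step(t) {
  if (isObj(t)) {                        // { str: v ... str: E, str: e ... }
    const i = t.obj.findIndex(([, f]) => !isValue(f));
    return { obj: t.obj.map(([s, f], j) => [s, j === i ? step(f) : f]) };
  }
  for (const p of ['o', 'k', 'v'])       // E[e], v[E], v[v] = E, delete E[e], delete v[E]
    if (p in t && !isValue(t[p])) return { ...t, [p]: step(t[p]) };
  return contract(t);
}

// Reduce until a value is reached.
function evaluate(t) {
  while (!isValue(t)) t = step(t);
  return t;
}
```

Objects here are immutable values: an update reduces to a new object and leaves the original untouched. The rules shown in Fig. 1 contain no prototype lookup, so reading a missing field such as `toString` reduces to `undefined`.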
Similar resources
Understanding TypeScript
TypeScript is an extension of JavaScript intended to enable easier development of large-scale JavaScript applications. While every JavaScript program is a TypeScript program, TypeScript offers a module system, classes, interfaces, and a rich gradual type system. The intention is that TypeScript provides a smooth transition for JavaScript programmers—well-established JavaScript programming idiom...
Understanding JavaScript Event-Based Interactions with Clematis
Web applications have become one of the fastest growing types of software systems today. Despite their popularity, understanding the behaviour of modern web applications is still a challenging endeavour for developers during development and maintenance tasks. The challenges mainly stem from the dynamic, event-driven, and asynchronous nature of the JavaScript language. We propose a generic techni...
GULFSTREAM: Staged Static Analysis for Streaming JavaScript Applications
The advent of Web 2.0 has led to the proliferation of client-side code that is typically written in JavaScript. Recently, there has been an upsurge of interest in static analysis of client-side JavaScript for applications such as bug finding and optimization. However, most approaches in static analysis literature assume that the entire program is available to analysis. This, however, is in dire...
Fluid Object Types
Objects in popular scripting languages are lightweight and dynamic. Programmers use these objects in ways that confound existing type systems. We present a core calculus, λ S , that distills the essence of objects in a number of scripting languages. Using λ S , we examine characteristic object-oriented scripting idioms that are untypable by conventional type systems. We develop fluid object typ...
Gulfstream: Incremental Static Analysis for Streaming JavaScript Applications
The advent of Web 2.0 has led to the proliferation of client-side code that is typically written in JavaScript. Recently, there has been an upsurge of interest in static analysis of client-side JavaScript. However, most approaches in static analysis literature assume that the entire program is available to analysis. This, however, is in direct contradiction with the nature of Web 2.0 programs t...