Goal-Directed Backwards Static Analysis for JavaScript

JavaScript is notoriously difficult to analyze due to its rampant use of standard dynamic features (e.g. duck typing, dynamic dispatch, first-class functions, and run-time string evaluation), as well as its idiosyncratic approach to scoping (scope object chains) and inheritance (prototyping). Therefore, despite its near-universal adoption as a client-side scripting language and its increasing use in server-side and mobile applications, JavaScript is rarely analyzed in practice and can be quite buggy, unreliable, and unsafe. We present a novel technique to improve precision and efficiency of JavaScript analysis by combining a standard forwards abstract interpretation with a goal-directed backwards symbolic execution. The backwards analysis can operate either as a standalone tool to refute false alarms that arise from over-approximation in the forwards analysis, or on-line, refuting spurious data-flow on demand at critical points during the forwards analysis. General Terms Languages, Algorithms, Verification