A Large-scale Study of the Use of Eval in JavaScript Applications

Transforming text into executable code with a function such as JavaScript’s eval endows programmers with the ability to extend applications, at any time, and in almost any way they choose. But this expressive power comes at a price. Reasoning about the dynamic behavior of programs that use this features becomes difficult. Any ahead-of-time analysis, to remain sound, is forced to make pessimistic assumptions about the impact of dynamically created code. This pessimism affects the optimizations that can be applied to programs, significantly limits the kinds of errors that can be caught statically and the security guarantees that can be enforced. A better understanding of how eval is used could lead to increased performance and security. This paper reports on a large-scale study of the use of eval in JavaScript-based web applications. We have recorded the behavior 317 MB of strings given as arguments to 481,844 calls to the eval function. We provide statistics on the nature and content of strings used in eval expressions, as well as their provenance and data obtained by observing their dynamic behavior. eval is evil. Avoid it. eval has aliases. Don’t use them. —Douglas Crockford