The Essence of JavaScript

Post on 02-Jan-2016

transcript

The Essence of JavaScript

Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi

2

"JavaScript has much in common with Scheme […] Because of this deep similarity …"

3

function bar(x) {
  return function() {
    var x = x;
    return x;
  };
}

var f = bar(200);
f()  → 200 ?        (what Scheme-style lexical scoping would suggest: the inner x is bar's parameter)

f()  → undefined    (what JavaScript actually returns: the inner `var x` is hoisted to the top of the
                     inner function as a fresh binding initialised to undefined, so `var x = x` reads
                     that binding, not bar's parameter)

4

var x = 0;
var y = 900;

function baz(obj) {
  with (obj) { x = y; }
}

baz({ y: 100 });
x  → 100          (obj has no x, so the assignment goes to the global x; y resolves to obj.y)

var myObj = { x : 0 };
baz(myObj);
x  → 100          (unchanged: this obj has an x, so the assignment goes to myObj.x instead)
myObj.x  → 900    (obj has no y, so y resolves to the global y)

Is JavaScript Even Lexically Scoped?

5

"JavaScript has much in common with Scheme […] Because of this deep similarity …"

No help to researchers studying Web security, building JavaScript analyses, etc.

6

Bad weirdness

7

nytimes.com is a JavaScript mashup

<script lang="javascript" src="http://ad.doubleclick.net/...">
<script lang="javascript" src="http://ad.linkstorms.com/...">

8

function safeLookup(obj, fd) {
  if (fd === "eval") {
    throw "cannot access eval";
  } else {
    return obj[fd];
  }
}

window["ev" + "al"]  →  window["eval"]        vulnerability: a purely syntactic check cannot see
                                              a property name that is only computed at runtime

safeLookup(window, "ev" + "al")  →  safeLookup(window, "eval")  →  exception

Malicious 3rd party code
  → ADsafe / Caja / Facebook JavaScript: syntactic checks + inserted runtime checks (such as safeLookup)
  → "sanitized" 3rd party code

The inserted runtime safety check is itself BUGGY (slide 26 shows how).

9

How can we reason about JavaScript?

• The JavaScript standard (ECMA-262). 200 pages of prose and pseudocode.

• Maffeis, Mitchell, and Taly. An Operational Semantics for JavaScript. 70 pages of semantics.

We need a tractable semantics

14

The Essence of JavaScript: Functions, Prototype-Based Objects, State, Control Operators, and Primitives

15

Thank You!

Questions?

16

What about the bad parts?

Thanks, Emery Berger

17

"In practice most development effort goes into the 'noise' that researchers abstract away […]. [M]inimalistic subsets give rise to a nice and simple formalization, whereas language implementers actually need help formalizing the rough edges of the language, not the beautiful and clean subset."

Erik Meijer. Confessions of a Used Programming Language Salesman. OOPSLA 2007.

18

What about the bad parts?

scope objects, with, switch, return, var, continue, for, do-while, for-in, implicit type conversions, function statements, named function expressions, function objects, "constructors", new-expressions, sparse "arrays", this keyword, toString(), valueOf(), variable-arity, Function.caller, Function.callee, the standard library, etc.

All of these are treated as syntactic sugar over the core calculus: we implement desugaring (1,000 LOC).

19

Desugaring is Compositional*

desugar(e1 + e2) = C[ desugar(e1), desugar(e2) ]

desugar(obj[field]) = C[ desugar(obj), desugar(field) ]

etc.

Here C[·, ·] is a fixed program context (λJS code) that desugaring inserts around the translated subterms; the translation of a form depends only on the translations of its parts.

*except for with statements, whose translation also depends on which identifiers occur in the body
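The slide 4 `with` program, hand-desugared to show why `with` is the non-compositional case. This is an added example, not code from the slides or from the λJS implementation; the rewrite below follows the idea that every identifier used in the body becomes a runtime membership check on the scope object (an assumption about the translation, stated as such), and it deliberately contains no `with` statement so it also runs in strict mode and ES modules, where `with` is a syntax error.

```javascript
// Added example: slide 4's `with` program rewritten by hand, in the spirit of a
// desugaring that has to inspect the body. Assumption: the body `x = y` mentions
// exactly x and y, so a read of y becomes `"y" in obj ? obj.y : y` and a write to
// x becomes `"x" in obj ? obj.x = v : x = v`. The helper names are mine.

function makeScope(initialX, initialY) {
  let x = initialX;      // the outer `var x`
  const y = initialY;    // the outer `var y`

  // Desugared form of:  function baz(obj) { with (obj) { x = y; } }
  function bazDesugared(obj) {
    const rhs = ("y" in obj) ? obj.y : y;   // resolve y: scope object first, then enclosing scope
    if ("x" in obj) {
      obj.x = rhs;                          // x names a property of the scope object
    } else {
      x = rhs;                              // x falls through to the enclosing binding
    }
  }
  return { bazDesugared, outerX: () => x };
}

// Slide 4's two calls, reproducing x → 100, x → 100, myObj.x → 900.
function runSlide4Example() {
  const scope = makeScope(0, 900);
  scope.bazDesugared({ y: 100 });           // no x on obj: assigns the outer x
  const xAfterFirstCall = scope.outerX();   // 100

  const myObj = { x: 0 };
  scope.bazDesugared(myObj);                // x on obj, no y on obj: myObj.x = outer y
  return { xAfterFirstCall, xAfterSecondCall: scope.outerX(), myObjX: myObj.x };
}

// Caveat: the test must be `in` (HasProperty, which walks the prototype chain),
// exactly as the real `with` resolves names; the assignment then creates an own
// property on the scope object. A hasOwnProperty test would wrongly fall through
// to the outer x.
function runInheritedNameCase() {
  const scope = makeScope(0, 900);
  const proto = { x: 5 };
  const child = Object.create(proto);       // constructed input: inherits x, owns nothing
  scope.bazDesugared(child);
  return {
    childHasOwnX: Object.prototype.hasOwnProperty.call(child, "x"),
    childX: child.x,            // 900, own property created by the assignment
    protoX: proto.x,            // 5, untouched
    outerX: scope.outerX(),     // 0, untouched
  };
}
```

The two branches of `bazDesugared` are the whole point: which variable `x = y` writes to is decided at run time by the contents of `obj`, which is why a translation of `with` cannot be written without looking inside the body.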

20

JavaScript program  --desugar-->  λJS program

The JavaScript program is run on Chrome, Firefox, Rhino (their answer); the λJS program is run on a 100 LOC interpreter (our answer). The two answers are then compared.

(Desugaring is Total) For all JavaScript programs e, is desugar(e) defined?

(Desugar Commutes with Eval) For all JavaScript programs e, does desugar(JS-eval(e)) = λJS-eval(desugar(e))?

21

5,400 lines of the Mozilla JavaScript test suite:

Syntactic Form             Occurrences (approx.)
with blocks                 15
var statements             500
try blocks                  20
if and switch statements    90
functions                  200
typeof and instanceof       35
new expressions             50
Math library functions      15

22

/* if F, G are inverse functions and x==y, this should return 1 */
function match(x, y, F, G) {
  switch (x) {
    case F(G(y)):
      return 1;
    default:
      return 0;
  }
}

/* f and fInverse are defined elsewhere in the test file */
test_case("A", match(17, f(fInverse(17)), f, fInverse), 1);
test_case("B", match(17, 2000, f, fInverse), 0);
test_case("C", match(1, 1, Math.exp, Math.log), 1);
test_case("D", match(1, 200, Math.exp, Math.log), 0);
test_case("E", match(1, 1, Math.sin, Math.cos), 1);
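What this test actually exercises is that a `case` label is an arbitrary expression, evaluated lazily and in source order, and compared with strict equality. The added example below (mine, not code from the slides or from the Mozilla suite) puts slide 22's `match` next to a hand-desugared version that uses only `if`/`else` and `===`, the shape a core calculus without `switch` has to give it, and adds a probe that records which labels run; `double`/`halve` are a constructed inverse pair standing in for the test's `f`/`fInverse`.

```javascript
// Added example: slide 22's match, its if/else desugaring, and a probe of the
// switch semantics the test depends on. Helper names and inputs are constructed.

function matchOriginal(x, y, F, G) {
  switch (x) {
    case F(G(y)):
      return 1;
    default:
      return 0;
  }
}

// Desugared form: evaluate the discriminant once, then try each case label (an
// arbitrary expression) in source order with ===. Every arm here returns, so no
// fall-through bookkeeping is needed.
function matchDesugared(x, y, F, G) {
  const discriminant = x;
  if (discriminant === F(G(y))) {
    return 1;
  }
  return 0;
}

// Probe: which case labels get evaluated, and does matching coerce types?
function caseEvaluationTrace(value) {
  const trace = [];
  const label = (name, v) => { trace.push(name); return v; };
  let result;
  switch (value) {
    case label("first", 1):
      result = "one";
      break;
    case label("second", 2):
      result = "two";
      break;
    default:
      result = "other";
  }
  return { result, trace };
}

const double = (v) => v * 2;   // constructed inverse pair standing in for f / fInverse
const halve = (v) => v / 2;
```

The `NaN` case in the test is the kind of corner a semantics has to get right: `NaN !== NaN`, so `match(NaN, NaN, ...)` returns 0 in both versions even though x and y are "equal" in the comment's sense.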

23

$ ./test_firefox.sh tests/Statements/switch-001.js
BUGNUMBER: (none)
STATUS: Testing the switch statement
PASSED! Section A of test
PASSED! Section B of test
PASSED! Section C of test
PASSED! Section D of test
PASSED! Section E of test

$ ./test_lambdajs.sh tests/Statements/switch-001.js
BUGNUMBER: (none)
STATUS: Testing the switch statement
PASSED! Section A of test
PASSED! Section B of test
PASSED! Section C of test
PASSED! Section D of test
PASSED! Section E of test

Our semantics produces exactly the same result

24

Scalable strategy: add more tests. The browser's output and the λJS interpreter's output are compared with diff and come out equivalent.

25

Recent JavaScript Research

• Staged Information Flow for JavaScript. PLDI’09.
• GateKeeper. USENIX’09.
• Static Analysis for Ajax Intrusion Detection. WWW’09.
• Type Analysis for JavaScript. SAS’09.
• Object Views: Fine-Grained Sharing in Browsers. WWW’10.
• …

Proofs? Desugar to λJS, do the proofs for λJS, build the tools for λJS.

26

Implicit call in JavaScript:

function safeLookup(obj, fd) {
  if (fd === "eval") {
    throw "cannot access eval";
  } else {
    return obj[fd];
  }
}

Explicit call in λJS (the conversion that desugaring makes visible):

function safeLookup(obj, fd) {
  if (fd === "eval") {
    throw "cannot access eval";
  } else {
    return obj[fd.toString()];
  }
}

badObj = { toString: function () { return "eval"; } }

window[badObj]                                      attacker's source
  → safeLookup(window, badObj)                      after the sanitizer's rewrite; badObj !== "eval", so the check passes
  → window[badObj.toString()]                       the implicit toString call, now explicit
  → window[(function () { return "eval"; })()]
  → window["eval"]
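The slide 8 guard and the slide 26 bypass, run together, with a variant that performs the same conversion as the indexing operation before it compares. This is an added example and is not code from the slides, ADsafe, Caja or Facebook JavaScript; `safeLookupFixed`, the attacker inputs and the report helpers are mine, and `globalThis` stands in for the browser's `window` so the block runs under Node.

```javascript
// Added example: slide 8's guard, slide 26's bypass, and a coerce-then-compare
// fix. globalThis stands in for window; the attacker inputs are constructed.

// Slide 8's guard as written: compares the raw argument, then indexes with it.
function safeLookup(obj, fd) {
  if (fd === "eval") {
    throw new Error("cannot access eval");
  }
  return obj[fd];   // ToPropertyKey(fd) runs here, after the check
}

// Assumed fix: compare the string that will actually be used as the key.
function safeLookupFixed(obj, fd) {
  const key = typeof fd === "symbol" ? fd : String(fd);   // same conversion obj[fd] performs
  if (key === "eval") {
    throw new Error("cannot access eval");
  }
  return obj[key];
}

// Constructed attacker inputs; each denotes "eval" only once converted to a key.
const attackerInputs = {
  concatenatedString: "ev" + "al",                          // slide 8: caught, === compares string values
  objectWithToString: { toString() { return "eval"; } },    // slide 26
  arrayOfOneString: ["eval"],                               // Array.prototype.toString joins elements
  objectWithValueOfOnly: { toString: undefined, valueOf() { return "eval"; } }, // ToPrimitive falls back to valueOf
};

// true if the lookup handed back the real eval function, false if the guard fired
function reachesEval(lookup, fd) {
  try {
    return lookup(globalThis, fd) === globalThis.eval;
  } catch (e) {
    return false;
  }
}

// For each input: does the original guard leak eval, and does the fixed one?
function compareGuards() {
  const report = {};
  for (const [name, fd] of Object.entries(attackerInputs)) {
    report[name] = {
      originalLeaksEval: reachesEval(safeLookup, fd),
      fixedLeaksEval: reachesEval(safeLookupFixed, fd),
    };
  }
  return report;
}
```

Only the first input is stopped by the original guard; the other three pass `fd === "eval"` and are converted to the string `"eval"` inside `obj[fd]`, exactly the implicit step the λJS translation exposes. Coercing first closes the mismatch the slide identifies; it is not a claim that the surrounding sanitizer is otherwise complete.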

27

Conclusion

• λJS is tractable and good for soundness proofs

• desugar is executable, so semantics-based tools can handle real source

• Used in Typed JavaScript, flow analyses, security type systems (JS source lang. too big, too implicit)

• λJS sets a new semantics standard: testing