goal-directed abstract interpretation for javascript
TRANSCRIPT
Goal-Directed Abstract Interpretation for JavaScript
prop
o[prop]
var o = {foo : function(){…},
bar : function(){…},
baz : function()
{… ; throw ‘error’;} };
var prop = someFunction();
o[prop]();
sourceprogram
Heuristically suspicious
abstract state
Potential Refutation
Type Analyzer for
JavaScript (TAJS)
ThresherJS: Goal-Directed
Abstract Interpretation
≠
ෝ𝑝 ≠ ො𝑝
Over-approximation in
someFunction causes analysis to infer ⊤ as prop’s value
Spurious call edges!