Correlation tracking for points-to analysis of javascript

Abstract

JavaScript poses significant challenges for points-to analysis, particularly due to its flexible object model in which object properties can be created and deleted at run-time and accessed via first-class names. These features cause an increase in the worst-case running time of field-sensitive Andersen-style analysis, which becomes O(N 4), where N is the program size, in contrast to the O(N 3) bound for languages like Java. In practice, we found that a standard implementation of the analysis was unable to analyze popular JavaScript frameworks. We identify correlated dynamic property accesses as a common code pattern that is analyzed very imprecisely by the standard analysis, and show how a novel correlation tracking technique enables us to handle this pattern more precisely, thereby making the analysis more scalable. In an experimental evaluation, we found that correlation tracking often dramatically improved analysis scalability and precision on popular JavaScript frameworks, though in some cases scalability challenges remain. © 2012 Springer-Verlag Berlin Heidelberg.