The Essence of JavaScript, by Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi
TRANSCRIPT
![Page 1: The Essence of JavaScript Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi](https://reader030.vdocuments.us/reader030/viewer/2022032721/56649cd85503460f949a10a0/html5/thumbnails/1.jpg)
The Essence of JavaScript
Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi
Slide 2
"JavaScript has much in common with Scheme […] Because of this deep similarity …"
Slide 3
Take a closure that rebinds its free variable, read the way a Scheme programmer would read it:

```javascript
function bar(x) {
  return function () {
    var x = x;
    return x;
  };
}
var f = bar(200);
f(); // expected, reading it like Scheme: 200
```

What actually happens:

```javascript
function bar(x) {
  return function () {
    var x = x;   // `var x` is hoisted to the top of the inner function, so the
    return x;    // right-hand `x` is the inner, still-undefined binding, not the parameter
  };
}
var f = bar(200);
f(); // actual: undefined
```
Slide 4
Is JavaScript Even Lexically Scoped?

```javascript
var x = 0;
var y = 900;

function baz(obj) {
  with (obj) { x = y; }
}

baz({ y: 100 });
x;        // 100: `y` resolved to the object's property, `x` to the global

var myObj = { x: 0 };
baz(myObj);
x;        // 100: unchanged, because this time `x` resolved to myObj.x
myObj.x;  // 900: myObj.x received the global `y`
```

Which variable `x` names inside `baz` depends on the properties of whatever object is passed at run time, not on the program text.
Slide 5
"JavaScript has much in common with Scheme […] Because of this deep similarity …"
No help to researchers studying Web security, building JavaScript analyses, etc.
Slide 6
(Slide graphic; visible text: "Bad", "weirdness", and the authors' names, Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi.)
Slide 7
nytimes.com is a JavaScript mashup
```html
<script lang="javascript" src="http://ad.doubleclick.net/..."></script>
<script lang="javascript" src="http://ad.linkstorms.com/..."></script>
```
Slide 8
The sandboxing pipeline used by ADsafe, Caja, and Facebook JavaScript:

Malicious 3rd party code → Syntactic Checks + Inserted Runtime Checks → "Sanitized" 3rd party code

One such inserted runtime safety check:

```javascript
function safeLookup(obj, fd) {
  if (fd === "eval") {
    throw "cannot access eval";
  } else {
    return obj[fd];
  }
}
```

Without the check, `window["ev" + "al"]` evaluates to `window["eval"]`: a vulnerability, since the syntactic checker never saw the literal name. With the check, `safeLookup(window, "ev" + "al")` becomes `safeLookup(window, "eval")`, which raises the exception.

BUGGY
Slide 9
How can we reason about JavaScript?
• The JavaScript standard (ECMA-262). 200 pages of prose and pseudocode.
• Maffeis, Mitchell, and Taly. An Operational Semantics for JavaScript. 70 pages of semantics.
We need a tractable semantics
Slide 14
The Essence of JavaScript:Functions, Prototype-Based Objects, State,
Control Operators, and Primitives
Slide 15
Thank You!
Questions?
Slide 16
What about the bad parts?
Thanks, Emery Berger
Slide 17
"In practice most development effort goes into the “noise” that researchers abstract away […]. [M]inimalistic subsets give rise to a nice and simple formalization, whereas language implementers actually need help formalizing the rough edges of the language, not the beautiful and clean subset."

Erik Meijer. Confessions of a Used Programming Language Salesman. OOPSLA 2007.
Slide 18
What about the bad parts?

scope objects, with, switch, return, var, continue, for, do-while, for-in, implicit type conversions, function statements, named function expressions, function objects, "constructors", new-expressions, sparse "arrays", this keyword, toString(), valueOf(), variable-arity, Function.caller, Function.callee, the standard library, etc.

All of these are syntactic sugar. (Thanks, Emery Berger.)

We implement desugaring (1,000 LOC).
Slide 19
Desugaring is Compositional*

desugar(e1 + e2)    = C[ desugar(e1), desugar(e2) ]
desugar(obj[field]) = C[ desugar(obj), desugar(field) ]
etc.

Here C[ … ] is a program context inserted by desugaring; each sub-expression is desugared on its own and plugged into the context's holes.

*except for with statements
Slide 20
JavaScript program → desugar → λJS program

The JavaScript program is run by Chrome, Firefox, or Rhino (their answer); the λJS program is run by a 100 LOC interpreter (our answer). Two questions decide whether the two answers can be compared at all:

(Desugaring is Total) For all JavaScript programs e, is desugar(e) defined?

(Desugar Commutes with Eval) For all JavaScript programs e, does desugar(JS-eval(e)) = λJS-eval(desugar(e))?
Slide 21
5,400 lines of the Mozilla JavaScript test suite:

| Syntactic Form            | Occurrences (approx.) |
|---------------------------|-----------------------|
| with blocks               | 15                    |
| var statements            | 500                   |
| try blocks                | 20                    |
| if and switch statements  | 90                    |
| functions                 | 200                   |
| typeof and instanceof     | 35                    |
| new expressions           | 50                    |
| Math library functions    | 15                    |
Slide 22
```javascript
/* if F, G are inverse functions and x==y, this should return 1 */
function match(x, y, F, G) {
  switch (x) {
    case F(G(y)):   // the case label is an arbitrary expression, evaluated at run time
      return 1;
    default:
      return 0;
  }
}

// f, fInverse and test_case are defined elsewhere in the Mozilla test file and are
// not shown on the slide; these are assumed stand-ins so the snippet runs on its own.
function f(x) { return x * 2; }
function fInverse(x) { return x / 2; }
function test_case(name, actual, expected) {
  if (actual !== expected) {
    throw new Error("Section " + name + ": expected " + expected + ", got " + actual);
  }
}

test_case("A", match(17, f(fInverse(17)), f, fInverse), 1);
test_case("B", match(17, 2000, f, fInverse), 0);
test_case("C", match(1, 1, Math.exp, Math.log), 1);
test_case("D", match(1, 200, Math.exp, Math.log), 0);
test_case("E", match(1, 1, Math.sin, Math.cos), 0); // sin and cos are not inverses, so the case does not match
```
Slide 23
```
$ ./test_firefox.sh tests/Statements/switch-001.js
BUGNUMBER: (none)
STATUS: Testing the switch statement
PASSED! Section A of test
PASSED! Section B of test
PASSED! Section C of test
PASSED! Section D of test
PASSED! Section E of test

$ ./test_lambdajs.sh tests/Statements/switch-001.js
BUGNUMBER: (none)
STATUS: Testing the switch statement
PASSED! Section A of test
PASSED! Section B of test
PASSED! Section C of test
PASSED! Section D of test
PASSED! Section E of test
```

Our semantics produces exactly the same result.
Slide 24
(Same table of syntactic forms from the 5,400 lines of the Mozilla JavaScript test suite as on slide 21.)

Scalable strategy: add more tests. The browser output and the λJS output are equivalent under diff.
Slide 25
Recent JavaScript Research

• Staged Information Flow for JavaScript. PLDI’09.
• GateKeeper. USENIX’09.
• Static Analysis for Ajax Intrusion Detection. WWW’09.
• Type Analysis for JavaScript. SAS’09.
• Object Views: Fine-Grained Sharing in Browsers. WWW’10.
• …

Proofs? Desugar to λJS, do the proofs for λJS, build the tools for λJS.
Slide 26
The runtime check from slide 8, as written in JavaScript and as it appears after desugaring to λJS:

```javascript
// JavaScript: the conversion of the property name is an implicit call
function safeLookup(obj, fd) {
  if (fd === "eval") {
    throw "cannot access eval";
  } else {
    return obj[fd];
  }
}

// λJS: desugaring makes the same conversion an explicit call
function safeLookup(obj, fd) {
  if (fd === "eval") {
    throw "cannot access eval";
  } else {
    return obj[fd.toString()];
  }
}
```

Implicit call in JavaScript, explicit call in λJS. The explicit form shows why the check is buggy: an object whose `toString` returns the forbidden name is not `=== "eval"`, yet it becomes `"eval"` at the lookup.

```javascript
badObj = { toString: function () { return "eval"; } };
```

window[badObj]
  → safeLookup(window, badObj)          // the check passes: badObj !== "eval"
  → window[badObj.toString()]
  → window[(function () { return "eval"; })()]
  → window["eval"]
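The bypass traced on this slide, run as code against the check introduced on slide 8, together with two candidate fixes. This is an added example, not code from the slides or from λJS: `sandboxWindow`, `safeLookupBuggy`, `safeLookupConvertTwice`, `safeLookupFixed`, `makeFlipper` and `tryLookup` are names chosen here, and the `window` is a constructed object rather than the browser global, so nothing touches the real `eval`.

```javascript
// Added example (not from the slides): slide 8's runtime check exercised against
// the toString bypass from slide 26, beside two candidate fixes. The "window"
// here is a constructed stand-in object; the real global object is never used.

const sandboxWindow = {
  eval: function () { return "reached eval"; }, // the property the sandbox must deny
  title: "harmless",                              // an ordinary property it may expose
};

// Slide 8's check. `===` never converts its operands, but obj[fd] converts fd
// to a string key *after* the check has already passed.
function safeLookupBuggy(obj, fd) {
  if (fd === "eval") {
    throw new Error("cannot access eval");
  }
  return obj[fd];
}

// A tempting fix: convert for the check, then let obj[fd] convert again.
// Two conversions are two toString() calls, and the attacker controls what
// each of them returns.
function safeLookupConvertTwice(obj, fd) {
  if (String(fd) === "eval") {
    throw new Error("cannot access eval");
  }
  return obj[fd];
}

// The fix that does what the λJS desugaring makes visible: convert exactly
// once, and use that one string for both the check and the lookup. Symbols
// become their "Symbol(...)" description here, which can never equal "eval";
// this deny-list is only meant to pass string keys through.
function safeLookupFixed(obj, fd) {
  const key = String(fd);
  if (key === "eval") {
    throw new Error("cannot access eval");
  }
  return obj[key];
}

// Attacker-controlled objects (constructed for the example).
// 1. The slide's badObj: toString() always yields the forbidden name.
const badObj = { toString: function () { return "eval"; } };

// 2. A stateful variant: answers "title" the first time it is converted and
//    "eval" every time after, so a check-then-convert-again pattern sees a
//    harmless name during the check and the forbidden one during the lookup.
function makeFlipper() {
  let calls = 0;
  return {
    toString: function () {
      calls += 1;
      return calls === 1 ? "title" : "eval";
    },
  };
}

// Run one lookup and describe the outcome as a string so the variants can be
// compared directly. A returned function is called, to show that the sandbox
// really handed out the denied value rather than something inert.
function tryLookup(lookup, obj, fd) {
  try {
    const value = lookup(obj, fd);
    return typeof value === "function" ? "function:" + value() : String(value);
  } catch (e) {
    return "blocked:" + e.message;
  }
}

// Plain strings are handled by all three variants.
tryLookup(safeLookupBuggy, sandboxWindow, "ev" + "al");          // blocked:cannot access eval
// The object bypass from slide 26 defeats only the original check.
tryLookup(safeLookupBuggy, sandboxWindow, badObj);               // function:reached eval
tryLookup(safeLookupFixed, sandboxWindow, badObj);               // blocked:cannot access eval
// The stateful object defeats the convert-twice fix but not the convert-once one.
tryLookup(safeLookupConvertTwice, sandboxWindow, makeFlipper()); // function:reached eval
tryLookup(safeLookupFixed, sandboxWindow, makeFlipper());        // harmless
```

The design point is the one the desugared form exposes: the implicit conversion is a call into attacker-supplied code, so a check written against the raw argument is a check against the wrong value, and a check that converts separately from the lookup gives that code two chances to answer differently. Converting once and threading the result through both the check and the lookup removes both problems.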
Slide 27
Conclusion
• λJS is tractable and good for soundness proofs
• desugar is executable, so semantics-based tools can handle real source
• Used in Typed JavaScript, flow analyses, security type systems (JS source lang. too big, too implicit)
• λJS sets a new semantics standard: testing