Static analysis tools for JavaScript must strike a delicate balance, achieving the level of precision required by the most complex features of target programs without incurring prohibitively high analysis time. For example, reasoning about dynamic property accesses sometimes requires precise relational information connecting the object, the dynamically-computed property name, and the property value. Even a minor precision loss at such critical program locations can result in a proliferation of spurious dataflow that renders the analysis results useless.
We present a technique by which a non-relational static dataflow analysis can be combined soundly with a refinement mechanism to increase precision on demand at critical locations. Crucially, our technique is able to incorporate relational information from the refinement mechanism into the non-relational domain of the dataflow analysis.
We demonstrate the feasibility of this approach by extending an existing JavaScript static analysis with a demand-driven refinement mechanism that relies on backwards abstract interpretation. Our evaluation finds that precise analysis of widely used JavaScript utility libraries depends heavily on the precision at a small number of critical locations which can be identified heuristically, and that backwards abstract interpretation is an effective refinement mechanism to provide that precision on demand.
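The precision loss at dynamic property accesses described in the first paragraph can be seen in a small model of the property-copy loop common in utility libraries. This is an added illustration, not code from the paper or from the analysis it extends; the function names, the abstract-value labels and the sample object are constructed, and the "relational" variant only models the effect of refinement, not backwards abstract interpretation itself.

```javascript
// Constructed abstract object: each property maps to a set of abstract values
// (labels standing for the functions stored in the source object).
const src = {
  get: new Set(["fnGet"]),
  set: new Set(["fnSet"]),
  del: new Set(["fnDel"]),
};

// Pattern under analysis:  for (const k in src) dst[k] = src[k];

// Non-relational view: k, the read src[k] and the write dst[k] are abstracted
// independently. k is "some key of src", so src[k] is the join of all property
// values, and that join is written to every key k may denote.
function analyzeNonRelational(source) {
  const keys = Object.keys(source);
  const joined = new Set();
  for (const k of keys) for (const v of source[k]) joined.add(v);
  const dst = {};
  for (const k of keys) dst[k] = new Set(joined);
  return dst;
}

// Relational view (the effect refinement aims for at the write): each property
// name is paired only with the value that was read under that same name.
function analyzeRelational(source) {
  const dst = {};
  for (const k of Object.keys(source)) dst[k] = new Set(source[k]);
  return dst;
}

// Number of (property, value) facts in the result that no concrete run produces.
function spuriousFacts(abstractDst, source) {
  let n = 0;
  for (const k of Object.keys(abstractDst))
    for (const v of abstractDst[k]) if (!source[k].has(v)) n++;
  return n;
}

// Soundness check: every fact of the concrete copy is present in the result.
function coversConcrete(abstractDst, source) {
  return Object.keys(source).every(
    (k) => k in abstractDst && [...source[k]].every((v) => abstractDst[k].has(v))
  );
}
```

With three properties the non-relational result already carries six spurious facts (each property appears to hold all three functions), and every later call through `dst` inherits them; both results remain sound.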