Symbolic Execution for JavaScript

Santos, José Augusto Rodrigues dos; Maksimovic, Petar; Grohens, Théotime; Dolby, Julian; Gardner, Philippa

doi:10.1145/3236950.3236956

Cited by 18 publications

(21 citation statements)

References 51 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition, we perform whole-program symbolic testing of the real-world Buckets.js [Santos 2016] data structure library, which has over 65K downloads on npm [npm, Inc. 2018]. We reproduce our previously reported bugs [Fragoso Santos et al 2018a], but also discover a new one, in times that are almost two orders of magnitude faster, suggesting scalability of our whole-program symbolic testing to much larger codebases. As in [Fragoso Santos et al 2018a,b], we perform the entire evaluation on a machine with an Intel Core i7-4980HQ CPU 2.80 GHz, DDR3 RAM 16GB, and a 256GB solid-state hard-drive running OSX.…”

Section: Discussionmentioning

confidence: 91%

“…The JSIL semantics, however, just like JavaScript semantics, does not observe the frame property: one can introduce bugs into a JSIL/JavaScript program by extending the state in which the program was run. Our solution is to design an instrumented state instantiation, and corresponding instrumented semantics [Fragoso Santos et al 2018a], that exhibits the frame property by explicitly keeping track of object properties that we know are not present. By having the instrumented semantics as a proper interim stage between the concrete semantics and the symbolic semantics, we obtain more modular reasoning and substantially simpler proofs than previous approaches based on weak locality [Gardner et al 2012[Gardner et al , 2008.…”

Section: Overviewmentioning

confidence: 99%

“…Just as for symbolic tests, the pre-condition of a bug spec can be concretised, revealing a concrete execution triggering the corresponding JS native error. On the other hand, success specs can be turned into actual symbolic tests [Fragoso Santos et al 2018a], meaning that, for example, after fixing the bug, we could collect all the success specs to produce a comprehensive symbolic test suite for our expression evaluator.…”

Section: Fig 3 Specification Of the Expression Evaluator -Predicatementioning

confidence: 99%

“…We introduce the interface of the Semantics Module (ğ3.2) and the general JSIL semantics (ğ3.3). Following our previous approaches [Fragoso Santos et al 2018a,b], we instantiate the Semantics Module to obtain the concrete and symbolic JSIL semantics (ğ3.4śğ3.5). We highlight our novel treatment of errors, essential for meaningful error reporting for whole-program symbolic testing, as well as for the inference of resource of the bi-abductive semantics, shown in ğ3.3.1 and ğ3.5.2.…”

Section: The Semantics Modulementioning

confidence: 99%

“…The bi-abductive symbolic execution discussed above generates a success spec. The value of success specs lies in the fact that they can be converted into concrete/symbolic tests [Fragoso Santos et al 2018a], effectively providing the user with a comprehensive concrete/symbolic test suite for the analysed program and bringing immediate value to the software development process.…”

Section: The Bi-abduction Modulementioning

confidence: 99%

See 4 more Smart Citations

JaVerT 2.0: compositional symbolic execution for JavaScript

Santos

Maksimovic

Sampaio

et al. 2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

We propose a novel, unified approach to the development of compositional symbolic execution tools, bridging the gap between classical symbolic execution and compositional program reasoning based on separation logic. Using this approach, we build JaVerT 2.0, a symbolic analysis tool for JavaScript that follows the language semantics without simplifications. JaVerT 2.0 supports whole-program symbolic testing, verification, and, for the first time, automatic compositional testing based on bi-abduction. The meta-theory underpinning JaVerT 2.0 is developed modularly, streamlining the proofs and informing the implementation. Our explicit treatment of symbolic execution errors allows us to give meaningful feedback to the developer during wholeprogram symbolic testing and guides the inference of resource of the bi-abductive execution. We evaluate the performance of JaVerT 2.0 on a number of JavaScript data-structure libraries, demonstrating: the scalability of our whole-program symbolic testing; an improvement over the state-of-the-art in JavaScript verification; and the feasibility of automatic compositional testing for JavaScript.

show abstract

Section: Discussionmentioning

confidence: 91%

Section: Overviewmentioning

confidence: 99%

Section: Fig 3 Specification Of the Expression Evaluator -Predicatementioning

confidence: 99%

Section: The Semantics Modulementioning

confidence: 99%

Section: The Bi-abduction Modulementioning

confidence: 99%

See 3 more Smart Citations

JaVerT 2.0: compositional symbolic execution for JavaScript

Santos

Maksimovic

Sampaio

et al. 2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

show abstract

Gillian, Part II: Real-World Verification for JavaScript and C

Maksimovic

Ayoun

Santos

et al. 2021

Computer Aided Verification

Self Cite

View full text Add to dashboard Cite

We introduce verification based on separation logic to Gillian, a multi-language platform for the development of symbolic analysis tools which is parametric on the memory model of the target language. Our work develops a methodology for constructing compositional memory models for Gillian, leading to a unified presentation of the JavaScript and C memory models. We verify the JavaScript and C implementations of the AWS Encryption SDK message header deserialisation module, specifically designing common abstractions used for both verification tasks, and find two bugs in the JavaScript and three bugs in the C implementation.

show abstract