Type Analysis for JavaScript

Simon Holm Jensen1, , Anders Møller1, , and Peter Thiemann2

1
Aarhus University, Denmark
{simonhj,amoeller}@cs.au.dk
2
Universität Freiburg, Germany
[email protected]

Abstract. JavaScript is the main scripting language for Web browsers,

and it is essential to modern Web applications. Programmers have started
using it for writing complex applications, but there is still little tool
support available during development.
We present a static program analysis infrastructure that can infer de-
tailed and sound type information for JavaScript programs using abstract
interpretation. The analysis is designed to support the full language as
defined in the ECMAScript standard, including its peculiar object model
and all built-in functions. The analysis results can be used to detect
common programming errors – or rather, prove their absence, and for
producing type information for program comprehension.
Preliminary experiments conducted on real-life JavaScript code indi-
cate that the approach is promising regarding analysis precision on small
and medium size programs, which constitute the majority of JavaScript
applications. With potential for further improvement, we propose
the analysis as a foundation for building tools that can aid JavaScript
programmers.

1 Introduction

In 1995, Netscape announced JavaScript as an “easy-to-use object scripting lan-

guage designed for creating live online applications that link together objects
and resources on both clients and servers” [25]. Since then, it has become the de
facto standard for client-side scripting in Web browsers but many other appli-
cations also include a JavaScript engine. This prevalence has lead developers to
write large programs in a language which has been conceived for scripting, but
not for programming in the large. Hence, tool support is badly needed to help
debug and maintain these programs.
The development of sound programming tools that go beyond checking mere
syntactic properties requires some sort of program analysis. In particular, type
analysis is crucial to catch representation errors, which e.g. confuse numbers
with strings or booleans with functions, early in the development process. Type

Supported by The Danish Research Council for Technology and Production,
grant no. 274-07-0488.

Corresponding author.

J. Palsberg and Z. Su (Eds.): SAS 2009, LNCS 5673, pp. 238–255, 2009.
c Springer-Verlag Berlin Heidelberg 2009
 Type Analysis for JavaScript 239

analysis is a valuable tool to a programmer because it rules out this class of

programming errors entirely.
Applying type analysis to JavaScript is a subtle business because, like most
other scripting languages, JavaScript has a weak, dynamic typing discipline
which resolves many representation mismatches by silent type conversions. As
JavaScript supports objects, first-class functions, and exceptions, tracking the
flow of data and control is nontrivial. Moreover, JavaScript’s peculiarities present
a number of challenges that set it apart from most other programming languages:

– JavaScript is an object-based language that uses prototype objects to model

inheritance. As virtually all predefined operations are accessed via prototype
objects, it is imperative that the analysis models these objects precisely.
– Objects are mappings from strings (property names) to values. In general,
properties can be added and removed during execution and property names
may be dynamically computed.
– Undefined results, such as accessing a non-existing property of an object, are
represented by a particular value undefined, but there is a subtle distinction
between an object that lacks a property and an object that has the property
set to undefined.
– Values are freely converted from one type to another type with few excep-
tions. In fact, there are only a few cases where no automatic conversion
applies: the values null and undefined cannot be converted to objects and
only function values can be invoked as functions. Some of the automatic
conversions are non-intuitive and programmers should be aware of them.
– The language distinguishes primitive values and wrapped primitive values,
which behave subtly different in certain circumstances.
– Variables can be created by simple assignments without explicit declara-
tions, but an attempt to read an absent variable results in a runtime error.
JavaScript’s with statement breaks ordinary lexical scoping rules, so even
resolving variable names is a nontrivial task.
– Object properties can have attributes, like ReadOnly. These attributes can-
not be changed by programs but they must be taken into account by the
analysis to maintain soundness and precision.
– Functions can be created and called with variable numbers of parameters.
– Function objects serve as first-class functions, methods, and constructors
with subtly different behavior. An analysis must keep these uses apart and
detect initialization patterns.
– With the eval function, a dynamically constructed string can be interpreted
as a program fragment and executed in the current scope.
– The language includes features that prescribe certain structures (the global
object, activation objects, argument objects) in the implementation of the
runtime system. These structures must be modeled in an analysis to obtain
sufficient precision.

This paper reports on the design and implementation of a program analyzer

for the full JavaScript language. In principle, the design is an application of